Firewall Feature Set Commands
XSR CLI Reference Guide 16-117
Default
Disabled globally
Mode
Global or Interface configuration: XSR(config)# or XSR(config-if<xx>)#
Example
The following example enables the firewall globally:
XSR(config)#ip firewall enable

ip firewall filter

This command defines the filter object for non-TCP/UDP traffic (traffic that is neither TCP nor UDP), for which no stateful inspection is required. By default, all non-TCP/UDP traffic is dropped by the firewall. To allow certain IP protocols to pass through the firewall, a filter object must be configured.
Filtering is performed on the protocol ID and on the source and destination addresses, which are network objects. Protocols can be specified by number or by name. If a name is used, it should match the name assigned by the Internet Assigned Numbers Authority (IANA). Refer to:
http://www.iana.org/assignments/protocolnumbers
A name for any firewall object must use these alphanumeric characters only: A-Z (upper or lower case), 0-9, - (dash), or _ (underscore). Also, all firewall object names, including predefined objects such as ANY_EXTERNAL and user-defined object names, are case sensitive.
Syntax
ip firewall filter filter_name src_net_name dst_net_name {protocol-id prot-number
| protocol-name prot-name} [type number] [allow-log] bidirectional
Syntax of the “no” Form
The no form of this command disables the specified filter:
no ip firewall filter filter_name
Note: Logging for the filter is performed on a per packet basis.
filter_name    Name of the filter object, not to exceed 16 characters.
src_net_name   Name of any source network object. Limit: 16 characters.
dst_net_name   Name of the destination network object. Limit: 16 characters.
protocol-id    Protocol specified by decimal value.
protocol-name  Protocol specified by name, not to exceed 16 characters.
type number    If the protocol is ICMP, you can filter specific types only.
bidirectional  Policy applies in both directions. That is, for a session initiated at the source as well as at the destination.
allow-log      All matching packets are logged.
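As an added example (not from the XSR guide or its firmware), the following Python checker validates an `ip firewall filter` line against the syntax and naming rules above before it is pasted into a configuration: object names are checked for the allowed characters and the 16-character limit, the protocol must be given by number or by IANA name, and `type` is rejected unless the protocol is ICMP. The protocol-name table is a small constructed subset of IANA names and is an assumption.

```python
import re

# Naming rules from the reference text: A-Z, a-z, 0-9, '-' and '_' only, max 16 chars.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,16}$")
ICMP_PROTOCOL_ID = 1
# Constructed subset of IANA protocol names (assumption: the router accepts these spellings).
IANA_NAMES = {"ICMP": 1, "IGMP": 2, "GRE": 47, "ESP": 50, "AH": 51, "OSPF": 89}


def parse_filter_command(line: str) -> dict:
    """Parse one 'ip firewall filter ...' line; raise ValueError on a syntax or naming error."""
    tokens = line.split()
    if tokens[:3] != ["ip", "firewall", "filter"]:
        raise ValueError("not an 'ip firewall filter' command")
    rest = tokens[3:]
    if len(rest) < 5:
        raise ValueError("expected filter_name src_net_name dst_net_name and a protocol")
    filter_name, src, dst = rest[0], rest[1], rest[2]
    for label, name in (("filter_name", filter_name), ("src_net_name", src), ("dst_net_name", dst)):
        if not NAME_RE.match(name):
            raise ValueError(f"{label} {name!r} violates the object naming rules")
    # The protocol is given either as a decimal number or as an IANA name.
    if rest[3] == "protocol-id":
        if not rest[4].isdigit() or not 0 <= int(rest[4]) <= 255:
            raise ValueError("protocol-id must be a decimal value 0-255")
        proto = int(rest[4])
    elif rest[3] == "protocol-name":
        proto = IANA_NAMES.get(rest[4].upper())
        if proto is None:
            raise ValueError(f"unknown IANA protocol name {rest[4]!r}")
    else:
        raise ValueError("expected 'protocol-id' or 'protocol-name'")
    result = {"filter": filter_name, "src": src, "dst": dst, "protocol": proto,
              "icmp_type": None, "allow_log": False, "bidirectional": False}
    options, i = rest[5:], 0
    while i < len(options):
        if options[i] == "type":  # only meaningful for ICMP, per the reference
            if proto != ICMP_PROTOCOL_ID:
                raise ValueError("'type' is only valid when the protocol is ICMP")
            if i + 1 >= len(options) or not options[i + 1].isdigit():
                raise ValueError("'type' requires a numeric ICMP type")
            result["icmp_type"] = int(options[i + 1])
            i += 2
            continue
        if options[i] == "allow-log":
            result["allow_log"] = True
        elif options[i] == "bidirectional":
            result["bidirectional"] = True
        else:
            raise ValueError(f"unexpected token {options[i]!r}")
        i += 1
    if not result["bidirectional"]:  # shown without brackets in the syntax, so it is required
        raise ValueError("'bidirectional' keyword is required")
    return result
```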