Syntax

ip filter [rule-number] action protocol {source source-bitmask} {destination destination-bitmask} [fragments] [log]

In this form no port number is checked, so the fragments option is allowed.

ip filter [rule-number] action protocol {source source-bitmask} [source-port-range] {destination destination-bitmask} [destination-port-range] [log]

In this form the port number is checked; that is, if either source-port-range or destination-port-range is specified, the fragments option is not allowed, because a non-initial fragment carries no TCP/UDP header and so has no port numbers to match.

ip filter [rule-number] action tcp {source source-bitmask} [source-port-range] {destination destination-bitmask} [destination-port-range] [code {{code code-bitmask} | code-keyword-seq}] [log]

The protocol is checked for the tcp keyword; the code option is allowed only when the protocol is tcp.

no ip filter {all | rule-number}

Deletes the rule with the specified rule number from the filter table, or every rule if all is given.

rule-number – Inserts a filter rule at the specified position in the table, pushing any existing rules at or below that position one place down. A rule-number cannot exceed the next available number in the table. If rule-number is not specified, the new rule is appended to the end of the rule table. The maximum number of rules is 128.

action – {deny | permit}

Blocks or allows packets moving between the down-link ports and the management port (NETMGT).

protocol – {any | tcp | udp | number}

Indicates any protocol, TCP, UDP, or a specific IP protocol number (0 to 255).

source source-bitmask – The frame’s source IP address and netmask.

source-port-range – [number | start_number-end_number] TCP/UDP source port or port range. (Range: 0-65535)

destination destination-bitmask – The frame’s destination IP address and netmask.

destination-port-range – [number | start_number-end_number] TCP/UDP destination port or port range. (Range: 0-65535)

code

code – A decimal number (representing a bit string) that specifies the flag bits in byte 14 of the TCP header, that is, the flags byte at offset 13, whose six low-order bits are the URG, ACK, PSH, RST, SYN and FIN flags. (Range: 0-63)

code-bitmask – A decimal number (representing a bit mask) that is applied to the code. In the binary form of the number, a “1” bit means that bit of the code must match and a “0” bit means that bit is ignored. The following bits may be specified:

4-78 Sun Fire B1600 Blade System Chassis Switch Administration Guide • June 2003
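The rule semantics described above (ordered insertion with a 128-rule limit, protocol and masked-address matching, optional port ranges, the exclusion between fragments and port ranges, and code/code-bitmask flag matching), as an added example that is not part of the guide and is not the switch’s firmware: a Python evaluator that parses rules written in this syntax and runs constructed packets through a table protecting NETMGT. Because this page does not state them, the example assumes that rules are evaluated in table order with the first match deciding, that rule numbers start at 1, that a bitmask is an ordinary netmask (1 = compare that bit, 0 = ignore it), that fragments restricts a rule to non-initial fragments, and the standard TCP header flag encoding (FIN=1, SYN=2, RST=4, PSH=8, ACK=16, URG=32); only the numeric code code-bitmask form is parsed, and every address and port in it is made up.

```python
"""Evaluator for the `ip filter` syntax on this page (added example, not code from
the Sun Fire B1600 guide). Assumed because the page does not say: first match in
table order decides; rule numbers start at 1; bitmasks are ordinary netmasks;
`fragments` limits a rule to non-initial fragments; flag bits use the TCP header
encoding FIN=1 SYN=2 RST=4 PSH=8 ACK=16 URG=32. All addresses are made up."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional, Tuple, Union

TCP, UDP = 6, 17
FIN, SYN, RST, PSH, ACK, URG = 1, 2, 4, 8, 16, 32

@dataclass
class Rule:                                       # one parsed `ip filter` rule
    action: str; protocol: Union[str, int]; src: int; src_mask: int; dst: int; dst_mask: int
    sport: Optional[Tuple[int, int]]; dport: Optional[Tuple[int, int]]; fragments: bool; log: bool
    code: Optional[int]; code_mask: Optional[int]  # TCP flag bits, and which bits to compare

@dataclass
class Packet:
    protocol: int; src: str; dst: str
    sport: Optional[int] = None; dport: Optional[int] = None
    flags: int = 0; fragment: bool = False        # non-initial fragment: no L4 header

def _ports(tok: str) -> Tuple[int, int]:         # "22" or "1024-65535" -> (low, high)
    lo, _, hi = tok.partition("-"); lo, hi = int(lo), int(hi or lo)
    if not 0 <= lo <= hi <= 65535: raise ValueError(f"port range out of bounds: {tok}")
    return lo, hi

def parse_rule(line: str) -> Tuple[Optional[int], Rule]:
    """Parse one `ip filter ...` line into (rule-number or None, Rule)."""
    toks = line.split()[2:]                       # drop the leading "ip filter"
    number = int(toks.pop(0)) if toks[0].isdigit() else None
    action, proto = toks.pop(0), toks.pop(0)
    protocol = {"any": "any", "tcp": TCP, "udp": UDP}.get(proto) or int(proto)
    if action not in ("permit", "deny") or (protocol != "any" and not 0 <= protocol <= 255):
        raise ValueError(f"bad action or protocol: {action} {proto}")
    addr = lambda: int(IPv4Address(toks.pop(0)))
    src, src_mask = addr(), addr()
    sport = _ports(toks.pop(0)) if "." not in toks[0] else None    # a port, or the dst address?
    dst, dst_mask = addr(), addr()
    dport = _ports(toks.pop(0)) if toks and toks[0] not in ("fragments", "log", "code") else None
    opts = {"fragments": False, "log": False}; code = code_mask = None
    while toks:
        opt = toks.pop(0)
        if opt in opts:
            opts[opt] = True
        elif opt == "code" and protocol == TCP:   # code is only allowed with tcp
            code, code_mask = int(toks.pop(0)), int(toks.pop(0))
            if not (0 <= code <= 63 and 0 <= code_mask <= 63): raise ValueError("code/bitmask 0-63")
        else:
            raise ValueError(f"unexpected token {opt!r}")
    if opts["fragments"] and (sport or dport):
        raise ValueError("fragments is not allowed when a port range is given")
    return number, Rule(action, protocol, src, src_mask, dst, dst_mask, sport, dport,
                        opts["fragments"], opts["log"], code, code_mask)

def matches(rule: Rule, pkt: Packet) -> bool:
    in_net = lambda a, net, mask: (int(IPv4Address(a)) & mask) == (net & mask)
    if rule.protocol not in ("any", pkt.protocol) or not (
            in_net(pkt.src, rule.src, rule.src_mask) and in_net(pkt.dst, rule.dst, rule.dst_mask)):
        return False
    if rule.sport or rule.dport or rule.code is not None:   # these need the L4 header
        if pkt.fragment: return False
        for rng, port in ((rule.sport, pkt.sport), (rule.dport, pkt.dport)):
            if rng and (port is None or not rng[0] <= port <= rng[1]): return False
        return rule.code is None or (pkt.flags & rule.code_mask) == (rule.code & rule.code_mask)
    return pkt.fragment or not rule.fragments     # rules without ports also match fragments

class FilterTable:
    def __init__(self) -> None:
        self.rules = []

    def add(self, line: str) -> None:
        number, rule = parse_rule(line)
        if len(self.rules) >= 128: raise ValueError("filter table is full (128 rules)")
        if number is not None and not 1 <= number <= len(self.rules) + 1:
            raise ValueError("rule-number exceeds the next available number")
        # no number appends; an explicit number inserts and shifts later rules down
        self.rules.insert(len(self.rules) if number is None else number - 1, rule)

    def evaluate(self, pkt: Packet) -> Optional[Tuple[int, str]]:
        for n, rule in enumerate(self.rules, 1):  # (rule number, action) of first match
            if matches(rule, pkt):
                return n, rule.action
        return None

def demo() -> dict:                               # NETMGT policy vs. constructed packets
    mgmt, t = "10.1.1.250", FilterTable()
    t.add(f"ip filter deny tcp 0.0.0.0 0.0.0.0 {mgmt} 255.255.255.255 code 2 18 log")  # SYN, no ACK
    t.add("ip filter permit any 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0")
    # inserted at 1, so the admin host's SSH is checked before the deny (which becomes rule 2)
    t.add(f"ip filter 1 permit tcp 10.1.1.10 255.255.255.255 {mgmt} 255.255.255.255 22")
    return {"admin_syn": t.evaluate(Packet(TCP, "10.1.1.10", mgmt, 40000, 22, SYN)),
            "other_syn": t.evaluate(Packet(TCP, "10.1.2.7", mgmt, 40001, 22, SYN)),
            "other_ack": t.evaluate(Packet(TCP, "10.1.2.7", mgmt, 40001, 22, ACK)),
            # non-initial fragment: neither the port rule nor the code rule can see it
            "fragment": t.evaluate(Packet(TCP, "10.1.2.7", mgmt, fragment=True))}
```

The demo() table denies new connections to NETMGT with code 2 and code-bitmask 18: the mask selects the SYN and ACK bits, and the code requires SYN set and ACK clear, so replies and established traffic (ACK set) fall through to the permit. The last packet shows why the syntax keeps fragments and port ranges apart: a non-initial fragment has no TCP header, so neither the port-22 rule nor the code rule can match it, and under this evaluator it reaches the permit-any catch-all. A policy that ends in a broad permit should therefore carry an explicit deny with the fragments option for the management address ahead of it.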
