238
DWS-1008 User’s Manual
D-Link Systems, Inc.
Configuring and Managing Security ACLs
Setting a TCP ACL
The following command filters TCP packets:
set security acl ip acl-name {permit [cos cos] | deny} tcp {source-ip-addr mask [operator port [port2]] destination-ip-addr mask [operator port [port2]]} [precedence precedence] [tos tos] [established] [before editbuffer-index | modify editbuffer-index] [hits]
For example, the following command permits packets sent from IP address 192.168.1.5 to
192.168.1.6 with the TCP destination port equal to 524, a precedence of 7, and a type of
service of 15, on an established TCP session, and counts the number of hits generated by
the ACE:
DWS-1008# set security acl ip acl-4 permit tcp 192.168.1.5 0.0.0.0 192.168.1.6 0.0.0.0 eq 524 precedence 7 tos 15 established hits
Setting a UDP ACL
The following command filters UDP packets:
set security acl ip acl-name {permit [cos cos] | deny} udp {source-ip-addr mask [operator port [port2]] destination-ip-addr mask [operator port [port2]]} [precedence precedence] [tos tos] [before editbuffer-index | modify editbuffer-index] [hits]
For example, the following command permits UDP packets sent from IP address 192.168.1.7
to IP address 192.168.1.8, with any UDP destination port less than 65,535. It puts this ACE
first in the ACL, and counts the number of hits generated by the ACE.
DWS-1008# set security acl ip acl-5 permit udp 192.168.1.7 0.0.0.0 192.168.1.8 0.0.0.0 lt 65535 precedence 7 tos 15 before 1 hits
Determining the ACE Order
The set security acl command creates a new entry in the edit buffer and appends the new entry as a rule at the end of an ACL, unless you specify otherwise. The order of ACEs is significant, because the earliest ACE takes precedence over later ACEs. To place the ACEs in the correct order, use the parameters before editbuffer-index and modify editbuffer-index. The first ACE is number 1.
To specify the order of the commands, use the following parameters:
• before editbuffer-index inserts an ACE before a specific location.
• modify editbuffer-index changes an existing ACE.
If the security ACL you specify when creating an ACE does not exist when you enter set security acl ip, the specified ACL is created in the edit buffer. If the ACL exists but is not in the edit buffer, the ACL reverts, or is rolled back, to the state when its last ACE was committed, but it now includes the new ACE.
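To show how the edit-buffer ordering described above interacts with the TCP and UDP syntax from the earlier sections, the following added Python model (not D-Link code and not part of the manual) parses commands in this page's set security acl ip form into an ordered ACE list and evaluates a packet against it, earliest match first. It assumes the address masks are wildcard masks in which a zero bit must match, supports only the operators the page's examples use (eq and lt), and accepts precedence, tos and hits without evaluating them.

```python
import ipaddress
import shlex

# Constructed model of this page's "set security acl ip" syntax (not D-Link code): assumes
# Cisco-style wildcard masks (0 bits must match) and only the page's operators (eq, lt).
OPERATORS = {"eq": lambda p, a: p == a, "lt": lambda p, a: p < a}
SKIP = {"precedence": 2, "tos": 2, "hits": 1}   # accepted but not evaluated: keyword -> token count
ip_int = lambda dotted: int(ipaddress.IPv4Address(dotted))

def parse_ace(cmd):   # -> (acl_name, ace, position) with position ("before"|"modify", n) or None
    t = shlex.split(cmd)
    ace = {"action": t[5], "proto": t[6], "established": False, "src_port": None, "dst_port": None}
    i, pos = 7, None
    for side in ("src", "dst"):                         # addr mask [operator port]
        ace[side], i = (ip_int(t[i]), ip_int(t[i + 1])), i + 2
        if t[i:i + 1] and t[i] in OPERATORS:
            ace[side + "_port"], i = (t[i], int(t[i + 1])), i + 2
    while i < len(t):
        if t[i] in ("before", "modify"):
            pos, i = (t[i], int(t[i + 1])), i + 2
        elif t[i] == "established":
            ace["established"], i = True, i + 1
        else:
            i += SKIP[t[i]]                             # KeyError on an unknown keyword
    return t[4], ace, pos

def matches(ace, proto, src, sport, dst, dport, established=False):
    if ace["proto"] != proto or (ace["established"] and not established):
        return False
    for (net, wild), rule, addr, port in ((ace["src"], ace["src_port"], src, sport),
                                          (ace["dst"], ace["dst_port"], dst, dport)):
        if (ip_int(addr) ^ net) & ~wild & 0xFFFFFFFF:   # set wildcard bits are "don't care"
            return False
        if rule and not OPERATORS[rule[0]](port, rule[1]):
            return False
    return True

def apply_ace(aces, cmd):   # edit buffer: append by default, "before n" inserts, "modify n" replaces
    _, ace, pos = parse_ace(cmd)
    if pos is None:
        aces.append(ace)
    elif pos[0] == "before":
        aces.insert(pos[1] - 1, ace)                    # ACE numbers are 1-based
    else:
        aces[pos[1] - 1] = ace

def first_match(aces, *pkt):   # the earliest matching ACE takes precedence over later ones
    return next(((a["action"], n) for n, a in enumerate(aces, 1) if matches(a, *pkt)), (None, None))
```

Appending the page's acl-4 permit after an existing deny for the same hosts leaves the deny in effect; re-entering it with before 1 makes the permit win, which is the ordering effect the section describes.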