Access control list configuration task list
61
OnSite Model 3210 User Manual
6 • Access control list configuration
Where the syntax is as follows:
If you place a deny ip any any rule at the top of an access-list profile, no packets will pass regardless of the other rules you defined.
Example: Create ICMP access control list entries

Select the access-list profile named WanRx and create the rules to filter all ICMP echo requests (as used by the ping command).

3210(cfg)#profile acl WanRx
3210(pf-acl)[WanRx]#deny icmp any any type 8 code 0
3210(pf-acl)[WanRx]#exit
3210(cfg)#
Keyword          Meaning

src              The source address to be included in the rule. An IP address in dotted-decimal format, e.g. 64.231.1.10.

src-wildcard     A wildcard for the source address. Expressed in dotted-decimal format, this value specifies which bits are significant for matching. One-bits in the wildcard indicate that the corresponding bits are ignored. An example of a valid wildcard is 0.0.0.255, which specifies a class C network.

any              Indicates that IP traffic to or from all IP addresses is to be included in the rule.

host src         The address of a single source host.

dest             The destination address to be included in the rule. An IP address in dotted-decimal format, e.g. 64.231.1.10.

dest-wildcard    A wildcard for the destination address. See src-wildcard.

host dest        The address of a single destination host.

msg name         The ICMP message name. The following are valid message names: administratively-prohibited, alternate-address, conversion-error, dod-host-prohibited, dod-net-prohibited, echo, echo-reply, general-parameter-problem, host-isolated, host-precedence-unreachable, host-redirect, host-tos-redirect, host-tos-unreachable, host-unknown, host-unreachable, information-reply, information-request, mask-reply, mask-request, mobile-redirect, net-redirect, net-tos-redirect, net-tos-unreachable, net-unreachable, network-unknown, no-room-for-option, option-missing, packet-too-big, parameter-problem, port-unreachable, precedence-unreachable, protocol-unreachable, reassembly-timeout, redirect, router-advertisement, router-solicitation, source-quench, source-route-failed, time-exceeded, timestamp-reply, timestamp-request, traceroute, ttl-exceeded, unreachable

type type        The ICMP message type. A number from 0 to 255 (inclusive).

code code        The ICMP message code. A number from 0 to 255 (inclusive).

cos group        Optional. Specifies that packets matched by this rule belong to a certain Class of Service (CoS). group is the CoS group name. For a detailed description of CoS configuration refer to chapter 7, "Link scheduler configuration" on page 68.
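The following added example (not part of the manual and not the 3210's own code) models how the keywords above are evaluated: wildcard masks where one-bits are ignored, ICMP type/code matching, and first-match rule ordering, which is why a deny ip any any at the top blocks everything. The default action when no rule matches is an assumption of this model and is passed in explicitly.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# "any" is the address 0.0.0.0 with an all-ones wildcard; "host X" is X with a zero wildcard.
ANY: Tuple[str, str] = ("0.0.0.0", "255.255.255.255")

def host(ip: str) -> Tuple[str, str]:
    return (ip, "0.0.0.0")

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """One-bits in the wildcard mark address bits that are ignored when matching."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

@dataclass
class Rule:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol; "icmp" only ICMP
    src: Tuple[str, str]             # (address, wildcard)
    dst: Tuple[str, str]
    icmp_type: Optional[int] = None  # "type" keyword, 0-255
    icmp_code: Optional[int] = None  # "code" keyword, 0-255

def matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if not wildcard_match(pkt["src"], *rule.src) or not wildcard_match(pkt["dst"], *rule.dst):
        return False
    if rule.icmp_type is not None and pkt.get("type") != rule.icmp_type:
        return False
    if rule.icmp_code is not None and pkt.get("code") != rule.icmp_code:
        return False
    return True

def evaluate(profile: list, pkt: dict, default: str = "permit") -> str:
    """First matching rule wins; 'default' (an assumption here) applies when nothing matches."""
    for rule in profile:
        if matches(rule, pkt):
            return rule.action
    return default

# Constructed profile mirroring the WanRx example: drop ICMP echo requests (type 8, code 0).
WAN_RX = [Rule("deny", "icmp", ANY, ANY, icmp_type=8, icmp_code=0)]
# Constructed profile with deny ip any any first: later permits never take effect.
DENY_FIRST = [Rule("deny", "ip", ANY, ANY), Rule("permit", "icmp", ANY, ANY)]
```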