Note: Filter names have a maximum of 15 characters. If longer names are used, they are truncated to 15 characters.
Note: Enter the commands on one line, without any breaks. Line breaks shown here are due to the limited space available.
Command Syntax | Reference |
---|---|
add filter Filtername | - see page 12-3 |
delete filter Filtername | - see page 12-4 |
save filter | - see page 12-4 |
set filter Filtername blank | - see page 12-5 |
set filter Filtername RuleNumber permit|deny [Ipaddress/NM Ipaddress(dest)/NM] [esp|ah|ipip|ospf] [log] [notify] | - see page 12-5 |
set filter Filtername RuleNumber permit|deny [Ipaddress/NM Ipaddress(dest)/NM] [protocol Number] [log] [notify] | - see page 12-5 |
set filter Filtername RuleNumber permit|deny =ListName Ipaddress(dest)/NM [esp|ah|ipip|ospf] [log] [notify] | - see page 12-5 |
set filter Filtername RuleNumber permit|deny =ListName Ipaddress(dest)/NM [protocol Number] [log] [notify] | - see page 12-5 |
set filter Filtername RuleNumber permit|deny Ipaddress/NM =ListName [esp|ah|ipip|ospf] [log] [notify] | - see page 12-5 |
set filter Filtername RuleNumber permit|deny Ipaddress/NM =ListName [protocol Number] [log] [notify] | - see page 12-6 |
set filter Filtername RuleNumber permit|deny [Ipaddress/NM Ipaddress(dest)/NM] tcp [src eq|lt|gt Tport] [dst eq|lt|gt Tport] [established] [log] [notify] | - see page 12-7 |
set filter Filtername RuleNumber permit|deny =ListName Ipaddress(dest)/NM tcp [src eq|lt|gt Tport] [dst eq|lt|gt Tport] [established] [log] [notify] | - see page 12-7 |
set filter Filtername RuleNumber permit|deny Ipaddress/NM =ListName tcp [src eq|lt|gt Tport] [dst eq|lt|gt Tport] [established] [log] [notify] | - see page 12-8 |
set filter Filtername RuleNumber permit|deny [Ipaddress/NM Ipaddress(dest)/NM] udp [src eq|lt|gt Uport] [dst eq|lt|gt Uport] [log] [notify] | - see page 12-10 |
set filter Filtername RuleNumber permit|deny =ListName Ipaddress(dest)/NM udp [src eq|lt|gt Uport] [dst eq|lt|gt Uport] [log] [notify] | - see page 12-10 |
set filter Filtername RuleNumber permit|deny Ipaddress/NM =ListName udp [src eq|lt|gt Uport] [dst eq|lt|gt Uport] [log] [notify] | - see page 12-10 |
set filter Filtername RuleNumber permit|deny [Ipaddress/NM Ipaddress(dest)/NM] icmp [type Itype] [log] [notify] | - see page 12-12 |
set filter Filtername RuleNumber permit|deny =ListName Ipaddress(dest)/NM icmp [type Itype] [log] [notify] | - see page 12-12 |
set filter Filtername RuleNumber permit|deny Ipaddress/NM =ListName icmp [type Itype] [log] [notify] | - see page 12-12 |
set ipxfilter Filtername RuleNumber permit|deny [srcnet Ipxnetwork] [srchost Ipxnode] [srcsocket eq|gt|lt Ipxsock] [dstnet Ipxnetwork] [dsthost Ipxnode] [dstsocket eq|gt|lt Ipxsock] | - see page 12-14 |
set sapfilter Filtername RuleNumber permit|deny [server String] [network Ipxnetwork] [host Ipxnode] [socket eq|gt|lt Ipxsock] | - see page 12-16 |
 | - see page 12-18 |
show table filter | - see page 12-18 |
Note: If a filter rule is set with no arguments, the rule is removed. If a filter rule is set with arguments without specifying permit or deny, permit is chosen by default.
add filter - page 12-3
show table filter - page 12-18
Command> save filter
Filter table successfully saved
New configurations successfully saved.
set filter blank
Command> set filter test blank
Removed all rules from filter test
delete filter - page 12-4
Note: Enter this command on one line, without any breaks. The line breaks shown here are due to the limited space available.
set filter Filtername RuleNumber permit|deny
[Ipaddress/NM Ipaddress(dest)/NM] [esp|ah|ipip|ospf] [log] [notify]
set filter Filtername RuleNumber permit|deny
[Ipaddress/NM Ipaddress(dest)/NM] [protocol Number] [log] [notify]
set filter Filtername RuleNumber permit|deny
=ListName Ipaddress(dest)/NM [esp|ah|ipip|ospf] [log] [notify]
set filter Filtername RuleNumber permit|deny
=ListName Ipaddress(dest)/NM [protocol Number] [log] [notify]
set filter Filtername RuleNumber permit|deny
Ipaddress/NM =ListName [esp|ah|ipip|ospf] [log] [notify]
set filter Filtername RuleNumber permit|deny
Ipaddress/NM =ListName [protocol Number] [log] [notify]
Note: Entering the command set filter Filtername without any arguments removes all filter rules from the filter.
Command> set filter w1.in 1 deny 192.168.1.0/24 0.0.0.0/0 log
Filter w1.in updated
add filter - page 12-3
set choicenet - page 3-31
set loghost - page 3-16
Note: Enter this command on one line, without any breaks. The line breaks shown here are due to the limited space available.
set filter Filtername RuleNumber permit|deny
[Ipaddress/NM Ipaddress(dest)/NM] tcp [src eq|lt|gt Tport]
[dst eq|lt|gt Tport] [established] [log] [notify]
set filter Filtername RuleNumber permit|deny
=ListName Ipaddress(dest)/NM tcp [src eq|lt|gt Tport]
[dst eq|lt|gt Tport] [established] [log] [notify]
set filter Filtername RuleNumber permit|deny
Ipaddress/NM =ListName tcp [src eq|lt|gt Tport]
[dst eq|lt|gt Tport] [established] [log] [notify]
Filtername | Name of an existing filter that is in the filter table. |
RuleNumber | Filter rule number, between 1 and 256. |
permit | Permits a packet that matches the filter to pass through the interface. This is the default. |
deny | Stops a packet that matches the filter from passing through the interface. The packet is dropped, and an ICMP "Host Unreachable" message is sent to the source address. |
Ipaddress | IP address expressed in dotted decimal notation, to compare with the source IP address of the packet. Hostnames are not recognized. |
/NM | Netmask that indicates the number of high-order bits of the source or destination IP address of the packet that must match an address in the filter. Any value between 0 and 32 can be used; common mask values are /0 (matches all packets with any address), /16 (compares the high-order 16 bits of the address), /24 (compares the high-order 24 bits of the address), and /32 (compares the entire IP address). |
Ipaddress(dest) | IP address expressed in dotted decimal notation, to compare with the destination IP address of the packet. Hostnames are not recognized. |
src | Specifies that the packet source port number be tested; see "Usage" for test criteria. |
eq, lt, or gt | Mode of comparison of port numbers: equal to (eq), less than (lt), or greater than (gt). |
Tport | Number of the designated TCP port. See Table B-1 on page B-1 for a list of the port numbers 20 through 1701 commonly assigned to TCP and UDP services. |
dst | Specifies that the packet destination port number be tested; see "Usage" for test criteria. |
established | Accepts only packets being sent to an established TCP network connection, and denies packets sent to establish new TCP connections. |
log | Packets matching the rule are logged by syslog to the loghost. |
notify | Packets matching the rule are logged by syslog to the source of the packet. If you have the ChoiceNet notifier installed, this keyword causes a notification pop-up to appear on your computer. |
=ListName | Specifies a list of source or destination sites in the /etc/choicenet/lists directory on the ChoiceNet server. The equal sign (=) must immediately precede the value. |
[src|dst eq] | Equals the port number in the filter. |
[src|dst gt] | Is greater than the port number in the filter. |
[src|dst lt] | Is less than the port number in the filter. |
Note: Entering the command set filter Filtername without any arguments removes all filter rules from the filter.
Command> set filter w1.in 1 deny 192.168.1.0/24 0.0.0.0/0 log
Filter w1.in updated
Command> set filter w1.in 2 permit tcp estab
Filter w1.in updated
Command> set filter w1.in 3 permit tcp dst eq 80
Filter w1.in updated
Command> set filter w1.in 4 permit tcp dst eq 25
Filter w1.in updated
Command> show filter w1.in
1 deny 192.168.1.0/24 0.0.0.0/0 ip log
2 permit 0.0.0.0/0 0.0.0.0/0 tcp estab
3 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 80
4 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 25
Note: Enter this command on one line, without any breaks. The line breaks shown here are due to the limited space available.
set filter Filtername RuleNumber permit|deny
[Ipaddress/NM Ipaddress(dest)/NM] udp [src eq|lt|gt Uport]
[dst eq|lt|gt Uport] [log] [notify]
set filter Filtername RuleNumber permit|deny
=ListName Ipaddress(dest)/NM udp [src eq|lt|gt Uport]
[dst eq|lt|gt Uport] [log] [notify]
set filter Filtername RuleNumber permit|deny
Ipaddress/NM =ListName udp [src eq|lt|gt Uport]
[dst eq|lt|gt Uport] [log] [notify]
Filtername | Name of an existing filter that is in the filter table. |
RuleNumber | Filter rule number, between 1 and 256. |
permit | Permits a packet that matches the filter to pass through the interface. This is the default. |
deny | Stops a packet that matches the filter from passing through the interface. The packet is dropped, and an ICMP "Host Unreachable" message is sent to the source address. |
Ipaddress | IP address expressed in dotted decimal notation, to compare with the source IP address of the packet. Hostnames are not recognized. |
/NM | Netmask that indicates the number of high-order bits of the source or destination IP address of the packet that must match an address in the filter. Any value between 0 and 32 can be used; common mask values are /0 (matches all packets with any address), /16 (compares the high-order 16 bits of the address), /24 (compares the high-order 24 bits of the address), and /32 (compares the entire IP address). |
Ipaddress(dest) | IP address expressed in dotted decimal notation, to compare with the destination IP address of the packet. Hostnames are not recognized. |
src | Specifies that the packet source port number be tested; see "Usage" for test criteria. |
eq, lt, or gt | Mode of comparison of port numbers: equal to (eq), less than (lt), or greater than (gt). |
Uport | Number of the designated UDP port. See Table B-1 on page B-1 for a list of the port numbers 20 through 1701 commonly assigned to TCP and UDP services. |
dst | Specifies that the packet destination UDP port number be tested; see "Usage" for test criteria. |
log | Packets matching the rule are logged by syslog to the loghost. |
notify | Packets matching the rule are logged by syslog to the source of the packet. If you have the ChoiceNet notifier installed, this keyword causes a notification pop-up to appear on your computer. |
=ListName | Specifies a list of source or destination sites in the /etc/choicenet/lists directory on the ChoiceNet server. The equal sign (=) must immediately precede the value. |
[src|dst eq] | Equals the port number in the filter. |
[src|dst gt] | Is greater than the port number in the filter. |
[src|dst lt] | Is less than the port number in the filter. |
Note: Entering the command set filter Filtername without any arguments removes all filter rules from the filter.
Command> set filter w1.in 5 permit udp src eq 53
Filter w1.in updated
Command> set filter w1.in 6 permit udp dst eq 53
Filter w1.in updated
add filter - page 12-3
set loghost - page 3-16
Note: Enter this command on one line, without any breaks. The line breaks shown here are due to the limited space available.
Note: Entering the command set filter Filtername without any arguments removes all filter rules from the filter.
set filter Filtername RuleNumber permit|deny
[Ipaddress/NM Ipaddress(dest)/NM] icmp [type Itype] [log] [notify]
set filter Filtername RuleNumber permit|deny
=ListName Ipaddress(dest)/NM icmp [type Itype] [log] [notify]
set filter Filtername RuleNumber permit|deny
Ipaddress/NM =ListName icmp [type Itype] [log] [notify]
Command> set filter w1.in 1 permit icmp
Filter w1.in updated
add filter - page 12-3
set loghost - page 3-16
Note: Enter this command on one line, without any breaks. The line breaks shown here are due to the limited space available.
set ipxfilter Filtername RuleNumber permit|deny
[srcnet Ipxnetwork] [srchost Ipxnode] [srcsocket eq|gt|lt Ipxsock]
[dstnet Ipxnetwork] [dsthost Ipxnode] [dstsocket eq|gt|lt Ipxsock]
eq | Equals the socket number in the filter. |
gt | Is greater than the socket number in the filter. |
lt | Is less than the socket number in the filter. |
Note: Entering the command set filter Filtername without any arguments removes all filter rules from the filter.
Command> set ipxfilter e0.in 1 permit dstnet 0xC009C901
Filter e0.in updated
Command> set ipxfilter e0.in 2 permit srcnet 0xC009C905
Filter e0.in updated
Command> set ipxfilter e0.in 3 permit srchost 0xA0B1C2D3
Filter e0.in updated
Command> set ipxfilter e0.in 4 permit dsthost 0xA1B2C3D4
Filter e0.in updated
Command> set ipxfilter e0.in 5 deny dstsocket eq 451
Filter e0.in updated
Command> set ipxfilter e0.in 6 permit srcsocket gt 455
Filter e0.in updated
Command> show ipxfilter e0.in
- IPX Rules -
1 permit dstnet C009C901
2 permit srcnet C009C905
3 permit srchost A0B1C2D3
4 permit dsthost A1B2C3D4
5 deny dstsocket eq 0451
6 permit srcsocket gt 0455
add filter - page 12-3
Note: Enter this command on one line, without any breaks. The line breaks shown here are due to the limited space available.
set sapfilter Filtername RuleNumber permit|deny [server String]
[network Ipxnetwork] [host Ipxnode] [socket eq|gt|lt Ipxsock]
eq | Equals the socket number in the filter. |
gt | Is greater than the socket number in the filter. |
lt | Is less than the socket number in the filter. |
Note: Entering the command set filter Filtername without any arguments removes all filter rules from the filter.
Command> set sapfilter e0.out 1 permit network C009C901
Filter e0.out updated
Command> set sapfilter e0.out 2 permit host A0B1C2D3E4F5
Filter e0.out updated
Command> set sapfilter e0.out 3 deny socket eq 452
Filter e0.out updated
Command> show sapfilter e0.out
1 permit network C009C901
2 permit host A0B1C2D3E4F5
3 deny socket eq 0452
add filter - page 12-3
Command> show filter internet.in
1 deny 192.168.200.0/24 0.0.0.0/0 ip
2 permit 0.0.0.0/0 0.0.0.0/0 tcp estab
3 permit 0.0.0.0/0 0.0.0.0/0 udp dst eq 53
4 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 53
5 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 25
6 permit 0.0.0.0/0 0.0.0.0/0 icmp
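The IP filter rules described above (source and destination address with a /NM prefix length, a protocol, src/dst eq|lt|gt port tests, estab, and icmp type) can be checked offline before they are applied to an interface. The following simulator is an added example and is not the device's or ChoiceNet's own filter code. It parses lines in the format printed by show filter, using the internet.in listing above as its input, and evaluates constructed packets against them. Two points the reference text does not state are assumptions here: rules are tested in ascending rule number with the first match deciding, and a packet that matches no rule is denied. The estab keyword is modelled as a boolean on the packet, and the sample addresses (203.0.113.5, 10.0.0.1) are constructed.

```python
"""Offline simulator for 'show filter' rules (added example, not the device's code).

Assumptions not stated in the reference: rules are tested in ascending rule
number, the first match decides, and a packet matching no rule is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortTest = Tuple[str, int]  # ("eq" | "lt" | "gt", port number)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp", "udp", "icmp" or another IP protocol name
    sport: int = 0
    dport: int = 0
    established: bool = False  # True for a TCP segment of an existing connection (assumed model of 'estab')
    icmp_type: Optional[int] = None


@dataclass
class Rule:
    number: int
    action: str                # "permit" or "deny"
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    proto: str = "ip"          # "ip" matches every protocol, as in rule 1 of internet.in
    sport: Optional[PortTest] = None
    dport: Optional[PortTest] = None
    established: bool = False
    icmp_type: Optional[int] = None
    log: bool = False


def parse_rule(line: str) -> Rule:
    """Parse one 'show filter' line, e.g. '3 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 80'."""
    tok = line.split()
    # /NM is the count of high-order bits that must match; strict=False lets a
    # host address such as 10.1.2.3/24 stand for its /24 network.
    rule = Rule(int(tok[0]), tok[1],
                ipaddress.ip_network(tok[2], strict=False),
                ipaddress.ip_network(tok[3], strict=False))
    if len(tok) > 4:
        rule.proto = tok[4]
    i = 5
    while i < len(tok):
        t = tok[i]
        if t in ("src", "dst"):            # src|dst eq|lt|gt Port
            op, port = tok[i + 1], int(tok[i + 2])
            if op not in ("eq", "lt", "gt"):
                raise ValueError(f"bad port comparison in rule {rule.number}: {line}")
            if t == "src":
                rule.sport = (op, port)
            else:
                rule.dport = (op, port)
            i += 3
        elif t in ("estab", "established"):
            rule.established = True
            i += 1
        elif t == "type":                  # icmp type Itype
            rule.icmp_type = int(tok[i + 1])
            i += 2
        elif t in ("log", "notify"):       # logging keywords do not affect matching
            rule.log = True
            i += 1
        else:
            raise ValueError(f"unknown keyword {t!r} in rule {rule.number}: {line}")
    return rule


def load_filter(text: str) -> List[Rule]:
    """Parse a whole 'show filter' listing into rules sorted by rule number."""
    return sorted((parse_rule(l) for l in text.splitlines() if l.strip()),
                  key=lambda r: r.number)


def _port_ok(test: Optional[PortTest], value: int) -> bool:
    if test is None:
        return True
    op, port = test
    return {"eq": value == port, "lt": value < port, "gt": value > port}[op]


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every criterion present in the rule is satisfied by the packet."""
    if ipaddress.ip_address(pkt.src) not in rule.src_net:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule.dst_net:
        return False
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not _port_ok(rule.sport, pkt.sport) or not _port_ok(rule.dport, pkt.dport):
        return False
    if rule.established and not pkt.established:  # estab rejects new connections
        return False
    if rule.icmp_type is not None and rule.icmp_type != pkt.icmp_type:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, rule number); ('deny', None) when no rule matched (assumed default)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.number
    return "deny", None


# Rule listing taken from the 'show filter internet.in' output in the text.
INTERNET_IN = """
1 deny 192.168.200.0/24 0.0.0.0/0 ip
2 permit 0.0.0.0/0 0.0.0.0/0 tcp estab
3 permit 0.0.0.0/0 0.0.0.0/0 udp dst eq 53
4 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 53
5 permit 0.0.0.0/0 0.0.0.0/0 tcp dst eq 25
6 permit 0.0.0.0/0 0.0.0.0/0 icmp
"""

if __name__ == "__main__":
    rules = load_filter(INTERNET_IN)
    # Constructed sample packets; 203.0.113.0/24 is a documentation range.
    print(evaluate(rules, Packet("192.168.200.7", "10.0.0.1", "tcp", 4000, 25)))  # spoofed inside address
    print(evaluate(rules, Packet("203.0.113.5", "10.0.0.1", "tcp", 4000, 25)))    # new inbound SMTP
    print(evaluate(rules, Packet("203.0.113.5", "10.0.0.1", "tcp", 80, 40000, established=True)))
    print(evaluate(rules, Packet("203.0.113.5", "10.0.0.1", "tcp", 4000, 23)))    # no rule: dropped
```

The first packet shows why rule 1 comes before the permits: a packet arriving from the Internet with an internal source address is dropped and logged regardless of protocol, because the rule's protocol is ip. The last packet shows the effect of the assumed implicit deny, and of estab on rule 2: a new connection to a port that no later rule permits never matches.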