3Com 3031 Installation Instructions

Introduction to ACL
the specified number to create a new rule. When no number is specified, a new rule is added and the system assigns a rule number to it automatically.
deny: Discard packets that match the rule.
permit: Permit packets that match the rule.
interface: Optional parameter specifying interface information for the packet. If it is not specified, the rule matches all interfaces.
interface-name: Name of the interface on which the packet enters; "any" can be used to represent all interfaces.
logging: Optional parameter indicating whether matching packets are logged. The log contents include the sequence number of the ACL rule, whether the packet was permitted or discarded, and the number of data packets.
time-range: Optional parameter specifying the time range in which the rule is valid.
time-name: Name of the time range in which the ACL rule is valid.
The following command can be used to delete an interface-based ACL rule:
undo rule rule-id
Parameter description:
rule-id: Number of the ACL rule, which must be an existing ACL rule number.
ACL Supporting Fragment
Traditional packet filtering does not process all IP packet fragments. It performs matching only on the first fragment and passes all follow-up fragments without inspection. This leaves a latent security hole: an attacker can construct follow-up fragments to carry out a traffic attack.
The packet filtering of the 3Com router provides a fragment filtering function. It performs Layer 3 (IP layer) matching on all fragments and, at the same time, provides two kinds of matching, normal matching and exact matching, for ACL rule entries that contain extension information (such as TCP/UDP port number and ICMP type). Normal matching matches on Layer 3 information only and omits non-Layer 3 information. Exact matching matches all fields of the ACL entry, which requires the firewall to record the state of the first fragment so as to obtain complete matching information for the follow-up fragments. The default mode is normal matching.
The keyword fragment is used in an ACL rule configuration entry to indicate that the rule is valid only for non-first fragments. For non-fragmented packets and first fragments, this rule is skipped. In contrast, a rule entry that does not contain this keyword is valid for all packets.
For example:
[3Com-basic-2000] rule deny source 202.101.1.0 0.0.0.255 fragment
[3Com-basic-2000] rule permit source 202.101.2.0 0.0.0.255
[3Com-adv-3001] rule permit ip destination 171.16.23.1 0 fragment
[3Com-adv-3001] rule deny ip destination 171.16.23.2 0
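The following added example (not 3Com's code) models the fragment-filtering semantics described above: the fragment keyword restricting a rule to non-first fragments, wildcard address matching as in ACL 2000, and the difference between normal matching (Layer 3 only on non-first fragments) and exact matching (Layer 4 state recorded from the first fragment). The Rule and Packet fields, the first-match rule order, the "no-match" result, treating a bare "0" wildcard as 0.0.0.0, and using a destination port as the extension information are assumptions of this illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
@dataclass
class Rule:
    action: str                    # "permit" or "deny"
    source: Optional[str] = None   # "address wildcard", e.g. "202.101.1.0 0.0.0.255"
    dest: Optional[str] = None
    dport: Optional[int] = None    # extension information (assumed here: a TCP/UDP port)
    fragment: bool = False         # keyword fragment: valid for non-first fragments only

@dataclass
class Packet:
    src: str
    dst: str
    ident: int = 0                 # IP identification, shared by fragments of one datagram
    frag_offset: int = 0           # 0 = non-fragment or first fragment
    dport: Optional[int] = None    # None on non-first fragments (they carry no Layer-4 header)

def wildcard_match(addr: str, spec: str) -> bool:
    """Router wildcard mask: a set bit means 'don't care'; a bare '0' is read as 0.0.0.0 (assumed)."""
    base, wild = spec.split()
    w = int(wild) if "." not in wild else int(ipaddress.IPv4Address(wild))
    a, b = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(base))
    return (a & ~w) == (b & ~w)

class Acl:
    def __init__(self, rules, exact=False):
        self.rules, self.exact = rules, exact
        self.first_frag = {}       # exact matching: Layer-4 state recorded from first fragments

    def evaluate(self, pkt: Packet) -> str:
        non_first = pkt.frag_offset > 0
        dport = pkt.dport
        if self.exact:             # exact matching: learn from the first fragment and
            key = (pkt.src, pkt.dst, pkt.ident)   # reuse it for the follow-up fragments
            if non_first:
                dport = self.first_frag.get(key)
            else:
                self.first_frag[key] = pkt.dport
        for r in self.rules:       # assumed: rules checked in order, first match wins
            if r.fragment and not non_first:
                continue           # rule is skipped for non-fragments and first fragments
            if (r.source and not wildcard_match(pkt.src, r.source)) or \
               (r.dest and not wildcard_match(pkt.dst, r.dest)):
                continue
            # normal matching compares only Layer-3 fields on non-first fragments
            if r.dport is not None and not (non_first and not self.exact):
                if dport != r.dport:
                    continue
            return r.action
        return "no-match"          # the device's implicit default is not covered on this page
```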