Cisco Packet Data Interworking Function (PDIF)
Firewall-and-NAT Policy Configuration Mode Commands
Command Line Interface Reference, StarOS Release 17
firewall dos-protection
This command configures Stateful Firewall protection for subscribers from Denial-of-Service (DoS) attacks.
Important:
In release 8.0, this configuration is available in the ACS Configuration Mode. In release 8.1, for
Rulebase-based Stateful Firewall configuration, this configuration is available in the ACS Rulebase Configuration
Mode. In release 8.3, this configuration is available in the ACS Rulebase Configuration Mode.
Product
PSF
Privilege
Security Administrator, Administrator
Mode
Exec > ACS Configuration > Firewall-and-NAT Policy Configuration
active-charging service service_name > fw-and-nat policy policy_name
Entering the above command sequence results in the following prompt:
[local]host_name(config-fw-and-nat-policy)#
Syntax
[ no ] firewall dos-protection { all | flooding { icmp | tcp-syn | udp } | ftp-bounce |
ip-sweep { icmp | tcp-syn | udp } | ip-unaligned-timestamp |
ipv6-dst-options [ invalid-options | unknown-options ] |
ipv6-extension-hdrs [ limit extension_limit ] | ipv6-frag-hdr nested-fragmentation |
ipv6-hop-by-hop [ invalid-options | jumbo-payload | router-alert | unknown-options ] |
mime-flood | port-scan | source-router | tcp-window-containment | teardrop | winnuke }
default firewall dos-protection
no
Disables Stateful Firewall protection for subscribers against the specified Denial of Service (DoS) attack(s).
default
Disables Stateful Firewall protection for subscribers against all DoS attacks.
all
Enables Stateful Firewall protection for subscribers against all DoS attacks supported by the Stateful Firewall service.
The IPv6 extension headers will be enabled only if the firewall validate-ip-options command is enabled in the Firewall-and-NAT policy configuration.
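An added example, not part of the Cisco reference: a Python check that reads configuration text and reports, for each Firewall-and-NAT policy, explicitly disabled protections, policies left with no DoS protection, and policies where all is set without firewall validate-ip-options (the dependency noted above). The sample configuration, its indentation and #exit terminators, the names acs1, gold, silver and bronze, and the reading of lines as commands applied in order are assumptions made for the example.

```python
import re
# Constructed sample; the indentation and "#exit" terminators are an assumed
# saved-config layout, and the service and policy names are made up.
SAMPLE = """\
active-charging service acs1
  fw-and-nat policy gold
    firewall validate-ip-options
    firewall dos-protection all
  #exit
  fw-and-nat policy silver
    firewall dos-protection all
    no firewall dos-protection port-scan
  #exit
  fw-and-nat policy bronze
    firewall dos-protection flooding tcp-syn
    default firewall dos-protection
  #exit
#exit
"""

POLICY = re.compile(r"fw-and-nat policy (\S+)$")
DOS = re.compile(r"(no |default )?firewall dos-protection ?(.*)$")

def audit(text):
    """Map each fw-and-nat policy to a list of findings (empty list = clean)."""
    pol, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := POLICY.match(line):
            cur = pol.setdefault(m.group(1), {"dos": {}, "vio": False})
        elif cur is None or line in ("#exit", "exit"):
            cur = None                      # outside any policy block
        elif line == "firewall validate-ip-options":
            cur["vio"] = True
        elif m := DOS.match(line):          # assumed: lines apply in order
            prefix, attack = (m.group(1) or "").strip(), m.group(2).strip()
            if prefix == "default":         # disables every protection
                cur["dos"].clear()
            else:                           # "no" disables the named one
                cur["dos"][attack] = prefix != "no"
    report = {}
    for name, p in pol.items():
        on = {a for a, v in p["dos"].items() if v}
        notes = [f"{a} explicitly disabled" for a, v in sorted(p["dos"].items()) if not v]
        if not on:
            notes = ["no DoS protection enabled"]
        elif "all" in on and not p["vio"]:
            notes.append("'all' without validate-ip-options: IPv6 extension headers off")
        report[name] = notes
    return report
```

Calling audit(SAMPLE) returns a dictionary keyed by policy name; an empty list means nothing was flagged for that policy.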
flooding { icmp | tcp-syn | udp }
Enables protection against the specified flooding attack:
icmp: Enables protection against ICMP Flood attack.