Cisco Cisco Packet Data Interworking Function (PDIF)
[ dynamic-only | static-and-dynamic ] firewall-ruledef firewall_ruledef_name
Specifies the Stateful Firewall ruledef to add to the rulebase. Optionally, the Stateful Firewall ruledef type
can be specified.
can be specified.
• dynamic-only: Firewall Dynamic Ruledef—Predefined ruledef that can be enabled/disabled by the
policy server, and is disabled by default.
• static-and-dynamic: Firewall Static and Dynamic Ruledef—Predefined ruledef that can be
disabled/enabled by the policy server, and is enabled by default.
• firewall_ruledef_name must be the name of a Stateful Firewall ruledef, and must be an alphanumeric
string of 1 through 63 characters.
deny [ charging-action charging_action_name ]
Denies packets if the rule is matched. An optional charging action can be specified. If a packet matches the
deny rule, action is taken as configured in the charging action. For Stateful Firewall ruledefs, only the
terminate-flow action is applicable, if configured in the specified charging action.
deny rule, action is taken as configured in the charging action. For Stateful Firewall ruledefs, only the
terminate-flow action is applicable, if configured in the specified charging action.
charging_action_name must be the name of a charging action, and must be an alphanumeric string of 1 through
63 characters.
63 characters.
permit [ nat-realm nat_realm_name | [ bypass-nat ] [ trigger open-port { aux_port_number | range
start_port_number to end_port_number } ] ]
start_port_number to end_port_number } ] ]
Permits packets.
• nat-realm nat_realm_name: Specifies the NAT realm to be used for performing NAT on subscriber
packets matching the Stateful Firewall ruledef.
If the NAT realm is not specified, then NAT will be bypassed. That is, NAT will not be applied on
subscriber packets that are matching a Stateful Firewall ruledef with no NAT realm name configured.
subscriber packets that are matching a Stateful Firewall ruledef with no NAT realm name configured.
nat_realm_name must be the name of a NAT realm, and must be an alphanumeric string of 1 through
31 characters.
31 characters.
• bypass-nat: Specifies that packets bypass NAT.
If the nat-realm is not configured, NAT is performed if the nat policy nat-required
CLI command is configured with the default-nat-realm option.
CLI command is configured with the default-nat-realm option.
Important
• trigger open-port { aux_port_number | range start_port_number to end_port_number }: Permits packets
if the rule is matched, and allows the creation of data flows for Stateful Firewall. Optionally a port trigger
can be specified to be used for this rule to limit the range of auxiliary data connections (a single or range
of port numbers) for protocols having control and data connections (like FTP). The trigger port will be
the destination port of an association which matches a rule.
can be specified to be used for this rule to limit the range of auxiliary data connections (a single or range
of port numbers) for protocols having control and data connections (like FTP). The trigger port will be
the destination port of an association which matches a rule.
◦aux_port_number: Specifies the number of auxiliary ports to open for traffic, and must be an integer
from 1 through 65535.
◦range start_port_number to end_port_number: Specifies the range of ports to open for subscriber
traffic.
Command Line Interface Reference, Modes A - B, StarOS Release 19
666
ACS Rulebase Configuration Mode Commands
firewall priority