Cisco Cisco Packet Data Interworking Function (PDIF)
action { deny [ charging-action charging_action_name ] | permit [ bypass-nat | nat-realm nat_realm_name
] }
] }
Specifies the default action for packets with no Stateful Firewall ruledef match.
permit [ bypass-nat | nat-realm nat_realm_name ]: Permit packets.
The bypass-nat keyword is only available in StarOS 8.3 and later releases.
Important
Optionally specify:
• bypass-nat: Specifies to bypass Network Address Translation (NAT).
• nat-realm nat_realm_name: Specifies a NAT realm to be used for performing NAT on subscriber
packets.
nat_realm_name must be the name of a NAT realm, and must be an alphanumeric string of 1 through
31 characters.
31 characters.
If neither bypass-nat or nat-realm are configured, NAT is performed if the nat policy nat-required CLI
command is configured with the default-nat-realm option.
command is configured with the default-nat-realm option.
Important
deny [ charging-action charging_action_name ]: Denies specified packets.
Optionally, a charging action can be specified.
charging_action_name must be the name of a charging action, and must be an alphanumeric string of 1 through
63 characters.
63 characters.
Usage Guidelines
Use this command to configure the default action to be taken on packets with no Stateful Firewall ruledef
matches.
matches.
If, for deny action, the optional charging action is configured, the action taken depends on what is configured
in the charging action. For the Stateful Firewall rule, the "flow action", "billing action", and "content ID" of
the charging action will be used to take action. If flow exists, flow statistics are updated.
in the charging action. For the Stateful Firewall rule, the "flow action", "billing action", and "content ID" of
the charging action will be used to take action. If flow exists, flow statistics are updated.
Allowing/dropping of packets is determined in the following sequence:
• Check is done to see if the packet matches any pinholes. If yes, no rule matching is done and the packet
is allowed.
• Stateful Firewall ruledef matching is done. If a rule matches, the packet is allowed or dropped as per
the firewall priority configuration.
• If no Stateful Firewall ruledef matches, the packet is allowed or dropped as per the no-ruledef-matches
configuration.
For a packet dropped due to Stateful Firewall ruledef match or no match (first packet of a flow), the charging
action applied is the one configured in the firewall priority or the firewall no-ruledef-matches command
respectively.
action applied is the one configured in the firewall priority or the firewall no-ruledef-matches command
respectively.
In StarOS 8.1, in the case of Policy-based Stateful Firewall, the charging action applied is the one configured
in the access-rule priority or the access-rule no-ruledef-matches command respectively.
in the access-rule priority or the access-rule no-ruledef-matches command respectively.
Command Line Interface Reference, Modes A - B, StarOS Release 19
661
ACS Rulebase Configuration Mode Commands
firewall no-ruledef-matches