Configuration command reference for router firewalls


First, access-list is used to create access rules.

(1) Create a standard access list

access-list [normal | special] listnumber1 {permit | deny} source-addr [source-mask]

(2) Create an extended access list

access-list [normal | special] listnumber2 {permit | deny} protocol source-addr source-mask [operator port1 [port2]] dest-addr dest-mask [operator port1 [port2] | icmp-type [icmp-code]] [log]

(3) Delete an access list

no access-list {normal | special} {all | listnumber [subitem]}

"Parameter description"

normal specifies that the rule is added to the normal time period.

special specifies that the rule is added to the special time period.

listnumber1 is a numeric value between 1 and 99, indicating that the rule belongs to a standard access list.

listnumber2 is a numeric value between 100 and 199, indicating that the rule belongs to an extended access list.

permit indicates that packets matching the condition are allowed.

deny indicates that packets matching the condition are prohibited.

protocol is the protocol type. ICMP, TCP and UDP are supported; other protocols are also supported, but without the concept of port comparison. ip has a special meaning and represents all IP protocols.

source-addr is the source address.

source-mask is the source address wildcard; it is optional in a standard access list and is taken as 0.0.0.0 if omitted.

dest-addr is the destination address.

dest-mask is the destination address wildcard.

operator [optional] is the port operator. Port comparison is supported when the protocol type is TCP or UDP; the supported comparisons are equal to (eq), greater than (gt), less than (lt), not equal to (neq) and between (range). When the operator is range, two ports follow it.

port1 appears when the protocol type is TCP or UDP; it can be a preset keyword (such as telnet) or a numeric value between 0 and 65535.

port2 appears when the protocol type is TCP or UDP and the operator is range; it can be a preset keyword (such as telnet) or a numeric value between 0 and 65535.

icmp-type [optional] appears when the protocol is ICMP and represents the ICMP message type; it can be a preset keyword (such as echo-reply) or a value between 0 and 255.

icmp-code appears when the protocol is ICMP and no preset keyword is selected; it represents the ICMP code, a numeric value between 0 and 255.

log [optional] indicates that packets matching the condition are to be logged.

listnumber is the sequence number of the access list to delete, a numeric value between 1 and 199.

subitem [optional] specifies the number of the rule to delete within access list listnumber.

"Default Condition"

By default, the system has no access rules configured.

"Command mode"

Global configuration Mode

"Use Guide"

Rules with the same sequence number can be regarded as one class of rules. They can be used not only to filter packets on an interface but also to decide whether a packet is "interesting", for example for DDR (dial-on-demand routing), where permit means interesting and deny means uninteresting.

For an extended access list, use ip in the protocol field to represent all IP protocols.

Rules with the same sequence number are arranged and matched according to a fixed principle, which can be observed with the show access-list command.

Example

Allow WWW access from the 10.1.1.0 network (source) to the 10.1.2.0 network (destination), but do not allow FTP.

Quidway(config)#access-list permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq www

Quidway(config)#access-list deny tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq ftp
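As an added example (not part of the original page or the vendor's own code), the following Python models the extended access-list syntax described above: it validates the list number range, the permit/deny action and the tcp/udp-only port comparison, applies wildcard-mask matching, and evaluates the page's two example rules against sample packets. It assumes list number 101 (the page's example lines omit the number) and the standard port numbers for the www, ftp and telnet keywords; only the destination-port operator is parsed, and rules are tried in the order given, since the device's own ordering is only visible via show access-list.

```python
import ipaddress
from typing import Optional
# Keyword ports named on the page (www, ftp, telnet) mapped to their standard IANA numbers.
PORT_KEYWORDS = {"www": 80, "ftp": 21, "telnet": 23}

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask semantics: a 1 bit in the mask means that address bit is ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def port_value(tok: str) -> int:
    # A port is either a preset keyword or a number between 0 and 65535.
    p = PORT_KEYWORDS[tok] if tok in PORT_KEYWORDS else int(tok)
    if not 0 <= p <= 65535:
        raise ValueError(f"port out of range: {tok}")
    return p

def parse_extended(line: str) -> dict:
    """Parse 'access-list <100-199> {permit|deny} <proto> <src> <mask> <dst> <mask> [op port [port2]]'."""
    t = line.lower().split()
    if t[0] != "access-list" or not t[1].isdigit() or not 100 <= int(t[1]) <= 199:
        raise ValueError("an extended rule needs a list number between 100 and 199")
    if t[2] not in ("permit", "deny"):
        raise ValueError("action must be permit or deny")
    rule = {"list": int(t[1]), "action": t[2], "proto": t[3], "src": t[4], "src_mask": t[5],
            "dst": t[6], "dst_mask": t[7], "op": None, "ports": ()}
    if len(t) > 8:  # the page allows a port comparison only for tcp and udp
        if rule["proto"] not in ("tcp", "udp"):
            raise ValueError("port comparison is only valid for tcp or udp")
        rule["op"] = t[8]
        rule["ports"] = tuple(port_value(p) for p in t[9:11 if t[8] == "range" else 10])
    return rule

def port_matches(rule: dict, dport: int) -> bool:
    op, p = rule["op"], rule["ports"]
    if op is None:
        return True
    single = {"eq": dport == p[0], "neq": dport != p[0], "gt": dport > p[0], "lt": dport < p[0]}
    return p[0] <= dport <= p[1] if op == "range" else single[op]

def evaluate(rules, proto: str, src: str, dst: str, dport: int = 0) -> Optional[str]:
    """Action of the first matching rule in the order given, or None if no rule matches."""
    for r in rules:
        if r["proto"] in ("ip", proto) and wildcard_match(src, r["src"], r["src_mask"]) \
                and wildcard_match(dst, r["dst"], r["dst_mask"]) and port_matches(r, dport):
            return r["action"]
    return None
# The page's two example rules, with an assumed list number 101 (the page's lines omit it).
RULES = [parse_extended("access-list 101 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq www"),
         parse_extended("access-list 101 deny tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq ftp")]
```

A packet that matches neither rule returns None rather than an action, because the page does not state what the device does with unmatched traffic.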

"Related Commands"

ip access-group

Second, clear access-list counters clears the statistics of access list rules.

clear access-list counters [listnumber]

"Parameter description"

listnumber [optional] is the sequence number of the rules whose statistics are cleared; if unspecified, the statistics of all rules are cleared.

"Default Condition"

By default, statistics are not cleared.

"Command mode"

Privileged user mode

"Use Guide"

Use this command to clear the statistics of the rules currently in use; without a rule number, the statistics of all rules are cleared.

Example

Example 1: Clear the statistics of the rules currently in use with sequence number 100.

Quidway#clear access-list counters 100

Example 2: Clear the statistics of all rules currently in use.

Quidway#clear access-list counters

"Related Commands"

access-list

Third, firewall enables or disables the firewall.

firewall {enable | disable}

"Parameter description"

enable means the firewall is enabled.

disable means the firewall is disabled.

"Default Condition"

By default, the firewall is disabled.

"Command mode"

Global configuration Mode

"Use Guide"

Use this command to enable or disable the firewall; the result can be seen with the show firewall command. If time-period packet filtering is in use, it is also closed when the firewall is closed, because this command controls the master switch of the firewall. When you close the firewall with the firewall disable command, the firewall's own statistics are also cleared.

Example

Enable the firewall.

Quidway(config)#firewall enable
