
Firewall Enhancements Release Note
Software Version 2.7.6
C613-10462-00 REV A
add firewall policy rule

Syntax  ADD FIREwall POLIcy=policy-name RUle=rule-id
        ACtion={ALLOw|DENY|NAT|NONat} INTerface=interface
        PROTocol={protocol|ALL|EGP|GRE|ICmp|OSPF|SA|TCP|UDP}
        [AFTer=hh:mm] [BEFore=hh:mm]
        [DAYs={ALL|MON|TUE|WED|THU|FRI|SAT|SUN|WEEKDay|WEEKEnd}[,...]]
        [ENCapsulation={NONE|IPSec}] [GBLIP=ipadd]
        [GBLPort={ALL|port[-port]|service-name}]
        [GBLRemoteip=ipadd[-ipadd]] [IP=ipadd[-ipadd]]
        [LISt={list-name|RADius|MACRADius}]
        [NATType={DOuble|ENAPt|ENHanced|NApt|REVerse|STAndard}]
        [NATMask=ipadd] [POrt={ALL|port[-port]|service-name}]
        [REMoteip=ipadd[-ipadd]] [SOurceport={ALL|port[-port]}]
        [TTL=hh:mm]
Description  The new enapt option for the nattype parameter specifies that the firewall performs Enhanced NAPT (ENAPT) on traffic that matches the rule.

IP and port parameters in policy rules
The first table below shows the IP address and port parameters that you can use when you create a rule that applies ENAPT to matching traffic (rule-based ENAPT, nattype=enapt). It indicates which parameters the rule matches against to select packets, and which parameters specify translations. The table also indicates whether each parameter refers to the source or the destination IP address or port. For example, when the private interface processes an outgoing packet for a session that the private side initiated, ip is the packet's source address and remoteip is its destination address.

The second table below shows the IP address and port parameters that you can use when you create a rule on a policy that uses interface-based ENAPT. Again it indicates which parameters the rule matches against to select packets, and which parameters specify translations. In this situation the rule specifies whether to allow or deny the traffic, and what the destination IP address and port are translated to. The interface-based ENAPT itself is defined with the add firewall policy nat command; where a rule specifies translations, the rule's translations override the interface-based translations.
Rule-based ENAPT (nattype=enapt), private interface, outgoing traffic:

  Type of address or port   Match       Translate to
  ------------------------  ----------  ---------------------------
  Source IP                 ip          gblip (required)
  Destination IP            remoteip    Not translated
  Source TCP/UDP port       sourceport  Translated; no user control
  Destination TCP/UDP port  port        Not translated

Interface-based ENAPT, public interface, incoming traffic destined for a
private server, etc.:

  Type of address or port   Match               Translate to
  ------------------------  ------------------  ---------------
  Destination IP            gblip (required)    ip (required)
  Source IP                 remoteip            Not translated
  Destination TCP/UDP port  gblport (required)  port (required)
  Source TCP/UDP port       sourceport          Not translated
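The two tables above describe which fields a rule selects on and which it rewrites, but not what that looks like packet by packet. The following is an added example, not AlliedWare code and not part of this release note: a small Python model that parses rule lines written in the add firewall policy rule syntax shown on this page and applies the two table semantics, outgoing on the private interface (source IP becomes gblip, source port is reassigned, destination untouched) and incoming on the public interface (gblip/gblport become ip/port, source untouched). The policy name "office", the interface names vlan1 and eth0, the addresses, and the sequential source-port allocation starting at 1024 are all constructed assumptions; the product does not document how it picks the translated source port, only that the user has no control over it.

```python
"""Model of ENAPT rule matching and translation as described in the two
tables above. Added example, not AlliedWare code. Port allocation policy
(sequential from 1024) is an assumption made for the model."""
from dataclasses import dataclass, replace
import ipaddress
import shlex


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int
    dst_port: int


def parse_rule(cmd):
    """Turn an 'add firewall policy=... rule=... key=value ...' line into a
    dict of lower-cased keys and values. Keywords are taken in full form."""
    tokens = shlex.split(cmd)
    if [t.lower() for t in tokens[:2]] != ["add", "firewall"]:
        raise ValueError("expected 'add firewall ...'")
    params = {}
    for tok in tokens[2:]:
        key, sep, value = tok.partition("=")
        if sep:
            params[key.lower()] = value.lower()
    return params


def _ip_in(addr, spec):
    """spec is 'ipadd' or 'ipadd-ipadd'; a missing spec matches anything."""
    if spec is None:
        return True
    lo, _, hi = spec.partition("-")
    a = ipaddress.ip_address(addr)
    return ipaddress.ip_address(lo) <= a <= ipaddress.ip_address(hi or lo)


def _port_in(port, spec):
    """spec is 'all', 'port' or 'port-port'; a missing spec matches anything."""
    if spec in (None, "all"):
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _proto_ok(pkt, spec):
    return spec in (None, "all") or pkt.protocol == spec


class EnaptEngine:
    """Applies one ENAPT rule per direction and keeps the session table that
    maps return traffic back to the private host."""

    def __init__(self, first_port=1024):
        self.next_port = first_port   # assumption: sequential allocation
        self.sessions = {}            # (gblip, gblport) -> (ip, port)

    def outgoing_private(self, pkt, rule):
        """Rule-based ENAPT on the private interface (first table): match on
        ip / remoteip / sourceport / port, rewrite source IP and source port."""
        if not (_proto_ok(pkt, rule.get("protocol"))
                and _ip_in(pkt.src_ip, rule.get("ip"))
                and _ip_in(pkt.dst_ip, rule.get("remoteip"))
                and _port_in(pkt.src_port, rule.get("sourceport"))
                and _port_in(pkt.dst_port, rule.get("port"))):
            return None               # rule does not select this packet
        gblip = rule["gblip"]         # required for nattype=enapt
        gblport = self.next_port      # translated; no user control
        self.next_port += 1
        self.sessions[(gblip, gblport)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=gblip, src_port=gblport)

    def incoming_public(self, pkt, rule):
        """Interface-based ENAPT on the public interface (second table): match
        on gblip / remoteip / gblport / sourceport, rewrite destination IP/port."""
        if not (_proto_ok(pkt, rule.get("protocol"))
                and _ip_in(pkt.dst_ip, rule.get("gblip"))
                and _ip_in(pkt.src_ip, rule.get("remoteip"))
                and _port_in(pkt.dst_port, rule.get("gblport"))
                and _port_in(pkt.src_port, rule.get("sourceport"))):
            return None
        return replace(pkt, dst_ip=rule["ip"], dst_port=int(rule["port"]))

    def return_traffic(self, pkt):
        """Reply to a session opened from the private side: the session table,
        not a rule, maps (gblip, gblport) back to the private (ip, port)."""
        key = (pkt.dst_ip, pkt.dst_port)
        if key not in self.sessions:
            return None
        ip, port = self.sessions[key]
        return replace(pkt, dst_ip=ip, dst_port=port)


# Constructed sample rules in the syntax from this page (names/addresses assumed).
OUT_RULE = parse_rule(
    "add firewall policy=office rule=1 action=nat interface=vlan1 "
    "protocol=tcp nattype=enapt ip=192.168.1.0-192.168.1.255 gblip=203.0.113.10")
IN_RULE = parse_rule(
    "add firewall policy=office rule=2 action=allow interface=eth0 "
    "protocol=tcp gblip=203.0.113.10 gblport=80 ip=192.168.1.20 port=8080")


def demo():
    eng = EnaptEngine()
    out = eng.outgoing_private(Packet("192.168.1.5", "198.51.100.7", "tcp", 40000, 443), OUT_RULE)
    back = eng.return_traffic(Packet("198.51.100.7", out.src_ip, "tcp", 443, out.src_port))
    inbound = eng.incoming_public(Packet("198.51.100.9", "203.0.113.10", "tcp", 51515, 80), IN_RULE)
    return out, back, inbound
```

Running demo() shows the three cases side by side: the outgoing packet leaves with source 203.0.113.10 and a firewall-chosen port while its destination is untouched, the reply is mapped back through the session table rather than a rule, and the inbound packet to gblip:gblport is delivered to ip:port with its source left alone. A packet whose source is outside the ip range of rule 1 returns None, i.e. the rule does not select it and some other rule or the policy default decides its fate.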