Home Theater Server User Manual
Table Of Contents
- Contents
- About This Document
- Network Security
- TCP SYN attacks
- IP TCP syn-proxy
- Granular application of syn-proxy feature
- Syn-def
- No response to non-SYN first packet of a TCP flow
- Prioritizing management traffic
- Peak BP utilization with TRAP
- Transaction Rate Limit (TRL)
- Understanding transaction rate limit
- Configuring transaction rate limit
- Configuring the maximum number of rules
- Saving a TRL configuration
- Transaction rate limit command reference
- Global TRL
- TRL plus security ACL-ID
- security acl-id
- Transaction rate limit hold-down value
- Displaying TRL rules statistics
- Displaying TRL rules in a policy
- Displaying IP address with held down traffic
- Refusing new connections from a specified IP address
- HTTP TRL
- Overview of HTTP TRL
- Configuring HTTP TRL
- Displaying HTTP TRL
- Display all HTTP TRL policies
- Display HTTP TRL policy from index
- Display HTTP TRL policy client
- Display HTTP TRL policy starting from index
- Display HTTP TRL policy matching a regular expression
- Display HTTP TRL policy client index (MP)
- Display HTTP TRL policy client index (BP)
- Display HTTP TRL policy for all client entries (BP)
- Downloading an HTTP TRL policy through TFTP
- HTTP TRL policy commands
- Logging for DoS Attacks
- Maximum connections
- clear statistics dos-attack
- Maximum concurrent connection limit per client
- Firewall load balancing enhancements
- Syn-cookie threshhold trap
- Service port attack protection in hardware
- Traffic segmentation
- DNS attack protection
- Access Control List
- How ServerIron processes ACLs
- Default ACL action
- Types of IP ACLs
- ACL IDs and entries
- ACL entries and the Layer 4 CAM
- Configuring numbered and named ACLs
- Modifying ACLs
- Displaying a list of ACL entries
- Applying an ACLs to interfaces
- ACL logging
- Dropping all fragments that exactly match a flow-based ACL
- Enabling ACL filtering of fragmented packets
- Enabling hardware filtering for packets denied by flow-based ACLs
- Enabling strict TCP or UDP mode for flow-based ACLs
- ACLs and ICMP
- Using ACLs and NAT on the same interface (flow-based ACLs)
- Displaying ACL bindings
- Troubleshooting rule-based ACLs
- IPv6 Access Control Lists
- Network Address Translation
- Syn-Proxy and DoS Protection
- Understanding Syn-Proxy
- Configuring Syn-Proxy
- DDoS protection
- Configuring a security filter
- Configuring a Generic Rule
- Configuring a rule for common attack types
- Configuring a rule for ip-option attack types
- Configuring a rule for icmp-type options
- Configuring a rule for IPv6 ICMP types
- Configuring a rule for IPv6 ext header types
- Binding the filter to an interface
- Clearing DOS attack statistics
- Clearing all DDOS Filter & Attack Counters
- Logging for DoS attacks
- Displaying security filter statistics
- Address-sweep and port-scan logging
- Secure Socket Layer (SSL) Acceleration
- SSL overview
- SSL acceleration on the ServerIron ADX
- Configuring SSL on a ServerIron ADX
- Basic SSL profile configuration
- Advanced SSL profile configuration
- Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
- Configuration Examples for SSL Termination and Proxy Modes
- SSL debug and troubleshooting commands
- Displaying socket information
108 ServerIron ADX Security Guide
53-1002440-03
Displaying NAT information
4
Displaying NAT statistics
To display NAT statistics, enter commands such as the following.
ServerIronADX# rconsole 1 1
ServerIronADX1/1#ServerIronADX_Lower1/1# show ip nat stat
Debug counters:
TCP FWD:
send nat unreachable tcp fwd) =0 nat tcp no ports avl = 2867811
nat tcp status zero = 0 nat tcp ip status zero = 0
nat tcp usr index null = 0
TCP REV:
send nat unreachable (tcp rev) =0 nat tcp rev no ports avl = 0
nat tcp rev status zero = 0 nat tcp rev ip status zero = 0
nat tcp rev usr index null = 0
UDP FWD:
send nat unreachable (udp_fwd) =0 nat udp fwd no ports avl = 0
nat udp fwd status zero = 0 nat udp fwd ip status zero = 0
nat udp fwd usr index null = 0
UDP REV:
send nat unreachable (udp rev) =0 nat udp rev no ports avl = 0
nat udp rev status zero = 0 nat udp rev ip status zero = 0
nat udp rev usr index null = 0
nat corruption = 0 rtsp port unavailable = 0
RTSP inside alloc same = 53271 RTSP reply port not same= 0
Wrong port range = 0
Total translations: 12433 (0 static, 12433 dynamic)
Hits: 5786108 Misses: 94
Expired translations: 5773769
Dynamic mappings:
pool p1: prefix_len= 24
start 15.15.15.15 end 15.15.15.20
total addresses 6 overloaded
[0]: h: 0 t: 0 m: 248a6000 T: 384 f: 384
[1]: h: 0 t: 0 m: 248ab000 T: 384 f: 384
[2]: h: 0 t: 0 m: 29f33000 T: 384 f: 384
[3]: h: 0 t: 0 m: 2a5cb000 T: 384 f: 384
[4]: h: 0 t: 0 m: 2a5d4000 T: 384 f: 384
[5]: h: 0 t: 0 m: 2a5dd000 T: 384 f: 384
[0]: h: 0 t: 0 m: 248a8000 T: 320 f: 320
[1]: h: 0 t: 0 m: 29f30000 T: 320 f: 320
[2]: h: 0 t: 0 m: 2a5c4000 T: 320 f: 320
[3]: h: 0 t: 0 m: 2a5cd000 T: 320 f: 320
[4]: h: 0 t: 0 m: 2a5d6000 T: 320 f: 320
[5]: h: 0 t: 0 m: 2a5df000 T: 320 f: 320
[0]: h: 972 t: 5653 m: 248a2000 T: 7168 f: 4681
[1]: h: 972 t: 5653 m: 2a5bc000 T: 7168 f: 4681
[2]: h: 2520 t: 656 m: 2a5c0000 T: 7168 f: 5304
[3]: h: 2520 t: 655 m: 2a5c7000 T: 7168 f: 5303
Sess: Total 2000000, Avail 1950226, NAT 24886
Stream media=1, RTSP=(1:94547), MMS=(1:0), PNM=(1:0)
Inside global Last Inside Local xmit pkts xmit bytes rx pkts rx bytes cnt
15.15.15.15 20.20.2.15 89909 7619664 44954 8023584 2487
15.15.15.16 20.20.2.16 89907 7619447 44950 8023575 2487
15.15.15.17 20.20.2.11 67428 5714424 33712 6017592 1864
15.15.15.18 20.20.2.12 67428 5714424 33712 6017592 1865
15.15.15.19 20.20.2.13 67432 5714763 33714 6017949 1865
15.15.15.20 20.20.2.14 67434 5714883 33714 6017949 1865