Home Theater Server User Manual
Table Of Contents
- Contents
- About This Document
- Network Security
- TCP SYN attacks
- IP TCP syn-proxy
- Granular application of syn-proxy feature
- Syn-def
- No response to non-SYN first packet of a TCP flow
- Prioritizing management traffic
- Peak BP utilization with TRAP
- Transaction Rate Limit (TRL)
- Understanding transaction rate limit
- Configuring transaction rate limit
- Configuring the maximum number of rules
- Saving a TRL configuration
- Transaction rate limit command reference
- Global TRL
- TRL plus security ACL-ID
- security acl-id
- Transaction rate limit hold-down value
- Displaying TRL rules statistics
- Displaying TRL rules in a policy
- Displaying IP address with held down traffic
- Refusing new connections from a specified IP address
- HTTP TRL
- Overview of HTTP TRL
- Configuring HTTP TRL
- Displaying HTTP TRL
- Display all HTTP TRL policies
- Display HTTP TRL policy from index
- Display HTTP TRL policy client
- Display HTTP TRL policy starting from index
- Display HTTP TRL policy matching a regular expression
- Display HTTP TRL policy client index (MP)
- Display HTTP TRL policy client index (BP)
- Display HTTP TRL policy for all client entries (BP)
- Downloading an HTTP TRL policy through TFTP
- HTTP TRL policy commands
- Logging for DoS Attacks
- Maximum connections
- clear statistics dos-attack
- Maximum concurrent connection limit per client
- Firewall load balancing enhancements
- Syn-cookie threshhold trap
- Service port attack protection in hardware
- Traffic segmentation
- DNS attack protection
- Access Control List
- How ServerIron processes ACLs
- Default ACL action
- Types of IP ACLs
- ACL IDs and entries
- ACL entries and the Layer 4 CAM
- Configuring numbered and named ACLs
- Modifying ACLs
- Displaying a list of ACL entries
- Applying an ACLs to interfaces
- ACL logging
- Dropping all fragments that exactly match a flow-based ACL
- Enabling ACL filtering of fragmented packets
- Enabling hardware filtering for packets denied by flow-based ACLs
- Enabling strict TCP or UDP mode for flow-based ACLs
- ACLs and ICMP
- Using ACLs and NAT on the same interface (flow-based ACLs)
- Displaying ACL bindings
- Troubleshooting rule-based ACLs
- IPv6 Access Control Lists
- Network Address Translation
- Syn-Proxy and DoS Protection
- Understanding Syn-Proxy
- Configuring Syn-Proxy
- DDoS protection
- Configuring a security filter
- Configuring a Generic Rule
- Configuring a rule for common attack types
- Configuring a rule for ip-option attack types
- Configuring a rule for icmp-type options
- Configuring a rule for IPv6 ICMP types
- Configuring a rule for IPv6 ext header types
- Binding the filter to an interface
- Clearing DOS attack statistics
- Clearing all DDOS Filter & Attack Counters
- Logging for DoS attacks
- Displaying security filter statistics
- Address-sweep and port-scan logging
- Secure Socket Layer (SSL) Acceleration
- SSL overview
- SSL acceleration on the ServerIron ADX
- Configuring SSL on a ServerIron ADX
- Basic SSL profile configuration
- Advanced SSL profile configuration
- Configuring Real and Virtual Servers for SSL Termination and Proxy Mode
- Configuration Examples for SSL Termination and Proxy Modes
- SSL debug and troubleshooting commands
- Displaying socket information
78 ServerIron ADX Security Guide
53-1002440-03
Enabling strict TCP or UDP mode for flow-based ACLs
2
Syntax: [no] ip strict-acl-udp
This command configures the device to compare all UDP packets against the configured ACLs
before forwarding them.
To disable the strict ACL mode and return to the default ACL behavior, enter the following
command.
ServerIronADX(config)# no ip strict-acl-udp
NOTE
Enter the ip rebind-acl command at the global CONFIG level of the CLI to place the ip strict-acl-udp
or no ip strict-acl-udp command into effect.
Configuring ACL packet and flow counters
You can configure counters for packets and flows that match entries in an ACL. Using the CLI, you
can display the contents of the counters and clear them:
• The ACL packet counter feature provides an accurate count of packets matching individual ACL
entries.
• The ACL flow counter feature provides an approximate count of flows matching individual ACL
entries. This feature can be used for troubleshooting purposes to provide an indication of flow
activity against an ACL. Each time the Brocade device receives the first packet of a flow
matching an entry in an ACL list, the flow counter for that ACL entry is incremented by one. If a
flow lasts longer than two minutes, the flow counter for the ACL entry is incremented again.
NOTE
The ACL flow counter feature is designed to monitor the general volume of flow activity for an
ACL. It is not intended to be used for accounting purposes.
The ACL flow and packet counters are incremented differently depending on whether packets are
handled by the Management Processor (MP), and whether they are permit or deny flows.
The Management Processor (MP) handles flows as follows.
For flows handled by the Management Processor:
• For permit flows, only flows are counted. If a permit flow lasts longer than two minutes, the flow
counter is incremented again.
• For deny flows, only packets are counted.
By default the ACL packet and flow counters are disabled. To activate them, enter the following
command.
ServerIronADX(config)# enable-acl-counter
Syntax: [no] enable-acl-counter
Once the ACL packet and flow counters are enabled, you can disable them with the no form of the
enable-acl-counter command. Disabling and then re-enabling the ACL packet and flow counters
resets them to zero.
To display the packet and flow counters for ACL 100.