Specifications

acl permit|deny tcp
60 SSR Command Line Interface Reference Manual
<SrcPort>
    For TCP or UDP, is the number of the source TCP or UDP port. This field
    applies only to incoming TCP or UDP traffic. You can specify a range of
    port numbers using operator symbols; for example, 10-20 (between 10
    and 20 inclusive), >1024 (greater than 1024), <1024 (less than 1024),
    !=1024 (not equal to 1024). The port numbers of some popular services
    are already defined as keywords. For example, for Telnet, you can enter
    the port number 23 as well as the keyword telnet.

<DstPort>
    For TCP or UDP, is the number of the destination TCP or UDP port.
    This field applies only to incoming TCP or UDP traffic. The same
    requirements and restrictions for <SrcPort> apply to <DstPort>.

<tos>
    Is the IP TOS (Type of Service) value. You can specify a TOS value from
    0 – 15.

accounting
    Is valid with the permit command only. This keyword causes LFAP
    accounting information to be sent to the configured server for flows
    that match the ACL.

established
    Allows TCP responses from external hosts, provided the connection
    was established internally.

Restrictions
When you apply an ACL to an interface, the SSR appends an implicit deny rule to that ACL.
The implicit deny rule denies all traffic. If you intend to allow all traffic that doesn't
match your specified ACL rules to go through, you must explicitly define a rule to permit
all traffic.

Examples
To create an ACL to permit TCP traffic from the subnet 10.21.33.0 (with a 24 bit netmask)
to any destination:

ssr(config)# acl 100 permit tcp 10.21.33.0/255.255.255.0 any

To create an ACL to deny any incoming HTTP traffic:

ssr(config)# acl noweb deny tcp any any http any

To create an ACL to permit FTP traffic (both command and data ports) from subnet
10.31.34.0 to 10.31.60.0:

ssr(config)# acl ftp100 permit tcp 10.31.34.0/24 10.31.60.0/24 20-21 any
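
The port operators and the implicit deny rule described above, modeled in Python as an added example (not part of the manual and not SSR code). It assumes that omitted trailing fields mean any and that the first matching rule decides; http=80 is the well-known port, not a value taken from this page, and the test packets are constructed.

```python
import ipaddress

# telnet=23 is stated in the manual text; http=80 is the well-known port.
KEYWORDS = {"telnet": 23, "http": 80}

def port_matches(spec, port):
    """Apply one <SrcPort>/<DstPort> expression to a port number."""
    if spec == "any":
        return True
    if spec.startswith("!="):
        return port != int(spec[2:])
    if spec[0] in "<>":
        return port > int(spec[1:]) if spec[0] == ">" else port < int(spec[1:])
    if "-" in spec:
        low, high = (int(p) for p in spec.split("-"))
        return low <= port <= high          # range is inclusive
    return port == (int(spec) if spec.isdigit() else KEYWORDS[spec])

def addr_matches(spec, addr):
    """Match an address against 'any' or a subnet in /bits or /netmask form."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def parse_rule(line):
    """Parse 'acl <name> permit|deny tcp <src> <dst> <sport> <dport> ...'."""
    words = line.split()
    words = words[words.index("acl") + 1:]    # drop the CLI prompt
    fields = (words[3:7] + ["any"] * 4)[:4]   # assumption: omitted = any
    return {"action": words[1], "src": fields[0], "dst": fields[1],
            "sport": fields[2], "dport": fields[3]}

def evaluate(rules, src, dst, sport, dport):
    """Return the action for a packet; unmatched traffic is denied."""
    for r in rules:                           # assumption: first match wins
        if (addr_matches(r["src"], src) and addr_matches(r["dst"], dst)
                and port_matches(r["sport"], sport)
                and port_matches(r["dport"], dport)):
            return r["action"]
    return "deny"                             # the implicit deny rule

ACL_100 = [parse_rule("ssr(config)# acl 100 permit tcp 10.21.33.0/255.255.255.0 any")]
ACL_FTP = [parse_rule("ssr(config)# acl ftp100 permit tcp 10.31.34.0/24 10.31.60.0/24 20-21 any")]

if __name__ == "__main__":
    print(evaluate(ACL_100, "10.21.33.7", "192.0.2.1", 40000, 23))  # in subnet
    print(evaluate(ACL_100, "10.21.34.7", "192.0.2.1", 40000, 23))  # outside
    print(evaluate(ACL_FTP, "10.31.34.5", "10.31.60.9", 22, 5000))  # port 22
```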