Product specifications
Efficient Networks® Router family Technical Reference Guide
Chapter 5: System Security
Page 5-37
message logging - Specify one of these options to determine when watch messages are
displayed for this firewall rule. The messages are sent to the console serial port and
to a Syslog server, if one is configured. There are two options:
-q | -v
Quiet - If -q (quiet) is specified, no messages are displayed for this firewall rule,
even if the rule causes a packet to be dropped. This is the default setting for firewall
allow rules.
Verbose - If -v (verbose) is specified, a message is displayed every time this
firewall rule matches a packet, regardless of the rule action.
-> firewall allow -p tcp -sa 192.168.1.34 -q -d out
direction - Specify one of these options to set the direction of the packet to which the
firewall rule is applied. If no direction parameter is specified, the direction defaults to
both. The parameter must be preceded by -d.
in | out
-> firewall allow -p tcp -sa 192.168.1.34 -v -d out
Examples
The following examples assume that the machines behind the router are on the
subnet 192.168.1.0 with a subnet mask of 255.255.255.0. The router has a WAN
address of 12.10.1.1.
• To allow the machines behind the router to FTP to any machine on the Internet,
enter this firewall rule:
-> firewall allow -a FTP -sa 192.168.1.0 -sm 255.255.255.0 -d out
• To allow the machines behind the router to FTP to one specific machine on the
Internet, say 64.12.11.1, use the command:
-> firewall allow -a FTP -sa 192.168.1.0 -sm 255.255.255.0 -da 64.12.11.1 -d out
• To allow all the machines behind the router except, say, 192.168.1.20 to FTP to
any machine on the Internet, you will need to enter two rules: one allow rule and
one deny rule. The rules to specify this are:
-> firewall deny -a FTP -sa 192.168.1.20 -d out
-> firewall allow -a FTP -sa 192.168.1.0 -sm 255.255.255.0 -d out
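To check how the -sa/-sm mask, the -d direction and the -q/-v logging options described above combine, here is an added Python model of the firewall allow|deny syntax on this page. It is example code written for this guide, not firmware code from Efficient Networks. Everything beyond the page's own syntax is an assumption: the first matching rule wins (so the deny rule for the excepted host is listed first, as in the third example), -da names a single host, the FTP keyword maps to TCP port 21, and a packet matching no rule is reported as nomatch because the page does not state the default policy.

```python
import ipaddress
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed mapping for the -a (application) keyword; the page only shows FTP.
APP_PORTS = {"FTP": ("tcp", 21)}


@dataclass
class Rule:
    action: str                                  # "allow" or "deny"
    proto: Optional[str] = None                  # -p
    app: Optional[str] = None                    # -a
    src: Optional[ipaddress.IPv4Network] = None  # -sa, narrowed by -sm
    dst: Optional[ipaddress.IPv4Network] = None  # -da (assumed: a single host)
    direction: str = "both"                      # -d; defaults to both
    verbose: bool = False                        # -v; -q (quiet) is the default


@dataclass
class Packet:
    """Constructed packet summary: proto is 'tcp'/'udp', direction is 'in'/'out'."""
    proto: str
    src: str
    dst: str
    dport: int
    direction: str


def parse_rule(cmd: str) -> Rule:
    """Parse one 'firewall allow|deny ...' line; a leading '->' prompt is ignored."""
    text = cmd.strip()
    if text.startswith("->"):
        text = text[2:].strip()
    tokens = shlex.split(text)
    if len(tokens) < 2 or tokens[0] != "firewall" or tokens[1] not in ("allow", "deny"):
        raise ValueError(f"not a firewall allow/deny command: {cmd!r}")
    rule = Rule(action=tokens[1])
    src_addr = src_mask = None
    i = 2
    while i < len(tokens):
        opt = tokens[i]
        if opt in ("-q", "-v"):             # logging flags take no value
            rule.verbose = opt == "-v"
            i += 1
            continue
        if i + 1 >= len(tokens):
            raise ValueError(f"option {opt} needs a value")
        val = tokens[i + 1]
        if opt == "-p":
            rule.proto = val.lower()
        elif opt == "-a":
            rule.app = val.upper()
        elif opt == "-sa":
            src_addr = val
        elif opt == "-sm":
            src_mask = val
        elif opt == "-da":
            rule.dst = ipaddress.IPv4Network(val)    # one host, /32
        elif opt == "-d":
            if val not in ("in", "out"):
                raise ValueError(f"direction must be in or out, got {val!r}")
            rule.direction = val
        else:
            raise ValueError(f"unknown option {opt!r}")   # e.g. a mask typed without -sm
        i += 2
    if src_addr:   # without -sm the source is a single host
        rule.src = ipaddress.IPv4Network((src_addr, src_mask or "255.255.255.255"), strict=False)
    return rule


def is_valid_rule(cmd: str) -> bool:
    try:
        parse_rule(cmd)
        return True
    except ValueError:
        return False


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.app and APP_PORTS.get(rule.app) != (pkt.proto, pkt.dport):
        return False
    if rule.src and ipaddress.IPv4Address(pkt.src) not in rule.src:
        return False
    if rule.dst and ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    return rule.direction in ("both", pkt.direction)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, List[str]]:
    """First matching rule wins (assumption). A quiet rule logs nothing even when
    it drops; a verbose rule logs every match. No match returns 'nomatch'."""
    for rule in rules:
        if matches(rule, pkt):
            msgs = []
            if rule.verbose:
                msgs.append(f"firewall {rule.action}: {pkt.proto} {pkt.src} -> "
                            f"{pkt.dst}:{pkt.dport} ({pkt.direction})")
            return rule.action, msgs
    return "nomatch", []
```

Feeding the two rules of the third example to evaluate() with an outbound FTP packet from 192.168.1.20 returns deny, while the same packet from 192.168.1.34 returns allow and an inbound packet from 192.168.1.34 matches neither rule; is_valid_rule() rejects a line in which the mask is given without the -sm keyword.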