Specifications

268 Chapter 8. Command Reference
If no line numbers are specified, all filters in the list are deleted. If only the first line number is specified,
all filters from that line to the end are deleted. To see the line numbers, use the remote ipfilter list
command. Filters are used in the order they appear in their list.
remote ipfilter clear [<first line> [<last line>]] [<type>] <clear arg> <remoteName>
Resets the counters for the specified filters. A filter has a counter if the -c parameter was specified for the
filter.
You can specify the filters whose counters are to be reset by their line number range and type (input,
output, or forward). If no type is specified, the counters for all filters for the interface are reset. If no line
numbers are specified, the counters for all filters for that type and interface are reset. If only the first line
number is specified, all counters for filters from that line to the end are reset. To see the line numbers and
counters, use the remote ipfilter list command.
remote ipfilter check <type> <parameters> <remoteName>
Checks the action that would be taken if a packet with the specified parameters was compared with the
list of filters defined for the specified type and remote router entry.
For example, the command
remote ipfilter check input -p TCP branch1
would check what action (accept, drop, reject, inipsec, outipsec) would be taken for a TCP packet after it
was compared with the list of input filters defined for remote router branch1.
remote ipfilter list <type> <remoteName>
Lists all filters of the specified <type> (Input, Output, or Forward) for this remote router entry.
remote ipfilter watch <on | off> [-q | -v] <remoteName>
Turns on or turns off the console watch for this remote router entry. If the watch is on, a message is
printed to the console serial port when a packet is dropped or rejected. (The message is also sent to any
Syslog servers; see Syslog Client, on page 153.)
However, if the parameter -q (quiet) was specified for a filter, no message is printed when that filter
matches a packet. If the parameter -v (verbose) was specified for a filter, a message is printed whenever
that filter matches a packet, regardless of the filter action.
To see the messages, Telnet to the router and enter system log start. The watch does not continue after a
restart or reboot; to resume the watch, you must enter the remote ipfilter watch on command again.
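
An added illustration (not from the manual, and not the router's own code): a small Python model of how an ordered filter list, the -c counters, and the -q and -v watch rules interact, useful for predicting which matches will reach the console and Syslog. The names Filter, evaluate and clear_counters, the 1-based line numbers, the default action for unmatched packets, the requirement that the watch be on for -v messages, and -q taking precedence over -v are all assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Filter:
    action: str                      # accept, drop, reject, inipsec, outipsec
    protocol: Optional[str] = None   # -p value; None matches any protocol
    quiet: bool = False              # -q: never print a watch message
    verbose: bool = False            # -v: print a message on every match
    counted: bool = False            # -c: keep a match counter
    hits: int = 0

def evaluate(filters, packet, watch_on=True, default="accept"):
    """Return (action, line, logged) for one packet against an ordered list."""
    for line, f in enumerate(filters, start=1):   # assumed 1-based numbering
        if f.protocol in (None, packet["protocol"]):
            if f.counted:
                f.hits += 1
            # The watch reports drops and rejects; -v reports any action.
            noisy = f.verbose or f.action in ("drop", "reject")
            # Assumption: -q wins if both -q and -v are set on a filter.
            return f.action, line, watch_on and noisy and not f.quiet
    # Assumption: nothing matched, so a caller-supplied default applies.
    return default, None, watch_on and default in ("drop", "reject")

def clear_counters(filters, first=None, last=None):
    """Range rules of 'clear': no numbers = all, first only = to the end."""
    start = 1 if first is None else first
    end = len(filters) if last is None else last
    for f in filters[start - 1:end]:
        f.hits = 0

# Constructed input list for a remote entry such as branch1.
INPUT_FILTERS = [
    Filter("accept", protocol="TCP", verbose=True, counted=True),
    Filter("drop", protocol="UDP", quiet=True, counted=True),
    Filter("reject", protocol="ICMP"),
    Filter("drop"),                  # catch-all for everything else
]

if __name__ == "__main__":
    for proto in ("TCP", "UDP", "ICMP", "GRE"):
        print(proto, evaluate(INPUT_FILTERS, {"protocol": proto}))
```

In this model the quiet UDP drop on line 2 produces no watch message, so its -c counter is the only evidence that the filter is matching traffic.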
The filter type specifies at which point the filter is compared to the IP packet (see the illustration under IP Filtering,
on page 119):
input Filter is used when the packet enters the interface, before any IP address translation is performed.
forward Filter is used after any IP address translation, but before routing is performed.
output Filter is used after routing and IP address translation have been performed, just before the packet is sent out an interface.
If the packet matches the filter, the specified action is performed:
accept The packet is allowed to proceed for further processing.