Specifications

270 Chapter 8. Command Reference
- Specify -tcp noflag if neither the SYN flag nor the ACK flag can be set.
For example, for the IP filter to match the initiation of a TCP connection, specify -tcp syn. The filter will
match TCP packets that have the TCP SYN flag set but not the TCP ACK flag set. For the filter to match the
response to initiation of a TCP connection, specify -tcp syn and -tcp ack. The filter will match only TCP
packets with both the TCP SYN and TCP ACK flags set.
The -tcp rst setting is independent of the others; if you specify -tcp rst for the filter, the filter matches every
TCP packet with the TCP RESET flag set, regardless of the other flag settings. For example, for the filter to
match packets for "established" connections, you would specify both -tcp rst and -tcp ack so that the filter is
applied to every TCP packet that has either the RESET flag or the ACK flag set.
The following parameters request additional filter options.
-b
This option requests that this filter be compared twice with each packet. The first time, the source filter
information is matched against the source information in the IP packet and the destination filter information is
matched against the destination information in the IP packet. The second time the source filter information is
matched against the destination information in the IP packet and the destination filter information is matched
against the source information in the IP packet.
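The flag rules above and the -b double comparison, as an added Python model of the documented behaviour (not the router's own code; the dict shapes, the prefix/netmask notation for addresses and the reading of -tcp ack on its own as "ACK set" are assumptions):

```python
import ipaddress

SYN, ACK, RST = "syn", "ack", "rst"

def tcp_flags_match(opts, flags):
    """Apply the -tcp semantics from the reference.

    opts:  the -tcp keywords given on the filter (syn, ack, rst, noflag)
    flags: the flags set in the TCP packet (SYN, ACK, RST)
    """
    if not opts:
        return True                           # no flag criteria on this filter
    if RST in opts and RST in flags:
        return True                           # -tcp rst is independent of the rest
    if "noflag" in opts:
        return SYN not in flags and ACK not in flags
    if SYN in opts and ACK in opts:
        return SYN in flags and ACK in flags  # response to a connection initiation
    if SYN in opts:
        return SYN in flags and ACK not in flags  # connection initiation
    if ACK in opts:
        return ACK in flags                   # assumption: only ACK must be set
    return False                              # only -tcp rst given and RST is clear

def addr_match(filter_net, packet_addr):
    # Address given as prefix or as address/netmask, e.g. 192.168.0.0/255.255.0.0
    return ipaddress.ip_address(packet_addr) in ipaddress.ip_network(filter_net)

def filter_matches(filt, pkt):
    """-b makes the filter compare a second time with src and dst swapped."""
    if not tcp_flags_match(filt.get("tcp", set()), pkt["flags"]):
        return False
    pairs = [(pkt["src"], pkt["dst"])]
    if filt.get("b"):
        pairs.append((pkt["dst"], pkt["src"]))
    return any(addr_match(filt["src"], s) and addr_match(filt["dst"], d)
               for s, d in pairs)

# Constructed sample filters (hypothetical, not from the reference).
ESTABLISHED = {"src": "0.0.0.0/0", "dst": "0.0.0.0/0", "tcp": {RST, ACK}}
DENY_NET = {"src": "0.0.0.0/0", "dst": "192.168.0.0/255.255.0.0", "b": True}

if __name__ == "__main__":
    pkt = {"src": "192.168.5.5", "dst": "10.0.0.1", "flags": {SYN}}
    print(filter_matches(DENY_NET, pkt))      # True only because of -b
```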
-c <count of times rule used>
This option requests a counter for this filter. If specified, a count is kept of how many IP packets have
matched this filter since the router was restarted or rebooted. To see the current count for a filter, use the
remote ipfilter list command. To clear a counter, use the remote ipfilter clear command.
-ipsec <IPSec record name>
Use this option when the action specified is inipsec or outipsec. It specifies the IPSec Security Association
that uses the filter.
-q or -v
Specify one of these options to determine when watch messages are sent for this filter. The messages are sent
to the console serial port (and to any Syslog servers; see page 153).
If neither -q nor -v is specified for the filter, and a remote ipfilter watch on command is entered for the
interface, a message is sent each time this filter causes a packet to be dropped or rejected.
If -q (quiet) is specified, no messages are printed for this filter, even if it causes a packet to be dropped or
rejected.
If -v (verbose) is specified, a message is printed every time this filter matches a packet, regardless of the filter
action.
The remote name specifies the entry in the remote router database that the command applies to. The remote name
is the name given the entry when it was created by a remote add command.
Examples:
This command deletes all IP filters of type Forward for the remote interface internet.
remote ipfilter flush forward internet
Both of the following commands have the same effect: they deny all IP traffic for the remote interface internet
from the specified destination addresses. The addresses can be specified as 192.168.0.0 masked with 255.255.0.0
or as the range 192.168.0.0 through 192.168.255.255.