User guide
Chapter 5. Command Line Interface Reference 175
specified, the packet must have that destination IP address. If no destination IP address is specified, the filter
matches any address in the range 0.0.0.0:255.255.255.255.
-dm <dest ip mask>
The filter uses the specified mask when comparing the <first dest ip addr>...<last dest ip addr> with the
destination IP address in the IP packet. If no destination mask is specified, the mask used is 255.255.255.255.
-dp <ICMP type> | <first dest port>[:<last dest port>]
The packet must have a destination port that matches the specified ICMP type or that is within the specified
port range. If only one port is specified, the packet must have that destination port. If no destination port is
specified, the filter matches any destination port in the range 0:0xffff.
-tcp syn|ack|noflag
If the IP packet is a TCP packet, the filter matches the packet only if the packet flag settings are as specified.
If no -tcp option is specified for the filter, flag settings are not checked.
Specify syn if the TCP SYN flag must be set. Specify ack if the TCP ACK flag must be set. Specify noflag if
neither the SYN flag nor the ACK flag can be set.
Note: You may specify more than one -tcp option for the IP filter.
For example, for the IP filter to match the initiation of a TCP connection, specify -tcp syn. The filter will
match TCP packets that have the TCP SYN flag set but not the TCP ACK flag set. For the filter to match the
response to initiation of a TCP connection, specify -tcp syn and -tcp ack. The filter will match only TCP
packets with both the TCP SYN and TCP ACK flags set.
The following parameters request additional filter options.
-b
This option requests that this filter be compared twice with each packet. The first time the source filter
information is matched against the source information in the IP packet and the destination filter information is
matched against the destination information in the IP packet. The second time the source filter information is
matched against the destination information in the IP packet and the destination filter information is matched
against the source information in the IP packet.
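The matching rules above (an address range compared under a mask, a port range, the -tcp syn/ack/noflag semantics, and the second comparison with source and destination swapped that -b requests), modelled as an added Python example; this is not the router's own code, and the Side/IPFilter names, the packet dict layout and the choice to apply the mask to both range ends and the packet address are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
SYN, ACK = 0x02, 0x10  # standard TCP flag bits

def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

@dataclass(frozen=True)
class Side:
    """Address range, mask and port range for one end of the filter; defaults match anything."""
    first: str = "0.0.0.0"
    last: str = "255.255.255.255"
    mask: str = "255.255.255.255"
    port_lo: int = 0
    port_hi: int = 0xFFFF

    def matches(self, addr: str, port: int) -> bool:
        m = _ip(self.mask)  # assumption: mask is applied to both range ends and the packet address
        a = _ip(addr) & m
        return (_ip(self.first) & m) <= a <= (_ip(self.last) & m) and self.port_lo <= port <= self.port_hi

@dataclass(frozen=True)
class IPFilter:
    src: Side = field(default_factory=Side)
    dst: Side = field(default_factory=Side)
    tcp: frozenset = frozenset()  # the -tcp options given: subset of {"syn", "ack", "noflag"}
    both: bool = False            # -b: compare a second time with source and destination swapped

    def _tcp_ok(self, pkt: dict) -> bool:
        if pkt["proto"] != "tcp" or not self.tcp:
            return True  # flag settings are checked only for TCP packets, and only if -tcp was given
        syn, ack = bool(pkt["flags"] & SYN), bool(pkt["flags"] & ACK)
        # "syn" alone: SYN set, ACK clear; "syn" + "ack": both set; "noflag": neither set
        return syn == ("syn" in self.tcp) and ack == ("ack" in self.tcp)

    def matches(self, pkt: dict) -> bool:
        if not self._tcp_ok(pkt):
            return False
        if self.src.matches(pkt["src"], pkt["sport"]) and self.dst.matches(pkt["dst"], pkt["dport"]):
            return True
        return self.both and self.src.matches(pkt["dst"], pkt["dport"]) and self.dst.matches(pkt["src"], pkt["sport"])

def pkt(src, sport, dst, dport, flags=0, proto="tcp"):
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags, "proto": proto}
# Constructed filters: destination 192.168.1.x (-dm 255.255.255.0), -dp 22, -tcp syn [+ -tcp ack -b]
SSH_NET = Side("192.168.1.0", "192.168.1.0", "255.255.255.0", 22, 22)
SSH_INIT = IPFilter(dst=SSH_NET, tcp=frozenset({"syn"}))
SSH_RESP = IPFilter(dst=SSH_NET, tcp=frozenset({"syn", "ack"}), both=True)
CONNECT = pkt("10.0.0.5", 40000, "192.168.1.20", 22, SYN)        # constructed client SYN
REPLY = pkt("192.168.1.20", 22, "10.0.0.5", 40000, SYN | ACK)     # constructed server SYN/ACK
```

SSH_INIT matches CONNECT but not REPLY; SSH_RESP matches REPLY only because -b lets the swapped comparison succeed.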
-c <count of times rule used>
This option requests a counter for this filter. If specified, a count is kept of how many IP packets have
matched this filter since the router was rebooted. To see the current count for a filter, use the eth ip filter list
command. To clear a counter, use the eth ip filter clear command.
-ipsec <IPSec record name>
Use this option when the action specified is inipsec or outipsec. It specifies the IPSec Security Association
that uses the filter.
-q or -v
Specify one of these options to determine when watch messages are printed for this filter.
If neither -q nor -v is specified for the filter, and an eth ip filter watch on command is entered for the
interface, a message is printed to the console serial port each time this filter causes a packet to be dropped or
rejected.
If -q (quiet) is specified, no messages are printed for this filter, even if the filter causes a packet to be dropped
or rejected.