Specifications
154 ExtremeWare XOS 11.0 Concepts Guide
Security
Policy file syntax checker. The fragments keyword cannot be used in a rule that also contains Layer 4 (L4) information (transport-layer matches such as source-port or destination-port). The syntax checker rejects such policy files.
Packet processing flow. With no keyword specified, processing proceeds as follows:
• An L3-only rule that contains neither the fragments nor the first-fragments keyword matches any IP packet, fragmented or not.
• An L4 rule that contains neither the fragments nor the first-fragments keyword matches only non-fragmented packets and initial fragments (the packets that actually carry an L4 header).
With the fragments keyword specified:
• An L3-only rule with the fragments keyword matches only fragmented packets.
• An L4 rule with the fragments keyword is not valid (see above).
With the first-fragments keyword specified:
• An L3-only rule with the first-fragments keyword matches non-fragmented packets and initial fragments.
• An L4 rule with the first-fragments keyword matches non-fragmented packets and initial fragments.
In practice this means that a non-initial fragment is never matched by an L4 rule, with or without the first-fragments keyword; to match such fragments, use an L3-only rule with the fragments keyword.
Example ACL Rule Entries
The following entry accepts all the UDP packets from the 10.203.134.0/24 subnet that are destined for
the host 140.158.18.16, with source port 190 and a destination port in the range of 1200 to 1400:
entry udpacl {
    if {
        source-address 10.203.134.0/24;
        destination-address 140.158.18.16/32;
        protocol udp;
        source-port 190;
        destination-port 1200 - 1400;
    } then {
        permit;
    }
}
The following rule entry accepts TCP packets from the 10.203.134.0/24 subnet with a source port greater than 190 and both the SYN and ACK bits set. It also increments the counter tcpcnt, and the packets are forwarded using QoS profile QP3:
entry tcpacl {
    if {
        source-address 10.203.134.0/24;
        protocol TCP;
        source-port > 190;
        tcp-flags syn_ack;
    } then {
        permit;
        count tcpcnt;
        qosprofile qp3;
    }
}
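The following Python model is an added illustration written for this page, not Extreme Networks code. It parses entries written in the same shape as the two examples above, applies the syntax checker's fragments/L4 rule from the "Policy file syntax checker" paragraph, and evaluates the packet processing flow for non-fragmented packets, initial fragments and non-initial fragments against them. Everything beyond the two entries on the page is assumed or constructed: the fragdeny entry, the packet records, the treatment of "L4 information" as the port and tcp-flags fields (protocol is treated as an IP-header field), the reading of syn_ack as "both SYN and ACK set", the rule that a packet with only the MF flag set counts as fragmented, and first-match evaluation in file order.

```python
"""Fragment-handling semantics of XOS ACL entries, modelled in plain Python.
Added illustration for this page, not Extreme Networks code; the packets and
the 'fragdeny' entry are constructed sample data. Assumptions are marked."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumption: "L4 information" means transport-header fields; protocol is an
# IP-header field and is treated as L3 here.
L4_FIELDS = {"source-port", "destination-port", "tcp-flags"}
ENTRY_RE = re.compile(r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)

class PolicySyntaxError(ValueError):
    """Raised where the page says the syntax checker rejects the policy file."""

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                       # "udp", "tcp", ...
    frag_offset: int = 0             # > 0 only on non-initial fragments
    more_fragments: bool = False     # IP MF flag
    sport: Optional[int] = None      # None: this fragment carries no L4 header
    dport: Optional[int] = None
    tcp_flags: set = field(default_factory=set)

def parse_policy(text):
    """Return [(name, match_dict, actions)] and apply the checker's fragments/L4 rule."""
    entries = []
    for name, cond, acts in ENTRY_RE.findall(text):
        match = {}
        for stmt in filter(None, (s.strip() for s in cond.split(";"))):
            parts = stmt.split(None, 1)          # "fragments;" has no value
            match[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
        if "fragments" in match and match.keys() & L4_FIELDS:
            raise PolicySyntaxError(f"entry {name}: fragments cannot be used with L4 fields")
        entries.append((name, match, [a.strip() for a in acts.split(";") if a.strip()]))
    return entries

def port_matches(spec, port):
    """Port forms seen on the page: exact "190", greater "> 190", range "1200 - 1400"."""
    if port is None:                             # no transport header to compare
        return False
    spec = spec.strip()
    if spec.startswith(">"):
        return port > int(spec[1:])
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)

def rule_matches(match, pkt):
    is_l4_rule = bool(match.keys() & L4_FIELDS)
    has_l4_header = pkt.frag_offset == 0                     # whole packet or initial fragment
    is_fragment = pkt.frag_offset > 0 or pkt.more_fragments  # assumption: MF alone counts
    # Packet processing flow as described on the page.
    if "fragments" in match:
        if not is_fragment:
            return False
    elif "first-fragments" in match or is_l4_rule:
        if not has_l4_header:
            return False
    # else: an L3-only entry without a keyword matches any IP packet.
    for key, addr in (("source-address", pkt.src), ("destination-address", pkt.dst)):
        if key in match and ipaddress.ip_address(addr) not in ipaddress.ip_network(match[key], strict=False):
            return False
    if "protocol" in match and match["protocol"].lower() != pkt.proto.lower():
        return False
    if "source-port" in match and not port_matches(match["source-port"], pkt.sport):
        return False
    if "destination-port" in match and not port_matches(match["destination-port"], pkt.dport):
        return False
    # Assumption: "syn_ack" means both SYN and ACK must be set.
    if "tcp-flags" in match and not set(match["tcp-flags"].lower().split("_")) <= pkt.tcp_flags:
        return False
    return True

def first_match(entries, pkt):
    """Name of the first matching entry (evaluation in file order assumed), or None."""
    return next((name for name, match, _ in entries if rule_matches(match, pkt)), None)

# The page's two entries plus a constructed L3-only rule that catches non-initial fragments.
POLICY = """
entry udpacl { if { source-address 10.203.134.0/24; destination-address 140.158.18.16/32;
                    protocol udp; source-port 190; destination-port 1200 - 1400; } then { permit; } }
entry tcpacl { if { source-address 10.203.134.0/24; protocol TCP; source-port > 190;
                    tcp-flags syn_ack; } then { permit; count tcpcnt; qosprofile qp3; } }
entry fragdeny { if { source-address 10.203.134.0/24; fragments; } then { deny; } }
"""
ENTRIES = parse_policy(POLICY)

# Constructed packets: a whole UDP datagram, its initial and a later fragment, and a TCP SYN/ACK.
WHOLE_UDP = Packet("10.203.134.7", "140.158.18.16", "udp", sport=190, dport=1300)
FIRST_FRAG = Packet("10.203.134.7", "140.158.18.16", "udp", more_fragments=True, sport=190, dport=1300)
LATER_FRAG = Packet("10.203.134.7", "140.158.18.16", "udp", frag_offset=185, more_fragments=True)
SYN_ACK = Packet("10.203.134.5", "140.158.18.16", "tcp", sport=1025, dport=80, tcp_flags={"syn", "ack"})

if __name__ == "__main__":
    for label, pkt in (("whole UDP", WHOLE_UDP), ("initial fragment", FIRST_FRAG),
                       ("later fragment", LATER_FRAG), ("TCP SYN/ACK", SYN_ACK)):
        print(f"{label:17} -> {first_match(ENTRIES, pkt)}")
```

Running the model shows the point of the processing flow: the whole datagram and its initial fragment are matched by udpacl, but the later fragment has no UDP header and falls through every L4 entry until the L3-only fragdeny entry catches it. Without such an L3-only rule, non-initial fragments of a flow that the L4 rules were meant to control are not matched by those rules at all. A policy that combines fragments with an L4 field is rejected at parse time, mirroring the syntax checker.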