Firewall Feature Set Commands
XSR CLI Reference Guide 16-117
Default
Disabled globally
Mode
Global or Interface configuration: XSR(config)# or XSR(config-if<xx>)#
Example
The following example enables the firewall globally:
XSR(config)#ip firewall enable
ip firewall filter
This command defines the filter object for non-TCP/UDP traffic (IP protocols other than TCP and UDP), for which no stateful inspection is required. By default, all non-TCP/UDP traffic is dropped by the firewall. To allow certain IP protocols to pass through the firewall, a filter object must be configured. Filtering is performed on the protocol ID and on the source and destination addresses, which are network objects. Protocols can be specified by number or name. If a name is used, it should match that specified by the Internet Assigned Numbers Authority (IANA). Refer to:
http://www.iana.org/assignments/protocol-numbers
A name for any firewall object must use these alphanumeric characters only: A-Z (upper or lower case), 0-9, - (dash), or _ (underscore). Also, all firewall object names, including pre-defined objects such as ANY_EXTERNAL and user-defined object names, are case-sensitive.
Syntax
ip firewall filter filter_name src_net_name dst_net_name {protocol-id prot-number
| protocol-name prot-name} [type number] [allow-log] bidirectional
Syntax of the “no” Form
The no form of this command disables the specified filter:
no ip firewall filter filter_name
Note: Logging for the filter is performed on a per packet basis.
filter_name
Name of the filter object, not to exceed 16 characters.
src_net_name
Name of any source network object. Limit: 16 characters.
dst_net_name
Name of the destination network object. Limit: 16 characters.
protocol-id
Protocol specified by decimal value.
protocol-name
Protocol specified by name, not to exceed 16 characters.
type number
If the protocol is ICMP, you can filter specific types only.
bidirectional
Policy applies in both directions. That is, for a session initiated at the source as well as at the destination.
allow-log
All matching packets are logged.
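The constraints above (16-character limit, permitted name characters, case-sensitive object names, IANA protocol numbers or names, and type being valid only for ICMP) are easy to get wrong when filter lines are generated or reviewed offline. The following Python checker is an added example, not part of the XSR guide or any Enterasys software; it parses one ip firewall filter line against the syntax shown on this page and rejects lines that violate those rules. The protocol table is a constructed subset of the IANA registry, the object names in the sample lines are constructed, and treating the bidirectional keyword as mandatory follows the unbracketed syntax line above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Character set and length limit the reference gives for firewall object names.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")
MAX_NAME_LEN = 16

# Constructed subset of the IANA protocol-numbers registry (assumption: only these
# names are known to this checker; the full list is at
# http://www.iana.org/assignments/protocol-numbers).
IANA_PROTOCOLS = {"icmp": 1, "igmp": 2, "gre": 47, "esp": 50, "ah": 51, "ospf": 89}
ICMP = IANA_PROTOCOLS["icmp"]


@dataclass
class FilterRule:
    name: str
    src: str
    dst: str
    protocol: int            # IANA protocol number
    icmp_type: Optional[int] # only meaningful when protocol == ICMP
    allow_log: bool
    bidirectional: bool


def check_name(value: str, what: str) -> str:
    """Enforce the object-name rules: at most 16 chars, A-Z/a-z/0-9/-/_ only."""
    if len(value) > MAX_NAME_LEN:
        raise ValueError(f"{what} '{value}' exceeds {MAX_NAME_LEN} characters")
    if not NAME_RE.match(value):
        raise ValueError(f"{what} '{value}' uses characters outside A-Z, a-z, 0-9, '-', '_'")
    return value


def _number(token: str, what: str, upper: int) -> int:
    """Decimal value in 0..upper (protocol numbers and ICMP types are one octet)."""
    if not token.isdigit() or not 0 <= int(token) <= upper:
        raise ValueError(f"{what} must be a decimal number in 0..{upper}, got '{token}'")
    return int(token)


def parse_filter(line: str) -> FilterRule:
    """Parse and validate one 'ip firewall filter ...' command line."""
    tokens = line.split()
    if tokens[:3] != ["ip", "firewall", "filter"] or len(tokens) < 9:
        raise ValueError("expected: ip firewall filter <name> <src> <dst> "
                         "{protocol-id N | protocol-name X} [type N] [allow-log] bidirectional")
    name = check_name(tokens[3], "filter_name")
    src = check_name(tokens[4], "src_net_name")
    dst = check_name(tokens[5], "dst_net_name")

    rest = tokens[6:]
    keyword, value = rest[0], rest[1]
    if keyword == "protocol-id":
        protocol = _number(value, "protocol-id", 255)
    elif keyword == "protocol-name":
        check_name(value, "protocol-name")
        if value.lower() not in IANA_PROTOCOLS:
            raise ValueError(f"protocol-name '{value}' is not an IANA name known here")
        protocol = IANA_PROTOCOLS[value.lower()]
    else:
        raise ValueError("protocol-id or protocol-name must follow the network objects")

    icmp_type: Optional[int] = None
    allow_log = bidirectional = False
    i = 2
    while i < len(rest):
        tok = rest[i]
        if tok == "type":
            # The guide allows 'type' only when the protocol is ICMP.
            if protocol != ICMP:
                raise ValueError("'type' may only be given when the protocol is ICMP")
            if i + 1 >= len(rest):
                raise ValueError("'type' requires a number")
            icmp_type = _number(rest[i + 1], "type", 255)
            i += 2
            continue
        if tok == "allow-log":
            allow_log = True
        elif tok == "bidirectional":
            bidirectional = True
        else:
            raise ValueError(f"unexpected token '{tok}'")
        i += 1
    if not bidirectional:
        raise ValueError("'bidirectional' keyword missing")
    return FilterRule(name, src, dst, protocol, icmp_type, allow_log, bidirectional)


def unknown_objects(rule: FilterRule, known: set) -> list:
    """Referenced network objects that are not defined; names compare case-sensitively."""
    return [n for n in (rule.src, rule.dst) if n not in known]


def filter_error(line: str) -> Optional[str]:
    """Return the validation error for a line, or None if it is well-formed."""
    try:
        parse_filter(line)
    except ValueError as exc:
        return str(exc)
    return None
```

Because object names are case-sensitive on the XSR, unknown_objects compares them exactly: a filter that names lan_net is not satisfied by a network object defined as LAN_NET, which is a common cause of a filter silently matching nothing.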