HP StorageWorks 2/16V HP StorageWorks Fabric OS 5.3.x administrator guide (569 - Page 138
IP Filter policy enforcement, Creating IP Filter policy rules, ipAddrSet, proto
View all HP StorageWorks 2/16V manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 138 highlights
Table 38 Default IP policy rules (continued) Rule number Source address Destination port 11 Any 123 12 Any 600-1023 Protocol UDP UDP Action Permit Permit IP Filter policy enforcement An active IP Filter policy is a filter applied to the IP packets through the management interface. IPv4 management traffic will pass through the active IPv4 filter policy, and IPv6 management traffic will pass through the active IPv6 filter policy. The IP Filter policy applies to the incoming (ingress) management traffic only. When a packet arrives, it is compared against each rule, starting from the first rule. If a match is found for the source address, destination port, and protocol, the corresponding action for this rule is taken, and the subsequent rules in this policy will be ignored. If there is no match, then it is compared to the next rule in the policy. This process continues until the incoming packet is compared to all rules in the active policy. If none of the rules in the policy matches the incoming packet, the two implicit rules will be matched to the incoming packet. If the rules still don't match the packet, the default action, which is to deny, will be taken. When the IPv4 or IPv6 address for the management interface of a switch is changed through the ipAddrSet command or manageability tools, the active IP Filter policies will automatically become enforced on the management IP interface with the changed IP address. NOTE: If a switch is part of a LAN behind a Network Address Translation (NAT) server, depending on the NAT server configuration, the source address in an IP Filter rule may have to be the NAT server address. Creating IP Filter policy rules There can be a maximum of 256 rules created for an IP Filter policy. The change to the specified IP Filter policy is not saved to the persistent configuration until a save or activate sub-command is run. To add a rule to an IP Filter policy: 1. Log in to the switch as admin 2. Type in the following command: ipfilter --addrule -rule -sip -dp -proto -act policyname -rule rule number -sip source IP -dp destination port -proto protocol --act Specifies the policy name which is a unique string composed of a maximum of 20 alphanumeric and underscore characters. The names default_ipv4 and default_ipv6 are reserved for the default IP Filter policies. The policy name is case-insensitive and always stored as lower case. Enter a valid rule number between 1 and the current maximum rule number plus one. Specifies the source IP address. For IPv4 filter type, the address must be a 32-bit address in dot decimal notation, or a CIDR block IPv4 prefix. For IPv6 filter type, the address must be a 128-bit IPv6 address in any format specified by RFC, or a CIDR block IPv6 prefix. Specifies the destination port number, or a range of port numbers, or a service name. Specifies the protocol type, either TCP or UDP. Specifies the permit or deny action associated with this rule. 140 Configuring advanced security