HP StorageWorks 8/8 HP StorageWorks Fabric OS 6.2 administrator guide (5697-00 - Page 139
Implicit IP Filter rules
View all HP StorageWorks 8/8 manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 139 highlights
For an IPv4 filter policy, the source address has to be a 32-bit IPv4 address in dot decimal notation. The group prefix has to be a CIDR block prefix representation. For example, 208.130.32.0/24 represents a 24-bit IPv4 prefix starting from the most significant bit. The special prefix 0.0.0.0/0 matches any IPv4 address. In addition, the keyword any is supported to represent any IPv4 address. For an IPv6 filter policy, the source address has to be a 128-bit IPv6 address, in a format acceptable in RFC 3513. The group prefix has to be a CIDR block prefix representation. For example, 12AB:0:0:CD30::/64 represents a 64-bit IPv6 prefix starting from the most significant bit. In addition, the keyword any is supported to represent any IPv6 address. For the destination port, a single port number or a port number range can be specified. According to IANA (http://www.iana.org), ports 0 to 1023 are well-known port numbers, ports 1024 to 49151 are registered port numbers, and ports 49152 to 65535 are dynamic or private port numbers. Well-known and registered ports are normally used by servers to accept connections, while dynamic port numbers are used by clients. For an IP Filter policy rule, you can select port numbers only in either the well-known or the registered port number range, between 0 and 49151, inclusive. This means that you have the ability to control how to expose the management services hosted on a switch, but not the ability to affect the management traffic that is initiated from a switch. A valid port number range is represented by a dash, for example 7-30. Alternatively, service names can also be used instead of port number. Table 31 lists the supported service names and their corresponding port number. Table 31 Supported services Service name Port number http 443 rpcd 897 securerpcd 898 snmp 161 ssh 22 sunrpc 111 telnet 23 www 80 TCP and UDP protocols are valid selections. Fabric OS 5.3.0 and later does not support a configuration to filter other protocols. Implicitly, ICMP type 0 and type 8 packets are always allowed to support ICMP echo request and reply on commands like ping and traceroute. For the action, only permit and deny are valid. For every IP Filter policy, the two rules in Table 32 are always assumed to be appended implicitly to the end of the policy. This ensures that TCP and UDP traffic to dynamic port ranges is allowed, so that management IP traffic initiated from a switch, such as syslog, radius and ftp, is not affected. Table 32 Implicit IP Filter rules Source address Destination port Protocol Action Any 1024-65535 TCP Permit Any 1024-65535 UDP Permit Fabric OS 6.2 administrator guide 137