220 MDS Orbit MCR/ECR Technical Manual MDS 05-6632A01, Rev. F
- Not Address – Apply rule to traffic that is not intended for a specific destination address and prefix.
- Not Address Range – Apply rule to traffic that is not intended for a specific destination address range.
- Not Address Set – Apply rule to traffic that is not intended for a non-contiguous set of destination addresses.
Destination Port – Apply rule to traffic intended for a specific destination port. This option is available only with protocols SCTP, TCP, and UDP.
Services – Services, Port Range, Not Services, Not Port Range.
- Services – Apply rule to traffic intended for one or more designated well-known service destination ports. The services must be specified by name and separated by commas.
- Port Range – Apply rule to traffic intended for a specific destination port or set of ports.
- Not Services – Apply rule to traffic that is not intended for one or more designated well-known service destination ports. The services must be specified by name and separated by commas.
- Not Port Range – Apply rule to traffic that is not intended for a specific destination port or set of ports.
Actions – Accept, Drop, Reject. Specifies what should be done with packets that match the rule.
- Accept – Allow packets to ingress or egress the unit.
- Drop – Block packets from ingress or egress.
- Reject – Block packets from ingress or egress and send an error message to the sender. When the ICMP protocol is selected, a rejection message may be chosen.
- Reject Type – Net unreachable, Host unreachable, Port unreachable, Proto unreachable, Net prohibited, Host prohibited, Admin prohibited.
Log – Optional. Allows packets that meet the rule to be logged to the event log.
- Level – Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug.
- Prefix – Enter a text string to prepend to generated log entries.
Allow Select Cell Inbound traffic
In this example, the input filter will be restrictive and permit only some types of traffic: IPsec tunnel traffic, UDP services DNS, NTP, and IKE (to allow IPsec connection setup), and TCP services SSH and NETCONF (to allow management of the MCR).
To create a rule to permit IPsec tunnel traffic, select Protocol ESP and ensure that Action is set to Accept. The Log Level can be set to Debug, unless incoming IPsec traffic is of interest.
Figure 3-127. Creation of a packet filter rule to allow IPsec connections
Next, click Add new rule to create a rule to allow the desired UDP services. For this rule, select Protocol UDP and set Source Port to Services. The services must be entered as a comma-separated list. Since this example permits UDP services DNS, NTP, and IKE, enter dns, ntp, Ike in the textbox next to Services.
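The following is an added example, not code from the manual or from the MDS Orbit firmware: a small model of the rule fields described above (Protocol, Services/Not Services on a source or destination port, Action, Log Prefix), used to check what the restrictive Cell Inbound filter admits. It assumes rules are evaluated first-match-wins, that unmatched inbound traffic is dropped, that service names map to their IANA ports, and that names are matched case-insensitively (the manual writes "Ike").

```python
from dataclasses import dataclass
from typing import Optional

# IANA well-known ports for the service names used in the manual's example.
SERVICES = {"dns": 53, "ntp": 123, "ike": 500, "ssh": 22, "netconf": 830}

@dataclass
class Packet:
    proto: str                   # "esp", "udp", "tcp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass
class Rule:
    proto: str
    action: str = "accept"       # Accept | Drop | Reject
    port_side: str = "dst"       # the manual's UDP rule applies Services to Source Port
    services: str = ""           # "Services": comma-separated well-known names
    not_services: str = ""       # "Not Services": the negated form
    log_prefix: Optional[str] = None  # "Prefix" prepended to event-log entries

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.proto not in ("sctp", "tcp", "udp"):   # port options unavailable
            return True
        port = pkt.sport if self.port_side == "src" else pkt.dport
        allow, deny = names_to_ports(self.services), names_to_ports(self.not_services)
        if allow and port not in allow:
            return False
        return not (deny and port in deny)

def names_to_ports(csv: str) -> set:
    # Names are trimmed and lower-cased before lookup (assumption, see lead-in).
    return {SERVICES[n.strip().lower()] for n in csv.split(",") if n.strip()}

def evaluate(rules, pkt: Packet, log: Optional[list] = None) -> str:
    for r in rules:
        if r.matches(pkt):
            if log is not None and r.log_prefix is not None:
                log.append(f"{r.log_prefix}: {pkt.proto} {pkt.sport}->{pkt.dport} {r.action}")
            return r.action
    return "drop"   # assumption: a restrictive input filter drops unmatched traffic

# The three rules of the "Allow Select Cell Inbound traffic" example (constructed).
CELL_INBOUND = [
    Rule("esp"),
    Rule("udp", port_side="src", services="dns, ntp, Ike"),
    Rule("tcp", services="ssh, netconf", log_prefix="MGMT"),
]
```

Note that because the UDP rule keys on the source port, a DNS reply from port 53 is accepted while an unsolicited packet sent to port 53 on the unit is not.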