USG5300 V100R002 and earlier versions apply ACL-based packet filtering; USG5300 V100R003 and later versions apply policy-based packet filtering.
As shown in Figure 1, the host at 192.168.0.2 on the trust-side 192.168.0.0/24 network can access the Internet, but the host at 192.168.0.3 cannot. The following examples describe how to configure ACL- and policy-based packet filtering for specific IP addresses. Entries are matched in order and the first match decides the packet; traffic that matches no entry falls through to the interzone default action, so verify that default before relying on the deny. For details on packet filtering, refer to the related product documents.
Figure 1 Networking diagram for IP-specific interzone packet filtering
1. Configure ACL-based packet filtering.
[sysname] acl 3001
[sysname-acl-adv-3001] rule permit ip source 192.168.0.2 0 //Wildcard 0 matches this single host. A rule can also specify the destination IP address, protocol, and time range.
[sysname-acl-adv-3001] rule deny ip source 192.168.0.3 0
[sysname-acl-adv-3001] quit
[sysname] firewall interzone trust untrust
[sysname-interzone-trust-untrust] packet-filter 3001 outbound //Apply ACL 3001 to traffic leaving the trust zone for the untrust zone.
2. Configure policy-based packet filtering.
[sysname] policy interzone trust untrust outbound
[sysname-policy-interzone-trust-untrust-outbound] policy 1
[sysname-policy-interzone-trust-untrust-outbound-1] policy source 192.168.0.2 0 //Wildcard 0 matches this single host. The destination IP address, protocol, and time range can also be set in the policy ID view.
[sysname-policy-interzone-trust-untrust-outbound-1] action permit
[sysname-policy-interzone-trust-untrust-outbound-1] quit
[sysname-policy-interzone-trust-untrust-outbound] policy 2 //Multiple policy IDs can be configured. Run the display this command in the policy interzone view to list them; they are shown in descending order of matching priority, and the first matching policy decides the packet.
[sysname-policy-interzone-trust-untrust-outbound-2] policy source 192.168.0.3 0
[sysname-policy-interzone-trust-untrust-outbound-2] action deny
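The ordering point made in both procedures above (ACL rule order and policy ID order) is easy to get wrong when entries overlap. The following Python model is an added example and is not Huawei code or USG output: it assumes ordered first-match evaluation with Huawei wildcard-mask semantics (a 0 bit in the mask must match, a 1 bit is ignored) and a configurable default for unmatched traffic. The rule lists PAGE_RULES and MISORDERED_RULES are constructed here; the first mirrors the two entries configured on this page, the second shows how a broad subnet permit placed first shadows the host deny.

```python
import ipaddress

# Huawei shorthand: a bare "0" wildcard means 0.0.0.0 (exact host).
def _wildcard_int(wildcard: str) -> int:
    if wildcard == "0":
        wildcard = "0.0.0.0"
    return int(ipaddress.IPv4Address(wildcard))

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr matches base under a Huawei-style wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    fixed = ~_wildcard_int(wildcard) & 0xFFFFFFFF  # bits that must match
    return (a & fixed) == (b & fixed)

# Each entry: (action, source base, source wildcard), in configured order.
# Constructed to mirror ACL 3001 / policies 1 and 2 on this page.
PAGE_RULES = [
    ("permit", "192.168.0.2", "0"),
    ("deny", "192.168.0.3", "0"),
]

# Constructed counter-example: the subnet permit is evaluated first, so the
# host deny below it can never match (assumed first-match semantics).
MISORDERED_RULES = [
    ("permit", "192.168.0.0", "0.0.0.255"),
    ("deny", "192.168.0.3", "0"),
]

def evaluate(rules, src: str, default: str = "deny"):
    """Return (action, 1-based index of the matching entry or None).

    The default used when nothing matches stands in for the interzone
    default action; it is an assumption of this model, not a device value.
    """
    for idx, (action, base, wildcard) in enumerate(rules, start=1):
        if wildcard_match(src, base, wildcard):
            return action, idx
    return default, None

def shadowed_entries(rules):
    """1-based indices of entries fully covered by an earlier entry.

    Entry A covers entry B when every bit A fixes is also fixed by B
    (B's wildcard has no 1 bit where A's has a 0) and the fixed bits agree.
    """
    result = []
    for j, (_, bj, wj) in enumerate(rules):
        fj, wj_int = int(ipaddress.IPv4Address(bj)), _wildcard_int(wj)
        for i in range(j):
            _, bi, wi = rules[i]
            fi, wi_int = int(ipaddress.IPv4Address(bi)), _wildcard_int(wi)
            fixed_i = ~wi_int & 0xFFFFFFFF
            if (wj_int & fixed_i) == 0 and (fi & fixed_i) == (fj & fixed_i):
                result.append(j + 1)
                break
    return result

if __name__ == "__main__":
    for src in ("192.168.0.2", "192.168.0.3", "192.168.0.4"):
        print("page rules   ", src, evaluate(PAGE_RULES, src))
        print("misordered   ", src, evaluate(MISORDERED_RULES, src))
    print("shadowed (page)      ", shadowed_entries(PAGE_RULES))
    print("shadowed (misordered)", shadowed_entries(MISORDERED_RULES))
```

Running the model shows 192.168.0.2 permitted by entry 1 and 192.168.0.3 denied by entry 2 under the page's configuration, while 192.168.0.4 matches nothing and receives the modelled default. With the misordered list, 192.168.0.3 is permitted by the subnet entry and shadowed_entries reports entry 2 as unreachable, which is the kind of check worth running against the output of display this before committing overlapping entries on the firewall.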