CLI-based Configuration Guide - Security

AR500, AR510, AR531, AR550, AR1500, and AR2500 V200R010

This document provides the basic concepts, configuration procedures, and configuration examples in different application scenarios of the network management feature supported by the device.
Configuring ACL-based Packet Filtering in an Interzone

Context

When data is transmitted between two zones, the ACL-based packet filtering firewall enforces the packet filtering policies according to the ACL rules.

NOTE:

If a tunnel is set up on a physical interface, traffic to or from the tunnel is sent and received on the tunnel interface. If you need the firewall function for that traffic, add the tunnel interface, not the physical interface, to the zone. Otherwise, the firewall function cannot take effect.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run acl [ number ] acl-number [ match-order { config | auto } ]

    Or acl ipv6 [ number ] acl6-number

    An ACL or ACL6 is created, and the ACL view or ACL6 view is displayed.

    NOTE:

    ACL-based packet filtering supports basic ACLs and advanced ACLs.

    ACL6-based packet filtering supports basic ACL6s and advanced ACL6s.

  3. Run rule (basic ACL view), rule (advanced ACL view), rule (basic ACL6 view), or rule (advanced ACL6 view)

    An ACL rule is configured.

    If destination pd destination-dhcpv6-prefix or source pd source-dhcpv6-prefix is specified in the rule (advanced ACL6 view) command and the IPv6 address prefix obtained from the DHCPv6 server changes, the session table on the firewall must be updated so that the new IPv6 address prefix takes effect. During the update, service forwarding on the firewall may be temporarily affected. After the update, services recover automatically.

    NOTE:

    When the ACL6-based packet filtering firewall function is configured, the fragment parameter is not supported in an ACL6 rule.

  4. Run quit

    Return to the system view.

  5. Run firewall interzone zone-name1 zone-name2

    The interzone view is displayed.

  6. Run packet-filter { acl-number | default { deny | permit } } { inbound | outbound } or packet-filter ipv6 acl6-number { inbound | outbound }

    The ACL-based packet filtering or ACL6 packet filtering is configured.

    You can configure ACL-based packet filtering in the interzone for inbound or outbound packets.

    1. When permit is used in the ACL rule:

      • When the ACL is applied to the inbound traffic, the system forwards the packets matching the ACL rule sent from the low-priority zone to the high-priority zone.
      • When the ACL is applied to the outbound traffic, the system forwards the packets matching the ACL rule sent from the high-priority zone to the low-priority zone.

    2. When deny is used in the ACL rule:

      • When the ACL is applied to the inbound traffic, the system discards the packets matching the ACL rule sent from the low-priority zone to the high-priority zone.
      • When the ACL is applied to the outbound traffic, the system discards the packets matching the ACL rule sent from the high-priority zone to the low-priority zone.

    3. When an ACL does not contain rules:

      • When the ACL is applied to the inbound traffic, the ACL does not take effect, and the system discards all packets sent from the low-priority zone to the high-priority zone.
      • When the ACL is applied to the outbound traffic, the ACL does not take effect, and the system discards all packets sent from the high-priority zone to the low-priority zone.

    You can configure ACL6-based packet filtering in the outbound and inbound directions of an interzone.

    When the ACL6 does not contain rules:

    • When the ACL6 is applied to the inbound traffic, the ACL6 does not take effect, and the system discards all packets sent from the low-priority zone to the high-priority zone.
    • When the ACL6 is applied to the outbound traffic, the ACL6 does not take effect, and the system discards all packets sent from the high-priority zone to the low-priority zone.

  7. (Optional) Run bypass [ session-overrun ]

    The packet filtering firewall bypass function is enabled in an interzone.

    By default, the packet filtering firewall bypass function is disabled in an interzone.
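The procedure above, carried through as an added worked example (not a configuration from the Huawei document). It assumes that the security zones trust (higher priority) and untrust (lower priority) already exist with their interfaces assigned; the server address and the ACL number are constructed. The ACL6 variant follows the same steps with acl ipv6 and packet-filter ipv6.

```text
# Inbound in this interzone means untrust (low priority) -> trust (high priority).

# Step 1: enter the system view.
system-view

# Step 2: create an advanced ACL; match-order config matches rules in the order they are entered.
acl number 3001 match-order config

# Step 3: permit only HTTP from any source to the internal web server (constructed address),
# then make the policy explicit with a final deny so that no other inbound packets are
# forwarded from the low-priority zone to the high-priority zone.
rule 5 permit tcp source any destination 192.168.10.20 0 destination-port eq 80
rule 10 deny ip

# Step 4: return to the system view.
quit

# Step 5: enter the interzone view for the two zones.
firewall interzone trust untrust

# Step 6: apply ACL 3001 to inbound traffic (untrust -> trust); outbound traffic
# (trust -> untrust) is handled by the default action instead of an ACL.
packet-filter 3001 inbound
packet-filter default permit outbound
quit

# Step 7 (bypass [ session-overrun ]) is deliberately not run: leaving bypass disabled
# keeps all interzone traffic subject to the packet filtering policy.

# Verification (a display command assumed to exist on the device; not part of the procedure):
display acl 3001
```

Because ACL 3001 ends with an explicit deny, its inbound behaviour does not depend on what happens to packets that match no rule; an ACL with no rules at all would instead cause every inbound packet to be discarded, as described in step 6.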

Updated: 2019-08-09

Document ID: EDOC1100034236
