The IP Access Control List can store up to 256 filter definitions.
This section describes the commands for managing the IP Access Control List.
These are the commands:
Every filter is identified by a priority index, which is used to add, modify and delete IPACL entries.
Each time a filter is added or deleted, the priority indexes are automatically renumbered so that they remain in sequential order.
Changes to the IPACL take effect immediately, so there is no need to restart Abilis CPX.
The d ipacl command shows the current content of the IP access list. If the priority is omitted, the command shows all the filters currently in the table.
Type d ipacl ? to display the syntax of the command.
[15:45:59] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:YES ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
Tot-IPACL-Number:0
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: PROT: ICMP-TYPE:
IPCOS: DA: SPO:/PO: DPO:
TOS-O: TOS-I: SRES: DRES:
TI:
-------------------------------------------------------------------------------
*** NO IP ACCESS LISTS DEFINED ***
Meaning of the parameters:
PR
The priority index sets the order in which the filters are checked. The check is performed on each datagram: it starts from the filter with priority 0 and continues until a matching filter is found or the list ends. If the IP datagram does not match any filter, it is routed (the list permits by default); if the IP class of service functionality is active, the router assigns the datagram the default priority set in the COSDFT parameter of the IPRTR port.
TYPE
It sets whether a datagram matching the filter has to be routed (filter type PERMIT) or discarded (filter type DENY).
IPCOS
IP Class of Service [DFT, HIGH, NORMAL, LOW or D, H, N, L].
SA
It sets the IP address (or interval of addresses) that the datagram's source address has to match (or be contained in). It may be expressed as:
a single value, in Dotted Decimal Notation (E.g.: 150.200.192.192);
an interval, by separating the two IP addresses with the : (colon) character (E.g.: 192.168.0.0:192.168.0.100);
the name of an Elements List of type IP, IR, RU or MR, written between single quotes (E.g.: 'My_List');
the * (asterisk) string, which stands for “any IP address”.
DA
It sets the IP address (or interval of addresses) that the datagram's destination address has to match (or be contained in). It may be expressed as:
a single value, in Dotted Decimal Notation (E.g.: 150.200.192.192);
an interval, by separating the two IP addresses with the : (colon) character (E.g.: 192.168.0.0:192.168.0.100);
the name of an Elements List of type IP, IR, RU or MR, written between single quotes (E.g.: 'My_List');
the * (asterisk) string, which stands for “any IP address”.
PROT
It sets the Internet protocol to which the filter applies. It may be expressed as:
the mnemonic or numeric identifier [1 - 254] of an Internet protocol (E.g.: tcp or 6);
the name of an Elements List of type IPT, RU or MR, written between single quotes (E.g.: 'My_List');
the tcpudp string, which stands for “tcp and/or udp protocols”;
the * (asterisk) string, which stands for “any Internet protocol”.
SPO
This parameter is used only for the TCP and UDP protocols. It sets the source port (or interval of ports) that the datagram's source port has to match (or be contained in). It may be expressed as:
the mnemonic or numeric identifier [1 - 65535] of a TCP/UDP port (E.g.: telnet or 23);
an interval, by separating the two TCP/UDP port values with the : (colon) character (E.g.: 23:161 or telnet:snmp);
the name of an Elements List of type TUP, RU or MR, written between single quotes (E.g.: 'My_List');
the * (asterisk) string, which stands for “any TCP/UDP port”.
DPO
This parameter is used only for the TCP and UDP protocols. It sets the destination port (or interval of ports) that the datagram's destination port has to match (or be contained in). It may be expressed as:
the mnemonic or numeric identifier [1 - 65535] of a TCP/UDP port (E.g.: telnet or 23);
an interval, by separating the two TCP/UDP port values with the : (colon) character (E.g.: 23:161 or telnet:snmp);
the name of an Elements List of type TUP, RU or MR, written between single quotes (E.g.: 'My_List');
the * (asterisk) string, which stands for “any TCP/UDP port”.
PO
This parameter is used only for the TCP and UDP protocols, as an alternative to the SPO and DPO parameters. It sets the port value (or interval of values) that either the datagram's source port or its destination port has to match (or be contained in). It may be expressed as:
the mnemonic or numeric identifier [1 - 65535] of a TCP/UDP port (E.g.: telnet or 23);
an interval, by separating the two TCP/UDP port values with the : (colon) character (E.g.: 23:161 or telnet:snmp);
the name of an Elements List of type TUP, RU or MR, written between single quotes (E.g.: 'My_List');
the * (asterisk) string, which stands for “any TCP/UDP port”.
TOS-I
Input Type of Service octet or Differentiated Services field. It may be expressed as:
* or *-*, meaning “any value”;
p-t, PRECEDENCE and TOS values, where p can be [0..7, *] and t can be a combination of [N: None; D: Minimize Delay; T: Maximize Throughput; R: Maximize Reliability; C: Minimize Monetary Cost; *];
bbbbbb, DS value bit by bit, where b can be [0, 1, x] and x means “don't care”.
TOS-O
Output Type of Service octet or Differentiated Services field. It may be expressed as:
* or *-*, meaning “don't change”;
p-t, PRECEDENCE and TOS values, where p can be [0..7, *] and t can be a combination of [N: None; D: Minimize Delay; T: Maximize Throughput; R: Maximize Reliability; C: Minimize Monetary Cost; *];
bbbbbb, DS value bit by bit, where b can be [0, 1, x] and x means “don't change this bit”.
SRES
Source IP resource: an IP resource [Ip-1..Ip-250], or "*", or "INT", or the name of a CR/RU/MR list between single quotes (E.g.: INT or * or Ip-3 or 'list').
DRES
Destination IP resource: an IP resource [Ip-1..Ip-250], or "*", or "INT", or the name of a CR/RU/MR list between single quotes (E.g.: INT or * or Ip-3 or 'list').
ICMP-TYPE
ICMP message type (only for PROT:ICMP): an ICMP message type mnemonic or decimal value [0..255], or "*", or "#", or the name of an ICMPT/RU/MR list between single quotes (E.g.: Unreachable or 3 or * or # or 'List'). See HELP INTERNET ICMP for the list of ICMP message types.
TI
Time interval [#, ALL, *, string in the format day,hh:mm-hh:mm], where # = never and ALL and * = always. The 'day' value can be:
a single day of the week [MO, TU, WE, TH, FR, SA, SU];
a set of days of the week (E.g.: MO+TH or TU+TH+SU);
an interval of days of the week (E.g.: MO-WE or TH-SU);
ALL.
The a ipacl command adds a new filter to the IP access list with priority “PR:xxx” and sets the requested parameters to the specified values.
The syntax of the command is:
a ipacl pr:xxx TYPE:val SA:val DA:val PROT:val [SPO:val DPO:val] [par:val]
[11:56:38] ABILIS_CPX:a ipacl pr:0 type:permit sa:192.168.0.50:192.168.0.60 da:* prot:tcp spo:* dpo:80 sres:ip-2 dres:ip-5
COMMAND EXECUTED
[11:58:02] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:YES ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:1
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: PROT: ICMP-TYPE:
IPCOS: DA: SPO:/PO: DPO:
TOS-O: TOS-I: SRES: DRES:
TI:
-------------------------------------------------------------------------------
0
PERMIT 192.168.000.050:192.168.000.060 tcp
DFT * * http(80)
* * Ip-2 Ip-5
-------------------------------------------------------------------------------
The c ipacl command deletes the specified definition, if present in the IP access list. The priority of the filters whose “PR:xxx” is higher than the deleted one is decremented by one, so that the table stays contiguous.
The syntax of the command is:
c ipacl pr:xxx
[11:58:02] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:YES ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:2
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: PROT: ICMP-TYPE:
IPCOS: DA: SPO:/PO: DPO:
TOS-O: TOS-I: SRES: DRES:
TI:
-------------------------------------------------------------------------------
0
PERMIT 192.168.000.050:192.168.000.060 tcp
DFT * * http(80)
* * Ip-2 Ip-5
-------------------------------------------------------------------------------
1
PERMIT 192.168.001.070 udp
HIGH * * *
* * Ip-2 Ip-5
-------------------------------------------------------------------------------
[11:58:04] ABILIS_CPX:c ipacl pr:1
COMMAND EXECUTED
[11:58:57] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:YES ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:1
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: PROT: ICMP-TYPE:
IPCOS: DA: SPO:/PO: DPO:
TOS-O: TOS-I: SRES: DRES:
TI:
-------------------------------------------------------------------------------
0
PERMIT 192.168.000.050:192.168.000.060 tcp
DFT * * http(80)
* * Ip-2 Ip-5
-------------------------------------------------------------------------------
The s ipacl command sets the values of the specified filter. The syntax of the command is:
s ipacl pr:xxx par:val [par:val]
[11:58:57] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:YES ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:1
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: PROT: ICMP-TYPE:
IPCOS: DA: SPO:/PO: DPO:
TOS-O: TOS-I: SRES: DRES:
TI:
-------------------------------------------------------------------------------
0
PERMIT 192.168.000.050:192.168.000.060 * *
DFT * * *
* * Ip-2 Ip-5
-------------------------------------------------------------------------------
[11:58:58] ABILIS_CPX:s ipacl pr:0 prot:tcp
COMMAND EXECUTED
[12:00:46] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:YES ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:1
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: PROT: ICMP-TYPE:
IPCOS: DA: SPO:/PO: DPO:
TOS-O: TOS-I: SRES: DRES:
TI:
-------------------------------------------------------------------------------
0
PERMIT 192.168.000.050:192.168.000.060 tcp
DFT * * *
* * Ip-2 Ip-5
------------------------------------------------------------------------------
The m ipacl command changes the filter priority value from “PR:xxx” to “PR:yyy”.
The syntax of the command is:
m ipacl pr:xxx pr:yyy
[12:01:38] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:YES ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:2
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: PROT: ICMP-TYPE:
IPCOS: DA: SPO:/PO: DPO:
TOS-O: TOS-I: SRES: DRES:
TI:
-------------------------------------------------------------------------------
0
PERMIT 192.168.000.050:192.168.000.060 tcp
DFT * * *
* * Ip-2 Ip-5
-------------------------------------------------------------------------------
1
PERMIT 192.168.001.070 udp
HIGH * * *
* * Ip-2 Ip-5
-------------------------------------------------------------------------------
[12:01:39] ABILIS_CPX:m ipacl pr:0 pr:1
COMMAND EXECUTED
[12:01:43] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:YES ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:2
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: PROT: ICMP-TYPE:
IPCOS: DA: SPO:/PO: DPO:
TOS-O: TOS-I: SRES: DRES:
TI:
-------------------------------------------------------------------------------
0
PERMIT 192.168.001.070 udp
HIGH * * *
* * Ip-2 Ip-5
-------------------------------------------------------------------------------
1
PERMIT 192.168.000.050:192.168.000.060 tcp
DFT * * *
* * Ip-2 Ip-5
-------------------------------------------------------------------------------
The f ipacl command verifies how the IP datagram specified in the command will be handled according to the current content of the IP access list.
The search is made by checking the source and destination IP addresses, the Type of Service, the Internet protocol, the source IP resource, the source and destination ports (required only for the TCP and UDP protocols) and the ICMP message type (required only for the ICMP protocol); optionally it can also check the destination IP resource and the time.
This is the syntax of the command:
F IPACL SrcAddr DstAddr TOS Protocol SrcPort DstPort IcmpType SrcRes [DstRes] [Time]
[12:43:54] ABILIS_CPX:d ipacl
IPRTR resource parameters: ACL:YES ACLBYPASS:#
COS:ENABLED COSDFT:NORMAL
- Not Saved (SAVE CONF) -------------------------------------------------------
Tot-IPACL-Number:2
-------------------------------------------------------------------------------
PR: [DESCR:]
TYPE: SA: PROT: ICMP-TYPE:
IPCOS: DA: SPO:/PO: DPO:
TOS-O: TOS-I: SRES: DRES:
TI:
-------------------------------------------------------------------------------
0
PERMIT 192.168.001.070 udp
HIGH * * *
* * Ip-2 Ip-5
-------------------------------------------------------------------------------
1
DENY 192.168.000.050:192.168.000.060 tcp
DFT * * *
* * Ip-2 Ip-5
-------------------------------------------------------------------------------
[12:44:08] ABILIS_CPX:f ipacl 192.168.0.50 8.8.8.8 c tcp 80 8080 ip-2
EXTENDED SEARCH RESULT:
MATCH FOUND WITH IPACL PR:1
IP FORWARDING IS NOT PERMITTED
[12:44:12] ABILIS_CPX:f ipacl 192.168.1.70 8.8.8.8 c udp 3000 3080 ip-2
EXTENDED SEARCH RESULT:
MATCH FOUND WITH IPACL PR:0
IP FORWARDING IS PERMITTED:
- OUTPUT TOS/DS: 0-TR/000011 (00001100 [0C])
- IP CLASS OF SERVICE: HIGH
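The Python below is an added example, not Abilis CPX code, that models the first-match rules given under PR and exercised by the f ipacl session above: filters are scanned from priority 0, the first match decides PERMIT or DENY, a datagram matching no filter is routed with the COSDFT class, PO is checked against either port, and c ipacl renumbers the higher priorities. It rebuilds the two-filter table from the session and reproduces both lookups offline. Assumptions not stated on the page: IPCOS DFT resolves to the IPRTR COSDFT value, and the port mnemonic table is a small constructed subset; TOS, ICMP type, DRES, Elements Lists and time intervals are not modelled.

```python
"""First-match model of the IP access list described on this page. Added example,
not Abilis CPX code; it implements only the documented rules: scan from PR 0, first
match decides, unmatched datagrams are routed with COSDFT, PO matches either port."""
from dataclasses import dataclass
from ipaddress import IPv4Address

PORT_NAMES = {"telnet": 23, "http": 80, "snmp": 161}  # constructed subset of mnemonics
PROTO_NAMES = {"icmp": 1, "tcp": 6, "udp": 17}        # IANA protocol numbers


def _port(tok):
    return int(tok) if tok.isdigit() else PORT_NAMES[tok.lower()]


def _range(spec, conv):
    """'*' -> any; 'lo:hi' -> closed interval; a single value -> one-element interval."""
    if spec == "*":
        return None
    lo, _, hi = spec.partition(":")
    return conv(lo), conv(hi or lo)


def _protocols(spec):
    """'*' -> any; 'tcpudp' -> {6, 17}; mnemonic or number -> one protocol."""
    if spec == "*":
        return None
    if spec.lower() == "tcpudp":
        return {6, 17}
    return {int(spec) if spec.isdigit() else PROTO_NAMES[spec.lower()]}


def _within(rng, value):
    return rng is None or rng[0] <= value <= rng[1]


@dataclass
class Filter:
    type: str            # PERMIT or DENY
    sa: str
    da: str
    prot: str
    spo: str = "*"
    dpo: str = "*"
    po: str = None       # alternative to SPO/DPO: source OR destination port
    sres: str = "*"
    ipcos: str = "DFT"

    def matches(self, dg):
        if not _within(_range(self.sa, IPv4Address), IPv4Address(dg["sa"])):
            return False
        if not _within(_range(self.da, IPv4Address), IPv4Address(dg["da"])):
            return False
        allowed = _protocols(self.prot)
        if allowed is not None and dg["prot"] not in allowed:
            return False
        if self.sres != "*" and self.sres.lower() != dg["sres"].lower():
            return False
        if dg["prot"] not in (6, 17):    # ports are meaningful only for TCP/UDP
            return True
        if self.po is not None:
            rng = _range(self.po, _port)
            return _within(rng, dg["spo"]) or _within(rng, dg["dpo"])
        return (_within(_range(self.spo, _port), dg["spo"])
                and _within(_range(self.dpo, _port), dg["dpo"]))


class IpAcl:
    def __init__(self, cosdft="NORMAL"):
        self.filters = []  # list index is the priority PR, kept contiguous
        self.cosdft = cosdft

    def add(self, pr, flt):        # a ipacl pr:xxx ...
        if len(self.filters) >= 256:  # table size stated on this page
            raise ValueError("IP access list full")
        self.filters.insert(pr, flt)  # filters at >= pr shift up by one

    def clear(self, pr):           # c ipacl pr:xxx
        del self.filters[pr]          # higher priorities are decremented by one

    def find(self, dg):            # f ipacl SrcAddr DstAddr TOS Protocol SrcPort DstPort SrcRes
        for pr, flt in enumerate(self.filters):
            if flt.matches(dg):
                cos = self.cosdft if flt.ipcos == "DFT" else flt.ipcos  # assumes DFT -> COSDFT
                return {"pr": pr, "permitted": flt.type == "PERMIT", "ipcos": cos}
        return {"pr": None, "permitted": True, "ipcos": self.cosdft}  # no match: routed


def datagram(sa, da, prot, spo=0, dpo=0, sres="*"):
    """Lookup arguments as typed to 'f ipacl' (TOS and ICMP type are not modelled)."""
    return {"sa": sa, "da": da, "prot": PROTO_NAMES[prot], "spo": spo, "dpo": dpo, "sres": sres}


def page_acl():
    """The two-filter table shown in the 'f ipacl' session on this page."""
    acl = IpAcl(cosdft="NORMAL")
    acl.add(0, Filter("PERMIT", "192.168.1.70", "*", "udp", ipcos="HIGH", sres="Ip-2"))
    acl.add(1, Filter("DENY", "192.168.0.50:192.168.0.60", "*", "tcp", sres="Ip-2"))
    return acl
```

Running `page_acl().find(datagram("192.168.0.50", "8.8.8.8", "tcp", 80, 8080, "ip-2"))` reproduces the first lookup of the session (match on PR 1, forwarding not permitted), while a source address covered by neither filter falls through to the default permit with the COSDFT class, which is the behaviour to keep in mind when the list is meant to act as a deny list.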