Kernel filter rules provide a security mechanism that allows or denies inbound traffic on ME IP interfaces. The filter controls access to resources on the enterprise servers based on source IP address and/or subnet, source port, and protocol. When the ME processes kernel rules, it first interprets deny rules, then allow rules. Therefore, you can deny a subnet access, and then allow specific endpoints.
The ME acts on kernel rules before the other, higher-level rules such as DOS policy rules. This stops traffic from known problem sources early, so it ties up fewer processing resources.
Creates or edits kernel filters. Kernel filter rules allow you to deny traffic on an IP interface based on source IP address, source port number, and packet type.
Note:
Kernel filters are not allowed for media interfaces. If kernel filters are needed for SIP interfaces, then you must configure a separate interface to use for media.
Creates or edits the named kernel filter deny-rule configuration. A deny rule specifies the source IP address or subnet, source port number, and protocol associated with traffic to be blocked on the current IP interface.
Specify the rule name using up to 16 alphanumeric characters, enclosing blank spaces in quotation marks.
config cluster box integer interface ethX ip name kernel-filter deny-rule name
config cluster box integer interface ethX vlan integer ip name kernel-filter deny-rule name
config box interface ethX ip name kernel-filter deny-rule name
config box interface ethX vlan integer ip name kernel-filter deny-rule name
admin: Sets the administrative state of this kernel filter deny rule. When enabled, network traffic is blocked using the configured IP address or subnet, port number, and packet type. When disabled, the deny rule is not in effect.
Default: enabled
Values: enabled | disabled
Example: set admin disabled
source-address/mask <ipAddress/mask>: Specifies the source IP address or subnet to filter (deny) on this IP interface. Specify the IP address and mask in CIDR format.
Default: 0.0.0.0/0
Example: set source-address/mask 215.200.0.0/16
source-port: Specifies the source port number associated with received packets to filter (deny) on this system interface.
Default: 0 (deny all ports)
Example: set source-port 56
protocol: Specifies the source protocol associated with received packets to filter (deny) on this system interface.
Default: all
Values: all | icmp | tcp | udp | vrrp
Example: set protocol tcp
Creates or edits the named kernel filter allow-rule configuration. An allow rule specifies the source IP address or subnet, source port number, and protocol associated with traffic to be specifically allowed on the current IP interface. Typically the allow rule is used to override the denial of a subnet by allowing specific endpoints.
Specify the rule name using up to 16 alphanumeric characters, enclosing blank spaces in quotation marks.
config cluster box integer interface ethX ip name kernel-filter allow-rule name
config cluster box integer interface ethX vlan integer ip name kernel-filter allow-rule name
config box interface ethX ip name kernel-filter allow-rule name
config box interface ethX vlan integer ip name kernel-filter allow-rule name
admin: Sets the administrative state of this kernel filter allow rule. When enabled, network traffic is allowed using the configured IP address or subnet, port number, and packet type. When disabled, the allow rule is not in effect.
Default: enabled
Values: enabled | disabled
Example: set admin disabled
source-address/mask <ipAddress/mask>: Specifies the source IP address (or, less typically, a subnet) to allow on this IP interface. Specify the IP address and mask in CIDR format.
Default: 0.0.0.0/0
Example: set source-address/mask 215.200.40.8/32
source-port: Specifies the source port number associated with received packets to allow on this system interface.
Default: 0 (allow all ports)
Example: set source-port 56
protocol: Specifies the source protocol associated with received packets to allow on this system interface.
Default: all
Values: all | icmp | tcp | udp | vrrp
Example: set protocol tcp
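The evaluation order described above (deny rules first, then allow rules that carve specific endpoints out of a denied subnet), modelled as an added Python example that is not code from the product or its documentation. Rule names are hypothetical, the rule set mirrors the page's 215.200.0.0/16 and 215.200.40.8/32 examples, and the implicit pass for traffic that no deny rule matches is an assumption.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    """One kernel filter rule with the fields the page documents."""
    name: str
    source_address: str = "0.0.0.0/0"  # CIDR; the default covers every source
    source_port: int = 0               # 0 = all ports
    protocol: str = "all"              # all | icmp | tcp | udp | vrrp
    admin: str = "enabled"             # enabled | disabled

    def matches(self, src_ip: str, src_port: int, proto: str) -> bool:
        """True when an enabled rule's address/port/protocol tuple covers the packet."""
        if self.admin != "enabled":
            return False
        network = ipaddress.ip_network(self.source_address, strict=False)
        if ipaddress.ip_address(src_ip) not in network:
            return False
        if self.source_port != 0 and self.source_port != src_port:
            return False
        return self.protocol == "all" or self.protocol == proto


def kernel_filter_verdict(deny_rules, allow_rules, src_ip, src_port, proto):
    """Deny rules are evaluated first; an enabled allow rule then overrides a deny hit.
    Assumption: a packet matched by no deny rule simply passes the kernel filter."""
    if not any(r.matches(src_ip, src_port, proto) for r in deny_rules):
        return "pass"
    if any(r.matches(src_ip, src_port, proto) for r in allow_rules):
        return "allow"
    return "deny"


# Constructed rule set (hypothetical names): block the whole /16, re-admit one host.
DENY_RULES = [Rule("blockSubnet", "215.200.0.0/16")]
ALLOW_RULES = [Rule("trustedHost", "215.200.40.8/32")]

if __name__ == "__main__":
    for pkt in [("215.200.40.8", 5060, "udp"), ("215.200.1.1", 5060, "udp"),
                ("10.1.1.1", 22, "tcp")]:
        print(pkt, kernel_filter_verdict(DENY_RULES, ALLOW_RULES, *pkt))
```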