Organizing multiple IP filter rules

Each filter rule you create is a single FILTER statement. A group of filter rules is called a set. The filters within a set are processed top to bottom, in physical order. Multiple sets are processed in physical order within a FILTER_INTERFACE statement.

The following example shows one set that contains three filter statements. Whenever you refer to this set, all three rules are included. It is typically easiest to include all of your filter rules in one set.

FILTER SET all ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR  %
        = * PROTOCOL = TCP/STARTING DSTPORT = * SRCPORT = * FRAGMENTS  %
        = HEADERS JRN = FULL 
FILTER SET all ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR  %
        = * PROTOCOL = TCP DSTPORT = * SRCPORT = * FRAGMENTS = NONE  %
        JRN = OFF 
FILTER SET all ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR  %
        = * PROTOCOL = ICMP TYPE = * CODE = * FRAGMENTS = NONE JRN  %
        = OFF 
FILTER_INTERFACE LINE = ETHLINE SET = all ###Ethernet line ETHLINE
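The following Python is an added example, not IBM's tooling or part of this topic: it reads statements written in the format above, rebuilds the order in which a line's set is processed (top to bottom, physical order), and flags any rule that an earlier rule in the same set already covers. It assumes that a trailing `%` continues a statement, that `#` starts a comment, and that the first matching rule wins; a constructed DENY rule is placed after the broad TCP PERMIT to show what physical order does to it.

```python
# Constructed input: the first two rules from the text above plus one DENY rule
# (not from the page) that is physically after a PERMIT covering the same traffic.
RULES_TEXT = """\
FILTER SET all ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR  %
        = * PROTOCOL = TCP/STARTING DSTPORT = * SRCPORT = * FRAGMENTS  %
        = HEADERS JRN = FULL
FILTER SET all ACTION = PERMIT DIRECTION = INBOUND SRCADDR = * DSTADDR  %
        = * PROTOCOL = TCP DSTPORT = * SRCPORT = * FRAGMENTS = NONE  %
        JRN = OFF
FILTER SET all ACTION = DENY DIRECTION = INBOUND SRCADDR = * DSTADDR = *  %
        PROTOCOL = TCP DSTPORT = 23 SRCPORT = * FRAGMENTS = NONE JRN = FULL
FILTER_INTERFACE LINE = ETHLINE SET = all ###Ethernet line ETHLINE
"""

def parse_statements(text):
    """Return (statement_type, {KEY: VALUE}) tuples in physical order."""
    statements, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # assumption: '#' opens a comment
        if line.endswith("%"):                  # assumption: '%' continues the statement
            buf += line[:-1] + " "
            continue
        tokens = (buf + line).replace("=", " ").split()
        buf = ""
        if tokens:                              # KEY VALUE pairs follow the statement type
            statements.append((tokens[0], dict(zip(tokens[1::2], tokens[2::2]))))
    return statements

def rules_for_line(statements, line_name):
    """Rules processed on a line: the set its FILTER_INTERFACE names, in physical order."""
    sets = {}
    for kind, f in statements:
        if kind == "FILTER":
            sets.setdefault(f["SET"], []).append(f)
    binding = next((f for k, f in statements
                    if k == "FILTER_INTERFACE" and f.get("LINE") == line_name), None)
    return sets.get(binding["SET"], []) if binding else []

MATCH_FIELDS = ("DIRECTION", "SRCADDR", "DSTADDR", "PROTOCOL",
                "DSTPORT", "SRCPORT", "FRAGMENTS")

def covers(earlier, later):
    """True if every packet matched by `later` is also matched by `earlier` (exact values or '*')."""
    return all(earlier.get(k, "*") in ("*", later.get(k, "*")) for k in MATCH_FIELDS)

def shadowed_rules(rules):
    """0-based positions of rules never reached: an earlier rule already matches all their traffic."""
    return [j for j, r in enumerate(rules) if any(covers(rules[i], r) for i in range(j))]

print("shadowed:", shadowed_rules(rules_for_line(parse_statements(RULES_TEXT), "ETHLINE")))  # [2]
```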
