
Motorola Wing 5 Manual

    							FIREWALL-POLICY 14 - 19
    informational  Numerical severity 6. Indicates an informational condition
    notification   Numerical severity 5. Indicates a normal but significant condition
    warnings       Numerical severity 4. Indicates a warning condition
    Examples
    rfs7000-37FABE(config-rw-policy-test)#ip-mac conflict drop-only
    rfs7000-37FABE(config-rw-policy-test)#ip-mac routing conflict log-and-drop log-level notifications
    rfs7000-37FABE(config-rw-policy-test)#show context
    firewall-policy test
     ip dos fraggle drop-only
     no ip dos tcp-sequence-past-window
     ip dos tcp-max-incomplete high 600
     ip dos tcp-max-incomplete low 60
     ip-mac conflict drop-only
     ip-mac routing conflict log-and-drop log-level notifications
     flow timeout icmp 16000
     flow timeout udp 10000
     flow timeout tcp established 1500
     flow timeout other 16000
     dhcp-offer-convert
     dns-snoop entry-timeout 35
    Related Commands
    no  Resets values or disables IP MAC commands
    						
    							14 - 20 WiNG CLI Reference Guide
    14.1.9 logging
    firewall-policy
    Configures enhanced firewall logging
    Supported in the following platforms:
     AP300
     AP621
     AP650
     AP6511
     AP6521
     AP6532
     AP71XX
     RFS4000
     RFS6000
     RFS7000
     NX9000
     NX9500
    Syntax
    logging [icmp-packet-drop|malformed-packet-drop|verbose]
    logging verbose
    logging [icmp-packet-drop|malformed-packet-drop] [all|rate-limited]
    Parameters
    • logging verbose
    logging  Configures enhanced firewall logging
    verbose  Enables verbose logging
    • logging [icmp-packet-drop|malformed-packet-drop] [all|rate-limited]
    logging                Configures enhanced firewall logging
    icmp-packet-drop       Drops ICMP packets that do not pass sanity checks
    malformed-packet-drop  Drops raw IP packets that do not pass sanity checks
    all                    Logs all messages
    rate-limited           Sets the rate limit for log messages to one message every 20 seconds
    						
    Examples
    rfs7000-37FABE(config-rw-policy-test)#logging verbose
    rfs7000-37FABE(config-rw-policy-test)#logging icmp-packet-drop rate-limited
    rfs7000-37FABE(config-rw-policy-test)#logging malformed-packet-drop all
    rfs7000-37FABE(config-rw-policy-test)#show context
    firewall-policy test
     ip dos fraggle drop-only
     no ip dos tcp-sequence-past-window
     ip dos tcp-max-incomplete high 600
     ip dos tcp-max-incomplete low 60
     ip-mac conflict drop-only
     ip-mac routing conflict log-and-drop log-level notifications
     flow timeout icmp 16000
     flow timeout udp 10000
     flow timeout tcp established 1500
     flow timeout other 16000
     dhcp-offer-convert
     logging icmp-packet-drop rate-limited
     logging malformed-packet-drop all
     logging verbose
     dns-snoop entry-timeout 35
    Related Commands
    no  Resets values or disables IP MAC commands
    						
    14.1.10 no
    firewall-policy
    Negates a command or sets the default for firewall policy commands
    Supported in the following platforms:
     AP300
     AP621
     AP650
     AP6511
     AP6521
     AP6532
     AP71XX
     RFS4000
     RFS6000
     RFS7000
     NX9000
     NX9500
    Syntax
    no [alg|clamp|dhcp-offer-convert|dns-snooping|firewall|flow|ip|ip-mac|logging|
    proxy-arp|stateful-packet-inspection-l2|storm-control|virtual-defragmentation]
    no [dhcp-offer-convert|proxy-arp|stateful-packet-inspection-l2]
    no alg [dns|ftp|sip|tftp]
    no clamp tcp-mss
    no dns-snooping entry-timeout
    no firewall enable
    no flow dhcp stateful
    no flow timeout [icmp|other|udp]
    no flow timeout tcp [closed-wait|established|reset|setup|stateless-fin-or-reset|
    stateless-general]
    no ip dos [ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|
    invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|
    router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|
    tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|
    twinge|udp-short-hdr|winnuke]
    no ip tcp [adjust-mss|optimize-unnecessary-resends|
    recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|
    validate-rst-ack-number|validate-rst-seq-number]
    no ip-mac conflict
    no ip-mac routing conflict 
    no logging [icmp-packet-drop|verbose|malformed-packet-drop]
    no storm-control [arp|broadcast|multicast|unicast] {[fe |ge |log|
    port-channel |up1|wlan ]}
    no virtual-defragmentation {[maximum-fragments-per-datagram|
    minimum-first-fragment-length|maximum-defragmentation-per-host]} 
    						
    Parameters
    • no [dhcp-offer-convert|proxy-arp|stateful-packet-inspection-l2]
    no dhcp-offer-convert             Disables the conversion of broadcast DHCP offers to unicast
    no proxy-arp                      Disables the generation of ARP responses on behalf of other devices
    no stateful-packet-inspection-l2  Disables layer 2 stateful packet inspection
    • no alg [dns|ftp|sip|tftp]
    no alg  Disables preconfigured algorithms (dns, ftp, sip, and tftp)
    dns     Disables the DNS algorithm
    ftp     Disables the FTP algorithm
    sip     Disables the SIP algorithm
    tftp    Disables the TFTP algorithm
    • no clamp tcp-mss
    no clamp tcp-mss  Disables limiting the TCP MSS to the size of the MTU of the inner protocol for a tunneled packet
    • no dns-snooping entry-timeout
    no dns         Disables DNS snooping
    entry-timeout  Disables DNS snoop table entry timeout
    • no firewall enable
    no firewall enable  Disables a device’s firewalls
    • no flow dhcp stateful
    no flow        Disables firewall flows
    dhcp stateful  Disables DHCP stateful flow
    • no flow timeout [icmp|other|udp]
    no flow  Disables firewall flow
    timeout  Disables the timeout for the following packet types:
    icmp     Disables ICMP packet timeout
    other    Disables the timeout for packets that are not TCP, ICMP, or UDP
    udp      Disables UDP packet timeout
    • no flow timeout tcp [closed-wait|established|reset|setup|stateless-fin-or-reset|stateless-general]
    no flow                 Disables firewall flows
    timeout                 Disables the timeout for the following packet types:
    tcp                     Disables TCP packet timeout
    closed-wait             Disables the timeout for TCP flows in close wait status
    established             Disables the timeout for TCP flows in established status
    reset                   Disables the timeout for TCP flows in reset status
    setup                   Disables the timeout for TCP flows in setup status
    stateless-fin-or-reset  Disables the timeout for TCP flows in stateless FIN or RST status
    stateless-general       Disables the timeout for TCP flows in general stateless states
    • no ip dos [ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|
    invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|
    router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|
    tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|
    twinge|udp-short-hdr|winnuke]
    no ip                     Disables IP events
    dos                       Disables IP DoS events
    ascend                    Disables an ASCEND DoS check. Ascend routers listen on UDP port 9 for packets from Ascend's Java Configurator. Sending a formatted packet to this port can cause an Ascend router to crash.
    broadcast-multicast-icmp  Disables the detection of broadcast or multicast ICMP packets as an attack
    chargen                   Disables the chargen service. The Character Generation Protocol (chargen) is an IP suite service primarily used for testing and debugging networks. It is also used as a generic payload for bandwidth and QoS measurements.
    fraggle                   Disables checking for Fraggle DoS attacks. This checks for UDP packets to or from port 7 or 19
    ftp-bounce                Disables FTP bounce attack checks. An FTP bounce attack is a MIM attack that enables an attacker to open a port on a different machine using FTP. FTP requires that when a connection is requested by a client on the FTP port (21), another connection must open between the server and the client. To confirm, the PORT command has the client specify an arbitrary destination machine and port for the data connection. This is exploited by the attacker to gain access to a device that may not be the originating client.
    invalid-protocol          Disables a check for invalid protocol number
    ip-ttl-zero               Disables a check for the TCP/IP TTL field with a value of Zero (0)
    ipsproof                  Disables IP spoofing DoS attack checks
    land                      Disables LAND attack checks. Local Area Network Denial (LAND) is a DoS attack where IP packets are spoofed and sent to a device where the source IP and destination IP of the packet are the target device’s IP, and similarly, the source port and destination port are open ports on the same device. This causes the attacked device to reply to itself continuously.
    						
    option-route              Disables an IP Option Record Route DoS check
    router-advt               Disables router-advt attack checks. This is an attack where a default route entry is added remotely to a device. This route entry is given preference, and thereby exposes a vector of attacks.
    router-solicit            Disables router-solicit attack checks. Router solicitation messages are sent to locate routers as a form of network scanning. This information can then be used to attack a device.
    smurf                     Disables smurf attack checks. In this attack a large number of ICMP echo packets are sent with a spoofed source address. This causes the device with the spoofed source address to be flooded with a large number of replies.
    snork                     Disables snork attack checks. This attack causes a remote Windows™ NT to consume 100% of the CPU’s resources. This attack uses a UDP packet with a destination port of 135 and a source port of 7, 9, or 135. This attack can also be exploited as a bandwidth consuming attack.
    tcp-bad-sequence          Disables tcp-bad-sequence checks. This DoS attack uses a specially crafted TCP packet to cause the targeted device to drop all subsequent network traffic of a specific TCP connection.
    tcp-fin-scan              Disables TCP FIN scan checks. A FIN scan finds services on ports. A closed port returns a RST. This allows the attacker to identify open ports
    tcp-intercept             Disables TCP intercept attack checks. Prevents TCP intercept attacks by using TCP SYN cookies
    tcp-null-scan             Disables TCP Null scan checks. A TCP null scan finds services on ports. A closed port returns a RST. This allows the attacker to identify open ports
    tcp-post-syn              Disables TCP post SYN DoS attack checks
    tcp-sequence-past-window  Disables TCP SEQUENCE PAST WINDOW DoS attack checks. Disable this check to work around a bug in Windows XP's TCP stack which sends data past the window when conducting a selective ACK.
    tcp-xmas-scan             Disables TCP XMAS scan checks. A TCP XMAS scan finds services on ports. A closed port returns a RST. This allows the attacker to identify open ports
    tcphdrfrag                Disables TCP header checks. A DoS attack where the TCP header spans IP fragments
    twinge                    Disables twinge attack checks. A twinge attack is a flood of false ICMP packets to try and slow down a system
    						
    udp-short-hdr             Disables UDP short header checks. Enables the identification of truncated UDP headers and UDP header length fields
    winnuke                   Disables Winnuke checks. This DoS attack is specific to Windows™ 95 and Windows™ NT, causing devices to crash with a blue screen
    • no ip tcp [adjust-mss|optimize-unnecessary-resends|
    recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|
    validate-rst-ack-number|validate-rst-seq-number]
    no ip                              Disables IP DoS events
    tcp                                Identifies and disables TCP events and configuration items
    adjust-mss                         Disables the adjust MSS configuration
    optimize-unnecessary-resends       Disables the validation of unnecessary TCP packets
    recreate-flow-on-out-of-state-syn  Disallows a TCP SYN packet to delete an old flow in TCP_FIN_FIN_STATE and TCP_CLOSED_STATE states and create a new flow
    validate-icmp-unreachable          Disables the sequence number validation in ICMP unreachable error packets
    validate-rst-ack-number            Disables the acknowledgement number validation in RST packets
    validate-rst-seq-number            Disables the sequence number validation in RST packets
    • no ip-mac conflict
    no ip-mac  Disables IP MAC configuration
    conflict   Disables the action performed when a conflict exists between the IP address and MAC address
    • no ip-mac routing conflict
    no ip-mac  Disables IP MAC configuration
    routing    Configures a routing table based action
    conflict   Disables the action performed when a conflict exists in the routing table
    • no logging [icmp-packet-drop|verbose|malformed-packet-drop]
    no logging             Disables enhanced firewall logging
    icmp-packet-drop       Disables dropping of ICMP packets that do not pass sanity checks
    malformed-packet-drop  Disables dropping of raw IP packets that do not pass sanity checks
    verbose                Disables verbose logging
    • no storm-control [arp|broadcast|multicast|unicast] {[fe |ge |log|
    port-channel |up1|wlan ]}
    no storm-control  Disables storm control
    arp               Disables storm control for ARP packets
    						
    broadcast         Disables storm control for broadcast packets
    multicast         Disables storm control for multicast packets
    unicast           Disables storm control for unicast packets
    fe                Disables the FastEthernet port
                      – Sets the FastEthernet port
    ge                Disables the Gigabit Ethernet port
                      – Sets the GigabitEthernet port
    log               Disables storm control logging
    port-channel      Disables the port channel.
                      – Sets the port channel port
    up1               Disables the uplink interface
    wlan              Disables the WLAN
                      – Sets the WLAN ID
    • no virtual-defragmentation {[maximum-fragments-per-datagram|
    minimum-first-fragment-length|maximum-defragmentation-per-host]}
    no virtual-defragmentation        Disables the virtual defragmentation of IPv4 packets
    maximum-defragmentation-per-host  Optional. Disables the maximum active IPv4 defragmentation per host
    maximum-fragments-per-datagram    Optional. Disables the maximum IPv4 fragments per datagram
    minimum-first-fragment-length     Optional. Disables the minimum length required for the first IPv4 fragment
    Examples
    rfs7000-37FABE(config-fw-policy-test)#show context
    firewall-policy test
     ip dos fraggle drop-only
     no ip dos tcp-sequence-past-window
     ip dos tcp-max-incomplete high 600
     ip dos tcp-max-incomplete low 60
     storm-control broadcast level 20000 ge 4
     storm-control arp log warnings
     ip-mac conflict drop-only
     ip-mac routing conflict log-and-drop log-level notifications
     flow timeout icmp 16000
     flow timeout udp 10000
     flow timeout tcp established 1500
     flow timeout other 16000
     dhcp-offer-convert
     logging icmp-packet-drop rate-limited
     logging malformed-packet-drop all
     logging verbose
     dns-snoop entry-timeout 35
    rfs7000-37FABE(config-fw-policy-test)#no ip dos fraggle
    rfs7000-37FABE(config-fw-policy-test)#no storm-control arp log
    rfs7000-37FABE(config-fw-policy-test)#no dhcp-offer-convert
    rfs7000-37FABE(config-fw-policy-test)#no logging malformed-packet-drop
    						
    rfs7000-37FABE(config-fw-policy-test)#show context
    firewall-policy test
     no ip dos fraggle
     no ip dos tcp-sequence-past-window
     ip dos tcp-max-incomplete high 600
     ip dos tcp-max-incomplete low 60
     storm-control broadcast level 20000 ge 4
     storm-control arp log none
     ip-mac conflict drop-only
     ip-mac routing conflict log-and-drop log-level notifications
     flow timeout icmp 16000
     flow timeout udp 10000
     flow timeout tcp established 1500
     flow timeout other 16000
     logging icmp-packet-drop rate-limited
     logging verbose
     dns-snoop entry-timeout 35
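An added example, not part of the WiNG guide: a Python check that reads the `show context` output above and reports which DoS checks, logging types and storm-control logs the `no` commands left switched off. It assumes a logging type missing from the context is not configured, as the before/after output on this page suggests; `audit_policy` and its report keys are names chosen for this example.

```python
import re

# 'show context' output copied from the last example on this page.
SHOW_CONTEXT = """\
firewall-policy test
 no ip dos fraggle
 no ip dos tcp-sequence-past-window
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 storm-control broadcast level 20000 ge 4
 storm-control arp log none
 ip-mac conflict drop-only
 ip-mac routing conflict log-and-drop log-level notifications
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 logging icmp-packet-drop rate-limited
 logging verbose
 dns-snoop entry-timeout 35
"""

# Logging types taken from the 'logging' syntax on this page.
LOGGING_TYPES = ("icmp-packet-drop", "malformed-packet-drop", "verbose")


def audit_policy(text):
    """Summarise weakened settings in one firewall-policy context block."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("firewall-policy "):
        raise ValueError("expected a 'firewall-policy <name>' header line")
    report = {"policy": lines[0].split(None, 1)[1], "dos_checks_disabled": [],
              "logging_not_configured": [], "storm_logging_off": []}
    logged = set()
    for ln in lines[1:]:
        if m := re.fullmatch(r"no ip dos (\S+)", ln):
            report["dos_checks_disabled"].append(m.group(1))
        elif m := re.fullmatch(r"logging (\S+)(?: \S+)?", ln):
            logged.add(m.group(1))
        elif m := re.fullmatch(r"storm-control (\S+) log none", ln):
            report["storm_logging_off"].append(m.group(1))
    # Assumption: a logging type with no line in the context is not configured.
    report["logging_not_configured"] = [t for t in LOGGING_TYPES if t not in logged]
    return report


if __name__ == "__main__":
    for key, value in audit_policy(SHOW_CONTEXT).items():
        print(f"{key}: {value}")
```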
    Related Commands
    alg                            Configures algorithms used with a firewall policy
    clamp                          Limits the TCP MSS to the MTU value of the inner protocol for tunneled packets
    dhcp-offer-convert             Enables the conversion of broadcast DHCP offer packets to unicast
    dns-snoop                      Configures the DNS snoop table entry timeout
    firewall                       Enables firewalls
    flow                           Configures firewall flows
    ip                             Configures IP settings
    ip-mac                         Defines actions based on the device IP MAC table
    logging                        Configures firewall logging
    proxy-arp                      Enables the generation of ARP responses on behalf of other devices
    stateful-packet-inspection-l2  Enables layer 2 stateful packet inspection
    storm-control                  Configures storm control
    virtual-defragmentation        Configures the virtual defragmentation of packets at the firewall level
    						