Motorola Wing 5 Manual
Here you can view all the pages of manual Motorola Wing 5 Manual. The Motorola manuals for Wireless are available online for free. You can easily download all the documents as PDF.
Page 851
![Page 851
FIREWALL-POLICY 14 - 9
14.1.6 flow
firewall-policy
Defines the session flow timeout for different packet types
Supported in the following platforms:
AP300
AP621
AP650
AP6511
AP6521
AP6532
AP71XX
RFS4000
RFS6000
RFS7000
NX9000
NX9500
Syntax
flow [dhcp|timeout]
flow dhcp stateful
flow timeout [icmp|other|tcp|udp]
flow timeout [icmp|other]
flow timeout udp
flow timeout tcp [close-wait|reset|setup|stateless-fin-or-reset|
stateless-general]
flow timeout tcp established
Parameters
• flow dhcp...](http://img.usermanuals.tech/thumb/52/100713/w300_wing-5-manual-1509563222_d-850.png "Page 851
FIREWALL-POLICY 14 - 9
14.1.6 flow
firewall-policy
Defines the session flow timeout for different packet types
Supported in the following platforms:
AP300
AP621
AP650
AP6511
AP6521
AP6532
AP71XX
RFS4000
RFS6000
RFS7000
NX9000
NX9500
Syntax
flow [dhcp|timeout]
flow dhcp stateful
flow timeout [icmp|other|tcp|udp]
flow timeout [icmp|other]
flow timeout udp
flow timeout tcp [close-wait|reset|setup|stateless-fin-or-reset|
stateless-general]
flow timeout tcp established
Parameters
• flow dhcp...")
FIREWALL-POLICY 14 - 9 14.1.6 flow firewall-policy Defines the session flow timeout for different packet types Supported in the following platforms: AP300 AP621 AP650 AP6511 AP6521 AP6532 AP71XX RFS4000 RFS6000 RFS7000 NX9000 NX9500 Syntax flow [dhcp|timeout] flow dhcp stateful flow timeout [icmp|other|tcp|udp] flow timeout [icmp|other] flow timeout udp flow timeout tcp [close-wait|reset|setup|stateless-fin-or-reset| stateless-general] flow timeout tcp established Parameters • flow dhcp...
Page 852
![Page 852
14 - 10 WiNG CLI Reference Guide
• flow timeout udp
• flow timeout tcp [close-wait|reset|setup|stateless-fin-or-reset|
stateless-general]
• flow timeout tcp established
Examples
rfs7000-37FABE(config-rw-policy-test)#flow timeout udp 10000
rfs7000-37FABE(config-rw-policy-test)#flow timeout icmp 16000
rfs7000-37FABE(config-rw-policy-test)#flow timeout other 16000
rfs7000-37FABE(config-rw-policy-test)#flow timeout tcp established 1500
rfs7000-37FABE(config-rw-policy-test)#show context
firewall-policy...](http://img.usermanuals.tech/thumb/52/100713/w300_wing-5-manual-1509563222_d-851.png "Page 852
14 - 10 WiNG CLI Reference Guide
• flow timeout udp
• flow timeout tcp [close-wait|reset|setup|stateless-fin-or-reset|
stateless-general]
• flow timeout tcp established
Examples
rfs7000-37FABE(config-rw-policy-test)#flow timeout udp 10000
rfs7000-37FABE(config-rw-policy-test)#flow timeout icmp 16000
rfs7000-37FABE(config-rw-policy-test)#flow timeout other 16000
rfs7000-37FABE(config-rw-policy-test)#flow timeout tcp established 1500
rfs7000-37FABE(config-rw-policy-test)#show context
firewall-policy...")
14 - 10 WiNG CLI Reference Guide • flow timeout udp • flow timeout tcp [close-wait|reset|setup|stateless-fin-or-reset| stateless-general] • flow timeout tcp established Examples rfs7000-37FABE(config-rw-policy-test)#flow timeout udp 10000 rfs7000-37FABE(config-rw-policy-test)#flow timeout icmp 16000 rfs7000-37FABE(config-rw-policy-test)#flow timeout other 16000 rfs7000-37FABE(config-rw-policy-test)#flow timeout tcp established 1500 rfs7000-37FABE(config-rw-policy-test)#show context firewall-policy...
Page 853
![Page 853
FIREWALL-POLICY 14 - 11
14.1.7 ip
firewall-policy
Configures Internet Protocol (IP) components
Supported in the following platforms:
AP300
AP621
AP650
AP6511
AP6521
AP6532
AP71XX
RFS4000
RFS6000
RFS7000
NX9000
NX9500
Syntax
ip [dos|tcp]
ip dos {[ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|
invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|
router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|...](http://img.usermanuals.tech/thumb/52/100713/w300_wing-5-manual-1509563222_d-852.png "Page 853
FIREWALL-POLICY 14 - 11
14.1.7 ip
firewall-policy
Configures Internet Protocol (IP) components
Supported in the following platforms:
AP300
AP621
AP650
AP6511
AP6521
AP6532
AP71XX
RFS4000
RFS6000
RFS7000
NX9000
NX9500
Syntax
ip [dos|tcp]
ip dos {[ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|
invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|
router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|...")
FIREWALL-POLICY 14 - 11
14.1.7 ip
firewall-policy
Configures Internet Protocol (IP) components
Supported in the following platforms:
AP300
AP621
AP650
AP6511
AP6521
AP6532
AP71XX
RFS4000
RFS6000
RFS7000
NX9000
NX9500
Syntax
ip [dos|tcp]
ip dos {[ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|
invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|
router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|...
Page 854
![Page 854
14 - 12 WiNG CLI Reference Guide
Parameters
• ip dos {[ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|
invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|
router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|
tcp-null-scan|tcp-post-scan|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|
twinge|udp-short-hdr|winnuke]} {[log-and-drop|log-only]} {log-level}
{[|alerts|critical|debug|emergencies|errors|informational|notifications|
warnigns]}
dos Identifies IP...](http://img.usermanuals.tech/thumb/52/100713/w300_wing-5-manual-1509563222_d-853.png "Page 854
14 - 12 WiNG CLI Reference Guide
Parameters
• ip dos {[ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|
invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|
router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|
tcp-null-scan|tcp-post-scan|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|
twinge|udp-short-hdr|winnuke]} {[log-and-drop|log-only]} {log-level}
{[|alerts|critical|debug|emergencies|errors|informational|notifications|
warnigns]}
dos Identifies IP...")
14 - 12 WiNG CLI Reference Guide
Parameters
• ip dos {[ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|
invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|
router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|
tcp-null-scan|tcp-post-scan|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|
twinge|udp-short-hdr|winnuke]} {[log-and-drop|log-only]} {log-level}
{[|alerts|critical|debug|emergencies|errors|informational|notifications|
warnigns]}
dos Identifies IP...
Page 855
FIREWALL-POLICY 14 - 13 tcp-bad-sequence A DoS attack that uses a specially crafted TCP packet to cause the targeted device to drop all subsequent network traffic for a specific TPC connection tcp-fin-scan A FIN scan finds services on ports. A closed port returns a RST. This allows the attacker to identify open ports tcp-intercept Prevents TCP intercept attacks by using TCP SYN cookies tcp-null-scan A TCP null scan finds services on ports. A closed port returns a RST. This allows the attacker to...
Page 856
![Page 856
14 - 14 WiNG CLI Reference Guide
• ip dos {[ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|
invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|
router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|
tcp-null-scan|tcp-post-scan|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|
twinge|udp-short-hdr|winnuke]} {drop-only}
dos Identifies IP events as DoS events
ascend Enables an ASCEND DoS check. Ascend routers listen on UDP port 9 for packets from
Ascends Java...](http://img.usermanuals.tech/thumb/52/100713/w300_wing-5-manual-1509563222_d-855.png "Page 856
14 - 14 WiNG CLI Reference Guide
• ip dos {[ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|
invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|
router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|
tcp-null-scan|tcp-post-scan|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|
twinge|udp-short-hdr|winnuke]} {drop-only}
dos Identifies IP events as DoS events
ascend Enables an ASCEND DoS check. Ascend routers listen on UDP port 9 for packets from
Ascends Java...")
14 - 14 WiNG CLI Reference Guide
• ip dos {[ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|
invalid-protocol|ip-ttl-zero|ipsproof|land|option-route|router-advt|
router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|
tcp-null-scan|tcp-post-scan|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|
twinge|udp-short-hdr|winnuke]} {drop-only}
dos Identifies IP events as DoS events
ascend Enables an ASCEND DoS check. Ascend routers listen on UDP port 9 for packets from
Ascends Java...
Page 857
![Page 857
FIREWALL-POLICY 14 - 15
• ip dos tcp-max-incomplete [high|low]
• ip tcp adjust-mss
• ip tcp [optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-
icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]
tcp-fin-scan A FIN scan finds services on ports. A closed port returns a RST. This allows the
attacker to identify open ports
tcp-intercept Prevents TCP intercept attacks by using TCP SYN cookies
tcp-null-scan A TCP null scan finds services on ports. A closed port returns a...](http://img.usermanuals.tech/thumb/52/100713/w300_wing-5-manual-1509563222_d-856.png "Page 857
FIREWALL-POLICY 14 - 15
• ip dos tcp-max-incomplete [high|low]
• ip tcp adjust-mss
• ip tcp [optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-
icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]
tcp-fin-scan A FIN scan finds services on ports. A closed port returns a RST. This allows the
attacker to identify open ports
tcp-intercept Prevents TCP intercept attacks by using TCP SYN cookies
tcp-null-scan A TCP null scan finds services on ports. A closed port returns a...")
FIREWALL-POLICY 14 - 15 • ip dos tcp-max-incomplete [high|low] • ip tcp adjust-mss • ip tcp [optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate- icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number] tcp-fin-scan A FIN scan finds services on ports. A closed port returns a RST. This allows the attacker to identify open ports tcp-intercept Prevents TCP intercept attacks by using TCP SYN cookies tcp-null-scan A TCP null scan finds services on ports. A closed port returns a...
Page 858
14 - 16 WiNG CLI Reference Guide Examples rfs7000-37FABE(config-rw-policy-test)#ip dhcp fraggle drop-only rfs7000-37FABE(config-rw-policy-test)#ip dhcp tcp-max-incomplete high 600 rfs7000-37FABE(config-rw-policy-test)#ip dhcp tcp-max-incomplete low 60 rfs7000-37FABE(config-rw-policy-test)#show context firewall-policy test ip dos fraggle drop-only no ip dos tcp-sequence-past-window ip dos tcp-max-incomplete high 600 ip dos tcp-max-incomplete low 60 flow timeout icmp 16000 flow timeout udp 10000...
Page 859
![Page 859
FIREWALL-POLICY 14 - 17
14.1.8 ip-mac
firewall-policy
Defines an action based on the device IP MAC table, and also detects conflicts between IP addresses and MAC addresses
Supported in the following platforms:
AP300
AP621
AP650
AP6511
AP6521
AP6532
AP71XX
RFS4000
RFS6000
RFS7000
NX9000
NX9500
Syntax
ip-mac [conflict|routing]
ip-mac conflict drop-only
ip-mac conflict [log-and-drop|log-only] log-level [|alerts|critical|debug|
emergencies|errors|informational|notifications|warnings]
ip-mac...](http://img.usermanuals.tech/thumb/52/100713/w300_wing-5-manual-1509563222_d-858.png "Page 859
FIREWALL-POLICY 14 - 17
14.1.8 ip-mac
firewall-policy
Defines an action based on the device IP MAC table, and also detects conflicts between IP addresses and MAC addresses
Supported in the following platforms:
AP300
AP621
AP650
AP6511
AP6521
AP6532
AP71XX
RFS4000
RFS6000
RFS7000
NX9000
NX9500
Syntax
ip-mac [conflict|routing]
ip-mac conflict drop-only
ip-mac conflict [log-and-drop|log-only] log-level [|alerts|critical|debug|
emergencies|errors|informational|notifications|warnings]
ip-mac...")
FIREWALL-POLICY 14 - 17 14.1.8 ip-mac firewall-policy Defines an action based on the device IP MAC table, and also detects conflicts between IP addresses and MAC addresses Supported in the following platforms: AP300 AP621 AP650 AP6511 AP6521 AP6532 AP71XX RFS4000 RFS6000 RFS7000 NX9000 NX9500 Syntax ip-mac [conflict|routing] ip-mac conflict drop-only ip-mac conflict [log-and-drop|log-only] log-level [|alerts|critical|debug| emergencies|errors|informational|notifications|warnings] ip-mac...
Page 860
![Page 860
14 - 18 WiNG CLI Reference Guide
• ip-mac conflict [log-and-drop|log-only] log-level [|alerts|critical|debug|
emergencies|errors|informational|notifications|warnings]
• ip-mac routing conflict drop-only
• ip-mac routing [log-and-drop|log-only] log-level [|alerts|critical|debug|
emergencies|errors|informational|notifications|warnings]
conflict Action performed when a conflict exists between the IP address and MAC address
log-and-drop Logs the event and drops the packet
log-only Logs the event only, the...](http://img.usermanuals.tech/thumb/52/100713/w300_wing-5-manual-1509563222_d-859.png "Page 860
14 - 18 WiNG CLI Reference Guide
• ip-mac conflict [log-and-drop|log-only] log-level [|alerts|critical|debug|
emergencies|errors|informational|notifications|warnings]
• ip-mac routing conflict drop-only
• ip-mac routing [log-and-drop|log-only] log-level [|alerts|critical|debug|
emergencies|errors|informational|notifications|warnings]
conflict Action performed when a conflict exists between the IP address and MAC address
log-and-drop Logs the event and drops the packet
log-only Logs the event only, the...")
14 - 18 WiNG CLI Reference Guide • ip-mac conflict [log-and-drop|log-only] log-level [|alerts|critical|debug| emergencies|errors|informational|notifications|warnings] • ip-mac routing conflict drop-only • ip-mac routing [log-and-drop|log-only] log-level [|alerts|critical|debug| emergencies|errors|informational|notifications|warnings] conflict Action performed when a conflict exists between the IP address and MAC address log-and-drop Logs the event and drops the packet log-only Logs the event only, the...
All Motorola manuals