Motorola Wing 5 Manual
FIREWALL-POLICY 14 - 9

14.1.6 flow

firewall-policy

Defines the session flow timeout for different packet types

Supported in the following platforms:
AP300 AP621 AP650 AP6511 AP6521 AP6532 AP71XX RFS4000 RFS6000 RFS7000 NX9000 NX9500

Syntax
flow [dhcp|timeout]
flow dhcp stateful
flow timeout [icmp|other|tcp|udp]
flow timeout [icmp|other] <1-32400>
flow timeout udp <15-32400>
flow timeout tcp [close-wait|reset|setup|stateless-fin-or-reset|stateless-general] <1-32400>
flow timeout tcp established <15-32400>

Parameters
• flow dhcp stateful
  dhcp                      Configures DHCP packet flow
  stateful                  Performs a stateful check on DHCP packets

• flow timeout [icmp|other] <1-32400>
  timeout                   Configures a packet timeout
  icmp                      Configures the timeout for ICMP packets
  other                     Configures the timeout for packets that are not ICMP, TCP, or UDP
  <1-32400>                 Configures the timeout from 1 - 32400 seconds

14 - 10 WiNG CLI Reference Guide

• flow timeout udp <15-32400>
  timeout                   Configures a packet timeout
  udp                       Configures the timeout for UDP packets
  <15-32400>                Configures the timeout from 15 - 32400 seconds

• flow timeout tcp [close-wait|reset|setup|stateless-fin-or-reset|stateless-general] <1-32400>
  timeout                   Configures a packet timeout
  tcp                       Configures the timeout for TCP packets
  close-wait                Configures the timeout for TCP flows in the close-wait (closing) state
  reset                     Configures the timeout for TCP flows that have been reset
  setup                     Configures the timeout for TCP flows still being opened (handshake not complete)
  stateless-fin-or-reset    Configures the timeout for stateless TCP flows created by FIN or RESET packets
  stateless-general         Configures the timeout for all other stateless TCP flows
  <1-32400>                 Configures the timeout from 1 - 32400 seconds

• flow timeout tcp established <15-32400>
  timeout                   Configures a packet timeout
  tcp                       Configures the timeout for TCP packets
  established               Configures the timeout for established TCP flows
  <15-32400>                Configures the timeout from 15 - 32400 seconds

Examples
rfs7000-37FABE(config-rw-policy-test)#flow timeout udp 10000
rfs7000-37FABE(config-rw-policy-test)#flow timeout icmp 16000
rfs7000-37FABE(config-rw-policy-test)#flow timeout other 16000
rfs7000-37FABE(config-rw-policy-test)#flow timeout tcp established 1500
rfs7000-37FABE(config-rw-policy-test)#show context
firewall-policy test
 no ip dos tcp-sequence-past-window
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 dns-snoop entry-timeout 35
rfs7000-37FABE(config-rw-policy-test)#

Related Commands
no    Resets values or disables firewall policy flow commands
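The flow timeouts above bound how long an idle entry stays in the device's session table, which is what a spoofed-source flood tries to fill. As an added example (not from the WiNG reference or Motorola), the Python model below replays a constructed UDP flood against a small flow table under two timeout sets: the 10000 s UDP timeout from the example output above, and an assumed 60 s alternative. The table capacity of 1000 flows, the flood rate, the addresses and the single "tcp" timer standing in for the separate TCP timers are assumptions made for the illustration, not values from the manual.

```python
from dataclasses import dataclass, field

# Idle timeouts per protocol, in seconds, mirroring `flow timeout <proto> <secs>`.
# RELAXED reuses the values from the manual's example output; TIGHT is an assumed
# alternative chosen for this example, not a Motorola recommendation. TCP is collapsed
# to one "established" timer here; the real policy has separate setup/close-wait/
# reset/stateless timers.
RELAXED = {"icmp": 16000, "udp": 10000, "tcp": 1500, "other": 16000}
TIGHT = {"icmp": 30, "udp": 60, "tcp": 1500, "other": 30}


@dataclass
class SessionTable:
    """Minimal stateful flow table: one entry per (proto, src, dst), expired on idle."""
    timeouts: dict
    capacity: int                                # assumed limit; the real table size is not on the page
    flows: dict = field(default_factory=dict)    # (proto, src, dst) -> time of last packet
    rejected: int = 0

    def expire(self, now):
        """Remove flows that have been idle longer than their protocol's timeout."""
        for key, last_seen in list(self.flows.items()):
            if now - last_seen > self.timeouts[key[0]]:
                del self.flows[key]

    def admit(self, now, proto, src, dst):
        """True if the packet matches a live flow or a new flow fits; False when the table is full."""
        self.expire(now)
        key = (proto, src, dst)
        if key in self.flows or len(self.flows) < self.capacity:
            self.flows[key] = now
            return True
        self.rejected += 1
        return False


def udp_flood_then_legit(timeouts, capacity=1000, attack_pps=50, duration=60, quiet=120):
    """Replay a spoofed-source UDP flood (constructed traffic) for `duration` seconds,
    then one legitimate UDP flow after `quiet` seconds of silence.
    Returns (legit_admitted, packets_rejected_during_the_run)."""
    table = SessionTable(timeouts, capacity)
    for t in range(duration):
        for i in range(attack_pps):
            n = t * attack_pps + i                  # a fresh spoofed source per packet
            src = f"10.0.{n // 256 % 256}.{n % 256}"
            table.admit(t, "udp", src, "192.0.2.53")
    legit = table.admit(duration + quiet, "udp", "172.16.0.10", "192.0.2.53")
    return legit, table.rejected


if __name__ == "__main__":
    for name, policy in (("relaxed", RELAXED), ("tight", TIGHT)):
        admitted, rejected = udp_flood_then_legit(policy)
        print(f"{name:8s} udp timeout {policy['udp']:>5d}s: rejected={rejected} legit_admitted={admitted}")
```

With the long timeout the table is still full two minutes after the flood stops and the legitimate client's first packet is refused; with the short timeout the flood entries have aged out. A short timer has its own cost: quiet but long-lived UDP sessions lose their flow state and their next packets arrive with no matching entry, which is one reason the manual floors the UDP and established-TCP timers at 15 seconds rather than 1.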
14.1.7 ip

firewall-policy

Configures Internet Protocol (IP) components

Supported in the following platforms:
AP300 AP621 AP650 AP6511 AP6521 AP6532 AP71XX RFS4000 RFS6000 RFS7000 NX9000 NX9500

Syntax
ip [dos|tcp]
ip dos {[ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-max-incomplete|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke]}
ip tcp [adjust-mss|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number|optimize-unnecessary-resends]
ip dos {[ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke]} {[log-and-drop|log-only]} {log-level} {[<0-7>|alerts|critical|debug|emergencies|errors|informational|notifications|warnings]}
ip dos {[ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke]} {drop-only}
ip dos tcp-max-incomplete [high|low] <1-1000>
ip tcp adjust-mss <472-1460>
ip tcp [optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]
Parameters
• ip dos {[ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke]} {[log-and-drop|log-only]} {log-level} {[<0-7>|alerts|critical|debug|emergencies|errors|informational|notifications|warnings]}
  dos                        Identifies IP events as DoS events
  ascend                     Enables the Ascend DoS check. Ascend routers listen on UDP port 9 for packets from the Ascend Java Configurator; a specially formatted packet sent to this port can crash the router.
  broadcast-multicast-icmp   Detects broadcast or multicast ICMP packets as an attack
  chargen                    Enables the chargen DoS check. The Character Generator Protocol (chargen) is an IP suite service primarily used for testing and debugging networks, and as a source of generic payload for bandwidth and QoS measurements.
  fraggle                    Enables the Fraggle DoS check, which detects UDP packets to or from port 7 or 19
  ftp-bounce                 Enables the FTP bounce check. An FTP bounce attack uses an FTP server to open a connection to a port on a different machine. When a client connects on the FTP control port (21), a second connection is opened between server and client for data; with the PORT command the client names an arbitrary destination address and port for that data connection. An attacker exploits this to reach a device that is not the originating client.
  invalid-protocol           Enables a check for an invalid IP protocol number
  ip-ttl-zero                Enables a check for IP packets whose TTL field is zero (0)
  ipspoof                    Enables a check for IP address spoofing
  land                       Enables the LAND check. A Local Area Network Denial (LAND) attack sends spoofed IP packets whose source and destination IP are both the target device's IP, and whose source and destination port are both open ports on that device, causing the device to reply to itself continuously.
  option-route               Enables an IP Option Record Route DoS check
  router-advt                Enables a check for router advertisements. In this attack a default route entry is added remotely to a device; the injected route is given preference and thereby exposes an attack vector.
  router-solicit             Enables a check for router solicitation messages, which are sent to locate routers as a form of network scanning. The information gathered can then be used to attack a device.
  smurf                      Enables the smurf check. In this attack a large number of ICMP echo packets are sent with a spoofed source address, so the device owning the spoofed address is flooded with replies.
  snork                      Enables the snork check. This attack drives a remote Windows NT host to 100% CPU using a UDP packet with destination port 135 and source port 7, 9, or 135. It can also be used as a bandwidth-consuming attack.
  tcp-bad-sequence           Enables a check for the DoS attack that uses a specially crafted TCP packet to make the targeted device drop all subsequent traffic for a specific TCP connection
  tcp-fin-scan               Enables the FIN scan check. A FIN scan probes for services: a closed port returns a RST while an open port stays silent, which lets the attacker identify open ports.
  tcp-intercept              Prevents TCP intercept attacks by using TCP SYN cookies
  tcp-null-scan              Enables the TCP null scan check. A null scan (no TCP flags set) probes for services: a closed port returns a RST while an open port stays silent, which lets the attacker identify open ports.
  tcp-post-syn               Enables the TCP post-SYN DoS check
  tcp-sequence-past-window   Enables the TCP sequence-past-window DoS check. Disable this check to work around a bug in Windows XP's TCP stack, which sends data past the window when performing a selective ACK.
  tcp-xmas-scan              Enables the TCP XMAS scan check. An XMAS scan (FIN, PSH and URG flags set) probes for services: a closed port returns a RST while an open port stays silent, which lets the attacker identify open ports.
  tcphdrfrag                 Enables a check for the DoS attack in which the TCP header spans IP fragments
  twinge                     Enables the twinge check. A twinge attack floods a system with forged ICMP packets to slow it down.
  udp-short-hdr              Enables the identification of truncated UDP headers and invalid UDP header length fields
  winnuke                    Enables the WinNuke check. This DoS attack is specific to Windows 95 and Windows NT and crashes the device with a blue screen.
  log-and-drop               Logs the event and drops the packet
  log-only                   Logs the event only; the packet is not dropped
  log-level                  Configures the log level
  <0-7>                      Sets the numeric logging level
  alerts                     Numerical severity 1. Indicates a condition where immediate action is required
  critical                   Numerical severity 2. Indicates a critical condition
  debug                      Numerical severity 7. Debugging messages
  emergencies                Numerical severity 0. System is unusable
  errors                     Numerical severity 3. Indicates an error condition
  informational              Numerical severity 6. Indicates an informational condition
  notifications              Numerical severity 5. Indicates a normal but significant condition
  warnings                   Numerical severity 4. Indicates a warning condition
• ip dos {[ascend|broadcast-multicast-icmp|chargen|fraggle|ftp-bounce|invalid-protocol|ip-ttl-zero|ipspoof|land|option-route|router-advt|router-solicit|smurf|snork|tcp-bad-sequence|tcp-fin-scan|tcp-intercept|tcp-null-scan|tcp-post-syn|tcp-sequence-past-window|tcp-xmas-scan|tcphdrfrag|twinge|udp-short-hdr|winnuke]} {drop-only}
  dos                        Identifies IP events as DoS events
  ascend ... winnuke         The DoS checks have the same meaning as in the log-and-drop|log-only form above
  drop-only                  Drops a packet without logging

• ip dos tcp-max-incomplete [high|low] <1-1000>
  dos                        Identifies IP events as DoS events
  tcp-max-incomplete         Sets the limits for the maximum number of incomplete (half-open) TCP connections
  high                       Sets the upper limit for the maximum number of incomplete TCP connections
  low                        Sets the lower limit for the maximum number of incomplete TCP connections
  <1-1000>                   Sets the limit in the range of 1 - 1000 connections

• ip tcp adjust-mss <472-1460>
  tcp                        Identifies and configures TCP events and configuration items
  adjust-mss                 Adjusts the TCP Maximum Segment Size (MSS)
  <472-1460>                 Sets the TCP MSS value from 472 - 1460

• ip tcp [optimize-unnecessary-resends|recreate-flow-on-out-of-state-syn|validate-icmp-unreachable|validate-rst-ack-number|validate-rst-seq-number]
  tcp                        Identifies and configures TCP events and configuration items
  optimize-unnecessary-resends        Enables the validation of unnecessary resends of TCP packets
  recreate-flow-on-out-of-state-syn   Allows a TCP SYN packet to delete an old flow in the TCP_FIN_FIN_STATE or TCP_CLOSED_STATE state and create a new flow
  validate-icmp-unreachable           Enables the validation of the sequence number in ICMP unreachable error packets that abort an established TCP flow
  validate-rst-ack-number             Enables the validation of the acknowledgement number in RST packets that abort a TCP flow
  validate-rst-seq-number             Enables the validation of the sequence number in RST packets that abort an established TCP flow

Examples
rfs7000-37FABE(config-rw-policy-test)#ip dos fraggle drop-only
rfs7000-37FABE(config-rw-policy-test)#ip dos tcp-max-incomplete high 600
rfs7000-37FABE(config-rw-policy-test)#ip dos tcp-max-incomplete low 60
rfs7000-37FABE(config-rw-policy-test)#show context
firewall-policy test
 ip dos fraggle drop-only
 no ip dos tcp-sequence-past-window
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 dns-snoop entry-timeout 35
rfs7000-37FABE(config-rw-policy-test)#

Related Commands
no    Resets values or disables firewall policy IP commands
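The `show context` output above is the artifact a reviewer actually gets from a WiNG device, and the settings in it are exactly what needs checking: checks disabled with `no ip dos`, checks set to `drop-only` (no log record) or `log-only` (no enforcement), tcp-max-incomplete limits and flow timeouts against their ranges. As an added example (not Motorola's code or a WiNG feature), the Python script below parses that output and reports such findings, using the manual's example as the weak configuration and a constructed "hardened" policy as the corrected one. The 3600 s threshold for "long" idle timers and the treatment of drop-only as a finding are the editor's assumptions; the value ranges come from the command reference.

```python
import re

# Valid ranges from the command reference above, keyed by the flow timeout selector.
FLOW_RANGES = {
    ("icmp",): (1, 32400), ("other",): (1, 32400), ("udp",): (15, 32400),
    ("tcp", "established"): (15, 32400),
    ("tcp", "close-wait"): (1, 32400), ("tcp", "reset"): (1, 32400), ("tcp", "setup"): (1, 32400),
    ("tcp", "stateless-fin-or-reset"): (1, 32400), ("tcp", "stateless-general"): (1, 32400),
}
TCP_MAX_INCOMPLETE_RANGE = (1, 1000)
# Review threshold for idle timers; an assumption for this example, not a value from the manual.
LONG_TIMEOUT_SECS = 3600

# Constructed sample: the `show context` block from the manual's example.
WEAK_CONTEXT = """\
firewall-policy test
 ip dos fraggle drop-only
 no ip dos tcp-sequence-past-window
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 flow timeout icmp 16000
 flow timeout udp 10000
 flow timeout tcp established 1500
 flow timeout other 16000
 dhcp-offer-convert
 dns-snoop entry-timeout 35
"""

# Constructed counterpart: same checks, enforced and logged, with shorter idle timers.
HARDENED_CONTEXT = """\
firewall-policy hardened
 ip dos fraggle log-and-drop log-level warnings
 ip dos tcp-sequence-past-window log-and-drop log-level warnings
 ip dos tcp-max-incomplete high 600
 ip dos tcp-max-incomplete low 60
 flow timeout icmp 60
 flow timeout udp 120
 flow timeout tcp established 1500
 flow timeout other 60
"""


def parse_policy(text):
    """Parse one firewall-policy context block into the settings audited below."""
    policy = {"name": None, "dos": {}, "disabled_dos": set(), "max_incomplete": {}, "flow": {}, "other": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("firewall-policy "):
            policy["name"] = line.split(None, 1)[1]
        elif line.startswith("no ip dos "):
            policy["disabled_dos"].add(line.split()[3])
        elif m := re.fullmatch(r"ip dos tcp-max-incomplete (high|low) (\d+)", line):
            policy["max_incomplete"][m.group(1)] = int(m.group(2))
        elif m := re.fullmatch(r"ip dos (\S+)(?: (drop-only|log-and-drop|log-only))?(?: log-level (\S+))?", line):
            policy["dos"][m.group(1)] = (m.group(2), m.group(3))   # action None: not shown in context
        elif m := re.fullmatch(r"flow timeout (icmp|other|udp) (\d+)", line):
            policy["flow"][(m.group(1),)] = int(m.group(2))
        elif m := re.fullmatch(r"flow timeout tcp (\S+) (\d+)", line):
            policy["flow"][("tcp", m.group(1))] = int(m.group(2))
        else:
            policy["other"].append(line)   # lines this audit does not interpret
    return policy


def audit_policy(policy):
    """Return a list of finding strings; an empty list means nothing to report."""
    findings = []
    for check in sorted(policy["disabled_dos"]):
        findings.append(f"dos check '{check}' is disabled (no ip dos {check})")
    for check, (action, _level) in sorted(policy["dos"].items()):
        if action == "drop-only":
            findings.append(f"dos check '{check}' drops without logging; attacks leave no record")
        elif action == "log-only":
            findings.append(f"dos check '{check}' logs but does not drop; matching packets are forwarded")
    mi, (lo, hi) = policy["max_incomplete"], TCP_MAX_INCOMPLETE_RANGE
    for which, value in sorted(mi.items()):
        if not lo <= value <= hi:
            findings.append(f"tcp-max-incomplete {which} {value} is outside {lo}-{hi}")
    if "high" in mi and "low" in mi and mi["low"] >= mi["high"]:
        findings.append("tcp-max-incomplete low must be below high")
    for key, secs in sorted(policy["flow"].items()):
        name, rng = " ".join(key), FLOW_RANGES.get(key)
        if rng and not rng[0] <= secs <= rng[1]:
            findings.append(f"flow timeout {name} {secs} is outside {rng[0]}-{rng[1]}")
        elif secs > LONG_TIMEOUT_SECS:
            findings.append(f"flow timeout {name} {secs}s is long; idle flows stay in the session table")
    return findings


if __name__ == "__main__":
    for ctx in (WEAK_CONTEXT, HARDENED_CONTEXT):
        pol = parse_policy(ctx)
        print(pol["name"], audit_policy(pol) or ["no findings"])
```

Run against the manual's example the audit reports the disabled tcp-sequence-past-window check, the unlogged fraggle drop and the three long non-TCP timers; the hardened policy produces no findings. Whether tcp-sequence-past-window can stay enabled depends on whether the Windows XP clients the manual mentions are still present, which is the kind of site decision the script should surface rather than make.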
14.1.8 ip-mac

firewall-policy

Defines an action based on the device IP-MAC table, and detects conflicts between IP addresses and MAC addresses

Supported in the following platforms:
AP300 AP621 AP650 AP6511 AP6521 AP6532 AP71XX RFS4000 RFS6000 RFS7000 NX9000 NX9500

Syntax
ip-mac [conflict|routing]
ip-mac conflict drop-only
ip-mac conflict [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|emergencies|errors|informational|notifications|warnings]
ip-mac routing conflict drop-only
ip-mac routing conflict [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|emergencies|errors|informational|notifications|warnings]

Parameters
• ip-mac conflict drop-only
  conflict           Action performed when a conflict exists between the IP address and MAC address
  drop-only          Drops a packet without logging

• ip-mac conflict [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|emergencies|errors|informational|notifications|warnings]
  conflict           Action performed when a conflict exists between the IP address and MAC address
  log-and-drop       Logs the event and drops the packet
  log-only           Logs the event only; the packet is not dropped
  log-level          Configures the log level
  <0-7>              Sets the numeric logging level
  alerts             Numerical severity 1. Indicates a condition where immediate action is required
  critical           Numerical severity 2. Indicates a critical condition
  debug              Numerical severity 7. Debugging messages
  emergencies        Numerical severity 0. System is unusable
  errors             Numerical severity 3. Indicates an error condition
  informational      Numerical severity 6. Indicates an informational condition
  notifications      Numerical severity 5. Indicates a normal but significant condition
  warnings           Numerical severity 4. Indicates a warning condition

• ip-mac routing conflict drop-only
  routing            Defines a routing table based action
  conflict           Action performed when a conflict exists in the routing table
  drop-only          Drops a packet without logging

• ip-mac routing conflict [log-and-drop|log-only] log-level [<0-7>|alerts|critical|debug|emergencies|errors|informational|notifications|warnings]
  routing            Defines a routing table based action
  conflict           Action performed when a conflict exists in the routing table
  log-and-drop       Logs the event and drops the packet
  log-only           Logs the event only; the packet is not dropped
  log-level          Configures the log level under which this event is logged
  <0-7>              Sets the numeric logging level
  alerts             Numerical severity 1. Indicates a condition where immediate action is required
  critical           Numerical severity 2. Indicates a critical condition
  debug              Numerical severity 7. Debugging messages
  emergencies        Numerical severity 0. System is unusable
  errors             Numerical severity 3. Indicates an error condition
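The three actions above (drop-only, log-and-drop, log-only) decide what happens when a packet's source IP and MAC disagree with the binding the device has learned, which is the signature of ARP or IP spoofing of another host, typically the gateway. As an added example (not Motorola's code; the manual does not describe how WiNG builds its IP-MAC table or what a routing-table conflict is, and neither is modeled), the Python below applies the `ip-mac conflict` action semantics to constructed packets against a constructed binding table. The first-seen-wins learning rule, the sample addresses and the packet sequence are assumptions for the illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_mac")

# Severities from the log-level keywords in the command reference.
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debug": 7}

# Constructed IP-to-MAC bindings standing in for the device's learned IP-MAC table.
BINDINGS = {
    "192.168.1.1": "00:11:22:33:44:01",    # default gateway
    "192.168.1.20": "00:11:22:33:44:20",   # a known client
}


class IpMacConflictPolicy:
    """Applies `ip-mac conflict <action>` semantics to packets checked against a binding table."""

    ACTIONS = ("drop-only", "log-and-drop", "log-only")

    def __init__(self, action, log_level="warnings", bindings=None):
        if action not in self.ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        if log_level not in SEVERITY:
            raise ValueError(f"unknown log level {log_level!r}")
        self.action = action
        self.log_level = log_level
        self.bindings = {ip: mac.lower() for ip, mac in (bindings or {}).items()}
        self.log = []   # (numeric severity, level keyword, message)

    def learn(self, ip, mac):
        """Learn a binding (e.g. from a DHCP lease). First-seen wins, an assumption for
        this example: a later claim for an already-bound IP is reported as a conflict
        rather than silently rebinding it. Returns True if the table now holds (ip, mac)."""
        mac = mac.lower()
        if ip not in self.bindings:
            self.bindings[ip] = mac
            return True
        return self.bindings[ip] == mac

    def inspect(self, pkt):
        """Return 'forward' or 'drop' for one packet, logging according to the configured action."""
        expected = self.bindings.get(pkt.src_ip)
        if expected is None or expected == pkt.src_mac.lower():
            return "forward"                       # no binding to contradict, or a consistent one
        if self.action != "drop-only":
            self.log.append((SEVERITY[self.log_level], self.log_level,
                             f"ip-mac conflict: {pkt.src_ip} bound to {expected}, seen from {pkt.src_mac.lower()}"))
        return "forward" if self.action == "log-only" else "drop"


def run_demo(action, log_level="warnings"):
    """Push a constructed packet sequence through a policy; returns (decisions, log)."""
    policy = IpMacConflictPolicy(action, log_level, BINDINGS)
    packets = [
        Packet("192.168.1.20", "00:11:22:33:44:20"),   # legitimate client
        Packet("192.168.1.1", "de:ad:be:ef:00:01"),    # attacker claiming the gateway's IP
        Packet("192.168.1.99", "00:11:22:33:44:99"),   # IP with no binding yet
    ]
    return [policy.inspect(p) for p in packets], policy.log


if __name__ == "__main__":
    for action in IpMacConflictPolicy.ACTIONS:
        decisions, log = run_demo(action)
        print(f"{action:13s} decisions={decisions} logged={len(log)}")
```

The attacker's packet is dropped under drop-only and log-and-drop but forwarded under log-only, and drop-only leaves no log entry at all; log-and-drop is the only action that both blocks the spoof and records it. The third packet shows the limit of the control: a source with no binding is not a conflict, so the check is only as good as the binding table behind it.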