This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ACL policy with ICMP types

ACL policy with ICMP types

Frank
Contributor II

‎12-16-2014 01:15 PM

I want/need to create an ACL that only allows certain ICMP types and denies "the rest". Specifically "echo (8)", "echo-reply (0)", "time-exceeded (11)", "traceroute (30, I know. technically deprecated)", and "unreachable (3)" need to be accepted.

And "of course" there are a few other rules in that policy file as well, like accepting only HTTP/S traffic etc.

My question is, do I need to create five distinct entries in my policy file, each saying

if match all {
protocol icmp;
icmp-type 3;
} then {
permit;
}

or can I simply have one

if {
icmp-type 3;
icmp-type 0;
icmp-type 30;
...
} then {
permit;
}

I don't think we have (in 15.3/4/5/6.X) the option of "AND" and "OR", do we? So I guess I can not do

if {
protocol icmp; AND
( icmp-type 3; OR
icmp-type 0; OR
icmp-type 30; OR
...)
} then {
permit;
}

correct?

Thanks,

Frank

0 Kudos
8 REPLIES 8

Stephane_Grosj1
Extreme Employee

‎12-16-2014 08:37 PM

Hi,

You cannot have several icmp-type in the same match condition. Any packet can only be of one type, not all. That's why you have the error message. You would have the same kind of error if you tried to have on the same condition match both an IPv4 and an IPv6 address. That's not possible.

Rgds,
Stephane
0 Kudos

Frank
Contributor II

‎12-16-2014 04:19 PM

Whooops:
# refresh policy "test"

Error: Was not able to refresh policy test
Line 75 : Attribute icmp-type already exists as a match statement in Acl entry Allow_ICMP.
Configuration failed on backup MSM, command execution aborted!

I guess I have to type out five different entries. At least on 15.5.1.6 😞

Yup, that worked.

0 Kudos

Frank
Contributor II

‎12-16-2014 03:54 PM

OUCH!!!
-> Line 73 : Protocol needs to be set to icmp or icmpv6 , before setting "icmp-type".

However, this seems to be sufficient to pass the check command:

entry Allow_ICMP {
if match any {
protocol icmp;
icmp-type 0;
icmp-type 3;
icmp-type 8;
icmp-type 11;
icmp-type 30;
} then {
permit;
}
}

If I hit another snag, I'll be back posting 🙂
0 Kudos

Frank
Contributor II

‎12-16-2014 03:28 PM

Sure does - and thank you much!
0 Kudos
GTM-P2G8KFN