ACL policy with ICMP types
‎12-16-2014 01:15 PM
I want/need to create an ACL that only allows certain ICMP types and denies "the rest". Specifically "echo (8)", "echo-reply (0)", "time-exceeded (11)", "traceroute (30, I know. technically deprecated)", and "unreachable (3)" need to be accepted.
And "of course" there are a few other rules in that policy file as well, like accepting only HTTP/S traffic etc.
My question is, do I need to create five distinct entries in my policy file, each saying
if match all {
    protocol icmp;
    icmp-type 3;
} then {
    permit;
}
or can I simply have one
if {
    icmp-type 3;
    icmp-type 0;
    icmp-type 30;
    ...
} then {
    permit;
}
I don't think we have (in 15.3/4/5/6.X) the option of "AND" and "OR", do we? So I guess I can not do
if {
    protocol icmp; AND
    ( icmp-type 3; OR
      icmp-type 0; OR
      icmp-type 30; OR
      ...)
} then {
    permit;
}
correct?
Thanks,
Frank
8 REPLIES
‎12-16-2014 08:37 PM
Hi,
You cannot have several icmp-type in the same match condition. Any packet can only be of one type, not all. That's why you have the error message. You would have the same kind of error if you tried to have on the same condition match both an IPv4 and an IPv6 address. That's not possible.
Rgds,
Stephane
‎12-16-2014 04:19 PM
Whooops:
# refresh policy "test"
Error: Was not able to refresh policy test
Line 75 : Attribute icmp-type already exists as a match statement in Acl entry Allow_ICMP.
Configuration failed on backup MSM, command execution aborted!
I guess I have to type out five different entries. At least on 15.5.1.6 😞
Yup, that worked.
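For reference, here is a complete policy file of the shape the thread ends up with, written as an added example rather than anything posted above: one entry per ICMP type, each using match all so that the type is tied to protocol icmp, and a catch-all deny as the last entry so that every other ICMP type (and everything else not permitted earlier) is dropped. The policy and entry names are assumptions. Note that with match any the conditions are ORed, so an entry containing `protocol icmp;` under match any would permit every ICMP packet regardless of the icmp-type lines next to it; match all is what makes the type restriction effective.

```text
# Added example policy (not from the thread). Entry names are placeholders.
# Each ICMP entry uses "match all": both conditions must hold for the permit.

entry Allow_ICMP_EchoReply {
    if match all {
        protocol icmp;
        icmp-type 0;        # echo-reply
    } then {
        permit;
    }
}

entry Allow_ICMP_Unreachable {
    if match all {
        protocol icmp;
        icmp-type 3;        # destination unreachable
    } then {
        permit;
    }
}

entry Allow_ICMP_Echo {
    if match all {
        protocol icmp;
        icmp-type 8;        # echo (request)
    } then {
        permit;
    }
}

entry Allow_ICMP_TimeExceeded {
    if match all {
        protocol icmp;
        icmp-type 11;       # time-exceeded
    } then {
        permit;
    }
}

entry Allow_ICMP_Traceroute {
    if match all {
        protocol icmp;
        icmp-type 30;       # traceroute (deprecated type, as noted in the thread)
    } then {
        permit;
    }
}

# Other permits (e.g. HTTP/S) would go here, before the catch-all.

# Last entry: no match conditions, so it matches everything not
# permitted above, including all other ICMP types.
entry Deny_Rest {
    if {
    } then {
        deny;
    }
}
```

Entry order matters: entries are evaluated top to bottom and the first match wins, so the catch-all deny must stay last. Validate the file with `check policy <name>` before applying it with `configure access-list <name> ...`, as the thread does with its refresh.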
‎12-16-2014 03:54 PM
OUCH!!!
-> Line 73 : Protocol needs to be set to icmp or icmpv6 , before setting "icmp-type".
However, this seems to be sufficient to pass the check command:
entry Allow_ICMP {
    if match any {
        protocol icmp;
        icmp-type 0;
        icmp-type 3;
        icmp-type 8;
        icmp-type 11;
        icmp-type 30;
    } then {
        permit;
    }
}
If I hit another snag, I'll be back posting 🙂
‎12-16-2014 03:28 PM
Sure does - and thank you much!
