access inbound rule add
Adds a secure access inbound rule.
Syntax
[no] access inbound rule add [allow | deny] protocol {<protocol-number> [dstport <port-number>] | service <service>} [srcaddr <ip-address>] [srcport <port-number>] [interface <interface>] [description <description>] [rulenum <rule-number>] [log {on | off}] [override]
Parameters
allow
Allows a matching packet access to the SteelHead. This is the default action.
deny
Denies access to any matching packets.
protocol <protocol-number>
Specifies the protocol by name (all, icmp, tcp, udp) or by the IP protocol number carried in the IP header (1, 6, 17). The default is all, which matches every protocol.
dstport <port-number>
Specifies the destination port of the inbound packet. You can also specify a port range, for example 1000-30000.
srcport <port-number>
Specifies the source port of the inbound packet (see the active FTP example under Usage).
service <service>
Specifies a service name instead of a protocol and destination port: http, https, snmp, ssh, soap, telnet.
srcaddr <ip-address>
Specifies the source address or subnet of the inbound packet in CIDR notation; for example, 1.2.3.0/24. If omitted, the rule matches packets from any source.
interface <interface>
Specifies an interface name: primary, aux, inpath0_0.
rulenum <rule-number>
Specifies the position of the rule in the list: a number from 1 to <N>, start, or end.
The SteelHead evaluates rules in numerical order starting with rule 1. The first rule whose conditions match the packet is applied, and no further rules are consulted for that packet; if a rule does not match, the next rule is consulted. For example, if rule 1 does not match, rule 2 is consulted; if rule 2 matches, it is applied and rules 3 onward are skipped. Because the first match wins, a deny rule placed after a broader allow rule (or an allow rule placed after a catch-all deny) never takes effect.
description <description>
Provides a description to facilitate communication about network administration.
log {on | off}
Logs packets that this rule denies. Logging is enabled by default.
override
Ignores the disconnect warning and forces the rule change. If you add, delete, edit, or move a rule that could cut off your own management session to the SteelHead appliance, a warning message appears; specify override to proceed anyway. Use caution when you override a disconnect warning.
Usage
The management ACL contains rules that define a match condition for an inbound IP packet. Each rule allows or denies a matching inbound IP packet. In a rule added on a SteelHead, the destination is the SteelHead itself and the source is a remote host.
The rules list contains default rules that let the management ACL coexist with RiOS features such as DNS caching; they allow access to the ports those features require. The list also includes a default rule that allows access from the SCC. If you delete one of these default rules and need to restore it, enter the corresponding command for your feature.
To restore the default rule for DNS caching:
access inbound rule add allow protocol udp dstport 53 description "DNS Caching" rulenum 1
 
If a rule on the server-side SteelHead blocks inbound access to that SteelHead, active FTP transfers can fail in out-of-path deployments, because the FTP server opens the data connection from its source port 20 and, out of path, that connection terminates on the SteelHead. Riverbed recommends using passive FTP instead. If you are permitted to change the server-side SteelHead configuration, you can alternatively add a rule that allows packets from source port 20. For example:
access inbound rule add allow protocol tcp srcport 20
 
To delete a rule, use the syntax:
no access inbound rule <rulenum>
Example
amnesiac (config) # access inbound rule add allow protocol tcp dstport 1234 srcaddr 10.0.0.1/16 interface primary rulenum 2
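The following simulator is an added illustration of the first-match semantics described under rulenum and of the disconnect warning behind override; it is not Riverbed code and does not run on the appliance. It parses the command lines in the form this page uses (including the example above) into a rule list and evaluates constructed packets against it. Everything the page does not state is an assumption and is labelled as such in the code: that rulenum N inserts at position N and shifts later rules down, that a packet matching no rule is allowed, and the service-name-to-port mapping (soap is left out because the page gives no port for it).

```python
"""First-match simulator for the SteelHead management ACL: an added illustration,
not Riverbed code. Assumptions the page does not state: "rulenum N" inserts at
position N and shifts later rules down ("start" is 1, "end" is the default and
appends); a packet matching no rule is allowed; service names map to well-known
ports (soap is omitted because the page does not give its port)."""
import ipaddress
import shlex

PROTO_NUMBERS = {"all": None, "icmp": 1, "tcp": 6, "udp": 17}
SERVICE_PORTS = {"http": ("tcp", 80), "https": ("tcp", 443), "snmp": ("udp", 161),
                 "ssh": ("tcp", 22), "telnet": ("tcp", 23)}  # assumed mapping

def parse_ports(text):
    """'53' -> (53, 53); '1000-30000' -> (1000, 30000)."""
    lo, _, hi = text.partition("-")
    lo, hi = int(lo), int(hi) if hi else int(lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError("bad port range: " + text)
    return lo, hi

def parse_rule(command):
    """Parse one 'access inbound rule add ...' line into a rule dict."""
    tok = shlex.split(command)
    rule = {"action": "allow", "protocol": None, "dstport": None, "srcport": None,
            "srcaddr": None, "interface": None, "description": "", "log": "on",
            "rulenum": "end", "override": False}
    i = 4  # skip the fixed words: access inbound rule add
    if i < len(tok) and tok[i] in ("allow", "deny"):  # allow is the default action
        rule["action"], i = tok[i], i + 1
    while i < len(tok):
        key = tok[i]
        if key == "override":  # the only keyword that takes no value
            rule["override"], i = True, i + 1
            continue
        val, i = tok[i + 1], i + 2
        if key == "protocol":  # name or IP protocol number; "all" matches any
            rule["protocol"] = int(val) if val.isdigit() else PROTO_NUMBERS[val]
        elif key == "service":  # alternative to protocol + dstport
            proto, port = SERVICE_PORTS[val]
            rule["protocol"], rule["dstport"] = PROTO_NUMBERS[proto], (port, port)
        elif key in ("dstport", "srcport"):
            rule[key] = parse_ports(val)
        elif key == "srcaddr":  # strict=False accepts a host address such as 10.0.0.1/16
            rule["srcaddr"] = ipaddress.ip_network(val, strict=False)
        elif key == "rulenum":
            rule["rulenum"] = val if val in ("start", "end") else int(val)
        elif key in ("interface", "description", "log"):
            rule[key] = val
        else:
            raise ValueError("unknown keyword: " + key)
    return rule

def insert_rule(rules, rule):
    """Insert at the rule's 1-based rulenum position; later rules shift down (assumed)."""
    pos = rule["rulenum"]
    idx = 0 if pos == "start" else len(rules) if pos == "end" else pos - 1
    if not 0 <= idx <= len(rules):
        raise ValueError("rulenum out of range")
    rules.insert(idx, rule)
    return rules

def matches(rule, pkt):
    """True when every condition set on the rule matches the packet."""
    if rule["protocol"] is not None and rule["protocol"] != pkt["protocol"]:
        return False
    for field in ("dstport", "srcport"):
        rng = rule[field]
        if rng is not None and not rng[0] <= pkt.get(field, -1) <= rng[1]:
            return False
    if rule["srcaddr"] is not None and ipaddress.ip_address(pkt["srcaddr"]) not in rule["srcaddr"]:
        return False
    return rule["interface"] is None or rule["interface"] == pkt["interface"]

def evaluate(rules, pkt):
    """Walk from rule 1; the first match decides. Returns (action, rule number)."""
    for n, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule["action"], n
    return "allow", None  # no-match default: an assumption, not stated on the page

def would_lock_out(rules, candidate, session):
    """The disconnect warning behind 'override': would adding the candidate deny the admin's own session?"""
    return evaluate(insert_rule(list(rules), candidate), session)[0] == "deny"

def demo():
    rules = []
    for cmd in (  # constructed rule set; the second line is the page's own example
        'access inbound rule add allow protocol udp dstport 53 description "DNS Caching" rulenum 1',
        "access inbound rule add allow protocol tcp dstport 1234 srcaddr 10.0.0.1/16 interface primary rulenum 2",
        "access inbound rule add deny protocol all description catch-all rulenum 3",
    ):
        insert_rule(rules, parse_rule(cmd))
    dns = {"protocol": 17, "dstport": 53, "srcaddr": "192.0.2.10", "interface": "primary"}
    ssh = {"protocol": 6, "dstport": 22, "srcaddr": "10.0.5.7", "interface": "primary"}
    appended = parse_rule("access inbound rule add allow service ssh srcaddr 10.0.5.0/24")
    ahead = parse_rule("access inbound rule add allow service ssh srcaddr 10.0.5.0/24 rulenum 3")
    return {"dns": evaluate(rules, dns), "ssh": evaluate(rules, ssh),
            "appended_locks_out": would_lock_out(rules, appended, ssh),
            "ahead_locks_out": would_lock_out(rules, ahead, ssh)}
```

Calling demo() shows the ordering hazard: with a catch-all deny at rule 3, an SSH allow added with the default rulenum (end) lands at rule 4 and never matches, so the admin's own session would be denied and the appliance would raise the disconnect warning; the same allow inserted with rulenum 3 sits ahead of the deny and is applied. Note that the page's example srcaddr 10.0.0.1/16 has host bits set; the simulator normalises it to 10.0.0.0/16, which is how a CIDR match on that prefix behaves.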
Product
SCC, Interceptor, Mobile Controller, SteelHead CX, SteelHead EX, SteelHead-v, SteelHead-c
Related Commands
show access inbound rules, show access status