Important: This configuration mode is only available in StarOS 8.1 and in StarOS 9.0 and later. This configuration mode must be used to configure Policy-based Stateful Firewall and NAT features.
Important: The commands or keywords/variables that are available are dependent on platform type, product version, and installed license(s).
access-rule { no-ruledef-matches { downlink | uplink } action { deny [ charging-action charging_action ] | permit [ bypass-nat | nat-realm nat_realm ] } | priority priority { [ dynamic-only | static-and-dynamic ] access-ruledef ruledef_name { deny [ charging-action charging_action ] | permit [ [ bypass-nat | nat-realm nat_realm ] trigger open-port { port_number | range start_port to end_port } direction { both | reverse | same } ] } } }
no access-rule priority priority
charging-action charging_action
charging_action must be an alpha and/or numeric string of 1 through 63 characters in length.
nat-realm nat_realm
nat_realm must be an alpha and/or numeric string of 1 through 31 characters in length.
priority priority
priority must be an integer from 1 through 65535, and must be unique for each access ruledef in the Firewall-and-NAT policy.
[ dynamic-only | static-and-dynamic ] access-ruledef ruledef_name
• dynamic-only: Dynamic Ruledef—Predefined ruledef that can be enabled/disabled by the policy server, and is disabled by default.
• static-and-dynamic: Static and Dynamic Ruledef—Predefined ruledef that can be enabled/disabled by the policy server, and is enabled by default.
• access-ruledef ruledef_name: Specifies the access ruledef name. ruledef_name must be an alpha and/or numeric string of 1 through 63 characters in length.
trigger open-port { port_number | range start_port to end_port } direction { both | reverse | same }
• port_number: Specifies the auxiliary port number to open for traffic, and must be an integer from 1 through 65535.
• range start_port to end_port: Specifies a range of auxiliary port numbers to open for traffic.
• start_port must be an integer from 1 through 65535.
• end_port must be an integer from 1 through 65535, and must be greater than start_port.
• direction { both | reverse | same }: Specifies the direction from which the auxiliary connection is initiated. This direction can be same as the direction of control connection, or the reverse of the control connection direction, or in both directions.
• both: Provides the trigger to open port for traffic in either direction of the control connection.
• reverse: Provides the trigger to open port for traffic in the reverse direction of the control connection (from where the connection is initiated).
• same: Provides the trigger to open port for traffic in the same direction of the control connection (from where the connection is initiated).
• Access ruledef matching is done. If a rule matches, the packet is allowed or dropped as per the access-rule priority configuration.
• If no access ruledef matches, the packet is allowed or dropped as per the access-rule no-ruledef-matches configuration.
For a packet dropped due to access ruledef match or no match (first packet of a flow), the charging action applied is the one configured in the access-rule priority or the access-rule no-ruledef-matches command respectively.
For action on packets dropped due to any error condition after the data session is created, the charging action must be configured in the flow any-error charging-action command in the Rulebase Configuration Mode.
For Stateful Firewall, the following command assigns a priority of 10 to the access ruledef test_rule, adds it to the policy, and permits port trigger to be used for the rule to open ports in the range of 1000 to 2000 in either direction of the control connection:
access-rule priority 10 access-ruledef test_rule permit trigger open-port range 1000 to 2000 direction both
Important: In StarOS 8.0, this configuration is available in the ACS Configuration Mode. In StarOS 8.1, for Rulebase-based Stateful Firewall configuration, this configuration is available in the Rulebase Configuration Mode. In StarOS 8.3, this configuration is available in the Rulebase Configuration Mode.
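An added model (not StarOS code) of the evaluation order the usage guidelines above describe: rules are tried in ascending priority order (assumed; the page states only that priorities are unique), a dynamic-only ruledef is skipped until the policy server enables it, and the per-direction no-ruledef-matches action decides packets that match nothing. The packet representation (a dict with direction and dport), the predicate standing in for a ruledef's match clauses, and the helper names are assumptions made for the illustration.

```python
# Added model of the documented access-rule evaluation; not StarOS code.
# Assumed simplified packet: {"direction": "uplink"|"downlink", "dport": int}.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

OPPOSITE = {"uplink": "downlink", "downlink": "uplink"}

@dataclass
class AccessRule:
    priority: int                          # 1..65535, unique within the policy
    ruledef: str                           # access-ruledef name
    match: Callable[[dict], bool]          # stands in for the ruledef's match clauses
    action: str                            # "permit" or "deny"
    dynamic_only: bool = False             # dynamic-only: off until the policy server enables it
    charging_action: Optional[str] = None  # deny [ charging-action charging_action ]
    trigger: Optional[Tuple[int, int, str]] = None  # (start_port, end_port, direction)

@dataclass
class FirewallNatPolicy:
    rules: Dict[int, AccessRule] = field(default_factory=dict)
    # access-rule no-ruledef-matches { downlink | uplink } action { deny | permit }
    no_match: Dict[str, str] = field(
        default_factory=lambda: {"uplink": "deny", "downlink": "deny"})
    enabled_dynamic: Set[str] = field(default_factory=set)  # ruledefs the policy server enabled

    def add_rule(self, rule: AccessRule) -> None:
        if not 1 <= rule.priority <= 65535 or rule.priority in self.rules:
            raise ValueError("priority must be 1..65535 and unique per policy")
        self.rules[rule.priority] = rule

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int], Optional[str]]:
        """First packet of a flow -> (action, matched priority or None, charging action)."""
        for prio in sorted(self.rules):   # ascending priority value (assumed ordering)
            rule = self.rules[prio]
            if rule.dynamic_only and rule.ruledef not in self.enabled_dynamic:
                continue                   # dynamic-only ruledef is disabled by default
            if rule.match(pkt):
                return rule.action, prio, rule.charging_action
        # no ruledef matched: the per-direction no-ruledef-matches action applies
        return self.no_match[pkt["direction"]], None, None

def pinhole_directions(trigger: Tuple[int, int, str], control_dir: str) -> Set[str]:
    """Directions in which trigger open-port admits the auxiliary connection."""
    start, end, direction = trigger
    if not (1 <= start <= 65535 and start < end <= 65535):
        raise ValueError("end_port must be greater than start_port, both 1..65535")
    return {"both": {"uplink", "downlink"},
            "same": {control_dir},
            "reverse": {OPPOSITE[control_dir]}}[direction]
```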
• icmp: Enables protection against ICMP Flood attack
• tcp-syn: Enables protection against TCP Syn Flood attack
• udp: Enables protection against UDP Flood attack
Important: In StarOS 8.0, this configuration is available in the ACS Configuration Mode. In StarOS 8.1, for Rulebase-based Stateful Firewall configuration, this configuration is available in the Rulebase Configuration Mode. In StarOS 8.3, this configuration is available in the Rulebase Configuration Mode.
firewall flooding { { protocol { icmp | tcp-syn | udp } packet limit packets } | sampling-interval interval }
• icmp: Configuration for ICMP protocol.
• tcp-syn: Configuration for TCP-SYN packet limit.
• udp: Configuration for UDP protocol.
packet limit packets
packets must be an integer from 1 through 4294967295.
sampling-interval interval
interval must be an integer from 1 through 60.
Default: drop
Important: In StarOS 8.0, this configuration is available in the ACS Configuration Mode. In StarOS 8.1, for Rulebase-based Stateful Firewall configuration, this configuration is available in the Rulebase Configuration Mode. In StarOS 8.3, this configuration is available in the Rulebase Configuration Mode.
Specifies the threshold on the number of ICMP error messages sent by the subscriber for a particular data flow. messages must be an integer from 1 through 100.
firewall icmp-destination-unreachable-message-threshold 10 then-block-server
Default: Enabled. Same as firewall icmp-fsm.
Default: permit
Default: permit
Important: In StarOS 8.0, this configuration is available in the ACS Configuration Mode. In StarOS 8.1, for Rulebase-based Stateful Firewall configuration, this configuration is available in the Rulebase Configuration Mode. In StarOS 8.3, this configuration is available in the Rulebase Configuration Mode.
packet_size must be an integer from 30000 through 65535.
• icmp: Configuration for ICMP protocol.
• non-icmp: Configuration for protocols other than ICMP.
The following command allows a maximum packet size of 60000 for ICMP protocol:
firewall max-ip-packet-size 60000 protocol icmp
Important: In StarOS 8.0, this configuration is available in the ACS Configuration Mode. In StarOS 8.1, for Rulebase-based Stateful Firewall configuration, this configuration is available in the Rulebase Configuration Mode. In StarOS 8.3, this configuration is available in the Rulebase Configuration Mode.
http-headers-limit max_limit
max_limit must be an integer from 1 through 256.
max-http-header-field-size max_size
max_size must be an integer from 1 through 8192.
This command is only effective if Stateful Firewall DoS protection for MIME flood attacks has been enabled using the firewall dos-protection mime-flood command, and the route command has been configured to send HTTP packets to the HTTP analyzer.
Important: In StarOS 8.0, this configuration is available in the ACS Configuration Mode. In StarOS 8.1, for Rulebase-based Stateful Firewall configuration, this configuration is available in the Rulebase Configuration Mode. In StarOS 8.3, this configuration is available in the Rulebase Configuration Mode.
Default: drop
Default: drop
Default: firewall tcp-fsm first-packet-non-syn drop
• drop: Specifies to drop the packet.
• permit: Specifies to permit the packet.
• send-reset: Specifies to drop the packet and send TCP RST.
Default: drop
Default: reset
drop: Drops the session.
reset: Sends TCP RST. When configured to reset, the session is dropped, and the system can avoid packets arriving for the idle flow from getting dropped.
Default: permit
messages must be an integer from 1 through 100.
firewall tcp-reset-message-threshold 10 then-block-server
Important: In StarOS 8.0, this configuration is available in the ACS Configuration Mode. In StarOS 8.1, for Rulebase-based Stateful Firewall configuration, this configuration is available in the Rulebase Configuration Mode. In StarOS 8.3, this configuration is available in the Rulebase Configuration Mode.
firewall tcp-syn-flood-intercept { mode { none | watch [ aggressive ] } | watch-timeout intercept_watch_timeout }
• none: Disables the TCP SYN Flood Intercept feature.
• watch: Configures TCP SYN flood intercept feature in watch mode. The Stateful Firewall passively watches to see if TCP connections become established within a configurable interval. If connections are not established within the timeout period, the Stateful Firewall clears the half-open connections by sending RST to TCP client and server. The default watch-timeout for connection establishment is 30 seconds.
• aggressive: Configures TCP SYN flood Intercept or Watch feature for aggressive behavior. Each new connection request causes the oldest incomplete connection to be deleted. When operating in watch mode, the watch timeout is reduced by half. If the watch-timeout is 30 seconds, under aggressive conditions it becomes 15 seconds. When operating in intercept mode, the retransmit timeout is reduced by half (i.e. if the timeout is 60 seconds, it is reduced to 30 seconds). Thus the amount of time waiting for connections to be established is reduced by half (i.e. it is reduced to 150 seconds from 300 seconds under aggressive conditions).
Default: none
watch-timeout intercept_watch_timeout
intercept_watch_timeout must be an integer from 5 through 30.
This command configures Stateful Firewall action on TCP SYN packets with either ECN or CWR flag set.
Default: permit
Default: drop
Default: Disabled. Same as no firewall validate-ip-options
Default: port-chunk-release
edr-format edr_format
edr_format must be an alpha and/or numeric string of 1 through 63 characters in length.
The following command configures an EDR format named test123 and specifies generating NAT Binding Records when a port chunk is allocated:
nat binding-record edr-format test123 port-chunk-allocation
default-nat-realm nat_realm_name
nat_realm_name must be the name of an existing NAT realm, and must be an alpha and/or numeric string of 1 through 31 characters in length.
In StarOS 8.1, to enable NAT support for a subscriber, Stateful Firewall must also be enabled for that subscriber. See the firewall policy CLI command.
Once NAT is enabled for a subscriber, the NAT IP address to be used is chosen from the NAT realms specified in the rules. See the access-rule CLI command.
nat private-ip-flow-timeout timeout
timeout must be an integer from 180 through 86400.
This command suppresses sending NAT Bind Update (NBU) to the AAA server when PPP disconnect happens.
Cisco Systems Inc. Tel: 408-526-4000 Fax: 408-527-0883