3COM 4007交换机ICMP包过滤配置办法.docx
《3COM 4007交换机ICMP包过滤配置办法.docx》由会员分享,可在线阅读,更多相关《3COM 4007交换机ICMP包过滤配置办法.docx(29页珍藏版)》请在冰点文库上搜索。
3COM4007交换机ICMP包过滤配置办法
3COM4007/CB9000交换机包过滤配置办法
一.telnet到交换机;沿下图所示进入packetFilter
二.有三种方法可以创建Packetfilter
nASCIITextEditor
nBuilt-inLineEditor
nWebManagementFilterBuilderTool
1用NotePad创建packetfilter
具体操作如下:
name"noicmp"//filtername
pushField.w12//找到包类型的位置
pushLiteral.w0x0800//包类型是否为IPtype
ne
accept
pushField.b23//找到协议类型位置
pushLiteral.b0x01//是否为ICMP协议
ne
将文件存为*.fil的文件。
PacketFilteringLanguage的具体说明
Opcode
MemoryRequirements
Description
name“”
2+nbytes,
wherenisthelength
ofthe
Assignsauser-definedtothepacketfilter.
ThenamemaybeanysequenceofASCIIcharacters
otherthanquotationmarks.Thenameislimitedto32
characters.Youcanincludeonlyasinglename
statementineachpacketfilterprogram.
pushField.size
3bytes
Pushesafieldfromthetargetpacketontothestack.
Packetdatastartingatiscopiedontothe
stack.Themostsignificantbyteofthefieldisthebyte
atthespecifiedoffset.Thesizefieldoftheinstruction
determinesthenumberofbytespushed.ThepushField
instructionprovidesdirectaccesstoany1,2,4,or6
byte(.b,.w,.l,or.a)fieldcontainedwithinthefirst64
bytesofthetargetpacket.
Specifytheoffsetasanoctal,decimal,orhexadecimal
number.
nPrecedeanoctalnumberbya“0”.
nPrecedeahexadecimalnumberbyeither“0x”or
“0X”.
nUseeitherupperorlowercaselettersforthe
hexadecimaldigits“a”through“f”.
pushLiteral.size
1(.b)
2(.w)
4(.l)
6(.a)bytes
dependingonthe
sizeof
plus1bytefora
totalof2,3,5,or7
bytes
Pushesaliteralconstantontothestack.The
mostsignificantbyteoftheisthefirstbyteof
theliteral.Bytesarecopieddirectlyfromtheoperand
ontothestack.Thesizefieldoftheinstruction
determinesnumberofbytespushed.
Specifythevalueaseitheranoctal,decimal,or
hexadecimalnumber.
nPrecedeanoctalnumberbya“0”.
nPrecedeahexadecimalnumberbyeither“0x”or
“0X”.
nUseeitherupperorlowercaselettersforthe
hexadecimaldigits“a”through“f”.
pushTop
1bytes
Pushesthecurrenttopofthestackontothestack(that
is,itreadsthetopofthestackandpushesthevalue
ontothestack,whicheffectivelyduplicatestheitem
currentlyontopofthestack).Thesizeofthecontents
ofthestackdeterminesthesizeofthepush.
UsepushTopforeachadditionalcomparisonyou
intendtomakewiththecurrenttopofthestack.The
pushTopinstructionmakesacopyofthefieldmore
efficientlythanifyouuseasecondpushField
instruction.
Ifyouarewritingafilterthatisgoingtocheckthe
sameoffsetmorethanonce,suchascheckingthe
Ethernettypefieldtofiltermultipleprotocols,usethe
followingguidelines.Assumethatyouwanttofilter
DECLAT,IP,andARPtrafficonaport.
pushLiteral.size
1(.b)
2(.w)
4(.l)
6(.a)bytes
dependingonthe
sizeof
plus1bytefora
totalof2,3,5,or7
bytes
Pushesaliteralconstantontothestack.The
mostsignificantbyteoftheisthefirstbyteof
theliteral.Bytesarecopieddirectlyfromtheoperand
ontothestack.Thesizefieldoftheinstruction
determinesnumberofbytespushed.
Specifythevalueaseitheranoctal,decimal,or
hexadecimalnumber.
nPrecedeanoctalnumberbya“0”.
nPrecedeahexadecimalnumberbyeither“0x”or
“0X”.
nUseeitherupperorlowercaselettersforthe
hexadecimaldigits“a”through“f”.
pushTop
1byte
Pushesthecurrenttopofthestackontothestack(that
is,itreadsthetopofthestackandpushesthevalue
ontothestack,whicheffectivelyduplicatestheitem
currentlyontopofthestack).Thesizeofthecontents
ofthestackdeterminesthesizeofthepush.
UsepushTopforeachadditionalcomparisonyou
intendtomakewiththecurrenttopofthestack.The
pushTopinstructionmakesacopyofthefieldmore
efficientlythanifyouuseasecondpushField
instruction.
Ifyouarewritingafilterthatisgoingtocheckthe
sameoffsetmorethanonce,suchascheckingthe
Ethernettypefieldtofiltermultipleprotocols,usethe
followingguidelines.Assumethatyouwanttofilter
DECLAT,IP,andARPtrafficonaport.
pushTop(continued)
1byte
RatherthanusemultiplepushField.w12
commandstolookatthe12thoffsetwherethe
Ethernettypefieldresides,usemultiplepushTop
commands,asshownhere:
OriginalFilter:
pushField.w12
pushLiteral.w0x6004
eq
reject
pushField.w12
pushLiteral.w0x0800
eq
reject
pushField.w12
pushLiteral.w0x0806
ne
ShortenedFilter:
PushField.w12
pushTop
pushTop
pushLiteral.w0x6004
eq
reject
pushLiteral.w0x0800
eq
reject
pushLiteral.w0x0806
ne
pushSPGM
1byte
Pushesthesourceportgroupmask(SPGM)ontothe
topofthestack.TheSPGMisabitmaprepresenting
thegroupstowhichthesourceportofapacket
belongs.Thisinstructionpushes4bytesontothe
stack.
Eachportgroupmaskisrepresentedbyasinglebitin
theSPGMbitmap.Portgroupmasksareassignedto
thebitmapinsequence,startingwithportgroupmask
1astheleastsignificantbitthroughportgroupmask
32asthemostsignificantbit.
UsepushSPGMtofilterbyportgroups.See“Using
PortGroupsinCustomPacketFilters”formore
information.
pushDPGM
1byte
Pushesthedestinationportgroupmask(DPGM)onto
thetopofthestack.TheDPGMisabitmap
representingthegroupstowhichthedestinationport
ofapacketbelongs.Pushes4bytesontothestack.
Eachportgroupmaskisrepresentedbyasinglebitin
theDPGMbitmap.Portgroupmasksareassignedto
thebitmapinsequence,startingwithportgroupmask
1astheleastsignificantbitthroughportgroupmask
32asthemostsignificantbit.
UsepushDPGMtofilterbyportgroups.See“Using
PortGroupsinCustomPacketFilters”formore
information.
eq(equal)
1byte
Popstwovaluesfromthestackandcomparesthem.If
theyareequal,abytecontainingthenon-zerovalueis
pushedontothestack;otherwise,abytecontaining0
ispushed.Thecontentsofthestackdeterminesthe
sizeoftheoperands.
ne(notequal)
1byte
Popstwovaluesfromthestackandcomparesthem.If
theyarenotequal,abytecontainingthenon-zero
valueispushedontothestack;otherwise,abyte
containing0ispushed.Thesizeoftheoperandsis
determinedbythecontentsofthestack.
lt(lessthan)
1byte
Popstwovaluesfromthestackandperformsan
unsignedcomparison.Ifthefirstislessthanthe
second,abytecontainingthenon-zerovalueispushed
ontothestack;otherwise,abytecontaining0is
pushed.Thecontentsofthestackdeterminethesize
oftheoperands.
le(lessthanorequal
to)
1byte
Popstwovaluesfromthestackandperformsan
unsignedcomparison.Ifthefirstislessthanorequalto
thesecond,abytecontainingthenon-zerovalueis
pushedontothestack;otherwise,abytecontaining0
ispushed.Thecontentsofthestackdeterminethesize
oftheoperands.
gt(greaterthan)
1byte
Popstwovaluesfromthestackandperformsan
unsignedcomparison.Ifthefirstisgreaterthanthe
second,abytecontainingthenon-zerovalueispushed
ontothestack;otherwise,abytecontaining0is
pushed.Thecontentsofthestackdeterminesizeof
theoperands.
ge(greaterthanor
equalto)
1byte
Popstwovaluesfromthestackandperformsan
unsignedcomparison.Ifthefirstisgreaterthanor
equaltothesecond,abytecontainingthenon-zero
valueispushedontothestack;otherwise,abyte
containing0ispushed.Thecontentsofthestack
determinethesizeoftheoperands.
and(bit-wiseAND)
1byte
Popstwovaluesfromthestackandpushesthebit-wise
ANDofthesevaluesbackontothestack.Thecontents
ofthestackdeterminethesizeoftheoperandsandthe
result.
Thisisabit-wiseoperator.Eachbitoftheoperandsis
logicallycomparedtoproducetheresultingbit
or(bit-wiseOR)
1byte
Popstwovaluesfromthestackandpushesthebit-wise
ORofthesevaluesbackontothestack.Thecontents
ofthestackdeterminetheoperandsizeandtheresult.
Thisisabit-wiseoperator.Eachbitoftheoperandsis
logicallycomparedtoproducetheresultingbit
xor(bit-wise
exclusive-OR)
1byte
Popstwovaluesfromthestackandpushesthebit-wise
exclusive-ORofthesevaluesbackontothestack.The
contentsofthestackdeterminestheoperandsizeand
theresult.
Thisisabit-wiseoperator.Eachbitoftheoperandsis
logicallycomparedtoproducetheresultingbit
not
1byte
Popsabytefromthestack;ifitsvalueisnon-zero,a
bytecontaining0ispushedbackontothestack.
Otherwise,abytecontainingthevalueispushedback
ontothestack.
accept
1byte
Conditionallyacceptsthepacketthatisbeing
examined.Popsabytefromthestack.Ifitsvalueis
non-zero,thepacketisacceptedandevaluationofthe
filterendsimmediately;otherwise,filterevaluation
continueswiththenextinstruction.
Useacceptwithandandoroperatorswhenyou
havesequentialtestsandyouwouldlikethefilterto
acceptapacketbeforetheentireexpressionhasbeen
evaluated.Usingacceptcansignificantlyimprovethe
performanceofcertaintypesoffilters.See
“ImplementingSequentialTestsinaPacketFilter”
elsewhereinthechapterformoreinformation.
reject
1byte
Conditionallyrejectsthepacketbeingexamined.Pops
abytefromthestack.Ifitsvalueisnon-zero,the
packetisrejectedandfilterevaluationends
immediately;otherwise,thefilterevaluationcontinues
withthenextinstruction.
Userejectwithandandoroperatorswhenyou
havesequentialtestsandyouwouldlikethef
升级会员 