fwaccel dos deny

In the R82.00.X releases, this command is available starting from the R82.00.00 version.

Description

The "fwaccel dos deny" and "fwaccel6 dos deny" commands control the IP deny-list in SecureXL.

The deny-list blocks all traffic to and from the specified IP addresses.

The deny-list drops occur in SecureXL, which is more efficient than dropping the packets with the Access Control Policy.

Important:

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • To enforce the IP deny-list in SecureXL, you must first enable the IP deny-lists.

    See fwaccel dos config.

Syntax for IPv4

fwaccel dos deny
      -a <IPv4 Address>
      -d <IPv4 Address>
      -F
      -L
      -l /<Path>/<Name of File>
      -M {on | off}
      -m
      -N "<Name of IP Deny-list>"
      -n
      -R {on | off}
      -r
      -s

Syntax for IPv6

fwaccel6 dos deny
      -a <IPv6 Address>
      -d <IPv6 Address>
      -F
      -L
      -l /<Path>/<Name of File>
      -M {on | off}
      -m
      -N "<Name of IP Deny-list>"
      -n
      -R {on | off}
      -r
      -s

Parameters

Parameter

Description

No Parameters

Shows the applicable built-in usage.

-a <IP Address>

Adds the specified IP address to the deny-list.

To add more than one IP address, run this command for each applicable IP address.

-d <IP Address>

Removes the specified IP address from the deny-list.

To remove more than one IP address, run this command for each applicable IP address.

-F

Removes (flushes) all IP addresses from the IP deny-list.

-L

Loads the IP addresses from all files in the $FWDIR/conf/deny_lists/ directory into the deny-list.

-l /<Path>/<Name of File>

Loads the IP addresses from the specified file into the deny-list.

-M {on | off}

Enables (on) or disables (off) the monitor-only mode for the IP deny-list.

By default, this feature is disabled.

In monitor-only mode, you can test the IP deny-list without blocking the traffic.

This command affects only the IP deny-list (does not affect the fw samp rules, etc.).

-m

Shows the current status of the monitor-only mode for the IP deny-list (enabled or disabled).

-N "<Name of IP Deny-list>"

Configures the name for the IP deny-list.

This name appears in the Security Gateway logs.

Notes:

  • The default name: "Deny List"

  • Maximum length is 79 characters.

  • Use only ASCII characters.

-n

Shows the configured name for the IP deny-list.

-R {on | off}

Enables (on) or disables (off) the sending of the TCP [RST] packet for blocked TCP connections.

By default, this feature is disabled.

-r

Shows the current configuration for sending the TCP [RST] packet for blocked TCP connections.

-s

Shows the configured deny-list.

Example

[Expert@MyGW]# fwaccel dos deny -s
Table dos_deny_list_ips is empty
[Expert@MyGW]#
[Expert@MyGW]# fwaccel dos deny -a 1.1.1.1
Adding 1.1.1.1
1 IPv4 addresses loaded
[Expert@MyGW]#
[Expert@MyGW]# fwaccel dos deny -s
Deny List 31:
        1.1.1.1
[Expert@MyGW]# fwaccel dos deny -a 2.2.2.2
Adding 2.2.2.2
1 IPv4 addresses loaded
[Expert@MyGW]#
[Expert@MyGW]# fwaccel dos deny -s
Deny List 31:
        1.1.1.1
        2.2.2.2
[Expert@MyGW]#
[Expert@MyGW]# fwaccel dos deny -d 2.2.2.2
Deleting 2.2.2.2
[Expert@MyGW]#
[Expert@MyGW]# fwaccel dos deny -s
Deny List 31:
        1.1.1.1
[Expert@MyGW]#
[Expert@MyGW]# fwaccel dos deny -F
All deny list entries deleted
[Expert@MyGW]#
[Expert@MyGW]# fwaccel dos deny -s
Table dos_deny_list_ips is empty
[Expert@MyGW]#
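The Important note above requires every Cluster Member to carry the same deny-list. The following script is an added example, not part of Check Point's documentation: it parses the "fwaccel dos deny -s" output in the layout shown in the Example (captured from each member) and reports which addresses each member is missing. The member names and sample output are constructed, and it assumes "fwaccel6 dos deny -s" prints IPv6 entries in the same layout.

```python
"""Parse `fwaccel dos deny -s` output and report deny-list drift between cluster members."""
import ipaddress
import re

# Constructed sample output from three hypothetical Cluster Members.
MEMBER_OUTPUT = {
    "MyGW-1": "Deny List 31:\n        1.1.1.1\n        2.2.2.2\n",
    "MyGW-2": "Deny List 31:\n        1.1.1.1\n",
    "MyGW-3": "Table dos_deny_list_ips is empty\n",
}

# Header line: the configured list name (default "Deny List") followed by a number and a colon.
HEADER_RE = re.compile(r"^(?P<name>.+?)\s+(?P<num>\d+):\s*$")
# Output printed when the deny-list holds no entries.
EMPTY_RE = re.compile(r"^Table \S+ is empty\s*$")


def parse_deny_list(output):
    """Return (list_name, set_of_addresses) from the text of `fwaccel dos deny -s`."""
    name = None
    addrs = set()
    for line in output.splitlines():
        if not line.strip():
            continue
        if line[0] in " \t":
            # Entry lines are indented; validate so garbled text never becomes an "entry".
            addrs.add(str(ipaddress.ip_address(line.strip())))
            continue
        if EMPTY_RE.match(line):
            return name, addrs
        header = HEADER_RE.match(line)
        if header:
            name = header.group("name")
            continue
        raise ValueError(f"unexpected line in deny-list output: {line!r}")
    return name, addrs


def deny_list_drift(member_output):
    """Map each member to the sorted addresses it lacks relative to the union of all members."""
    parsed = {member: parse_deny_list(text)[1] for member, text in member_output.items()}
    union = set().union(*parsed.values())
    return {member: sorted(union - addrs) for member, addrs in parsed.items()}


if __name__ == "__main__":
    for member, missing in deny_list_drift(MEMBER_OUTPUT).items():
        print(f"{member}: {'consistent' if not missing else 'missing ' + ', '.join(missing)}")
```

Any member reported as missing addresses must be brought in line with "fwaccel dos deny -a" (or "-l" with the same file) before the deny-list is relied on for the cluster.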