Fast Packet Drop
Fast Packet Drop can be used in situations, such as a DoS attack, to drop unwanted packets as early as possible in the packet processing path. This makes the gateway’s resources available to process legitimate traffic. The Rule Base is in a configuration file that defines which packets are dropped.
Syntax
> sim dropcfg -l
> sim dropcfg -f <file> [-y]
> sim dropcfg -r [-y]
> sim dropcfg -h
Parameter
|
Description
|
-l
|
Show current configuration
|
-f <file>
|
Set configuration file name
|
-r
|
Reset drop rules
|
-y
|
Do not require confirmation
|
-h
|
Show usage information
|
To configure Fast Packet Drop:
- Create the Rule Base configuration file (see details below)
- Copy the configuration file to all SGMs:
# asg_cp2blades <file_path> - Apply Fast Packet Drop:
# sim dropcfg –f <conf_file>
The Rule Base configuration is specified using –f. It contains drop rules. Each line must contain one rule.
Each rule line must contain one or more of these parameters:
Parameter
|
Description
|
src <src_ip>/<subnet>
|
Source IP address and subnet. Subnet is optional
|
dst <dst_ip>/<subnet>
|
Destination IP address and subnet. Subnet is optional
|
dport <dst_port>
|
Destination port.
|
proto <ip_proto>
|
IP Protocol (e.g. TCP=6,UDP=17,ICMP=1)
|
Example Configuration File
src 1.1.1.1
dport 80 proto 6
src 1.1.1.0/24 dst 2.2.0.0/16 dport 53 proto 17
To make sure Fast Packet Drop rules are enforced:
> sim dropcfg –l
The output shows list of active drop rules:
Drop rules (Match after conn lookup):
Source Destination DPort PR
------------------ ------------------ ----- ---
1.1.1.1/32 * * *
* * 80 6
1.1.1.0/24 2.2.0.0/16 53 17
To disable Fast Packet Drop:
Run:
> sim dropcfg -r
Notes:
- If subnet is not specified, one IP address is used.
- Use
* to specify 'Any'. It is the same as not specifying the parameter. - Use
# at the start of the line to add comments. - Empty lines are ignored.
|
