g_fwaccel dos whitelist

Description

Configures the whitelist for source IP addresses in the SecureXL Penalty Box.

This whitelist overrides which packet the SecureXL Penalty Box drops.

Notes:

This command is similar to the g_fwaccel dos pbox whitelist command.
This command supports only IPv4.
You must run these commands on a single Security Group member in the Expert mode:
g_fwaccel dos whitelist ...
On VSX Gateway, first go to the context of an applicable Virtual System.
In Expert mode, run: vsenv <VSID>
This whitelist overrides entries in the blacklist. Before you use a 3rd-party or automatic blacklists, add trusted networks and hosts to the whitelist to avoid outages.
This whitelist unblocks IP Options and IP fragments from trusted sources when you explicitly configure one these SecureXL features:
- --enable-drop-opts
- --enable-drop-frags
See the 'g_fwaccel dos config' and 'g_fwaccel6 dos config' command.
To whitelist the Rate Limiting policy, refer to the bypass action of the g_fw sam_policy command. For example, g_fw samp -a b ...
For more information about the fw sam_policy command, see the R80.30SP Performance Tuning Administration Guide - Section Rate Limiting for DoS Mitigation - Section 'g_fw sam_policy' and 'g_fw6 sam_policy'.

Also, see the fwaccel synatk whitelist command.

Syntax for IPv4

g_fwaccel [-i <SecureXL ID>] dos whitelist

-a <IPv4 Address>[/<Subnet Prefix>]

-d <IPv4 Address>[/<Subnet Prefix>]

-F

-l /<Path>/<Name of File>

-L

-s

Parameters

Parameter	Description
`-i <`SecureXL ID`>`	Specifies the SecureXL instance ID (for IPv4 only).
No Parameters	Shows the applicable built-in usage.
`-a <`IPv4 Address`>[/<`Subnet Prefix`>]`	Adds the specified IP address to the Penalty Box whitelist. `<`IPv4 Address`>` - Can be an IPv4 address of a network or a host. `<`Subnet Prefix`>` - Must specify the length of the subnet mask in the format `/<bits>`. Optional for a host IPv4 address. Mandatory for a network IPv4 address. Range - from /1 to /32. Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32. Examples: For a host: `192.168.20.30` `192.168.20.30/32` For a network: `192.168.20.0/24`
`-d <`IPv4 Address`>[/<`Subnet Prefix`>]`	Removes the specified IPv4 address from the Penalty Box whitelist. `<`IPv4 Address`>` - Can be an IPv4 address of a network or a host. `<`Subnet Prefix`>` - Optional. Must specify the length of the subnet mask in the format `/<bits>`. Optional for a host IPv4 address. Mandatory for a network IPv4 address. Range - from /1 to /32. Important - If you do not specify the subnet prefix explicitly, this command uses the subnet prefix /32.
`-F`	Removes (flushes) all entries from the Penalty Box whitelist.
`-l /<`Path`>/<`Name of File`>`	Loads the Penalty Box whitelist entries from the specified plain-text file. Note - To replace the current whitelist with the contents of a new file, use both the `-F` and `-l` parameters on the same command line. Important: You must manually create and configure this file with the `touch` or `vi` command. You must assign at least the read permission to this file with the `chmod +x` command. Each entry in this file must be on a separate line. Each entry in this file must be in this format: `<`IPv4 Address`>[/<`Subnet Prefix`>]` SecureXL ignores empty lines and lines that start with the # character in this file.
`-L`	Loads the Penalty Box whitelist entries from the plain-text file with a predefined name: `$FWDIR/conf/pbox-whitelist-v4.conf` Security Group automatically runs this command `g_fwaccel dos pbox whitelist -L` during each boot. Note - To replace the current whitelist with the contents of a new file, use both the `-F` and `-L` parameters on the same command line. Important: This file does not exist by default. You must manually create and configure this file with the `touch` or `vi` command. You must assign at least the read permission to this file with the `chmod +x` command.. Each entry in this file must be on a separate line. Each entry in this file must be in this format: `<`IPv4 Address`>[/<`Subnet Prefix`>]` SecureXL ignores empty lines and lines that start with the # character in this file.
`-s`	Shows the current Penalty Box whitelist entries.

Example - Adding a host IP address without optional subnet prefix

[Expert@HostName-ch0x-0x:0]# g_fwaccel dos whitelist -a 192.168.20.40

[Expert@HostName-ch0x-0x:0]#

[Expert@HostName-ch0x-0x:0]# g_fwaccel dos whitelist -s

192.168.20.40/32

[Expert@HostName-ch0x-0x:0]#

[Expert@HostName-ch0x-0x:0]# g_fwaccel dos whitelist -F

[Expert@HostName-ch0x-0x:0]# g_fwaccel dos whitelist -s

[Expert@HostName-ch0x-0x:0]#

Example - Adding a host IP address with optional subnet prefix

[Expert@HostName-ch0x-0x:0]# g_fwaccel dos whitelist -a 192.168.20.40/32

[Expert@HostName-ch0x-0x:0]#

[Expert@HostName-ch0x-0x:0]# g_fwaccel dos whitelist -s

192.168.20.40/32

[Expert@HostName-ch0x-0x:0]#

[Expert@HostName-ch0x-0x:0]# g_fwaccel dos whitelist -F

[Expert@HostName-ch0x-0x:0]# g_fwaccel dos whitelist -s

[Expert@HostName-ch0x-0x:0]#

Example - Adding a network IP address with mandatory subnet prefix

[Expert@HostName-ch0x-0x:0]# g_fwaccel dos whitelist -a 192.168.20.0/24

[Expert@HostName-ch0x-0x:0]#

[Expert@HostName-ch0x-0x:0]# g_fwaccel dos whitelist -s

192.168.20.0/24

[Expert@HostName-ch0x-0x:0]#

[Expert@HostName-ch0x-0x:0]# g_fwaccel dos whitelist -F

[Expert@HostName-ch0x-0x:0]# g_fwaccel dos whitelist -s

[Expert@HostName-ch0x-0x:0]#

Example - Deleting an entry

[Expert@HostName-ch0x-0x:0]# g_fwaccel dos whitelist -a 192.168.20.40/32

[Expert@HostName-ch0x-0x:0]#

[Expert@HostName-ch0x-0x:0]# g_fwaccel dos whitelist -a 192.168.20.70/32

[Expert@HostName-ch0x-0x:0]#

[Expert@HostName-ch0x-0x:0]# g_fwaccel dos whitelist -s

192.168.20.40/32

192.168.20.70/32

[Expert@HostName-ch0x-0x:0]# g_fwaccel dos whitelist -d 192.168.20.70/32

[Expert@HostName-ch0x-0x:0]#

[Expert@HostName-ch0x-0x:0]# g_fwaccel dos whitelist -s

192.168.20.40/32

[Expert@HostName-ch0x-0x:0]#