fwaccel dos deny

In the R81.10.X releases, this command is available starting from R81.10.15 JHF (Build B996004039) and from R81.10.17.

Description

The "fwaccel dos deny" and "fwaccel6 dos deny" commands control the IP deny-list in SecureXL.

The deny-list blocks all traffic to and from the specified IP addresses.

The deny-list drops occur in SecureXL, which is more efficient than dropping the packets with an Access Control Policy rule.

Important:

  • In a Cluster, you must configure all the Cluster Members in the same way.

  • To enforce the IP deny-list in SecureXL, you must first enable the IP deny-lists.

    See fwaccel dos config.

Syntax for IPv4

fwaccel dos deny
      -a <IPv4 Address>
      -d <IPv4 Address>
      -F
      -L
      -l /<Path>/<Name of File>
      -M {on | off}
      -m
      -N "<Name of IP Deny-list>"
      -n
      -R {on | off}
      -r
      -s

Syntax for IPv6

fwaccel6 dos deny
      -a <IPv6 Address>
      -d <IPv6 Address>
      -F
      -L
      -l /<Path>/<Name of File>
      -M {on | off}
      -m
      -N "<Name of IP Deny-list>"
      -n
      -R {on | off}
      -r
      -s

Parameters

Parameter

Description

No Parameters

Shows the applicable built-in usage.

-a <IP Address>

Adds the specified IP address to the deny-list.

To add more than one IP address, run this command for each applicable IP address.

-d <IP Address>

Removes the specified IP address from the deny-list.

To remove more than one IP address, run this command for each applicable IP address.

-F

Removes (flushes) all IP addresses from the IP deny-list.

-L

Loads the IP addresses from all files in the $FWDIR/conf/deny_lists/ directory into the deny-list.

-l /<Path>/<Name of File>

Loads the IP addresses from the specified file into the deny-list.

-M {on | off}

Enables (on) or disables (off) the monitor-only mode for the IP deny-list.

By default, this feature is disabled.

In the monitor-only mode you can test the IP deny-list without blocking the traffic.

This setting affects only the IP deny-list (it does not affect the fw samp rules or other blocking mechanisms).

-m

Shows the current status of the monitor-only mode for the IP deny-list (enabled or disabled).

-N "<Name of IP Deny-list>"

Configures the name for the IP deny-list.

This name appears in the Security Gateway logs.

Notes:

  • The default name is "Deny List".

  • The maximum length is 79 characters.

  • Use ASCII characters only.

-n

Shows the configured name for the IP deny-list.

-R {on | off}

Enables (on) or disables (off) the sending of the TCP [RST] packet for blocked TCP connections.

By default, this feature is disabled.

-r

Shows the current configuration for sending the TCP [RST] packet for blocked TCP connections.

-s

Shows the configured deny-list.

Example

[Expert@MyGW]# fwaccel dos deny -s
Table dos_deny_list_ips is empty
[Expert@MyGW]#
[Expert@MyGW]# fwaccel dos deny -a 1.1.1.1
Adding 1.1.1.1
1 IPv4 addresses loaded
[Expert@MyGW]#
[Expert@MyGW]# fwaccel dos deny -s
Deny List 31:
        1.1.1.1
[Expert@MyGW]# fwaccel dos deny -a 2.2.2.2
Adding 2.2.2.2
1 IPv4 addresses loaded
[Expert@MyGW]#
[Expert@MyGW]# fwaccel dos deny -s
Deny List 31:
        1.1.1.1
        2.2.2.2
[Expert@MyGW]#
[Expert@MyGW]# fwaccel dos deny -d 2.2.2.2
Deleting 2.2.2.2
[Expert@MyGW]#
[Expert@MyGW]# fwaccel dos deny -s
Deny List 31:
        1.1.1.1
[Expert@MyGW]#
[Expert@MyGW]# fwaccel dos deny -F
All deny list entries deleted
[Expert@MyGW]#
[Expert@MyGW]# fwaccel dos deny -s
Table dos_deny_list_ips is empty
[Expert@MyGW]#
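Because every Cluster Member must carry the same deny-list, a quick consistency check is useful. The following Python script is an added example, not part of the Check Point documentation: it parses the output of "fwaccel dos deny -s" in the format shown in the example above (the "Deny List <number>:" header, one indented address per line, or the "Table ... is empty" message), reports entries that are not present on every member, and generates the -a / -d commands that bring a member back in line. The member outputs embedded in it are constructed samples.

```python
from __future__ import annotations
import ipaddress
import re

# Header printed by "fwaccel dos deny -s", e.g. "Deny List 31:" (name set by -N)
HEADER_RE = re.compile(r"^\S.*\s\d+:$")
EMPTY_RE = re.compile(r"^Table \S+ is empty$")

def parse_deny_list(output: str) -> set[str]:
    """IPs listed by 'fwaccel dos deny -s' (prompt echoes skipped, "Table ...
    is empty" gives an empty set, indented lines validated as IP addresses)."""
    entries = set()
    in_list = False
    for raw in output.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("[Expert@"):
            continue
        if EMPTY_RE.match(line):
            return set()
        if HEADER_RE.match(line):
            in_list = True
            continue
        if in_list and line[0].isspace():
            # ip_address() raises ValueError on anything that is not an address
            entries.add(str(ipaddress.ip_address(line.strip())))
    return entries

def reconcile(current: set[str], desired: set[str]) -> list[str]:
    """Commands that bring one member's deny-list from 'current' to 'desired'
    (IPv4 entries via 'fwaccel dos deny', IPv6 entries via 'fwaccel6 dos deny')."""
    def cmd(flag: str, ip: str) -> str:
        tool = "fwaccel" if ipaddress.ip_address(ip).version == 4 else "fwaccel6"
        return f"{tool} dos deny {flag} {ip}"
    def key(ip: str):  # sort IPv4 before IPv6, then numerically
        addr = ipaddress.ip_address(ip)
        return (addr.version, addr)
    return ([cmd("-a", ip) for ip in sorted(desired - current, key=key)]
            + [cmd("-d", ip) for ip in sorted(current - desired, key=key)])

def cluster_drift(outputs: dict[str, str]) -> dict[str, set[str]]:
    """Per cluster member, the entries that are not present on every member."""
    parsed = {member: parse_deny_list(out) for member, out in outputs.items()}
    common = set.intersection(*parsed.values()) if parsed else set()
    return {m: s - common for m, s in parsed.items() if s - common}

# Constructed sample "-s" output from two cluster members (not from a real gateway).
SAMPLE_OUTPUTS = {
    "MemberA": "Deny List 31:\n        1.1.1.1\n        2.2.2.2\n",
    "MemberB": "[Expert@MyGW]# fwaccel dos deny -s\nDeny List 31:\n        1.1.1.1\n",
}
```

Feed each member's real "-s" output into cluster_drift() to see which entries differ, then run the commands returned by reconcile() on the member that is out of sync.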