3COM 4007交换机ICMP包过滤配置办法.docx

3COM 4007交换机ICMP包过滤配置办法.docx

《3COM 4007交换机ICMP包过滤配置办法.docx》由会员分享，可在线阅读，更多相关《3COM 4007交换机ICMP包过滤配置办法.docx（29页珍藏版）》请在冰豆网上搜索。

3COM4007交换机ICMP包过滤配置办法

3COM4007/CB9000交换机包过滤配置办法

一.telnet到交换机；沿下图所示进入packetFilter

二．有三种方法可以创建Packetfilter

nASCIITextEditor

nBuilt-inLineEditor

nWebManagementFilterBuilderTool

1用NotePad创建packetfilter

具体操作如下：

name"noicmp"//filtername

pushField.w12//找到包类型的位置

pushLiteral.w0x0800//包类型是否为IPtype

ne

accept

pushField.b23//找到协议类型位置

pushLiteral.b0x01//是否为ICMP协议

ne

将文件存为*.fil的文件。

PacketFilteringLanguage的具体说明

Opcode

MemoryRequirements

Description

name“”

2+nbytes,

wherenisthelength

ofthe

Assignsauser-definedtothepacketfilter.

ThenamemaybeanysequenceofASCIIcharacters

otherthanquotationmarks.Thenameislimitedto32

characters.Youcanincludeonlyasinglename

statementineachpacketfilterprogram.

pushField.size

3bytes

Pushesafieldfromthetargetpacketontothestack.

Packetdatastartingatiscopiedontothe

stack.Themostsignificantbyteofthefieldisthebyte

atthespecifiedoffset.Thesizefieldoftheinstruction

determinesthenumberofbytespushed.ThepushField

instructionprovidesdirectaccesstoany1,2,4,or6

byte（.b,.w,.l,or.a）fieldcontainedwithinthefirst64

bytesofthetargetpacket.

Specifytheoffsetasanoctal,decimal,orhexadecimal

number.

nPrecedeanoctalnumberbya“0”.

nPrecedeahexadecimalnumberbyeither“0x”or

“0X”.

nUseeitherupperorlowercaselettersforthe

hexadecimaldigits“a”through“f”.

pushLiteral.size

1（.b）

2（.w）

4（.l）

6（.a）bytes

dependingonthe

sizeof

plus1bytefora

totalof2,3,5,or7

bytes

Pushesaliteralconstantontothestack.The

mostsignificantbyteoftheisthefirstbyteof

theliteral.Bytesarecopieddirectlyfromtheoperand

ontothestack.Thesizefieldoftheinstruction

determinesnumberofbytespushed.

Specifythevalueaseitheranoctal,decimal,or

hexadecimalnumber.

nPrecedeanoctalnumberbya“0”.

nPrecedeahexadecimalnumberbyeither“0x”or

“0X”.

nUseeitherupperorlowercaselettersforthe

hexadecimaldigits“a”through“f”.

pushTop

1bytes

Pushesthecurrenttopofthestackontothestack（that

is,itreadsthetopofthestackandpushesthevalue

ontothestack,whicheffectivelyduplicatestheitem

currentlyontopofthestack）.Thesizeofthecontents

ofthestackdeterminesthesizeofthepush.

UsepushTopforeachadditionalcomparisonyou

intendtomakewiththecurrenttopofthestack.The

pushTopinstructionmakesacopyofthefieldmore

efficientlythanifyouuseasecondpushField

instruction.

Ifyouarewritingafilterthatisgoingtocheckthe

sameoffsetmorethanonce,suchascheckingthe

Ethernettypefieldtofiltermultipleprotocols,usethe

followingguidelines.Assumethatyouwanttofilter

DECLAT,IP,andARPtrafficonaport.

pushLiteral.size

1（.b）

2（.w）

4（.l）

6（.a）bytes

dependingonthe

sizeof

plus1bytefora

totalof2,3,5,or7

bytes

Pushesaliteralconstantontothestack.The

mostsignificantbyteoftheisthefirstbyteof

theliteral.Bytesarecopieddirectlyfromtheoperand

ontothestack.Thesizefieldoftheinstruction

determinesnumberofbytespushed.

Specifythevalueaseitheranoctal,decimal,or

hexadecimalnumber.

nPrecedeanoctalnumberbya“0”.

nPrecedeahexadecimalnumberbyeither“0x”or

“0X”.

nUseeitherupperorlowercaselettersforthe

hexadecimaldigits“a”through“f”.

pushTop

1byte

Pushesthecurrenttopofthestackontothestack（that

is,itreadsthetopofthestackandpushesthevalue

ontothestack,whicheffectivelyduplicatestheitem

currentlyontopofthestack）.Thesizeofthecontents

ofthestackdeterminesthesizeofthepush.

UsepushTopforeachadditionalcomparisonyou

intendtomakewiththecurrenttopofthestack.The

pushTopinstructionmakesacopyofthefieldmore

efficientlythanifyouuseasecondpushField

instruction.

Ifyouarewritingafilterthatisgoingtocheckthe

sameoffsetmorethanonce,suchascheckingthe

Ethernettypefieldtofiltermultipleprotocols,usethe

followingguidelines.Assumethatyouwanttofilter

DECLAT,IP,andARPtrafficonaport.

pushTop（continued）

1byte

RatherthanusemultiplepushField.w12

commandstolookatthe12thoffsetwherethe

Ethernettypefieldresides,usemultiplepushTop

commands,asshownhere:

OriginalFilter:

pushField.w12

pushLiteral.w0x6004

eq

reject

pushField.w12

pushLiteral.w0x0800

eq

reject

pushField.w12

pushLiteral.w0x0806

ne

ShortenedFilter:

PushField.w12

pushTop

pushTop

pushLiteral.w0x6004

eq

reject

pushLiteral.w0x0800

eq

reject

pushLiteral.w0x0806

ne

pushSPGM

1byte

Pushesthesourceportgroupmask（SPGM）ontothe

topofthestack.TheSPGMisabitmaprepresenting

thegroupstowhichthesourceportofapacket

belongs.Thisinstructionpushes4bytesontothe

stack.

Eachportgroupmaskisrepresentedbyasinglebitin

theSPGMbitmap.Portgroupmasksareassignedto

thebitmapinsequence,startingwithportgroupmask

1astheleastsignificantbitthroughportgroupmask

32asthemostsignificantbit.

UsepushSPGMtofilterbyportgroups.See“Using

PortGroupsinCustomPacketFilters”formore

information.

pushDPGM

1byte

Pushesthedestinationportgroupmask（DPGM）onto

thetopofthestack.TheDPGMisabitmap

representingthegroupstowhichthedestinationport

ofapacketbelongs.Pushes4bytesontothestack.

Eachportgroupmaskisrepresentedbyasinglebitin

theDPGMbitmap.Portgroupmasksareassignedto

thebitmapinsequence,startingwithportgroupmask

1astheleastsignificantbitthroughportgroupmask

32asthemostsignificantbit.

UsepushDPGMtofilterbyportgroups.See“Using

PortGroupsinCustomPacketFilters”formore

information.

eq（equal）

1byte

Popstwovaluesfromthestackandcomparesthem.If

theyareequal,abytecontainingthenon-zerovalueis

pushedontothestack;otherwise,abytecontaining0

ispushed.Thecontentsofthestackdeterminesthe

sizeoftheoperands.

ne（notequal）

1byte

Popstwovaluesfromthestackandcomparesthem.If

theyarenotequal,abytecontainingthenon-zero

valueispushedontothestack;otherwise,abyte

containing0ispushed.Thesizeoftheoperandsis

determinedbythecontentsofthestack.

lt（lessthan）

1byte

Popstwovaluesfromthestackandperformsan

unsignedcomparison.Ifthefirstislessthanthe

second,abytecontainingthenon-zerovalueispushed

ontothestack;otherwise,abytecontaining0is

pushed.Thecontentsofthestackdeterminethesize

oftheoperands.

le（lessthanorequal

to）

1byte

Popstwovaluesfromthestackandperformsan

unsignedcomparison.Ifthefirstislessthanorequalto

thesecond,abytecontainingthenon-zerovalueis

pushedontothestack;otherwise,abytecontaining0

ispushed.Thecontentsofthestackdeterminethesize

oftheoperands.

gt（greaterthan）

1byte

Popstwovaluesfromthestackandperformsan

unsignedcomparison.Ifthefirstisgreaterthanthe

second,abytecontainingthenon-zerovalueispushed

ontothestack;otherwise,abytecontaining0is

pushed.Thecontentsofthestackdeterminesizeof

theoperands.

ge（greaterthanor

equalto）

1byte

Popstwovaluesfromthestackandperformsan

unsignedcomparison.Ifthefirstisgreaterthanor

equaltothesecond,abytecontainingthenon-zero

valueispushedontothestack;otherwise,abyte

containing0ispushed.Thecontentsofthestack

determinethesizeoftheoperands.

and（bit-wiseAND）

1byte

Popstwovaluesfromthestackandpushesthebit-wise

ANDofthesevaluesbackontothestack.Thecontents

ofthestackdeterminethesizeoftheoperandsandthe

result.

Thisisabit-wiseoperator.Eachbitoftheoperandsis

logicallycomparedtoproducetheresultingbit

or（bit-wiseOR）

1byte

Popstwovaluesfromthestackandpushesthebit-wise

ORofthesevaluesbackontothestack.Thecontents

ofthestackdeterminetheoperandsizeandtheresult.

Thisisabit-wiseoperator.Eachbitoftheoperandsis

logicallycomparedtoproducetheresultingbit

xor（bit-wise

exclusive-OR）

1byte

Popstwovaluesfromthestackandpushesthebit-wise

exclusive-ORofthesevaluesbackontothestack.The

contentsofthestackdeterminestheoperandsizeand

theresult.

Thisisabit-wiseoperator.Eachbitoftheoperandsis

logicallycomparedtoproducetheresultingbit

not

1byte

Popsabytefromthestack;ifitsvalueisnon-zero,a

bytecontaining0ispushedbackontothestack.

Otherwise,abytecontainingthevalueispushedback

ontothestack.

accept

1byte

Conditionallyacceptsthepacketthatisbeing

examined.Popsabytefromthestack.Ifitsvalueis

non-zero,thepacketisacceptedandevaluationofthe

filterendsimmediately;otherwise,filterevaluation

continueswiththenextinstruction.

Useacceptwithandandoroperatorswhenyou

havesequentialtestsandyouwouldlikethefilterto

acceptapacketbeforetheentireexpressionhasbeen

evaluated.Usingacceptcansignificantlyimprovethe

performanceofcertaintypesoffilters.See

“ImplementingSequentialTestsinaPacketFilter”

elsewhereinthechapterformoreinformation.

reject

1byte

Conditionallyrejectsthepacketbeingexamined.Pops

abytefromthestack.Ifitsvalueisnon-zero,the

packetisrejectedandfilterevaluationends

immediately;otherwise,thefilterevaluationcontinues

withthenextinstruction.

Userejectwithandandoroperatorswhenyou

havesequentialtestsandyouwouldlikethef