Firewall

The nv unset commands remove the configuration you set with the equivalent nv set commands. This guide only describes an nv unset command if it differs from the nv set command.


nv set acl acl-default-dos rule <rule-id> action deny

Configures a deny action for the firewall DoS rule to deny packets.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action deny

nv set acl acl-default-dos rule <rule-id> action dest-nat translate-ip <range-id>

Configures an IP address destination NAT for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.
<range-id> The IPv4 range; for example, <ip-address> to <ip-address>

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action dest-nat translate-ip 172.30.58.0 to 172.30.58.80

nv set acl acl-default-dos rule <rule-id> action dest-nat translate-port <port-id>

Configures a port destination NAT firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.
<port-id> The port ID or port range.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action dest-nat translate-port 22

nv set acl acl-default-dos rule <rule-id> action erspan dest-ip

Configures the ERSPAN destination IP address for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action erspan dest-ip 10.10.10.3

nv set acl acl-default-dos rule <rule-id> action erspan source-ip

Configures the ERSPAN source IP address for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action erspan dest-ip 10.10.10.10

nv set acl acl-default-dos rule <rule-id> action erspan ttl

Configures the ERSPAN Time to Live (TTL) for the firewall DoS rule. You can specify a value between 1 and 255.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action erspan ttl 200

nv set acl acl-default-dos rule <rule-id> action log

Configures logging for the firewall DoS rule.


nv set acl acl-default-dos rule <rule-id> action log level

Configures the log level for the firewall DoS rule. You can specify a value between 1 and 7.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action log level 5

nv set acl acl-default-dos rule <rule-id> action log log-prefix <prefix>

Configures logging for packets with a specific prefix for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.
<prefix> The prefix with which you want to log matching packets.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action log log-prefix 10.10.10.1/32

nv set acl acl-default-dos rule <rule-id> action log rate

Configures the number of logs per minute you want to generate for the firewall DoS rule. You can set a value between 1 and 50000.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action log rate 30000

nv set acl acl-default-dos rule <rule-id> action permit

Configures a permit action to permit packets for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action permit

nv set acl acl-default-dos rule <rule-id> action police burst

Configures quality of service for traffic for the firewall DoS rule. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the police burst rate; the number of packets or kilobytes (KB) allowed to arrive sequentially. You can specify a value between 1 and 2147483647.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action police burst 1000

nv set acl acl-default-dos rule <rule-id> action police class

Configures quality of service for traffic for the firewall DoS rule. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the police action class. You can specify an integer between 0 and 7.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action police class 5

nv set acl acl-default-dos rule <rule-id> action police mode

Configures quality of service for traffic for the firewall DoS rule. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the traffic mode. You can specify packet, kbps, mbps or gbps.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action police mode mbps

nv set acl acl-default-dos rule <rule-id> action police rate

Configures quality of service for traffic for the firewall DoS rule. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the policing rate. You can specify a value between 1 and 2147483647.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action police rate 2000

nv set acl acl-default-dos rule <rule-id> action recent

Configures the firewall DoS rule to be the most recent.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action recent

nv set acl acl-default-dos rule <rule-id> action set class

Modifies the class value for packet classification for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action set class 3

nv set acl acl-default-dos rule <rule-id> action set cos

Configures the 802.1p CoS value to modify in the packet for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action set cos 6

nv set acl acl-default-dos rule <rule-id> action set dscp

Configures the DSCP value to modify in the packet for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action set dscp af12

nv set acl acl-default-dos rule <rule-id> action source-nat translate-ip <range-id>

Configures a dynamic NAT action DoS rule to translate a source IP address range to a public address.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.
<range-id> The IP address range; for example, <ip-address> to <ip-address>.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action source-nat translate-ip 172.30.58.0 to 172.30.58.80

nv set acl acl-default-dos rule <rule-id> action source-nat translate-port <port-id>

Configures a NAT action DoS rule to translate a source IP port.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.
<port-id> The port number or range of ports (separated with a -).

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action source-nat translate-port 1024-1200

nv set acl acl-default-dos rule <rule-id> action span <interface-id>

Configures the SPAN session for the specified interface for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.
<interface-id> The interface name.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 action span swp1

nv set acl acl-default-dos rule <rule-id> match ip connection-state

Configures the connection state you want to match for the firewall DoS rule. You can set the value to established, related, new, or invalid.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip connection-state related

nv set acl acl-default-dos rule <rule-id> match ip dest-ip <ip-address-id>

Configures the destination IP address you want to match for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.
<ip-address-id> The destination IP address.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip dest-ip 10.0.15.8/32

nv set acl acl-default-dos rule <rule-id> match ip dscp

Configures the DSCP value you want to match for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip dscp af13

nv set acl acl-default-dos rule <rule-id> match ip ecn flags tcp-cwr

Configures the firewall DoS rule to match on the TCP Congestion Window Reduced Flag.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip ecn flags tcp-cwr

nv set acl acl-default-dos rule <rule-id> match ip ecn flags tcp-ece

Configures the firewall DoS rule to match on the TCP ECN Echo Flag.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip ecn flags tcp-ece

nv set acl acl-default-dos rule <rule-id> match ip ecn ip-ect

Configures the firewall DoS rule to match on the ECT bit. The ECT codepoints negotiate if the connection is ECN capable by setting one of the two bits to 1. Routers also use the ECT bit to indicate that they are experiencing congestion by setting both the ECT codepoints to 1.

By default, ECN rules match a packet with the bit set. You can reverse the match by using an explanation point (!).

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip ecn ip-ect

nv set acl acl-default-dos rule <rule-id> match ip fragment

Configures IP fragment packet match for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip fragment

nv set acl acl-default-dos rule <rule-id> match ip hashlimit burst

Configures the hashlimit burst rate you want to match for the firewall DoS rule. You can specify a value between 1 and 4294967295.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip hashlimit burst 10

nv set acl acl-default-dos rule <rule-id> match ip hashlimit destination-mask

Configures the hashlimit destination mask you want to match for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip hashlimit destination-mask 32

nv set acl acl-default-dos rule <rule-id> match ip hashlimit expire

Configures the hashlimit expire time (in milliseconds) you want to match for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip hashlimit expire 1000

nv set acl acl-default-dos rule <rule-id> match ip hashlimit mode

Configures the hashlimit mode you want to match for the firewall DoS rule. You can specify src-ip or dst-ip.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip hashlimit mode dst-ip

nv set acl acl-default-dos rule <rule-id> match ip hashlimit name

Configures the hashlimit name you want to match for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip hashlimit name SSH

nv set acl acl-default-dos rule <rule-id> match ip hashlimit rate-above

Configures how much above the hashlimit rate you want to match for the firewall DoS rule. You can specify an <integer>/second, <integer>/min, or <integer>/hour. The maximum rate is 1000000/second.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip hashlimit rate-above 1000/min

nv set acl acl-default-dos rule <rule-id> match ip hashlimit source-mask

Configures the hashlimit source mask you want to match for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip hashlimit source-mask 32

nv set acl acl-default-dos rule <rule-id> match ip icmp-type

Configures the IP ICMP type you want to match for the firewall DoS rule. You can specify: dest-unreachable, echo-reply, echo-request, port-unreachable, time-exceeded, or an integer between 0 and 255.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip icmp-type dest-unreachable

nv set acl acl-default-dos rule <rule-id> match ip icmpv6-type

Configures the IP ICMPv6 type you want to match for the firewall DoS rule. You can specify router-solicitation, router-advertisement, neighbor-solicitation, neighbor-advertisement, or an integer between 0 and 255.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip icmpv6-type router-solicitation

nv set acl acl-default-dos rule <rule-id> match ip protocol

Configures the IP protocol you want to match for the firewall DoS rule. You can specify tcp, udp, ospf, pim, icmp, icmpv6, or igmp.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip protocol tcp

nv set acl acl-default-dos rule <rule-id> match ip recent-list action

Configures the IP recent list action you want to match for the firewall DoS rule. You can specify set or update.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip recent-list action update

nv set acl acl-default-dos rule <rule-id> match ip recent-list hit-count

Configures the IP recent list hit count you want to match for the firewall DoS rule. You can specify a value between 1 and 4294967295.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip recent-list hit-count 2000

nv set acl acl-default-dos rule <rule-id> match ip recent-list name

Configures the IP recent list name you want to match for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip recent-list name list1

nv set acl acl-default-dos rule <rule-id> match ip recent-list update-interval

Configures the IP recent list update interval you want to match for the firewall DoS rule. You can specify a value between 1 and 4294967295

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip recent-list update-interval 1000 

nv set acl acl-default-dos rule <rule-id> match ip source-ip

Configures the source IP address you want to match for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip source-ip 10.0.14.2/32

nv set acl acl-default-dos rule <rule-id> match ip tcp all-mss-except

Configures the firewall DoS rule to match all TCP maximum segment size (MSS) values except for the specified value.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip tcp all-mss-except 536

nv set acl acl-default-dos rule <rule-id> match ip tcp flags

Configures the IP TCP flag you want match in the packet for the firewall DoS rule. You can specify ack, all, fin, none, psh, rst, syn, or urg.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip tcp flags syn

nv set acl acl-default-dos rule <rule-id> match ip tcp mask

Configures the IP TCP mask you want match in the packet for the firewall DoS rule. You can specify ack, all, fin, none, psh, rst, syn, or urg.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip tcp mask ack

nv set acl acl-default-dos rule <rule-id> match ip tcp mss

Configures the TCP maximum segment size (MSS) you want match in the packet for the firewall DoS rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip tcp mss 536

nv set acl acl-default-dos rule <rule-id> match ip tcp state established

Configures the firewall DoS rule to match on the TCP established state.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip tcp state established 

nv set acl acl-default-dos rule <rule-id> match ip ttl

Configures the firewall DoS rule to match on the IP TTL.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip ttl 100

nv set acl acl-default-dos rule <rule-id> match ip udp dest-port

Configures the firewall DoS rule to match on the specified IP UDP destination port. You can specify ANY,bootps, http, ntp, telnet, bfd, clag, https, pop3, tftp, bfd-echo, dhcp-client, imap2, smtp, bfd-multihop, dhcp-server, ldap, snmp, bgp, domain, ldaps, snmp-trap, bootpc, ftp, msdp, or ssh.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip udp dest-port https

nv set acl acl-default-dos rule <rule-id> match ip udp source-port

Configures the firewall DoS rule to match on the specified IP UDP source port. You can specify ANY,bootps, http, ntp, telnet, bfd, clag, https, pop3, tftp, bfd-echo, dhcp-client, imap2, smtp, bfd-multihop, dhcp-server, ldap, snmp, bgp, domain, ldaps, snmp-trap, bootpc, ftp, msdp, or ssh.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match ip udp source-port https

nv set acl acl-default-dos rule <rule-id> match mac dest-mac

Configures the firewall DoS rule to match on the specified destination MAC address.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match mac dest-mac any

nv set acl acl-default-dos rule <rule-id> match mac dest-mac-mask

Configures the firewall DoS rule to match on the specified destination MAC address mask.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match mac dest-mac-mask 00:00:00:00:00:12

nv set acl acl-default-dos rule <rule-id> match mac protocol

Configures the firewall DoS rule to match on the specified destination MAC protocol. You can specify ANY, arp, ipv4, ipv6, or a value between 0 and 255.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match mac protocol arp

nv set acl acl-default-dos rule <rule-id> match mac source-mac

Configures the firewall DoS rule to match on the specified source MAC address.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match mac source-mac any

nv set acl acl-default-dos rule <rule-id> match mac source-mac-mask

Configures the firewall DoS rule to match on the specified source MAC address mask.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match mac source-mac-mask any

nv set acl acl-default-dos rule <rule-id> match vlan

Configures the firewall DoS rule to match on the specified VLAN ID.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 match vlan 10

nv set acl acl-default-dos rule <rule-id> remark

Configures a remark (description) about deny or permit conditions in the firewall DoS rule. You must enclose multiple words in double quotes (").

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-dos rule 10 remark "The following line permits TCP packets"

nv set acl acl-default-whitelist rule <rule-id> action deny

Configures a deny action for the firewall whitelist rule to deny packets.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action deny

nv set acl acl-default-whitelist rule <rule-id> action dest-nat translate-ip <range-id>

Configures an IP address destination NAT for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.
<range-id> The IPv4 range; for example, <ip-address> to <ip-address>

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action dest-nat translate-ip 172.30.58.0 to 172.30.58.80

nv set acl acl-default-whitelist rule <rule-id> action dest-nat translate-port <port-id>

Configures a port destination NAT for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.
<port-id> The port ID or port range.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action dest-nat translate-port 22

nv set acl acl-default-whitelist rule <rule-id> action erspan dest-ip

Configures the ERSPAN destination IP address for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action erspan dest-ip 10.10.10.3

nv set acl acl-default-whitelist rule <rule-id> action erspan source-ip

Configures the ERSPAN source IP address for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action erspan source-ip 10.10.10.10

nv set acl acl-default-whitelist rule <rule-id> action erspan ttl

Configures the ERSPAN Time to Live (TTL) for the firewall whitelist rule. You can specify a value between 1 and 255.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action erspan ttl 200

nv set acl acl-default-whitelist rule <rule-id> action log

Configures logging for the firewall whitelist rule.


nv set acl acl-default-whitelist rule <rule-id> action log level

Configures the log level for the firewall whitelist rule. You can specify a value between 1 and 7.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action log level 5

nv set acl acl-default-whitelist rule <rule-id> action log log-prefix <prefix>

Configures logging for packets with a specific prefix for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.
<prefix> The prefix with which you want to log matching packets.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action log log-prefix 10.10.10.1/32

nv set acl acl-default-whitelist rule <rule-id> action log rate

Configures the number of logs per minute you want to generate for the firewall whitelist rule. You can set a value between 1 and 50000.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action log rate 30000

nv set acl acl-default-whitelist rule <rule-id> action permit

Configures a permit action to permit packets for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action permit

nv set acl acl-default-whitelist rule <rule-id> action police burst

Configures quality of service for traffic for the firewall whitelist rule. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the police burst rate; the number of packets or kilobytes (KB) allowed to arrive sequentially. You can specify a value between 1 and 2147483647.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action police burst 1000

nv set acl acl-default-whitelist rule <rule-id> action police class

Configures quality of service for traffic for the firewall whitelist rule. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the police action class. You can specify an integer between 0 and 7.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action police class 5

nv set acl acl-default-whitelist rule <rule-id> action police mode

Configures quality of service for traffic for the firewall whitelist rule. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the traffic mode. You can specify packet, kbps, mbps, or gbps.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action police mode mbps

nv set acl acl-default-whitelist rule <rule-id> action police rate

Configures quality of service for traffic for the firewall whitelist rule. Using QoS policers, you can rate limit traffic so incoming packets get dropped if they exceed specified thresholds. This command configures the policing rate. You can specify a value between 1 and 2147483647.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action police rate 2000

nv set acl acl-default-whitelist rule <rule-id> action recent

Configures the firewall whitelist rule to be the most recent.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action recent

nv set acl acl-default-whitelist rule <rule-id> action set class

Modifies the class value for packet classification for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action set class 3

nv set acl acl-default-whitelist rule <rule-id> action set cos

Configures the 802.1p CoS value to modify in the packet for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action set cos 6

nv set acl acl-default-whitelist rule <rule-id> action set dscp

Configures the DSCP value to modify in the packet for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action set dscp af12

nv set acl acl-default-whitelist rule <rule-id> action source-nat translate-ip <range-id>

Configures a dynamic NAT action whitelist rule to translate a source IP address range to a public address.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.
<range-id> The IP address range; for example, <ip-address> to <ip-address>.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action source-nat translate-ip 172.30.58.0 to 172.30.58.80

nv set acl acl-default-whitelist rule <rule-id> action source-nat translate-port <port-id>

Configures a NAT action whitelist rule to translate a source IP port.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.
<port-id> The port number or range of ports (separated with a -).

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action source-nat translate-port 1024-1200

nv set acl acl-default-whitelist rule <rule-id> action span <interface-id>

Configures the SPAN session for the specified interface for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.
<interface-id> The interface name.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 action span swp1

nv set acl acl-default-whitelist rule <rule-id> match ip connection-state

Configures the connection state you want to match for the firewall whitelist rule. You can set the value to established, related, new, or invalid.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip connection-state related

nv set acl acl-default-whitelist rule <rule-id> match ip dest-ip <ip-address-id>

Configures the destination IP address you want to match for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.
<ip-address-id> The destination IP address.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip dest-ip 10.0.15.8/32

nv set acl acl-default-whitelist rule <rule-id> match ip dscp

Configures the DSCP value you want to match for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip dscp af13

nv set acl acl-default-whitelist rule <rule-id> match ip ecn flags tcp-cwr

Configures the firewall whitelist rule to match on the TCP Congestion Window Reduced Flag.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip ecn flags tcp-cwr

nv set acl acl-default-whitelist rule <rule-id> match ip ecn flags tcp-ece

Configures the firewall whitelist rule to match on the TCP ECN Echo Flag.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip ecn flags tcp-ece

nv set acl acl-default-whitelist rule <rule-id> match ip ecn ip-ect

Configures the firewall whitelist rule to match on the ECT bit. The ECT codepoints negotiate if the connection is ECN capable by setting one of the two bits to 1. Routers also use the ECT bit to indicate that they are experiencing congestion by setting both the ECT codepoints to 1.

By default, ECN rules match a packet with the bit set. You can reverse the match by using an explanation point (!).

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip ecn ip-ect

nv set acl acl-default-whitelist rule <rule-id> match ip fragment

Configures IP fragment packet match for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip fragment

nv set acl acl-default-whitelist rule <rule-id> match ip hashlimit burst

Configures the hashlimit burst rate you want to match for the firewall whitelist rule. You can specify a value between 1 and 4294967295.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip hashlimit burst 10

nv set acl acl-default-whitelist rule <rule-id> match ip hashlimit destination-mask

Configures the hashlimit destination mask you want to match for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip hashlimit destination-mask 32

nv set acl acl-default-whitelist rule <rule-id> match ip hashlimit expire

Configures the hashlimit expire time (in milliseconds) you want to match for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip hashlimit expire 1000

nv set acl acl-default-whitelist rule <rule-id> match ip hashlimit mode

Configures the hashlimit mode you want to match for the firewall whitelist rule. You can specify src-ip or dst-ip.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip hashlimit mode dst-ip

nv set acl acl-default-whitelist rule <rule-id> match ip hashlimit name

Configures the hashlimit name you want to match for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip hashlimit name SSH

nv set acl acl-default-whitelist rule <rule-id> match ip hashlimit rate-above

Configures how much above the hashlimit rate you want to match for the firewall whitelist rule. You can specify an <integer>/second, <integer>/min, or <integer>/hour. The maximum rate is 1000000/second.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip hashlimit rate-above 1000/min

nv set acl acl-default-whitelist rule <rule-id> match ip hashlimit source-mask

Configures the hashlimit source mask you want to match for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip hashlimit source-mask 32

nv set acl acl-default-whitelist rule <rule-id> match ip icmp-type

Configures the IP ICMP type you want to match for the firewall whitelist rule. You can specify: dest-unreachable, echo-reply, echo-request, port-unreachable, time-exceeded, or an integer between 0 and 255.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip icmp-type dest-unreachable

nv set acl acl-default-whitelist rule <rule-id> match ip icmpv6-type

Configures the IP ICMPv6 type you want to match for the firewall whitelist rule. You can specify router-solicitation, router-advertisement, neighbor-solicitation, neighbor-advertisement, or an integer between 0 and 255.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip icmpv6-type router-solicitation

nv set acl acl-default-whitelist rule <rule-id> match ip protocol

Configures the IP protocol you want to match for the firewall whitelist rule. You can specify tcp, udp, ospf, pim, icmp, icmpv6, or igmp.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip protocol tcp

nv set acl acl-default-whitelist rule <rule-id> match ip recent-list action

Configures the IP recent list action you want to match for the firewall whitelist rule. You can specify set or update.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip recent-list action update

nv set acl acl-default-whitelist rule <rule-id> match ip recent-list hit-count

Configures the IP recent list hit count you want to match for the firewall whitelist rule. You can specify a value between 1 and 4294967295.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip recent-list hit-count 2000

nv set acl acl-default-whitelist rule <rule-id> match ip recent-list name

Configures the IP recent list name you want to match for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip recent-list name list1

nv set acl acl-default-whitelist rule <rule-id> match ip recent-list update-interval

Configures the IP recent list update interval you want to match for the firewall whitelist rule. You can specify a value between 1 and 4294967295

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip recent-list update-interval 1000 

nv set acl acl-default-whitelist rule <rule-id> match ip source-ip

Configures the source IP address you want to match for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip source-ip 10.0.14.2/32

nv set acl acl-default-whitelist rule <rule-id> match ip tcp all-mss-except

Configures the firewall whitelist rule to match all TCP maximum segment size (MSS) values except for the specified value.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip tcp all-mss-except 536

nv set acl acl-default-whitelist rule <rule-id> match ip tcp flags

Configures the IP TCP flag you want match in the packet for the firewall whitelist rule. You can specify ack, all, fin, none, psh, rst, syn, or urg.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip tcp flags syn

nv set acl acl-default-whitelist rule <rule-id> match ip tcp mask

Configures the IP TCP mask you want match in the packet for the firewall whitelist rule. You can specify ack, all, fin, none, psh, rst, syn, or urg.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip tcp mask ack

nv set acl acl-default-whitelist rule <rule-id> match ip tcp mss

Configures the TCP maximum segment size (MSS) you want match in the packet for the firewall whitelist rule.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip tcp mss 536

nv set acl acl-default-whitelist rule <rule-id> match ip tcp state established

Configures the firewall whitelist rule to match on the TCP established state.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip tcp state established 

nv set acl acl-default-whitelist rule <rule-id> match ip ttl

Configures the firewall whitelist rule to match on the IP TTL.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip ttl 100

nv set acl acl-default-whitelist rule <rule-id> match ip udp dest-port

Configures the firewall whitelist rule to match on the specified IP UDP destination port. You can specify ANY,bootps, http, ntp, telnet, bfd, clag, https, pop3, tftp, bfd-echo, dhcp-client, imap2, smtp, bfd-multihop, dhcp-server, ldap, snmp, bgp, domain, ldaps, snmp-trap, bootpc, ftp, msdp, or ssh.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip udp dest-port https

nv set acl acl-default-whitelist rule <rule-id> match ip udp source-port

Configures the firewall whitelist rule to match on the specified IP UDP source port. You can specify ANY,bootps, http, ntp, telnet, bfd, clag, https, pop3, tftp, bfd-echo, dhcp-client, imap2, smtp, bfd-multihop, dhcp-server, ldap, snmp, bgp, domain, ldaps, snmp-trap, bootpc, ftp, msdp, or ssh.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match ip udp source-port https

nv set acl acl-default-whitelist rule <rule-id> match mac dest-mac

Configures the firewall whitelist rule to match on the specified destination MAC address.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match mac dest-mac any

nv set acl acl-default-whitelist rule <rule-id> match mac dest-mac-mask

Configures the firewall whitelist rule to match on the specified destination MAC address mask.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match mac dest-mac-mask 00:00:00:00:00:12

nv set acl acl-default-whitelist rule <rule-id> match mac protocol

Configures the firewall whitelist rule to match on the specified destination MAC protocol. You can specify ANY, arp, ipv4, ipv6, or a value between 0 and 255.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.
——— ————–

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match mac protocol arp

nv set acl acl-default-whitelist rule <rule-id> match mac source-mac

Configures the firewall whitelist rule to match on the specified source MAC address.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match mac source-mac any

nv set acl acl-default-whitelist rule <rule-id> match mac source-mac-mask

Configures the firewall whitelist rule to match on the specified source MAC address mask.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match mac source-mac-mask any

nv set acl acl-default-whitelist rule <rule-id> match vlan

Configures the firewall whitelist rule to match on the specified VLAN ID.

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 match vlan 10

nv set acl acl-default-whitelist rule <rule-id> remark

Configures a remark (description) about deny or permit conditions in the firewall whitelist rule. You must enclose multiple words in double quotes (").

Command Syntax

Syntax Description
<rule-id> The ACL rule number.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv set acl acl-default-whitelist rule 10 remark "The following line permits TCP packets"

nv set system control-plane acl acl-default-dos inbound

Enables or disables the Cumulus Linux default Dos firewall rules that protect the switch control plane and CPU from DOS attacks. Cumulus Linux provides firewall DoS rules to:

  • Allow only internal traffic to the loopback interfaces.
  • Accept already established connections and outbound traffic.
  • Set the - allow option to color the packets from a specific interface. Used when different policies - need to be applied for different eth interfaces.
  • Drop packets if the first TCP segment is not SYN.
  • Drop fragmented IP packets.
  • Drop Christmas tree packets; packets with all TCP flags set.
  • Drop NULL packets.
  • Drop invalid packets.
  • Drop strange MSS values.
  • Provide brute-force protection.
  • Drop packets with routing Header Type 0.
  • Drop packets with a hop limit greater than 1.
  • Limit excessive TCP reset packets.
  • Protect against SYN flood.
  • Rate limit new TCP connections for each IP address.
  • Log all remaining packets, then drop them.

In Cumulus Linux 5.8 and earlier, the set of default firewall rules are more open; Cumulus Linux accepts packets from all addresses and protocols. Cumulus Linux 5.9 and later provides a set of default firewall rules that allows only specific addresses and ports, and drops packets that are disallowed.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv unset system control-plane acl acl-default-dos inbound 

nv set system control-plane acl acl-default-whitelist inbound

Enables or disables the Cumulus Linux default whitelist firewall rules that specify the services or application ports enabled on the switch. Cumulus Linux provides firewall whitelist rules to enable TCP ports and UDP ports.

In Cumulus Linux 5.8 and earlier, the set of default firewall rules are more open; Cumulus Linux accepts packets from all addresses and protocols. Cumulus Linux 5.9 and later provides a set of default firewall rules that allows only specific addresses and ports, and drops packets that are disallowed.

Version History

Introduced in Cumulus Linux 5.9.0

Example

cumulus@switch:~$ nv unset system control-plane acl acl-default-whitelist inbound