The aspf packet-filter command configures filtering rules for the packets that match the 3-tuple server map.
The undo aspf packet-filter command cancels the above configurations.
aspf packet-filter acl-number { inbound | outbound }
undo aspf packet-filter { inbound | outbound }
| Parameter | Description | Value |
|---|---|---|
| acl-number | Specifies the number of an ACL. | You can specify either of the following ACLs: |
| inbound | Enables inbound packet filtering in the interzone. This parameter applies only to the security interzone view. | - |
| outbound | Enables outbound packet filtering in the interzone. This parameter applies only to the security interzone view. | - |
When configuring ASPF packet filtering, first define a basic or an advanced ACL rule to match traffic. If the rule action is set to permit, the device implements application-layer detection on the traffic. If the rule action is set to deny, the device does not generate any 3-tuple server map entry for the traffic. The traffic of the multi-channel protocols for which no 3-tuple server map entry is generated cannot be forwarded.
# Configure filtering rules for the packets that match the 3-tuple server map.
```
<sysname> system-view
[sysname] acl number 2001
[sysname-acl-basic-2001] rule deny source 10.1.1.1 0
[sysname-acl-basic-2001] quit
[sysname] firewall interzone trust untrust
[sysname-interzone-trust-untrust] aspf packet-filter 2001 outbound
```
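The permit/deny behaviour described above can be checked offline before an ACL is bound to an interzone. The following Python model is an added example, not Huawei code or device output; the names `Rule`, `matches` and `aspf_outcome` are hypothetical, and it assumes rules are evaluated in the listed order with the first match deciding. Sources that match no rule are reported separately because the page does not state what the device does with them.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str    # "permit" or "deny"
    source: str    # IPv4 source address from the ACL rule
    wildcard: str  # wildcard mask; "0" means exact host, as in `source 10.1.1.1 0`

def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def matches(rule: Rule, src_ip: str) -> bool:
    """Wildcard match: bits set to 1 in the wildcard are ignored."""
    wildcard = 0 if rule.wildcard == "0" else _to_int(rule.wildcard)
    care = ~wildcard & 0xFFFFFFFF
    return (_to_int(src_ip) & care) == (_to_int(rule.source) & care)

def aspf_outcome(rules: list[Rule], src_ip: str) -> str:
    """Map a source address to the ASPF result the page describes.

    "detect"        -> permit rule: application-layer detection is performed
    "no-server-map" -> deny rule: no 3-tuple server map entry is generated, so
                       multi-channel protocol traffic cannot be forwarded
    "unmatched"     -> no rule matched (behaviour not stated on the page)
    """
    for rule in rules:  # assumption: listed order, first match wins
        if matches(rule, src_ip):
            return "detect" if rule.action == "permit" else "no-server-map"
    return "unmatched"

# ACL 2001 exactly as configured in the example on this page.
ACL_2001 = [Rule("deny", "10.1.1.1", "0")]

# Constructed variant: the same deny followed by a permit for the /24,
# showing that the single host stays excluded while its neighbours are inspected.
ACL_CONSTRUCTED = [
    Rule("deny", "10.1.1.1", "0"),
    Rule("permit", "10.1.1.0", "0.0.0.255"),
]

if __name__ == "__main__":
    for ip in ("10.1.1.1", "10.1.1.77", "10.1.2.5"):
        print(f"{ip:<10} acl2001={aspf_outcome(ACL_2001, ip):<14} "
              f"constructed={aspf_outcome(ACL_CONSTRUCTED, ip)}")
```

A "no-server-map" result for a host that legitimately uses a multi-channel protocol means its data channel will not pass after the ACL is applied.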