
firewall defend ip-spoofing enable

Function

The firewall defend ip-spoofing enable command enables the IP spoofing attack defense.

The undo firewall defend ip-spoofing enable command disables the IP spoofing attack defense.

Format

firewall defend ip-spoofing enable

undo firewall defend ip-spoofing enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, the IP spoofing attack defense is disabled.

After IP spoofing attack defense is enabled, the device looks up the source IP address of each IP packet in the routing table. If the interface of the optimal next hop for that source address is not the packet's incoming interface, the packet is considered an IP spoofing attack packet and is processed based on the action configured in firewall defend action.

The attack defense mechanism depends on whether the device has a route to the source IP address. If the device cannot route to the source IP address, false positives may occur. Therefore, employ IP spoofing attack defense with caution.

When the device works in transparent or multi-egress mode, or when policy-based routing is applied, IP spoofing attack defense cannot be configured.
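
The following Python model of the check described above is an added illustration, not Huawei code or device output. The routing table, interface names and sample packets are constructed, and "optimal" is assumed to mean the longest-prefix match. It shows a spoofed internal source being flagged and a legitimate packet on an asymmetric path producing the false positive the guidelines warn about.

```python
import ipaddress

# Constructed routing table: (destination prefix, outgoing interface).
ROUTES = [
    ("0.0.0.0/0", "GE0/0/1"),        # default route, uplink A
    ("10.1.0.0/16", "GE0/0/2"),      # internal LAN
    ("10.1.5.0/24", "GE0/0/3"),      # more specific internal subnet
    ("198.51.100.0/24", "GE0/0/1"),  # partner network, best path via uplink A
]

def best_route_interface(src_ip, routes=ROUTES):
    """Return the interface of the longest-prefix route to src_ip, or None."""
    addr = ipaddress.ip_address(src_ip)
    nets = [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]
    matches = [(net, iface) for net, iface in nets if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def check_packet(src_ip, in_iface, routes=ROUTES):
    """Pass only if the route back to the source leaves through the
    interface the packet arrived on; otherwise flag it."""
    expected = best_route_interface(src_ip, routes)
    # Assumption of this model: a source with no route at all is also flagged.
    return "pass" if expected == in_iface else "ip-spoofing"

# Constructed sample packets: (source IP, incoming interface, note).
PACKETS = [
    ("10.1.5.9", "GE0/0/3", "internal host on its own subnet interface"),
    ("10.1.5.9", "GE0/0/1", "internal source address arriving from uplink A"),
    ("198.51.100.7", "GE0/0/4", "legitimate partner host, asymmetric return path"),
]

def run(packets=PACKETS):
    """Return (source, interface, verdict, note) for each sample packet."""
    return [(s, i, check_packet(s, i), note) for s, i, note in packets]

if __name__ == "__main__":
    for src, iface, verdict, note in run():
        print(f"{src:<14} in={iface:<8} {verdict:<12} {note}")
```

The third packet is genuine traffic, but because the best route to its source points at a different interface than the one it arrived on, the model flags it.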

Example

# Enable the IP spoofing attack defense.

<sysname> system-view
[sysname] firewall defend ip-spoofing enable
Copyright © Huawei Technologies Co., Ltd.