
firewall packet-filter basic-protocol enable

Function

The firewall packet-filter basic-protocol enable command enables security policy control of BGP packets, LDP packets, BFD packets, DHCP unicast packets, DHCPv6 unicast packets and OSPF/OSPFv3 unicast packets.

The undo firewall packet-filter basic-protocol enable command disables security policy control of BGP packets, LDP packets, BFD packets, DHCP unicast packets, DHCPv6 unicast packets and OSPF/OSPFv3 unicast packets.

Format

firewall packet-filter basic-protocol enable

undo firewall packet-filter basic-protocol enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

By default, security policy control of BGP packets, LDP packets, BFD packets, DHCP unicast packets, DHCPv6 unicast packets and OSPF/OSPFv3 unicast packets is disabled. However, the factory settings include the firewall packet-filter basic-protocol enable command, which enables this function.

After the function is enabled, the forwarding of these packets can be controlled by the security policies. You can configure the security policies or the default packet filtering rules to control the forwarding of these packets.

After the function is disabled, the device can forward these packets directly. Even if the security policies with the deny action are configured, they cannot take effect.

This function applies only to DHCP unicast packets, DHCPv6 unicast packets, OSPF/OSPFv3 unicast packets, and BGP, LDP and BFD packets that use fixed destination port numbers and transport protocols. The following types of protocol packets are under the control of security policies:

  • IPv4:

    • OSPF unicast packets (protocol number: 89), BGP packets (TCP destination port: 179), LDP packets (TCP destination port: 646), and BFD packets (UDP destination port: 3784)
  • IPv6:

    • OSPFv3 unicast packets (protocol number: 89), BGP packets (TCP destination port: 179), LDP packets (TCP destination port: 646), and DHCPv6 unicast packets (UDP destination port: 546, 547)

The FW directly forwards OSPF multicast packets, which are not controlled by the firewall packet-filter basic-protocol enable command or security policies.
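
The following Python example is added here and is not taken from the Huawei documentation. It encodes the packet types listed above and reports which flows a deny security policy cannot stop in each state of the command. The function names and sample flows are constructed for illustration, and packets outside the list are reported as out-of-scope because this page does not describe them.

```python
import ipaddress

# (IP version, IP protocol number, destination port) -> protocol, from the lists above.
# OSPF/OSPFv3 (protocol 89) have no ports. The page names IPv4 DHCP unicast but gives
# no port for it, so it is absent from this table.
CONTROLLED = {
    (4, 89, None): "OSPF", (6, 89, None): "OSPFv3",
    (4, 6, 179): "BGP", (6, 6, 179): "BGP",
    (4, 6, 646): "LDP", (6, 6, 646): "LDP",
    (4, 17, 3784): "BFD",
    (6, 17, 546): "DHCPv6", (6, 17, 547): "DHCPv6",
}
UNICAST_ONLY = {"OSPF", "OSPFv3", "DHCPv6"}  # protocols the page qualifies as "unicast"

def handling(dst, proto, dport, enabled):
    """Return (protocol, verdict) for one packet given the command state."""
    addr = ipaddress.ip_address(dst)
    name = CONTROLLED.get((addr.version, proto, None if proto == 89 else dport))
    if name is None:
        return None, "out-of-scope"            # not a packet type this command governs
    if addr.is_multicast and name in UNICAST_ONLY:
        if proto == 89:
            return name, "forwarded-directly"  # OSPF multicast is never policy-controlled
        return name, "out-of-scope"            # page covers only the unicast form
    return name, "security-policy" if enabled else "forwarded-directly"

def unfiltered(flows, enabled):
    """Flows that a deny security policy cannot stop in this command state."""
    return [f for f in flows if handling(*f, enabled)[1] == "forwarded-directly"]

# Constructed sample flows: (destination, IP protocol number, destination port).
FLOWS = [
    ("192.0.2.1", 6, 179),      # BGP over IPv4
    ("192.0.2.2", 17, 3784),    # BFD over IPv4
    ("224.0.0.5", 89, None),    # OSPF multicast
    ("2001:db8::1", 89, None),  # OSPFv3 unicast
    ("2001:db8::2", 17, 547),   # DHCPv6 unicast
    ("192.0.2.3", 6, 443),      # unrelated traffic
]

if __name__ == "__main__":
    for state in (True, False):
        print("enabled" if state else "disabled", unfiltered(FLOWS, state))
```

With the function enabled only the OSPF multicast flow is reported; with it disabled every listed control-plane flow is reported, which is the set to review before relying on deny rules.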

Example

# Enable security policy control of BGP packets, LDP packets, BFD packets, DHCP unicast packets, DHCPv6 unicast packets and OSPF/OSPFv3 unicast packets.

<sysname> system-view
[sysname] firewall packet-filter basic-protocol enable
Copyright © Huawei Technologies Co., Ltd.