system services firewall policy create

Create a firewall policy entry for a network service

Availability: This command is available to cluster administrators at the admin privilege level.

Description

The system services firewall policy create command creates a firewall policy entry with the specified name and network service. Use it either to create the first network service associated with a new firewall policy, or to add another network service to an existing policy. You can optionally specify one or more IP addresses with corresponding netmasks that are allowed to use the firewall policy entry.

You can use the network interface modify command with the -firewall-policy parameter to put a firewall policy into effect for a given logical interface by modifying that logical interface to use the specified firewall policy.

Parameters

-vserver <vserver> - Vserver Name
Use this parameter to specify the name of the Vserver on which the policy is to be created.
-policy <text> - Policy
Use this parameter to specify the name of the policy that is to be created.
-service <service> - Service
Use this parameter to specify the network service that is associated with the policy. Possible values include:
  • default - The default protocol or protocols for the port to which the firewall is applied
  • http - The HTTP protocol
  • https - The HTTPS protocol
  • ntp - The NTP protocol
  • rsh - The RSH protocol
  • snmp - The SNMP protocol
  • ssh - The SSH protocol
  • telnet - The Telnet protocol
-allow-list <IP Address/Mask>, ... - Allowed IPs
Use this parameter to specify one or more IP addresses with corresponding netmasks that are to be allowed by this firewall policy. The correct format for this parameter is address/netmask, similar to "192.0.2.128/25". Multiple address/netmask pairs should be separated with commas. Use the value 0.0.0.0/0 for "any"; because it matches every source address, it removes the source restriction for that service entirely.

Examples

The following example creates a firewall policy named data that uses the SSH protocol and enables access from all IP addresses on the 192.0.2.128/25 subnet:
cluster1::> system services firewall policy create -policy data -service ssh -allow-list 192.0.2.128/25

The following example adds an entry to the firewall policy named data, associating the HTTPS protocol with that policy and enabling access from all IP addresses on the 192.0.2.128/25 subnet:

cluster1::> system services firewall policy create -policy data -service https -allow-list 192.0.2.128/25
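The following is an added example, not part of this man page and not NetApp code: a small Python helper that validates an -allow-list value in the address/netmask form described above, builds the corresponding system services firewall policy create command line, and flags entries that would open a remote-access service (ssh, telnet, rsh) to 0.0.0.0/0. The service names are the ones listed under -service; treating ssh, telnet and rsh as "remote-access" services that deserve a warning on an "any" allow-list is this script's own review policy, not something the man page states.

```python
import ipaddress
from typing import List, Optional

# Values the man page lists for -service; anything else is rejected.
SERVICES = {"default", "http", "https", "ntp", "rsh", "snmp", "ssh", "telnet"}

# Assumption (this script's policy, not the man page's): these services grant
# shell or command access, so an "any" allow-list for them is flagged for review.
REMOTE_ACCESS_SERVICES = {"ssh", "telnet", "rsh"}
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_allow_list(raw: str) -> List[str]:
    """Validate a comma-separated address/netmask list and return it normalized.

    Each entry must be address/netmask (e.g. 192.0.2.128/25). An entry with host
    bits set (192.0.2.130/25) is rejected rather than silently widened, so that
    what is sent to the cluster is exactly the network the operator reviewed.
    """
    entries = []
    for item in raw.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty entry in allow-list")
        if "/" not in item:
            raise ValueError(f"{item!r}: netmask missing, expected address/netmask")
        # strict=True raises ValueError when host bits are set or the mask is bad
        net = ipaddress.ip_network(item, strict=True)
        entries.append(net.with_prefixlen)
    return entries


def review_allow_list(service: str, entries: List[str]) -> List[str]:
    """Return review warnings for a validated allow-list on the given service."""
    if service not in SERVICES:
        raise ValueError(f"unknown service {service!r}; expected one of {sorted(SERVICES)}")
    warnings = []
    for entry in entries:
        net = ipaddress.ip_network(entry)
        if net == ANY and service in REMOTE_ACCESS_SERVICES:
            warnings.append(f"{service}: 0.0.0.0/0 removes the source restriction for a remote-access service")
        elif net.prefixlen == 0 and service not in REMOTE_ACCESS_SERVICES:
            # Still worth knowing, but not treated as a finding by this script.
            pass
    return warnings


def build_create_command(policy: str, service: str, allow_list: str,
                         vserver: Optional[str] = None) -> str:
    """Build the CLI line for one policy entry, validating its inputs first."""
    entries = parse_allow_list(allow_list)
    if service not in SERVICES:
        raise ValueError(f"unknown service {service!r}")
    parts = ["system services firewall policy create"]
    if vserver:
        parts.append(f"-vserver {vserver}")
    parts.append(f"-policy {policy}")
    parts.append(f"-service {service}")
    parts.append("-allow-list " + ",".join(entries))
    return " ".join(parts)


if __name__ == "__main__":
    # Reproduces the two man-page examples, then shows a flagged "any" entry.
    for svc, allow in [("ssh", "192.0.2.128/25"), ("https", "192.0.2.128/25"), ("ssh", "0.0.0.0/0")]:
        print(build_create_command("data", svc, allow))
        for w in review_allow_list(svc, parse_allow_list(allow)):
            print("  WARNING:", w)
```

Run it on its own and it prints the two commands from the Examples section above, followed by the same ssh entry with an "any" allow-list and the warning that entry earns; feed it a host address such as 192.0.2.130/25 and it raises instead of quietly turning it into 192.0.2.128/25.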