Create a firewall policy entry for a network service
Availability: This command is available to cluster administrators at the admin privilege level.
Description
The system services firewall policy create command creates a firewall policy entry with the specified name and network service. This command is used both to create the first network service associated with a new firewall policy and to add to an existing firewall policy by associating another network service with it. You can optionally specify one or more IP addresses, with corresponding netmasks, that are allowed to use the firewall policy entry.
To put a firewall policy into effect for a given logical interface, use the network interface modify command with the -firewall-policy parameter to set that logical interface to use the specified firewall policy.
Parameters
- -vserver <vserver> - Vserver Name
  Use this parameter to specify the name of the Vserver on which the policy is to be created.
- -policy <textpolicy_name> - Policy
  Use this parameter to specify the name of the policy that is to be created.
- -service <service> - Service
  Use this parameter to specify the network service that is associated with the policy. Possible values include:
  - dns - The DNS protocol server
  - http - The HTTP protocol
  - ndmp - The NDMP tape backup protocol
  - ndmps - The NDMPS tape backup protocol
  - none - No protocol (for creating an empty policy)
  - ntp - The NTP protocol
  - rsh - The RSH protocol
  - snmp - The SNMP protocol
  - telnet - The Telnet protocol
- -allow-list <IP Address/Mask>, ... - Allowed IPs
  Use this parameter to specify one or more IP addresses with corresponding netmasks that are to be allowed by this firewall policy. The correct format for this parameter is address/netmask, similar to "192.0.2.128/25". Multiple address/netmask pairs should be separated with commas. Use the value 0.0.0.0/0 for "any".
Examples
The following example creates a firewall policy named data that uses the NDMP protocol and enables access from all IP addresses on the 192.0.2.128/25 subnet:
cluster1::> system services firewall policy create -policy data -service ndmp -allow-list 192.0.2.128/25
The following example adds an entry to the firewall policy named data, associating the DNS protocol with that policy and enabling access from all IP addresses on the 192.0.2.128/25 subnet:
cluster1::> system services firewall policy create -policy data -service dns -allow-list 192.0.2.128/25
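The following Python script is an added example, not part of this manual page or of the ONTAP CLI. It parses -allow-list values in the documented address/netmask, comma-separated form, tests whether a given source address would be permitted by an entry, and flags entries that open a service to any source (0.0.0.0/0) or to an unusually large range. The policy/service entries it checks are constructed to mirror the examples above plus one deliberately wide-open entry; the "broad range" threshold and the rule that the address part must be a network address (so "192.0.2.130/25" is reported as malformed) are this script's own assumptions, not documented ONTAP behaviour.

```python
import ipaddress
from typing import List

# The documented wildcard value for -allow-list ("any" source address).
ANY_SOURCE = ipaddress.ip_network("0.0.0.0/0")


def parse_allow_list(value: str) -> List[ipaddress.IPv4Network]:
    """Parse a -allow-list value: comma-separated address/netmask pairs.

    Each entry must be in the 'address/netmask' form documented for the
    parameter (e.g. "192.0.2.128/25"). This checker's own rule (an assumption,
    not ONTAP's documented behaviour) is that the address must be the network
    address, so "192.0.2.130/25" is rejected as malformed.
    """
    networks: List[ipaddress.IPv4Network] = []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            raise ValueError("empty entry in allow-list")
        if "/" not in entry:
            raise ValueError(f"{entry!r}: expected address/netmask")
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            raise ValueError(f"{entry!r}: {exc}") from exc
        if not isinstance(net, ipaddress.IPv4Network):
            raise ValueError(f"{entry!r}: only IPv4 address/netmask handled here")
        networks.append(net)
    return networks


def is_allowed(allow_list: str, source_ip: str) -> bool:
    """Return True if source_ip falls inside any entry of the allow-list."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in parse_allow_list(allow_list))


def audit_policy_entry(policy: str, service: str, allow_list: str,
                       max_addresses: int = 65536) -> List[str]:
    """Report allow-list entries that expose the service more widely than intended.

    max_addresses is this example's own threshold (constructed, not from the
    manual page): an entry covering more addresses than this is flagged as broad.
    """
    findings: List[str] = []
    where = f"policy {policy!r} service {service!r}"
    for net in parse_allow_list(allow_list):
        if net == ANY_SOURCE:
            findings.append(f"{where}: 0.0.0.0/0 allows any source address")
        elif net.num_addresses > max_addresses:
            findings.append(f"{where}: {net} covers {net.num_addresses} addresses")
    return findings


if __name__ == "__main__":
    # Constructed entries: the two from the page's examples plus a wide-open one.
    entries = [
        ("data", "ndmp", "192.0.2.128/25"),
        ("data", "dns", "192.0.2.128/25"),
        ("data", "telnet", "0.0.0.0/0"),  # constructed: any-source entry
    ]
    for policy, service, allow in entries:
        for finding in audit_policy_entry(policy, service, allow):
            print("WARNING:", finding)
    print("192.0.2.200 allowed by 192.0.2.128/25:", is_allowed("192.0.2.128/25", "192.0.2.200"))
    print("192.0.2.5 allowed by 192.0.2.128/25:", is_allowed("192.0.2.128/25", "192.0.2.5"))
```

Running the script warns only about the constructed telnet entry; the two entries copied from the examples are confined to the 192.0.2.128/25 subnet, so 192.0.2.200 is allowed and 192.0.2.5 (which lies in the lower half of 192.0.2.0/24) is not.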