Fibre Channel (SAN)

Occasional Contributor
Posts: 6
Registered: ‎06-10-2010

How to disable an ipfilter policy via CLI?

I tried creating a policy to block telnet and in turn got locked out of webtool, telnet and ssh. I am sure I created the wrong policy. I connected a serial console to gain access; however, I wasn't able to delete the policy, as the policy was in the active state. I wasn't able to find any command to disable the policy. I also tried re-enabling the blocked port by deleting the rule and adding another rule, but I was still unable to get things to work.

I am guessing that if I am able to disable this policy, I should be able to log in again. I would appreciate any help.

Best Regards

Amit

Super Contributor
Posts: 260
Registered: ‎04-09-2008

Re: How to disable an ipfilter policy via CLI?

Please post

ipfilter --show

Occasional Contributor
Posts: 6
Registered: ‎06-10-2010

Re: How to disable an ipfilter policy via CLI?

swd77:amit> ipfilter --show

Name: default_ipv4, Type: ipv4, State: defined
Rule    Source IP                               Protocol   Dest Port   Action
1     any                                            tcp       22     permit
2     any                                            tcp       23     permit
3     any                                            tcp      897     permit
4     any                                            tcp      898     permit
5     any                                            tcp      111     permit
6     any                                            tcp       80     permit
7     any                                            tcp      443     permit
8     any                                            udp      161     permit
9     any                                            udp      111     permit
10    any                                            udp      123     permit
11    any                                            tcp      600 - 1023     permit
12    any                                            udp      600 - 1023     permit

Name: default_ipv6, Type: ipv6, State: active
Rule    Source IP                               Protocol   Dest Port   Action
1     any                                            tcp       22     permit
2     any                                            tcp       23     permit
3     any                                            tcp      897     permit
4     any                                            tcp      898     permit
5     any                                            tcp      111     permit
6     any                                            tcp       80     permit
7     any                                            tcp      443     permit
8     any                                            udp      161     permit
9     any                                            udp      111     permit
10    any                                            udp      123     permit
11    any                                            tcp      600 - 1023     permit
12    any                                            udp      600 - 1023     permit

Name: disableipv4telnet, Type: ipv4, State: active
Rule    Source IP                               Protocol   Dest Port   Action
1     any

I deleted the rule from disableipv4telnet that was blocking telnet. I am able to log in to the switch via telnet now, but ssh and webtool are still not working. I wonder what's wrong.

When I try to save disableipv4telnet or delete the policy itself, I get an error message that the policy is active and can't be deleted. I did ipfilter --activate default_ipv4 to be able to log in to the switch via telnet, but I am unable to make ssh and webtool work, and I am unable to disable the policy before I can delete it.

Please help.

Super Contributor
Posts: 260
Registered: ‎04-09-2008

Re: How to disable an ipfilter policy via CLI?

Hi,

If the o/p you provided is current then you will find that default_ipv4 is not active. disableipv4telnet is still active and you cannot delete an active policy.

First activate that

1. ipfilter --activate default_ipv4

Then try deleting

2. ipfilter --delrule disableipv4telnet

If not, you can try aborting any pending transactions

3. ipfilter --transabort

After 3, try steps 1 & 2 again.
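
An added example, not from the thread's posters or from Brocade: a Python check that parses `ipfilter --show` output in the layout quoted above and reports which management services each active policy would block. The sample text is constructed, and the first-match rule order, the implicit deny for unmatched ports, and the `MGMT` port list are assumptions.

```python
import re

# Constructed sample modelled on the `ipfilter --show` layout quoted in this thread.
SAMPLE = """\
Name: default_ipv4, Type: ipv4, State: defined
Rule    Source IP                               Protocol   Dest Port   Action
1     any                                            tcp       22     permit
2     any                                            tcp       23     permit
3     any                                            tcp       80     permit
4     any                                            tcp      443     permit
5     any                                            tcp      600 - 1023     permit

Name: disableipv4telnet, Type: ipv4, State: active
Rule    Source IP                               Protocol   Dest Port   Action
1     any                                            tcp       23     deny
"""

HEADER = re.compile(r"Name:\s*(\S+),\s*Type:\s*(\S+),\s*State:\s*(\S+)")
RULE = re.compile(r"\s*(\d+)\s+(\S+)\s+(tcp|udp)\s+(\d+)(?:\s*-\s*(\d+))?\s+(permit|deny)\s*$")
MGMT = {"ssh": 22, "telnet": 23, "http": 80, "https": 443}  # assumed management ports

def parse(text):
    """Return {policy: {"type", "state", "rules": [(proto, lo, hi, action)]}}."""
    policies, current = {}, None
    for line in text.splitlines():
        h = HEADER.match(line.strip())
        if h:
            current = policies.setdefault(h[1], {"type": h[2], "state": h[3], "rules": []})
            continue
        r = RULE.match(line)  # truncated rule lines (e.g. "1     any") are skipped
        if r and current is not None:
            lo, hi = int(r[4]), int(r[5] or r[4])
            current["rules"].append((r[3], lo, hi, r[6]))
    return policies

def reachable(policy, port, proto="tcp"):
    """First matching rule wins; no match is treated as deny (both are assumptions)."""
    for p, lo, hi, action in policy["rules"]:
        if p == proto and lo <= port <= hi:
            return action == "permit"
    return False

def lockout_report(text):
    """For each active policy, list the management services it would block."""
    return {name: sorted(s for s, port in MGMT.items() if not reachable(pol, port))
            for name, pol in parse(text).items() if pol["state"] == "active"}

print(lockout_report(SAMPLE))
```

Running the same check against a policy while it is still in the defined state, before `ipfilter --activate`, shows whether it would cut off the sessions used to manage the switch.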

Occasional Contributor
Posts: 6
Registered: ‎06-10-2010

Re: How to disable an ipfilter policy via CLI?

I tried all the other commands; they didn't work. ipfilter --transabort did the trick. After that I was able to delete the rule and then created a new one, and now telnet is blocked and everything else is working.

Thanks a ton Biju. You got me out of a big mess. Kudos to you.
