Fibre Channel (SAN)

Occasional Contributor
Posts: 6
Registered: ‎06-10-2010

How to disable an ipfilter policy via CLI?

I tried creating a policy to block telnet and in turn got locked out of webtool, telnet and ssh. I am sure I created the wrong policy. I connected a serial console to gain access; however, I wasn't able to delete the policy as the policy was in the active state. I wasn't able to find any command to disable the policy. I also tried re-enabling the blocked port by deleting the rule and adding another rule, but I was still unable to get things to work.

I am guessing that if I am able to disable this policy, I should be able to log in again. I would appreciate any help.

Best Regards

Amit

Super Contributor
Posts: 260
Registered: ‎04-09-2008

Re: How to disable an ipfilter policy via CLI?

Please post

ipfilter --show

Occasional Contributor
Posts: 6
Registered: ‎06-10-2010

Re: How to disable an ipfilter policy via CLI?

swd77:amit> ipfilter --show

Name: default_ipv4, Type: ipv4, State: defined
Rule    Source IP                               Protocol   Dest Port   Action
1     any                                            tcp       22     permit
2     any                                            tcp       23     permit
3     any                                            tcp      897     permit
4     any                                            tcp      898     permit
5     any                                            tcp      111     permit
6     any                                            tcp       80     permit
7     any                                            tcp      443     permit
8     any                                            udp      161     permit
9     any                                            udp      111     permit
10    any                                            udp      123     permit
11    any                                            tcp      600 - 1023     permit
12    any                                            udp      600 - 1023     permit

Name: default_ipv6, Type: ipv6, State: active
Rule    Source IP                               Protocol   Dest Port   Action
1     any                                            tcp       22     permit
2     any                                            tcp       23     permit
3     any                                            tcp      897     permit
4     any                                            tcp      898     permit
5     any                                            tcp      111     permit
6     any                                            tcp       80     permit
7     any                                            tcp      443     permit
8     any                                            udp      161     permit
9     any                                            udp      111     permit
10    any                                            udp      123     permit
11    any                                            tcp      600 - 1023     permit
12    any                                            udp      600 - 1023     permit

Name: disableipv4telnet, Type: ipv4, State: active
Rule    Source IP                               Protocol   Dest Port   Action
1     any

I deleted the rule from disableipv4telnet that was blocking telnet. I am able to log in to the switch via telnet now, but ssh and webtool are still not working; I wonder what's wrong.

When I try to save disableipv4telnet or delete the policy itself, I get an error message that the policy is active and can't be deleted. I did ipfilter --activate default_ipv4 to be able to log in to the switch via telnet, but I am unable to make ssh and webtool work, and I am unable to disable the policy before I can delete it.

Please help.

Super Contributor
Posts: 260
Registered: ‎04-09-2008

Re: How to disable an ipfilter policy via CLI?

Hi,

If the output you provided is current, then you will find that default_ipv4 is not active. disableipv4telnet is still active, and you cannot delete an active policy.

First activate that

1. ipfilter --activate default_ipv4

Then try deleting

2. ipfilter --delrule disableipv4telnet

If not, you can try aborting any pending transactions

3. ipfilter --transabort

After step 3, try steps 1 & 2 again.

Occasional Contributor
Posts: 6
Registered: ‎06-10-2010

Re: How to disable an ipfilter policy via CLI?

I tried all the other commands; they didn't work. ipfilter --transabort did the trick. After that I was able to delete the rule and then created a new one, and now telnet is blocked and everything else is working.

Thanks a ton Biju. You got me out of a big mess. Kudos to you.
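
As an added example (not code from this thread or from Brocade): a Python check that parses `ipfilter --show` output in the layout posted above and lists the management ports a policy would leave unreachable, so it can be run before activating that policy. It assumes first-match rule evaluation with unmatched packets dropped; the sample text, its `deny` rule and all function names are constructed for illustration.

```python
import re

# Constructed sample in the `ipfilter --show` layout from this thread (not real switch output).
SAMPLE = """\
Name: default_ipv4, Type: ipv4, State: defined
Rule    Source IP                               Protocol   Dest Port   Action
1     any                                            tcp       22     permit
2     any                                            tcp       80     permit
3     any                                            tcp      443     permit
4     any                                            tcp      600 - 1023     permit

Name: disableipv4telnet, Type: ipv4, State: active
Rule    Source IP                               Protocol   Dest Port   Action
1     any                                            tcp       23     deny
"""

HEADER = re.compile(r"Name:\s*(\S+),\s*Type:\s*(\S+),\s*State:\s*(\S+)")
RULE = re.compile(r"(\d+)\s+(\S+)\s+(tcp|udp)\s+(\d+)(?:\s*-\s*(\d+))?\s+(permit|deny)\s*$")

def parse_policies(text):
    """Return {name: {"type", "state", "rules"}}; rules keep their listed order."""
    policies, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            current = {"type": m[2], "state": m[3], "rules": []}
            policies[m[1]] = current
        elif current is not None and (m := RULE.match(line)):
            lo, hi = int(m[4]), int(m[5] or m[4])  # single port or "lo - hi" range
            current["rules"].append((m[2], m[3], lo, hi, m[6]))
    return policies

def permits(policy, proto, port):
    """Assumed semantics: first matching rule wins; no match means the packet is dropped."""
    for src, rproto, lo, hi, action in policy["rules"]:
        # Rules scoped to one source address are skipped: we model an arbitrary admin host.
        if src == "any" and rproto == proto and lo <= port <= hi:
            return action == "permit"
    return False

def blocked_mgmt_ports(text, name, ports=(22, 80, 443)):
    """TCP management ports that would be unreachable with policy `name` active."""
    policy = parse_policies(text)[name]
    return [p for p in ports if not permits(policy, "tcp", p)]

def active_policy(text, ip_type="ipv4"):
    """Name of the policy currently in State: active for the given type."""
    return next(n for n, p in parse_policies(text).items()
                if p["type"] == ip_type and p["state"] == "active")
```

On the constructed sample, a policy holding only the telnet deny rule leaves ssh and both webtool ports unmatched, while default_ipv4 permits all three.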
