ZyNOS CI Command List
This is a copy from the Zyxel homepage (http://www.zyxel.com/support/supportnote/zywall/ci_cmd/zywall_ci.htm) as of 4 November 2004. I am providing it here only in case the Zyxel homepage is offline or the document is temporarily unavailable. This document is intended as a supplement to my Zyxel ZyWALL Tips and Tricks.
CI Command Reference
- System Related Commands
- TCP/IP Protocol Commands
- Ethernet Debug Commands
- Firewall Related CI Commands
- IPSec Related CI Commands
- PPP Related CI Commands
1. Command Syntax and General User Interface
CI has the following command syntax:
command <iface | device>
subcommand [param]
command subcommand [param]
command ? | help
command subcommand ? | help
General user interface:
? | Shows the following commands and all major (sub)commands
exit | Returns to SMT

2. System Related Commands
[ch-name]: enet0, enet1
NOTE: A mark with "*" means this command is product dependent.
Command | Parameters | Description
sys adjtime | | calibrate the system time with the NTP server immediately
sys baud | <1|2|3|4|5> | change console speed if the parameter is present: 1: 38400 bps, 2: 19200 bps, 3: 9600 bps, 4: 57600 bps, 5: 115200 bps
sys callhist add | <name> <dir> <rate> <uptime> | add a call history entry
sys callhist display | | display the call history
sys callhist remove | <index> | remove a call history entry
sys cbuf cnt disp | | display cbuf statistics
sys cbuf cnt clear | | clear cbuf statistics
sys cbuf disp | [a|f|u] | display cbuf; a: all, f: free, u: used
sys cmgr cnt | [ch-name] | display call related counters
sys cmgr data | | display phone number related data
sys cmgr trace | [display|clear] [ch-name] | display call related events
sys country | <country code> | set country code
sys cpu disp | | display CPU utilization
sys date | <yyyy> <mm> <dd> | change the current date if the parameter is present
sys dir | | display file directory
sys edit | <filename> | edit a text file
sys errctl | [level] | set the error control level: 0: crash no save, not in debug mode (default); 1: crash no save, in debug mode; 2: crash save, not in debug mode; 3: crash save, in debug mode
sys event display | | display tag flags information
sys event trace | [display|clear] | display system event information
sys extraphnum add | <set 1-3> <1st phone number> [2nd phone number] | add an extra phone number
sys extraphnum display | | display extra phone numbers
sys extraphnum node | | map the extra phone number for remote node n
sys extraphnum remove | | remove the extra phone number for remote node n
sys extraphnum reset | | reset the extra phone numbers
sys feature | | display feature bits
sys fid display | | display function id list
sys filter disp | | display filter statistic counters
sys filter clear | | clear filter statistic counters
sys filter sw | [on|off] | switch the filter counters on/off
sys filter netbios disp | | display the NetBIOS filter status for all directions (LAN to WAN, WAN to LAN, etc.)
sys filter netbios config | <type 0-7> [on|off] | set the NetBIOS filter for one direction. Type, direction and default: 0 LAN to WAN (Forward), 1 WAN to LAN (Forward), 2 LAN to DMZ (Forward), 3 WAN to DMZ (Forward), 4 DMZ to LAN (Forward), 5 DMZ to WAN (Forward), 6 IPSec pass through (Forward), 7 Trigger dial (Disabled). Note: only the ZyWALL100 has a DMZ port, so types 2, 3, 4, 5 are only available on the ZyWALL100
sys firewall acl | |
sys firewall clear | | clear firewall counter
sys firewall cnt clear | | clear firewall counter
sys firewall cnt display | | display firewall counter
sys firewall display | | display firewall log
sys firewall dynamicrule | | display firewall dynamic ACL rule usage
sys firewall icmp block_co | | block ICMP packets with type 3 code 3
sys firewall icmp display | | display current code status
sys firewall online | | display firewall log online
sys firewall pktdump | | dump the first 64 bytes of packets dropped by the firewall
sys firewall tcprst rst | | send a TCP RST when rejecting a TCP connection, except port 1
sys firewall tcprst rst113 | | send a TCP RST when rejecting a TCP connection on TCP port 113
sys firewall tcprst display | | display current TCP reset status
sys firewall update | | update firewall rules
sys firewall dos smtp | [on|off] | turn the SMTP defender on or off
sys firewall dos display | | display SMTP defender status
sys firewall ignore triangle all | [on|off] | allow a triangle route network topology; check the release note for more info. Available since ZyWALL100 V3.50(WB.6), ZyWALL50 V3.52, ZyWALL10 V3.50(WA.5)
sys firewall ignore dos | <lan|wan|dmz*> [on|off] | bypass DoS checking for traffic from LAN/WAN/DMZ; default is off. Available since ZyWALL100 V3.50(WB.4), ZyWALL50 V3.50(WC.2), ZyWALL10 V3.50(WA.3)
sys hostname | | display system hostname
sys iface disp | | display iface list
sys log disp | | display error log
sys log clear | | clear error log
sys log online | [on|off] | turn the online display of the error log on/off
sys mbuf cnt | [disp|cl] | display or clear system mbuf count
sys mbuf link | | list system mbuf links
sys mbuf pool | [id] [type] | list system mbuf pool
sys mbuf status | | display system mbuf status
sys mbuf disp | <address> | display mbuf status
sys memutil usage | | display memory allocation and heap status
sys memutil mq | <address> <len> | display memory queues
sys memutil mcell | mid [f|u] | display memory cells by given ID
sys memutil msecs | | display memory sections
sys pro disp | | display all process information
sys pro stack | [TAG] | display a process's stack by a given TAG
sys pro ps | [TAG] | display a process's status by a given TAG
sys queue disp | [a|f|u] [start#] [end#] | display queues by given status and number range
sys queue ndisp | [#] | display a queue by a given number
sys quit | | quit CI command mode
sys reboot | [code] | reboot system; code 0: cold boot, 1: immediate boot, 2: bootModule debug mode
sys reslog | [disp|clear] | display resources trace
sys roadrun disp | <iface-name> | display RoadRunner information; iface-name: enif1 (WAN port)
sys roadrun debug | <level> | enable/disable RoadRunner service; 0: disable (default), 1: enable
sys roadrun restart | <iface-name> |
sys socket | | display system socket information
sys spt dump | [root|rn|user|slot] | dump spt raw data
sys spt size | | display spt record size
sys stdio | [second] | change terminal timeout value
sys syslog facility | <facility number> | set UNIX syslog server facility
sys syslog mode | [on|off] | enable/disable the syslog service
sys syslog server | <server ip> |
sys server | | remote management settings; refer to the knowledgebase for more info
sys server access | [telnet|ftp|web|icmp|snmp|dns] [0|1|2|3] | 0: ALL, 1: None, 2: LAN only, 3: WAN only
sys server display | | display current settings for remote management
sys server load | | before setup, you have to load the current parameters into runtime memory
sys server port | [telnet|ftp|web|icmp|snmp|dns] <port #> | specify the port number you want to change for a remote management service
sys server save | | save the parameters permanently
sys server secureip | [telnet|ftp|web|icmp|snmp|dns] <ip address> | specify the trusted IP address which can manage this router remotely
sys time | [hh] [mm] [ss] | set the current system time if the parameter is present
sys timer disp | [a|f|u] | display timer cells
sys trcdisp | | monitor packets
sys trcdisp brief | | online display of packet content, briefly
sys trcdisp parse | | online parse of packet content
sys trcl call | | display call events
sys trcl clear | | clear trace
sys trcl disp | | display trace log
sys trcl level | [#] | set trace level of trace log; #: 1-10
sys trcl online | [on|off] | set online trace log on/off
sys trcl switch | [on|off] | set system trace log
sys trcl type | <bitmap> | set trace type of trace log
sys trcp chann | <name> [none|incoming|outgoing|bothway] | set packet trace direction for a given channel; <name> = enet0, enet1
sys trcp create | <entry> <size> | create packet trace buffer
sys trcp destroy | | packet trace related commands
sys trcp disp | | display packet trace
sys trcp switch | [on|off] | turn the packet trace on/off
sys trcp udp | [sw|addr|port] | send packet trace to another system
sys trcp brief | | display packet content briefly
sys trcp parse | [[begin_idx], end_idx] | parse packet content
sys version | | display RAS code and driver version
sys view | <filename> | view a text file
sys wdog switch | [on|off] | set watchdog on/off
sys wdog cnt | <value> | display watchdog counts; value: 0-34463
sys rn load | | load parameters to buffer
sys rn mtu | <value> | change WAN port MTU size
sys rn save | | save changes
3. TCP/IP Protocol Commands
<hostid> format: xxx.xxx.xxx.xxx (IP address)
<ether addr> format: xx:xx:xx:xx:xx:xx
<iface>: enif0, enif1
<gw>: gateway IP address
Command | Parameters | Description
ip address | | display host IP address
ip arp add | <hostid> ether <ether addr> | add an ARP entry
ip arp drop | <hostid> [ether] | drop an ARP entry
ip arp flush | | flush the ARP table
ip arp publish | | add proxy ARP
ip arp status | | display IP ARP status
ip dhcp | <iface name> | set DHCP configuration
ip dhcp <iface name> server arpcount | <num> |
ip dhcp <iface name> server dnsserver | <dnsIP1> <dnsIP2> <dnsIP3> |
ip dhcp <iface name> server winsserver | <winsIP1> <winsIP2> <winsIP3> |
ip dhcp <iface name> server gateway | <gateway IP> |
ip dhcp <iface name> server hostname | <hostname> |
ip dhcp <iface name> server leasetime | <period> |
ip dhcp <iface name> server netmask | <netmask> |
ip dhcp <iface name> server pool | <start IP> <num> |
ip dhcp <iface name> server rebindtime | <period> |
ip dhcp <iface name> server renewaltime | <period> |
ip dhcp <iface name> server reset | |
ip dhcp <iface name> status | | display iface DHCP information; iface-name: enif1, enif0
ip dhcp <iface name> client release | | release DHCP client IP
ip dhcp <iface name> client renew | | renew DHCP client IP
ip dns table | | display DNS table
ip dns stats | [disp|clear] | display or clear DNS statistics
ip icmp echo | [on|off] | respond to ICMP echo requests
ip icmp status | | display ICMP statistic counters
ip icmp trace | [on|off] | turn trace on/off for debugging
ip icmp discovery | <iface name> [on|off] | turn ICMP router discovery responses on/off
ip ifconfig | | display ifconfig
ip nat iface <iface> disp | | display current NAT statistics
ip nat timeout generic | [seconds] | change the UDP NAT timeout; default is 180 seconds
ip nat timeout tcp | [seconds] | change the TCP connection phase timeout; default is 270 seconds
ip nat timeout tcpother | [seconds] | change the TCP data phase timeout; default is 9000 seconds
ip nat loopback | [on|off] | enable/disable LAN users reaching an internal server on the LAN via its Internet IP. Since ZyNOS 3.50(WA.2)
ip nat service irc | [on|off] | switch support for IRC connection pass-through on the router. Since ZyWALL10 3.50(WA.3)
ip nat incike | [on|off] | increase the IKE port number for multiple IPSec pass-through to a Cisco Access Concentrator
ip ping | <hostid> | ping remote host
ip rip dialin_user | [show|in|out|both|none] | set sending RIP to remote dial-in user
ip rip merge | [on|off] | RIP merging
ip rip mode | <iface> [in|out] [mode] | mode: 0 - 3
ip rip status | | display RIP statistic counters
ip route add | <dest addr>[/<bits>] <gateway> [<metric>] | add a route
ip route addprivate | | add a private route
ip route drop | <host address> [/bits] | drop a route
ip route errcnt | [disp|clear] | display/clear routing statistic counters
ip route flush | | flush the route table
ip route status | | display the routing table
ip status | | display IP statistic counters
ip tcp status | | display TCP statistic counters
ip udp status | |
ip urlfilter customize actionFlags act5 | [enable|disable] | enable it to parse the full URL string for keyword blocking. Since V3.52
ip urlfilter customize actionFlags act6 | [enable|disable] | enable it so that keyword blocking is case insensitive. Since V3.52
4. Ethernet Debug Commands
<ch-name>: enet0, enet1
Command | Parameters | Description
ether config | | display Ethernet driver configuration information
ether driver cnt disp | <ch-name> | display Ethernet driver counters
ether driver cnt clear | <ch-name> | ch-name: enet0, enet1
ether driver reg | | display LAN hardware related registers
ether driver status | <ch-name> | ch-name: enet0, enet1
ether driver rxmod | <mode> | set LAN receive mode; mode 1: turn off receiving, 2: receive only packets of this interface, 3: mode 2 + broadcast, 5: mode 2 + multicast, 6: all packets
ether debug | | display Ethernet debug information
ether debug disp | <ch-name> | display Ethernet debug information
ether debug level | <ch-name> <level> | set the Ethernet debug level; level 0: disable debug log, level 1: enable debug log (default)
ether edit load | 1 | load the parameters to buffer
ether edit mtu | <value> | change LAN port MTU size
ether edit save | | save changes
ether pkttest arp | [ip-addr] | send an ARP request
ether pkttest disp event | [ch-name] [on|off] | enable packet test event trace
ether pkttest disp packet | [1|2|3] | packet test display level
ether pkttest sap | | send an SAP packet
ether version | | display driver version
5. Firewall Related CI Commands
The value for <set#> can be 1 to 9. Please note that only the ZyWALL100 has a DMZ port, so if your device is a ZyWALL 1/10/50, please ignore sets 3, 4, 5, 6 and 9.
Set No. | Interface Direction
Set 1 | LAN to WAN
Set 2 | WAN to LAN
Set 3 | DMZ to LAN
Set 4 | DMZ to WAN
Set 5 | WAN to DMZ
Set 6 | LAN to DMZ
Set 7 | LAN to LAN/ZyWALL
Set 8 | WAN to WAN/ZyWALL
Set 9 | DMZ to DMZ/ZyWALL
The value for <rule#> runs from 1 to 10, i.e. 10 rules in total per set.
Command | Parameters | Description
config edit firewall active | <yes|no> | Activate or deactivate the saved firewall settings
config retrieve firewall | | Retrieve the currently saved firewall settings
config save firewall | | Save the current firewall settings
config display firewall | | Display all the firewall settings
config display firewall set | <set#> | Display the current entries of a set configuration, including timeout values, name, default-permit, and the number of rules in the set
config display firewall set <set#> rule | <rule#> | Display the current entries of a rule in a set
config display firewall attack | | Display all the attack alert settings in PNC
config display firewall e-mail | | Display all the e-mail settings in PNC
config display firewall ? | | Display all the available sub commands
config edit firewall e-mail mail-server | <mail server IP> | Edit the mail server IP used to send the alert
config edit firewall e-mail return-addr | <e-mail address> | Edit the return address of an e-mail alert
config edit firewall e-mail e-mail-to | <e-mail address> | Edit the mail address the alert is sent to
config edit firewall e-mail policy | <full|hourly|daily|weekly> | Edit the e-mail schedule: when the log is full, or per hour, day or week
config edit firewall e-mail day | <sunday|monday|tuesday|wednesday|thursday|friday|saturday> | Edit the day to send the log when the e-mail policy is set to weekly
config edit firewall e-mail hour | <0~23> | Edit the hour to send the log when the e-mail policy is set to daily or weekly
config edit firewall e-mail minute | <0~59> | Edit the minute to send the log when the e-mail policy is set to daily or weekly
config edit firewall attack send-alert | <yes|no> | Activate or deactivate the firewall DoS attack notification e-mails
config edit firewall attack block | <yes|no> | Yes: block the traffic when the tcp-max-incomplete threshold is exceeded. No: delete the oldest half-open session when the tcp-max-incomplete threshold is exceeded
config edit firewall attack block-minute | <0~255> | Only valid when 'block' is set to yes. The unit is minutes
config edit firewall attack minute-high | <0~255> | The threshold at which the firewall starts deleting old half-open sessions, continuing until minute-low is reached
config edit firewall attack minute-low | <0~255> | The threshold at which the firewall stops deleting old half-open sessions
config edit firewall attack max-incomplete-high | <0~255> | The threshold at which the firewall starts deleting old half-open sessions, continuing until max-incomplete-low is reached
config edit firewall attack max-incomplete-low | <0~255> | The threshold at which the firewall stops deleting half-open sessions
config edit firewall attack tcp-max-incomplete | <0~255> | The threshold at which the 'block' field takes effect
config edit firewall set <set#> name | <desired name> | Edit the name of a set
config edit firewall set <set#> default-permit | <forward|block> | Edit whether a packet is dropped or allowed when it does not match any rule in the set
config edit firewall set <set#> icmp-timeout | <seconds> | Edit the timeout after which an idle ICMP session is terminated
config edit firewall set <set#> udp-idle-timeout | <seconds> | Edit the timeout after which an idle UDP session is terminated
config edit firewall set <set#> connection-timeout | <seconds> | Edit the wait time for a SYN TCP session before it is terminated
config edit firewall set <set#> fin-wait-timeout | <seconds> | Edit the wait time for the FIN concluding a TCP session before it is terminated
config edit firewall set <set#> tcp-idle-timeout | <seconds> | Edit the timeout after which an idle TCP session is terminated
config edit firewall set <set#> pnc | <yes|no> | PNC is allowed when set to 'yes', even if there is a rule to block PNC
config edit firewall set <set#> log | <yes|no> | Switch on/off sending a log when the default permit matches
config edit firewall set <set#> rule <rule#> permit | <forward|block> | Edit whether a packet is dropped or allowed when it matches this rule
config edit firewall set <set#> rule <rule#> active | <yes|no> | Edit whether a rule is enabled or not
config edit firewall set <set#> rule <rule#> protocol | <0~255> | Edit the protocol number for a rule: 1=ICMP, 6=TCP, 17=UDP, ...
config edit firewall set <set#> rule <rule#> log | <none|match|not-match|both> | Send a log for a rule when the packet matches, does not match, or both (none disables logging for the rule)
config edit firewall set <set#> rule <rule#> alert | <yes|no> | Activate or deactivate the notification when a DoS attack occurs or any alert setting is violated. In such cases the function sends an e-mail to the SMTP destination address and logs an alert
config edit firewall set <set#> rule <rule#> srcaddr-single | <ip address> | Select and edit a source address that a packet must match for this rule
config edit firewall set <set#> rule <rule#> srcaddr-subnet | <ip address> <subnet mask> | Select and edit a source address and subnet mask that a packet must match for this rule
config edit firewall set <set#> rule <rule#> srcaddr-range | <start ip address> <end ip address> | Select and edit a source address range that a packet must match for this rule
config edit firewall set <set#> rule <rule#> destaddr-single | <ip address> | Select and edit a destination address that a packet must match for this rule
config edit firewall set <set#> rule <rule#> destaddr-subnet | <ip address> <subnet mask> | Select and edit a destination address and subnet mask that a packet must match for this rule
config edit firewall set <set#> rule <rule#> destaddr-range | <start ip address> <end ip address> | Select and edit a destination address range that a packet must match for this rule
config edit firewall set <set#> rule <rule#> tcp destport-single | <port#> | Select and edit the TCP destination port that a packet must match for this rule. For non-consecutive port numbers, repeat this command to enter multiple port numbers
config edit firewall set <set#> rule <rule#> tcp destport-range | <start port#> <end port#> | Select and edit a TCP destination port range that a packet must match for this rule
config edit firewall set <set#> rule <rule#> udp destport-single | <port#> | Select and edit the UDP destination port that a packet must match for this rule. For non-consecutive port numbers, repeat this command to enter multiple port numbers
config edit firewall set <set#> rule <rule#> udp destport-range | <start port#> <end port#> | Select and edit a UDP destination port range that a packet must match for this rule
config edit firewall set <set#> rule <rule#> desport-custom | <desired custom port name> | Type in the desired custom port name
config delete firewall e-mail | | Remove all e-mail alert settings
config delete firewall attack | | Reset all alert settings to defaults
config delete firewall set | <set#> | Remove a specified set from the firewall configuration
config delete firewall set <set#> rule | <rule#> | Remove a specified rule in a set from the firewall configuration
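The interplay of the 'config edit firewall attack' fields (block, block-minute, minute-high/low, max-incomplete-high/low, tcp-max-incomplete) is easier to reason about as a small model. The Python below is an added illustration written for this page, not ZyNOS code; it assumes that minute-high/minute-low count half-open sessions opened within the last 60 seconds, that tcp-max-incomplete is counted per destination host, and that a blocked destination stays blocked for block-minute minutes, none of which the command list itself spells out.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass
class AttackSettings:
    """The 'config edit firewall attack ...' fields listed above (defaults assumed)."""
    block: bool = False               # block <yes|no>
    block_minute: int = 1             # block-minute <0~255>, used only when block is yes
    minute_high: int = 100            # minute-high <0~255>
    minute_low: int = 80              # minute-low <0~255>
    max_incomplete_high: int = 100    # max-incomplete-high <0~255>
    max_incomplete_low: int = 80      # max-incomplete-low <0~255>
    tcp_max_incomplete: int = 10      # tcp-max-incomplete <0~255>


@dataclass
class HalfOpenTable:
    """Half-open sessions (SYN seen, handshake not completed), oldest first."""
    cfg: AttackSettings
    sessions: deque = field(default_factory=deque)     # entries are (time, dst)
    blocked_until: dict = field(default_factory=dict)  # dst -> time the block expires
    deleted: int = 0    # half-open sessions dropped by the defender
    rejected: int = 0   # SYNs refused because their destination is blocked

    def rate_last_minute(self, now):
        # Assumption: minute-high/minute-low count sessions opened in the last 60 s.
        return sum(1 for ts, _ in self.sessions if now - ts < 60)

    def _drop_oldest(self, dst=None):
        for entry in self.sessions:               # deque preserves age order
            if dst is None or entry[1] == dst:    # optionally only sessions to dst
                self.sessions.remove(entry)
                return True
        return False

    def _purge(self, dst=None):
        if self._drop_oldest(dst):
            self.deleted += 1

    def on_established(self, dst):
        """Handshake completed: the oldest pending session to dst is no longer half-open."""
        self._drop_oldest(dst)

    def on_syn(self, now, dst):
        """Process a SYN for dst at time `now` (seconds); returns 'accept' or 'blocked'."""
        if self.blocked_until.get(dst, 0) > now:
            self.rejected += 1
            return "blocked"
        self.sessions.append((now, dst))
        per_dst = sum(1 for _, d in self.sessions if d == dst)
        if per_dst > self.cfg.tcp_max_incomplete:
            if self.cfg.block:  # block yes: refuse traffic to dst for block-minute minutes
                self.sessions.pop()
                self.blocked_until[dst] = now + 60 * self.cfg.block_minute
                self.rejected += 1
                return "blocked"
            self._purge(dst)    # block no: delete the oldest half-open session to dst
        # Global thresholds with hysteresis: once a *-high value is crossed, keep
        # deleting the oldest sessions until the table is back at the *-low value.
        if (len(self.sessions) > self.cfg.max_incomplete_high
                or self.rate_last_minute(now) > self.cfg.minute_high):
            while self.sessions and (len(self.sessions) > self.cfg.max_incomplete_low
                                     or self.rate_last_minute(now) > self.cfg.minute_low):
                self._purge()
        return "accept"
```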
6. IPSec Related CI Commands
NOTE: A mark with "*" means this command is product dependent.
Command | Parameters | Description
ipsec debug | <1|0> | turn trace for IPSec debug information on/off
ipsec dial | <rule #> | initiate IPSec rule <#> from the ZyWALL. Since 3.50(WA.3)
ipsec display | <rule #> | display the configuration of VPN rule <#>
ipsec ipsec_log_disp | | show the IPSec log, same as menu 27.3
ipsec route *dmz | <on|off> | after a packet has been IPSec processed and is to be sent to the DMZ side, this switch controls whether IPSec can be applied to it again. Only available on the ZyWALL100
ipsec route lan | <on|off> | after a packet has been IPSec processed and is to be sent to the LAN side, this switch controls whether IPSec can be applied to it again. Since 3.50(WA.3)
ipsec route wan | <on|off> | after a packet has been IPSec processed and is to be sent to the WAN side, this switch controls whether IPSec can be applied to it again. Since 3.50(WA.3)
ipsec show_runtime sa | | display runtime phase 1 and phase 2 SA information
ipsec show_runtime spd | | when a dynamic rule accepts a request and a tunnel is established, a runtime SPD is created according to the peer's local IP address; this command shows these runtime SPDs
ipsec switch | <on|off> | as long as at least one active IPSec rule exists, all packets pass through the IPSec process to check the SPD; this switch controls whether a packet does so. If it is turned on, packets do not run the IPSec process even when active IPSec rules exist
ipsec timer chk_my_ip | <1~3600> | adjust the timer that checks whether the WAN IP in the menu has changed; the interval is in seconds, the default is 10 seconds, 0 is not a valid value
ipsec timer chk_conn | <0~255> | adjust the auto-timer that checks whether an IPSec connection has carried no traffic for a certain period; if so, the system disconnects it. The interval is in minutes, the default is 2 minutes, 0 means never time out
ipsec timer update_peer | <5~255> | adjust the auto-timer that updates IPSec rules which use a domain name as the secure gateway IP; the interval is in minutes, the default is 30 minutes, the minimum is 5 minutes. Since 3.50(WA.3)
ipsec updatePeerIp | | force the system to update IPSec rules which use a domain name as the secure gateway IP right away. Since 3.50(WA.3)
ipsec *remote *key | <string> | add a secured remote access tunnel with a pre-shared key. It is a dynamic rule with local: the router's WAN IP. Its algorithms are fixed to phase 1: DES+MD5, DH1 and SA lifetime 28800 seconds; phase 2: DES+MD5, PFS off, no anti-replay and SA lifetime 28800 seconds. The length of the pre-shared key is between 8 and 31 ASCII characters. Only available on the ZyWALL1
ipsec *remote *switch | <on|off> | activate or deactivate the secured remote access tunnel
7. PPP Related CI Commands
Command | Parameters | Description
ppp lcp echo time | <sec> | specify the time interval the router waits before a PPP LCP echo request times out; the default is 10 seconds, 0 disables this check
ppp lcp echo retry | <#> | specify the number of retries before the router judges that the WAN port has failed
All contents copyright (c) 2000 ZyXEL Communications Corporation.