ZyNOS CI Command List
Das ist eine Kopie von der Zyxel-Homepage (http://www.zyxel.com/support/supportnote/zywall/ci_cmd/zywall_ci.htm) vom 4. November 2004. Ich stelle sie hier nur für den Fall zur Verfügung, dass die Zyxel-Homepage gerade nicht online ist oder das Dokument gerade nicht zur Verfügung steht. Dieses Dokument versteht sich als Ergänzung zu meinen Zyxel ZyWALL Tips und Tricks
CI Command Reference
- System Related Commands
- TCP/IP Protocol Commands
- Ethernet Debug Commands
- Firewall Related CI Commands
- IPSec Related CI Commands
- PPP Related CI Commands
1. Command Syntax and General User Interface
CI has the following command syntax:
command <iface | device>
subcommand [param]
command subcommand [param]
command ? | help
command subcommand ? | help
General user interface:
|
1. |
? | Shows the following commands and all major (sub)commands |
|
2. |
exit | Returns to SMT |
[ch-name]: enet0, enet1
NOTE: A mark with “ * “ means this command is product dependent.
| sys | |||||
| adjtime | to calibrate system time with NTP server immediately | ||||
| baud | <1|2|3|4|5> | change console speed if parameter present 1: 38400 bps 2: 19200 bps 3: 9600 bps 4: 57600 bps 5: 115200 bps |
|||
| callhist | |||||
| add | <name> <dir> <rate> <uptime> | Add the call history | |||
| display | display the call history | ||||
| remove | <index> | remove call history | |||
| cbuf | |||||
| cnt | disp | display cbuf static | |||
| clear | clear cbuf static | ||||
| disp | [a|f|u] | display cbuf a: all f: free u: used | |||
| cmgr | |||||
| cnt | [ch-name] | display call related counter | |||
| data | display phone number related data | ||||
| trace | [display|clear] [ch-name] | display call related event | |||
| country | <country code> | set country code | |||
| cpu | disp | display CPU utilization | |||
| date | <yyyy> <mm> <dd> | Change current date if parameter present | |||
| dir | display file directory | ||||
| edit | <filename> | edit a text file | |||
| errctl | [level] | set the error control level 0:crash no save,not in debug mode (default) 1:crash no save,in debug mode 2:crash save,not in debug mode 3:crash save,in debug mode |
|||
| event | |||||
| display | display tag flags information | ||||
| trace | [display|clear] | display system event information | |||
| extraphnum | |||||
| add | <set 1-3> <1st phone number> [2nd phone number] | add extra phone number | |||
| display | display extra phone number | ||||
| node | map the extra phone number for remote node n | ||||
| remove | remove the extra phone number for remote node n | ||||
| reset | reset the extra phone number | ||||
| feature | display feature bit | ||||
| fid | display | display function id list | |||
| filter | |||||
| disp | display filter statistic counters | ||||
| clear | clear filter statistic counter | ||||
| sw | [on|off] | switch on|off filter counter | |||
| netbios | |||||
| disp | display all directions of NetBIOS filter status (LAN to WAN, WAN to LAN, ...etc) | ||||
| config <type 0-7> [on|off] | Type Direction
Default =========================== 0 LAN to WAN Forward 1 WAN to LAN Forward 2 LAN to DMZ Forward 3 WAN to DMZ Forward 4 DMZ to LAN Forward 5 DMZ to WAN Forward 6 IPSec pass through Forward 7 Trigger dial Disabled Note: Only ZyWALL100 has DMZ port. So type 2, 3, 4, 5 are only available in ZyWALL100. |
||||
| firewall | |||||
| acl | |||||
| clear | clear firewall counter | ||||
| cnt clear | clear firewall counter | ||||
| cnt display | display firewall counter | ||||
| display | display firewall log | ||||
| dynamicrule | display firewall dynamic acl rule usage | ||||
| icmp | |||||
| block_co | set block icmp packet with type 3 code 3 | ||||
| display | display current code status | ||||
| online | display firewall log online | ||||
| pktdump | dump the 64 bytes of packets dropped by firewall | ||||
| tcprst | |||||
| rst | set sending tcp rst when reject a tcp connection except port 1 | ||||
| rst113 | set sending tcp rst when reject a tcp connection on tcp port 113 | ||||
| display | display current tcp reset status | ||||
| update | update firewall rule | ||||
| dos | |||||
| smtp [on|off] | to turn on or off smtp defender | ||||
| display | to display smtp defender status | ||||
| ignore | |||||
| triangle all [on|off] | Allow triangle route network
topology. Check release note for more info. Available since ZyWALL100 V3.50(WB.6) ZyWALL50 V3.52 ZyWALL10 V3.50(WA.5) |
||||
| dos <lan|wan|dmz*> [on|off] | Bypass DoS checking from
LAN/WAN/DMZ. Default value is off. Available
since ZyWALL100 V3.50(WB.4) ZyWALL50 V3.50(WC.2) ZyWALL10 V3.50(WA.3) |
||||
| hostname | display system hostname | ||||
| iface | disp | display iface list | |||
| log | |||||
| disp | display log error | ||||
| clear | clear log error | ||||
| online | [on|off] | turn on/off error log online display | |||
| mbuf | |||||
| cnt | [disp|cl] | display or clear system mbuf count | |||
| link | link | list system mbuf link | |||
| pool | [id] [type] | list system mbuf pool | |||
| status | display system mbuf status | ||||
| . | . | disp | <address> | display mbuf status | |
| memutil | |||||
| usage | display memory allocate and heap status | ||||
| mq | <address> <len> | display memory queues | |||
| mcell | mid [f|u] | display memory cells by given ID | |||
| msecs | display memory sections | ||||
| pro | |||||
| disp | display all process information | ||||
| stack | [TAG] | display process's stack by a give TAG | |||
| ps | [TAG] | display process's status by a give TAG | |||
| queue | |||||
| disp | [a|f|u] [start#] [end#] | display queue by given status and range numbers | |||
| ndisp | [#] | display a queue by a given number | |||
| quit | quit CI command mode | ||||
| reboot | [code] | reboot system code =0 cold boot, =1 immediately boot = 2 bootModule debug mode |
|||
| reslog | [disp|clear] | display resources trace | |||
| . | roadrun | disp | <iface-name> | display roadrunner information iface-name: enif1 (WAN port) |
|
| . | . | debug | <level> | enable/disable roadrunner service 0: disable <default> 1: enable |
|
| . | . | restart | <iface-name> | . | |
| socket | display system socket information | ||||
| spt | dump | [root|rn|user|slot] | dump spt raw data | ||
| size | display spt record size | ||||
| stdio | [second] | change terminal timeout value | |||
| syslog | |||||
| facility | <facility number> | set UNIX syslog server facility | |||
| mode | [on|off] | enable/disable the syslog service | |||
| server | <server ip> | ||||
| server | Refer to knowledgebase for more info. | ||||
| access | [telnet|ftp|web|icmp|snmp|dns] | [0|1|2|3] | 0: ALL, 1: None, 2:LAN only, 3:WAN only | ||
| display | display current setting for remote management | ||||
| load | before setup, you have to load current parameters into runtime memory | ||||
| port | [telnet|ftp|web|icmp|snmp|dns] | <port #> | specify the port number you want to change for remote management service. | ||
| save | save the parameters permanently. | ||||
| secureip | [telnet|ftp|web|icmp|snmp|dns] | <ip address> | specify the trusted IP address which can manage this router remotely. | ||
| time | [hh] [mm] [ss] | set the current system time if the parameter present | |||
| timer | |||||
| disp | [a|f|u] | display timer cell | |||
| trcdisp | monitor packets | ||||
| . | . | brief | . | online display packet content briefly | |
| . | . | parse | . | online parse packet content | |
| trcl | |||||
| call | display call event | ||||
| clear | clear trace | ||||
| disp | display trace log | ||||
| level | [#] | set trace level of trace log #:1-10 | |||
| online | [on|off] | set on/off trace log online | |||
| switch | [on|off] | set system trace log | |||
| type | <bitmap> | set trace type of trace log | |||
| trcp | |||||
| chann | <name> [none|incoming|outgoing|bothway] | <name>=enet0,enet1 set packet trace direction for a given channel |
|||
| create | <entry> <size> | create packet trace buffer | |||
| destroy | packet trace related commands | ||||
| disp | display packet trace | ||||
| switch | [on|off] | turn on/off the packet trace | |||
| udp | [sw|addr|port] | send packet trace to other system | |||
| . | . | brief | . | display packet content briefly | |
| . | . | parse | [[begin_idx], end_idx] | parse packet content | |
| version | display RAS code and driver version | ||||
| wdog | <filename> | view a text file | |||
| switch | [on|off] | set on/off wdog | |||
| cnt | <value> | display watchdog counts value: 0-34463 | |||
| rn | load | load parameter to buffer | |||
| mtu | <value> | change WAN port MTU size | |||
| save | save change. | ||||
<hostid> format : xxx.xxx.xxx.xxx (ip Address)
<ether addr> format : xx:xx:xx:xx:xx:xx
<iface> : enif0, enif1
<gw> : gateway ip address
| ip | address | display host ip address | ||
| arp | ||||
| add | <hostid> ether <ether addr> | add arp | ||
| drop | <hostid> [ether] | drop arp | ||
| flush | flush arp | |||
| publish | . | add proxy arp | ||
| . | . | status | display ip arp status | |
| . | dhcp | <iface name>. | . | set dhcp configuration |
| . | . | server | arpcount | <num> |
| . | . | .. | dnsserver | <dnsIP1> <dnsIP2> <dnsIP3> |
| winsserver | <winsIP1> <winsIP2> <winsIP3> | |||
| . | . | . | gateway | <gateway IP> |
| . | . | .. | hostname | <hostname> |
| . | . | . | leasetime | <period> |
| . | . | .. | netmask | <netmask> |
| . | . | . | pool | <start IP> <num> |
| . | . | .. | rebindtime | <period> |
| . | . | . | renewaltime | <period> |
| . | . | .. | reset | . |
| . | . | status | .. | display iface DHCP information iface-name: enif1, enif0. |
| . | . | client | release | release DHCP client IP |
| . | .. | .. | renew | renew DHCP client IP |
| . | dns | . | . | . |
| . | . | table | . | display dns table |
| . | . | stats | [disp|clear] | display or clear dns statistics |
| . | icmp | . | . | . |
| . | . | echo | [on|off] | response for ICMP echo request |
| . | .. | status | . | display icmp statistic counter |
| . | . | trace | [on|off] | turn on/off trace for debugging |
| . | . | discovery | <iface name> [on|off] | turn on|off icmp router discovery response |
| . | ifconfig | . | . | display ifconfig |
| . | nat | iface <iface> | disp | display current NAT statistics |
| . | . | timeout | generic [seconds] | change UDP NAT timeout time, default is 180 seconds |
| . | .. | timeout | tcp [seconds] | change TCP connection phase timeout time, default is 270 seconds |
| . | . | timeout | tcpother [seconds] | change TCP data phase timeout time, default is 9000 seconds |
| . | loopback | [on|off] | Enable/disable LAN user to use Internet IP to
access internal server on the LAN Since ZyNOS 3.50(WA.2) |
|
| service | irc [on|off] | switch to support IRC connection pass-through
router Since ZyWALL10 3.50(WA.3) |
||
| incike | [on|off] | Increase IKE port number for multiple IPSec pass-through to Cisco Access Concentrator. | ||
| . | ping | . | <hostid> | ping remote host |
| .. | rip | . | . | . |
| . | .. | dialin_user | [show|in|out|both|none] | set sending RIP to remote dial-in user |
| . | .. | merge | [on|off] | RIP merging |
| . | . | mode | <iface> [in|out] [mode] | mode: 0 - 3 |
| . | . | status | . | display rip statistic counters |
| . | route | . | . | . |
| . | . | add | <dest addr>[/<bits>] <gateway> [<metric>] | add route |
| . | . | addprivate | . | add private route |
| . | . | drop | <host address> [/bits] | drop a route |
| . | . | errcnt | [disp|clear] | display|clear routing statistic counters |
| . | . | flush | . | flush route table |
| .. | .. | status | . | display routing table |
| .. | status | . | display ip statistic counters | |
| .. | tcp | . | . | . |
| . | . | status | . | display TCP statistic counters |
| . | udp | status | ||
| urlfilter | customize | actionFlags act5 [enable|disable] | enable it to parse full URL string
for key word blocking. Since V3.52 |
|
| urlfilter | customize | actionFlags act6 [enable|disable] | enable
it so that key word blocking can be
case insensitive Since V3.52 |
<ch-name> : enet0, enet1
| ether | ||||
| config | display Ethernet driver configuration information | |||
| driver | ||||
| cnt | disp <ch-name> | display ether driver counters | ||
| clear <ch-name> | ch-name: enet0, enet1 | |||
| . | . | reg | . | display LAN hardware related registers |
| . | . | status | <ch-name> | ch-name: enet0, enet1 |
| . | . | rxmod | <mode> | set LAN receive mode. mode: 1: turn off receiving 2: receive only packets of this interface 3: mode 2+ broadcast 5: mode 2 + multicast 6: all packets |
| . | debug | . | . | display Ethernet debug information |
| . | . | disp | <ch-name> | display Ethernet debug information |
| . | . | level | <ch-name> <level> | set the Ethernet debug level level 0: disable debug log level 1: enable debug log (default) |
| edit | load | 1 | load the parameter to buffer | |
| edit | mtu | <value> | change LAN port MTU size. | |
| edit | save | save change | ||
| pkttest | ||||
| arp | [ip-addr] | send an arp request | ||
| disp event | [ch-name] [on|off] | enable packet test event trace | ||
| disp packet | [1|2|3] | packet test display level | ||
| sap | send an sap packet | |||
| version | display driver version |
The value for <set#> can be 1 to 9. Please note that only
ZyWALL100 has DMZ port, so if your device is ZyWALL 1/10/50, please ignore set
3, 4, 5, 6, 9.
Set No. Interface Direction
----------------------------------------------------
Set 1 LAN to WAN
Set 2 WAN to LAN
Set 3 DMZ to LAN
Set 4 DMZ to WAN
Set 5 WAN to DMZ
Set 6 LAN to DMZ
Set 7 LAN to LAN/ZyWALL
Set 8 WAN to WAN/ZyWALL
Set 9 DMZ to DMZ/ZyWALL
----------------------------------------------------
The value for <rule #> starts from 1 to 10, i.e., 10 rules in total for a set
| config | ||||||
| edit | firewall | active <yes|no> | Activate or deactivate the saved firewall settings | |||
| retrieve | firewall | Retrieve current saved firewall settings | ||||
| save | firewall | Save the current firewall settings | ||||
| display | firewall | Displays all the firewall settings | ||||
| . | . | set <set#> | Display current entries of a set configuration; including timeout values, name, default-permit, and number of rules in the set. | |||
| . | . | set <set#> | rule <rule#> | Display current entries of a rule in a set. | ||
| . | . | attack | Display all the attack alert settings in PNC | |||
| . | Display all the e-mail settings in PNC | |||||
| . | . | ? | Display all the available sub commands | |||
| . | . | mail-server <mail server IP> | Edit the mail server IP to send the alert | |||
| return-addr <e-mail address> | Edit the mail address for returning an email alert | |||||
| e-mail-to <e-mail address> | Edit the mail address to send the alert | |||||
| policy <full | hourly |daily | weekly> | Edit email schedule when log is full or per hour, day, week. | |||||
| day <sunday | monday | tuesday | wednesday | thursday | friday | saturday> | Edit the day to send the log when the email policy is set to Weekly | |||||
| hour <0~23> | Edit the hour to send the log when the email policy is set to daily or weekly | |||||
| minute <0~59> | Edit the minute to send to log when the email policy is set to daily or weekly | |||||
| attack | send-alert <yes|no> | Activate or deactivate the firewall DoS attacks notification emails | ||||
| block <yes|no> | Yes: Block the traffic when exceeds the tcp-max-incomplete
threshold No: Delete the oldest half-open session when exceeds the tcp-max-incomplete threshold |
|||||
| block-minute <0~255> | Only valid when sets 'Block' to yes. The unit is minute | |||||
| minute-high <0~255> | The threshold to start to delete the old half-opened sessions to minute-low | |||||
| minute-low <0~255> | The threshold to stop deleting the old half-opened session | |||||
| max-incomplete-high <0~255> | The threshold to start to delete the old half-opened sessions to max-incomplete-low | |||||
| max-incomplete-low <0~255> | The threshold to stop deleting the half-opened session | |||||
| tcp-max-incomplete <0~255> | The threshold to start executing the block field | |||||
| set <set#> | name <desired name> | Edit the name for a set | ||||
| default-permit <forward|block> | Edit whether a packet is dropped or allowed when it does not match the default set | |||||
| icmp-timeout <seconds> | Edit the timeout for an idle ICMP session before it is terminated | |||||
| udp-idle-timeout <seconds> | Edit the timeout for an idle UDP session before it is terminated | |||||
| connection-timeout <seconds> | Edit the wait time for the SYN TCP sessions before it is terminated | |||||
| fin-wait-timeout <seconds> | Edit the wait time for FIN in concluding a TCP session before it is terminated | |||||
| tcp-idle-timeout <seconds> | Edit the timeout for an idle TCP session before it is terminated | |||||
| pnc <yes|no> | PNC is allowed when 'yes' is set even there is a rule to block PNC | |||||
| log <yes|no> | Switch on/off sending the log for matching the default permit | |||||
| rule <rule#> | permit <forward|block> | Edit whether a packet is dropped or allowed when it matches this rule | ||||
| active <yes|no> | Edit whether a rule is enabled or not | |||||
| protocol <0~255> | Edit the protocol number for a rule. 1=ICMP, 6=TCP, 17=UDP... | |||||
| log <none|match|not-match|both> | Sending a log for a rule when the packet none|matches|not match|both the rule | |||||
| alert <yes|no> | Activate or deactivate the notification when a DoS attack occurs or there is a violation of any alert settings. In case of such instances, the function will send an email to the SMTP destination address and log an alert. | |||||
| srcaddr-single <ip address> | Select and edit a source address of a packet which complies to this rule | |||||
| srcaddr-subnet <ip address> <subnet mask> | Select and edit a source address and subnet mask if a packet which complies to this rule. | |||||
| srcaddr-range <start ip address> <end ip address> | Select and edit a source address range of a packet which complies to this rule. | |||||
| destaddr-single <ip address> | Select and edit a destination address of a packet which complies to this rule | |||||
| destaddr-subnet <ip address> <subnet mask> | Select and edit a destination address and subnet mask if a packet which complies to this rule. | |||||
| destaddr-range <start ip address> <end ip address> | Select and edit a destination address range of a packet which complies to this rule. | |||||
| tcp destport-single <port#> | Select and edit the destination port of a packet which comply to this rule. For non-consecutive port numbers, the user may repeat this command line to enter the multiple port numbers. | |||||
| tcp destport-range <start port#> <end port#> | Select and edit a destination port range of a packet which comply to this rule. | |||||
| udp destport-single <port#> | Select and edit the destination port of a packet which comply to this rule. For non-consecutive port numbers, users may repeat this command line to enter the multiple port numbers. | |||||
| udp destport-range <start port#> <end port#> | Select and edit a destination port range of a packet which comply to this rule. | |||||
| desport-custom <desired custom port name> | Type in the desired custom port name | |||||
| delete | firewall | Remove all email alert settings | ||||
| attack | Reset all alert settings to defaults | |||||
| set <set#> | Remove a specified set from the firewall configuration | |||||
| set <set#> | rule <rule#> | Remove a specified rule in a set from the firewall configuration | ||||
NOTE: A mark with "*" means this command is product dependent.
| ipsec | . | . | . | . |
| . | debug | <1|0> | . | turn on|off trace for IPsec debug information |
| . | dial | <rule #> | .. | Initiate IPSec rule <#> from ZyWALL box Since 3.50(WA.3) |
| display | <rule #> | Display configuration of VPN rule <#> | ||
| . | ipsec_log_disp | . | . | show IPSec log, same as menu 27.3 |
| . | route | *dmz | <on|off> | After a packet is IPSec processed and will be
sent to DMZ side, this switch is to control if this packet can be applied IPSec again. Only available in ZyWALL100 |
| . | . | lan | <on|off> | After a packet is IPSec processed and will be
sent to LAN side, this switch is to control if this packet can be applied IPSec again. Since 3.50(WA.3) |
| . | . | wan | <on|off> | After a packet is IPSec processed and will be
sent to WAN side, this switch is to control if this packet can be applied IPSec again. Since 3.50(WA.3) |
| .. | show_runtime | sa | . | display runtime phase 1 and phase 2 SA information |
| . | ... | spd | .. | When a dynamic rule accepts a request and a tunnel is established, a runtime SPD is created according to peer local IP address. This command is to show these runtime SPD. |
| ... | switch | <on|off> | . | As long as there exists one active IPSec rule, all packets will run into IPSec process to check SPD. This switch is to control if a packet should do this. If it is turned on, even there exists active IPSec rules, packets will not run IPSec process. |
| . | timer | chk_my_ip | <1~3600> | - Adjust timer to check if WAN IP in menu is
changed - Interval is in seconds - Default is 10 seconds - 0 is not a valid value |
| .. | .. | chk_conn. | <0~255> | - Adjust auto-timer to check if any IPsec
connection has no traffic for certain period. If yes, system will disconnect it. - Interval is in minutes - Default is 2 minuets - 0 means never timeout |
| . | .. | update_peer | <5~255> | - Adjust auto-timer to update IPSec rules which
use domain name as the secure gateway IP. - Interval is in minutes - Default is 30 minutes - minimum value is 5 minutes Since 3.50(WA.3) |
| . | updatePeerIp | .... | .. | Force system to update IPSec rules which use
domain name as the secure gateway IP right away. Since 3.50(WA.3) |
| . | *remote | *key | <string> | Add
a secured remote access tunnel with pre-shared key. It is a dynamic rule with local: the
route's WAN IP. The algorithms with it are fixed to phase1: DES+MD5, DH1 and SA
lifetime 28800 seconds; phase2: DES+MD5, PFS off, no anti-replay and SA lifetime 28800
seconds. The length of pre-shared key is between 8 to 31 ASCII characters. Only available in ZyWALL1. |
| . | *switch | <on|off> | Activate or de-activate the secured remote access tunnel. |
| ppp | lcp | echo | time <sec> | Specify the time interval that the router will wait for ppp lcp echo request time out. Default value is 10 seconds. 0 to disable this checking. |
| retry <#> | Specify the number of retrial times before the router judge that WAN port fails. |
All contents copyright (c) 2000 ZyXEL Communications Corporation.