Firewall

  Policy for handling of all IPv4 ICMP echo requests
    Values: enable | disable
      enable   Enable processing of all IPv4 ICMP echo requests
      disable  Disable processing of all IPv4 ICMP echo requests
    Constraint: (enable|disable)
    Default: enable

  Policy for handling broadcast IPv4 ICMP echo and timestamp requests
    Values: enable | disable
      enable   Enable processing of broadcast IPv4 ICMP echo/timestamp requests
      disable  Disable processing of broadcast IPv4 ICMP echo/timestamp requests
    Constraint: (enable|disable)
    Default: disable

  SNMP trap generation on firewall configuration changes
    Values: enable | disable
      enable   Enable sending SNMP trap on firewall configuration change
      disable  Disable sending SNMP trap on firewall configuration change
    Constraint: (enable|disable)
    Default: disable

  Firewall group

    Firewall address-group
      Name constraint: [a-zA-Z0-9][\w\-\.]*
      Address-group member
        ipv4       IPv4 address to match
        ipv4range  IPv4 range to match (e.g. 10.0.0.1-10.0.0.200)
      Include another address-group (completion path: firewall group address-group)
      #include (shared definition, not shown)

    Firewall domain-group
      Name constraint: [a-zA-Z_][a-zA-Z0-9][\w\-\.]*
      Name of domain-group can only contain alpha-numeric letters, hyphen, underscores and not start with numeric
      Domain-group member
        txt  Domain address to match
        Constraint: [a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,99}?(\/.*)?
      #include (shared definition, not shown)

    Firewall ipv6-address-group
      Name constraint: [a-zA-Z0-9][\w\-\.]*
      Address-group member
        ipv6       IPv6 address to match
        ipv6range  IPv6 range to match (e.g. 2002::1-2002::ff)
      Include another ipv6-address-group (completion path: firewall group ipv6-address-group)
      #include (shared definition, not shown)

    Firewall ipv6-network-group
      Name constraint: [a-zA-Z0-9][\w\-\.]*
      #include (shared definition, not shown)
      Network-group member
        ipv6net  IPv6 address to match
      Include another ipv6-network-group (completion path: firewall group ipv6-network-group)

    Firewall mac-group
      Name constraint: [a-zA-Z0-9][\w\-\.]*
      #include (shared definition, not shown)
      Mac-group member
        <MAC address>  MAC address to match
      Include another mac-group (completion path: firewall group mac-group)

    Firewall network-group
      Name constraint: [a-zA-Z0-9][\w\-\.]*
      #include (shared definition, not shown)
      Network-group member
        ipv4net  IPv4 Subnet to match
      Include another network-group (completion path: firewall group network-group)

    Firewall port-group
      Name constraint: [a-zA-Z0-9][\w\-\.]*
      #include (shared definition, not shown)
      Port-group member
        txt          Named port (any name in /etc/services, e.g., http)
        u32:1-65535  Numbered port
        start-end    Numbered port range (e.g. 1001-1050)
      Include another port-group (completion path: firewall group port-group)

  Policy for handling IPv4 packets with source route option
    Values: enable | disable
      enable   Enable processing of IPv4 packets with source route option
      disable  Disable processing of IPv4 packets with source route option
    Constraint: (enable|disable)
    Default: disable

  IPv6 firewall rule-set name
    Name constraint: [a-zA-Z0-9][\w\-\.]*
    #include (x3, shared definitions not shown)

    Firewall rule number (IPv6)
      u32:1-999999  Number for this Firewall rule
      Constraint message: Firewall rule number must be between 1 and 999999
      #include (x2, shared definitions not shown)

      Destination parameters
        #include (x4, shared definitions not shown)

      Source parameters
        #include (x5, shared definitions not shown)

      Payload size in bytes, including any extension header
        u32:1-65535  Numbered packet length
        <start-end>  Packet length range (e.g. 1001-1005)
        Multiple values can be specified as a comma-separated list.
        For example: '64, 512,1001-1005'

      Hop Limit
        Value to match a hop limit equal to it
          u32:0-255  Hop limit equal to value
        Value to match a hop limit greater than or equal to it
          u32:0-255  Hop limit greater than value
        Value to match a hop limit less than or equal to it
          u32:0-255  Hop limit less than value

      ICMPv6 type and code information
        ICMPv6 code (0-255)
          u32:0-255  ICMPv6 code (0-255)
        ICMPv6 type (0-255)
          u32:0-255  ICMPv6 type (0-255)
        #include (shared definition, not shown)

  Policy for handling received ICMPv6 redirect messages
    Values: enable | disable
      enable   Enable processing of received ICMPv6 redirect messages
      disable  Disable processing of received ICMPv6 redirect messages
    Constraint: (enable|disable)
    Default: disable

  Policy for handling IPv6 packets with routing extension header
    Values: enable | disable
      enable   Enable processing of IPv6 packets with routing header type 2
      disable  Disable processing of IPv6 packets with routing header
    Constraint: (enable|disable)
    Default: disable

  Policy for logging IPv4 packets with invalid addresses
    Values: enable | disable
      enable   Enable logging of IPv4 packets with invalid addresses
      disable  Disable logging of IPv4 packets with invalid addresses
    Constraint: (enable|disable)
    Default: enable

  IPv4 firewall rule-set name
    Name constraint: [a-zA-Z0-9][\w\-\.]*
    #include (x3, shared definitions not shown)

    Firewall rule number (IPv4)
      u32:1-999999  Number for this Firewall rule
      Constraint message: Firewall rule number must be between 1 and 999999
      #include (x2, shared definitions not shown)

      Destination parameters
        #include (x4, shared definitions not shown)

      Source parameters
        #include (x5, shared definitions not shown)

      Packet size in bytes, including header and data
        u32:1-65535  Numbered packet length
        <start-end>  Packet length range (e.g. 1001-1005)
        Multiple values can be specified as a comma-separated list.
        For example: '64, 512,1001-1005'

      ICMP type and code information
        ICMP code (0-255)
          u32:0-255  ICMP code (0-255)
        ICMP type (0-255)
          u32:0-255  ICMP type (0-255)
        #include (shared definition, not shown)

      Time to live limit
        Value to match a ttl equal to it
          u32:0-255  ttl equal to value
        Value to match a ttl greater than or equal to it
          u32:0-255  ttl greater than value
        Value to match a ttl less than or equal to it
          u32:0-255  ttl less than value

  Policy for handling received IPv4 ICMP redirect messages
    Values: enable | disable
      enable   Enable processing of received IPv4 ICMP redirect messages
      disable  Disable processing of received IPv4 ICMP redirect messages
    Constraint: (enable|disable)
    Default: disable

  Policy for sending IPv4 ICMP redirect messages
    Values: enable | disable
      enable   Enable sending IPv4 ICMP redirect messages
      disable  Disable sending IPv4 ICMP redirect messages
    Constraint: (enable|disable)
    Default: enable

  Policy for source validation by reversed path, as specified in RFC3704
    Values: strict | loose | disable
      strict   Enable Strict Reverse Path Forwarding as defined in RFC3704
      loose    Enable Loose Reverse Path Forwarding as defined in RFC3704
      disable  No source validation
    Constraint: (strict|loose|disable)
    Default: disable

  Global firewall state-policy
    Global firewall policy for packets part of an established connection
      #include (x2, shared definitions not shown)
    Global firewall policy for packets part of an invalid connection
      #include (x2, shared definitions not shown)
    Global firewall policy for packets part of a related connection
      #include (x2, shared definitions not shown)

  Policy for using TCP SYN cookies with IPv4
    Values: enable | disable
      enable   Enable use of TCP SYN cookies with IPv4
      disable  Disable use of TCP SYN cookies with IPv4
    Constraint: (enable|disable)
    Default: enable

  RFC1337 TCP TIME-WAIT assassination hazards protection
    Values: enable | disable
      enable   Enable RFC1337 TIME-WAIT hazards protection
      disable  Disable RFC1337 TIME-WAIT hazards protection
    Constraint: (enable|disable)
    Default: disable