Firewall rule definition (VyOS interface-definition conventions: `u32:` value ranges, `^(...)$` constraint patterns, `#include` of shared fragments). Only help text, value help and constraint patterns survived extraction; node names did not.

#include
#include

Option to disable firewall rule

IP fragment match
  - Second and further fragments of fragmented packets
  - Head fragments or unfragmented packets

Inbound IPsec packets
  - Inbound IPsec packets
  - Inbound non-IPsec packets

Rate limit using a token bucket filter
  - Maximum number of packets to allow in excess of rate: u32:0-4294967295
  - Maximum average matching rate: u32:0-4294967295

Option to log packets matching rule
  enable    Enable log
  disable   Disable log
  constraint: ^(enable|disable)$

Protocol to match (protocol name, number, or "all")
  all           All IP protocols
  tcp_udp       Both TCP and UDP
  0-255         IP protocol number
  !<protocol>   Match everything except the specified protocol
  default: all

Parameters for matching recently seen sources
  - Source addresses seen more than N times: u32:1-255
  - Source addresses seen in the last N seconds: u32:0-4294967295

Packet modifications
  - Packet Differentiated Services Codepoint (DSCP): u32:0-63 (DSCP number)
  - Packet marking: u32:1-2147483647
  - Routing table to forward packet with: u32:1-200 (Table number) or main (Main table); constraint pattern ^(main)$, with the numeric range checked by a separate validator
  - TCP Maximum Segment Size: u32:500-1460 (Explicitly set TCP MSS value)

Source parameters
  #include
  #include
  - Source MAC address
      <MAC address>    MAC address to match
      !<MAC address>   Match everything except the specified MAC address
  #include

Session state
  - Established state: enable (Enable) / disable (Disable); constraint ^(enable|disable)$
  - Invalid state:     enable (Enable) / disable (Disable); constraint ^(enable|disable)$
  - New state:         enable (Enable) / disable (Disable); constraint ^(enable|disable)$
  - Related state:     enable (Enable) / disable (Disable); constraint ^(enable|disable)$

TCP flags to match
  - TCP flags to match: txt, multiple comma-separated flags
      syn   Synchronise flag
      ack   Acknowledge flag
      fin   Finish flag
      rst   Reset flag
      urg   Urgent flag
      psh   Push flag
    When specifying more than one flag, flags should be comma-separated.
    For example, a value of 'SYN,!ACK,!FIN,!RST' will only match packets with
    the SYN flag set and the ACK, FIN and RST flags unset. Flags that are not
    named in the value (here URG and PSH) are not examined at all, so a rule
    meant to catch bare SYNs must negate every flag it cares about.
    completions: syn ack fin rst urg psh

Time to match rule
  - Monthdays to match rule on
  - Date to start matching rule
  - Time of day to start matching rule
  - Date to stop matching rule
  - Time of day to stop matching rule
  - Interpret times for startdate, stopdate, starttime and stoptime to be UTC
  - Weekdays to match rule on

ICMPv6 type and code information
  - ICMP type-name
      any   Any ICMP type/code
      echo-reply, pong, destination-unreachable, network-unreachable, host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed, source-route-failed, network-unknown, host-unknown, network-prohibited, host-prohibited, TOS-network-unreachable, TOS-host-unreachable, communication-prohibited, host-precedence-violation, precedence-cutoff, source-quench, redirect, network-redirect, host-redirect, TOS-network-redirect, TOS host-redirect, echo-request, ping, router-advertisement, router-solicitation, time-exceeded, ttl-exceeded, ttl-zero-during-transit, ttl-zero-during-reassembly, parameter-problem, ip-header-bad, required-option-missing, timestamp-request, timestamp-reply, address-mask-request, address-mask-reply, packet-too-big   ICMP type/code name
    constraint: ^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply|packet-too-big)$

    Two things to check before relying on this list in an ICMPv6 rule. First,
    apart from packet-too-big these are ICMPv4 type names (source-quench,
    timestamp-request and address-mask-request have no ICMPv6 counterpart,
    and the ICMPv6 neighbour-discovery types are absent), so verify that the
    backend accepts a given name for IPv6 before assuming the rule does
    anything. Second, 'TOS host-redirect' is the one entry written with a
    space rather than a hyphen, in both the value list and the constraint;
    it is inconsistent with its sibling TOS-network-redirect and is most
    likely a typo for TOS-host-redirect.
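The comma-separated flag syntax above ('SYN,!ACK,!FIN,!RST') is easy to get subtly wrong, so here is an added example, not code from the template or its project, that parses such a value, validates it against the six flag names the template lists, and evaluates it against a packet's flag byte. It assumes the usual mask/compare semantics of a TCP-flags match: every named flag, negated or not, goes into the mask, only the non-negated ones must be set, and flags not named are ignored. The function and constant names are hypothetical.

```python
"""Parse and evaluate the comma-separated TCP flag syntax ('SYN,!ACK,!FIN,!RST').

Added example, not code from the original template. The mask/compare
evaluation is the conventional TCP-flags match semantics (assumption):
every flag named in the spec, negated or not, goes into the mask; only
the non-negated ones must be set; flags not named are ignored.
"""

# Bit values follow the TCP header flag byte.
TCP_FLAG_BITS = {
    "fin": 0x01,
    "syn": 0x02,
    "rst": 0x04,
    "psh": 0x08,
    "ack": 0x10,
    "urg": 0x20,
}


def parse_tcp_flags(spec):
    """Return (mask, comp) bitmasks for a spec such as 'SYN,!ACK,!FIN,!RST'.

    Raises ValueError on unknown, duplicated or empty flag names, which is
    the same check a configuration validator would apply to the value.
    """
    mask = comp = 0
    for token in spec.split(","):
        token = token.strip()
        negated = token.startswith("!")
        name = (token[1:] if negated else token).lower()
        if name not in TCP_FLAG_BITS:
            raise ValueError("unknown TCP flag %r in %r" % (token, spec))
        bit = TCP_FLAG_BITS[name]
        if mask & bit:
            raise ValueError("flag %r listed twice in %r" % (name, spec))
        mask |= bit          # this flag is examined ...
        if not negated:
            comp |= bit      # ... and must be set
    if mask == 0:
        raise ValueError("empty flag specification")
    return mask, comp


def tcp_flags_match(spec, packet_flags):
    """True if the packet's flag byte satisfies the spec."""
    mask, comp = parse_tcp_flags(spec)
    return (packet_flags & mask) == comp


def flags_from_names(*names):
    """Build a packet flag byte from flag names, e.g. flags_from_names('syn', 'ack')."""
    byte = 0
    for n in names:
        byte |= TCP_FLAG_BITS[n.lower()]
    return byte


if __name__ == "__main__":
    # Constructed packets: a bare SYN, a SYN/ACK, and a SYN with PSH.
    spec = "SYN,!ACK,!FIN,!RST"
    for pkt in (("syn",), ("syn", "ack"), ("syn", "psh")):
        print(pkt, tcp_flags_match(spec, flags_from_names(*pkt)))
```

The third constructed packet (SYN with PSH) still matches because PSH is not named in the value; that is the behaviour the caveat in the flag description refers to.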
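The "Rate limit using a token bucket filter" section gives two numbers, a maximum average rate and the number of packets allowed in excess of it, without saying how they interact. The following added example (not code from the template or its project) simulates that bucket so the interaction is visible: the bucket starts full with `burst` tokens, refills at `rate` tokens per second, and a packet matches the limit rule only while a token is available. Those semantics, the time unit of seconds, and all names are assumptions.

```python
"""Token-bucket behaviour behind the 'rate' and 'burst' parameters of a limit match.

Added example, not code from the original template. Assumed semantics:
the bucket starts full with `burst` tokens, refills at `rate` tokens per
second, and a packet matches only while a token is available. Packets that
find the bucket empty do not match and fall through to the next rule.
"""


class TokenBucket:
    def __init__(self, rate, burst):
        if rate <= 0 or burst < 1:
            raise ValueError("rate must be > 0 and burst >= 1")
        self.rate = float(rate)      # tokens (packets) per second
        self.burst = float(burst)    # bucket capacity: packets allowed above the rate
        self.tokens = float(burst)   # starts full, so an initial burst passes at once
        self.last = None             # timestamp of the previous refill

    def allow(self, now):
        """Return True if a packet arriving at time `now` matches the limit."""
        if self.last is not None:
            elapsed = max(0.0, now - self.last)   # ignore clock going backwards
            self.tokens = min(self.burst, self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate(rate, burst, arrivals):
    """Run a list of packet arrival timestamps (seconds) through one bucket.

    Returns one boolean per packet: True = matched the limit rule,
    False = exceeded the rate and fell through to the next rule.
    """
    bucket = TokenBucket(rate, burst)
    return [bucket.allow(t) for t in arrivals]


if __name__ == "__main__":
    # Constructed schedule: ten packets at t=0, then three at t=1s,
    # against rate 2/s with burst 5.
    arrivals = [0.0] * 10 + [1.0, 1.0, 1.0]
    print(simulate(2, 5, arrivals))
```

With rate 2 and burst 5 the first five packets at t=0 match, the next five do not, and only two of the three packets one second later match, because one second of refill at 2/s yields two tokens. A limit rule that accepts traffic therefore needs a companion rule after it to drop what falls through.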
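The "recently seen sources" parameters (seen more than N times, seen in the last N seconds) describe a sliding window over per-source hits, the mechanism typically used to throttle SSH brute forcing. The added example below (not code from the template or its project) implements that window, follows the help text literally for the count comparison ("more than N"; whether a backend counts "N or more" instead is a backend detail and an assumption here), and enforces the value ranges the template gives (count 1-255, time 0-4294967295). Class and function names are hypothetical and the log of hits is constructed.

```python
"""Sliding-window tracker behind the 'recently seen sources' match.

Added example, not code from the original template. Assumed semantics:
each rule hit records the source address with a timestamp; a later rule
matches a source that has been seen more than `count` times within the
last `seconds` seconds. Value ranges follow the template's help text.
"""

from collections import defaultdict, deque

COUNT_RANGE = (1, 255)             # "Source addresses seen more than N times"
TIME_RANGE = (0, 4294967295)       # "Source addresses seen in the last N seconds"


def validate_params(count, seconds):
    """Reject values outside the ranges the template advertises."""
    if not COUNT_RANGE[0] <= count <= COUNT_RANGE[1]:
        raise ValueError("count %r outside %s" % (count, COUNT_RANGE))
    if not TIME_RANGE[0] <= seconds <= TIME_RANGE[1]:
        raise ValueError("time %r outside %s" % (seconds, TIME_RANGE))


class RecentSources:
    def __init__(self):
        self.seen = defaultdict(deque)   # source address -> timestamps of hits

    def record(self, src, now):
        """Record a hit from `src` at time `now` (the rule that adds to the list)."""
        self.seen[src].append(now)

    def hits_within(self, src, now, seconds):
        """Number of recorded hits from `src` in the last `seconds` seconds."""
        q = self.seen.get(src)
        if not q:
            return 0
        while q and now - q[0] > seconds:   # expire entries that left the window
            q.popleft()
        return len(q)

    def matches(self, src, now, count, seconds):
        """True if `src` was seen more than `count` times in the last `seconds`."""
        validate_params(count, seconds)
        return self.hits_within(src, now, seconds) > count


def brute_force_demo():
    """Constructed hit log: one source hammers SSH, another connects twice."""
    tracker = RecentSources()
    for t in (0, 1, 2, 3):
        tracker.record("198.51.100.7", t)
    for t in (0, 2):
        tracker.record("203.0.113.9", t)
    return {
        "attacker_now": tracker.matches("198.51.100.7", 4, 3, 60),
        "attacker_later": tracker.matches("198.51.100.7", 70, 3, 60),
        "benign": tracker.matches("203.0.113.9", 4, 3, 60),
    }


if __name__ == "__main__":
    print(brute_force_demo())
```

The attacker matches at t=4 (four hits, more than three, all inside a 60 s window) and stops matching at t=70 once every recorded hit has aged out; the benign source with two hits never matches. The two-rule shape this implies, one rule that records the source and a later one that drops when the threshold is exceeded, is worth keeping in mind when ordering rules.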