Firewall

Policy for handling of all IPv4 ICMP echo requests
  values: enable | disable
  enable:  Enable processing of all IPv4 ICMP echo requests
  disable: Disable processing of all IPv4 ICMP echo requests
  constraint: ^(enable|disable)$

Policy for handling broadcast IPv4 ICMP echo and timestamp requests
  values: enable | disable
  enable:  Enable processing of broadcast IPv4 ICMP echo/timestamp requests
  disable: Disable processing of broadcast IPv4 ICMP echo/timestamp requests
  constraint: ^(enable|disable)$

SNMP trap generation on firewall configuration changes
  values: enable | disable
  enable:  Enable sending SNMP trap on firewall configuration change
  disable: Disable sending SNMP trap on firewall configuration change
  constraint: ^(enable|disable)$

Firewall group
  Firewall address-group
    Address-group member
      ipv4:      IPv4 address to match
      ipv4range: IPv4 range to match (e.g. 10.0.0.1-10.0.0.200)
      #include
  Firewall ipv6-address-group
    Address-group member
      ipv6: IPv6 address to match
      #include
    Network-group member
      #include
    Network-group member
      ipv6net: IPv6 address to match
  Firewall network-group
    #include
    Network-group member
      ipv4net: IPv4 Subnet to match
  Firewall port-group
    #include
    Port-group member
      txt:         Named port (any name in /etc/services, e.g., http)
      u32:1-65535: Numbered port
      start-end:   Numbered port range (e.g. 1001-1050)

Policy for handling IPv4 packets with source route option
  values: enable | disable
  enable:  Enable processing of IPv4 packets with source route option
  disable: Disable processing of IPv4 packets with source route option
  constraint: ^(enable|disable)$

IPv6 firewall rule-set name
  #include (x3)
  Rule number (1-9999)
    #include (x2)
    Destination parameters
      #include (x3)
    Source parameters
      #include (x4)
    Hop Limit
      Value to match a hop limit equal to it
        u32:0-255: Hop limit equal to value
      Value to match a hop limit greater than or equal to it
        u32:0-255: Hop limit greater than value
      Value to match a hop limit less than or equal to it
        u32:0-255: Hop limit less than value
    ICMPv6 type and code information
      ICMP type-name
        values: any, echo-reply, pong, destination-unreachable, network-unreachable,
          host-unreachable, protocol-unreachable, port-unreachable, fragmentation-needed,
          source-route-failed, network-unknown, host-unknown, network-prohibited,
          host-prohibited, TOS-network-unreachable, TOS-host-unreachable,
          communication-prohibited, host-precedence-violation, precedence-cutoff,
          source-quench, redirect, network-redirect, host-redirect, TOS-network-redirect,
          TOS host-redirect, echo-request, ping, router-advertisement, router-solicitation,
          time-exceeded, ttl-exceeded, ttl-zero-during-transit, ttl-zero-during-reassembly,
          parameter-problem, ip-header-bad, required-option-missing, timestamp-request,
          timestamp-reply, address-mask-request, address-mask-reply
        any: Any ICMP type/code
        every other value: ICMP type/code name
        constraint: ^(any|echo-reply|pong|destination-unreachable|network-unreachable|host-unreachable|protocol-unreachable|port-unreachable|fragmentation-needed|source-route-failed|network-unknown|host-unknown|network-prohibited|host-prohibited|TOS-network-unreachable|TOS-host-unreachable|communication-prohibited|host-precedence-violation|precedence-cutoff|source-quench|redirect|network-redirect|host-redirect|TOS-network-redirect|TOS host-redirect|echo-request|ping|router-advertisement|router-solicitation|time-exceeded|ttl-exceeded|ttl-zero-during-transit|ttl-zero-during-reassembly|parameter-problem|ip-header-bad|required-option-missing|timestamp-request|timestamp-reply|address-mask-request|address-mask-reply)$
    P2P application packets
      all:            AppleJuice/BitTorrent/Direct Connect/eDonkey/eMule/Gnutella/KaZaA application packets
      applejuice:     AppleJuice application packets
      bittorrent:     BitTorrent application packets
      directconnect:  Direct Connect application packets
      edonkey:        eDonkey/eMule application packets
      gnutella:       Gnutella application packets
      kazaa:          KaZaA application packets

Policy for handling received ICMPv6 redirect messages
  values: enable | disable
  enable:  Enable processing of received ICMPv6 redirect messages
  disable: Disable processing of received ICMPv6 redirect messages
  constraint: ^(enable|disable)$

Policy for handling IPv6 packets with routing extension header
  values: enable | disable
  enable:  Enable processing of IPv6 packets with routing header type 2
  disable: Disable processing of IPv6 packets with routing header
  constraint: ^(enable|disable)$

Policy for logging IPv4 packets with invalid addresses
  values: enable | disable
  enable:  Enable logging of IPv4 packets with invalid addresses
  disable: Disable logging of IPv4 packets with invalid addresses
  constraint: ^(enable|disable)$

IPv4 firewall rule-set name
  #include (x3)
  Rule number (1-9999)
    #include (x2)
    Destination parameters
      #include (x3)
    Source parameters
      #include (x4)
    ICMP type and code information
      ICMP code (0-255)
        u32:0-255: ICMP code (0-255)
      ICMP type (0-255)
        u32:0-255: ICMP type (0-255)
      #include

Policy for handling received IPv4 ICMP redirect messages
  values: enable | disable
  enable:  Enable processing of received IPv4 ICMP redirect messages
  disable: Disable processing of received IPv4 ICMP redirect messages
  constraint: ^(enable|disable)$

Policy for sending IPv4 ICMP redirect messages
  values: enable | disable
  enable:  Enable sending IPv4 ICMP redirect messages
  disable: Disable sending IPv4 ICMP redirect messages
  constraint: ^(enable|disable)$

Policy for source validation by reversed path, as specified in RFC3704
  values: strict | loose | disable
  strict:  Enable Strict Reverse Path Forwarding as defined in RFC3704
  loose:   Enable Loose Reverse Path Forwarding as defined in RFC3704
  disable: No source validation
  constraint: ^(strict|loose|disable)$

Global firewall state-policy
  Global firewall policy for packets part of an established connection
    #include (x2)
  Global firewall policy for packets part of an invalid connection
    #include (x2)
  Global firewall policy for packets part of a related connection
    #include (x2)

Policy for using TCP SYN cookies with IPv4
  values: enable | disable
  enable:  Enable use of TCP SYN cookies with IPv4
  disable: Disable use of TCP SYN cookies with IPv4
  constraint: ^(enable|disable)$

RFC1337 TCP TIME-WAIT assassination hazards protection
  values: enable | disable
  enable:  Enable RFC1337 TIME-WAIT hazards protection
  disable: Disable RFC1337 TIME-WAIT hazards protection
  constraint: ^(enable|disable)$