199 Firewall #include Firewall group Firewall address-group [a-zA-Z0-9][\w\-\.]* Address-group member ipv4 IPv4 address to match ipv4range IPv4 range to match (e.g. 10.0.0.1-10.0.0.200) Include another address-group firewall group address-group #include Firewall domain-group [a-zA-Z_][a-zA-Z0-9][\w\-\.]* Name of domain-group can only contain alpha-numeric letters, hyphen, underscores and not start with numeric Domain-group member txt Domain address to match #include Firewall interface-group [a-zA-Z0-9][\w\-\.]* Interface-group member Include another interface-group firewall group interface-group #include Firewall ipv6-address-group [a-zA-Z0-9][\w\-\.]* Address-group member ipv6 IPv6 address to match ipv6range IPv6 range to match (e.g. 2002::1-2002::ff) Include another ipv6-address-group firewall group ipv6-address-group #include Firewall ipv6-network-group [a-zA-Z0-9][\w\-\.]* #include Network-group member ipv6net IPv6 address to match Include another ipv6-network-group firewall group ipv6-network-group Firewall mac-group [a-zA-Z0-9][\w\-\.]* #include Mac-group member macaddr MAC address to match Include another mac-group firewall group mac-group Firewall network-group [a-zA-Z0-9][\w\-\.]* #include Network-group member ipv4net IPv4 Subnet to match Include another network-group firewall group network-group Firewall port-group [a-zA-Z0-9][\w\-\.]* #include Port-group member txt Named port (any name in /etc/services, e.g., http) u32:1-65535 Numbered port start-end Numbered port range (e.g. 1001-1050) Include another port-group firewall group port-group Bridge firewall #include #include IPv4 firewall #include #include #include #include IPv6 firewall #include #include #include #include Zone-policy txt Zone name [a-zA-Z0-9][\w\-\.]* #include #include Default-action for traffic coming into this zone drop reject drop Drop silently reject Drop and notify source (drop|reject) drop Zone from which to filter traffic zone-policy zone Firewall options IPv6 firewall ruleset firewall ipv6 name IPv4 firewall ruleset firewall ipv4 name Interface associated with zone txt Interface associated with zone vrf VRF associated with zone vrf name Intra-zone filtering Action for intra-zone traffic accept drop accept Accept traffic drop Drop silently (accept|drop) Use the specified firewall chain IPv6 firewall ruleset firewall ipv6 name IPv4 firewall ruleset firewall ipv4 name Zone to be local-zone