Firewall

- Policy for handling of all IPv4 ICMP echo requests
  enable   Enable processing of all IPv4 ICMP echo requests
  disable  Disable processing of all IPv4 ICMP echo requests
  constraint: (enable|disable); default: enable

- Policy for handling broadcast IPv4 ICMP echo and timestamp requests
  enable   Enable processing of broadcast IPv4 ICMP echo/timestamp requests
  disable  Disable processing of broadcast IPv4 ICMP echo/timestamp requests
  constraint: (enable|disable); default: disable

- SNMP trap generation on firewall configuration changes
  enable   Enable sending SNMP trap on firewall configuration change
  disable  Disable sending SNMP trap on firewall configuration change
  constraint: (enable|disable); default: disable

- Firewall group
  - Firewall address-group (name constraint: [a-zA-Z0-9][\w\-\.]*)
    Address-group member
      ipv4       IPv4 address to match
      ipv4range  IPv4 range to match (e.g. 10.0.0.1-10.0.0.200)
    Include another address-group (completion: firewall group address-group)
    #include
  - Firewall domain-group (name constraint: [a-zA-Z_][a-zA-Z0-9][\w\-\.]*)
    Name of domain-group can only contain alpha-numeric letters, hyphen, underscores and not start with numeric
    Domain-group member
      txt  Domain address to match
    #include
  - Firewall ipv6-address-group (name constraint: [a-zA-Z0-9][\w\-\.]*)
    Address-group member
      ipv6       IPv6 address to match
      ipv6range  IPv6 range to match (e.g. 2002::1-2002::ff)
    Include another ipv6-address-group (completion: firewall group ipv6-address-group)
    #include
  - Firewall ipv6-network-group (name constraint: [a-zA-Z0-9][\w\-\.]*)
    #include
    Network-group member
      ipv6net  IPv6 address to match
    Include another ipv6-network-group (completion: firewall group ipv6-network-group)
  - Firewall mac-group (name constraint: [a-zA-Z0-9][\w\-\.]*)
    #include
    Mac-group member
      macaddr  MAC address to match
    Include another mac-group (completion: firewall group mac-group)
  - Firewall network-group (name constraint: [a-zA-Z0-9][\w\-\.]*)
    #include
    Network-group member
      ipv4net  IPv4 subnet to match
    Include another network-group (completion: firewall group network-group)
  - Firewall port-group (name constraint: [a-zA-Z0-9][\w\-\.]*)
    #include
    Port-group member
      txt          Named port (any name in /etc/services, e.g., http)
      u32:1-65535  Numbered port
      start-end    Numbered port range (e.g. 1001-1050)
    Include another port-group (completion: firewall group port-group)

- Interface name to apply firewall configuration
  Forwarded packets on inbound interface   #include
  Forwarded packets on outbound interface  #include
  Packets destined for this router         #include

- Policy for handling IPv4 packets with source route option
  enable   Enable processing of IPv4 packets with source route option
  disable  Disable processing of IPv4 packets with source route option
  constraint: (enable|disable); default: disable

- IPv6 firewall rule-set name (name constraint: [a-zA-Z0-9][\w\-\.]*)
  #include #include #include
  Set jump target. Action jump must be defined in default-action to use this setting (completion: firewall ipv6-name)
  Firewall rule number (IPv6)
    u32:1-999999  Number for this Firewall rule
    Firewall rule number must be between 1 and 999999
    #include #include
    Destination parameters  #include (x6)
    Source parameters       #include (x10)
    ICMPv6 type and code information
      ICMPv6 code  u32:0-255  ICMPv6 code (0-255)
      ICMPv6 type  u32:0-255  ICMPv6 type (0-255)
    #include
    Set jump target. Action jump must be defined to use this setting (completion: firewall ipv6-name)

- Policy for handling received ICMPv6 redirect messages
  enable   Enable processing of received ICMPv6 redirect messages
  disable  Disable processing of received ICMPv6 redirect messages
  constraint: (enable|disable); default: disable

- Policy for handling IPv6 packets with routing extension header
  enable   Enable processing of IPv6 packets with routing header type 2
  disable  Disable processing of IPv6 packets with routing header
  constraint: (enable|disable); default: disable

- Policy for logging IPv4 packets with invalid addresses
  enable   Enable logging of IPv4 packets with invalid addresses
  disable  Disable logging of IPv4 packets with invalid addresses
  constraint: (enable|disable); default: enable

- IPv4 firewall rule-set name (name constraint: [a-zA-Z0-9][\w\-\.]*)
  #include #include #include
  Set jump target. Action jump must be defined in default-action to use this setting (completion: firewall name)
  Firewall rule number (IPv4)
    u32:1-999999  Number for this Firewall rule
    Firewall rule number must be between 1 and 999999
    #include #include
    Destination parameters  #include (x6)
    Source parameters       #include (x9)
    ICMP type and code information
      ICMP code  u32:0-255  ICMP code (0-255)
      ICMP type  u32:0-255  ICMP type (0-255)
    #include
    Set jump target. Action jump must be defined to use this setting (completion: firewall name)
  #include

- Policy for handling received IPv4 ICMP redirect messages
  enable   Enable processing of received IPv4 ICMP redirect messages
  disable  Disable processing of received IPv4 ICMP redirect messages
  constraint: (enable|disable); default: disable

- Retains last successful value if domain resolution fails

- Domain resolver update interval
  u32:10-3600  Interval (seconds)
  default: 300

- Policy for sending IPv4 ICMP redirect messages
  enable   Enable sending IPv4 ICMP redirect messages
  disable  Disable sending IPv4 ICMP redirect messages
  constraint: (enable|disable); default: enable

- Policy for source validation by reversed path, as specified in RFC3704
  strict   Enable Strict Reverse Path Forwarding as defined in RFC3704
  loose    Enable Loose Reverse Path Forwarding as defined in RFC3704
  disable  No source validation
  constraint: (strict|loose|disable); default: disable

- Global firewall state-policy
  Global firewall policy for packets part of an established connection  #include (x3)
  Global firewall policy for packets part of an invalid connection      #include (x3)
  Global firewall policy for packets part of a related connection       #include (x3)

- Policy for using TCP SYN cookies with IPv4
  enable   Enable use of TCP SYN cookies with IPv4
  disable  Disable use of TCP SYN cookies with IPv4
  constraint: (enable|disable); default: enable

- RFC1337 TCP TIME-WAIT assassination hazards protection
  enable   Enable RFC1337 TIME-WAIT hazards protection
  disable  Disable RFC1337 TIME-WAIT hazards protection
  constraint: (enable|disable); default: disable

Zone-policy

- Zone name
  txt  Zone name (constraint: [a-zA-Z0-9][\w\-\.]*)
  #include #include
  Default-action for traffic coming into this zone
    drop    Drop silently
    reject  Drop and notify source
    constraint: (drop|reject); default: drop
  Zone from which to filter traffic (completion: zone-policy zone)
    Firewall options
      IPv6 firewall ruleset (completion: firewall ipv6-name)
      IPv4 firewall ruleset (completion: firewall name)
  Interface associated with zone
    txt  Interface associated with zone
  Intra-zone filtering
    Action for intra-zone traffic
      accept  Accept traffic
      drop    Drop silently
      constraint: (accept|drop)
    Use the specified firewall chain
      IPv6 firewall ruleset (completion: firewall ipv6-name)
      IPv4 firewall ruleset (completion: firewall name)
  Zone to be local-zone