489 Firewall #include Flowtable [a-zA-Z0-9][\w\-\.]* #include #include Offloading method hardware software hardware Hardware offload software Software offload (hardware|software) software Firewall group Firewall address-group #include Name of firewall group can only contain alphanumeric letters, hyphen, underscores and dot Address-group member ipv4 IPv4 address to match ipv4range IPv4 range to match (e.g. 10.0.0.1-10.0.0.200) Include another address-group firewall group address-group #include Firewall domain-group [a-zA-Z_][a-zA-Z0-9]?[\w\-\.]* Name of domain-group can only contain alphanumeric letters, hyphens and underscores, and must not start with a number Domain-group member txt Domain address to match #include Firewall dynamic group Firewall dynamic address group #include Name of firewall group can only contain alphanumeric letters, hyphen, underscores and dot #include Firewall dynamic IPv6 address group [a-zA-Z0-9][\w\-\.]* #include Firewall interface-group #include Name of firewall group can only contain alphanumeric letters, hyphen, underscores and dot #include Include another interface-group firewall group interface-group #include Firewall ipv6-address-group #include Name of firewall group can only contain alphanumeric letters, hyphen, underscores and dot Address-group member ipv6 IPv6 address to match ipv6range IPv6 range to match (e.g. 
2002::1-2002::ff) Include another ipv6-address-group firewall group ipv6-address-group #include Firewall ipv6-network-group #include Name of firewall group can only contain alphanumeric letters, hyphen, underscores and dot #include Network-group member ipv6net IPv6 address to match Include another ipv6-network-group firewall group ipv6-network-group Firewall mac-group #include Name of firewall group can only contain alphanumeric letters, hyphen, underscores and dot #include Mac-group member macaddr MAC address to match Include another mac-group firewall group mac-group Firewall network-group #include Name of firewall group can only contain alphanumeric letters, hyphen, underscores and dot #include Network-group member ipv4net IPv4 Subnet to match Include another network-group firewall group network-group Firewall port-group #include Name of firewall group can only contain alphanumeric letters, hyphen, underscores and dot #include Port-group member txt Named port (any name in /etc/services, e.g., http) u32:1-65535 Numbered port start-end Numbered port range (e.g. 
1001-1050) Include another port-group firewall group port-group Bridge firewall #include #include #include #include #include IPv4 firewall #include #include #include #include #include IPv6 firewall #include #include #include #include #include Zone-policy txt Zone name [a-zA-Z0-9][\w\-\.]* #include #include Default-action for traffic coming into this zone drop reject drop Drop silently reject Drop and notify source (drop|reject) drop Zone from which to filter traffic firewall zone Firewall options IPv6 firewall ruleset firewall ipv6 name IPv4 firewall ruleset firewall ipv4 name Interface associated with zone #include VRF associated with zone vrf VRF associated with zone vrf name Intra-zone filtering Action for intra-zone traffic accept drop accept Accept traffic drop Drop silently (accept|drop) Use the specified firewall chain IPv6 firewall ruleset firewall ipv6 name IPv4 firewall ruleset firewall ipv4 name Zone to be local-zone