Adds a filter rule.
-v |
IP version of the filter rule. Valid values are 4 and 6. |
-v |
IP version to which the filter rule will apply. |
-n |
Filter rule ID. The new rule will be added BEFORE the filter rule you specify.
For IP version 4, the ID must be greater than 1 because the first filter rule is a system generated rule and
cannot be moved. If this flag is not used, the new rule will be added to the end of the filter rule
table. |
-n |
Filter rule ID. The new rule will be added BEFORE the filter rule you specified.
For an IPv4 filter rule, the ID must be greater than 1 because the first filter rule for IPv4 is a special
rule and is not replaceable. If omitted, the new rule will be added to the end of the filter rule
table. |
-a |
Action. The value of Deny (D) will block traffic, and the value of Permit
(P) will allow traffic. The default is D. |
-a |
Action. Deny (D) or Permit (P). Default is P. |
-s |
Source address. It can be an IP address or a host name. If a host name is specified,
the first IP address returned by the name server for that host will be used. This value along with the source
subnet mask will be compared against the source address of the IP packets. |
-s |
Source address. It can be an IP address
or a host name. If a host name is specified, the first IP address returned by the name server for that host
name will be used. |
-m |
Source subnet mask: This will be used in the comparison of
the IP packet's source address with the source address of the
filter rule. |
-m |
Source subnet mask. |
-d |
Destination address. It can be an IP address or a host name. If a host name is
specified, the first IP address returned by the name server for that host will be used. This value along with
the destination subnet mask will be compared against the destination address of the IP packets. |
-M |
Destination subnet mask: This will be used in the comparison
of the IP packet's destination address with the destination
address of the filter rule. |
-g |
Apply to source routing? Must be specified as Y (yes) or N (No). If
Y is specified, this filter rule can apply to IP packets that use source routing. The default value is
yes (Y). This field only applies to permit rules. |
-g |
Apply to source routing? Must be
specified as Y (yes) or N (No). Default is yes (Y). |
-c |
Protocol. The valid values are: udp, icmp, icmpv6, tcp,
tcp/ack, ospf, ipip, esp, ah, and all. Value all indicates
that the filter rule will apply to all the protocols. The protocol can also be specified numerically (between
1 and 252). The default value is all. |
-c |
Protocol. The valid values are: udp, icmp, icmpV6, tcp, tcp/ack, ospf, ipip, esp,
ah, and all. Value all indicates that the filter rule will apply to all the protocols. The protocol
numbers (between 1 and 252) are also valid. |
-o |
Source port or ICMP type operation. This is the operation that will be used in the
comparison between the source port/ICMP type of the packet with the source port or ICMP type (-p flag)
specified in this filter rule. The valid values are: lt, le, gt, ge, eq,
neq, and any. The default value is any. This value must be any when the -c
flag is ospf. |
-o |
Source port or ICMP type operation.
This is the operation that will be used in the comparison of the source port/ICMP type (-p flag). The valid
values are: lt, le, gt, ge, eq, neq and any. Default value is "any". This value must be any when -c option is
ospf. |
-p |
Source port or ICMP type. This is the
value/type that will be compared to the source port (or ICMP type) of the IP packet. |
-p |
Source port or ICMP type. This is the
value/type that will be used in the comparison of the source port (or ICMP type). |
-O |
Destination port or ICMP code operation. This is the operation that will be used in the
comparison between the destination port/ICMP code of the packet with the destination port or ICMP code
(-P flag). The valid values are: lt, le, gt, ge, eq, neq,
and any. The default value is any. This value must be any when the -c flag is
ospf. |
-O |
Destination port or ICMP code operation.
This is the operation that will be used in the comparison of the destination port/ICMP code (-P flag). The valid
values are: lt, le, gt, ge, eq, neq and any. Default value is "any". This
value must be any when -c option is ospf. |
-P |
Destination port/ICMP code. This is the value/code that will be compared to the
destination port (or ICMP code) of the IP packet. |
-P |
Destination port / ICMP code. This is
the value/code that will be used in the comparison of the destination port (or ICMP code). |
-r |
Routing. This specifies whether the rule will apply to forwarded packets (R),
packets destined or originated from the local host (L), or both (B). The default value is
B. |
-r |
Routing. This specifies whether the
rule will apply to forward packets (R), local packets (L), or both (B). Default value is B. |
-w |
Direction. This specifies whether the rule will apply to incoming packets (I),
outgoing packets (O), or both (B). The default value is B. |
-w |
Direction. This specifies whether the
rule will apply to incoming packets (I), outgoing packets (O), or both (B). Default value is B. |
-l |
Log control. Must be specified as Y (yes) or N (No). If specified as
Y, packets that match this filter rule will be included in the filter log. The default value is
N (no). |
-l |
Log control. Must be specified as Y
(yes) or N (No). Default value is N (no). |
-f |
Fragmentation control. This flag specifies that this rule will apply to either all
packets (Y), fragment headers and unfragmented packets only (H), fragments and fragment headers
only (O), or unfragmented packets only (N). The default value is Y. |
-f |
Fragmentation control. Specifies if
this rule applies to all packets (Y), fragment headers and unfragmented packets only (H), fragments and
fragment headers only (O), or unfragmented packets only (N). Default value is Y. |
-t |
ID of the tunnel related to this filter rule. All the packets that match this filter
rule must go through the specified tunnel. If this flag is not specified, this rule will only apply to
non-tunnel traffic. |
-t |
ID of the tunnel related to this filter
rule. All the packets which match this filter rule should go through the tunnel. |
-i |
The name of IP interface(s) to which the filter rule applies. The examples of
the name are: all, tr0, en0, lo0, and pp0. The default value is
all. |
-i |
The name of IP interface(s) on which
the filter rule applies. The examples of the name are: all, tr0, en0, lo0, pp0. The default value is
all. |
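
The following is an added example, not part of the original reference and not the filter implementation itself: a small Python model of how the address/mask flags (-s, -m, -d, -M) and the port operation flags (-o, -p, -O, -P) combine when a rule is compared against a packet. It assumes the usual mask semantics (both addresses are ANDed with the mask before comparison) and that rules are evaluated in table order with the first match deciding the action; the function names, dictionary layout, and sample rules are constructed for illustration.

```python
import ipaddress
import operator

# Operations listed for the -o and -O flags; the packet value is the left operand.
OPS = {"lt": operator.lt, "le": operator.le, "gt": operator.gt,
       "ge": operator.ge, "eq": operator.eq, "neq": operator.ne,
       "any": lambda pkt_val, rule_val: True}

def addr_matches(pkt_addr, rule_addr, mask):
    """Assumed semantics: equal after ANDing both addresses with the mask."""
    p = int(ipaddress.ip_address(pkt_addr))
    r = int(ipaddress.ip_address(rule_addr))
    m = int(ipaddress.ip_address(mask))
    return (p & m) == (r & m)

def port_matches(op, pkt_port, rule_port, proto):
    """Apply a -o/-O operation; ospf rules only accept 'any'."""
    if proto == "ospf" and op != "any":
        raise ValueError("operation must be 'any' when the protocol is ospf")
    return OPS[op](pkt_port, rule_port)

def rule_matches(rule, pkt):
    """Keys mirror the flag letters: s/m, d/M, c, o/p, O/P."""
    if rule["c"] not in ("all", pkt["proto"]):
        return False
    return (addr_matches(pkt["src"], rule["s"], rule["m"])
            and addr_matches(pkt["dst"], rule["d"], rule["M"])
            and port_matches(rule["o"], pkt["sport"], rule["p"], rule["c"])
            and port_matches(rule["O"], pkt["dport"], rule["P"], rule["c"]))

def first_match(rules, pkt):
    """Assumption: rules are checked in table order and the first match wins."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule["a"]
    return None

# Constructed sample table: permit SSH from one subnet to one host, deny the rest.
RULES = [
    {"a": "P", "s": "192.0.2.0", "m": "255.255.255.0",
     "d": "198.51.100.10", "M": "255.255.255.255",
     "c": "tcp", "o": "any", "p": 0, "O": "eq", "P": 22},
    {"a": "D", "s": "0.0.0.0", "m": "0.0.0.0", "d": "0.0.0.0", "M": "0.0.0.0",
     "c": "all", "o": "any", "p": 0, "O": "any", "P": 0},
]

def sample_packet(src, dport, proto="tcp"):
    """Build a constructed packet aimed at the sample host."""
    return {"src": src, "dst": "198.51.100.10", "proto": proto,
            "sport": 40000, "dport": dport}
```

Because an explicit action on the final catch-all rule decides everything the earlier rules miss, reviewing a rule table in this order is a quick way to spot an overly broad permit placed ahead of a deny.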