Adds a filter rule.
-v
    IP version of the filter rule. Valid values are 4 and 6.

-n
    Filter rule ID. The new rule will be added BEFORE the filter rule you
    specify. For IP version 4, the ID must be greater than 1 because the first
    filter rule is a system-generated rule and cannot be moved. If this flag is
    not used, the new rule will be added to the end of the filter rule table.

-a
    Action. The value Deny (D) blocks traffic, and the value Permit (P) allows
    traffic. The default is D.

-s
    Source address. It can be an IP address or a host name. If a host name is
    specified, the first IP address returned by the name server for that host
    will be used. This value, together with the source subnet mask, is compared
    against the source address of the IP packets.

-m
    Source subnet mask. It is used in the comparison of the IP packet's source
    address with the source address of the filter rule.

-d
    Destination address. It can be an IP address or a host name. If a host name
    is specified, the first IP address returned by the name server for that host
    will be used. This value, together with the destination subnet mask, is
    compared against the destination address of the IP packets.

-M
    Destination subnet mask. It is used in the comparison of the IP packet's
    destination address with the destination address of the filter rule.

-g
    Apply to source routing? Must be specified as Y (yes) or N (no). If Y is
    specified, this filter rule can apply to IP packets that use source routing.
    The default value is yes (Y). This field only applies to permit rules.

-c
    Protocol. The valid values are: udp, icmp, icmpv6, tcp, tcp/ack, ospf, ipip,
    esp, ah, and all. The value all indicates that the filter rule applies to
    all protocols. The protocol can also be specified numerically (between 1 and
    252). The default value is all.

-o
    Source port or ICMP type operation. This is the operation used in the
    comparison between the source port/ICMP type of the packet and the source
    port or ICMP type (-p flag) specified in this filter rule. The valid values
    are: lt, le, gt, ge, eq, neq, and any. The default value is any. This value
    must be any when the -c flag is ospf.

-p
    Source port or ICMP type. This is the value/type that is compared to the
    source port (or ICMP type) of the IP packet.

-O
    Destination port or ICMP code operation. This is the operation used in the
    comparison between the destination port/ICMP code of the packet and the
    destination port or ICMP code (-P flag). The valid values are: lt, le, gt,
    ge, eq, neq, and any. The default value is any. This value must be any when
    the -c flag is ospf.

-P
    Destination port/ICMP code. This is the value/code that is compared to the
    destination port (or ICMP code) of the IP packet.

-r
    Routing. This specifies whether the rule applies to forwarded packets (R),
    packets destined for or originating from the local host (L), or both (B).
    The default value is B.

-w
    Direction. This specifies whether the rule applies to incoming packets (I),
    outgoing packets (O), or both (B). The default value is B.

-l
    Log control. Must be specified as Y (yes) or N (no). If specified as Y,
    packets that match this filter rule are included in the filter log. The
    default value is N (no).

-f
    Fragmentation control. This flag specifies whether the rule applies to all
    packets (Y), fragment headers and unfragmented packets only (H), fragments
    and fragment headers only (O), or unfragmented packets only (N). The default
    value is Y.

-t
    ID of the tunnel related to this filter rule. All packets that match this
    filter rule must go through the specified tunnel. If this flag is not
    specified, the rule applies only to non-tunnel traffic.

-i
    The name of the IP interface(s) to which the filter rule applies. Examples
    are: all, tr0, en0, lo0, and pp0. The default value is all.
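As an added illustration (not part of this reference page and not the filter code itself), the following Python model shows how the masked address comparison (-s/-m, -d/-M), the protocol field (-c), the port operators (-O/-P) and the rule-ID insertion of -n interact. It assumes IPv4, an ordered table evaluated first-match, and a constructed placeholder for the system rule in position 1; the rule table and packets are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

# The -o/-O comparison operators listed on the page (lt, le, gt, ge, eq, neq, any).
OPS = {"lt": int.__lt__, "le": int.__le__, "gt": int.__gt__, "ge": int.__ge__,
       "eq": int.__eq__, "neq": int.__ne__, "any": lambda a, b: True}

@dataclass
class Rule:                    # field names mirror the flags they model
    action: str                # -a: "D" deny or "P" permit
    src: str = "0.0.0.0"       # -s source address
    smask: str = "0.0.0.0"     # -m source mask (an all-zero mask matches any address)
    dst: str = "0.0.0.0"       # -d destination address
    dmask: str = "0.0.0.0"     # -M destination mask
    proto: str = "all"         # -c protocol name, or "all"
    dop: str = "any"           # -O operator applied to the destination port
    dport: int = 0             # -P destination port compared with -O

def _masked_eq(pkt_addr, rule_addr, mask) -> bool:  # (pkt & mask) == (rule & mask)
    a, r, m = (int(ipaddress.IPv4Address(x)) for x in (pkt_addr, rule_addr, mask))
    return a & m == r & m

def matches(rule: Rule, pkt: dict) -> bool:
    return (_masked_eq(pkt["src"], rule.src, rule.smask)
            and _masked_eq(pkt["dst"], rule.dst, rule.dmask)
            and rule.proto in ("all", pkt["proto"])
            and OPS[rule.dop](pkt.get("dport", 0), rule.dport))

def add_rule(table: list, rule: Rule, before_id=None) -> None:
    """Append, or (like -n) insert BEFORE the 1-based rule ID; ID 1 is the fixed system rule."""
    if before_id is None:
        table.append(rule)
    elif before_id <= 1 or before_id > len(table):
        raise ValueError(f"invalid rule id {before_id}")
    else:
        table.insert(before_id - 1, rule)

def evaluate(table: list, pkt: dict) -> str:  # assumed first-match: first hit decides
    for rule in table:
        if matches(rule, pkt):
            return rule.action
    return "no match"

def demo() -> tuple:
    # Constructed table: rule 1 is a placeholder for the system rule, rule 2 is a deny-all.
    table = [Rule("P", "192.0.2.1", "255.255.255.255"), Rule("D")]
    ssh = {"src": "10.0.0.7", "dst": "10.0.0.5", "proto": "tcp", "dport": 22}
    permit_ssh = Rule("P", "10.0.0.0", "255.255.255.0", "10.0.0.5", "255.255.255.255", "tcp", "eq", 22)
    add_rule(table, permit_ssh)                 # no -n: appended after the deny-all, never reached
    appended = evaluate(table, ssh)             # "D"
    add_rule(table, table.pop(), before_id=2)   # -n 2: inserted before the deny-all
    return appended, evaluate(table, ssh)       # ("D", "P")
```

The point of the demo is that a permit rule added without -n lands behind an existing deny-all and has no effect; placing it with -n before that rule is what makes it active.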