1997-02-09 22:50:16 +00:00
|
|
|
filter-rule = [ insert ] action in-out [ options ] [ tos ] [ ttl ]
|
2005-04-25 17:31:50 +00:00
|
|
|
[ proto ] [ ip ] [ group ] [ tag ] [ pps ] .
|
1997-02-09 22:50:16 +00:00
|
|
|
|
|
|
|
insert = "@" decnumber .
|
2005-04-25 17:31:50 +00:00
|
|
|
action = block | "pass" | log | "count" | auth | call .
|
1997-02-09 22:50:16 +00:00
|
|
|
in-out = "in" | "out" .
|
2005-04-25 17:31:50 +00:00
|
|
|
options = [ log ] [ "quick" ] [ onif [ dup ] [ froute ] ] .
|
1997-02-09 22:50:16 +00:00
|
|
|
tos = "tos" decnumber | "tos" hexnumber .
|
|
|
|
ttl = "ttl" decnumber .
|
|
|
|
proto = "proto" protocol .
|
|
|
|
ip = srcdst [ flags ] [ with withopt ] [ icmp ] [ keep ] .
|
1997-11-16 04:52:19 +00:00
|
|
|
group = [ "head" decnumber ] [ "group" decnumber ] .
|
2005-04-25 17:31:50 +00:00
|
|
|
pps = "pps" decnumber .
|
1997-02-09 22:50:16 +00:00
|
|
|
|
2005-04-25 17:31:50 +00:00
|
|
|
onif = "on" interface-name [ "out-via" interface-name ] .
|
2002-03-19 11:45:20 +00:00
|
|
|
block = "block" [ return-icmp[return-code] | "return-rst" ] .
|
1997-11-16 04:52:19 +00:00
|
|
|
auth = "auth" | "preauth" .
|
1999-11-08 20:51:23 +00:00
|
|
|
log = "log" [ "body" ] [ "first" ] [ "or-block" ] [ "level" loglevel ] .
|
2005-04-25 17:31:50 +00:00
|
|
|
tag = "tag" tagid .
|
|
|
|
call = "call" [ "now" ] function-name "/" decnumber.
|
1997-02-09 22:50:16 +00:00
|
|
|
dup = "dup-to" interface-name[":"ipaddr] .
|
2005-04-25 17:31:50 +00:00
|
|
|
froute = "fastroute" | "to" interface-name .
|
|
|
|
replyto = "reply-to" interface-name [ ":" ipaddr ] .
|
1997-02-09 22:50:16 +00:00
|
|
|
protocol = "tcp/udp" | "udp" | "tcp" | "icmp" | decnumber .
|
|
|
|
srcdst = "all" | fromto .
|
|
|
|
fromto = "from" object "to" object .
|
|
|
|
|
2002-03-19 11:45:20 +00:00
|
|
|
return-icmp = "return-icmp" | "return-icmp-as-dest" .
|
1999-11-08 20:51:23 +00:00
|
|
|
loglevel = facility"."priority | priority .
|
1997-02-09 22:50:16 +00:00
|
|
|
object = addr [ port-comp | port-range ] .
|
|
|
|
addr = "any" | nummask | host-name [ "mask" ipaddr | "mask" hexnumber ] .
|
|
|
|
port-comp = "port" compare port-num .
|
|
|
|
port-range = "port" port-num range port-num .
|
|
|
|
flags = "flags" flag { flag } [ "/" flag { flag } ] .
|
|
|
|
with = "with" | "and" .
|
|
|
|
icmp = "icmp-type" icmp-type [ "code" decnumber ] .
|
|
|
|
return-code = "("icmp-code")" .
|
2005-04-25 17:31:50 +00:00
|
|
|
keep = "keep" "state" [ "limit" number ] | "keep" "frags" .
|
1997-02-09 22:50:16 +00:00
|
|
|
|
|
|
|
nummask = host-name [ "/" decnumber ] .
|
|
|
|
host-name = ipaddr | hostname | "any" .
|
|
|
|
ipaddr = host-num "." host-num "." host-num "." host-num .
|
|
|
|
host-num = digit [ digit [ digit ] ] .
|
|
|
|
port-num = service-name | decnumber .
|
|
|
|
|
2005-04-25 17:31:50 +00:00
|
|
|
withopt = [ "not" | "no" ] opttype [ [ "," ] withopt ] .
|
|
|
|
opttype = "ipopts" | "short" | "nat" | "bad-src" | "lowttl" | "frag" |
|
|
|
|
"mbcast" | "opt" ipopts .
|
1997-02-09 22:50:16 +00:00
|
|
|
optname = ipopts [ "," optname ] .
|
|
|
|
ipopts = optlist | "sec-class" [ secname ] .
|
|
|
|
secname = seclvl [ "," secname ] .
|
|
|
|
seclvl = "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" |
|
|
|
|
"reserv-4" | "secret" | "topsecret" .
|
|
|
|
icmp-type = "unreach" | "echo" | "echorep" | "squench" | "redir" |
|
|
|
|
"timex" | "paramprob" | "timest" | "timestrep" | "inforeq" |
|
1997-11-16 04:52:19 +00:00
|
|
|
"inforep" | "maskreq" | "maskrep" | "routerad" |
|
|
|
|
"routersol" | decnumber .
|
1997-02-09 22:50:16 +00:00
|
|
|
icmp-code = decumber | "net-unr" | "host-unr" | "proto-unr" | "port-unr" |
|
|
|
|
"needfrag" | "srcfail" | "net-unk" | "host-unk" | "isolate" |
|
2000-02-09 20:46:45 +00:00
|
|
|
"net-prohib" | "host-prohib" | "net-tos" | "host-tos" |
|
|
|
|
"filter-prohib" | "host-preced" | "cutoff-preced" .
|
1997-02-09 22:50:16 +00:00
|
|
|
optlist = "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" |
|
|
|
|
"sec" | "lsrr" | "e-sec" | "cipso" | "satid" | "ssrr" | "addext" |
|
|
|
|
"visa" | "imitd" | "eip" | "finn" .
|
1999-11-08 20:51:23 +00:00
|
|
|
facility = "kern" | "user" | "mail" | "daemon" | "auth" | "syslog" |
|
|
|
|
"lpr" | "news" | "uucp" | "cron" | "ftp" | "authpriv" |
|
|
|
|
"audit" | "logalert" | "local0" | "local1" | "local2" |
|
|
|
|
"local3" | "local4" | "local5" | "local6" | "local7" .
|
|
|
|
priority = "emerg" | "alert" | "crit" | "err" | "warn" | "notice" |
|
|
|
|
"info" | "debug" .
|
1997-02-09 22:50:16 +00:00
|
|
|
|
|
|
|
hexnumber = "0" "x" hexstring .
|
|
|
|
hexstring = hexdigit [ hexstring ] .
|
|
|
|
decnumber = digit [ decnumber ] .
|
|
|
|
|
|
|
|
compare = "=" | "!=" | "<" | ">" | "<=" | ">=" | "eq" | "ne" | "lt" | "gt" |
|
|
|
|
"le" | "ge" .
|
|
|
|
range = "<>" | "><" .
|
|
|
|
hexdigit = digit | "a" | "b" | "c" | "d" | "e" | "f" .
|
|
|
|
digit = "0" | "1" | "2" | "3" | "4" | "5" | "6" | "7" | "8" | "9" .
|
2005-04-25 17:31:50 +00:00
|
|
|
flag = "F" | "S" | "R" | "P" | "A" | "U" | "C" | "W" .
|