Update manpage. BTW, if somebody with good English
would go through it and fix it, it would be a really good idea.
parent
3c3f8b95a8
commit
009f85df0b
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=6854
@ -36,6 +36,9 @@ These are <entry-actions>:
|
||||
dela[ccounting] - remove entry from accounting chain.
|
||||
clr[accounting] - clear counters for accounting chain entry.
|
||||
|
||||
If no <entry-action> specified,default addf[irewall] or add[accounting]
|
||||
will be used,depending on <chain-entry pattern> specified.
|
||||
|
||||
These are <chain-actions>:
|
||||
f[lush] - remove all entries in firewall/accounting chains.
|
||||
l[ist] - show all entries in firewall/accounting chains.
|
||||
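Review bot: The new sentence "If no <entry-action> specified,default addf[irewall] or add[accounting] will be used,depending on <chain-entry pattern> specified." does not say which pattern keywords select which default, so a reader cannot tell from this paragraph which chain an action-less command will modify. Suggest spelling it out against the two keyword groups the page lists under "For forwarding/blocking chains" and "For accounting chain", and adding the missing spaces after the commas.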
@ -44,17 +47,20 @@ These are <chain-actions>:
|
||||
|
||||
This is <chain-entry pattern> structure:
|
||||
For forwarding/blocking chains:
|
||||
lr[eject] <proto/addr pattern> reject packet,send ICMP unreachable and log.
|
||||
r[eject] <proto/addr pattern> reject packet,send ICMP unreachable.
|
||||
ld[eny] <proto/addr pattern> reject packet,log it.
|
||||
d[eny] <proto/addr pattern> reject packet.
|
||||
l[og] <proto/addr pattern> allow packet,log it.
|
||||
a[ccept] <proto/addr pattern> allow packet.
|
||||
lreject <proto/addr pattern> reject packet,send ICMP unreachable and log.
|
||||
reject <proto/addr pattern> reject packet,send ICMP unreachable.
|
||||
ldeny <proto/addr pattern> reject packet,log it.
|
||||
deny <proto/addr pattern> reject packet.
|
||||
log <proto/addr pattern> allow packet,log it.
|
||||
accept <proto/addr pattern> allow packet.
|
||||
pass <proto/addr pattern> allow packet.
|
||||
For accounting chain:
|
||||
s[ingle] <proto/addr pattern> log packets matching entry.
|
||||
b[idirectional] <proto/addr pattern> log packets matching entry and
|
||||
single <proto/addr pattern> log packets matching entry.
|
||||
bidirectional <proto/addr pattern> log packets matching entry and
|
||||
those going in opposite direction (from entry
|
||||
"dst" to "src").
|
||||
|
||||
Each keyword will be recognized by the shortest unambigious prefix.
|
||||
|
||||
The <proto/addr pattern> is:
|
||||
all|icmp from <src addr/mask> to <dst addr/mask> [via <via>]
|
||||
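Review bot: The added rule "Each keyword will be recognized by the shortest unambigious prefix." conflicts with what the replaced lines documented: the old form l[og] made "l" mean log, but with log, lreject and ldeny all starting with "l" that prefix is no longer unambiguous, and the page does not say what happens to an ambiguous prefix. For a firewall rule set the difference between log (allow) and ldeny (reject) matters, so either keep the bracket notation showing the accepted abbreviations or state how an ambiguous prefix is handled. Also, "unambigious" should be "unambiguous", and the new "pass" line has the same description as "accept" ("allow packet.") without saying the two are synonyms.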
@ -62,11 +68,17 @@ The <proto/addr pattern> is:
|
||||
all matches any IP packet.
|
||||
icmp,tcp and udp - packets for corresponding protocols.
|
||||
tcpsyn - tcp SYN packets (which used when initiating connection).
|
||||
|
||||
|
||||
The order of from/to/via keywords is unimportant.You can skip any
|
||||
of them,which will be then substituted by default entry matching
|
||||
any from/to/via packet kind.
|
||||
|
||||
The <src addr/mask>:
|
||||
<INET IP addr | domain name> [/mask bits | :mask pattern]
|
||||
Mask bits is a decimal number of bits set in the address mask.
|
||||
Mask pattern has form of IP address and AND'ed logically with address given.
|
||||
Keyword "any" can be used to specify 'any IP'.
|
||||
[ports]: [ port,port....|port:port]
|
||||
Name of service can be used instead of port numeric value.
|
||||
|
||||
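Review bot: The added paragraph beginning "The order of from/to/via keywords is unimportant.You can skip any of them" documents that an omitted from, to or via is replaced by an entry matching anything, which is the widest possible match and deserves to be stated more plainly than "default entry matching any from/to/via packet kind". Suggest saying directly that a rule with no "from" matches every source address (and likewise for "to" and "via"), so that a rule written with a part left out by mistake is understood to be broader, not narrower. The new line "Keyword "any" can be used to specify 'any IP'." could also say whether a mask may follow "any", and a space is missing after "unimportant." and after the commas.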
@ -74,6 +86,7 @@ The via <via> is optional and may specify IP address/domain name of local
|
||||
IP interface, or interface name (e.g. ed0) to match only packets coming
|
||||
through this interface.The IP or name given is NOT checked, and wrong
|
||||
value of IP causes entry to not match anything.
|
||||
Keyword 'via' can be substituted by 'on',for readability reasons.
|
||||
|
||||
To l[ist] command may be passed:
|
||||
f[irewall] | a[ccounting] to list specific chain or none to list
|
||||
|
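Review bot: The new line "Keyword 'via' can be substituted by 'on',for readability reasons." introduces the alias only here, while the pattern synopsis earlier in the page still reads "[via <via>]"; the synopsis should show both spellings so the two places agree. Since the surrounding context says the value "is NOT checked, and wrong value of IP causes entry to not match anything", it would help to state that the same applies when "on" is used. A space is missing after the comma.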