See explanations and examples of the parts of a firewall rule: clauses, conditions, and expressions.
A firewall rule consists of several statements (or clauses) that define the traffic to which the rule applies. When you create firewall rules manually, use the syntax described here.
The clauses are chained together to match specific criteria for each packet, and each clause represents a specific layer in the protocol stack. A clause can be broken down into conditions and expressions. The expressions are the variable part of the rule, in which you put the address, port, or other numeric parameters.
Clause | Description
---|---
Adapter clause | Attaches the rule to a specific adapter. The supported adapter expressions are any and the letters A through P. If you do not specify an adapter clause, the rule matches packets on any adapter.
Ethernet clause | Specifies either a network protocol type or a virtual LAN (VLAN) identifier to match against the 802.1 frame. You can use the Ethernet clause to filter 802.1q VLAN traffic or to allow or deny specific Ethernet protocol types. The list of protocol types is published by the Internet Assigned Numbers Authority (IANA). Ethernet protocol constants can be specified in decimal, octal, hexadecimal, or alias notation. To make it easier to block specific types of Ethernet traffic, you can specify an alias instead of the well-known number. In some cases an alias covers more than one protocol type (for example, IPX and PPPoE).
IPv4 datagram clause | Specifies IPv4 addresses and the transport-level filtering fields: TCP or UDP source or destination ports, ICMP type or code, or a specific IP protocol number. The clause identifies the protocol and the protocol-specific conditions that must be satisfied for the statement to match. Currently only ICMP, TCP, and UDP conditions are supported, but you can specify filters based on any IP protocol number. If you do not specify an IPv4 datagram clause, the statement matches any IPv4 datagram protocol. Of the examples for this clause, the first and second statements block IPv4 packets whose source address or destination address, respectively, matches the IPv4 address expression. The third statement blocks IPv4 packets whose source or destination address matches the expression. The fourth statement blocks IPv4 packets that match the protocol type. The fifth statement is a combination of the first and second statements. The sixth statement is a combination of the first, second, and fourth statements.
IPv6 datagram clause | Identifies the protocol and the protocol-specific conditions that must be satisfied for the statement to match. Currently only ICMPv6, TCP, and UDP conditions are supported, but you can specify filters based on any IPv6 protocol number. If you do not specify an IPv6 datagram clause, the statement matches any IPv6 datagram protocol. Of the examples for this clause, the first and second statements block IPv6 packets whose source address or destination address, respectively, matches the IPv6 address expression. The third statement blocks IPv6 packets whose source or destination address matches the expression. The fourth statement blocks IPv6 packets that match the protocol type. The fifth statement is a combination of the first and second statements. The sixth statement is a combination of the first, second, and fourth statements.
Condition | Description
---|---
TCP and UDP conditions | Specify TCP and UDP port numbers in decimal, octal, or hexadecimal notation. The valid range is 0 through 65535.
ICMP conditions | Specify ICMP type and code in decimal, octal, or hexadecimal notation. The valid type and code numbers are published by the Internet Assigned Numbers Authority (IANA).
ICMPv6 conditions | Specify ICMPv6 type and code in decimal, octal, or hexadecimal notation. The valid type and code numbers are published by the Internet Assigned Numbers Authority (IANA).
Expressions that begin with an exclamation mark (!) are called not-expressions. A not-expression matches every value except the values that you specify. A not-expression that cannot match any value (because it excludes the entire range) generates an error.
In the IPv4 address expressions below, each <n> is a decimal or hexadecimal number from 0 to 255. Hexadecimal numbers must use a 0x prefix.
Example | Description |
---|---|
n.n.n.n | Single address |
n.n.n.n, n.n.n.n | Address list |
n.n.n.n/<netmask> | Specific address that uses CIDR format; netmask value must range from 1 to 32 |
n.n.n.n - n.n.n.n | Address range, where the first value is smaller than the last |
In the IPv6 address expressions below, each n is a hexadecimal digit (0 through F). A four-digit group of zeros can be reduced to a single 0, and one run of consecutive zero groups can be omitted altogether by writing ::.
Example | Description |
---|---|
nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn | Single address |
nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn, nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn | Address list |
nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn/<prefix> | Specific address that uses CIDR format; prefix value must range from 1 to 128 |
nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn - nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn:nnnn | Address range, where the first value is smaller than the last |
Every constant must lie within the required range of its field; otherwise the parser rejects the clause.