XML Config File documentation
The XML Config file is defined as follows:
<config> <networks> <reserved> <zones> <services> <paths>
The following tags are available to configure what subsystems are used and the
values to use for limits when logging and accepting different types of traffic.
<internal enabled="boolean"/>
<ipsec enabled="boolean"/>
<dmz enabled="boolean"/>
<dialin enabled="boolean"/>
<networkCommand command="ip or ifconfig"/>
<mangleRules enabled="boolean"/>
<ecn enabled="boolean"/>
<log prefix="" level=""/>
<logRate taint="" reserved="" policy="" reject="" normal=""/>
<limitRate icmp=""/>
<moduleSupport kernel="modular or monolithic">
<module name="iptables module to load"/> - you can have multiple <module /> tags defined, as long as they are unique and do not have the same name as a <conntracker /> entry.
<conntracker name="iptables conntracker name - ftp, irc, tftp, amanda, etc." params="" active="boolean"/> - you can have multiple <conntracker /> tags defined, as long as they are unique and do not have the same name as a <module /> entry.
</moduleSupport>
<validityChecks unclean="boolean" tcpFlags="boolean"/>
<bridgeSupport enabled="boolean"/> - see the Perl Data structure for more details.
<snortInlineSupport enabled="boolean"/> - Enable support for snort-inline QUEUE'ing of ESTABLISHED,RELATED traffic.
<dynamicInterfaces mode="lookupIP|ignoreIP"/> - When mode = 'ignoreIP', dynamic interfaces are not looked up and their IPs are not used in the generated rules, so that laptops don't have issues when they move between networks. This means you don't have to restart the firewall rules every time your IP changes or you change a network. If this option is not set, it defaults to 'lookupIP', which implements the old behaviour.
If <log>, <logRate> and/or <limitRate> are not specified, then the defaults will
be used. If you specify a value of 0 for any <logRate> or <limitRate>
tag then the logging rules generated will not be limited for that part of the firewall.
If <mangleRules> is not specified, then it defaults to true.
boolean = true or false.
The following tags are available to define all networks or hosts that are allowed to come into
the firewall through a specific interface or that we want to limit traffic coming from or going
to for specific services.
<addr value="" index="" type="" active="boolean" comment=""/>
You can repeat the <addr> tag as many times as needed. Make sure that the index
value is unique since that will be what is used to select the network or host to limit incoming
or outgoing traffic by.
type can be normal (default) or mac to indicate a MAC address. When type
= mac, the generated rules will use the MAC address matching feature instead of source or
destination address matching. You do not need to specify the type attribute unless you are
specifying a MAC address, as it defaults to normal.
comment allows you to specify a user friendly string that describes the network entry being made.
active allows you to specify whether or not the network index is available.
boolean = true or false.
The following tags are available to define all networks that should be treated as never being valid
coming in the external interfaces (from the internet).
<addr value="" limitTo="" active="boolean" comment=""/>
You can repeat the <addr> tag as many times as needed.
comment allows you to specify a user friendly string that describes the reserved network entry being made.
limitTo specifies a comma separated list of external interfaces this entry will be blocked from entering.
If none are specified then it applies to all external interfaces that are not disabled.
active allows you to specify whether or not this reserved network entry will be used.
boolean = true or false.
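The constraints stated above for <moduleSupport>, <networks> and <reserved> are the kind of thing that silently produces a wrong rule set if they are violated (a duplicated network index, or a limitTo that names an interface that does not exist, means the limit is applied to the wrong thing or not at all). The following Python script is an added example, not code from this page or from the generator's own Perl code: it checks that module and conntracker names are unique and disjoint, that every <addr> index is unique, that a type="mac" entry actually carries a MAC address, that every reserved limitTo refers to a defined external interface alias, and that every boolean attribute is literally true or false. The sample document is constructed here, and the way the sections nest under <config> (including the <zones>/<external>/<interface> layout used to resolve limitTo) is an assumption of the example.

```python
"""Added example: cross-check the uniqueness and reference rules for
<moduleSupport>, <networks> and <reserved>.  Not part of the generator."""
import xml.etree.ElementTree as ET

# Constructed sample config; the nesting of the sections is an assumption.
SAMPLE_CONFIG = """<config>
  <moduleSupport kernel="modular">
    <module name="ip_conntrack"/>
    <module name="ipt_LOG"/>
    <conntracker name="ftp" params="" active="true"/>
    <conntracker name="irc" params="" active="false"/>
  </moduleSupport>
  <networks>
    <addr value="192.168.1.0/24" index="lan" active="true" comment="office LAN"/>
    <addr value="00:11:22:33:44:55" index="printer" type="mac" active="true" comment="printer NIC"/>
    <addr value="10.0.0.0/8" index="lan" active="true" comment="duplicate index!"/>
  </networks>
  <reserved>
    <addr value="10.0.0.0/8" limitTo="ext0" active="true" comment="RFC1918"/>
    <addr value="127.0.0.0/8" limitTo="ext0,ppp9" active="true" comment="loopback"/>
  </reserved>
  <zones>
    <external>
      <interface name="eth0" alias="ext0" ip="203.0.113.5" ipsec="false" ipsecLimitFrom="" network="" proxyarp="false" active="true" comment="uplink"/>
    </external>
  </zones>
</config>
"""

# Attributes the documentation declares as boolean (true or false only).
BOOL_ATTRS = ("active", "ipsec", "proxyarp", "enabled")


def _looks_like_mac(value):
    """Six colon-separated hex octets, e.g. 00:11:22:33:44:55."""
    parts = value.split(":")
    return len(parts) == 6 and all(
        len(p) == 2 and all(c in "0123456789abcdefABCDEF" for c in p) for p in parts)


def validate(xml_text):
    """Return a list of human-readable problems; an empty list means the config passed."""
    root = ET.fromstring(xml_text)
    problems = []

    # <moduleSupport>: module and conntracker names must be unique and must not overlap.
    modules = [m.get("name") for m in root.iterfind("moduleSupport/module")]
    trackers = [c.get("name") for c in root.iterfind("moduleSupport/conntracker")]
    for name in set(modules):
        if modules.count(name) > 1:
            problems.append(f"module '{name}' listed more than once")
    for name in set(trackers):
        if trackers.count(name) > 1:
            problems.append(f"conntracker '{name}' listed more than once")
    for name in set(modules) & set(trackers):
        problems.append(f"'{name}' is both a module and a conntracker")

    # <networks>: index must be unique; type="mac" entries need a MAC address as value.
    seen = []
    for addr in root.iterfind("networks/addr"):
        idx = addr.get("index", "")
        if idx in seen:
            problems.append(f"network index '{idx}' duplicated")
        seen.append(idx)
        if addr.get("type", "normal") == "mac" and not _looks_like_mac(addr.get("value", "")):
            problems.append(f"network '{idx}' is type mac but its value is not a MAC address")

    # <reserved>: limitTo must name aliases of external interfaces that actually exist.
    ext_aliases = {i.get("alias") for i in root.iterfind("zones/external/interface")}
    for addr in root.iterfind("reserved/addr"):
        for alias in addr.get("limitTo", "").split(","):
            alias = alias.strip()
            if alias and alias not in ext_aliases:
                problems.append(
                    f"reserved {addr.get('value')} limits to unknown external interface '{alias}'")

    # Every boolean attribute anywhere in the document must be exactly true or false.
    for el in root.iter():
        for attr in BOOL_ATTRS:
            v = el.get(attr)
            if v is not None and v not in ("true", "false"):
                problems.append(f"<{el.tag}> attribute {attr}='{v}' is not a boolean")
    return problems


if __name__ == "__main__":
    for line in validate(SAMPLE_CONFIG):
        print("PROBLEM:", line)
```

Run against the sample it reports the duplicated index 'lan' and the unknown interface 'ppp9'; fix those two lines and it returns an empty list.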
The following zones are used when defining the interfaces the system should use:
<external>
<internal>
<ipsec>
<dmz>
<dialin>
The following tags are available to define the network interface(s) to be used in this zone.
<interface name="" alias="" ip="" ipsec="boolean" ipsecLimitFrom="" network="" proxyarp="boolean" active="boolean" comment=""/>
You can repeat the <interface> tag as many times as needed. You must specify unique interfaces
that will exist on the system and they must have valid IP Addresses specified for them. Make sure
that you specify the network(s) (comma separated list) that the interface is a part of (they come from the <networks> section).
Currently the network is not used in the generated rules for external interfaces, but this
may change in the future. boolean = true or false.
Use the ipsecLimitFrom attribute to specify a comma separated list of network entries that you only want to allow
to make IPSec connections to the firewall through the specified interface.
If the ip="dynamic" then the interface is treated as getting its IP Address from a DHCP
server and we will use MASQUERADE instead of SNAT when traffic goes out it.
It is up to the server (dhcp client) to restart the firewall rules (and possibly IPSec) when the
IP Address changes as the rules being generated rely on the IP Address of the External Interface
to help limit the traffic we respond to. (Note: The External Zone is the only zone that
we support Dynamic Interfaces in.)
alias is the interface name that will be used in all paths to specify the incoming
or outgoing interface. This way you don't have to go through every single rule and
fixup the interfaces when you add/remove network cards or go to a machine with a different layout.
comment allows you to specify a user friendly string that describes the interface being configured.
proxyarp allows you to specify if proxy arp support needs to be enabled for this interface. By default it is disabled.
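Two of the attributes above change the security posture of the generated rules rather than just their shape: ip="dynamic" forces MASQUERADE because a fixed source address cannot be written into the rule set, and ipsecLimitFrom narrows which peers may even start an IPsec negotiation with the firewall. The following Python is an added example, not the generator's own code, showing how those attributes of one external <interface> decide the NAT target and the IPsec acceptance rules. The interface is given as a dict whose keys mirror the attributes, the network table and interface values are constructed, and the exact iptables command text is this example's choice; the classic IKE (udp/500) and ESP (IP protocol 50) matches are used for "IPsec connections to the firewall".

```python
"""Added example (not the generator's code): NAT target and IPsec acceptance
rules derived from an external <interface> entry."""

# Constructed network table standing in for the <networks> section: index -> value.
NETWORKS = {
    "branch": "198.51.100.0/24",
    "roadwarriors": "192.0.2.10",
}

# Constructed interface entries; keys mirror the <interface> attributes.
STATIC = {"name": "eth0", "alias": "ext0", "ip": "203.0.113.5", "ipsec": "true",
          "ipsecLimitFrom": "branch,roadwarriors", "active": "true"}
DYNAMIC = {"name": "ppp0", "alias": "ext1", "ip": "dynamic", "ipsec": "true",
           "ipsecLimitFrom": "", "active": "true"}


def nat_rule(iface):
    """Outbound NAT for one external interface, or None if the interface is inactive.
    A dynamic address cannot be baked into the rule set, so MASQUERADE looks the
    address up per packet; a fixed address allows the explicit (and cheaper) SNAT."""
    if iface["active"] != "true":
        return None
    if iface["ip"] == "dynamic":
        return f"iptables -t nat -A POSTROUTING -o {iface['name']} -j MASQUERADE"
    return f"iptables -t nat -A POSTROUTING -o {iface['name']} -j SNAT --to-source {iface['ip']}"


def ipsec_rules(iface, networks=NETWORKS):
    """INPUT rules admitting IKE (udp/500) and ESP (protocol 50) on the interface.
    ipsecLimitFrom narrows the permitted peers; an empty list means any source.
    With a fixed IP the rules also pin the destination, so only traffic addressed to
    the firewall's own address on that interface is accepted, as the documentation
    says the generated rules rely on the external IP to limit what is responded to."""
    if iface["active"] != "true" or iface["ipsec"] != "true":
        return []
    peers = [p.strip() for p in iface["ipsecLimitFrom"].split(",") if p.strip()]
    for p in peers:
        if p not in networks:
            raise ValueError(f"ipsecLimitFrom names unknown network index '{p}'")
    dst = "" if iface["ip"] == "dynamic" else f" -d {iface['ip']}"
    sources = [f" -s {networks[p]}" for p in peers] or [""]
    rules = []
    for src in sources:
        rules.append(f"iptables -A INPUT -i {iface['name']}{src}{dst} -p udp --dport 500 -j ACCEPT")
        rules.append(f"iptables -A INPUT -i {iface['name']}{src}{dst} -p 50 -j ACCEPT")
    return rules


if __name__ == "__main__":
    for entry in (STATIC, DYNAMIC):
        print(nat_rule(entry))
        print("\n".join(ipsec_rules(entry)))
```

For STATIC this yields one SNAT rule and four INPUT rules (two peers, IKE and ESP each, all pinned to 203.0.113.5); for DYNAMIC it yields a MASQUERADE rule and two unpinned INPUT rules, which is exactly the weaker position the documentation warns about when the external address is not known at rule-generation time.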
The following tags are available to define the network interface(s) to be used in this zone.
<interface name="" alias="" ip="" ipsec="boolean" ipsecLimitFrom="" network="" proxyarp="boolean" active="boolean" comment=""/>
You can repeat the <interface> tag as many times as needed. You must specify unique interfaces
that will exist on the system and they must have valid IP Addresses specified for them. Make sure
that you specify the network(s) (comma separated list) that the interface is a part of (they come from the <networks> section).
boolean = true or false.
Use the ipsecLimitFrom attribute to specify a comma separated list of network entries that you only want to allow
to make IPSec connections to the firewall through the specified interface.
alias is the interface name that will be used in all paths to specify the incoming
or outgoing interface. This way you don't have to go through every single rule and
fixup the interfaces when you add/remove network cards or go to a machine with a different layout.
comment allows you to specify a user friendly string that describes the interface being configured.
proxyarp allows you to specify if proxy arp support needs to be enabled for this interface. By default it is disabled.
The following tags are available to define the network interface(s) to be used in this zone.
<interface name="" alias="" boundTo="" network="" proxyarp="boolean" active="boolean" comment=""/>
You can repeat the <interface> tag as many times as needed. You must specify unique interfaces
that will exist on the system and must specify aliases of the interfaces to bind to via boundTo that
are defined in the other <interfaces> sections. Make sure
that you specify the network(s) that the interface will allow traffic from in a
comma separated list (they come from the <networks> section).
alias is the interface name that will be used in all paths to specify the incoming
or outgoing interface. This way you don't have to go through every single rule and
fixup the interfaces when you add/remove network cards or go to a machine with a different layout.
comment allows you to specify a user friendly string that describes the interface being configured.
proxyarp allows you to specify if proxy arp support needs to be enabled for this interface. By default it is disabled.
The following tags are available to define the network interface(s) to be used in this zone.
<interface name="" alias="" ip="" ipsec="boolean" ipsecLimitFrom="" network="" proxyarp="boolean" active="boolean" comment=""/>
You can repeat the <interface> tag as many times as needed. You must specify unique interfaces
that will exist on the system and they must have valid IP Addresses specified for them. Make sure
that you specify the network(s) (comma separated list) that the interface is a part of (they come from the <networks> section).
boolean = true or false.
Use the ipsecLimitFrom attribute to specify a comma separated list of network entries that you only want to allow
to make IPSec connections to the firewall through the specified interface.
alias is the interface name that will be used in all paths to specify the incoming
or outgoing interface. This way you don't have to go through every single rule and
fixup the interfaces when you add/remove network cards or go to a machine with a different layout.
comment allows you to specify a user friendly string that describes the interface being configured.
proxyarp allows you to specify if proxy arp support needs to be enabled for this interface. By default it is disabled.
The following tags are available to define the network interface(s) to be used in this zone.
<interface name="" alias="" ip="" ipsec="boolean" ipsecLimitFrom="" network="" proxyarp="boolean" active="boolean" comment=""/>
You can repeat the <interface> tag as many times as needed. You must specify unique interfaces
that will exist on the system and they must have valid IP Addresses specified for them. Make sure
that you specify the network(s) (comma separated list) that the interface is a part of (they come from the <networks> section).
boolean = true or false.
Use the ipsecLimitFrom attribute to specify a comma separated list of network entries that you only want to allow
to make IPSec connections to the firewall through the specified interface.
alias is the interface name that will be used in all paths to specify the incoming
or outgoing interface. This way you don't have to go through every single rule and
fixup the interfaces when you add/remove network cards or go to a machine with a different layout.
comment allows you to specify a user friendly string that describes the interface being configured.
proxyarp allows you to specify if proxy arp support needs to be enabled for this interface. By default it is disabled.
The services section is made up of 1 or more <service> tags. Each service defined must be unique.
The following tags are available to define what protocols, ports, etc. this service is composed of.
These tags may be defined multiple times.
<info proto="" dport="" sport="" icmpType=""/>
If you leave proto empty then this service will match on all types of traffic.
dport and sport should be empty when dealing with a non-tcp or non-udp protocol or
when the port is not required.
icmpType should be empty when dealing with a non-icmp protocol or when we want to
match all icmp types.
The paths section is made up of 1 or more <serviceGroup> tags, each of which names the service whose pathways are being defined. Each service defined must be unique.
The following tag types are available to define what pathways this service may take into, out and through
the firewall. These tags may be defined multiple times as long as no duplicates are created.
<firewallToInternal>
<firewallToExternal>
<firewallToIPSec>
<firewallToDMZ>
<firewallToDialin>
<firewallToFirewall>
<internalBroadcast>
<externalBroadcast>
<ipsecBroadcast>
<dmzBroadcast>
<dialinBroadcast>
<internalToFirewall>
<internalToInternal>
<internalToExternal>
<internalToIPSec>
<internalToDMZ>
<internalToDialin>
<externalToExternal>
<externalToFirewall>
<externalToInternal>
<externalToIPSec>
<externalToDMZ>
<externalToDialin>
<ipsecToFirewall>
<ipsecToInternal>
<ipsecToExternal>
<ipsecToIPSec>
<ipsecToDMZ>
<ipsecToDialin>
<dmzToFirewall>
<dmzToInternal>
<dmzToExternal>
<dmzToIPSec>
<dmzToDMZ>
<dmzToDialin>
<dialinToFirewall>
<dialinToInternal>
<dialinToExternal>
<dialinToIPSec>
<dialinToDMZ>
<dialinToDialin>
boolean = true or false.
Note: If you want to temporarily disable a serviceGroup entry or path, add active="false"
to the serviceGroup or path tag and it will not be processed.
comment allows you to specify a user friendly string that describes the serviceGroup being configured.
<path type="firewallToInternal" o="" limitTo="" active="boolean" comment="">
o must be assigned an interface that the packet is leaving the firewall from (internal zone) as defined
in the <internal> <interfaces> section. limitTo is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to go to. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the outgoing traffic to.
The interface specified in o will
be used to determine the IP Address that the traffic has to be coming from for it to be accepted.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags.
<reject/> - The traffic is rejected.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="firewallToExternal" o="" limitTo="" active="boolean" comment="">
o must be assigned an interface that the packet is leaving the firewall from (external zone) as defined
in the <external> <interfaces> section. limitTo is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to go to. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the outgoing traffic to.
The interface specified in o will
be used to determine the IP Address that the traffic has to be coming from for it to be accepted.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags.
<reject/> - The traffic is rejected.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="firewallToIPSec" o="" limitTo="" active="boolean" comment="">
o must be assigned an interface that the packet is leaving the firewall from (ipsec zone) as defined
in the <ipsec> <interfaces> section. limitTo is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to go to. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the outgoing traffic to.
The interface specified in o will
be used to determine the IP Address that the traffic has to be coming from for it to be accepted.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags.
<reject/> - The traffic is rejected.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="firewallToDMZ" o="" limitTo="" active="boolean" comment="">
o must be assigned an interface that the packet is leaving the firewall from (dmz zone) as defined
in the <dmz> <interfaces> section. limitTo is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to go to. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the outgoing traffic to.
The interface specified in o will
be used to determine the IP Address that the traffic has to be coming from for it to be accepted.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags.
<reject/> - The traffic is rejected.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="firewallToDialin" o="" limitTo="" active="boolean" comment="">
o must be assigned an interface that the packet is leaving the firewall from (dialin zone) as defined
in the <dialin> <interfaces> section. limitTo is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to go to. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the outgoing traffic to.
The interface specified in o will
be used to determine the IP Address that the traffic has to be coming from for it to be accepted.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags.
<reject/> - The traffic is rejected.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="firewallToFirewall" o="" active="boolean" comment="">
This requires the newNAT and localNAT patches in your kernel.
o must be assigned an interface that the packet is headed to on the firewall from the loopback interface lo.
The interface specified in o will
be used to determine the IP Address that the traffic is going to.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="internalBroadcast" i="" limitFrom="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <internal> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
If i="*" then all interfaces in the internal zone will be used.
This tag allows you to catch traffic that is coming from the internal network doing
a broadcast (destination 255.255.255.255) and do something with it.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
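The <service>/<info> description earlier on the page, the firewallTo* paths with their o/limitTo attributes, and the *Broadcast paths above with their i/limitFrom attributes, i="*" expansion, broadcast destination and <dropNoLog/> rule all feed one rule generator. The following Python is an added example, not code from this page or from the generator's Perl implementation, that models that pipeline end to end: it turns each <info> into an iptables match fragment (empty proto matches everything, ports only for tcp/udp, icmpType only for icmp), enforces that the action tags are mutually exclusive and that <log/> may accompany any of them except <dropNoLog/>, falls back to the interface's own networks when limitTo/limitFrom is empty, expands i="*" to every interface in the zone, and emits one LOG rule ahead of the action rule when <log/> is present. The sample document is constructed and its nesting under <config> is assumed; the exact rule text is this example's choice, and <dnat/> and <redirect/> (nat-table targets) are checked for exclusivity but not emitted.

```python
"""Added example (not the generator's code): <service> matches plus firewallTo*
and *Broadcast paths rendered as iptables commands, with the action-tag rules."""
import xml.etree.ElementTree as ET

# Constructed sample; the nesting of sections under <config> is an assumption.
SAMPLE = """<config>
  <networks>
    <addr value="192.168.1.0/24" index="lan" active="true"/>
    <addr value="192.168.1.53" index="dns" active="true"/>
  </networks>
  <zones>
    <internal>
      <interface name="eth1" alias="int0" ip="192.168.1.1" network="lan" active="true"/>
    </internal>
  </zones>
  <services>
    <service name="dns"><info proto="udp" dport="53"/><info proto="tcp" dport="53"/></service>
    <service name="any"><info proto=""/></service>
  </services>
  <paths>
    <serviceGroup name="dns" active="true">
      <path type="firewallToInternal" o="int0" limitTo="dns" active="true">
        <service name="dns"/><log level="info"/>
      </path>
    </serviceGroup>
    <serviceGroup name="bcast" active="true">
      <path type="internalBroadcast" i="*" limitFrom="" active="true">
        <service name="any"/><dropNoLog/>
      </path>
    </serviceGroup>
  </paths>
</config>"""

ACTIONS = ("reject", "dropNoLog", "dnat", "redirect", "queue")   # mutually exclusive
TARGET = {"reject": "REJECT", "dropNoLog": "DROP", "queue": "QUEUE", "accept": "ACCEPT"}


def service_matches(info_tags):
    """One iptables match fragment per <info>; an empty proto matches all traffic."""
    frags = []
    for info in info_tags:
        proto = info.get("proto", "")
        if not proto:
            frags.append("")
            continue
        m = f" -p {proto}"
        if proto in ("tcp", "udp"):
            for attr in ("sport", "dport"):
                if info.get(attr):
                    m += f" --{attr} {info.get(attr)}"
        elif info.get("sport") or info.get("dport"):
            raise ValueError(f"sport/dport must be empty for protocol {proto}")
        if proto == "icmp" and info.get("icmpType"):    # empty icmpType = all types
            m += f" --icmp-type {info.get('icmpType')}"
        frags.append(m)
    return frags


def path_action(path):
    """(action, log element): at most one action tag; <log/> may sit beside any of
    them except <dropNoLog/>; no action tag at all means the traffic is accepted."""
    present = [a for a in ACTIONS if path.find(a) is not None]
    if len(present) > 1:
        raise ValueError(f"{path.get('type')}: {present} are mutually exclusive")
    log = path.find("log")
    if log is not None and "dropNoLog" in present:
        raise ValueError(f"{path.get('type')}: <log/> cannot accompany <dropNoLog/>")
    return (present[0] if present else "accept"), log


def path_rules(root, path):
    """iptables commands for one <path> of a firewallTo* or *Broadcast type."""
    nets = {a.get("index"): a.get("value") for a in root.iterfind("networks/addr")}
    ptype = path.get("type")
    outbound = ptype.startswith("firewallTo")
    # firewallToInternal -> zone 'internal'; internalBroadcast -> zone 'internal'
    zone = ptype[len("firewallTo"):].lower() if outbound else ptype[:-len("Broadcast")].lower()
    chain, iflag, lim_attr, lim_flag, alias = (
        ("OUTPUT", "-o", "limitTo", "-d", path.get("o")) if outbound
        else ("INPUT", "-i", "limitFrom", "-s", path.get("i")))
    zone_ifaces = list(root.iterfind(f"zones/{zone}/interface"))
    ifaces = zone_ifaces if alias == "*" else [i for i in zone_ifaces if i.get("alias") == alias]
    if not ifaces:
        raise ValueError(f"{ptype}: no interface '{alias}' in zone {zone}")
    action, log = path_action(path)
    if action not in TARGET:
        raise ValueError(f"{action} needs a nat-table rule, which this example does not generate")
    svc = root.find(f"services/service[@name='{path.find('service').get('name')}']")
    rules = []
    for iface in ifaces:
        # An empty limit list falls back to the networks the interface is a member of.
        limits = [n for n in (path.get(lim_attr) or iface.get("network", "")).split(",") if n]
        for match in service_matches(svc.findall("info")):
            for net in limits:
                base = f"iptables -A {chain} {iflag} {iface.get('name')} {lim_flag} {nets[net]}{match}"
                if not outbound:
                    base += " -d 255.255.255.255"    # broadcast paths match the broadcast destination
                if log is not None:
                    rules.append(f"{base} -j LOG --log-level {log.get('level')}")
                rules.append(f"{base} -j {TARGET[action]}")
    return rules


def all_rules(xml_text):
    """Rules for every path that is not disabled with active="false"."""
    root = ET.fromstring(xml_text)
    rules = []
    for group in root.iterfind("paths/serviceGroup"):
        if group.get("active", "true") == "false":
            continue
        for path in group.findall("path"):
            if path.get("active", "true") != "false":
                rules.extend(path_rules(root, path))
    return rules


if __name__ == "__main__":
    print("\n".join(all_rules(SAMPLE)))
```

The sample produces four OUTPUT rules for the DNS path (LOG then ACCEPT for udp/53 and for tcp/53, destination pinned to the dns host named in limitTo) and one INPUT rule for the broadcast path (source limited to the interface's own network, destination 255.255.255.255, DROP with no LOG). Combining <dropNoLog/> with <log/>, or two action tags, is refused before any rule is written.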
<path type="externalBroadcast" i="" limitFrom="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <external> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
If i="*" then all interfaces in the external zone will be used.
This tag allows you to catch traffic that is coming from the external network doing
a broadcast (destination 255.255.255.255) and do something with it.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="ipsecBroadcast" i="" limitFrom="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <ipsec> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
If i="*" then all interfaces in the ipsec zone will be used.
This tag allows you to catch traffic that is coming from the ipsec network doing
a broadcast (destination 255.255.255.255) and do something with it.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="dmzBroadcast" i="" limitFrom="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <dmz> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
If i="*" then all interfaces in the dmz zone will be used.
This tag allows you to catch traffic that is coming from the dmz network doing
a broadcast (destination 255.255.255.255) and do something with it.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="dialinBroadcast" i="" limitFrom="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <dialin> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
If i="*" then all interfaces in the dialin zone will be used.
This tag allows you to catch traffic that is coming from the dialin network doing
a broadcast (destination 255.255.255.255) and do something with it.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except <dropNoLog/>.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="internalToFirewall" i="" ip="" limitFrom="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <internal> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine the IP Address that the traffic has to be going to for it to be accepted.
If i="*" then all interfaces in the internal zone will be used.
If ip is specified, then it should have a network entry that represents the IP Address on the firewall
that you want the incoming traffic to be matched against. ip allows you to match traffic coming from the internal network but destined for
a different IP address of the firewall (say the external IP address) that you want to do something special with.
Using this feature you can dnat or redirect traffic that may not have been possible using any of the other constructs.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface names the interface the traffic will leave through and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="internalToInternal" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
Note: This path is designed to allow a machine acting as a router for internal
networks to let the routed packets get back into the internal network. This will create
a rule in the FORWARD chain which lets the specified packets enter and leave the firewall, but
only for the internal zone(s).
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <internal> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the internal zone will be used.
o must be assigned an interface that the packet will leave the firewall from (internal zone)
and must be defined in the <internal> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere in the Intranet that the o interface has a network
entry created for.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface names the interface the traffic will leave through and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="internalToExternal" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <internal> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the internal zone will be used.
o must be assigned an interface that the packet will leave the firewall from (external zone)
and must be defined in the <external> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere on the Internet.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface names the interface the traffic will leave through and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="internalToIPSec" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <internal> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the internal zone will be used.
o must be assigned an interface that the packet will leave the firewall from (ipsec zone)
and must be defined in the <ipsec> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere in the VPN.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface names the interface the traffic will leave through and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="internalToDMZ" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <internal> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the internal zone will be used.
o must be assigned an interface that the packet will leave the firewall from (dmz zone)
and must be defined in the <dmz> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere in the DMZ.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface names the interface the traffic will leave through and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="internalToDialin" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <internal> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the internal zone will be used.
o must be assigned an interface that the packet will leave the firewall from (dialin zone)
and must be defined in the <dialin> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere in the dialed in network.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface names the interface the traffic will leave through and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="externalToExternal" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
Note: This path is designed to allow a machine acting as a router for external
networks to let the routed packets get back into the external network. This will create
a rule in the FORWARD chain which lets the specified packets enter and leave the firewall, but
only for the external zone(s).
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <external> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the external zone will be used.
o must be assigned an interface that the packet will leave the firewall from (external zone)
and must be defined in the <external> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere in the Internet that the o interface has a network
entry created for.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface names the interface the traffic will leave through and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="externalToFirewall" i="" ip="" limitFrom="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <external> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine the IP Address that the traffic has to be going to for it to be accepted.
If i="*" then all interfaces in the external zone will be used.
If ip is specified, then it should have a network entry that represents the IP Address on the firewall
that you want the incoming traffic to be matched against. ip allows you to match traffic coming from the external network but destined for
a different IP address of the firewall (say the internal IP address) that you want to do something special with.
Using this feature you can dnat or redirect traffic that may not have been possible using any of the other constructs.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface names the interface the traffic will leave through and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="externalToInternal" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <external> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the external zone will be used.
o must be assigned an interface that the packet will leave the firewall from (internal zone)
and must be defined in the <internal> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere in the Intranet.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface names the interface the traffic will leave through and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="externalToIPSec" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <external> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the external zone will be used.
o must be assigned an interface that the packet will leave the firewall from (ipsec zone)
and must be defined in the <ipsec> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere in the VPN.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface names the interface the traffic will leave through and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="externalToDMZ" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <external> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the external zone will be used.
o must be assigned an interface that the packet will leave the firewall from (dmz zone)
and must be defined in the <dmz> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere in the DMZ.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface names the interface the traffic will leave through and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="externalToDialin" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <external> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the external zone will be used.
o must be assigned an interface that the packet will leave the firewall from (dialin zone)
and must be defined in the <dialin> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere in the Dialed in network.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface names the interface the traffic will leave through and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="ipsecToFirewall" i="" ip="" limitFrom="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <ipsec> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the ipsec zone will be used.
If ip is specified, then it should have a network entry that represents the IP Address on the firewall
that you want the incoming traffic to be matched against. ip allows you to match traffic coming from the ipsec network but destined for
a different IP address of the firewall (say the internal IP address) that you want to do something special with.
Using this feature you can dnat or redirect traffic that may not have been possible using any of the other constructs.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface names the interface the traffic will leave through and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="ipsecToInternal" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <ipsec> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the ipsec zone will be used.
o must be assigned an interface that the packet will leave the firewall from (internal zone)
and must be defined in the <internal> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere in the Intranet.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except for the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="ipsecToExternal" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <ipsec> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the ipsec zone will be used.
o must be assigned an interface that the packet will leave the firewall from (external zone)
and must be defined in the <external> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere in the Internet.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except for the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="ipsecToIPSec" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
Note: This path is designed to allow a machine acting as a router for ipsec
networks to let the routed packets get back into the ipsec network. This will create
a rule in the FORWARD chain which lets the specified packets enter and leave the firewall, but
only for the ipsec zone(s).
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <ipsec> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the ipsec zone will be used.
o must be assigned an interface that the packet will leave the firewall from (ipsec zone)
and must be defined in the <ipsec> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere in the VPN that the o interface has a network
entry created for.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except for the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="ipsecToDMZ" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <ipsec> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the ipsec zone will be used.
o must be assigned an interface that the packet will leave the firewall from (dmz zone)
and must be defined in the <dmz> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere in the DMZ.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except for the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
<path type="ipsecToDialin" i="" o="" limitFrom="" limitTo="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <ipsec> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the ipsec zone will be used.
o must be assigned an interface that the packet will leave the firewall from (dialin zone)
and must be defined in the <dialin> <interfaces> section. limitTo is a
comma separated list (which can be empty) of networks and/or hosts as defined in the <networks>
section which you want to only allow this traffic to go to. If no networks are defined then the
traffic is allowed to go to anywhere in the dialed-in network.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except for the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport value from the <service> will be used.
<queue/> - The traffic is made available to user space via libipq.
<log comment="" level=""/> - The traffic is LOGged and then processed.
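The <path> and <service> rules given for the ipsecTo* paths above (i="*" expanding to every interface in the incoming zone, an empty limitFrom falling back to the interface's networks, dnatPort/redirectPort defaulting to the service's dport, and the mutual-exclusion rule for the action tags with the <log/>/<dropNoLog/> exception) as a small checker. This is an added example, not the project's own Perl code; the SERVICE_DPORT and ZONE_IFACES tables and the SAMPLE fragment are constructed stand-ins for the <services> and <zones> sections.

```python
import xml.etree.ElementTree as ET

ACTIONS = {"reject", "dropNoLog", "dnat", "redirect", "queue"}
DNAT_ZONES = {"internal", "dmz", "dialin", "ipsec"}
# Constructed stand-ins for the <services> and <zones> sections (assumption).
SERVICE_DPORT = {"http": "80", "ssh": "22"}            # service name -> dport
ZONE_IFACES = {"ipsec": {"ipsec0": ["vpnNet"]}, "dmz": {"eth1": ["dmzNet"]}}  # zone -> iface -> networks

def check_path(path):
    # Returns {"errors": [...], "limitFrom": [...], "actions": [(service, tag, port)]}.
    errors, actions = [], []
    in_zone = path.get("type", "").split("To", 1)[0].lower()
    ifaces = ZONE_IFACES.get(in_zone, {})
    i = path.get("i", "")
    chosen = list(ifaces) if i == "*" else [i]   # i="*" means every interface in the zone
    if not chosen or any(x not in ifaces for x in chosen):
        errors.append(f"i={i!r} is not an interface in the {in_zone} zone")
    # Empty limitFrom: fall back to the networks the incoming interface(s) belong to.
    limit_from = [n for n in path.get("limitFrom", "").split(",") if n]
    if not limit_from:
        limit_from = [n for x in chosen for n in ifaces.get(x, [])]
    for svc in path.findall("service"):
        name = svc.get("name")
        tags = [c.tag for c in svc]
        picked = [t for t in tags if t in ACTIONS]
        if len(picked) > 1:
            errors.append(f"{name}: {picked} are mutually exclusive")
        if "log" in tags and "dropNoLog" in tags:
            errors.append(f"{name}: <log/> cannot co-exist with <dropNoLog/>")
        for c in svc:
            port = SERVICE_DPORT.get(name, "")  # used when dnatPort/redirectPort is empty
            if c.tag == "dnat":
                zone, iface = c.get("zone"), c.get("interface")
                if zone not in DNAT_ZONES or iface not in ZONE_IFACES.get(zone, {}):
                    errors.append(f"{name}: dnat zone/interface {zone!r}/{iface!r} invalid")
                port = c.get("dnatPort") or port
            elif c.tag == "redirect":
                port = c.get("redirectPort") or port
            actions.append((name, c.tag, port))
    return {"errors": errors, "limitFrom": limit_from, "actions": actions}

def validate(xml_text):
    return [check_path(p) for p in ET.fromstring(xml_text).findall("path")]

# Constructed sample: a valid dnat plus a service that breaks the <log/>/<dropNoLog/> rule.
SAMPLE = """<paths><path type="ipsecToDMZ" i="*" o="eth1" limitFrom="" limitTo="" active="true" comment="vpn to dmz">
<service name="http"><dnat destination="webHost" zone="dmz" interface="eth1" dnatPort=""/></service>
<service name="ssh"><log comment="ssh from vpn" level="info"/><dropNoLog/></service>
</path></paths>"""
```

Running validate(SAMPLE) reports the ssh conflict, resolves limitFrom to vpnNet, and fills the empty dnatPort with the http service's dport.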
<path type="dmzToFirewall" i="" ip="" limitFrom="" active="boolean" comment="">
i must be assigned an interface that the packet is coming into the firewall with as defined
in the <dmz> <interfaces> section. limitFrom is a comma separated list
(which can be empty) of networks and/or hosts as defined in the <networks> section which you
want to only allow this traffic to originate from. If no networks are defined then the
network(s) that the interface is a member of will be used to limit the incoming traffic from.
The interface specified in i will
be used to determine where the traffic has to be coming from for it to be accepted.
If i="*" then all interfaces in the dmz zone will be used.
If ip is specified, then it should have a network entry that represents the IP Address on the firewall
that you want the incoming traffic to be matched against. ip allows you to match traffic coming from the dmz network but destined for
a different IP address of the firewall (say the external IP address) that you want to do something special with.
Using this feature you can dnat or redirect traffic that may not have been possible using any of the other constructs.
comment allows you to specify a user friendly string that describes the pathway being configured.
<service name=""/> - Defines what the properties of this service are.
The following tags are optional and are mutually exclusive, except for the <log/> tag, which can
co-exist with any of the other tags except for the <dropNoLog/> tag.
<reject/> - The traffic is rejected.
<dropNoLog/> - The traffic is DROPped without being logged.
<dnat destination="" zone="" interface="" dnatPort=""/> - The traffic is DNATted to the specified
host as defined in the <networks> section. zone can be one of internal,
dmz, dialin or ipsec and is used to determine the location of the destination
machine. interface is used to know which interface the traffic will be going out and must be a
valid interface in the specified zone. If dnatPort is empty, then the dport value from the <service> will be used.
<redirect redirectPort=""/> - The traffic is redirected to the local machine. If redirectPort is empty, then the
dport val