5.14.6.1. Rule methods

Method                  Description
__init__(self, **kw)    Initializes a rule

Table 5.97. Method summary

Method __init__(self, **kw)

Initializes a rule

Arguments of __init__
dst_iface (interface)
Default: n/a
Permit traffic only for connections that target a configured IP address of the listed interfaces. This parameter can be used to provide nontransparent service on an interface that received its IP address dynamically. For example, dst_iface='eth0' or dst_iface=('eth0', 'tun1').

dst_port (integer)
Default: n/a
Permit traffic only if the client targets the listed port. For example, dst_port=80, or dst_port=(80, 443). To specify port ranges, use the PortRange class, for example, dst_port=PortRange(2000, 2100).

dst_subnet (subnet)
Default: n/a
Permit traffic only for connections targeting a listed IP address, or an address belonging to a listed subnet. The subnet can be an IPv4 or an IPv6 subnet. When listing multiple subnets, you can list both IPv4 and IPv6 subnets. IP addresses are treated as subnets with a /32 (IPv4) or /128 (IPv6) netmask. If no netmask is set for a subnet, it is treated as a specific IP address. For example, dst_subnet='192.168.10.16' or dst_subnet=('192.168.0.0/16', '2001:db8:c001:ba80::/58').

dst_zone (zone)
Default: n/a
Permit traffic only for connections targeting an address belonging to the listed zones. For example, dst_zone='office' or dst_zone=('office', 'finance'). Note that this applies to destination address of the client-side connection request: the actual address of the server-side connection can be different (for example, if a DirectedRouter is used in the service).

icmp_code (integer)
Default: n/a
If proto is set to ICMP (1), restrict the rule further to packets carrying the listed ICMP code.

If absent, the rule will match to any ICMP code value.

icmp_type (integer)
Default: n/a
If proto is set to ICMP (1), restrict the rule further to packets carrying the listed ICMP type.

If absent, the rule will match to any ICMP type value.

proto (integer)
Default: n/a
Permit only connections using the specified transport protocol. This is the transport layer (Layer 4) protocol of the OSI model, for example, TCP, UDP, ICMP, and so on. The protocol must be specified as a number: the decimal value of the "protocol" field of the IP header. This value is 6 for TCP and 17 for UDP. For a list of protocol numbers, see the Assigned Internet Protocol Numbers page of IANA. For example, proto=(6, 17).

To permit any protocol, do not add the proto parameter to the rule.

rule_id (integer)
Default: n/a
A unique ID number for the rule. This parameter is optional; if it is omitted, an ID number is generated automatically for the rule during startup.

service (service)
Default: n/a
The name of the service to start for matching connections. This is the only required parameter of the rule; everything else is optional. For example, service='MyService'.

src_iface (interface)
Default: n/a
Permit traffic only for connections received on the listed interfaces. For example, src_iface='eth0' or src_iface=('eth0', 'tun1').

src_port (integer)
Default: n/a
Permit traffic only if the client sends the connection request from the listed port. For example, src_port=4455. To specify port ranges, use the PortRange class, for example, src_port=PortRange(2000, 2100).

src_subnet (subnet)
Default: n/a
Permit traffic only for clients in the listed subnets or with the listed IP addresses. The subnet can be an IPv4 or an IPv6 subnet. When listing multiple subnets, you can list both IPv4 and IPv6 subnets. IP addresses are treated as subnets with a /32 (IPv4) or /128 (IPv6) netmask. If no netmask is set for a subnet, it is treated as a specific IP address. For example, src_subnet='192.168.10.16' or src_subnet=('192.168.0.0/16', '2001:db8:c001:ba80::/58').

src_zone (zone)
Default: n/a
Permit traffic only for the clients of the listed zones. For example, src_zone='office' or src_zone=('office', 'finance').
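The following is an added example, not Zorp's own code: a small Python model of how the parameters above narrow what a rule matches (single values or tuples, bare addresses treated as /32 or /128 subnets, mixed IPv4/IPv6 lists, PortRange entries, and parameters left unset matching any value). The `Rule` and `PortRange` classes, the `matches()` method and the shape of the `conn` dictionary are assumptions of this example; the zone parameters are left out because they need a zone database to resolve.

```python
import ipaddress

class PortRange:
    # Inclusive port range, mirroring the PortRange(low, high) notation above.
    def __init__(self, low, high):
        self.low, self.high = low, high
    def __contains__(self, port):
        return self.low <= port <= self.high

def _listify(value):
    # Every parameter takes a single value or a tuple of values.
    return value if isinstance(value, tuple) else (value,)

def _port_match(spec, port):
    # Each entry is a port number or a PortRange.
    return any(port == s if isinstance(s, int) else port in s for s in spec)

def _subnet_match(spec, ip):
    # A bare address becomes a /32 (IPv4) or /128 (IPv6) network. An address of
    # the other IP family never matches, so mixed IPv4/IPv6 lists are safe.
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s, strict=False) for s in spec)
# One matcher per optional parameter. conn describes the client-side connection request:
# proto, src_ip, dst_ip, src_port, dst_port, src_iface, dst_iface, icmp_type, icmp_code.
_MATCHERS = {
    'proto': lambda spec, c: c['proto'] in spec,
    'src_iface': lambda spec, c: c['src_iface'] in spec,
    'dst_iface': lambda spec, c: c['dst_iface'] in spec,
    'src_port': lambda spec, c: _port_match(spec, c['src_port']),
    'dst_port': lambda spec, c: _port_match(spec, c['dst_port']),
    'src_subnet': lambda spec, c: _subnet_match(spec, c['src_ip']),
    'dst_subnet': lambda spec, c: _subnet_match(spec, c['dst_ip']),
    'icmp_type': lambda spec, c: c.get('icmp_type') in spec,
    'icmp_code': lambda spec, c: c.get('icmp_code') in spec,
}

class Rule:
    def __init__(self, **kw):
        if 'service' not in kw:
            raise ValueError("service is the only required parameter")
        self.service, self.rule_id = kw['service'], kw.get('rule_id')
        self.criteria = {k: _listify(v) for k, v in kw.items() if k in _MATCHERS}

    def matches(self, conn):
        # A parameter absent from the rule is not checked, so it matches any value.
        return all(m(self.criteria[k], conn) for k, m in _MATCHERS.items() if k in self.criteria)

# Constructed example: TCP web traffic arriving on eth0 from the office networks.
WEB_RULE = Rule(service='MyService', proto=6, src_iface='eth0',
                src_subnet=('192.168.0.0/16', '2001:db8:c001:ba80::/58'),
                dst_port=(80, 443, PortRange(8000, 8100)))
```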