[pve-docs.git] / pve-firewall-rules-opts.adoc

`--dest` `<string>` ::

Restrict packet destination address. This can refer to a single IP address, an
IP set ('+ipsetname') or an IP alias definition. You can also specify an
address range like '20.34.101.207-201.3.9.99', or a list of IP addresses and
networks (entries are separated by comma). Please do not mix IPv4 and IPv6
addresses inside such lists.

`--dport` `<string>` ::

Restrict TCP/UDP destination port. You can use service names or simple numbers
(0-65535), as defined in '/etc/services'. Port ranges can be specified with
'\d+:\d+', for example '80:85', and you can use comma separated list to match
several ports or ranges.

`--icmp-type` `<string>` ::

Restrict ICMP packets to specific types. You can either use the names as
ip[6]tables ('ip[6]tables -p icmp[v6] -h') provides them, or use the
Type[/Code] value, for example 'network-unreachable' which corresponds to
'3/0'.

`--iface` `<string>` ::

Network interface name. You have to use network configuration key names for VMs
and containers ('net\d+'). Host related rules can use arbitrary strings.

`--log` `<alert | crit | debug | emerg | err | info | nolog | notice | warning>` ::

Log level for firewall rule.

`--proto` `<string>` ::

IP protocol. You can use protocol names ('tcp'/'udp') or simple numbers, as
defined in '/etc/protocols'.

`--source` `<string>` ::

Restrict packet source address. This can refer to a single IP address, an IP
set ('+ipsetname') or an IP alias definition. You can also specify an address
range like '20.34.101.207-201.3.9.99', or a list of IP addresses and networks
(entries are separated by comma). Please do not mix IPv4 and IPv6 addresses
inside such lists.

`--sport` `<string>` ::

Restrict TCP/UDP source port. You can use service names or simple numbers
(0-65535), as defined in '/etc/services'. Port ranges can be specified with
'\d+:\d+', for example '80:85', and you can use comma separated list to match
several ports or ranges.
Commit	Line	Data
2489d6df	1	`--dest` `<string>` ::
696fb448	2
580d1297 TL	3	Restrict packet destination address. This can refer to a single IP address, an
	4	IP set ('+ipsetname') or an IP alias definition. You can also specify an
	5	address range like '20.34.101.207-201.3.9.99', or a list of IP addresses and
	6	networks (entries are separated by comma). Please do not mix IPv4 and IPv6
	7	addresses inside such lists.
696fb448	8
2489d6df	9	`--dport` `<string>` ::
696fb448	10
580d1297 TL	11	Restrict TCP/UDP destination port. You can use service names or simple numbers
	12	(0-65535), as defined in '/etc/services'. Port ranges can be specified with
	13	'\d+:\d+', for example '80:85', and you can use comma separated list to match
	14	several ports or ranges.
696fb448	15
4772952b TL	16	`--icmp-type` `<string>` ::
4772952b TL	17
bdb9c34e ML	18	Restrict ICMP packets to specific types. You can either use the names as
	19	ip[6]tables ('ip[6]tables -p icmp[v6] -h') provides them, or use the
	20	Type[/Code] value, for example 'network-unreachable' which corresponds to
	21	'3/0'.
4772952b	22
2489d6df	23	`--iface` `<string>` ::
696fb448	24
580d1297 TL	25	Network interface name. You have to use network configuration key names for VMs
580d1297 TL	26	and containers ('net\d+'). Host related rules can use arbitrary strings.
696fb448	27
95895385 TL	28	`--log` `<alert \| crit \| debug \| emerg \| err \| info \| nolog \| notice \| warning>` ::
	29
	30	Log level for firewall rule.
	31
2489d6df	32	`--proto` `<string>` ::
696fb448	33
580d1297 TL	34	IP protocol. You can use protocol names ('tcp'/'udp') or simple numbers, as
580d1297 TL	35	defined in '/etc/protocols'.
696fb448	36
2489d6df	37	`--source` `<string>` ::
696fb448	38
580d1297 TL	39	Restrict packet source address. This can refer to a single IP address, an IP
	40	set ('+ipsetname') or an IP alias definition. You can also specify an address
	41	range like '20.34.101.207-201.3.9.99', or a list of IP addresses and networks
	42	(entries are separated by comma). Please do not mix IPv4 and IPv6 addresses
	43	inside such lists.
696fb448	44
2489d6df	45	`--sport` `<string>` ::
696fb448	46
580d1297 TL	47	Restrict TCP/UDP source port. You can use service names or simple numbers
	48	(0-65535), as defined in '/etc/services'. Port ranges can be specified with
	49	'\d+:\d+', for example '80:85', and you can use comma separated list to match
	50	several ports or ranges.
696fb448	51