3 Restrict packet destination address. This can refer to a single IP address, an
4 IP set ('+ipsetname') or an IP alias definition. You can also specify an
5 address range like '20.34.101.207-201.3.9.99', or a list of IP addresses and
6 networks (entries are separated by comma). Please do not mix IPv4 and IPv6
7 addresses inside such lists.
9 `--dport` `<string>` ::
11 Restrict TCP/UDP destination port. You can use service names or simple numbers
12 (0-65535), as defined in '/etc/services'. Port ranges can be specified with
13 '\d+:\d+', for example '80:85', and you can use comma separated list to match
14 several ports or ranges.
16 `--icmp-type` `<string>` ::
18 Restrict ICMP packets to specific types. You can either use the names as
19 ip[6]tables ('ip[6]tables -p icmp[v6] -h') provides them, or use the
20 Type[/Code] value, for example 'network-unreachable' which corresponds to
23 `--iface` `<string>` ::
25 Network interface name. You have to use network configuration key names for VMs
26 and containers ('net\d+'). Host related rules can use arbitrary strings.
28 `--log` `<alert | crit | debug | emerg | err | info | nolog | notice | warning>` ::
30 Log level for firewall rule.
32 `--proto` `<string>` ::
34 IP protocol. You can use protocol names ('tcp'/'udp') or simple numbers, as
35 defined in '/etc/protocols'.
37 `--source` `<string>` ::
39 Restrict packet source address. This can refer to a single IP address, an IP
40 set ('+ipsetname') or an IP alias definition. You can also specify an address
41 range like '20.34.101.207-201.3.9.99', or a list of IP addresses and networks
42 (entries are separated by comma). Please do not mix IPv4 and IPv6 addresses
45 `--sport` `<string>` ::
47 Restrict TCP/UDP source port. You can use service names or simple numbers
48 (0-65535), as defined in '/etc/services'. Port ranges can be specified with
49 '\d+:\d+', for example '80:85', and you can use comma separated list to match
50 several ports or ranges.
projects / pve-docs.git / blob