Definitions

All rules are defined by using a keyword and an assignment. Three categories of keywords exist:

Simple:
These are simple keywords that can only be assigned one value. They are written in the form KEYWORD=value.

Array:
Array keywords define an array of rules. The keyword is indexed by postfixing it with [n], where n is the position in the array. The first element in the array is one, and no index may be left out of the sequence. If two rules have the same index, there is no guarantee which of the rules will be chosen.

Sets:
Keyword sets are of the form KEYWORD_<identifier>=value, where the identifier can be any string. Within a set there is no specified order of the rules. If two identical rule names are specified, only one will be used, chosen in a non-deterministic fashion.
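The three keyword shapes above lend themselves to a small lint pass that catches the cases the text calls out as non-deterministic (duplicate array indexes, duplicate set identifiers) or invalid (gaps in an array, an index of zero). The following is an added example, not part of the original document or of the firewall's own tooling: the keyword names, the sample configuration and the regular expressions are assumptions, and rule values are treated as opaque strings rather than parsed according to the grammar.

```python
import re
from collections import Counter

# Constructed sample configuration (not from the original document). Only the
# three keyword shapes (KEYWORD=value, KEYWORD[n]=value, KEYWORD_<identifier>=value)
# come from the text; the keyword names and values are made up.
SAMPLE_CONFIG = """\
# simple keyword: one value only
LOGLEVEL=value1
# array keyword: 1-based and contiguous, index 3 is missing, index 2 is repeated
RULE[1]=value2
RULE[2]=value3
RULE[4]=value4
RULE[2]=value5
# set keyword: identifier 'lan' is repeated
ZONE_lan=value6
ZONE_internal=value7
ZONE_lan=value8
"""

# Assumed lexical conventions: keyword names are upper-case letters,
# array indexes are decimal, set identifiers are any non-blank string.
ARRAY_RE = re.compile(r'^([A-Z]+)\[(\d+)\]$')
SET_RE = re.compile(r'^([A-Z]+)_(\S+)$')


def classify(key):
    """Return (kind, keyword, index) where kind is 'array', 'set' or 'simple'."""
    m = ARRAY_RE.match(key)
    if m:
        return ('array', m.group(1), int(m.group(2)))
    m = SET_RE.match(key)
    if m:
        return ('set', m.group(1), m.group(2))
    return ('simple', key, None)


def parse_config(text):
    """Split KEYWORD=value lines into (lineno, kind, keyword, index, value) tuples."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if '=' not in line:
            raise ValueError(f"line {lineno}: expected KEYWORD=value, got {line!r}")
        key, value = line.split('=', 1)
        kind, name, index = classify(key.strip())
        entries.append((lineno, kind, name, index, value.strip()))
    return entries


def lint(entries):
    """Return sorted warnings for the ambiguities and errors the definitions describe."""
    warnings = []
    arrays, sets, simple = {}, {}, Counter()
    for lineno, kind, name, index, _value in entries:
        if kind == 'array':
            arrays.setdefault(name, []).append(index)
        elif kind == 'set':
            sets.setdefault(name, []).append(index)
        else:
            simple[name] += 1
    for name, idx in arrays.items():
        counts = Counter(idx)
        for i in sorted(i for i, c in counts.items() if c > 1):
            warnings.append(f"{name}[{i}] defined more than once; which rule is chosen is not guaranteed")
        present = set(idx)
        if 0 in present:
            warnings.append(f"{name}[0] is invalid; the first element is index 1")
        for i in sorted(set(range(1, max(present) + 1)) - present):
            warnings.append(f"{name}[{i}] is missing; no index may be left out of the sequence")
    for name, idents in sets.items():
        for ident in sorted(i for i, c in Counter(idents).items() if c > 1):
            warnings.append(f"{name}_{ident} defined more than once; only one will be used")
    for name, c in simple.items():
        if c > 1:
            warnings.append(f"{name} assigned {c} times; a simple keyword takes exactly one value")
    return sorted(warnings)


if __name__ == '__main__':
    for w in lint(parse_config(SAMPLE_CONFIG)):
        print('warning:', w)
```

Run against the constructed sample, the lint reports the repeated RULE[2], the missing RULE[3] and the repeated ZONE_lan; a clean configuration yields an empty list. Because the firewall resolves the duplicates non-deterministically, treating these warnings as errors before deployment avoids a policy whose effective rule set depends on load order.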

The syntax of all rules will be presented in BNF. Before presenting the rules, a list of definitions is given which will be used when specifying the syntax of the rules:


\begin{grammar}
<zone_name> ::= .string.
<zone> ::= <zone_name> \vert 'ALL'
\par...
...NOLOG'
\alt 'LOG'
\par
<proto_ip> ::= <protocol> <src_dst_ip>
\par
\end{grammar}
A rule consists of an action/policy and a set of matches which must be fulfilled in order for the action/policy to be applied to the connection. If this is the case, it is said that the rule matches the connection.

The <proto_ip> defines a general connection match used throughout the configuration files. The first argument <protocol> matches connections of this type. If the protocol is either tcp or udp, then the port specifies the destination port. If the protocol is icmp, an icmp type is required. The last argument <src_dst_ip> specifies the source and destination ip address of the connection, i.e. the source ip address must match the initiator of the connection, and the destination ip address must match the endpoint of the connection.

Anders Peter Fugmann 2011-03-20