Owner's Manual
- TCP established — TCP packets other than the first packet of a connection. This is a synonym for “(ack | rst)”. This condition does not implicitly check that the protocol is TCP. To check this, specify the protocol tcp match condition.
In some screens you can select Advanced to bring up additional match condition parameters.
Action Tab
This tab configures the firewall response for data that meets the matching criteria.
Table 13-1. Bit-Field Firewall Filter Match Conditions

Match Condition     Description

ip-options number   IP options. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): loose-source-route (131), record-route (7), router-alert (148), strict-source-route (137), or timestamp (68).

tcp-flags number    TCP flags. Normally, you specify this match in conjunction with the protocol match statement to determine which protocol is being used on the port. For more details, see How Firewall Filters Test a Packet's Protocol. In place of the numeric value, you can specify one of the following text synonyms (the field values are also listed): ack (0x10), fin (0x01), push (0x08), rst (0x04), syn (0x02), or urgent (0x20).

Text Synonyms

first-fragment      First fragment of a fragmented packet. This condition does not match unfragmented packets.

is-fragment         This condition matches if the packet is a trailing fragment; it does not match the first fragment of a fragmented packet. To match both first and trailing fragments, you can use two terms.

tcp-established     TCP packets other than the first packet of a connection. This is a synonym for “(ack | rst)”. This condition does not implicitly check that the protocol is TCP. To check this, specify the protocol tcp match condition.

tcp-initial         First TCP packet of a connection. This is a synonym for “(syn & !ack)”.
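The bit-field conditions in Table 13-1 can be evaluated mechanically against a packet header. The following Python is an added example and is not part of the manual or the product's own code. It models only the header fields these conditions need (a constructed Packet class), assumes that the conditions listed in one term are ANDed, interprets first-fragment as fragment offset zero with the more-fragments bit set and is-fragment as a non-zero offset, and shows why tcp-established has to be paired with an explicit protocol tcp condition: the synonym tests the byte at the TCP flags offset whatever the protocol is, and uses the bit values and option numbers exactly as the table lists them.

```python
"""Evaluate the bit-field match conditions of Table 13-1.

Added example, not from the manual. Assumptions: the Packet model below,
AND semantics between the conditions of a term, and the fragment
interpretation described in the comments.
"""
from dataclasses import dataclass

# Bit values and option numbers as listed in Table 13-1.
TCP_FLAG_BITS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "push": 0x08,
                 "ack": 0x10, "urgent": 0x20}
IP_OPTION_NUMBERS = {"record-route": 7, "timestamp": 68,
                     "loose-source-route": 131, "strict-source-route": 137,
                     "router-alert": 148}
PROTO_TCP = 6   # IANA protocol number for TCP
PROTO_UDP = 17  # used only for the constructed sample packets


@dataclass
class Packet:
    """Constructed header model (assumption): only the fields the conditions read."""
    protocol: int                 # IP protocol number
    frag_offset: int = 0          # IP fragment offset, in 8-byte units
    more_fragments: bool = False  # IP "more fragments" bit
    l4_flags_byte: int = 0        # byte at the TCP flags offset, regardless of protocol
    ip_options: tuple = ()        # IP option numbers present in the header


def protocol_tcp(pkt):
    return pkt.protocol == PROTO_TCP


def tcp_flags(pkt, mask):
    """tcp-flags <number>: true if any bit of the mask is set in the flags byte."""
    return bool(pkt.l4_flags_byte & mask)


def tcp_established(pkt):
    # Synonym for "(ack | rst)". Deliberately no protocol check, as the table says.
    return tcp_flags(pkt, TCP_FLAG_BITS["ack"] | TCP_FLAG_BITS["rst"])


def tcp_initial(pkt):
    # Synonym for "(syn & !ack)".
    return tcp_flags(pkt, TCP_FLAG_BITS["syn"]) and not tcp_flags(pkt, TCP_FLAG_BITS["ack"])


def first_fragment(pkt):
    # Assumed interpretation: offset 0 with more-fragments set. An
    # unfragmented packet (offset 0, bit clear) does not match.
    return pkt.frag_offset == 0 and pkt.more_fragments


def is_fragment(pkt):
    # Assumed interpretation: trailing fragment only, i.e. non-zero offset.
    return pkt.frag_offset != 0


def ip_option_present(pkt, option):
    """ip-options <number or synonym>: true if that option is in the header."""
    number = IP_OPTION_NUMBERS.get(option, option)
    return number in pkt.ip_options


CONDITIONS = {
    "protocol tcp": protocol_tcp,
    "tcp-established": tcp_established,
    "tcp-initial": tcp_initial,
    "first-fragment": first_fragment,
    "is-fragment": is_fragment,
}


def term_matches(conditions, pkt):
    """A term matches when every condition it lists matches (assumed AND semantics)."""
    return all(CONDITIONS[name](pkt) for name in conditions)


def first_matching_term(terms, pkt):
    """Return the name of the first term whose conditions all match, else None."""
    for name, conditions in terms:
        if term_matches(conditions, pkt):
            return name
    return None


# "To match both first and trailing fragments, you can use two terms."
FRAGMENT_TERMS = [("first", ["first-fragment"]), ("trailing", ["is-fragment"])]

if __name__ == "__main__":
    # Constructed sample: a UDP datagram whose byte at the TCP flags offset
    # happens to be 0x10 (ack). tcp-established alone matches it; the term
    # that also requires protocol tcp does not.
    udp_noise = Packet(protocol=PROTO_UDP, l4_flags_byte=0x10)
    print("tcp-established alone:", tcp_established(udp_noise))
    print("protocol tcp + tcp-established:",
          term_matches(["protocol tcp", "tcp-established"], udp_noise))
    print("fragment term:", first_matching_term(
        FRAGMENT_TERMS, Packet(protocol=PROTO_UDP, frag_offset=0, more_fragments=True)))
```

The UDP sample is the practical point: a filter that uses tcp-established without protocol tcp will also match any non-TCP packet that happens to carry an ack or rst bit at that offset, so pair the synonym with the protocol condition whenever the term's action depends on the packet being TCP.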