Usage: rule srcaddr = (ip | dns | server) dstaddr = (ip | dns | server) mmpolicy = qmpolicy = protocol = (ANY | ICMP | TCP ...

Usage:
  rule [ srcaddr = ] (ip | dns | server)
       [ dstaddr = ] (ip | dns | server)
       [ mmpolicy = ]
       [ [ qmpolicy = ]  ]
       [ [ protocol = ] (ANY | ICMP | TCP | UDP | RAW | ) ]
       [ [ srcport = ]  ]
       [ [ dstport = ]  ]
       [ [ mirrored = ] (yes | no) ]
       [ [ conntype = ] (lan | dialup | all) ]
       [ [ actioninbound = ] (permit | block | negotiate) ]
       [ [ actionoutbound = ] (permit | block | negotiate) ]
       [ [ srcmask = ] (mask | prefix) ]
       [ [ dstmask = ] (mask | prefix) ]
       [ [ tunneldstaddress = ] (ip | dns) ]
       [ [ kerberos = ] (yes | no) ]
       [ [ psk = ]  ]
       [ [ rootca = ] " certmap:(yes | no) excludecaname:(yes | no)" ]

  Adds a Rule.

Parameters:

  Tag               Value
  srcaddr          -Source ip address, dns name, or server type.
  dstaddr          -Destination ip address, dns name, or server type.
  mmpolicy         -Main mode policy
  qmpolicy         -Quick mode policy
  protocol         -Can be ANY, ICMP, TCP, UDP, RAW, or an integer.
  srcport          -Source port(0 means any port)
  dstport          -Destination port(0 means any port)
  mirrored         -'Yes' creates two filters, one in each direction.
  conntype         -Connection type
  actioninbound    -Action for inbound packets
  actionoutbound   -Action for outbound packets
  srcmask          -Source address mask or a prefix of 1 through 32.
  dstmask          -Destination address mask or a prefix of 1 through 32.
  tunneldstaddress -Tunnel destination ip address or dns name.
  kerberos         -Provides kerberos authentication if 'yes' is specified.
  psk              -Provides authentication using a specified preshared key.
  rootca           -Provides authentication using a specified root certificate,
                    attempts to map the cert if certmap:Yes is specified,
                    excludes the CA name if excludecaname:Yes is specified.

Remarks: 1. Port valid for TCP and UDP.
         2. Server type can be WINS, DNS, DHCP or GATEWAY
         3. Default for actioninbound and actionoutbound is 'negotiate'.
         4. For tunnel rules, mirrored must be set to 'no'.
         5. Certificate, mapping, and CA name settings are all to be within
            quotes; embedded quotes are to be replaced with \'.
         6. Certificate mapping is valid only for domain members.
         7. Multiple certificates can be provided by using the rootca
            parameter multiple times.
         8. The preference of each authentication method is determined by its
            order in the command.
         9. If no auth methods are stated, dynamic defaults are used.
        10. Excluding the root certification authority (CA) name prevents the
            name from being sent as part of the certificate request.

Example: add rule srcaddr=192.168.145.110 dstaddr=192.168.145.215 mmpolicy=mmp
         qmpolicy=qmp mirrored=no srcmask=32 dstmask=255.255.255.255
         rootca="C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority"
         rootca="C=US,O=MSFT,CN=\'Microsoft North, South, East, and West Root
         Authority\' certmap:yes excludecaname:no"
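
The remarks above can be checked mechanically before a rule is applied. The following Python linter is an added example, not part of the original help text or of any Microsoft tool: it parses an `add rule` command line, reports the authentication methods in preference order (remark 8), and flags violations of remarks 1, 4 and 6 and of the mask range. The names `parse_rule`, `mask_ok` and `lint_rule` and the second sample rule are constructed for illustration, and treating an omitted protocol as ANY is an assumption.

```python
import re

TAGS = set(("srcaddr dstaddr mmpolicy qmpolicy protocol srcport dstport mirrored conntype "
            "actioninbound actionoutbound srcmask dstmask tunneldstaddress kerberos psk rootca").split())
PAIR = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S+)')  # tag = "quoted value" or bare token

def parse_rule(cmd):
    """Return (tag, value) pairs in command order; rootca may repeat (remark 7)."""
    pairs = []
    for tag, val in PAIR.findall(cmd):
        if val.startswith('"'):  # remark 5: \' stands for an embedded quote
            val = val[1:-1].replace("\\'", '"')
        pairs.append((tag.lower(), val))
    return pairs

def mask_ok(val):
    """Accept a prefix of 1 through 32 or a dotted-quad mask (contiguity not checked)."""
    if val.isdigit():
        return 1 <= int(val) <= 32
    parts = val.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)

def lint_rule(cmd):
    """Return (auth_order, findings); an empty auth_order means dynamic defaults (remark 9)."""
    pairs = parse_rule(cmd)
    opts = dict(pairs)
    findings = [f"unknown tag '{t}'" for t, _ in pairs if t not in TAGS]
    proto = opts.get("protocol", "ANY").upper()  # assumption: omitted protocol means ANY
    for tag in ("srcport", "dstport"):
        if opts.get(tag, "0") != "0" and proto not in ("TCP", "UDP"):
            findings.append(f"{tag} is only valid for TCP and UDP (remark 1)")
    if "tunneldstaddress" in opts and opts.get("mirrored", "").lower() != "no":
        findings.append("tunnel rule must set mirrored=no (remark 4)")
    for tag in ("srcmask", "dstmask"):
        if tag in opts and not mask_ok(opts[tag]):
            findings.append(f"{tag} must be a mask or a prefix of 1 through 32")
    auth = [t for t, v in pairs  # command order is preference order (remark 8)
            if t in ("psk", "rootca") or (t == "kerberos" and v.lower() == "yes")]
    if any(t == "rootca" and "certmap:yes" in v.lower() for t, v in pairs):
        findings.append("certmap:yes is valid only for domain members (remark 6)")
    return auth, findings

# The page's example on one line, then a constructed rule that breaks remarks 1 and 4.
PAGE_EXAMPLE = (r'''add rule srcaddr=192.168.145.110 dstaddr=192.168.145.215 mmpolicy=mmp '''
                r'''qmpolicy=qmp mirrored=no srcmask=32 dstmask=255.255.255.255 '''
                r'''rootca="C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority" rootca="C=US,O=MSFT,'''
                r'''CN=\'Microsoft North, South, East, and West Root Authority\' certmap:yes excludecaname:no"''')
BAD_RULE = ('add rule srcaddr=10.0.0.5 dstaddr=10.0.1.0 mmpolicy=mmp qmpolicy=qmp protocol=ICMP '
            'dstport=445 dstmask=33 tunneldstaddress=10.0.9.1 psk="constructed-key" kerberos=yes')
```

`lint_rule(BAD_RULE)` returns the auth order `psk`, `kerberos` together with three findings: the port on a non-TCP/UDP protocol, the tunnel rule without `mirrored=no`, and the out-of-range prefix.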