Usage: rule srcaddr = (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server) dstaddr = (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 ...

Usage:
  rule [ srcaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)
       [ dstaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)
       [ mmpolicy = ] 
       [ [ qmpolicy = ]  ]
       [ [ protocol = ] (ANY | ICMP | TCP | UDP | RAW | ) ]
       [ [ srcport = ]  ]
       [ [ dstport = ]  ]
       [ [ mirrored = ] (yes | no) ]
       [ [ conntype = ] (lan | dialup | all) ]
       [ [ actioninbound = ] (permit | block | negotiate) ]
       [ [ actionoutbound = ] (permit | block | negotiate) ]
       [ [ srcmask = ] (mask | prefix) ]
       [ [ dstmask = ] (mask | prefix) ]
       [ [ tunneldstaddress = ] (ip | dns) ]
       [ [ kerberos = ] (yes | no) ]
       [ [ psk = ]  ]
       [ [ rootca = ] " certmap:(yes | no) excludecaname:(yes | no)" ]

  Adds a Rule.

Parameters:

  Tag               Value
  srcaddr          - Source ip address (ipv4 or ipv6), address range, dns name, or server type.
  dstaddr          -Destination ip address (ipv4 or ipv6), address range, dns name, or server type.
  mmpolicy         -Main mode policy
  qmpolicy         -Quick mode policy
  protocol         -Can be ANY, ICMP, TCP, UDP, RAW, or an integer.
                    If you specify a port, acceptable value is TCP or UDP. 
  srcport          -Source port(0 means any port)
  dstport          -Destination port(0 means any port)
  mirrored         -‘Yes' creates two filters, one in each direction.
  conntype         -Connection type
  actioninbound    -Action for inbound packets
  actionoutbound   -Action for outbound packets
  srcmask          -Source address mask or a prefix of 1 through 32. Not applicable if srcaddr is set to a range 
  dstmask          -Destination address mask or a prefix of 1 through 32. Not applicable if dstaddr is set to a range 
  tunneldstaddress -Tunnel destination ip address or dns name.
  kerberos         -Provides kerberos authentication if ‘yes' is specified.
  psk              -Provides authentication using a specified preshared key.
  rootca           -Provides authentication using a specified root certificate,
                    attempts to map the cert if certmap:Yes is specified,
                    excludes the CA name if excludecaname:Yes is specified.

Remarks: 1. Port valid for TCP and UDP.
         2. Server type can be WINS, DNS, DHCP or GATEWAY
         3. Default for actioninbound and actionoutbound is ‘negotiate'.
         4. For tunnel rules, mirrored must be set to 'no'.
         5. Certificate, mapping, and CA name settings are all to be within
            quotes; embedded quotes are to be replaced with \'.
         6. Certificate mapping is valid only for domain members.
         7. Multiple certificates can be provided by using the rootca
            parameter multiple times.
         8. The preference of each authentication method is determined by its
            order in the command.
         9. If no auth methods are stated, dynamic defaults are used.
        10. Excluding the root certification authority (CA) name prevents the
            name from being sent as part of the certificate request.
        11. If an address range is specified, the endpoints need to be specific addresses (not lists, or subnets) and of the same type (both should be v4 or both should be v6).

Example: add rule srcaddr=192.168.145.110 dstaddr=192.168.145.215 mmpolicy=mmp
         qmpolicy=qmp mirrored=no srcmask=32 dstmask=255.255.255.255
         rootca="C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority"
         rootca="C=US,O=MSFT,CN=\'Microsoft North, South, East, and West Root
         Authority\' certmap:yes excludecaname:no"