Usage: rule srcaddr = (ip | dns | server) dstaddr = (ip | dns | server) protocol = (ANY | ICMP | TCP | UDP | RAW | ) srcport ...

Usage:   rule [ srcaddr = ] (ip | dns | server)        [ dstaddr = ] (ip | dns | server)        [ protocol = ] (ANY | ICMP | TCP | UDP | RAW | )        [ srcport = ]         [ dstport = ]         [ mirrored = ] (yes | no)        [ conntype = ] (lan | dialup | all)        [ [ srcmask = ] (mask | prefix) ]        [ [ dstmask = ] (mask | prefix) ]        [ [ tunneldstaddress = ] (ip | dns) ]        [ [ mmpolicy = ]  ]        [ [ qmpolicy = ]  ]        [ [ actioninbound = ] (permit | block | negotiate) ]        [ [ actionoutbound = ] (permit | block | negotiate) ]        [ [ kerberos = ] (yes | no) ]        [ [ psk = ]  ]        [ [ rootca = ] " certmap:(yes | no) excludecaname:(yes | no)" ]    Modifies a rule and associated filters in SPD.  Parameters:    Tag               Value   srcaddr          - Source ip address (ipv4 or ipv6), address range, dns name, or server type.   dstaddr          -Destination ip address (ipv4 or ipv6), address range,  dns name, or server type.   protocol         -Can be ANY, ICMP, TCP, UDP, RAW, or an integer.   srcport          -Source port (0 means any port)   dstport          -Destination port (0 means any port)   mirrored         -'Yes' creates two filters, one in each direction.   conntype         -Connection type   srcmask          -Source address mask or a prefix of 1 through 32. Not applicable if srcaddr is set to a range    dstmask          -Destination address mask or a prefix of 1 through 32. Not applicable if dstaddr is set to a range    tunneldstaddress -Tunnel destination ip address or dns name.   mmpolicy         -Main mode policy   qmpolicy         -Quick mode policy   actioninbound    -Action for inbound packets   actionoutbound   -Action for outbound packets   kerberos         -Provides kerberos authentication if ‘yes' is specified   psk              -Provides authentication using a specified preshared key   rootca           -Provides authentication using a specified root certificate,                     attempts to map the cert if certmap:Yes is specified,                     excludes the CA name if excludecaname:Yes is specified.  Remarks:  1. Mmpolicy, qmpolicy, actioninbound, actionoutbound              and authmethods can be set; other fields are identifiers.           2. Server type can be WINS, DNS, DHCP or GATEWAY           3. Certificate, mapping, and CA name settings are all to be within              quotes; embedded quotes are to be replaced with \'.           4. Certificate mapping is valid only for domain members.           5. Multiple certificates can be provided by using the rootca              parameter multiple times.           6. The preference of each authentication method is determined by              its order in the command.           7. If no auth methods are stated, dynamic defaults are used.           8. All authentication methods are overwritten with the stated list.           9. Excluding the root certification authority (CA) name prevents              the name from being sent as part of the certificate request.          10. If an address range is specified, the endpoints need to be specific addresses (not lists, or subnets) and of the same type (both should be v4 or both should be v6).  Examples: 1. set rule srca=WINS dsta=0.0.0.0 srcmask=32 dstmask=32              tunneldst=192.168.145.1              proto=tcp srcport=80 dstport=80 mir=no con=lan              qmp=qmp actionin=negotiate actionout=permit           2. set rule srcaddr=192.168.145.110 dstaddr=192.168.145.215              mmpolicy=mmp qmpolicy=qmp mirrored=no srcmask=32              rootca="C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority"              rootca="C=US,O=MSFT,CN=\'Microsoft North, South, East, and West              Root Authority\' certmap:yes excludecaname:no"