Usage: rule srcaddr = (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server) dstaddr = (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 ...

Usage:   rule [ srcaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)        [ dstaddr = ] (ipv4 | ipv6 | ipv4-ipv4 | ipv6-ipv6 | dns | server)        [ mmpolicy = ]         [ [ qmpolicy = ]  ]        [ [ protocol = ] (ANY | ICMP | TCP | UDP | RAW | ) ]        [ [ srcport = ]  ]        [ [ dstport = ]  ]        [ [ mirrored = ] (yes | no) ]        [ [ conntype = ] (lan | dialup | all) ]        [ [ actioninbound = ] (permit | block | negotiate) ]        [ [ actionoutbound = ] (permit | block | negotiate) ]        [ [ srcmask = ] (mask | prefix) ]        [ [ dstmask = ] (mask | prefix) ]        [ [ tunneldstaddress = ] (ip | dns) ]        [ [ kerberos = ] (yes | no) ]        [ [ psk = ]  ]        [ [ rootca = ] " certmap:(yes | no) excludecaname:(yes | no)" ]    Adds a Rule.  Parameters:    Tag               Value   srcaddr          - Source ip address (ipv4 or ipv6), address range, dns name, or server type.   dstaddr          -Destination ip address (ipv4 or ipv6), address range, dns name, or server type.   mmpolicy         -Main mode policy   qmpolicy         -Quick mode policy   protocol         -Can be ANY, ICMP, TCP, UDP, RAW, or an integer.                     If you specify a port, acceptable value is TCP or UDP.    srcport          -Source port(0 means any port)   dstport          -Destination port(0 means any port)   mirrored         -‘Yes' creates two filters, one in each direction.   conntype         -Connection type   actioninbound    -Action for inbound packets   actionoutbound   -Action for outbound packets   srcmask          -Source address mask or a prefix of 1 through 32. Not applicable if srcaddr is set to a range    dstmask          -Destination address mask or a prefix of 1 through 32. Not applicable if dstaddr is set to a range    tunneldstaddress -Tunnel destination ip address or dns name.   kerberos         -Provides kerberos authentication if ‘yes' is specified.   psk              -Provides authentication using a specified preshared key.   rootca           -Provides authentication using a specified root certificate,                     attempts to map the cert if certmap:Yes is specified,                     excludes the CA name if excludecaname:Yes is specified.  Remarks: 1. Port valid for TCP and UDP.          2. Server type can be WINS, DNS, DHCP or GATEWAY          3. Default for actioninbound and actionoutbound is ‘negotiate'.          4. For tunnel rules, mirrored must be set to 'no'.          5. Certificate, mapping, and CA name settings are all to be within             quotes; embedded quotes are to be replaced with \'.          6. Certificate mapping is valid only for domain members.          7. Multiple certificates can be provided by using the rootca             parameter multiple times.          8. The preference of each authentication method is determined by its             order in the command.          9. If no auth methods are stated, dynamic defaults are used.         10. Excluding the root certification authority (CA) name prevents the             name from being sent as part of the certificate request.         11. If an address range is specified, the endpoints need to be specific addresses (not lists, or subnets) and of the same type (both should be v4 or both should be v6).  Example: add rule srcaddr=192.168.145.110 dstaddr=192.168.145.215 mmpolicy=mmp          qmpolicy=qmp mirrored=no srcmask=32 dstmask=255.255.255.255          rootca="C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority"          rootca="C=US,O=MSFT,CN=\'Microsoft North, South, East, and West Root          Authority\' certmap:yes excludecaname:no"