Usage: rule srcaddr = (ip | dns | server) dstaddr = (ip | dns | server) protocol = (ANY | ICMP | TCP | UDP | RAW | <integer>) srcport ...

Usage:
  rule [ srcaddr = ] (ip | dns | server)
       [ dstaddr = ] (ip | dns | server)
       [ protocol = ] (ANY | ICMP | TCP | UDP | RAW | <integer>)
       [ srcport = ] <port>
       [ dstport = ] <port>
       [ mirrored = ] (yes | no)
       [ conntype = ] (lan | dialup | all)
       [ [ srcmask = ] (mask | prefix) ]
       [ [ dstmask = ] (mask | prefix) ]
       [ [ tunneldstaddress = ] (ip | dns) ]
       [ [ mmpolicy = ] <string> ]
       [ [ qmpolicy = ] <string> ]
       [ [ actioninbound = ] (permit | block | negotiate) ]
       [ [ actionoutbound = ] (permit | block | negotiate) ]
       [ [ kerberos = ] (yes | no) ]
       [ [ psk = ] <preshared key> ]
       [ [ rootca = ] "<certificate> certmap:(yes | no) excludecaname:(yes | no)" ]

  Modifies a rule and associated filters in SPD.

Parameters:

  Tag               Value
  srcaddr          -Source ip address (ipv4 or ipv6), address range, dns name, or server type.
  dstaddr          -Destination ip address (ipv4 or ipv6), address range, dns name, or server type.
  protocol         -Can be ANY, ICMP, TCP, UDP, RAW, or an integer.
  srcport          -Source port (0 means any port)
  dstport          -Destination port (0 means any port)
  mirrored         -'Yes' creates two filters, one in each direction.
  conntype         -Connection type
  srcmask          -Source address mask or a prefix of 1 through 32. Not applicable if srcaddr is set to a range.
  dstmask          -Destination address mask or a prefix of 1 through 32. Not applicable if dstaddr is set to a range.
  tunneldstaddress -Tunnel destination ip address or dns name.
  mmpolicy         -Main mode policy
  qmpolicy         -Quick mode policy
  actioninbound    -Action for inbound packets
  actionoutbound   -Action for outbound packets
  kerberos         -Provides kerberos authentication if 'yes' is specified
  psk              -Provides authentication using a specified preshared key
  rootca           -Provides authentication using a specified root certificate,
                    attempts to map the cert if certmap:Yes is specified,
                    excludes the CA name if excludecaname:Yes is specified.

Remarks:  1. Mmpolicy, qmpolicy, actioninbound, actionoutbound
             and authmethods can be set; other fields are identifiers.
          2. Server type can be WINS, DNS, DHCP or GATEWAY
          3. Certificate, mapping, and CA name settings are all to be within
             quotes; embedded quotes are to be replaced with \'.
          4. Certificate mapping is valid only for domain members.
          5. Multiple certificates can be provided by using the rootca
             parameter multiple times.
          6. The preference of each authentication method is determined by
             its order in the command.
          7. If no auth methods are stated, dynamic defaults are used.
          8. All authentication methods are overwritten with the stated list.
          9. Excluding the root certification authority (CA) name prevents
             the name from being sent as part of the certificate request.
         10. If an address range is specified, the endpoints need to be
             specific addresses (not lists, or subnets) and of the same
             type (both should be v4 or both should be v6).

Examples: 1. set rule srca=WINS dsta=0.0.0.0 srcmask=32 dstmask=32
             tunneldst=192.168.145.1
             proto=tcp srcport=80 dstport=80 mir=no con=lan
             qmp=qmp actionin=negotiate actionout=permit
          2. set rule srcaddr=192.168.145.110 dstaddr=192.168.145.215
             mmpolicy=mmp qmpolicy=qmp mirrored=no srcmask=32
             rootca="C=US,O=MSFT,CN=Microsoft Authenticode(tm) Root Authority"
             rootca="C=US,O=MSFT,CN=\'Microsoft North, South, East, and West
             Root Authority\' certmap:yes excludecaname:no"
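
Added example (not part of the netsh help output): a small Python reviewer aid that reads a "set rule" command line and reports the ordered authentication list it would install, following remarks 3 to 8. The function names, the prefix-matching of abbreviated tags and the sample command are assumptions made for this example.

```python
import re
import shlex
# Tags from the usage text; abbreviations resolve as unambiguous prefixes (assumption).
TAGS = ("srcaddr dstaddr protocol srcport dstport mirrored conntype srcmask dstmask "
        "tunneldstaddress mmpolicy qmpolicy actioninbound actionoutbound "
        "kerberos psk rootca").split()
OPTION = re.compile(r"\s+(certmap|excludecaname):(yes|no)", re.IGNORECASE)
# Constructed sample command; the key and CA name are illustrative only.
SAMPLE = (r'''set rule srca=192.168.145.110 dsta=192.168.145.215 psk="constructed-key" '''
          r'''kerberos=yes rootca="C=US,O=Example,CN=\'Example, Inc. Root\' certmap:yes"''')

def resolve(tag):
    """Expand a possibly abbreviated tag; reject unknown or ambiguous ones."""
    hits = [t for t in TAGS if t == tag] or [t for t in TAGS if t.startswith(tag)]
    if len(hits) != 1:
        raise ValueError(f"unknown or ambiguous tag: {tag!r}")
    return hits[0]

def parse_rootca(value):
    """Split a rootca value into the CA name and its yes/no options (remark 3)."""
    opts = {k.lower(): v.lower() == "yes" for k, v in OPTION.findall(value)}
    name = OPTION.sub("", value).replace("\\'", '"')  # \' read as an embedded double quote
    return {"method": "rootca", "ca": name, **opts}

def auth_methods(args):
    """Ordered authentication list that the command would install (remarks 5, 6)."""
    methods = []
    for token in shlex.split(args):
        tag, sep, value = token.partition("=")
        if not sep:
            continue  # "set", "rule" and positional values are out of scope here
        tag = resolve(tag.lower())
        if tag == "kerberos" and value.lower() == "yes":
            methods.append({"method": "kerberos"})
        elif tag == "psk":
            methods.append({"method": "psk"})  # the key itself is never echoed
        elif tag == "rootca":
            methods.append(parse_rootca(value))
    return methods

def review(args):
    """Notes for a change reviewer, from remarks 4, 7 and 8."""
    methods = auth_methods(args)
    if not methods:
        return ["no auth methods stated: dynamic defaults are used"]
    order = " > ".join(m["method"] for m in methods)
    notes = ["overwrites all existing auth methods; preference order: " + order]
    if any(m.get("certmap") for m in methods):
        notes.append("certmap:yes is valid only for domain members")
    return notes
```

Calling review(SAMPLE) on a change script before it is applied shows whether a preshared key would end up preferred over Kerberos or a certificate.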