set firewall name SOME-NAME rule 20
set firewall name SOME-NAME rule 20 action accept
set firewall name SOME-NAME rule 20 description "Some TCP..."
set firewall name SOME-NAME rule 20 source address 1.2.3.4
set firewall name SOME-NAME rule 20 protocol tcp
set firewall name SOME-NAME rule 20 tcp flags <flags>
are SYN, ACK, FIN, RST, URG, PSH, and ALL. You may use a comma-separated list and use the “!” to negate the flag.
I tried to use something like this
set firewall name SOME-NAME rule 20 state established enable
set firewall name SOME-NAME rule 20 state new disable
set firewall name SOME-NAME rule 20 state related enable
The established, new and related states are easier to understand for most people. But if you have some specific requirements for the TCP flags, they're supported by the tcp flags statement.
Using tcp flags I can only negate single flags, not groups of flags, so I can't mimic the exact same rule. If there were a way to negate a whole rule it would be easy, but there's neither a way to negate the group of flags, nor the whole rule, as far as I can see.
Thanks! I guess I will take your approach and use state based rules instead of the tcp flags ones. Like you said, those are much too cryptic after all.
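Added example, not code from this thread or from Vyatta: a small Python model of how a tcp flags list like the one in the first post is evaluated, plus a brute-force check of which packet sets a single rule can describe. It assumes the semantics of iptables' --tcp-flags mask/comp pair (every comma-separated entry is ANDed, "!" requires the bit clear, flags not mentioned are ignored, and ALL expands to the six flags named in the thread); single_rule_for, the six-flag packet enumeration and the sample flag sets are constructed for the example. It also backs up the point about group negation raised above: "not (SYN and ACK)" accepts 48 of the 64 possible flag combinations, and no single set/clear/ignore-per-flag pattern can express that, whereas "!SYN,!ACK" only accepts packets with both bits clear.

```python
"""Model of a Vyatta-style ``tcp flags`` match (added example, not from the thread).

Assumed semantics (mirrors iptables ``--tcp-flags mask comp``): every comma-separated
entry is ANDed together; ``FLAG`` requires the bit set, ``!FLAG`` requires it clear,
flags not mentioned are ignored, and ``ALL`` expands to all six flags named in the
thread.
"""
from itertools import product

TCP_FLAGS = ("SYN", "ACK", "FIN", "RST", "URG", "PSH")


def parse_flag_spec(spec):
    """Turn "SYN,!ACK" into (mask, comp): flags to examine and flags that must be set."""
    must_set, must_clear = set(), set()
    for tok in spec.split(","):
        tok = tok.strip().upper()
        negate = tok.startswith("!")
        name = tok[1:] if negate else tok
        names = set(TCP_FLAGS) if name == "ALL" else {name}
        unknown = names - set(TCP_FLAGS)
        if unknown:
            raise ValueError("unknown TCP flag(s): %s" % sorted(unknown))
        (must_clear if negate else must_set).update(names)
    clash = must_set & must_clear
    if clash:
        raise ValueError("flag(s) both required and negated: %s" % sorted(clash))
    return must_set | must_clear, must_set


def flags_match(spec, packet_flags):
    """True if a packet carrying ``packet_flags`` satisfies the spec."""
    mask, comp = parse_flag_spec(spec)
    present = {f.upper() for f in packet_flags}
    return (present & mask) == comp


def all_packet_flag_sets():
    """Every combination of the six flags a packet could carry (constructed input)."""
    for bits in product((0, 1), repeat=len(TCP_FLAGS)):
        yield frozenset(f for f, b in zip(TCP_FLAGS, bits) if b)


def all_single_rule_specs():
    """Every spec one rule can express: each flag is required set, clear, or ignored."""
    for choice in product(("set", "clear", "ignore"), repeat=len(TCP_FLAGS)):
        parts = [("!" + f if c == "clear" else f)
                 for f, c in zip(TCP_FLAGS, choice) if c != "ignore"]
        if parts:
            yield ",".join(parts)


def single_rule_for(predicate):
    """Return a spec matching exactly the packets ``predicate`` accepts, or None.

    A hypothetical helper: it brute-forces all set/clear/ignore patterns over the
    64 flag combinations, so it proves when no single rule can express a predicate.
    """
    packets = list(all_packet_flag_sets())
    wanted = {p for p in packets if predicate(p)}
    for spec in all_single_rule_specs():
        if {p for p in packets if flags_match(spec, p)} == wanted:
            return spec
    return None


if __name__ == "__main__":
    print(flags_match("SYN,!ACK", {"SYN"}))          # bare SYN of a new connection
    print(flags_match("SYN,!ACK", {"SYN", "ACK"}))   # SYN/ACK reply
    print(single_rule_for(lambda p: "SYN" in p and "ACK" not in p))
    print(single_rule_for(lambda p: not ("SYN" in p and "ACK" in p)))
```

The last call returning None is the concrete form of the limitation discussed in the thread: once a rule needs "anything except this combination", a single tcp flags entry cannot express it, which is why a state-based rule (new versus established) is the practical substitute.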