-------------------
IP := A.B.C.D
IPM := A.B.C.D/M
IP-RANGE := A.B.C.D-X.Y.Z.T | IP | IPM
MAC := AA:BB:CC:DD:EE:FF
PORT := 1 -> 65536
PORTRANGE := PORT:PORT | PORT
MPORT := PORT[-PORT]
MULTI-PORTRANGE := PORTRANGE[,PORTRANGE]

INTERFACE := inside | outside | dmz | extend
INTERFACES := inside,outside,dmz,extend

NETWORK := A.B.C.0/M
HOST := IP | hostname

MULTI-IP-RANGE := IP-RANGE[,IP-RANGE]

RULESET := INTERFACE INTERFACE
ACTION := allow | deny | reset
ICMP-TYPE := any | ping | pong| source-quench | destination-unreachable |
	redirect | router-advertisement | router-solicitation | ttl-exceeded |
	parameter-problem | timestamp-request | timestamp-reply |
	address-mask-request | address-mask-reply
PROTOCOLS := ip | icmp | igmp | ipip | ahp | esp
srcIP dstIP := any | IP | IPM 
srcPORT dstPORT := any | PORT | PORTRANGE
lan_net := IP | NETWORK

-------------------
show version

name ip <NAME> MULTI-IP-RANGE
name { tcp_port | udp_port } <NAME> MULTI-PORTRANGE
name { tcp_port | udp_port } <NAME> MPORT
no name { ip | tcp_port | udp_port } <NAME>
show name

ip route { default | NETWORK } IP
no ip route { default | NETWORK } IP
show ip route

policy filter <RULESET> ACTION { tcp | udp } srcIP srcPORT dstIP dstPORT
policy filter <RULESET> ACTION icmp type ICMP-TYPE srcIP dstIP
policy filter <RULESET> ACTION PROTOCOLS srcIP dstIP
	+  day 1-7
	|  time HH:MM-HH:MM
	|  state ESTABLISHED,RELATED,INVALID,NEW
policy portfw <RULESET> { tcp | udp } wanPort lanIP lanPort
policy portfw_lan <RULESET> { tcp | udp } wanPort lanIP lanPort lan_net

MATCHPROTO TRIGGERPROTO := { tcp | udp | all }
policy trigger <RULESET> MATCHPROTO matchMPort TRIGGERPROTO openMPort
policy domainblock <RULESET> webPort domain
policy permproto ipv4 PROTONUM
move <RULESET> <1-65535> <1-65535>
no policy <RULESET> <1-65535>
show policy
show policy <RULESET>

bind <RULESET>
unbind <RULESET>

trigger { on | off }

write flush
load default
quit
