When you create packet rules, specify the IP addresses and services to which you want the rules to apply.
Defined addresses are interface specifications that have been given symbolic names. You should define addresses when the address you want to represent is a range of addresses, a subnet, a list of point-to-point identifiers, or a list of non-contiguous addresses. A defined address statement is required when you plan to create map address translation rules. If the address you want to represent is a single IP address in a filter statement, then a defined address statement is not required. Service aliases allow you to define services and then to reuse them in any number of filters. Service aliases also keep track of the purposes of different service definitions.
Defining addresses and service aliases makes it easier to create your packet rules. When you create the rules, you refer to the address nickname or service alias rather than the specific address or service details. Using nicknames and aliases in your filter rules has the following advantages:
For example, you have users on your network who need Internet access. However, you want to restrict these users to Web access only. You have two choices about how to create the filter rules that you need in this situation.
The first choice increases your chances of making typographical errors and increases the amount of maintenance that you must perform on your rules file. With the second choice, you only need to create two filter rules. Use a nickname in each rule to refer to the entire set of addresses to which the rule applies.
You can also create nicknames for services and use them in the same manner as address nicknames. The service alias defines what TCP, User Datagram Protocol (UDP), and Internet Control Message Protocol (ICMP) criteria you want to select. You select the source and destination port that you want to use.
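The following added example is not part of the original documentation and is not IBM i packet rules syntax. It is a small Python model of the Web-access scenario above: one defined address covering a range, a subnet, and a single non-contiguous host, two service aliases, and two filter rules that refer to them by name. The nickname WebUsers, the alias names, the sample addresses, TCP port 80 as the Web service, and the deny-when-nothing-matches behavior are assumptions of the model.

```python
# Illustrative model only; names, addresses and ports are constructed samples.
import ipaddress
from dataclasses import dataclass

def defined_address(*specs):
    """Expand single IPs, 'first-last' ranges and subnets into network objects."""
    nets = []
    for spec in specs:
        if "-" in spec:
            first, last = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(spec, strict=False))
    return nets

ANY = defined_address("0.0.0.0/0")

# One nickname stands for a range, a subnet and a non-contiguous host.
ADDRESSES = {"WebUsers": defined_address("10.1.1.10-10.1.1.20", "10.1.2.0/28", "10.1.9.5")}

# Service aliases: protocol plus source/destination port (None means any port).
SERVICES = {
    "WebOut": {"protocol": "tcp", "src_port": None, "dst_port": 80},
    "WebIn": {"protocol": "tcp", "src_port": 80, "dst_port": None},
}

@dataclass
class Filter:
    direction: str
    src: str      # address nickname, or "*" for any address
    dst: str
    service: str  # service alias name

# Two rules cover every address behind the nickname.
RULES = [Filter("outbound", "WebUsers", "*", "WebOut"),
         Filter("inbound", "*", "WebUsers", "WebIn")]

def _matches(nickname, ip):
    nets = ANY if nickname == "*" else ADDRESSES[nickname]
    return any(ipaddress.ip_address(ip) in net for net in nets)

def permitted(direction, src, dst, protocol, src_port, dst_port):
    """Return True if a rule permits the packet; unmatched packets are denied."""
    for rule in RULES:
        svc = SERVICES[rule.service]
        if (rule.direction == direction and svc["protocol"] == protocol
                and _matches(rule.src, src) and _matches(rule.dst, dst)
                and svc["src_port"] in (None, src_port)
                and svc["dst_port"] in (None, dst_port)):
            return True
    return False
```

Adding a user means changing only the WebUsers definition; both filter rules pick up the new address without being edited.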
For instructions on how to define addresses, service aliases, and ICMP services, use the Packet Rules Editor online help.
If you plan to use network address translation, go to create NAT rules. Otherwise, go to Creating IP filter rules to filter IP traffic coming into and going out of your network.