vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-12-15 18:12:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

firewall: T2199: adjust to new 1.4 CLI syntax

Browse Source 
"set zone-policy zone <name>" moved to "set firewall zone <name>".
This commit is contained in:
Christian Poessinger 2022-09-14 19:55:56 +02:00
parent 6071376c03
commit 122ecb23fc
9 changed files with 1007 additions and 1040 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/_include/interface-ip.txt
View File

@ -12,7 +12,7 @@
.. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in .. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in
1452 bytes on a 1492 byte MTU. 1452 bytes on a 1492 byte MTU.
Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to
automatically set the proper value. automatically set the proper value.
.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} .. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }}

9
docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst
View File

@ -65,7 +65,7 @@ Now you should be able to ping a public IPv6 Address
64 bytes from 2001:470:20::2: icmp_seq=2 ttl=64 time=30.5 ms 64 bytes from 2001:470:20::2: icmp_seq=2 ttl=64 time=30.5 ms
64 bytes from 2001:470:20::2: icmp_seq=3 ttl=64 time=30.8 ms 64 bytes from 2001:470:20::2: icmp_seq=3 ttl=64 time=30.8 ms
64 bytes from 2001:470:20::2: icmp_seq=4 ttl=64 time=90.5 ms 64 bytes from 2001:470:20::2: icmp_seq=4 ttl=64 time=90.5 ms
--- 2001:470:20::2 ping statistics --- --- 2001:470:20::2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms 4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 30.519/45.797/90.546/25.837 ms rtt min/avg/max/mdev = 30.519/45.797/90.546/25.837 ms
@ -89,7 +89,7 @@ You should now be able to ping something by IPv6 DNS name:
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=2 ttl=48 time=234 ms 64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=2 ttl=48 time=234 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=3 ttl=48 time=182 ms 64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=3 ttl=48 time=182 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=4 ttl=48 time=183 ms 64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=4 ttl=48 time=183 ms
--- tunnelbroker.net ping statistics --- --- tunnelbroker.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms 4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 182.224/195.335/233.869/22.248 ms rtt min/avg/max/mdev = 182.224/195.335/233.869/22.248 ms
@ -152,7 +152,7 @@ Now the Client is able to ping a public IPv6 address
64 bytes from 2001:470:20::2: icmp_seq=2 ttl=63 time=31.3 ms 64 bytes from 2001:470:20::2: icmp_seq=2 ttl=63 time=31.3 ms
64 bytes from 2001:470:20::2: icmp_seq=3 ttl=63 time=31.7 ms 64 bytes from 2001:470:20::2: icmp_seq=3 ttl=63 time=31.7 ms
64 bytes from 2001:470:20::2: icmp_seq=4 ttl=63 time=104 ms 64 bytes from 2001:470:20::2: icmp_seq=4 ttl=63 time=104 ms
--- 2001:470:20::2 ping statistics --- --- 2001:470:20::2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms 4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 31.331/56.908/104.282/29.764 ms rtt min/avg/max/mdev = 31.331/56.908/104.282/29.764 ms
@ -204,5 +204,4 @@ instead of `set firewall name NAME`, you would use `set firewall ipv6-name
NAME`. NAME`.
Similarly, to attach the firewall, you would use `set interfaces ethernet eth0 Similarly, to attach the firewall, you would use `set interfaces ethernet eth0
firewall in ipv6-name` or `set zone-policy zone LOCAL from WAN firewall firewall in ipv6-name` or `set firewall zone LOCAL from WAN firewall ipv6-name`.
ipv6-name`.

26
docs/configexamples/zone-policy.rst
View File

@ -5,6 +5,10 @@
Zone-Policy example Zone-Policy example
------------------- -------------------
.. note:: In :vytask:`T2199` the syntax of the zone configuration was changed.
The zone configuration moved from ``zone-policy zone <name>`` to ``firewall
zone <name>``.
Native IPv4 and IPv6 Native IPv4 and IPv6
^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^
@ -171,14 +175,14 @@ the source/destination address is not explicit.
.. code-block:: none .. code-block:: none
WAN DMZ:192.168.200.200 tcp/80 WAN - DMZ:192.168.200.200 - tcp/80
WAN DMZ:192.168.200.200 tcp/443 WAN - DMZ:192.168.200.200 - tcp/443
WAN DMZ:192.168.200.200 tcp/25 WAN - DMZ:192.168.200.200 - tcp/25
WAN DMZ:192.168.200.200 tcp/53 WAN - DMZ:192.168.200.200 - tcp/53
WAN DMZ:2001:0DB8:0:BBBB::200 tcp/80 WAN - DMZ:2001:0DB8:0:BBBB::200 - tcp/80
WAN DMZ:2001:0DB8:0:BBBB::200 tcp/443 WAN - DMZ:2001:0DB8:0:BBBB::200 - tcp/443
WAN DMZ:2001:0DB8:0:BBBB::200 tcp/25 WAN - DMZ:2001:0DB8:0:BBBB::200 - tcp/25
WAN DMZ:2001:0DB8:0:BBBB::200 tcp/53 WAN - DMZ:2001:0DB8:0:BBBB::200 - tcp/53
DMZ - Local - tcp/53 DMZ - Local - tcp/53
DMZ - Local - tcp/123 DMZ - Local - tcp/123
@ -345,8 +349,8 @@ Start by setting the interface and default action for each zone.
.. code-block:: none .. code-block:: none
set zone-policy zone dmz default-action drop set firewall zone dmz default-action drop
set zone-policy zone dmz interface eth0.30 set firewall zone dmz interface eth0.30
In this case, we are setting the v6 ruleset that represents traffic In this case, we are setting the v6 ruleset that represents traffic
sourced from the LAN, destined for the DMZ. Because the zone-policy sourced from the LAN, destined for the DMZ. Because the zone-policy
@ -355,7 +359,7 @@ it backwards.
.. code-block:: none .. code-block:: none
set zone-policy zone dmz from lan firewall ipv6-name lan-dmz-6 set firewall zone dmz from lan firewall ipv6-name lan-dmz-6
DMZ-LAN policy is LAN-DMZ. You can get a rhythm to it when you build out DMZ-LAN policy is LAN-DMZ. You can get a rhythm to it when you build out
a bunch at one time. a bunch at one time.

888
docs/configuration/firewall/general.rst Normal file
View File

@ -0,0 +1,888 @@
:lastproofread: 2021-06-29
.. _firewall:
########
Firewall
########
********
Overview
********
VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet
filtering.
The firewall supports the creation of groups for ports, addresses, and
networks (implemented using netfilter ipset) and the option of interface
or zone based firewall policy.
.. note:: **Important note on usage of terms:**
The firewall makes use of the terms `in`, `out`, and `local`
for firewall policy. Users experienced with netfilter often confuse
`in` to be a reference to the `INPUT` chain, and `out` the `OUTPUT`
chain from netfilter. This is not the case. These instead indicate
the use of the `FORWARD` chain and either the input or output
interface. The `INPUT` chain, which is used for local traffic to the
OS, is a reference to as `local` with respect to its input interface.
***************
Global settings
***************
Some firewall settings are global and have an affect on the whole system.
.. cfgcmd:: set firewall all-ping [enable | disable]
By default, when VyOS receives an ICMP echo request packet destined for
itself, it will answer with an ICMP echo reply, unless you avoid it
through its firewall.
With the firewall you can set rules to accept, drop or reject ICMP in,
out or local traffic. You can also use the general **firewall all-ping**
command. This command affects only to LOCAL (packets destined for your
VyOS system), not to IN or OUT traffic.
.. note:: **firewall all-ping** affects only to LOCAL and it always
behaves in the most restrictive way
.. code-block:: none
set firewall all-ping enable
When the command above is set, VyOS will answer every ICMP echo request
addressed to itself, but that will only happen if no other rule is
applied dropping or rejecting local echo requests. In case of conflict,
VyOS will not answer ICMP echo requests.
.. code-block:: none
set firewall all-ping disable
When the command above is set, VyOS will answer no ICMP echo request
addressed to itself at all, no matter where it comes from or whether
more specific rules are being applied to accept them.
.. cfgcmd:: set firewall broadcast-ping [enable | disable]
This setting enable or disable the response of icmp broadcast
messages. The following system parameter will be altered:
* ``net.ipv4.icmp_echo_ignore_broadcasts``
.. cfgcmd:: set firewall ip-src-route [enable | disable]
.. cfgcmd:: set firewall ipv6-src-route [enable | disable]
This setting handle if VyOS accept packets with a source route
option. The following system parameter will be altered:
* ``net.ipv4.conf.all.accept_source_route``
* ``net.ipv6.conf.all.accept_source_route``
.. cfgcmd:: set firewall receive-redirects [enable | disable]
.. cfgcmd:: set firewall ipv6-receive-redirects [enable | disable]
enable or disable of ICMPv4 or ICMPv6 redirect messages accepted
by VyOS. The following system parameter will be altered:
* ``net.ipv4.conf.all.accept_redirects``
* ``net.ipv6.conf.all.accept_redirects``
.. cfgcmd:: set firewall send-redirects [enable | disable]
enable or disable ICMPv4 redirect messages send by VyOS
The following system parameter will be altered:
* ``net.ipv4.conf.all.send_redirects``
.. cfgcmd:: set firewall log-martians [enable | disable]
enable or disable the logging of martian IPv4 packets.
The following system parameter will be altered:
* ``net.ipv4.conf.all.log_martians``
.. cfgcmd:: set firewall source-validation [strict | loose | disable]
Set the IPv4 source validation mode.
The following system parameter will be altered:
* ``net.ipv4.conf.all.rp_filter``
.. cfgcmd:: set firewall syn-cookies [enable | disable]
Enable or Disable if VyOS use IPv4 TCP SYN Cookies.
The following system parameter will be altered:
* ``net.ipv4.tcp_syncookies``
.. cfgcmd:: set firewall twa-hazards-protection [enable | disable]
Enable or Disable VyOS to be :rfc:`1337` conform.
The following system parameter will be altered:
* ``net.ipv4.tcp_rfc1337``
.. cfgcmd:: set firewall state-policy established action [accept | drop |
reject]
.. cfgcmd:: set firewall state-policy established log enable
Set the global setting for an established connection.
.. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject]
.. cfgcmd:: set firewall state-policy invalid log enable
Set the global setting for invalid packets.
.. cfgcmd:: set firewall state-policy related action [accept | drop | reject]
.. cfgcmd:: set firewall state-policy related log enable
Set the global setting for related connections.
******
Groups
******
Firewall groups represent collections of IP addresses, networks, or
ports. Once created, a group can be referenced by firewall rules as
either a source or destination. Members can be added or removed from a
group without changes to, or the need to reload, individual firewall
rules.
Groups need to have unique names. Even though some contain IPv4
addresses and others contain IPv6 addresses, they still need to have
unique names, so you may want to append "-v4" or "-v6" to your group
names.
Address Groups
==============
In an **address group** a single IP address or IP address ranges are
defined.
.. cfgcmd:: set firewall group address-group <name> address [address |
address range]
.. cfgcmd:: set firewall group ipv6-address-group <name> address <address>
Define a IPv4 or a IPv6 address group
.. code-block:: none
set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1
set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8
set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1
.. cfgcmd:: set firewall group address-group <name> description <text>
.. cfgcmd:: set firewall group ipv6-address-group <name> description <text>
Provide a IPv4 or IPv6 address group description
Network Groups
==============
While **network groups** accept IP networks in CIDR notation, specific
IP addresses can be added as a 32-bit prefix. If you foresee the need
to add a mix of addresses and networks, the network group is
recommended.
.. cfgcmd:: set firewall group network-group <name> network <CIDR>
.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR>
Define a IPv4 or IPv6 Network group.
.. code-block:: none
set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24
set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24
set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64
.. cfgcmd:: set firewall group network-group <name> description <text>
.. cfgcmd:: set firewall group ipv6-network-group <name> description <text>
Provide a IPv4 or IPv6 network group description.
Port Groups
===========
A **port group** represents only port numbers, not the protocol. Port
groups can be referenced for either TCP or UDP. It is recommended that
TCP and UDP groups are created separately to avoid accidentally
filtering unnecessary ports. Ranges of ports can be specified by using
`-`.
.. cfgcmd:: set firewall group port-group <name> port
[portname | portnumber | startport-endport]
Define a port group. A port name can be any name defined in
/etc/services. e.g.: http
.. code-block:: none
set firewall group port-group PORT-TCP-SERVER1 port http
set firewall group port-group PORT-TCP-SERVER1 port 443
set firewall group port-group PORT-TCP-SERVER1 port 5000-5010
.. cfgcmd:: set firewall group port-group <name> description <text>
Provide a port group description.
*********
Rule-Sets
*********
A rule-set is a named collection of firewall rules that can be applied
to an interface or a zone. Each rule is numbered, has an action to apply
if the rule is matched, and the ability to specify the criteria to
match. Data packets go through the rules from 1 - 999999, at the first match
the action of the rule will be executed.
.. cfgcmd:: set firewall name <name> description <text>
.. cfgcmd:: set firewall ipv6-name <name> description <text>
Provide a rule-set description.
.. cfgcmd:: set firewall name <name> default-action [drop | reject | accept]
.. cfgcmd:: set firewall ipv6-name <name> default-action [drop | reject |
accept]
This set the default action of the rule-set if no rule matched a packet
criteria.
.. cfgcmd:: set firewall name <name> enable-default-log
.. cfgcmd:: set firewall ipv6-name <name> enable-default-log
Use this command to enable the logging of the default action.
.. cfgcmd:: set firewall name <name> rule <1-999999> action [drop | reject |
accept]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [drop |
reject | accept]
This required setting defines the action of the current rule.
.. cfgcmd:: set firewall name <name> rule <1-999999> description <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> description <text>
Provide a description for each rule.
.. cfgcmd:: set firewall name <name> rule <1-999999> log [disable | enable]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable |
enable]
Enable or disable logging for the matched packet.
.. cfgcmd:: set firewall name <name> rule <1-999999> log-level [emerg |
alert | crit | err | warn | notice | info | debug]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-level [emerg |
alert | crit | err | warn | notice | info | debug]
Define log-level. Only applicable if rule log is enable.
.. cfgcmd:: set firewall name <name> rule <1-999999> disable
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable
If you want to disable a rule but let it in the configuration.
Matching criteria
=================
There are a lot of matching criteria against which the package can be tested.
.. cfgcmd:: set firewall name <name> rule <1-999999> connection-status nat
[destination | source]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-status
nat [destination | source]
Match criteria based on nat connection status.
.. cfgcmd:: set firewall name <name> rule <1-999999> source address
[address | addressrange | CIDR]
.. cfgcmd:: set firewall name <name> rule <1-999999> destination address
[address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address
[address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination address
[address | addressrange | CIDR]
This is similar to the network groups part, but here you are able to negate
the matching addresses.
.. code-block:: none
set firewall name WAN-IN-v4 rule 100 source address 192.0.2.10-192.0.2.11
# with a '!' the rule match everything except the specified subnet
set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24
set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202
.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code
<country>
.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
country-code <country>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
inverse-match
.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
country-code <country>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
inverse-match
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
country-code <country>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
inverse-match
Match IP addresses based on its geolocation.
More info: `geoip matching
<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
Use inverse-match to match anything except the given country-codes.
Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
permits redistribution so we can include a database in images(~3MB
compressed). Includes cron script (manually callable by op-mode update
geoip) to keep database and rules updated.
.. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address
<mac-address>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source mac-address
<mac-address>
Only in the source criteria, you can specify a mac-address.
.. code-block:: none
set firewall name LAN-IN-v4 rule 100 source mac-address 00:53:00:11:22:33
set firewall name LAN-IN-v4 rule 101 source mac-address !00:53:00:aa:12:34
.. cfgcmd:: set firewall name <name> rule <1-999999> source port
[1-65535 | portname | start-end]
.. cfgcmd:: set firewall name <name> rule <1-999999> destination port
[1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source port
[1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination port
[1-65535 | portname | start-end]
A port can be set with a port number or a name which is here
defined: ``/etc/services``.
.. code-block:: none
set firewall name WAN-IN-v4 rule 10 source port '22'
set firewall name WAN-IN-v4 rule 11 source port '!http'
set firewall name WAN-IN-v4 rule 12 source port 'https'
Multiple source ports can be specified as a comma-separated list.
The whole list can also be "negated" using '!'. For example:
.. code-block:: none
set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338'
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
address-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
address-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
address-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
address-group <name | !name>
Use a specific address-group. Prepend character '!' for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
network-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
network-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
network-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
network-group <name | !name>
Use a specific network-group. Prepend character '!' for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
port-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
port-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
port-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
port-group <name | !name>
Use a specific port-group. Prepend character '!' for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
domain-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
domain-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
domain-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
domain-group <name | !name>
Use a specific domain-group. Prepend character '!' for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
mac-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
mac-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
mac-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
mac-group <name | !name>
Use a specific mac-group. Prepend character '!' for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> fragment [match-frag |
match-non-frag]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> fragment [match-frag
| match-non-frag]
Match based on fragment criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> icmp [code | type]
<0-255>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 [code | type]
<0-255>
Match based on icmp|icmpv6 code and type.
.. cfgcmd:: set firewall name <name> rule <1-999999> icmp type-name <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 type-name
<text>
Match based on icmp|icmpv6 type-name criteria. Use tab for information
about what **type-name** criteria are supported.
.. cfgcmd:: set firewall name <name> rule <1-999999> ipsec [match-ipsec
| match-none]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> ipsec [match-ipsec
| match-none]
Match based on ipsec criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> limit burst
<0-4294967295>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit burst
<0-4294967295>
Match based on the maximum number of packets to allow in excess of rate.
.. cfgcmd:: set firewall name <name> rule <1-999999> limit rate
<text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit rate
<text>
Match based on the maximum average rate, specified as **integer/unit**.
For example **5/minutes**
.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length
<text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length
<text>
.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length-exclude
<text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length-exclude
<text>
Match based on packet length criteria. Multiple values from 1 to 65535
and ranges are supported.
.. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> |
<0-255> | all | tcp_udp]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> protocol [<text> |
<0-255> | all | tcp_udp]
Match a protocol criteria. A protocol number or a name which is here
defined: ``/etc/protocols``.
Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
based packets. The ``!`` negate the selected protocol.
.. code-block:: none
set firewall name WAN-IN-v4 rule 10 protocol tcp_udp
set firewall name WAN-IN-v4 rule 11 protocol !tcp_udp
set firewall ipv6-name WAN-IN-v6 rule 10 protocol tcp
.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
.. cfgcmd:: set firewall name <name> rule <1-999999> recent time
[second | minute | hour]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time
[second | minute | hour]
Match bases on recently seen sources.
.. cfgcmd:: set firewall name <name> rule <1-999999> tcp flags <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> tcp flags <text>
Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``,
``PSH``, ``ALL`` When specifying more than one flag, flags should be comma
separated. The ``!`` negate the selected protocol.
.. code-block:: none
set firewall name WAN-IN-v4 rule 10 tcp flags 'ACK'
set firewall name WAN-IN-v4 rule 12 tcp flags 'SYN'
set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST'
.. cfgcmd:: set firewall name <name> rule <1-999999> state [established |
invalid | new | related] [enable | disable]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> state [established |
invalid | new | related] [enable | disable]
Match against the state of a packet.
.. cfgcmd:: set firewall name <name> rule <1-999999> time startdate <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time startdate <text>
.. cfgcmd:: set firewall name <name> rule <1-999999> time starttime <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time starttime <text>
.. cfgcmd:: set firewall name <name> rule <1-999999> time stopdate <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stopdate <text>
.. cfgcmd:: set firewall name <name> rule <1-999999> time stoptime <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stoptime <text>
.. cfgcmd:: set firewall name <name> rule <1-999999> time weekdays <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time weekdays <text>
Time to match the defined rule.
.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255>
Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for
'greater than', and 'lt' stands for 'less than'.
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> hop-limit <eq | gt |
lt> <0-255>
Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
'greater than', and 'lt' stands for 'less than'.
.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second |
minute | hour>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second |
minute | hour>
Match when 'count' amount of connections are seen within 'time'. These
matching criteria can be used to block brute-force attempts.
***********************************
Applying a Rule-Set to an Interface
***********************************
A Rule-Set can be applied to every interface:
* ``in``: Ruleset for forwarded packets on an inbound interface
* ``out``: Ruleset for forwarded packets on an outbound interface
* ``local``: Ruleset for packets destined for this router
.. cfgcmd:: set interface ethernet <ethN> firewall [in | out | local]
[name | ipv6-name] <rule-set>
Here are some examples for applying a rule-set to an interface
.. code-block:: none
set interface ethernet eth1 vif 100 firewall in name LANv4-IN
set interface ethernet eth1 vif 100 firewall out name LANv4-OUT
set interface bonding bond0 firewall in name LANv4-IN
set interfaces openvpn vtun1 firewall in name Lanv4-IN
.. note::
As you can see in the example here, you can assign the same rule-set to
several interfaces. An interface can only have one rule-set per chain.
***********************
Operation-mode Firewall
***********************
Rule-set overview
=================
.. opcmd:: show firewall
This will show you a basic firewall overview
.. code-block:: none
vyos@vyos:~$ show firewall
------------------------
Firewall Global Settings
------------------------
Firewall state-policy for all IPv4 and Ipv6 traffic
state action log
----- ------ ---
invalid accept disabled
established accept disabled
related accept disabled
-----------------------------
Rulesets Information
-----------------------------
--------------------------------------------------------------------------
IPv4 Firewall "DMZv4-1-IN":
Active on (eth0,IN)
rule action proto packets bytes
---- ------ ----- ------- -----
10 accept icmp 0 0
condition - saddr 10.1.0.0/24 daddr 0.0.0.0/0 LOG enabled
10000 drop all 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled
--------------------------------------------------------------------------
IPv4 Firewall "DMZv4-1-OUT":
Active on (eth0,OUT)
rule action proto packets bytes
---- ------ ----- ------- -----
10 accept tcp_udp 1 60
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-DST-PORT-GROUP DMZ-Ports /*
DMZv4-1-OUT-10 */LOG enabled
11 accept icmp 1 84
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* DMZv4-1-OUT-11 */LOG enabled
10000 drop all 6 360
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled
--------------------------------------------------------------------------
IPv4 Firewall "LANv4-IN":
Inactive - Not applied to any interfaces or zones.
rule action proto packets bytes
---- ------ ----- ------- -----
10 accept all 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* LANv4-IN-10 */
10000 drop all 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
.. opcmd:: show firewall summary
This will show you a summary of rule-sets and groups
.. code-block:: none
vyos@vyos:~$ show firewall summary
------------------------
Firewall Global Settings
------------------------
Firewall state-policy for all IPv4 and Ipv6 traffic
state action log
----- ------ ---
invalid accept disabled
related accept disabled
established accept disabled
------------------------
Firewall Rulesets
------------------------
IPv4 name:
Rule-set name Description References
------------- ----------- ----------
DMZv4-1-OUT (eth0,OUT)
DMZv4-1-IN (eth0,IN)
------------------------
Firewall Groups
------------------------
Port Groups:
Group name Description References
---------- ----------- ----------
DMZ-Ports DMZv4-1-OUT-10-destination
Network Groups:
Group name Description References
---------- ----------- ----------
LANv4 LANv4-IN-10-source,
DMZv4-1-OUT-10-source,
DMZv4-1-OUT-11-source
.. opcmd:: show firewall statistics
This will show you a statistic of all rule-sets since the last boot.
.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>
This command will give an overview of a rule in a single rule-set
.. opcmd:: show firewall group <name>
Overview of defined groups. You see the type, the members, and where the
group is used.
.. code-block:: none
vyos@vyos:~$ show firewall group DMZ-Ports
Name : DMZ-Ports
Type : port
References : none
Members :
80
443
8080
8443
vyos@vyos:~$ show firewall group LANv4
Name : LANv4
Type : network
References : LANv4-IN-10-source
Members :
10.10.0.0/16
.. opcmd:: show firewall [name | ipv6name] <name>
This command will give an overview of a single rule-set.
.. opcmd:: show firewall [name | ipv6name] <name> statistics
This will show you a rule-set statistic since the last boot.
.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>
This command will give an overview of a rule in a single rule-set.
Zone-Policy Overview
====================
.. opcmd:: show zone-policy zone <name>
Use this command to get an overview of a zone.
.. code-block:: none
vyos@vyos:~$ show zone-policy zone DMZ
-------------------
Name: DMZ
Interfaces: eth0 eth1
From Zone:
name firewall
---- --------
LAN DMZv4-1-OUT
Show Firewall log
=================
.. opcmd:: show log firewall [name | ipv6name] <name>
Show the logs of a specific Rule-Set.
.. note::
At the moment it not possible to look at the whole firewall log with VyOS
operational commands. All logs will save to ``/var/logs/messages``.
For example: ``grep '10.10.0.10' /var/log/messages``
Example Partial Config
======================
.. code-block:: none
firewall {
all-ping enable
broadcast-ping disable
config-trap disable
group {
network-group BAD-NETWORKS {
network 198.51.100.0/24
network 203.0.113.0/24
}
network-group GOOD-NETWORKS {
network 192.0.2.0/24
}
port-group BAD-PORTS {
port 65535
}
}
name FROM-INTERNET {
default-action accept
description "From the Internet"
rule 10 {
action accept
description "Authorized Networks"
protocol all
source {
group {
network-group GOOD-NETWORKS
}
}
}
rule 11 {
action drop
description "Bad Networks"
protocol all
source {
group {
network-group BAD-NETWORKS
}
}
}
rule 30 {
action drop
description "BAD PORTS"
destination {
group {
port-group BAD-PORTS
}
}
log enable
protocol all
}
}
}
interfaces {
ethernet eth1 {
address dhcp
description OUTSIDE
duplex auto
firewall {
in {
name FROM-INTERNET
}
}
}
}
Update geoip database
=====================
.. opcmd:: update geoip
Command used to update GeoIP database and firewall sets.

953
docs/configuration/firewall/index.rst
View File

@ -1,953 +1,10 @@
:lastproofread: 2021-06-29
.. _firewall:
######## ########
Firewall Firewall
######## ########
******** .. toctree::
Overview :maxdepth: 1
******** :includehidden:
VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet general
filtering. zone
The firewall supports the creation of groups for ports, addresses, and
networks (implemented using netfilter ipset) and the option of interface
or zone based firewall policy.
.. note:: **Important note on usage of terms:**
The firewall makes use of the terms `in`, `out`, and `local`
for firewall policy. Users experienced with netfilter often confuse
`in` to be a reference to the `INPUT` chain, and `out` the `OUTPUT`
chain from netfilter. This is not the case. These instead indicate
the use of the `FORWARD` chain and either the input or output
interface. The `INPUT` chain, which is used for local traffic to the
OS, is a reference to as `local` with respect to its input interface.
***************
Global settings
***************
Some firewall settings are global and have an affect on the whole system.
.. cfgcmd:: set firewall all-ping [enable | disable]
By default, when VyOS receives an ICMP echo request packet destined for
itself, it will answer with an ICMP echo reply, unless you avoid it
through its firewall.
With the firewall you can set rules to accept, drop or reject ICMP in,
out or local traffic. You can also use the general **firewall all-ping**
command. This command affects only to LOCAL (packets destined for your
VyOS system), not to IN or OUT traffic.
.. note:: **firewall all-ping** affects only to LOCAL and it always
behaves in the most restrictive way
.. code-block:: none
set firewall all-ping enable
When the command above is set, VyOS will answer every ICMP echo request
addressed to itself, but that will only happen if no other rule is
applied dropping or rejecting local echo requests. In case of conflict,
VyOS will not answer ICMP echo requests.
.. code-block:: none
set firewall all-ping disable
When the command above is set, VyOS will answer no ICMP echo request
addressed to itself at all, no matter where it comes from or whether
more specific rules are being applied to accept them.
.. cfgcmd:: set firewall broadcast-ping [enable | disable]
This setting enable or disable the response of icmp broadcast
messages. The following system parameter will be altered:
* ``net.ipv4.icmp_echo_ignore_broadcasts``
.. cfgcmd:: set firewall ip-src-route [enable | disable]
.. cfgcmd:: set firewall ipv6-src-route [enable | disable]
This setting handle if VyOS accept packets with a source route
option. The following system parameter will be altered:
* ``net.ipv4.conf.all.accept_source_route``
* ``net.ipv6.conf.all.accept_source_route``
.. cfgcmd:: set firewall receive-redirects [enable | disable]
.. cfgcmd:: set firewall ipv6-receive-redirects [enable | disable]
enable or disable of ICMPv4 or ICMPv6 redirect messages accepted
by VyOS. The following system parameter will be altered:
* ``net.ipv4.conf.all.accept_redirects``
* ``net.ipv6.conf.all.accept_redirects``
.. cfgcmd:: set firewall send-redirects [enable | disable]
enable or disable ICMPv4 redirect messages send by VyOS
The following system parameter will be altered:
* ``net.ipv4.conf.all.send_redirects``
.. cfgcmd:: set firewall log-martians [enable | disable]
enable or disable the logging of martian IPv4 packets.
The following system parameter will be altered:
* ``net.ipv4.conf.all.log_martians``
.. cfgcmd:: set firewall source-validation [strict | loose | disable]
Set the IPv4 source validation mode.
The following system parameter will be altered:
* ``net.ipv4.conf.all.rp_filter``
.. cfgcmd:: set firewall syn-cookies [enable | disable]
Enable or Disable if VyOS use IPv4 TCP SYN Cookies.
The following system parameter will be altered:
* ``net.ipv4.tcp_syncookies``
.. cfgcmd:: set firewall twa-hazards-protection [enable | disable]
Enable or Disable VyOS to be :rfc:`1337` conform.
The following system parameter will be altered:
* ``net.ipv4.tcp_rfc1337``
.. cfgcmd:: set firewall state-policy established action [accept | drop |
reject]
.. cfgcmd:: set firewall state-policy established log enable
Set the global setting for an established connection.
.. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject]
.. cfgcmd:: set firewall state-policy invalid log enable
Set the global setting for invalid packets.
.. cfgcmd:: set firewall state-policy related action [accept | drop | reject]
.. cfgcmd:: set firewall state-policy related log enable
Set the global setting for related connections.
******
Groups
******
Firewall groups represent collections of IP addresses, networks, or
ports. Once created, a group can be referenced by firewall rules as
either a source or destination. Members can be added or removed from a
group without changes to, or the need to reload, individual firewall
rules.
Groups need to have unique names. Even though some contain IPv4
addresses and others contain IPv6 addresses, they still need to have
unique names, so you may want to append "-v4" or "-v6" to your group
names.
Address Groups
==============
In an **address group** a single IP address or IP address ranges are
defined.
.. cfgcmd:: set firewall group address-group <name> address [address |
address range]
.. cfgcmd:: set firewall group ipv6-address-group <name> address <address>
Define a IPv4 or a IPv6 address group
.. code-block:: none
set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1
set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8
set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1
.. cfgcmd:: set firewall group address-group <name> description <text>
.. cfgcmd:: set firewall group ipv6-address-group <name> description <text>
Provide a IPv4 or IPv6 address group description
Network Groups
==============
While **network groups** accept IP networks in CIDR notation, specific
IP addresses can be added as a 32-bit prefix. If you foresee the need
to add a mix of addresses and networks, the network group is
recommended.
.. cfgcmd:: set firewall group network-group <name> network <CIDR>
.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR>
Define a IPv4 or IPv6 Network group.
.. code-block:: none
set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24
set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24
set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64
.. cfgcmd:: set firewall group network-group <name> description <text>
.. cfgcmd:: set firewall group ipv6-network-group <name> description <text>
Provide a IPv4 or IPv6 network group description.
Port Groups
===========
A **port group** represents only port numbers, not the protocol. Port
groups can be referenced for either TCP or UDP. It is recommended that
TCP and UDP groups are created separately to avoid accidentally
filtering unnecessary ports. Ranges of ports can be specified by using
`-`.
.. cfgcmd:: set firewall group port-group <name> port
[portname | portnumber | startport-endport]
Define a port group. A port name can be any name defined in
/etc/services. e.g.: http
.. code-block:: none
set firewall group port-group PORT-TCP-SERVER1 port http
set firewall group port-group PORT-TCP-SERVER1 port 443
set firewall group port-group PORT-TCP-SERVER1 port 5000-5010
.. cfgcmd:: set firewall group port-group <name> description <text>
Provide a port group description.
*********
Rule-Sets
*********
A rule-set is a named collection of firewall rules that can be applied
to an interface or a zone. Each rule is numbered, has an action to apply
if the rule is matched, and the ability to specify the criteria to
match. Data packets go through the rules from 1 - 999999, at the first match
the action of the rule will be executed.
.. cfgcmd:: set firewall name <name> description <text>
.. cfgcmd:: set firewall ipv6-name <name> description <text>
Provide a rule-set description.
.. cfgcmd:: set firewall name <name> default-action [drop | reject | accept]
.. cfgcmd:: set firewall ipv6-name <name> default-action [drop | reject |
accept]
This set the default action of the rule-set if no rule matched a packet
criteria.
.. cfgcmd:: set firewall name <name> enable-default-log
.. cfgcmd:: set firewall ipv6-name <name> enable-default-log
Use this command to enable the logging of the default action.
.. cfgcmd:: set firewall name <name> rule <1-999999> action [drop | reject |
accept]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [drop |
reject | accept]
This required setting defines the action of the current rule.
.. cfgcmd:: set firewall name <name> rule <1-999999> description <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> description <text>
Provide a description for each rule.
.. cfgcmd:: set firewall name <name> rule <1-999999> log [disable | enable]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable |
enable]
Enable or disable logging for the matched packet.
.. cfgcmd:: set firewall name <name> rule <1-999999> log-level [emerg |
alert | crit | err | warn | notice | info | debug]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-level [emerg |
alert | crit | err | warn | notice | info | debug]
Define log-level. Only applicable if rule log is enable.
.. cfgcmd:: set firewall name <name> rule <1-999999> disable
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable
If you want to disable a rule but let it in the configuration.
Matching criteria
=================
There are a lot of matching criteria against which the package can be tested.
.. cfgcmd:: set firewall name <name> rule <1-999999> connection-status nat
[destination | source]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-status
nat [destination | source]
Match criteria based on nat connection status.
.. cfgcmd:: set firewall name <name> rule <1-999999> source address
[address | addressrange | CIDR]
.. cfgcmd:: set firewall name <name> rule <1-999999> destination address
[address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address
[address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination address
[address | addressrange | CIDR]
This is similar to the network groups part, but here you are able to negate
the matching addresses.
.. code-block:: none
set firewall name WAN-IN-v4 rule 100 source address 192.0.2.10-192.0.2.11
# with a '!' the rule match everything except the specified subnet
set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24
set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202
.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code
<country>
.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
country-code <country>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
inverse-match
.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
country-code <country>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
inverse-match
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
country-code <country>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
inverse-match
Match IP addresses based on its geolocation.
More info: `geoip matching
<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
Use inverse-match to match anything except the given country-codes.
Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
permits redistribution so we can include a database in images(~3MB
compressed). Includes cron script (manually callable by op-mode update
geoip) to keep database and rules updated.
.. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address
<mac-address>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source mac-address
<mac-address>
Only in the source criteria, you can specify a mac-address.
.. code-block:: none
set firewall name LAN-IN-v4 rule 100 source mac-address 00:53:00:11:22:33
set firewall name LAN-IN-v4 rule 101 source mac-address !00:53:00:aa:12:34
.. cfgcmd:: set firewall name <name> rule <1-999999> source port
[1-65535 | portname | start-end]
.. cfgcmd:: set firewall name <name> rule <1-999999> destination port
[1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source port
[1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination port
[1-65535 | portname | start-end]
A port can be set with a port number or a name which is here
defined: ``/etc/services``.
.. code-block:: none
set firewall name WAN-IN-v4 rule 10 source port '22'
set firewall name WAN-IN-v4 rule 11 source port '!http'
set firewall name WAN-IN-v4 rule 12 source port 'https'
Multiple source ports can be specified as a comma-separated list.
The whole list can also be "negated" using '!'. For example:
.. code-block:: none
set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338'
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
address-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
address-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
address-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
address-group <name | !name>
Use a specific address-group. Prepend character '!' for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
network-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
network-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
network-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
network-group <name | !name>
Use a specific network-group. Prepend character '!' for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
port-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
port-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
port-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
port-group <name | !name>
Use a specific port-group. Prepend character '!' for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
domain-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
domain-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
domain-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
domain-group <name | !name>
Use a specific domain-group. Prepend character '!' for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
mac-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
mac-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
mac-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
mac-group <name | !name>
Use a specific mac-group. Prepend character '!' for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> fragment [match-frag |
match-non-frag]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> fragment [match-frag
| match-non-frag]
Match based on fragment criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> icmp [code | type]
<0-255>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 [code | type]
<0-255>
Match based on icmp|icmpv6 code and type.
.. cfgcmd:: set firewall name <name> rule <1-999999> icmp type-name <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 type-name
<text>
Match based on icmp|icmpv6 type-name criteria. Use tab for information
about what **type-name** criteria are supported.
.. cfgcmd:: set firewall name <name> rule <1-999999> ipsec [match-ipsec
| match-none]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> ipsec [match-ipsec
| match-none]
Match based on ipsec criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> limit burst
<0-4294967295>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit burst
<0-4294967295>
Match based on the maximum number of packets to allow in excess of rate.
.. cfgcmd:: set firewall name <name> rule <1-999999> limit rate
<text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit rate
<text>
Match based on the maximum average rate, specified as **integer/unit**.
For example **5/minutes**
.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length
<text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length
<text>
.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length-exclude
<text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length-exclude
<text>
Match based on packet length criteria. Multiple values from 1 to 65535
and ranges are supported.
.. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> |
<0-255> | all | tcp_udp]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> protocol [<text> |
<0-255> | all | tcp_udp]
Match a protocol criteria. A protocol number or a name which is here
defined: ``/etc/protocols``.
Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
based packets. The ``!`` negate the selected protocol.
.. code-block:: none
set firewall name WAN-IN-v4 rule 10 protocol tcp_udp
set firewall name WAN-IN-v4 rule 11 protocol !tcp_udp
set firewall ipv6-name WAN-IN-v6 rule 10 protocol tcp
.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
.. cfgcmd:: set firewall name <name> rule <1-999999> recent time
[second | minute | hour]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time
[second | minute | hour]
Match bases on recently seen sources.
.. cfgcmd:: set firewall name <name> rule <1-999999> tcp flags <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> tcp flags <text>
Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``,
``PSH``, ``ALL`` When specifying more than one flag, flags should be comma
separated. The ``!`` negate the selected protocol.
.. code-block:: none
set firewall name WAN-IN-v4 rule 10 tcp flags 'ACK'
set firewall name WAN-IN-v4 rule 12 tcp flags 'SYN'
set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST'
.. cfgcmd:: set firewall name <name> rule <1-999999> state [established |
invalid | new | related] [enable | disable]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> state [established |
invalid | new | related] [enable | disable]
Match against the state of a packet.
.. cfgcmd:: set firewall name <name> rule <1-999999> time startdate <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time startdate <text>
.. cfgcmd:: set firewall name <name> rule <1-999999> time starttime <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time starttime <text>
.. cfgcmd:: set firewall name <name> rule <1-999999> time stopdate <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stopdate <text>
.. cfgcmd:: set firewall name <name> rule <1-999999> time stoptime <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stoptime <text>
.. cfgcmd:: set firewall name <name> rule <1-999999> time weekdays <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time weekdays <text>
Time to match the defined rule.
.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255>
Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for
'greater than', and 'lt' stands for 'less than'.
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> hop-limit <eq | gt |
lt> <0-255>
Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
'greater than', and 'lt' stands for 'less than'.
.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second |
minute | hour>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second |
minute | hour>
Match when 'count' amount of connections are seen within 'time'. These
matching criteria can be used to block brute-force attempts.
***********************************
Applying a Rule-Set to an Interface
***********************************
A Rule-Set can be applied to every interface:
* ``in``: Ruleset for forwarded packets on an inbound interface
* ``out``: Ruleset for forwarded packets on an outbound interface
* ``local``: Ruleset for packets destined for this router
.. cfgcmd:: set interface ethernet <ethN> firewall [in | out | local]
[name | ipv6-name] <rule-set>
Here are some examples for applying a rule-set to an interface
.. code-block:: none
set interface ethernet eth1 vif 100 firewall in name LANv4-IN
set interface ethernet eth1 vif 100 firewall out name LANv4-OUT
set interface bonding bond0 firewall in name LANv4-IN
set interfaces openvpn vtun1 firewall in name Lanv4-IN
.. note::
As you can see in the example here, you can assign the same rule-set to
several interfaces. An interface can only have one rule-set per chain.
**************************
Zone-based Firewall Policy
**************************
As an alternative to applying policy to an interface directly, a
zone-based firewall can be created to simplify configuration when
multiple interfaces belong to the same security zone. Instead of
applying rule-sets to interfaces, they are applied to source
zone-destination zone pairs.
An basic introduction to zone-based firewalls can be found `here
<https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_,
and an example at :ref:`examples-zone-policy`.
Define a Zone
=============
To define a zone setup either one with interfaces or a local zone.
.. cfgcmd:: set zone-policy zone <name> interface <interfacenames>
Set interfaces to a zone. A zone can have multiple interfaces.
But an interface can only be a member in one zone.
.. cfgcmd:: set zone-policy zone <name> local-zone
Define the zone as a local zone. A local zone has no interfaces and
will be applied to the router itself.
.. cfgcmd:: set zone-policy zone <name> default-action [drop | reject]
Change the default-action with this setting.
.. cfgcmd:: set zone-policy zone <name> description
Set a meaningful description.
Applying a Rule-Set to a Zone
=============================
Before you are able to apply a rule-set to a zone you have to create the zones
first.
It helps to think of the syntax as: (see below). The 'rule-set' should be
written from the perspective of: *Source Zone*-to->*Destination Zone*
.. cfgcmd:: set zone-policy zone <Destination Zone> from <Source Zone>
firewall name <rule-set>
.. cfgcmd:: set zone-policy zone <name> from <name> firewall name
<rule-set>
.. cfgcmd:: set zone-policy zone <name> from <name> firewall ipv6-name
<rule-set>
You apply a rule-set always to a zone from an other zone, it is recommended
to create one rule-set for each zone pair.
.. code-block:: none
set zone-policy zone DMZ from LAN firewall name LANv4-to-DMZv4
set zone-policy zone LAN from DMZ firewall name DMZv4-to-LANv4
***********************
Operation-mode Firewall
***********************
Rule-set overview
=================
.. opcmd:: show firewall
This will show you a basic firewall overview
.. code-block:: none
vyos@vyos:~$ show firewall
------------------------
Firewall Global Settings
------------------------
Firewall state-policy for all IPv4 and Ipv6 traffic
state action log
----- ------ ---
invalid accept disabled
established accept disabled
related accept disabled
-----------------------------
Rulesets Information
-----------------------------
--------------------------------------------------------------------------
IPv4 Firewall "DMZv4-1-IN":
Active on (eth0,IN)
rule action proto packets bytes
---- ------ ----- ------- -----
10 accept icmp 0 0
condition - saddr 10.1.0.0/24 daddr 0.0.0.0/0 LOG enabled
10000 drop all 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled
--------------------------------------------------------------------------
IPv4 Firewall "DMZv4-1-OUT":
Active on (eth0,OUT)
rule action proto packets bytes
---- ------ ----- ------- -----
10 accept tcp_udp 1 60
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-DST-PORT-GROUP DMZ-Ports /*
DMZv4-1-OUT-10 */LOG enabled
11 accept icmp 1 84
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* DMZv4-1-OUT-11 */LOG enabled
10000 drop all 6 360
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled
--------------------------------------------------------------------------
IPv4 Firewall "LANv4-IN":
Inactive - Not applied to any interfaces or zones.
rule action proto packets bytes
---- ------ ----- ------- -----
10 accept all 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* LANv4-IN-10 */
10000 drop all 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
.. opcmd:: show firewall summary
This will show you a summary of rule-sets and groups
.. code-block:: none
vyos@vyos:~$ show firewall summary
------------------------
Firewall Global Settings
------------------------
Firewall state-policy for all IPv4 and Ipv6 traffic
state action log
----- ------ ---
invalid accept disabled
related accept disabled
established accept disabled
------------------------
Firewall Rulesets
------------------------
IPv4 name:
Rule-set name Description References
------------- ----------- ----------
DMZv4-1-OUT (eth0,OUT)
DMZv4-1-IN (eth0,IN)
------------------------
Firewall Groups
------------------------
Port Groups:
Group name Description References
---------- ----------- ----------
DMZ-Ports DMZv4-1-OUT-10-destination
Network Groups:
Group name Description References
---------- ----------- ----------
LANv4 LANv4-IN-10-source,
DMZv4-1-OUT-10-source,
DMZv4-1-OUT-11-source
.. opcmd:: show firewall statistics
This will show you a statistic of all rule-sets since the last boot.
.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>
This command will give an overview of a rule in a single rule-set
.. opcmd:: show firewall group <name>
Overview of defined groups. You see the type, the members, and where the
group is used.
.. code-block:: none
vyos@vyos:~$ show firewall group DMZ-Ports
Name : DMZ-Ports
Type : port
References : none
Members :
80
443
8080
8443
vyos@vyos:~$ show firewall group LANv4
Name : LANv4
Type : network
References : LANv4-IN-10-source
Members :
10.10.0.0/16
.. opcmd:: show firewall [name | ipv6name] <name>
This command will give an overview of a single rule-set.
.. opcmd:: show firewall [name | ipv6name] <name> statistics
This will show you a rule-set statistic since the last boot.
.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>
This command will give an overview of a rule in a single rule-set.
Zone-Policy Overview
====================
.. opcmd:: show zone-policy zone <name>
Use this command to get an overview of a zone.
.. code-block:: none
vyos@vyos:~$ show zone-policy zone DMZ
-------------------
Name: DMZ
Interfaces: eth0 eth1
From Zone:
name firewall
---- --------
LAN DMZv4-1-OUT
Show Firewall log
=================
.. opcmd:: show log firewall [name | ipv6name] <name>
Show the logs of a specific Rule-Set.
.. note::
At the moment it not possible to look at the whole firewall log with VyOS
operational commands. All logs will save to ``/var/logs/messages``.
For example: ``grep '10.10.0.10' /var/log/messages``
Example Partial Config
======================
.. code-block:: none
firewall {
all-ping enable
broadcast-ping disable
config-trap disable
group {
network-group BAD-NETWORKS {
network 198.51.100.0/24
network 203.0.113.0/24
}
network-group GOOD-NETWORKS {
network 192.0.2.0/24
}
port-group BAD-PORTS {
port 65535
}
}
name FROM-INTERNET {
default-action accept
description "From the Internet"
rule 10 {
action accept
description "Authorized Networks"
protocol all
source {
group {
network-group GOOD-NETWORKS
}
}
}
rule 11 {
action drop
description "Bad Networks"
protocol all
source {
group {
network-group BAD-NETWORKS
}
}
}
rule 30 {
action drop
description "BAD PORTS"
destination {
group {
port-group BAD-PORTS
}
}
log enable
protocol all
}
}
}
interfaces {
ethernet eth1 {
address dhcp
description OUTSIDE
duplex auto
firewall {
in {
name FROM-INTERNET
}
}
}
}
Update geoip database
=====================
.. opcmd:: update geoip
Command used to update GeoIP database and firewall sets.

91
docs/configuration/firewall/zone.rst Normal file
View File

@ -0,0 +1,91 @@
:lastproofread: 2022-09-14
.. _firewall-zone:
###################
Zone Based Firewall
###################
In zone-based policy, interfaces are assigned to zones, and inspection policy
is applied to traffic moving between the zones and acted on according to
firewall rules. A Zone is a group of interfaces that have similar functions or
features. It establishes the security borders of a network. A zone defines a
boundary where traffic is subjected to policy restrictions as it crosses to
another region of a network.
Key Points:
* A zone must be configured before an interface is assigned to it and an
interface can be assigned to only a single zone.
* All traffic to and from an interface within a zone is permitted.
* All traffic between zones is affected by existing policies
* Traffic cannot flow between zone member interface and any interface that is
not a zone member.
* You need 2 separate firewalls to define traffic: one for each direction.
.. note:: In :vytask:`T2199` the syntax of the zone configuration was changed.
The zone configuration moved from ``zone-policy zone <name>`` to ``firewall
zone <name>``.
*************
Configuration
*************
As an alternative to applying policy to an interface directly, a zone-based
firewall can be created to simplify configuration when multiple interfaces
belong to the same security zone. Instead of applying rule-sets to interfaces,
they are applied to source zone-destination zone pairs.
An basic introduction to zone-based firewalls can be found `here
<https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_,
and an example at :ref:`examples-zone-policy`.
Define a Zone
=============
To define a zone setup either one with interfaces or a local zone.
.. cfgcmd:: set firewall zone <name> interface <interface>
Set interfaces to a zone. A zone can have multiple interfaces.
But an interface can only be a member in one zone.
.. cfgcmd:: set firewall zone <name> local-zone
Define the zone as a local zone. A local zone has no interfaces and
will be applied to the router itself.
.. cfgcmd:: set firewall zone <name> default-action [drop | reject]
Change the default-action with this setting.
.. cfgcmd:: set firewall zone <name> description
Set a meaningful description.
Applying a Rule-Set to a Zone
=============================
Before you are able to apply a rule-set to a zone you have to create the zones
first.
It helps to think of the syntax as: (see below). The 'rule-set' should be
written from the perspective of: *Source Zone*-to->*Destination Zone*
.. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone>
firewall name <rule-set>
.. cfgcmd:: set firewall zone <name> from <name> firewall name
<rule-set>
.. cfgcmd:: set firewall zone <name> from <name> firewall ipv6-name
<rule-set>
You apply a rule-set always to a zone from an other zone, it is recommended
to create one rule-set for each zone pair.
.. code-block:: none
set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4
set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4

1
docs/configuration/index.rst
View File

@ -22,4 +22,3 @@ The following structure respresent the cli structure.
trafficpolicy/index trafficpolicy/index
vpn/index vpn/index
vrf/index vrf/index
zonepolicy/index

71
docs/configuration/zonepolicy/index.rst
View File

@ -1,71 +0,0 @@
###########
Zone Policy
###########
.. toctree::
:maxdepth: 1
:includehidden:
In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to firewall rules.
A Zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network.
A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network.
Key Points:
* A zone must be configured before an interface is assigned to it and an interface can be assigned to only a single zone.
* All traffic to and from an interface within a zone is permitted.
* All traffic between zones is affected by existing policies
* Traffic cannot flow between zone member interface and any interface that is not a zone member.
* You need 2 separate firewalls to define traffic: one for each direction.
Example: LAN Network is given SSH access to VyOS box.
Firewall rules:
.. code-block:: none
set firewall name lan-local default-action 'drop'
set firewall name lan-local rule 1 action 'accept'
set firewall name lan-local rule 1 state established 'enable'
set firewall name lan-local rule 1 state related 'enable'
set firewall name lan-local rule 2 action 'drop'
set firewall name lan-local rule 2 state invalid 'enable'
set firewall name lan-local rule 2 log enable
set firewall name lan-local rule 100 action 'accept'
set firewall name lan-local rule 100 destination port '22'
set firewall name lan-local rule 100 log 'enable'
set firewall name lan-local rule 100 protocol 'tcp'
set firewall name local-lan default-action 'drop'
set firewall name local-lan rule 1 action 'accept'
set firewall name local-lan rule 1 state established 'enable'
set firewall name local-lan rule 1 state related 'enable'
set firewall name local-lan rule 2 action 'drop'
set firewall name local-lan rule 2 state invalid 'enable'
set firewall name local-lan rule 2 log enable
set firewall name local-lan rule 100 action 'accept'
set firewall name local-lan rule 100 destination address '192.168.0.0/24'
set firewall name local-lan rule 100 log 'enable'
set firewall name local-lan rule 100 protocol 'tcp'
Zone-policy Config:
.. code-block:: none
set zone-policy zone lan default-action 'drop'
set zone-policy zone lan description 'Local Area Network'
set zone-policy zone lan interface 'eth2'
set zone-policy zone lan from local firewall name 'lan-local'
set zone-policy zone local default-action 'drop'
set zone-policy zone local description 'system-defined zone'
set zone-policy zone local from lan firewall name 'local-lan'
set zone-policy zone local local-zone
A detailed zone-based policy example is written in the Configuration-Blueprints_ section.
.. stop_vyoslinter
.. _Configuration-Blueprints: https://docs.vyos.io/en/latest/configexamples/zone-policy.html
.. start_vyoslinter

6
docs/documentation.rst
View File

@ -196,7 +196,7 @@ to use an alternative hyperlink use it this way:
handle build errors handle build errors
""""""""""""""""""" """""""""""""""""""
The plugin will warn on build if a headline has a duplicate name in the The plugin will warn on build if a headline has a duplicate name in the
same document. To prevent this warning, you have to put a custom link on same document. To prevent this warning, you have to put a custom link on
top of the headline. top of the headline.
@ -216,7 +216,7 @@ top of the headline.
========== ==========
Lorem ipsum dolor sit amet, consetetur sadipscing elitr Lorem ipsum dolor sit amet, consetetur sadipscing elitr
.. _section B example: .. _section B example:
Example Example
@ -404,7 +404,7 @@ stability for URLs used in the forum or blogpost.
For example: For example:
* ``set zone-policy`` is written in ``zone-policy/index.rst`` * ``set firewall zone`` is written in ``firewall/zone.rst``
* ``set interfaces ethernet`` is written in ``interfaces/ethernet.rst`` * ``set interfaces ethernet`` is written in ``interfaces/ethernet.rst``
The article starts with a short introduction about the command or the The article starts with a short introduction about the command or the