Merge pull request #802 from Diekos/geoip-inverse-match

Firewall: T4299: Add inverse-match to geoip
Robert Göhler 2022-07-07 17:08:11 +02:00 committed by GitHub
commit 2d5878c407
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -325,15 +325,25 @@ There are a lot of matching criteria against which the package can be tested.
.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code .. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code
<country> <country>
.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
country-code <country> country-code <country>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
inverse-match
.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip .. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
country-code <country> country-code <country>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
inverse-match
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
country-code <country> country-code <country>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
inverse-match
Match IP addresses based on its geolocation. More info: `geoip matching Match IP addresses based on its geolocation.
<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_ More info: `geoip matching
<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
Use inverse-match to match anything except the given country-codes.
Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
permits redistribution so we can include a database in images(~3MB permits redistribution so we can include a database in images(~3MB
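Review bot: The added sentence "Use inverse-match to match anything except the given country-codes." near the end of this hunk does not say whether inverse-match needs a country-code on the same rule, or what the rule matches when no country-code is set. The four new inverse-match commands take no value, so please state that dependency and add a short example that pairs country-code with inverse-match; a reader who gets the sense of the inversion wrong ends up with the opposite of the intended policy. Minor: in the same paragraph, "based on its geolocation" should read "based on their geolocation".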
@ -531,10 +541,10 @@ Applying a Rule-Set to a Zone
Before you are able to apply a rule-set to a zone you have to create the zones Before you are able to apply a rule-set to a zone you have to create the zones
first. first.
It helps to think of the syntax as: (see below). The 'rule-set' should be It helps to think of the syntax as: (see below). The 'rule-set' should be
written from the perspective of: *Source Zone*-to->*Destination Zone* written from the perspective of: *Source Zone*-to->*Destination Zone*
.. cfgcmd:: set zone-policy zone <Destination Zone> from <Source Zone> .. cfgcmd:: set zone-policy zone <Destination Zone> from <Source Zone>
firewall name <rule-set> firewall name <rule-set>
.. cfgcmd:: set zone-policy zone <name> from <name> firewall name .. cfgcmd:: set zone-policy zone <name> from <name> firewall name
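Review bot: No textual difference is visible between the old and new sides of this hunk in the "Applying a Rule-Set to a Zone" section, so the change here appears to be whitespace-only. If that is the case, consider splitting it out of the geoip change or mentioning it in the commit message, so the history of the zone-policy text stays easy to follow.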
@ -829,4 +839,4 @@ Update geoip database
.. opcmd:: update geoip .. opcmd:: update geoip
Command used to update GeoIP database and firewall sets. Command used to update GeoIP database and firewall sets.