Firewall: update firewall bridge docs, and general diagram. Add minor fix to ipv4 firewall doc, and update ipv6

Nicolas Fort 2023-12-05 16:22:24 -03:00
parent 0429c31788
commit 6e545b86f8
5 changed files with 482 additions and 61 deletions


@ -39,4 +39,363 @@ for this layer is shown next:
For traffic that needs to be forwared internally by the bridge, base chain is
is **forward**, and it's base command for filtering is ``set firewall bridge
forward filter ...``
forward filter ...``, which happens in stage 4, highlightened with red color.
Custom bridge firewall chains can be create with command ``set firewall bridge
name <name> ...``. In order to use such custom chain, a rule with action jump,
and the appropiate target should be defined in a base chain.
.. note:: **Layer 3 bridge**:
When an IP address is assigned to the bridge interface, and if traffic
is sent to the router to this IP (for example using such IP as
default gateway), then rules defined for **bridge firewall** won't
match, and firewall analysis continues at **IP layer**.
************
Bridge Rules
************
For firewall filtering, firewall rules needs to be created. Each rule is
numbered, has an action to apply if the rule is matched, and the ability
to specify multiple criteria matchers. Data packets go through the rules
from 1 - 999999, so order is crucial. At the first match the action of the
rule will be executed.
Actions
=======
If a rule is defined, then an action must be defined for it. This tells the
firewall what to do if all criteria matchers defined for such rule do match.
In firewall bridge rules, the action can be:
* ``accept``: accept the packet.
* ``continue``: continue parsing next rule.
* ``drop``: drop the packet.
* ``jump``: jump to another custom chain.
* ``return``: Return from the current chain and continue at the next rule
of the last chain.
* ``queue``: Enqueue packet to userspace.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999> action
[accept | continue | drop | jump | queue | return]
.. cfgcmd:: set firewall bridge name <name> rule <1-999999> action
[accept | continue | drop | jump | queue | return]
This required setting defines the action of the current rule. If action is
set to jump, then jump-target is also needed.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
jump-target <text>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
jump-target <text>
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
queue <0-65535>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
queue <0-65535>
To be used only when action is set to ``queue``. Use this command to specify
queue target to use. Queue range is also supported.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
queue-options bypass
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
queue-options bypass
To be used only when action is set to ``queue``. Use this command to let
packet go through firewall when no userspace software is connected to the
queue.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
queue-options fanout
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
queue-options fanout
To be used only when action is set to ``queue``. Use this command to
distribute packets between several queues.
Also, **default-action** is an action that takes place whenever a packet does
not match any rule in it's chain. For base chains, possible options for
**default-action** are **accept** or **drop**.
.. cfgcmd:: set firewall bridge forward filter default-action
[accept | drop]
.. cfgcmd:: set firewall bridge name <name> default-action
[accept | continue | drop | jump | queue | return]
This set the default action of the rule-set if no rule matched a packet
criteria. If default-action is set to ``jump``, then
``default-jump-target`` is also needed. Note that for base chains, default
action can only be set to ``accept`` or ``drop``, while on custom chain,
more actions are available.
.. cfgcmd:: set firewall bridge name <name> default-jump-target <text>
To be used only when ``defult-action`` is set to ``jump``. Use this
command to specify jump target for default rule.
.. note:: **Important note about default-actions:**
If default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains, if default
action is not defined, then the default-action is set to **drop**.
Firewall Logs
=============
Logging can be enable for every single firewall rule. If enabled, other
log options can be defined.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999> log
.. cfgcmd:: set firewall bridge name <name> rule <1-999999> log
Enable logging for the matched packet. If this configuration command is not
present, then log is not enabled.
.. cfgcmd:: set firewall bridge forward filter enable-default-log
.. cfgcmd:: set firewall bridge name <name> enable-default-log
Use this command to enable the logging of the default action on
the specified chain.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
log-options level [emerg | alert | crit | err | warn | notice
| info | debug]
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
log-options level [emerg | alert | crit | err | warn | notice
| info | debug]
Define log-level. Only applicable if rule log is enable.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
log-options group <0-65535>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
log-options group <0-65535>
Define log group to send message to. Only applicable if rule log is enable.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
log-options snapshot-length <0-9000>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
log-options snapshot-length <0-9000>
Define length of packet payload to include in netlink message. Only
applicable if rule log is enable and log group is defined.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
log-options queue-threshold <0-65535>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
log-options queue-threshold <0-65535>
Define number of packets to queue inside the kernel before sending them to
userspace. Only applicable if rule log is enable and log group is defined.
Firewall Description
====================
For reference, a description can be defined for every defined custom chain.
.. cfgcmd:: set firewall bridge name <name> description <text>
Provide a rule-set description to a custom firewall chain.
Rule Status
===========
When defining a rule, it is enable by default. In some cases, it is useful to
just disable the rule, rather than removing it.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999> disable
.. cfgcmd:: set firewall bridge name <name> rule <1-999999> disable
Command for disabling a rule but keep it in the configuration.
Matching criteria
=================
There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
destination mac-address <mac-address>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
destination mac-address <mac-address>
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
source mac-address <mac-address>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
source mac-address <mac-address>
Match criteria based on source and/or destination mac-address.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
inbound-interface name <iface>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
inbound-interface name <iface>
Match based on inbound interface. Wilcard ``*`` can be used.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
criteria is also supportd. For example ``!eth2``
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
inbound-interface group <iface_group>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
inbound-interface group <iface_group>
Match based on inbound interface group. Prepending character ``!`` for
inverted matching criteria is also supportd. For example ``!IFACE_GROUP``
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
outbound-interface name <iface>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
outbound-interface name <iface>
Match based on outbound interface. Wilcard ``*`` can be used.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
criteria is also supportd. For example ``!eth2``
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
outbound-interface group <iface_group>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
outbound-interface group <iface_group>
Match based on outbound interface group. Prepending character ``!`` for
inverted matching criteria is also supportd. For example ``!IFACE_GROUP``
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
vlan id <0-4096>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
vlan id <0-4096>
Match based on vlan ID. Range is also supported.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
vlan priority <0-7>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
vlan priority <0-7>
Match based on vlan priority(pcp). Range is also supported.
***********************
Operation-mode Firewall
***********************
Rule-set overview
=================
In this section you can find all useful firewall op-mode commands.
General commands for firewall configuration, counter and statiscits:
.. opcmd:: show firewall
.. opcmd:: show firewall summary
.. opcmd:: show firewall statistics
And, to print only bridge firewall information:
.. opcmd:: show firewall bridge
.. opcmd:: show firewall bridge forward filter
.. opcmd:: show firewall bridge forward filter rule <rule>
.. opcmd:: show firewall bridge name <name>
.. opcmd:: show firewall bridge name <name> rule <rule>
Show Firewall log
=================
.. opcmd:: show log firewall
.. opcmd:: show log firewall bridge
.. opcmd:: show log firewall bridge forward
.. opcmd:: show log firewall bridge forward filter
.. opcmd:: show log firewall bridge name <name>
.. opcmd:: show log firewall bridge forward filter rule <rule>
.. opcmd:: show log firewall bridge name <name> rule <rule>
Show the logs of all firewall; show all bridge firewall logs; show all logs
for forward hook; show all logs for forward hook and priority filter; show
all logs for particular custom chain; show logs for specific Rule-Set.
Example
=======
Configuration example:
.. code-block:: none
set firewall bridge forward filter default-action 'drop'
set firewall bridge forward filter enable-default-log
set firewall bridge forward filter rule 10 action 'continue'
set firewall bridge forward filter rule 10 inbound-interface name 'eth2'
set firewall bridge forward filter rule 10 vlan id '22'
set firewall bridge forward filter rule 20 action 'drop'
set firewall bridge forward filter rule 20 inbound-interface group 'TRUNK-RIGHT'
set firewall bridge forward filter rule 20 vlan id '60'
set firewall bridge forward filter rule 30 action 'jump'
set firewall bridge forward filter rule 30 jump-target 'TEST'
set firewall bridge forward filter rule 30 outbound-interface name '!eth1'
set firewall bridge forward filter rule 35 action 'accept'
set firewall bridge forward filter rule 35 vlan id '11'
set firewall bridge forward filter rule 40 action 'continue'
set firewall bridge forward filter rule 40 destination mac-address '66:55:44:33:22:11'
set firewall bridge forward filter rule 40 source mac-address '11:22:33:44:55:66'
set firewall bridge name TEST default-action 'accept'
set firewall bridge name TEST enable-default-log
set firewall bridge name TEST rule 10 action 'continue'
set firewall bridge name TEST rule 10 log
set firewall bridge name TEST rule 10 vlan priority '0'
And op-mode commands:
.. code-block:: none
vyos@BRI:~$ show firewall bridge
Rulesets bridge Information
---------------------------------
bridge Firewall "forward filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- ---------------------------------------------------------------------
10 continue all 0 0 iifname "eth2" vlan id 22 continue
20 drop all 0 0 iifname @I_TRUNK-RIGHT vlan id 60
30 jump all 2130 170688 oifname != "eth1" jump NAME_TEST
35 accept all 2080 168616 vlan id 11 accept
40 continue all 0 0 ether daddr 66:55:44:33:22:11 ether saddr 11:22:33:44:55:66 continue
default drop all 0 0
---------------------------------
bridge Firewall "name TEST"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- --------------------------------------------------
10 continue all 2130 170688 vlan pcp 0 prefix "[bri-NAM-TEST-10-C]" continue
default accept all 2130 170688
vyos@BRI:~$
vyos@BRI:~$ show firewall bridge name TEST
Ruleset Information
---------------------------------
bridge Firewall "name TEST"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- --------------------------------------------------
10 continue all 2130 170688 vlan pcp 0 prefix "[bri-NAM-TEST-10-C]" continue
default accept all 2130 170688
vyos@BRI:~$
Inspect logs:
.. code-block:: none
vyos@BRI:~$ show log firewall bridge
Dec 05 14:37:47 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102
Dec 05 14:37:48 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102
Dec 05 14:37:49 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102
...
vyos@BRI:~$ show log firewall bridge forward filter
Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
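Review bot: the two `jump-target <text>` commands (the `.. cfgcmd::` entries for `forward filter` and `name <name>` that sit just before `queue <0-65535>`) are the only commands in this new bridge section without a description paragraph; the ipv4 and ipv6 pages carry "To be used only when action is set to ``jump``. Use this command to specify jump target." for the same command, so add that text here. The added prose also needs a typo pass before merge: "forwared" (forwarded), "highlightened" (highlighted), "appropiate" (appropriate), "can be create" (created), "it's chain" (its chain), "defult-action" (default-action), "Wilcard" (Wildcard), "supportd" (supported, four occurrences), "statiscits" (statistics), "rules needs to be created" (need), "is enable by default" and "rule log is enable" (enabled), and "This set the default action" (This sets). Separately, check the `vlan id <0-4096>` range on both vlan commands: 802.1Q VLAN IDs are 12-bit values, so 4096 is not a valid ID; if the CLI validator accepts 0-4095, the documented range should say `<0-4095>`. One point worth a sentence rather than a fix: the `Layer 3 bridge` note correctly says bridge rules do not see traffic addressed to the bridge's own IP, which readers protecting the router itself will want spelled out as "use the ipv4/ipv6 input chain for that".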


@ -123,9 +123,46 @@ The action can be :
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
jump-target <text>
To be used only when action is set to jump. Use this command to specify
To be used only when action is set to ``jump``. Use this command to specify
jump target.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
queue <0-65535>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
queue <0-65535>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
queue <0-65535>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
queue <0-65535>
To be used only when action is set to ``queue``. Use this command to specify
queue target to use. Queue range is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
queue-options bypass
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
queue-options bypass
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
queue-options bypass
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
queue-options bypass
To be used only when action is set to ``queue``. Use this command to let
packet go through firewall when no userspace software is connected to the
queue.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
queue-options fanout
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
queue-options fanout
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
queue-options fanout
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
queue-options fanout
To be used only when action is set to ``queue``. Use this command to
distribute packets between several queues.
Also, **default-action** is an action that takes place whenever a packet does
not match any rule in it's chain. For base chains, possible options for
**default-action** are **accept** or **drop**.
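Review bot: the trailing context line "not match any rule in it's chain" carries a typo ("its chain") that this commit could fix while it is touching the surrounding paragraph; the same sentence is in the ipv6 page. In the new `queue <0-65535>` description, "Queue range is also supported" gives no hint of the range syntax; add the form the validator actually accepts so readers do not have to guess. And "let packet go through firewall when no userspace software is connected to the queue" is the behaviour a reader most needs to notice, since without `bypass` packets are dropped when nothing is listening on the queue; consider stating that consequence explicitly in the `queue-options bypass` paragraph.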
@ -140,7 +177,7 @@ not match any rule in it's chain. For base chains, possible options for
[accept | drop | jump | queue | reject | return]
This set the default action of the rule-set if no rule matched a packet
criteria. If defacult-action is set to ``jump``, then
criteria. If default-action is set to ``jump``, then
``default-jump-target`` is also needed. Note that for base chains, default
action can only be set to ``accept`` or ``drop``, while on custom chain,
more actions are available.
@ -153,7 +190,7 @@ not match any rule in it's chain. For base chains, possible options for
.. note:: **Important note about default-actions:**
If default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains, if default
action is not defined, then the default-action is set to **drop**
action is not defined, then the default-action is set to **drop**.
Firewall Logs
=============
@ -162,15 +199,12 @@ Logging can be enable for every single firewall rule. If enabled, other
log options can be defined.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log
[disable | enable]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> log
[disable | enable]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> log
[disable | enable]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log
[disable | enable]
Enable or disable logging for the matched packet.
Enable logging for the matched packet. If this configuration command is not
present, then log is not enabled.
.. cfgcmd:: set firewall ipv4 forward filter enable-default-log
.. cfgcmd:: set firewall ipv4 input filter enable-default-log
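Review bot: this hunk removes the `[disable | enable]` argument from the four `log` commands and documents `log` as a presence flag, but nothing in the new text tells a reader with an existing `log enable` / `log disable` configuration what becomes of it; if this reflects a CLI syntax change rather than a documentation error, add a sentence on the migration. The context line in the hunk header, "Logging can be enable for every single firewall rule", should read "enabled".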
@ -266,7 +300,7 @@ just disable the rule, rather than removing it.
Matching criteria
=================
There are a lot of matching criteria against which the package can be tested.
There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
connection-status nat [destination | source]


@ -123,9 +123,46 @@ The action can be :
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
jump-target <text>
To be used only when action is set to jump. Use this command to specify
To be used only when action is set to ``jump``. Use this command to specify
jump target.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
queue <0-65535>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
queue <0-65535>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
queue <0-65535>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
queue <0-65535>
To be used only when action is set to ``queue``. Use this command to specify
queue target to use. Queue range is also supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
queue-options bypass
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
queue-options bypass
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
queue-options bypass
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
queue-options bypass
To be used only when action is set to ``queue``. Use this command to let
packet go through firewall when no userspace software is connected to the
queue.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
queue-options fanout
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
queue-options fanout
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
queue-options fanout
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
queue-options fanout
To be used only when action is set to ``queue``. Use this command to
distribute packets between several queues.
Also, **default-action** is an action that takes place whenever a packet does
not match any rule in it's chain. For base chains, possible options for
**default-action** are **accept** or **drop**.
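Review bot: this block (queue, queue-options bypass and queue-options fanout for the forward, input, output and name chains) is the ipv4 hunk with `ipv4` replaced by `ipv6`, and the bridge page carries a third copy of the same three descriptions; consider moving the shared description text into an `.. include::` snippet so the pages cannot drift apart on later edits. The context typo "it's chain" applies here as well.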
@ -140,7 +177,7 @@ not match any rule in it's chain. For base chains, possible options for
[accept | drop | jump | queue | reject | return]
This set the default action of the rule-set if no rule matched a packet
criteria. If defacult-action is set to ``jump``, then
criteria. If default-action is set to ``jump``, then
``default-jump-target`` is also needed. Note that for base chains, default
action can only be set to ``accept`` or ``drop``, while on custom chain,
more actions are available.
@ -153,7 +190,7 @@ not match any rule in it's chain. For base chains, possible options for
.. note:: **Important note about default-actions:**
If default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains, if default
action is not defined, then the default-action is set to **drop**
action is not defined, then the default-action is set to **drop**.
Firewall Logs
=============
@ -162,15 +199,12 @@ Logging can be enable for every single firewall rule. If enabled, other
log options can be defined.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log
[disable | enable]
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> log
[disable | enable]
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> log
[disable | enable]
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log
[disable | enable]
Enable or disable logging for the matched packet.
Enable logging for the matched packet. If this configuration command is not
present, then log is not enabled.
.. cfgcmd:: set firewall ipv6 forward filter enable-default-log
.. cfgcmd:: set firewall ipv6 input filter enable-default-log
@ -266,7 +300,7 @@ just disable the rule, rather than removing it.
Matching criteria
=================
There are a lot of matching criteria against which the package can be tested.
There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
connection-status nat [destination | source]
@ -936,7 +970,7 @@ Rule-set overview
.. code-block:: none
vyos@vyos:~$ show firewall
vyos@vyos:~$ show firewall
Rulesets Information
---------------------------------
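Review bot: the removed and added `vyos@vyos:~$ show firewall` lines are identical in the rendered view, so this is presumably a whitespace-only change to the first line inside the `.. code-block:: none`; that is fine, but confirm the new indentation matches the rest of the block, because in reStructuredText a less-indented first line ends the directive body and the prompt would then render as ordinary paragraph text. The same check applies to the `show firewall summary` and `show firewall group LAN` hunks below.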
@ -999,7 +1033,7 @@ Rule-set overview
.. code-block:: none
vyos@vyos:~$ show firewall summary
vyos@vyos:~$ show firewall summary
Ruleset Summary
IPv6 Ruleset:
@ -1049,29 +1083,30 @@ Rule-set overview
.. opcmd:: show firewall ipv6 [forward | input | output] filter
.. opcmd:: show firewall ipv4 name <name>
.. opcmd:: show firewall ipv6 ipv6-name <name>
This command will give an overview of a single rule-set.
.. code-block:: none
vyos@vyos:~$ show firewall ipv4 input filter
vyos@vyos:~$ show firewall ipv6 input filter
Ruleset Information
---------------------------------
IPv4 Firewall "input filter"
ipv6 Firewall "input filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- -----------------------------------------
5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT
default accept all
------- -------- ---------- --------- ------- ------------------------------------------------------------------------------
10 jump all 13 1456 iifname "eth1" jump NAME6_INP-ETH1
20 accept ipv6-icmp 10 1112 meta l4proto ipv6-icmp iifname "eth0" prefix "[ipv6-INP-filter-20-A]" accept
default accept all 14 1584
vyos@vyos:~$
.. opcmd:: show firewall ipv6 [forward | input | output]
filter rule <1-999999>
.. opcmd:: show firewall ipv4 name <name> rule <1-999999>
.. opcmd:: show firewall ipv6 name <name> rule <1-999999>
.. opcmd:: show firewall ipv6 ipv6-name <name> rule <1-999999>
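Review bot: the op-mode list at the end of this hunk shows both `show firewall ipv6 name <name> rule <1-999999>` and `show firewall ipv6 ipv6-name <name> rule <1-999999>`, and the list above the example pairs `show firewall ipv4 name <name>` with `show firewall ipv6 ipv6-name <name>`; if both the `name` and `ipv6-name` forms survive this change, one of them is stale, since the example configuration added by this same commit uses `ipv6 { ... name INP-ETH1 { ... } }`, so keep whichever the CLI accepts. Also the new sample output reads `ipv6 Firewall "input filter"` where the removed line read `IPv4 Firewall "input filter"`; if the lowercase `ipv6` is a verbatim paste from the device it should stay, otherwise capitalise it consistently with the IPv4 sample.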
@ -1084,7 +1119,7 @@ Rule-set overview
.. code-block:: none
vyos@vyos:~$ show firewall group LAN
vyos@vyos:~$ show firewall group LAN
Firewall Groups
Name Type References Members
@ -1119,45 +1154,38 @@ Example Partial Config
.. code-block:: none
firewall {
group {
network-group BAD-NETWORKS {
network 198.51.100.0/24
network 203.0.113.0/24
}
network-group GOOD-NETWORKS {
network 192.0.2.0/24
}
port-group BAD-PORTS {
port 65535
}
}
ipv4 {
forward {
filter {
default-action accept
rule 5 {
action accept
source {
group {
network-group GOOD-NETWORKS
firewall {
ipv6 {
input {
filter {
rule 10 {
action jump
inbound-interface {
name eth1
}
jump-target INP-ETH1
}
rule 20 {
action accept
inbound-interface {
name eth0
}
log
protocol ipv6-icmp
}
}
}
name INP-ETH1 {
default-action drop
enable-default-log
rule 10 {
action drop
description "Bad Networks"
protocol all
source {
group {
network-group BAD-NETWORKS
}
}
action accept
protocol tcp_udp
}
}
}
}
}
Update geoip database
=====================
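Review bot: the new Example Partial Config drops the `group { network-group ... port-group ... }` block together with the rule that referenced it, so this section no longer shows a group used inside a rule even though `show firewall group LAN` is documented just above; either keep one group-based rule in the example or point readers to the groups section. On the new example itself: custom chain `INP-ETH1` accepts every `tcp_udp` packet arriving on eth1 toward the router with no port or source restriction, which is a very permissive input policy for a snippet that will be copied verbatim, so consider narrowing it (a destination port would do) or stating that it is illustrative only. Conversely, `default-action drop` together with `enable-default-log` on that chain is the pattern worth calling out in a sentence, since it is what produces the default-action log lines (the bridge section above shows the equivalent `[bri-FWD-filter-default-D]` prefix) that readers will look for when debugging dropped traffic.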