vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-26 08:41:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

proofread and update firewall docs

Browse Source
This commit is contained in:
whyrlpool 2024-07-03 17:26:08 +01:00 committed by GitHub
parent 63ee8dfafa
commit 8214ffe4c6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
10 changed files with 247 additions and 250 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
docs/automation/cloud-init.rst
View File

@ -1,4 +1,4 @@
:lastproofread: 2021-07-12
:lastproofread: 2024-07-03
.. _cloud-init:

4
docs/configuration/container/index.rst
View File

@ -1,10 +1,10 @@
:lastproofread: 2022-06-10
:lastproofread: 2024-07-03
#########
Container
#########
The VyOS container implementation is based on `Podman<https://podman.io/>` as
The VyOS container implementation is based on `Podman <https://podman.io/>`_ as
a deamonless container engine.
*************

48
docs/configuration/firewall/bridge.rst
View File

@ -1,4 +1,4 @@
:lastproofread: 2023-11-08
:lastproofread: 2024-07-03
.. _firewall-configuration:
@ -12,13 +12,13 @@ Bridge Firewall Configuration
Overview
********
In this section there's useful information of all firewall configuration that
can be done regarding bridge, and appropriate op-mode commands.
In this section there's useful information on all firewall configuration that
can be done regarding bridges, and appropriate op-mode commands.
Configuration commands covered in this section:
.. cfgcmd:: set firewall bridge ...
From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>`
From the main structure defined in :doc:`Firewall Overview</configuration/firewall/index>`
in this section you can find detailed information only for the next part
of the general structure:
@ -41,7 +41,7 @@ For traffic that needs to be forwarded internally by the bridge, base chain is
is **forward**, and it's base command for filtering is ``set firewall bridge
forward filter ...``, which happens in stage 4, highlighted with red color.
Custom bridge firewall chains can be create with command ``set firewall bridge
Custom bridge firewall chains can be created with the command ``set firewall bridge
name <name> ...``. In order to use such custom chain, a rule with action jump,
and the appropriate target should be defined in a base chain.
@ -55,9 +55,9 @@ and the appropriate target should be defined in a base chain.
Bridge Rules
************
For firewall filtering, firewall rules needs to be created. Each rule is
For firewall filtering, firewall rules need to be created. Each rule is
numbered, has an action to apply if the rule is matched, and the ability
to specify multiple criteria matchers. Data packets go through the rules
to specify multiple matching criteria. Data packets go through the rules
from 1 - 999999, so order is crucial. At the first match the action of the
rule will be executed.
@ -65,7 +65,7 @@ Actions
=======
If a rule is defined, then an action must be defined for it. This tells the
firewall what to do if all criteria matchers defined for such rule do match.
firewall what to do if all matching criterea in the rule are met.
In firewall bridge rules, the action can be:
@ -101,7 +101,7 @@ In firewall bridge rules, the action can be:
queue <0-65535>
To be used only when action is set to ``queue``. Use this command to specify
queue target to use. Queue range is also supported.
the queue target to use. Queue range is also supported.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
queue-options bypass
@ -121,7 +121,7 @@ In firewall bridge rules, the action can be:
distribute packets between several queues.
Also, **default-action** is an action that takes place whenever a packet does
not match any rule in it's chain. For base chains, possible options for
not match any rule in its' chain. For base chains, possible options for
**default-action** are **accept** or **drop**.
.. cfgcmd:: set firewall bridge forward filter default-action
@ -129,10 +129,10 @@ not match any rule in it's chain. For base chains, possible options for
.. cfgcmd:: set firewall bridge name <name> default-action
[accept | continue | drop | jump | queue | return]
This set the default action of the rule-set if no rule matched a packet
criteria. If default-action is set to ``jump``, then
This sets the default action of the rule-set if a packet does not match
any of the rules in that chain. If default-action is set to ``jump``, then
``default-jump-target`` is also needed. Note that for base chains, default
action can only be set to ``accept`` or ``drop``, while on custom chain,
action can only be set to ``accept`` or ``drop``, while on custom chains
more actions are available.
.. cfgcmd:: set firewall bridge name <name> default-jump-target <text>
@ -141,9 +141,9 @@ not match any rule in it's chain. For base chains, possible options for
command to specify jump target for default rule.
.. note:: **Important note about default-actions:**
If default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains, if default
action is not defined, then the default-action is set to **drop**.
If the default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains, if the
default action is not defined, then the default-action is set to **drop**.
Firewall Logs
=============
@ -155,7 +155,7 @@ log options can be defined.
.. cfgcmd:: set firewall bridge name <name> rule <1-999999> log
Enable logging for the matched packet. If this configuration command is not
present, then log is not enabled.
present, then the log is not enabled.
.. cfgcmd:: set firewall bridge forward filter default-log
.. cfgcmd:: set firewall bridge name <name> default-log
@ -170,14 +170,15 @@ log options can be defined.
log-options level [emerg | alert | crit | err | warn | notice
| info | debug]
Define log-level. Only applicable if rule log is enable.
Define log-level. Only applicable if rule log is enabled.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
log-options group <0-65535>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
log-options group <0-65535>
Define log group to send message to. Only applicable if rule log is enable.
Define the log group to send messages to. Only applicable if rule log is
enabled.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
log-options snapshot-length <0-9000>
@ -185,15 +186,16 @@ log options can be defined.
log-options snapshot-length <0-9000>
Define length of packet payload to include in netlink message. Only
applicable if rule log is enable and log group is defined.
applicable if rule log is enabled and the log group is defined.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
log-options queue-threshold <0-65535>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
log-options queue-threshold <0-65535>
Define number of packets to queue inside the kernel before sending them to
userspace. Only applicable if rule log is enable and log group is defined.
Define the number of packets to queue inside the kernel before sending them
to userspace. Only applicable if rule log is enabled and the log group is
defined.
Firewall Description
====================
@ -207,7 +209,7 @@ For reference, a description can be defined for every defined custom chain.
Rule Status
===========
When defining a rule, it is enable by default. In some cases, it is useful to
When defining a rule, it is enabled by default. In some cases, it is useful to
just disable the rule, rather than removing it.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999> disable

26
docs/configuration/firewall/flowtables.rst
View File

@ -1,4 +1,4 @@
:lastproofread: 2024-06-20
:lastproofread: 2024-07-02
.. _firewall-flowtables-configuration:
@ -12,12 +12,12 @@ Flowtables Firewall Configuration
Overview
********
In this section there's useful information of all firewall configuration that
In this section there's useful information on all firewall configuration that
can be done regarding flowtables.
.. cfgcmd:: set firewall flowtables ...
From main structure defined in
From the main structure defined in
:doc:`Firewall Overview</configuration/firewall/index>`
in this section you can find detailed information only for the next part
of the general structure:
@ -30,7 +30,7 @@ of the general structure:
+ ...
Flowtables allows you to define a fastpath through the flowtable datapath.
Flowtables allow you to define a fastpath through the flowtable datapath.
The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP
and UDP protocols.
@ -107,10 +107,10 @@ Things to be considered in this setup:
* Minimum firewall ruleset is provided, which includes some filtering rules,
and appropriate rules for using flowtable offload capabilities.
As described, first packet will be evaluated by all the firewall path, so
As described, the first packet will be evaluated by the firewall path, so a
desired connection should be explicitly accepted. Same thing should be taken
into account for traffic in reverse order. In most cases state policies are
used in order to accept connection in reverse patch.
used in order to accept a connection in the reverse path.
We will only accept traffic coming from interface eth0, protocol tcp and
destination port 1122. All other traffic trespassing the router should be
@ -142,7 +142,7 @@ Explanation
Analysis on what happens for desired connection:
1. First packet is received on eth0, with destination address 192.0.2.100,
1. Firstly, a packet is received on eth0, with destination address 192.0.2.100,
protocol tcp and destination port 1122. Assume such destination address is
reachable through interface eth1.
@ -151,22 +151,22 @@ Analysis on what happens for desired connection:
3. Rule 110 is hit, so connection is accepted.
4. Once answer from server 192.0.2.100 is seen in opposite direction,
4. Once an answer from server 192.0.2.100 is seen in opposite direction,
connection state will be triggered to **established**, so this reply is
accepted in rule 20.
5. Second packet for this connection is received by the router. Since
5. The second packet for this connection is received by the router. Since
connection state is **established**, then rule 10 is hit, and a new entry
in the flowtable FT01 is added for this connection.
6. All the following packets will skip traditional path, and will be offloaded
and will use the **Fast Path**.
6. All the following packets will skip the traditional path, will be
offloaded and use the **Fast Path**.
Checks
------
It's time to check conntrack table, to see if any connection was accepted,
and if was properly offloaded
It's time to check the conntrack table, to see if any connections were accepted,
and if it was properly offloaded
.. code-block:: none

22
docs/configuration/firewall/global-options.rst
View File

@ -1,4 +1,4 @@
:lastproofread: 2023-12-26
:lastproofread: 2024-07-03
.. _firewall-global-options-configuration:
@ -25,7 +25,7 @@ Configuration
.. cfgcmd:: set firewall global-options all-ping [enable | disable]
By default, when VyOS receives an ICMP echo request packet destined for
itself, it will answer with an ICMP echo reply, unless you avoid it
itself, it will answer with an ICMP echo reply, unless you prevent it
through its firewall.
With the firewall you can set rules to accept, drop or reject ICMP in,
@ -55,7 +55,7 @@ Configuration
.. cfgcmd:: set firewall global-options broadcast-ping [enable | disable]
This setting enable or disable the response of icmp broadcast
This setting enables or disables the response to icmp broadcast
messages. The following system parameter will be altered:
* ``net.ipv4.icmp_echo_ignore_broadcasts``
@ -63,8 +63,8 @@ Configuration
.. cfgcmd:: set firewall global-options ip-src-route [enable | disable]
.. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable]
This setting handle if VyOS accept packets with a source route
option. The following system parameter will be altered:
This setting handles if VyOS accepts packets with a source route
option. The following system parameters will be altered:
* ``net.ipv4.conf.all.accept_source_route``
* ``net.ipv6.conf.all.accept_source_route``
@ -73,22 +73,22 @@ Configuration
.. cfgcmd:: set firewall global-options ipv6-receive-redirects
[enable | disable]
enable or disable of ICMPv4 or ICMPv6 redirect messages accepted
by VyOS. The following system parameter will be altered:
Enable or disable ICMPv4 or ICMPv6 redirect messages being accepted by
VyOS. The following system parameters will be altered:
* ``net.ipv4.conf.all.accept_redirects``
* ``net.ipv6.conf.all.accept_redirects``
.. cfgcmd:: set firewall global-options send-redirects [enable | disable]
enable or disable ICMPv4 redirect messages send by VyOS
Enable or disable ICMPv4 redirect messages being sent by VyOS
The following system parameter will be altered:
* ``net.ipv4.conf.all.send_redirects``
.. cfgcmd:: set firewall global-options log-martians [enable | disable]
enable or disable the logging of martian IPv4 packets.
Enable or disable the logging of martian IPv4 packets.
The following system parameter will be altered:
* ``net.ipv4.conf.all.log_martians``
@ -103,7 +103,7 @@ Configuration
.. cfgcmd:: set firewall global-options syn-cookies [enable | disable]
Enable or Disable if VyOS use IPv4 TCP SYN Cookies.
Enable or disable if VyOS uses IPv4 TCP SYN Cookies.
The following system parameter will be altered:
* ``net.ipv4.tcp_syncookies``
@ -111,7 +111,7 @@ Configuration
.. cfgcmd:: set firewall global-options twa-hazards-protection
[enable | disable]
Enable or Disable VyOS to be :rfc:`1337` conform.
Enable or Disable VyOS to be :rfc:`1337` conformant.
The following system parameter will be altered:
* ``net.ipv4.tcp_rfc1337``

19
docs/configuration/firewall/groups.rst
View File

@ -1,4 +1,4 @@
:lastproofread: 2023-11-08
:lastproofread: 2024-07-03
.. _firewall-groups-configuration:
@ -18,8 +18,7 @@ matcher, and/or as inbound/outbound in the case of interface group.
Address Groups
==============
In an **address group** a single IP address or IP address ranges are
defined.
In an **address group** a single IP address or IP address range is defined.
.. cfgcmd:: set firewall group address-group <name> address [address |
address range]
@ -43,7 +42,7 @@ Network Groups
While **network groups** accept IP networks in CIDR notation, specific
IP addresses can be added as a 32-bit prefix. If you foresee the need
to add a mix of addresses and networks, the network group is
to add a mix of addresses and networks, then a network group is
recommended.
.. cfgcmd:: set firewall group network-group <name> network <CIDR>
@ -197,9 +196,9 @@ Commands used for this task are:
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> add-address-to-group
source-address address-group <name>
Also, specific timeout can be defined per rule. In case rule gets a hit,
source or destinatination address will be added to the group, and this
element will remain in the group until timeout expires. If no timeout
Also, specific timeouts can be defined per rule. In case rule gets a hit,
a source or destinatination address will be added to the group, and this
element will remain in the group until the timeout expires. If no timeout
is defined, then the element will remain in the group until next reboot,
or until a new commit that changes firewall configuration is done.
@ -324,7 +323,7 @@ A 4 step port knocking example is shown next:
set firewall ipv4 input filter rule 99 protocol 'tcp'
set firewall ipv4 input filter rule 99 source group dynamic-address-group 'ALLOWED'
Before testing, we can check members of firewall groups:
Before testing, we can check the members of firewall groups:
.. code-block:: none
@ -339,7 +338,7 @@ Before testing, we can check members of firewall groups:
[edit]
vyos@vyos#
With this configuration, in order to get ssh access to the router, user
With this configuration, in order to get ssh access to the router, the user
needs to:
1. Generate a new TCP connection with destination port 9990. As shown next,
@ -390,7 +389,7 @@ a new entry was added to dynamic firewall group **ALLOWED**
[edit]
vyos@vyos#
4. Now user can connect through ssh to the router (assuming ssh is configured).
4. Now the user can connect through ssh to the router (assuming ssh is configured).
**************
Operation-mode

24
docs/configuration/firewall/index.rst
View File

@ -1,4 +1,4 @@
:lastproofread: 2023-11-23
:lastproofread: 2024-07-03
########
Firewall
@ -29,10 +29,10 @@ packet is processed at the **IP Layer**:
* **Prerouting**: All packets that are received by the router
are processed in this stage, regardless of the destination of the packet.
Starting from vyos-1.5-rolling-202406120020, a new section was added to
firewall configuration. There are several actions that can be done in this
stage, and currently these actions are also defined in different parts in
VyOS configuration. Order is important, and relevant configuration that
acts in this stage are:
the firewall configuration. There are several actions that can be done in
this stage, and currently these actions are also defined in different
parts of the VyOS configuration. Order is important, and the relevant
configuration that acts in this stage are:
* **Firewall prerouting**: rules defined under ``set firewall [ipv4 |
ipv6] prerouting raw...``. All rules defined in this section are
@ -50,9 +50,9 @@ packet is processed at the **IP Layer**:
* **Destination NAT**: rules defined under ``set [nat | nat66]
destination...``.
* **Destination is the router?**: choose appropriate path based on
* **Destination is the router?**: choose an appropriate path based on
destination IP address. Transit forward continues to **forward**,
while traffic that destination IP address is configured on the router
while traffic where the destination IP address is configured on the router
continues to **input**.
* **Input**: stage where traffic destined for the router itself can be
@ -73,7 +73,7 @@ packet is processed at the **IP Layer**:
* **Output**: stage where traffic that originates from the router itself
can be filtered and controlled. Bear in mind that this traffic can be a
new connection originated by a internal process running on VyOS router,
new connection originated by a internal process running on the VyOS router
such as NTP, or a response to traffic received externally through
**input** (for example response to an ssh login attempt to the router).
This includes ipv4 and ipv6 rules, and two different sections are present:
@ -181,10 +181,10 @@ Zone-based firewall
zone
With zone-based firewalls a new concept was implemented, in addition to the
standard in and out traffic flows, a local flow was added. This local was for
traffic originating and destined to the router itself. Which means additional
rules were required to secure the firewall itself from the network, in
addition to the existing inbound and outbound rules from the traditional
standard in and out traffic flows, a local flow was added. This local flow was
for traffic originating and destined to the router itself. Which means that
additional rules were required to secure the firewall itself from the network,
in addition to the existing inbound and outbound rules from the traditional
concept above.
To configure VyOS with the

165
docs/configuration/firewall/ipv4.rst
View File

@ -1,4 +1,4 @@
:lastproofread: 2023-11-08
:lastproofread: 2024-07-03
.. _firewall-ipv4-configuration:
@ -10,13 +10,13 @@ IPv4 Firewall Configuration
Overview
********
In this section there's useful information of all firewall configuration that
In this section there's useful information on all firewall configuration that
can be done regarding IPv4, and appropriate op-mode commands.
Configuration commands covered in this section:
.. cfgcmd:: set firewall ipv4 ...
From main structure defined in
From the main structure defined in
:doc:`Firewall Overview</configuration/firewall/index>`
in this section you can find detailed information only for the next part
of the general structure:
@ -51,28 +51,28 @@ This stage includes:
* :doc:`Destination NAT</configuration/nat/nat44>`: commands found under
``set nat destination ...``
For transit traffic, which is received by the router and forwarded, base chain
is **forward**. A simplified packet flow diagram for transit traffic is shown
next:
For transit traffic, which is received by the router and forwarded, the base
chain is **forward**. A simplified packet flow diagram for transit traffic is
shown next:
.. figure:: /_static/images/firewall-fwd-packet-flow.png
Firewall base chain to configure firewall filtering rules for transit traffic
The base firewall chain to configure filtering rules for transit traffic
is ``set firewall ipv4 forward filter ...``, which happens in stage 5,
highlighted with red color.
highlighted in the color red.
For traffic towards the router itself, base chain is **input**, while traffic
originated by the router, base chain is **output**.
For traffic towards the router itself, the base chain is **input**, while
traffic originated by the router has the base chain **output**.
A new simplified packet flow diagram is shown next, which shows the path
for traffic destined to the router itself, and traffic generated by the
router (starting from circle number 6):
.. figure:: /_static/images/firewall-input-packet-flow.png
Base chain for traffic towards the router is ``set firewall ipv4 input
The base chain for traffic towards the router is ``set firewall ipv4 input
filter ...``
And base chain for traffic generated by the router is ``set firewall ipv4
And the base chain for traffic generated by the router is ``set firewall ipv4
output ...``, where two sub-chains are available: **filter** and **raw**:
* **Output Prerouting**: ``set firewall ipv4 output raw ...``.
@ -82,9 +82,9 @@ output ...``, where two sub-chains are available: **filter** and **raw**:
in this section are processed after connection tracking subsystem.
.. note:: **Important note about default-actions:**
If default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains, if default
action is not defined, then the default-action is set to **drop**
If a default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains, if the
default action is not defined, then the default-action is set to **drop**
Custom firewall chains can be created, with commands
``set firewall ipv4 name <name> ...``. In order to use
@ -95,9 +95,9 @@ should be defined in a base chain.
Firewall - IPv4 Rules
*********************
For firewall filtering, firewall rules needs to be created. Each rule is
For firewall filtering, firewall rules need to be created. Each rule is
numbered, has an action to apply if the rule is matched, and the ability
to specify multiple criteria matchers. Data packets go through the rules
to specify multiple matching criteria. Data packets go through the rules
from 1 - 999999, so order is crucial. At the first match the action of the
rule will be executed.
@ -105,7 +105,7 @@ Actions
=======
If a rule is defined, then an action must be defined for it. This tells the
firewall what to do if all criteria matchers defined for such rule do match.
firewall what to do if all of the criteria defined for that rule match.
The action can be :
@ -135,8 +135,8 @@ The action can be :
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action
[accept | continue | drop | jump | queue | reject | return]
This required setting defines the action of the current rule. If action is
set to jump, then jump-target is also needed.
This required setting defines the action of the current rule. If the action
is set to jump, then a jump-target is also needed.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
jump-target <text>
@ -148,7 +148,7 @@ The action can be :
jump-target <text>
To be used only when action is set to ``jump``. Use this command to specify
jump target.
the jump target.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
queue <0-65535>
@ -160,7 +160,7 @@ The action can be :
queue <0-65535>
To be used only when action is set to ``queue``. Use this command to specify
queue target to use. Queue range is also supported.
the queue target to use. Queue range is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
queue-options bypass
@ -171,7 +171,7 @@ The action can be :
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
queue-options bypass
To be used only when action is set to ``queue``. Use this command to let
To be used only when action is set to ``queue``. Use this command to let the
packet go through firewall when no userspace software is connected to the
queue.
@ -200,21 +200,21 @@ not match any rule in it's chain. For base chains, possible options for
.. cfgcmd:: set firewall ipv4 name <name> default-action
[accept | drop | jump | queue | reject | return]
This set the default action of the rule-set if no rule matched a packet
criteria. If default-action is set to ``jump``, then
``default-jump-target`` is also needed. Note that for base chains, default
action can only be set to ``accept`` or ``drop``, while on custom chain,
more actions are available.
This sets the default action of the rule-set if a packet does not match the
criteria of any rule. If default-action is set to ``jump``, then
``default-jump-target`` is also needed. Note that for base chains, the
default action can only be set to ``accept`` or ``drop``, while on custom
chains, more actions are available.
.. cfgcmd:: set firewall ipv4 name <name> default-jump-target <text>
To be used only when ``default-action`` is set to ``jump``. Use this
command to specify jump target for default rule.
command to specify the jump target for the default rule.
.. note:: **Important note about default-actions:**
If default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains, if default
action is not defined, then the default-action is set to **drop**.
If the default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains if a default
action is not defined then the default-action is set to **drop**.
Firewall Logs
=============
@ -228,7 +228,7 @@ log options can be defined.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log
Enable logging for the matched packet. If this configuration command is not
present, then log is not enabled.
present, then the log is not enabled.
.. cfgcmd:: set firewall ipv4 forward filter default-log
.. cfgcmd:: set firewall ipv4 input filter default-log
@ -251,7 +251,7 @@ log options can be defined.
log-options level [emerg | alert | crit | err | warn | notice
| info | debug]
Define log-level. Only applicable if rule log is enable.
Define log-level. Only applicable if rule log is enabled.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
log-options group <0-65535>
@ -262,7 +262,8 @@ log options can be defined.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
log-options group <0-65535>
Define log group to send message to. Only applicable if rule log is enable.
Define the log group to send messages to. Only applicable if rule log is
enabled.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
log-options snapshot-length <0-9000>
@ -273,8 +274,8 @@ log options can be defined.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
log-options snapshot-length <0-9000>
Define length of packet payload to include in netlink message. Only
applicable if rule log is enable and log group is defined.
Define the length of packet payload to include in a netlink message. Only
applicable if rule log is enabled and log group is defined.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
log-options queue-threshold <0-65535>
@ -285,8 +286,8 @@ log options can be defined.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
log-options queue-threshold <0-65535>
Define number of packets to queue inside the kernel before sending them to
userspace. Only applicable if rule log is enable and log group is defined.
Define the number of packets to queue inside the kernel before sending them
to userspace. Only applicable if rule log is enabled and log group is defined.
Firewall Description
====================
@ -311,7 +312,7 @@ every defined custom chain.
Rule Status
===========
When defining a rule, it is enable by default. In some cases, it is useful to
When defining a rule, it is enabled by default. In some cases, it is useful to
just disable the rule, rather than removing it.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> disable
@ -335,7 +336,7 @@ There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
connection-status nat [destination | source]
Match criteria based on nat connection status.
Match based on nat connection status.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
connection-mark <1-2147483647>
@ -346,7 +347,7 @@ There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
connection-mark <1-2147483647>
Match criteria based on connection mark.
Match based on connection mark.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
conntrack-helper <module>
@ -445,8 +446,8 @@ There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination fqdn <fqdn>
Specify a Fully Qualified Domain Name as source/destination matcher. Ensure
router is able to resolve such dns query.
Specify a Fully Qualified Domain Name as source/destination to match. Ensure
that the router is able to resolve this dns query.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source geoip country-code <country>
@ -503,14 +504,13 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
source mac-address <mac-address>
Only in the source criteria, you can specify a mac-address.
You can only specify a source mac-address to match.
.. code-block:: none
set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33
set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source port [1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
@ -529,8 +529,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination port [1-65535 | portname | start-end]
A port can be set with a port number or a name which is here
defined: ``/etc/services``.
A port can be set by number or name as defined in ``/etc/services``.
.. code-block:: none
@ -559,8 +558,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group address-group <name | !name>
Use a specific address-group. Prepend character ``!`` for inverted matching
criteria.
Use a specific address-group. Prepending the character ``!`` to invert the
criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source group dynamic-address-group <name | !name>
@ -580,8 +579,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group dynamic-address-group <name | !name>
Use a specific dynamic-address-group. Prepend character ``!`` for inverted
matching criteria.
Use a specific dynamic-address-group. Prepending the character ``!`` to
invert the criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source group network-group <name | !name>
@ -601,8 +600,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group network-group <name | !name>
Use a specific network-group. Prepend character ``!`` for inverted matching
criteria.
Use a specific network-group. Prepending the character ``!`` to invert the
criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source group port-group <name | !name>
@ -622,8 +621,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group port-group <name | !name>
Use a specific port-group. Prepend character ``!`` for inverted matching
criteria.
Use a specific port-group. Prepending the character ``!`` to invert the
criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source group domain-group <name | !name>
@ -643,8 +642,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group domain-group <name | !name>
Use a specific domain-group. Prepend character ``!`` for inverted matching
criteria.
Use a specific domain-group. Prepending the character ``!`` to invert the
criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source group mac-group <name | !name>
@ -664,8 +663,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group mac-group <name | !name>
Use a specific mac-group. Prepend character ``!`` for inverted matching
criteria.
Use a specific mac-group. Prepending the character ``!`` to invert the
criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
dscp [0-63 | start-end]
@ -696,7 +695,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
fragment [match-frag | match-non-frag]
Match based on fragment criteria.
Match based on fragmentation.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
icmp [code | type] <0-255>
@ -718,7 +717,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
icmp type-name <text>
Match based on icmp type-name criteria. Use tab for information
Match based on icmp type-name. Use tab for information
about what **type-name** criteria are supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
@ -729,11 +728,11 @@ geoip) to keep database and rules updated.
inbound-interface name <iface>
Match based on inbound interface. Wildcard ``*`` can be used.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
criteria is also supported. For example ``!eth2``
For example: ``eth2*``. Prepending the character ``!`` to invert the
criteria to match is also supported. For example ``!eth2``
.. note:: If an interface is attached to a non-default vrf, when using
**inbound-interface**, vrf name must be used. For example ``set firewall
**inbound-interface**, the vrf name must be used. For example ``set firewall
ipv4 forward filter rule 10 inbound-interface name MGMT``
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
@ -743,8 +742,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
inbound-interface group <iface_group>
Match based on inbound interface group. Prepending character ``!`` for
inverted matching criteria is also supported. For example ``!IFACE_GROUP``
Match based on the inbound interface group. Prepending the character ``!``
to invert the criteria to match is also supported. For example ``!IFACE_GROUP``
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
outbound-interface name <iface>
@ -754,11 +753,11 @@ geoip) to keep database and rules updated.
outbound-interface name <iface>
Match based on outbound interface. Wildcard ``*`` can be used.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
criteria is also supported. For example ``!eth2``
For example: ``eth2*``. Prepending the character ``!`` to invert the
criteria to match is also supported. For example ``!eth2``
.. note:: If an interface is attached to a non-default vrf, when using
**outbound-interface**, real interface name must be used. For example
**outbound-interface**, the real interface name must be used. For example
``set firewall ipv4 forward filter rule 10 outbound-interface name eth0``
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
@ -768,8 +767,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
outbound-interface group <iface_group>
Match based on outbound interface group. Prepending character ``!`` for
inverted matching criteria is also supported. For example ``!IFACE_GROUP``
Match based on outbound interface group. Prepending the character ``!`` to
invert the criteria to match is also supported. For example ``!IFACE_GROUP``
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
ipsec [match-ipsec | match-none]
@ -780,7 +779,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
ipsec [match-ipsec | match-none]
Match based on ipsec criteria.
Match based on ipsec.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
limit burst <0-4294967295>
@ -823,7 +822,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
packet-length-exclude <text>
Match based on packet length criteria. Multiple values from 1 to 65535
Match based on the packet length. Multiple values from 1 to 65535
and ranges are supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
@ -835,7 +834,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
packet-type [broadcast | host | multicast | other]
Match based on packet type criteria.
Match based on the packet type.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
protocol [<text> | <0-255> | all | tcp_udp]
@ -846,10 +845,9 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
protocol [<text> | <0-255> | all | tcp_udp]
Match a protocol criteria. A protocol number or a name which is here
defined: ``/etc/protocols``.
Match based on protocol number or name as defined in ``/etc/protocols``.
Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
based packets. The ``!`` negate the selected protocol.
based packets. The ``!`` negates the selected protocol.
.. code-block:: none
@ -874,7 +872,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
recent time [second | minute | hour]
Match bases on recently seen sources.
Match based on recently seen sources.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
tcp flags [not] <text>
@ -958,8 +956,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
ttl <eq | gt | lt> <0-255>
Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for
'greater than', and 'lt' stands for 'less than'.
Match the time to live parameter, where 'eq' stands for 'equal'; 'gt' stands
for 'greater than', and 'lt' stands for 'less than'.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
recent count <1-255>
@ -994,7 +992,7 @@ Synproxy connections
.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999>
synproxy tcp mss <501-65535>
Set TCP-MSS (maximum segment size) for the connection
Set the TCP-MSS (maximum segment size) for the connection
.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999>
synproxy tcp window-scale <1-14>
@ -1028,7 +1026,6 @@ Requirements to enable synproxy:
set firewall ipv4 input filter rule 1000 action 'drop'
set firewall ipv4 input filter rule 1000 state invalid
***********************
Operation-mode Firewall
***********************
@ -1038,7 +1035,7 @@ Rule-set overview
.. opcmd:: show firewall
This will show you a basic firewall overview, for all ruleset, and not
This will show you a basic firewall overview, for all rule-sets, and not
only for ipv4
.. code-block:: none

167
docs/configuration/firewall/ipv6.rst
View File

@ -1,4 +1,4 @@
:lastproofread: 2023-11-08
:lastproofread: 2024-07-03
.. _firewall-ipv6-configuration:
@ -10,13 +10,13 @@ IPv6 Firewall Configuration
Overview
********
In this section there's useful information of all firewall configuration that
In this section there's useful information on all firewall configuration that
can be done regarding IPv6, and appropriate op-mode commands.
Configuration commands covered in this section:
.. cfgcmd:: set firewall ipv6 ...
From main structure defined in
From the main structure defined in
:doc:`Firewall Overview</configuration/firewall/index>`
in this section you can find detailed information only for the next part
of the general structure:
@ -51,29 +51,29 @@ This stage includes:
* :doc:`Destination NAT</configuration/nat/nat44>`: commands found under
``set nat66 destination ...``
For transit traffic, which is received by the router and forwarded, base chain
is **forward**. A simplified packet flow diagram for transit traffic is shown
next:
For transit traffic, which is received by the router and forwarded, the base
chain is **forward**. A simplified packet flow diagram for transit traffic is
shown next:
.. figure:: /_static/images/firewall-fwd-packet-flow.png
Firewall base chain to configure firewall filtering rules for transit traffic
The base firewall chain to configure filtering rules for transit traffic
is ``set firewall ipv6 forward filter ...``, which happens in stage 5,
highlighted with red color.
highlighted in the color red.
For traffic towards the router itself, base chain is **input**, while traffic
originated by the router, base chain is **output**.
For traffic towards the router itself, the base chain is **input**, while
traffic originated by the router has the base chain **output**.
A new simplified packet flow diagram is shown next, which shows the path
for traffic destined to the router itself, and traffic generated by the
router (starting from circle number 6):
.. figure:: /_static/images/firewall-input-packet-flow.png
Base chain for traffic towards the router is ``set firewall ipv6 input
The base chain for traffic towards the router is ``set firewall ipv6 input
filter ...``
And base chain for traffic generated by the router is ``set firewall ipv6
output filter ...``, where two sub-chains are available: **filter** and **raw**:
And the base chain for traffic generated by the router is ``set firewall ipv6
output ...``, where two sub-chains are available: **filter** and **raw**:
* **Output Prerouting**: ``set firewall ipv6 output raw ...``.
As described in **Prerouting**, rules defined in this section are
@ -82,9 +82,9 @@ output filter ...``, where two sub-chains are available: **filter** and **raw**:
in this section are processed after connection tracking subsystem.
.. note:: **Important note about default-actions:**
If default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains, if default
action is not defined, then the default-action is set to **drop**
If a default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains, if the
default action is not defined, then the default-action is set to **drop**
Custom firewall chains can be created, with commands
``set firewall ipv6 name <name> ...``. In order to use
@ -95,9 +95,9 @@ should be defined in a base chain.
Firewall - IPv6 Rules
******************************
For firewall filtering, firewall rules needs to be created. Each rule is
For firewall filtering, firewall rules need to be created. Each rule is
numbered, has an action to apply if the rule is matched, and the ability
to specify multiple criteria matchers. Data packets go through the rules
to specify multiple matching criteria. Data packets go through the rules
from 1 - 999999, so order is crucial. At the first match the action of the
rule will be executed.
@ -105,7 +105,7 @@ Actions
=======
If a rule is defined, then an action must be defined for it. This tells the
firewall what to do if all criteria matchers defined for such rule do match.
firewall what to do if all of the criteria defined for that rule match.
The action can be :
@ -135,8 +135,8 @@ The action can be :
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> action
[accept | continue | drop | jump | queue | reject | return]
This required setting defines the action of the current rule. If action is
set to jump, then jump-target is also needed.
This required setting defines the action of the current rule. If the action
is set to jump, then a jump-target is also needed.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
jump-target <text>
@ -148,7 +148,7 @@ The action can be :
jump-target <text>
To be used only when action is set to ``jump``. Use this command to specify
jump target.
the jump target.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
queue <0-65535>
@ -160,7 +160,7 @@ The action can be :
queue <0-65535>
To be used only when action is set to ``queue``. Use this command to specify
queue target to use. Queue range is also supported.
the queue target to use. Queue range is also supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
queue-options bypass
@ -171,7 +171,7 @@ The action can be :
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
queue-options bypass
To be used only when action is set to ``queue``. Use this command to let
To be used only when action is set to ``queue``. Use this command to let the
packet go through firewall when no userspace software is connected to the
queue.
@ -200,21 +200,21 @@ not match any rule in it's chain. For base chains, possible options for
.. cfgcmd:: set firewall ipv6 name <name> default-action
[accept | drop | jump | queue | reject | return]
This set the default action of the rule-set if no rule matched a packet
criteria. If default-action is set to ``jump``, then
``default-jump-target`` is also needed. Note that for base chains, default
action can only be set to ``accept`` or ``drop``, while on custom chain,
more actions are available.
This sets the default action of the rule-set if a packet does not match the
criteria of any rule. If default-action is set to ``jump``, then
``default-jump-target`` is also needed. Note that for base chains, the
default action can only be set to ``accept`` or ``drop``, while on custom
chains, more actions are available.
.. cfgcmd:: set firewall ipv6 name <name> default-jump-target <text>
To be used only when ``default-action`` is set to ``jump``. Use this
command to specify jump target for default rule.
command to specify the jump target for the default rule.
.. note:: **Important note about default-actions:**
If default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains, if default
action is not defined, then the default-action is set to **drop**.
If the default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains if a default
action is not defined then the default-action is set to **drop**.
Firewall Logs
=============
@ -228,7 +228,7 @@ log options can be defined.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log
Enable logging for the matched packet. If this configuration command is not
present, then log is not enabled.
present, then the log is not enabled.
.. cfgcmd:: set firewall ipv6 forward filter default-log
.. cfgcmd:: set firewall ipv6 input filter default-log
@ -251,7 +251,7 @@ log options can be defined.
log-options level [emerg | alert | crit | err | warn | notice
| info | debug]
Define log-level. Only applicable if rule log is enable.
Define log-level. Only applicable if rule log is enabled.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
log-options group <0-65535>
@ -262,7 +262,8 @@ log options can be defined.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
log-options group <0-65535>
Define log group to send message to. Only applicable if rule log is enable.
Define the log group to send messages to. Only applicable if rule log is
enabled.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
log-options snapshot-length <0-9000>
@ -273,8 +274,8 @@ log options can be defined.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
log-options snapshot-length <0-9000>
Define length of packet payload to include in netlink message. Only
applicable if rule log is enable and log group is defined.
Define the length of packet payload to include in a netlink message. Only
applicable if rule log is enabled and log group is defined.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
log-options queue-threshold <0-65535>
@ -285,8 +286,8 @@ log options can be defined.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
log-options queue-threshold <0-65535>
Define number of packets to queue inside the kernel before sending them to
userspace. Only applicable if rule log is enable and log group is defined.
Define the number of packets to queue inside the kernel before sending them
to userspace. Only applicable if rule log is enabled and log group is defined.
Firewall Description
====================
@ -311,7 +312,7 @@ every defined custom chain.
Rule Status
===========
When defining a rule, it is enable by default. In some cases, it is useful to
When defining a rule, it is enabled by default. In some cases, it is useful to
just disable the rule, rather than removing it.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> disable
@ -335,7 +336,7 @@ There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
connection-status nat [destination | source]
Match criteria based on nat connection status.
Match based on nat connection status.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
connection-mark <1-2147483647>
@ -346,7 +347,7 @@ There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
connection-mark <1-2147483647>
Match criteria based on connection mark.
Match based on connection mark.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
source address [address | addressrange | CIDR]
@ -366,9 +367,8 @@ There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination address [address | addressrange | CIDR]
Match criteria based on source and/or destination address. This is similar
to the network groups part, but here you are able to negate the matching
addresses.
Match based on source and/or destination address. This is similar to the
network groups part, but here you are able to negate the matching addresses.
.. code-block:: none
@ -433,8 +433,8 @@ There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination fqdn <fqdn>
Specify a Fully Qualified Domain Name as source/destination matcher. Ensure
router is able to resolve such dns query.
Specify a Fully Qualified Domain Name as source/destination to match. Ensure
that the router is able to resolve this dns query.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
source geoip country-code <country>
@ -491,7 +491,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
source mac-address <mac-address>
Only in the source criteria, you can specify a mac-address.
You can only specify a source mac-address to match.
.. code-block:: none
@ -516,8 +516,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination port [1-65535 | portname | start-end]
A port can be set with a port number or a name which is here
defined: ``/etc/services``.
A port can be set by number or name as defined in ``/etc/services``.
.. code-block:: none
@ -550,8 +549,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination group address-group <name | !name>
Use a specific address-group. Prepend character ``!`` for inverted matching
criteria.
Use a specific address-group. Prepending the character ``!`` to invert the
criteria to match is also supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
source group dynamic-address-group <name | !name>
@ -571,8 +570,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination group dynamic-address-group <name | !name>
Use a specific dynamic-address-group. Prepend character ``!`` for inverted
matching criteria.
Use a specific dynamic-address-group. Prepending the character ``!`` to
invert the criteria to match is also supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
source group network-group <name | !name>
@ -592,8 +591,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination group network-group <name | !name>
Use a specific network-group. Prepend character ``!`` for inverted matching
criteria.
Use a specific network-group. Prepending the character ``!`` to invert the
criteria to match is also supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
source group port-group <name | !name>
@ -613,8 +612,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination group port-group <name | !name>
Use a specific port-group. Prepend character ``!`` for inverted matching
criteria.
Use a specific port-group. Prepending the character ``!`` to invert the
criteria to match is also supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
source group domain-group <name | !name>
@ -634,8 +633,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination group domain-group <name | !name>
Use a specific domain-group. Prepend character ``!`` for inverted matching
criteria.
Use a specific domain-group. Prepending the character ``!`` to invert the
criteria to match is also supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
source group mac-group <name | !name>
@ -655,8 +654,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination group mac-group <name | !name>
Use a specific mac-group. Prepend character ``!`` for inverted matching
criteria.
Use a specific mac-group. Prepending the character ``!`` to invert the
criteria to match is also supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
dscp [0-63 | start-end]
@ -687,7 +686,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
fragment [match-frag | match-non-frag]
Match based on fragment criteria.
Match based on fragmentation.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
icmpv6 [code | type] <0-255>
@ -709,7 +708,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
icmpv6 type-name <text>
Match based on icmpv6 type-name criteria. Use tab for information
Match based on icmpv6 type-name. Use tab for information
about what **type-name** criteria are supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
@ -720,11 +719,11 @@ geoip) to keep database and rules updated.
inbound-interface name <iface>
Match based on inbound interface. Wildcard ``*`` can be used.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
criteria is also supported. For example ``!eth2``
For example: ``eth2*``. Prepending the character ``!`` to invert the
criteria to match is also supported. For example ``!eth2``
.. note:: If an interface is attached to a non-default vrf, when using
**inbound-interface**, vrf name must be used. For example ``set firewall
**inbound-interface**, the vrf name must be used. For example ``set firewall
ipv6 forward filter rule 10 inbound-interface name MGMT``
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
@ -734,8 +733,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
inbound-interface group <iface_group>
Match based on inbound interface group. Prepending character ``!`` for
inverted matching criteria is also supported. For example ``!IFACE_GROUP``
Match based on the inbound interface group. Prepending the character ``!``
to invert the criteria to match is also supported. For example ``!IFACE_GROUP``
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
outbound-interface name <iface>
@ -745,11 +744,11 @@ geoip) to keep database and rules updated.
outbound-interface name <iface>
Match based on outbound interface. Wildcard ``*`` can be used.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
criteria is also supported. For example ``!eth2``
For example: ``eth2*``. Prepending the character ``!`` to invert the
criteria to match is also supported. For example ``!eth2``
.. note:: If an interface is attached to a non-default vrf, when using
**outbound-interface**, real interface name must be used. For example
**outbound-interface**, the real interface name must be used. For example
``set firewall ipv6 forward filter rule 10 outbound-interface name eth0``
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
@ -759,8 +758,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
outbound-interface group <iface_group>
Match based on outbound interface group. Prepending character ``!`` for
inverted matching criteria is also supported. For example ``!IFACE_GROUP``
Match based on outbound interface group. Prepending the character ``!`` to
invert the criteria to match is also supported. For example ``!IFACE_GROUP``
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
ipsec [match-ipsec | match-none]
@ -771,7 +770,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
ipsec [match-ipsec | match-none]
Match based on ipsec criteria.
Match based on ipsec.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
limit burst <0-4294967295>
@ -814,7 +813,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
packet-length-exclude <text>
Match based on packet length criteria. Multiple values from 1 to 65535
Match based on the packet length. Multiple values from 1 to 65535
and ranges are supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
@ -826,7 +825,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
packet-type [broadcast | host | multicast | other]
Match based on packet type criteria.
Match based on the packet type.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
protocol [<text> | <0-255> | all | tcp_udp]
@ -837,10 +836,9 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
protocol [<text> | <0-255> | all | tcp_udp]
Match a protocol criteria. A protocol number or a name which is here
defined: ``/etc/protocols``.
Match based on protocol number or name as defined in ``/etc/protocols``.
Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
based packets. The ``!`` negate the selected protocol.
based packets. The ``!`` negates the selected protocol.
.. code-block:: none
@ -948,7 +946,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
hop-limit <eq | gt | lt> <0-255>
Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
Match the hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
'greater than', and 'lt' stands for 'less than'.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
@ -984,7 +982,7 @@ Synproxy connections
.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999>
synproxy tcp mss <501-65535>
Set TCP-MSS (maximum segment size) for the connection
Set the TCP-MSS (maximum segment size) for the connection
.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999>
synproxy tcp window-scale <1-14>
@ -1027,7 +1025,8 @@ Rule-set overview
.. opcmd:: show firewall
This will show you a basic firewall overview
This will show you a basic firewall overview, for all rule-sets, and not
only for ipv6
.. code-block:: none

18
docs/configuration/firewall/zone.rst
View File

@ -1,4 +1,4 @@
:lastproofread: 2023-11-01
:lastproofread: 2024-07-03
.. _firewall-zone:
@ -11,9 +11,9 @@ Overview
********
.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall
structure can be found on all VyOS installations. Zone based firewall was
removed in that version, but re introduced in VyOS 1.4 and 1.5. All
versions built after 2023-10-22 has this feature.
structure can be found on all VyOS installations. The Zone based firewall
was removed in that version, but re introduced in VyOS 1.4 and 1.5. All
versions built after 2023-10-22 have this feature.
Documentation for most of the new firewall CLI can be
found in the `firewall
<https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_
@ -22,13 +22,13 @@ Overview
:doc:`legacy firewall configuration </configuration/firewall/general-legacy>`
chapter.
In this section there's useful information of all firewall configuration that
is needed for zone-based firewall.
In this section there's useful information on all firewall configuration that
is needed for the zone-based firewall.
Configuration commands covered in this section:
.. cfgcmd:: set firewall zone ...
From main structure defined in
From the main structure defined in
:doc:`Firewall Overview</configuration/firewall/index>`
in this section you can find detailed information only for the next part
of the general structure:
@ -53,7 +53,7 @@ Key Points:
interface can be assigned to only a single zone.
* All traffic to and from an interface within a zone is permitted.
* All traffic between zones is affected by existing policies
* Traffic cannot flow between zone member interface and any interface that is
* Traffic cannot flow between a zone member interface and any interface that is
not a zone member.
* You need 2 separate firewalls to define traffic: one for each direction.
@ -129,7 +129,7 @@ Operation-mode
.. opcmd:: show firewall zone-policy
This will show you a basic summary of zones configuration.
This will show you a basic summary of the zone configuration.
.. code-block:: none