vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-26 08:41:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1634 from markh0338/remote-group-docs

Browse Source 
T7386: firewall: update remote-group docs to support IPv6
This commit is contained in:
Christian Breunig 2025-05-12 20:49:41 +02:00 committed by GitHub
commit 835a750a72
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 14 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
docs/configuration/firewall/groups.rst
View File

@ -41,28 +41,33 @@ Remote Groups
============== ==============
A **remote-group** takes an argument of a URL hosting a linebreak-deliminated A **remote-group** takes an argument of a URL hosting a linebreak-deliminated
list of IPv4s addresses, CIDRs and ranges. VyOS will pull this list periodicity list of IPv4 and/or IPv6 addresses, CIDRs and ranges. VyOS will pull this list periodicity
according to the frequency defined in the firewall **resolver-interval** and load according to the frequency defined in the firewall **resolver-interval** and load
matching entries into the group for use in rules. The list will be cached in matching entries into the group for use in rules. The list will be cached in
persistent storage, so in cases of update failure rules will still function. persistent storage, so in cases of update failure rules will still function.
.. cfgcmd:: set firewall group remote-group <name> url <http(s) url> .. cfgcmd:: set firewall group remote-group <name> url <http(s) url>
Define remote list of IPv4 addresses/ranges/CIDRs to fetch Define remote list of IPv4 and/or IPv6 addresses/ranges/CIDRs to fetch
.. cfgcmd:: set firewall group remote-group <name> description <text> .. cfgcmd:: set firewall group remote-group <name> description <text>
Set a description for a remote group Set a description for a remote group
The format of the remote list is very flexible. VyOS will attempt to parse the The format of the remote list is very flexible. VyOS will attempt to parse the
first word of each line as an entry, and will skip if it cannot find a valid first word of each line as an entry, and will skip if it cannot find a valid
match. Below is a list of acceptable matches that would be parsed correctly: match. Lines that begin with an alphanumeric character but do not match valid IPv4
or IPv6 addresses, ranges, or CIDRs will be logged to the system log. Below is a
list of acceptable matches that would be parsed correctly:
.. code-block:: none .. code-block:: none
127.0.0.1 127.0.0.1
127.0.0.0/24 127.0.0.0/24
127.0.0.1-127.0.0.254 127.0.0.1-127.0.0.254
2001:db8::1
2001:db8:cafe::/48
2001:db8:cafe::1-2001:db8:cafe::ffff
Network Groups Network Groups
============== ==============
@ -258,7 +263,7 @@ As any other firewall group, dynamic firewall groups can be used in firewall
rules as matching options. For example: rules as matching options. For example:
.. code-block:: none .. code-block:: none
set firewall ipv4 input filter rule 10 source group dynamic-address-group FOO set firewall ipv4 input filter rule 10 source group dynamic-address-group FOO
set firewall ipv4 input filter rule 10 destination group dynamic-address-group BAR set firewall ipv4 input filter rule 10 destination group dynamic-address-group BAR
@ -272,10 +277,10 @@ General example
As said before, once firewall groups are created, they can be referenced As said before, once firewall groups are created, they can be referenced
either in firewall, nat, nat66 and/or policy-route rules. either in firewall, nat, nat66 and/or policy-route rules.
Here is an example were multiple groups are created: Here is an example were multiple groups are created:
.. code-block:: none .. code-block:: none
set firewall group address-group SERVERS address 198.51.100.101 set firewall group address-group SERVERS address 198.51.100.101
set firewall group address-group SERVERS address 198.51.100.102 set firewall group address-group SERVERS address 198.51.100.102
set firewall group network-group TRUSTEDv4 network 192.0.2.0/30 set firewall group network-group TRUSTEDv4 network 192.0.2.0/30
@ -290,7 +295,7 @@ Here is an example were multiple groups are created:
And next, some configuration example where groups are used: And next, some configuration example where groups are used:
.. code-block:: none .. code-block:: none
set firewall ipv4 output filter rule 10 action accept set firewall ipv4 output filter rule 10 action accept
set firewall ipv4 output filter rule 10 outbound-interface group !LAN set firewall ipv4 output filter rule 10 outbound-interface group !LAN
set firewall ipv4 forward filter rule 20 action accept set firewall ipv4 forward filter rule 20 action accept
@ -453,4 +458,4 @@ Here is an example of such command:
PORT-SERVERS port_group route-PBR-201 443 PORT-SERVERS port_group route-PBR-201 443
route-PBR-201 5000-5010 route-PBR-201 5000-5010
nat-destination-101 http nat-destination-101 http
vyos@vyos:~$ vyos@vyos:~$