mirror of https://github.com/vyos/vyos-documentation.git
synced 2025-10-26 08:41:46 +01:00

wireless: T6320: Merge remote-tracking branch 'upstream' into T6320
This commit is contained in: commit a95d2c9744

docs/_static/images/firewall-and-vrf-blueprints.png (BIN, vendored, Normal file) - Binary file not shown. After Width: | Height: | Size: 82 KiB
docs/_static/images/firewall-fwd-packet-flow.png (BIN, vendored) - Binary file not shown. Before Width: | Height: | Size: 39 KiB; After Width: | Height: | Size: 30 KiB
docs/_static/images/firewall-input-packet-flow.png (BIN, vendored) - Binary file not shown. Before Width: | Height: | Size: 55 KiB; After Width: | Height: | Size: 43 KiB

docs/configexamples/firewall.rst (12 lines added, Normal file)
							| @ -0,0 +1,12 @@ | |||||||
|  | :lastproofread: 2024-06-14 | ||||||
|  | 
 | ||||||
|  | Firewall Examples | ||||||
|  | ================= | ||||||
|  | 
 | ||||||
|  | This section contains examples of firewall configurations for various deployments. | ||||||
|  | 
 | ||||||
|  | .. toctree:: | ||||||
|  |    :maxdepth: 2 | ||||||
|  | 
 | ||||||
|  |    fwall-and-vrf | ||||||
|  |    zone-policy | ||||||
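Review bot: the new index page carries no reST label, whereas zone-policy.rst (visible further down in this diff) starts with `.. _examples-zone-policy:`; add a label such as `.. _examples-firewall:` above the "Firewall Examples" title so the chapter can be cross-referenced with `:ref:` like the other example pages.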
							
								
								
									
docs/configexamples/fwall-and-vrf.rst (121 lines added, Normal file)
							| @ -0,0 +1,121 @@ | |||||||
|  | VRF and firewall example | ||||||
|  | ------------------------ | ||||||
|  | 
 | ||||||
|  | Scenario and requirements | ||||||
|  | ^^^^^^^^^^^^^^^^^^^^^^^^^ | ||||||
|  | 
 | ||||||
|  | This example shows how to configure a VyOS router with VRFs and firewall rules. | ||||||
|  | 
 | ||||||
|  | Diagram used in this example: | ||||||
|  | 
 | ||||||
|  | .. image:: /_static/images/firewall-and-vrf-blueprints.png | ||||||
|  |     :width: 80% | ||||||
|  |     :align: center | ||||||
|  |     :alt: Network Topology Diagram | ||||||
|  | 
 | ||||||
|  | As exposed in the diagram, there are four VRFs. These VRFs are ``MGMT``, | ||||||
|  | ``WAN``, ``LAN`` and ``PROD``, and their requirements are: | ||||||
|  | 
 | ||||||
|  | * VRF MGMT: | ||||||
|  |    * Allow connections to LAN and PROD. | ||||||
|  |    * Deny connections to internet(WAN). | ||||||
|  |    * Allow connections to the router. | ||||||
|  | * VRF LAN: | ||||||
|  |    * Allow connections to PROD. | ||||||
|  |    * Allow connections to internet(WAN). | ||||||
|  | * VRF PROD: | ||||||
|  |    * Only accepts connections. | ||||||
|  | * VRF WAN: | ||||||
|  |    * Allow connection to PROD. | ||||||
|  | 
 | ||||||
|  | Configuration | ||||||
|  | ^^^^^^^^^^^^^ | ||||||
|  | 
 | ||||||
|  | First, we need to configure the interfaces and VRFs: | ||||||
|  | 
 | ||||||
|  | .. code-block:: none | ||||||
|  | 
 | ||||||
|  |   set interfaces ethernet eth1 address '10.100.100.1/24' | ||||||
|  |   set interfaces ethernet eth1 vrf 'MGMT' | ||||||
|  |   set interfaces ethernet eth2 vif 150 address '10.150.150.1/24' | ||||||
|  |   set interfaces ethernet eth2 vif 150 vrf 'LAN' | ||||||
|  |   set interfaces ethernet eth2 vif 160 address '10.160.160.1/24' | ||||||
|  |   set interfaces ethernet eth2 vif 160 vrf 'LAN' | ||||||
|  |   set interfaces ethernet eth2 vif 3500 address '172.16.20.1/24' | ||||||
|  |   set interfaces ethernet eth2 vif 3500 vrf 'PROD' | ||||||
|  |   set interfaces loopback lo | ||||||
|  |   set interfaces pppoe pppoe0 authentication password 'p4ssw0rd' | ||||||
|  |   set interfaces pppoe pppoe0 authentication username 'vyos' | ||||||
|  |   set interfaces pppoe pppoe0 source-interface 'eth0' | ||||||
|  |   set interfaces pppoe pppoe0 vrf 'WAN' | ||||||
|  |   set vrf bind-to-all | ||||||
|  |   set vrf name LAN protocols static route 0.0.0.0/0 interface pppoe0 vrf 'WAN' | ||||||
|  |   set vrf name LAN protocols static route 10.100.100.0/24 interface eth1 vrf 'MGMT' | ||||||
|  |   set vrf name LAN protocols static route 172.16.20.0/24 interface eth2.3500 vrf 'PROD' | ||||||
|  |   set vrf name LAN table '103' | ||||||
|  |   set vrf name MGMT protocols static route 10.150.150.0/24 interface eth2.150 vrf 'LAN' | ||||||
|  |   set vrf name MGMT protocols static route 10.160.160.0/24 interface eth2.160 vrf 'LAN' | ||||||
|  |   set vrf name MGMT protocols static route 172.16.20.0/24 interface eth2.3500 vrf 'PROD' | ||||||
|  |   set vrf name MGMT table '102' | ||||||
|  |   set vrf name PROD protocols static route 0.0.0.0/0 interface pppoe0 vrf 'WAN' | ||||||
|  |   set vrf name PROD protocols static route 10.100.100.0/24 interface eth1 vrf 'MGMT' | ||||||
|  |   set vrf name PROD protocols static route 10.150.150.0/24 interface eth2.150 vrf 'LAN' | ||||||
|  |   set vrf name PROD protocols static route 10.160.160.0/24 interface eth2.160 vrf 'LAN' | ||||||
|  |   set vrf name PROD table '104' | ||||||
|  |   set vrf name WAN protocols static route 10.150.150.0/24 interface eth2.150 vrf 'LAN' | ||||||
|  |   set vrf name WAN protocols static route 10.160.160.0/24 interface eth2.160 vrf 'LAN' | ||||||
|  |   set vrf name WAN protocols static route 172.16.20.0/24 interface eth2.3500 vrf 'PROD' | ||||||
|  |   set vrf name WAN table '101' | ||||||
|  | 
 | ||||||
|  | And before firewall rules are shown, we need to pay attention how to configure | ||||||
|  | and match interfaces and VRFs. In case where an interface is assigned to a | ||||||
|  | non-default VRF, if we want to use inbound-interface or outbound-interface in | ||||||
|  | firewall rules, we need to: | ||||||
|  | 
 | ||||||
|  | * For **inbound-interface**: use the interface name with the VRF name, like | ||||||
|  |   ``MGMT`` or ``LAN``. | ||||||
|  | * For **outbound-interface**: use the interface name, like ``eth0``, ``vtun0``, | ||||||
|  |   ``eth2*`` or similar.  | ||||||
|  | 
 | ||||||
|  | Next, we need to configure the firewall rules. First we will define all rules | ||||||
|  | for transit traffic between VRFs. | ||||||
|  | 
 | ||||||
|  | .. code-block:: none | ||||||
|  | 
 | ||||||
|  |   set firewall ipv4 forward filter default-action 'drop' | ||||||
|  |   set firewall ipv4 forward filter default-log | ||||||
|  |   set firewall ipv4 forward filter rule 10 action 'accept' | ||||||
|  |   set firewall ipv4 forward filter rule 10 description 'MGMT - Allow to LAN and PROD' | ||||||
|  |   set firewall ipv4 forward filter rule 10 inbound-interface name 'MGMT' | ||||||
|  |   set firewall ipv4 forward filter rule 10 outbound-interface name 'eth2*' | ||||||
|  |   set firewall ipv4 forward filter rule 99 action 'drop' | ||||||
|  |   set firewall ipv4 forward filter rule 99 description 'MGMT - Drop all going to mgmt' | ||||||
|  |   set firewall ipv4 forward filter rule 99 outbound-interface name 'eth1' | ||||||
|  |   set firewall ipv4 forward filter rule 120 action 'accept' | ||||||
|  |   set firewall ipv4 forward filter rule 120 description 'LAN - Allow to PROD' | ||||||
|  |   set firewall ipv4 forward filter rule 120 inbound-interface name 'LAN' | ||||||
|  |   set firewall ipv4 forward filter rule 120 outbound-interface name 'eth2.3500' | ||||||
|  |   set firewall ipv4 forward filter rule 130 action 'accept' | ||||||
|  |   set firewall ipv4 forward filter rule 130 description 'LAN - Allow internet' | ||||||
|  |   set firewall ipv4 forward filter rule 130 inbound-interface name 'LAN' | ||||||
|  |   set firewall ipv4 forward filter rule 130 outbound-interface name 'pppoe0' | ||||||
|  | 
 | ||||||
|  | Also, we are adding global state policies, in order to allow established and | ||||||
|  | related traffic, in order not to drop valid responses: | ||||||
|  | 
 | ||||||
|  | .. code-block:: none | ||||||
|  | 
 | ||||||
|  |   set firewall global-options state-policy established action 'accept' | ||||||
|  |   set firewall global-options state-policy invalid action 'drop' | ||||||
|  |   set firewall global-options state-policy related action 'accept' | ||||||
|  | 
 | ||||||
|  | And finally, we need to allow input connections to the router itself only from | ||||||
|  | vrf MGMT: | ||||||
|  | 
 | ||||||
|  | .. code-block:: none | ||||||
|  | 
 | ||||||
|  |   set firewall ipv4 input filter default-action 'drop' | ||||||
|  |   set firewall ipv4 input filter default-log | ||||||
|  |   set firewall ipv4 input filter rule 10 action 'accept' | ||||||
|  |   set firewall ipv4 input filter rule 10 description 'MGMT - Allow input' | ||||||
|  |   set firewall ipv4 input filter rule 10 inbound-interface name 'MGMT' | ||||||
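Review bot: the forward filter does not implement the listed requirement "VRF WAN: Allow connection to PROD": rules 10, 99, 120 and 130 only cover traffic entering from MGMT and LAN, and with `default-action 'drop'` new connections from pppoe0 towards eth2.3500 are dropped (the `established`/`related` state policy only covers replies). Either add a rule with `inbound-interface name 'WAN'` and `outbound-interface name 'eth2.3500'`, or remove that line from the requirements. Two smaller points in the same file: the inbound-interface bullet ("use the interface name with the VRF name, like ``MGMT`` or ``LAN``") reads as if both names are combined, while the note added to ipv4.rst in this same commit says the VRF name alone is used (`inbound-interface name MGMT`); and the new page lacks the `:lastproofread:` header that firewall.rst has, and the PPPoE password `'p4ssw0rd'` should be called out as a placeholder in the text.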
| @ -8,7 +8,7 @@ This chapter contains various configuration examples: | |||||||
| .. toctree:: | .. toctree:: | ||||||
|    :maxdepth: 2 |    :maxdepth: 2 | ||||||
| 
 | 
 | ||||||
|    zone-policy |    firewall | ||||||
|    bgp-ipv6-unnumbered |    bgp-ipv6-unnumbered | ||||||
|    ospf-unnumbered |    ospf-unnumbered | ||||||
|    azure-vpn-bgp |    azure-vpn-bgp | ||||||
| @ -1,20 +1,10 @@ | |||||||
| :lastproofread: 2021-06-29 | :lastproofread: 2024-06-14 | ||||||
| 
 | 
 | ||||||
| .. _examples-zone-policy: | .. _examples-zone-policy: | ||||||
| 
 | 
 | ||||||
| Zone-Policy example | Zone-Policy example | ||||||
| ------------------- | ------------------- | ||||||
| 
 | 
 | ||||||
| .. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall |  | ||||||
|    structure can be found on all vyos installations, and zone based firewall is |  | ||||||
|    no longer supported. Documentation for most of the new firewall CLI can be |  | ||||||
|    found in the `firewall |  | ||||||
|    <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ |  | ||||||
|    chapter. The legacy firewall is still available for versions before |  | ||||||
|    1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` |  | ||||||
|    chapter. The examples in this section use the legacy firewall configuration |  | ||||||
|    commands, since this feature has been removed in earlier releases. |  | ||||||
| 
 |  | ||||||
| .. note:: In :vytask:`T2199` the syntax of the zone configuration was changed. | .. note:: In :vytask:`T2199` the syntax of the zone configuration was changed. | ||||||
|    The zone configuration moved from ``zone-policy zone <name>`` to ``firewall |    The zone configuration moved from ``zone-policy zone <name>`` to ``firewall | ||||||
|    zone <name>``. |    zone <name>``. | ||||||
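Review bot: removing this note also drops the statement that the examples in this file use the legacy firewall commands and the pointer to :ref:`firewall-legacy`; unless the examples below were rewritten for the CLI introduced in 1.4-rolling-202308040557 (not visible in this diff), keep at least a one-line version caveat, otherwise a reader on a current release will try commands that no longer exist.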
| @ -428,4 +418,3 @@ Something like: | |||||||
|       address ip.of.tunnel.broker |       address ip.of.tunnel.broker | ||||||
|     } |     } | ||||||
|   } |   } | ||||||
| 
 |  | ||||||
| @ -168,6 +168,17 @@ Configuration | |||||||
|      setdomainame) |      setdomainame) | ||||||
|    - **sys-time**: Permission to set system clock |    - **sys-time**: Permission to set system clock | ||||||
| 
 | 
 | ||||||
|  | .. cfgcmd:: set container name <name> sysctl parameter <parameter> value <value> | ||||||
|  | 
 | ||||||
|  |    Set container sysctl values. | ||||||
|  | 
 | ||||||
|  |    The subset of possible parameters are: | ||||||
|  | 
 | ||||||
|  |    - Kernel Parameters: kernel.msgmax, kernel.msgmnb, kernel.msgmni, kernel.sem, | ||||||
|  |      kernel.shmall, kernel.shmmax, kernel.shmmni, kernel.shm_rmid_forced | ||||||
|  |    - Parameters beginning with fs.mqueue.* | ||||||
|  |    - Parameters beginning with net.* (only if user-defined network is used) | ||||||
|  | 
 | ||||||
| .. cfgcmd:: set container name <name> label <label> value <value> | .. cfgcmd:: set container name <name> label <label> value <value> | ||||||
| 
 | 
 | ||||||
|    Add metadata label for this container. |    Add metadata label for this container. | ||||||
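Review bot: "The subset of possible parameters are:" is ungrammatical and does not say that anything outside the list is rejected; suggest "Only the following subset of parameters is accepted:". One worked line after the list (for example a `net.*` key set together with a user-defined network, since the last bullet makes that a precondition) would show the full command form `set container name <name> sysctl parameter <parameter> value <value>` in use.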
| @ -1,4 +1,4 @@ | |||||||
| :lastproofread: 2023-12-26 | :lastproofread: 2024-06-20 | ||||||
| 
 | 
 | ||||||
| .. _firewall-flowtables-configuration: | .. _firewall-flowtables-configuration: | ||||||
| 
 | 
 | ||||||
| @ -85,12 +85,12 @@ Provide a description to the flow table. | |||||||
| 
 | 
 | ||||||
| Creating rules for using flow tables: | Creating rules for using flow tables: | ||||||
| 
 | 
 | ||||||
| .. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999> | .. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> | ||||||
|    action offload |    action offload | ||||||
| 
 | 
 | ||||||
|    Create firewall rule in forward chain, and set action to ``offload``. |    Create firewall rule in forward chain, and set action to ``offload``. | ||||||
| 
 | 
 | ||||||
| .. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999> | .. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> | ||||||
|    offload-target <flowtable> |    offload-target <flowtable> | ||||||
| 
 | 
 | ||||||
|    Create firewall rule in forward chain, and define which flowtbale |    Create firewall rule in forward chain, and define which flowtbale | ||||||
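Review bot: the trailing context line "define which flowtbale" still carries the typo "flowtbale"; since this block is being edited anyway to correct `[ipv4 | ipv4]` to `[ipv4 | ipv6]`, fix it to "flowtable" in the same commit.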
| @ -142,7 +142,7 @@ Explanation | |||||||
| 
 | 
 | ||||||
| Analysis on what happens for desired connection: | Analysis on what happens for desired connection: | ||||||
| 
 | 
 | ||||||
|    1. First packet is received on eht0, with destination address 192.0.2.100, |    1. First packet is received on eth0, with destination address 192.0.2.100, | ||||||
|    protocol tcp and destination port 1122. Assume such destination address is |    protocol tcp and destination port 1122. Assume such destination address is | ||||||
|    reachable through interface eth1. |    reachable through interface eth1. | ||||||
| 
 | 
 | ||||||
| @ -159,7 +159,7 @@ Analysis on what happens for desired connection: | |||||||
|    connection state is **established**, then rule 10 is hit, and a new entry |    connection state is **established**, then rule 10 is hit, and a new entry | ||||||
|    in the flowtable FT01 is added for this connection. |    in the flowtable FT01 is added for this connection. | ||||||
| 
 | 
 | ||||||
|    6. All subsecuent packets will skip traditional path, and will be offloaded |    6. All the following packets will skip traditional path, and will be offloaded | ||||||
|    and will use the **Fast Path**. |    and will use the **Fast Path**. | ||||||
| 
 | 
 | ||||||
| Checks | Checks | ||||||
| @ -145,3 +145,35 @@ Configuration | |||||||
|    [emerg | alert | crit | err | warn | notice | info | debug] |    [emerg | alert | crit | err | warn | notice | info | debug] | ||||||
| 
 | 
 | ||||||
|    Set the global setting for related connections. |    Set the global setting for related connections. | ||||||
|  | 
 | ||||||
|  | VyOS supports setting timeouts for connections according to the | ||||||
|  | connection type. You can set timeout values for generic connections, for ICMP | ||||||
|  | connections, UDP connections, or for TCP connections in a number of different | ||||||
|  | states. | ||||||
|  | 
 | ||||||
|  | .. cfgcmd:: set firewall global-options timeout icmp <1-21474836> | ||||||
|  |     :defaultvalue: | ||||||
|  | .. cfgcmd:: set firewall global-options timeout other <1-21474836> | ||||||
|  |     :defaultvalue: | ||||||
|  | .. cfgcmd:: set firewall global-options timeout tcp close <1-21474836> | ||||||
|  |     :defaultvalue: | ||||||
|  | .. cfgcmd:: set firewall global-options timeout tcp close-wait <1-21474836> | ||||||
|  |     :defaultvalue: | ||||||
|  | .. cfgcmd:: set firewall global-options timeout tcp established <1-21474836> | ||||||
|  |     :defaultvalue: | ||||||
|  | .. cfgcmd:: set firewall global-options timeout tcp fin-wait <1-21474836> | ||||||
|  |     :defaultvalue: | ||||||
|  | .. cfgcmd:: set firewall global-options timeout tcp last-ack <1-21474836> | ||||||
|  |     :defaultvalue: | ||||||
|  | .. cfgcmd:: set firewall global-options timeout tcp syn-recv <1-21474836> | ||||||
|  |     :defaultvalue: | ||||||
|  | .. cfgcmd:: set firewall global-options timeout tcp syn-sent <1-21474836> | ||||||
|  |     :defaultvalue: | ||||||
|  | .. cfgcmd:: set firewall global-options timeout tcp time-wait <1-21474836> | ||||||
|  |     :defaultvalue: | ||||||
|  | .. cfgcmd:: set firewall global-options timeout udp other <1-21474836> | ||||||
|  |     :defaultvalue: | ||||||
|  | .. cfgcmd:: set firewall global-options timeout udp stream <1-21474836> | ||||||
|  |     :defaultvalue: | ||||||
|  | 
 | ||||||
|  |     Set the timeout in seconds for a protocol or state. | ||||||
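Review bot: the intro talks about "generic connections" but the command is `timeout other`; name the mapping once ("generic connections (``other``)") so readers can find the entry. Also, "Set the timeout in seconds for a protocol or state." is indented under the last `.. cfgcmd::` only, so the unit and the `1-21474836` range should be stated in the introductory paragraph as well, where they apply to every entry.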
| @ -26,14 +26,23 @@ firewall are covered below: | |||||||
| If the interface where the packet was received isn't part of a bridge, then  | If the interface where the packet was received isn't part of a bridge, then  | ||||||
| packet is processed at the **IP Layer**: | packet is processed at the **IP Layer**: | ||||||
| 
 | 
 | ||||||
|    * **Prerouting**: several actions can be done in this stage, and currently |    * **Prerouting**: All packets that are received by the router | ||||||
|      these actions are defined in different parts in VyOS configuration. Order |      are processed in this stage, regardless of the destination of the packet. | ||||||
|      is important, and all these actions are performed before any actions |      Starting from vyos-1.5-rolling-202406120020, a new section was added to | ||||||
|      defined under ``firewall`` section. Relevant configuration that acts in |      firewall configuration. There are several actions that can be done in this | ||||||
|      this stage are: |      stage, and currently these actions are also defined in different parts in | ||||||
|  |      VyOS configuration. Order is important, and relevant configuration that | ||||||
|  |      acts in this stage are: | ||||||
|  | 
 | ||||||
|  |       * **Firewall prerouting**: rules defined under ``set firewall [ipv4 | | ||||||
|  |         ipv6] prerouting raw...``. All rules defined in this section are | ||||||
|  |         processed before connection tracking subsystem. | ||||||
| 
 | 
 | ||||||
|       * **Conntrack Ignore**: rules defined under ``set system conntrack ignore |       * **Conntrack Ignore**: rules defined under ``set system conntrack ignore | ||||||
|         [ipv4 | ipv6] ...``. |         [ipv4 | ipv6] ...``. Starting from vyos-1.5-rolling-202406120020, | ||||||
|  |         configuration done in this section can be done in ``firewall [ipv4 | | ||||||
|  |         ipv6] prerouting ...``. For compatibility reasons, this feature is | ||||||
|  |         still present, but it will be removed in the future. | ||||||
| 
 | 
 | ||||||
|       * **Policy Route**: rules defined under ``set policy [route | route6] |       * **Policy Route**: rules defined under ``set policy [route | route6] | ||||||
|         ...``. |         ...``. | ||||||
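Review bot: "relevant configuration that acts in this stage are:" should be "is:" (or "the relevant sections are:"). In the Conntrack Ignore bullet the replacement is given as `firewall [ipv4 | ipv6] prerouting ...`, while the new bullet above names the chain `prerouting raw ...`; use the full path in both places so it is clear that the raw chain is what replaces conntrack ignore.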
| @ -67,11 +76,13 @@ packet is processed at the **IP Layer**: | |||||||
|      new connection originated by a internal process running on VyOS router, |      new connection originated by a internal process running on VyOS router, | ||||||
|      such as NTP, or a response to traffic received externally through |      such as NTP, or a response to traffic received externally through | ||||||
|      **input** (for example response to an ssh login attempt to the router). |      **input** (for example response to an ssh login attempt to the router). | ||||||
|      This includes ipv4 and ipv6 filtering rules, defined in: |      This includes ipv4 and ipv6 rules, and two different sections are present: | ||||||
| 
 | 
 | ||||||
|      * ``set firewall ipv4 output filter ...``. |      * **Output Prerouting**: ``set firewall [ipv4 | ipv6] output filter ...``. | ||||||
|  |        As described in **Prerouting**, rules defined in this section are | ||||||
|  |        processed before connection tracking subsystem. | ||||||
| 
 | 
 | ||||||
|      * ``set firewall ipv6 output filter ...``. |      * **Output Filter**: ``set firewall [ipv4 | ipv6] output filter ...``. | ||||||
| 
 | 
 | ||||||
|    * **Postrouting**: as in **Prerouting**, several actions defined in |    * **Postrouting**: as in **Prerouting**, several actions defined in | ||||||
|      different parts of VyOS configuration are performed in this |      different parts of VyOS configuration are performed in this | ||||||
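Review bot: the **Output Prerouting** bullet points at `set firewall [ipv4 | ipv6] output filter ...`, the same path as the **Output Filter** bullet below it; the CLI tree added later in this diff (`output` with `filter` and `raw`) and the ipv4.rst text (`set firewall ipv4 output raw ...`) show it should be `output raw ...`. "Output Prerouting" is also a confusing name for a chain on the output path; "Output Raw" would match the CLI.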
| @ -120,6 +131,9 @@ The main structure of the VyOS firewall CLI is shown next: | |||||||
|                + filter |                + filter | ||||||
|             - output |             - output | ||||||
|                + filter |                + filter | ||||||
|  |                + raw | ||||||
|  |             - prerouting | ||||||
|  |                + raw | ||||||
|             - name |             - name | ||||||
|                + custom_name |                + custom_name | ||||||
|        * ipv6 |        * ipv6 | ||||||
| @ -129,6 +143,9 @@ The main structure of the VyOS firewall CLI is shown next: | |||||||
|                + filter |                + filter | ||||||
|             - output |             - output | ||||||
|                + filter |                + filter | ||||||
|  |                + raw | ||||||
|  |             - prerouting | ||||||
|  |                + raw | ||||||
|             - ipv6-name |             - ipv6-name | ||||||
|                + custom_name |                + custom_name | ||||||
|        * zone |        * zone | ||||||
| @ -31,17 +31,34 @@ of the general structure: | |||||||
|                + filter |                + filter | ||||||
|             - output |             - output | ||||||
|                + filter |                + filter | ||||||
|  |                + raw | ||||||
|  |             - prerouting | ||||||
|  |                + raw | ||||||
|             - name |             - name | ||||||
|                + custom_name |                + custom_name | ||||||
| 
 | 
 | ||||||
|  | First, all traffic is received by the router, and it is processed in the | ||||||
|  | **prerouting** section. | ||||||
|  | 
 | ||||||
|  | This stage includes: | ||||||
|  | 
 | ||||||
|  |    * **Firewall Prerouting**: commands found under ``set firewall ipv4 | ||||||
|  |      prerouting raw ...`` | ||||||
|  |    * :doc:`Conntrack Ignore</configuration/system/conntrack>`: ``set system | ||||||
|  |      conntrack ignore ipv4...`` | ||||||
|  |    * :doc:`Policy Route</configuration/policy/route>`: commands found under | ||||||
|  |      ``set policy route ...`` | ||||||
|  |    * :doc:`Destination NAT</configuration/nat/nat44>`: commands found under | ||||||
|  |      ``set nat destination ...`` | ||||||
|  | 
 | ||||||
| For transit traffic, which is received by the router and forwarded, base chain | For transit traffic, which is received by the router and forwarded, base chain | ||||||
| is **forward**. A simplified packet flow diagram for transit traffic is shown | is **forward**. A simplified packet flow diagram for transit traffic is shown | ||||||
| next: | next: | ||||||
| 
 | 
 | ||||||
| .. figure:: /_static/images/firewall-fwd-packet-flow.png | .. figure:: /_static/images/firewall-fwd-packet-flow.png | ||||||
| 
 | 
 | ||||||
| Where firewall base chain to configure firewall filtering rules for transit | Firewall base chain to configure firewall filtering rules for transit traffic | ||||||
| traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, | is ``set firewall ipv4 forward filter ...``, which happens in stage 5, | ||||||
| highlighted with red color. | highlighted with red color. | ||||||
| 
 | 
 | ||||||
| For traffic towards the router itself, base chain is **input**, while traffic | For traffic towards the router itself, base chain is **input**, while traffic | ||||||
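Review bot: general.rst (in this same diff) says order is important in the prerouting stage, but "This stage includes:" does not say whether the four items are listed in processing order; if they are (Firewall Prerouting, then Conntrack Ignore, Policy Route, Destination NAT), say so in the lead-in, since that order is what a reader needs to predict which rule sees the packet first.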
| @ -52,11 +69,17 @@ router (starting from circle number 6): | |||||||
| 
 | 
 | ||||||
| .. figure:: /_static/images/firewall-input-packet-flow.png | .. figure:: /_static/images/firewall-input-packet-flow.png | ||||||
| 
 | 
 | ||||||
| Base chain is for traffic toward the router is ``set firewall ipv4 input | Base chain for traffic towards the router is ``set firewall ipv4 input | ||||||
| filter ...`` | filter ...`` | ||||||
| 
 | 
 | ||||||
| And base chain for traffic generated by the router is ``set firewall ipv4 | And base chain for traffic generated by the router is ``set firewall ipv4 | ||||||
| output filter ...`` | output ...``, where two sub-chains are available: **filter** and **raw**: | ||||||
|  | 
 | ||||||
|  | * **Output Prerouting**: ``set firewall ipv4 output raw ...``. | ||||||
|  |   As described in **Prerouting**, rules defined in this section are | ||||||
|  |   processed before connection tracking subsystem. | ||||||
|  | * **Output Filter**: ``set firewall ipv4 output filter ...``. Rules defined | ||||||
|  |   in this section are processed after connection tracking subsystem. | ||||||
| 
 | 
 | ||||||
| .. note:: **Important note about default-actions:** | .. note:: **Important note about default-actions:** | ||||||
|    If default action for any base chain is not defined, then the default |    If default action for any base chain is not defined, then the default | ||||||
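Review bot: "As described in **Prerouting**" refers to a statement this file's prerouting list does not make: its Firewall Prerouting bullet only names the command, not that the raw chain runs before the connection tracking subsystem. Either add that sentence to the bullet or point the reader to general.rst.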
| @ -709,6 +732,10 @@ geoip) to keep database and rules updated. | |||||||
|    For example: ``eth2*``. Prepending character ``!`` for inverted matching |    For example: ``eth2*``. Prepending character ``!`` for inverted matching | ||||||
|    criteria is also supported. For example ``!eth2`` |    criteria is also supported. For example ``!eth2`` | ||||||
| 
 | 
 | ||||||
|  | .. note:: If an interface is attached to a non-default vrf, when using | ||||||
|  |    **inbound-interface**, vrf name must be used. For example ``set firewall | ||||||
|  |    ipv4 forward filter rule 10 inbound-interface name MGMT`` | ||||||
|  | 
 | ||||||
| .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> | .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> | ||||||
|    inbound-interface group <iface_group> |    inbound-interface group <iface_group> | ||||||
| .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> | .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> | ||||||
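Review bot: the note should spell out the scope of a VRF-name match: the fwall-and-vrf example added in this commit relies on `inbound-interface name 'LAN'` matching both eth2.150 and eth2.160 (both assigned to VRF LAN), i.e. the VRF name matches every interface in that VRF. State that explicitly, and say whether a rule written with the real interface name instead is rejected at commit or simply never matches.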
| @ -730,6 +757,10 @@ geoip) to keep database and rules updated. | |||||||
|    For example: ``eth2*``. Prepending character ``!`` for inverted matching |    For example: ``eth2*``. Prepending character ``!`` for inverted matching | ||||||
|    criteria is also supported. For example ``!eth2`` |    criteria is also supported. For example ``!eth2`` | ||||||
| 
 | 
 | ||||||
|  | .. note:: If an interface is attached to a non-default vrf, when using | ||||||
|  |    **outbound-interface**, real interface name must be used. For example | ||||||
|  |    ``set firewall ipv4 forward filter rule 10 outbound-interface name eth0`` | ||||||
|  | 
 | ||||||
| .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> | .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> | ||||||
|    outbound-interface group <iface_group> |    outbound-interface group <iface_group> | ||||||
| .. cfgcmd:: set firewall ipv4 output filter rule <1-999999> | .. cfgcmd:: set firewall ipv4 output filter rule <1-999999> | ||||||
| @ -31,17 +31,34 @@ of the general structure: | |||||||
|                + filter |                + filter | ||||||
|             - output |             - output | ||||||
|                + filter |                + filter | ||||||
|  |                + raw | ||||||
|  |             - prerouting | ||||||
|  |                + raw | ||||||
|             - name |             - name | ||||||
|                + custom_name |                + custom_name | ||||||
| 
 | 
 | ||||||
|  | First, all traffic is received by the router, and it is processed in the | ||||||
|  | **prerouting** section. | ||||||
|  | 
 | ||||||
|  | This stage includes: | ||||||
|  | 
 | ||||||
|  |    * **Firewall Prerouting**: commands found under ``set firewall ipv6 | ||||||
|  |      prerouting raw ...`` | ||||||
|  |    * :doc:`Conntrack Ignore</configuration/system/conntrack>`: ``set system | ||||||
|  |      conntrack ignore ipv6...`` | ||||||
|  |    * :doc:`Policy Route</configuration/policy/route>`: commands found under | ||||||
|  |      ``set policy route6 ...`` | ||||||
|  |    * :doc:`Destination NAT</configuration/nat/nat44>`: commands found under | ||||||
|  |      ``set nat66 destination ...`` | ||||||
|  | 
 | ||||||
| For transit traffic, which is received by the router and forwarded, base chain | For transit traffic, which is received by the router and forwarded, base chain | ||||||
| is **forward**. A simplified packet flow diagram for transit traffic is shown | is **forward**. A simplified packet flow diagram for transit traffic is shown | ||||||
| next: | next: | ||||||
| 
 | 
 | ||||||
| .. figure:: /_static/images/firewall-fwd-packet-flow.png | .. figure:: /_static/images/firewall-fwd-packet-flow.png | ||||||
| 
 | 
 | ||||||
| Where firewall base chain to configure firewall filtering rules for transit | Firewall base chain to configure firewall filtering rules for transit traffic | ||||||
| traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, | is ``set firewall ipv6 forward filter ...``, which happens in stage 5, | ||||||
| highlighted with red color. | highlighted with red color. | ||||||
| 
 | 
 | ||||||
| For traffic towards the router itself, base chain is **input**, while traffic | For traffic towards the router itself, base chain is **input**, while traffic | ||||||
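Review bot: the **Destination NAT** bullet links to `:doc:` target `/configuration/nat/nat44` while the command it documents is `set nat66 destination ...`; the link should point to the NAT66 page (the nat44 target looks copied from ipv4.rst).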
| @ -52,11 +69,17 @@ router (starting from circle number 6): | |||||||
| 
 | 
 | ||||||
| .. figure:: /_static/images/firewall-input-packet-flow.png | .. figure:: /_static/images/firewall-input-packet-flow.png | ||||||
| 
 | 
 | ||||||
| Base chain is for traffic toward the router is ``set firewall ipv6 input | Base chain for traffic towards the router is ``set firewall ipv6 input | ||||||
| filter ...`` | filter ...`` | ||||||
| 
 | 
 | ||||||
| And base chain for traffic generated by the router is ``set firewall ipv6 | And base chain for traffic generated by the router is ``set firewall ipv6 | ||||||
| output filter ...`` | output filter ...``, where two sub-chains are available: **filter** and **raw**: | ||||||
|  | 
 | ||||||
|  | * **Output Prerouting**: ``set firewall ipv6 output raw ...``. | ||||||
|  |   As described in **Prerouting**, rules defined in this section are | ||||||
|  |   processed before connection tracking subsystem. | ||||||
|  | * **Output Filter**: ``set firewall ipv6 output filter ...``. Rules defined | ||||||
|  |   in this section are processed after connection tracking subsystem. | ||||||
| 
 | 
 | ||||||
| .. note:: **Important note about default-actions:** | .. note:: **Important note about default-actions:** | ||||||
|    If default action for any base chain is not defined, then the default |    If default action for any base chain is not defined, then the default | ||||||
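Review bot: the lead sentence says the base chain for router-generated traffic is ``set firewall ipv6 output filter ...`` and then lists **raw** as a sibling sub-chain, so the path should be given as ``set firewall ipv6 output ...`` with the two sub-chains beneath it; in addition the first bullet is labelled "Output Prerouting" for a command that is ``output raw``, which mixes the prerouting hook name into the output hook. Suggest "Output Raw" and "Output Filter" as the bullet names, matching the CLI path, and keep the statement that raw rules are processed before connection tracking, since that ordering is what a reader needs when deciding in which sub-chain a rule belongs.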
| @ -700,6 +723,10 @@ geoip) to keep database and rules updated. | |||||||
|    For example: ``eth2*``. Prepending character ``!`` for inverted matching |    For example: ``eth2*``. Prepending character ``!`` for inverted matching | ||||||
|    criteria is also supported. For example ``!eth2`` |    criteria is also supported. For example ``!eth2`` | ||||||
| 
 | 
 | ||||||
|  | .. note:: If an interface is attached to a non-default vrf, when using | ||||||
|  |    **inbound-interface**, vrf name must be used. For example ``set firewall | ||||||
|  |    ipv6 forward filter rule 10 inbound-interface name MGMT`` | ||||||
|  | 
 | ||||||
| .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> | .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> | ||||||
|    inbound-interface group <iface_group> |    inbound-interface group <iface_group> | ||||||
| .. cfgcmd:: set firewall ipv6 input filter rule <1-999999> | .. cfgcmd:: set firewall ipv6 input filter rule <1-999999> | ||||||
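Review bot: the new note only states the requirement (use the VRF name with **inbound-interface**) and not its consequence; suggest adding that a rule written with the physical interface name will not match traffic arriving through a VRF-bound interface, because a filter rule that silently never matches is worse than a rejected one. Minor: "vrf" should be "VRF" and the example sentence needs a closing period.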
| @ -721,6 +748,10 @@ geoip) to keep database and rules updated. | |||||||
|    For example: ``eth2*``. Prepending character ``!`` for inverted matching |    For example: ``eth2*``. Prepending character ``!`` for inverted matching | ||||||
|    criteria is also supported. For example ``!eth2`` |    criteria is also supported. For example ``!eth2`` | ||||||
| 
 | 
 | ||||||
|  | .. note:: If an interface is attached to a non-default vrf, when using | ||||||
|  |    **outbound-interface**, real interface name must be used. For example | ||||||
|  |    ``set firewall ipv6 forward filter rule 10 outbound-interface name eth0`` | ||||||
|  | 
 | ||||||
| .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> | .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> | ||||||
|    outbound-interface group <iface_group> |    outbound-interface group <iface_group> | ||||||
| .. cfgcmd:: set firewall ipv6 output filter rule <1-999999> | .. cfgcmd:: set firewall ipv6 output filter rule <1-999999> | ||||||
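Review bot: **inbound-interface** takes the VRF name while **outbound-interface** takes the real interface name, and the two notes sit 25 lines apart without referring to each other; suggest one sentence in each note pointing out the asymmetry ("this differs from inbound-interface, which expects the VRF name"), since an operator who copies the inbound form into an outbound rule gets a rule that never matches. Minor: "vrf" should be "VRF" and the example sentence needs a closing period.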
|  | |||||||
| @ -36,15 +36,20 @@ Common interface configuration | |||||||
|    :var0: wireless |    :var0: wireless | ||||||
|    :var1: wlan0 |    :var1: wlan0 | ||||||
| 
 | 
 | ||||||
|  | System Wide configuration | ||||||
|  | ========================= | ||||||
|  | 
 | ||||||
|  | .. cfgcmd:: set system wireless country-code <cc> | ||||||
|  | 
 | ||||||
|  |   Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed | ||||||
|  |   to indicate country in which device is operating. This can limit available | ||||||
|  |   channels and transmit power. | ||||||
|  | 
 | ||||||
|  |   .. note:: This option is mandatory in Access-Point mode. | ||||||
|  | 
 | ||||||
| Wireless options | Wireless options | ||||||
| ================ | ================ | ||||||
| 
 | 
 | ||||||
| .. cfgcmd:: set interfaces wireless <interface> channel <number> |  | ||||||
| 
 |  | ||||||
|   Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from |  | ||||||
|   1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173.  |  | ||||||
|   On 6GHz (802.11 ax) channels range from 1 to 233. |  | ||||||
| 
 |  | ||||||
| .. cfgcmd:: set system wireless country-code <cc> | .. cfgcmd:: set system wireless country-code <cc> | ||||||
| 
 | 
 | ||||||
|   Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed |   Country code (ISO/IEC 3166-1). Used to set regulatory domain. Set as needed | ||||||
| @ -53,6 +58,12 @@ Wireless options | |||||||
| 
 | 
 | ||||||
|   .. note:: This option is mandatory in Access-Point mode. |   .. note:: This option is mandatory in Access-Point mode. | ||||||
| 
 | 
 | ||||||
|  | .. cfgcmd:: set interfaces wireless <interface> channel <number> | ||||||
|  | 
 | ||||||
|  |   Channel number (IEEE 802.11), for 2.4Ghz (802.11 b/g/n) channels range from | ||||||
|  |   1-14. On 5Ghz (802.11 a/h/j/n/ac) channels available are 0, 34 to 173.  | ||||||
|  |   On 6GHz (802.11 ax) channels range from 1 to 233. | ||||||
|  | 
 | ||||||
| .. cfgcmd:: set interfaces wireless <interface> disable-broadcast-ssid | .. cfgcmd:: set interfaces wireless <interface> disable-broadcast-ssid | ||||||
| 
 | 
 | ||||||
|   Send empty SSID in beacons and ignore probe request frames that do not specify |   Send empty SSID in beacons and ignore probe request frames that do not specify | ||||||
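Review bot: after this hunk ``set system wireless country-code <cc>`` is documented twice: once in the new "System Wide configuration" section added at the top, and again in the unchanged context under "Wireless options" (the right-hand side still carries ``.. cfgcmd:: set system wireless country-code <cc>``, the same description and the same "mandatory in Access-Point mode" note). Remove the copy under "Wireless options" so the moved command lives only in the system-wide section. Minor, in the moved channel text: "2.4Ghz" and "5Ghz" should be "2.4 GHz" and "5 GHz" to match "6GHz" on the next line.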
|  | |||||||
| @ -161,8 +161,34 @@ Backend | |||||||
|   Set custom HTTP headers to be included in all responses using the backend |   Set custom HTTP headers to be included in all responses using the backend | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| HTTP health check | Global | ||||||
| ^^^^^^^^^^^^^^^^^ | ------- | ||||||
|  | 
 | ||||||
|  | Global parameters | ||||||
|  | 
 | ||||||
|  | .. cfgcmd:: set load-balancing reverse-proxy global-parameters max-connections | ||||||
|  |    <num> | ||||||
|  | 
 | ||||||
|  |   Limit maximum number of connections | ||||||
|  | 
 | ||||||
|  | .. cfgcmd:: set load-balancing reverse-proxy global-parameters ssl-bind-ciphers | ||||||
|  |    <ciphers> | ||||||
|  | 
 | ||||||
|  |   Limit allowed cipher algorithms used during SSL/TLS handshake | ||||||
|  | 
 | ||||||
|  | .. cfgcmd:: set load-balancing reverse-proxy global-parameters tls-version-min | ||||||
|  |    <version> | ||||||
|  | 
 | ||||||
|  |   Specify the minimum required TLS version 1.2 or 1.3 | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | Health checks | ||||||
|  | ============= | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | HTTP checks | ||||||
|  | ----------- | ||||||
|  | 
 | ||||||
| For web application providing information about their state HTTP health | For web application providing information about their state HTTP health | ||||||
| checks can be used to determine their availability. | checks can be used to determine their availability. | ||||||
| 
 | 
 | ||||||
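Review bot: the three moved global-parameters entries describe security-relevant settings in one line each with no value format or default; suggest stating the accepted format of ``<ciphers>`` and what ``tls-version-min`` defaults to when it is not set, since an operator hardening the listener needs to know whether the unset state already excludes TLS 1.0 and 1.1. Also check the heading levels: "Global" keeps ``-`` while the new "Health checks" uses ``=``, so "HTTP checks" and "TCP checks" (``-``) become siblings of "Global" rather than sub-sections of the health-check material; if that is intended, fine, otherwise "Health checks" should be ``-`` and the two check types ``^``.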
| @ -185,31 +211,32 @@ checks can be used to determine their availability. | |||||||
|    expect <condition> |    expect <condition> | ||||||
| 
 | 
 | ||||||
|   Sets the expected result condition for considering a server healthy. |   Sets the expected result condition for considering a server healthy. | ||||||
|  | 
 | ||||||
|   Some possible examples are: |   Some possible examples are: | ||||||
|    * ``status 200`` Expecting a 200 response code |    * ``status 200`` Expecting a 200 response code | ||||||
|    * ``status 200-399`` Expecting a non-failure response code |    * ``status 200-399`` Expecting a non-failure response code | ||||||
|    * ``string success`` Expecting the string `success` in the response body |    * ``string success`` Expecting the string `success` in the response body | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| Global | TCP checks | ||||||
| ------- | ---------- | ||||||
| 
 | 
 | ||||||
| Global parameters | Health checks can also be configured for TCP mode backends. You can configure | ||||||
|  | protocol aware checks for a range of Layer 7 protocols: | ||||||
| 
 | 
 | ||||||
| .. cfgcmd:: set load-balancing reverse-proxy global-parameters max-connections | .. cfgcmd:: set load-balancing reverse-proxy backend <name> health-check <protocol> | ||||||
|    <num> |  | ||||||
| 
 | 
 | ||||||
|   Limit maximum number of connections |   Available health check protocols: | ||||||
|  |    * ``ldap`` LDAP protocol check. | ||||||
|  |    * ``redis`` Redis protocol check. | ||||||
|  |    * ``mysql`` MySQL protocol check. | ||||||
|  |    * ``pgsql`` PostgreSQL protocol check. | ||||||
|  |    * ``smtp`` SMTP protocol check. | ||||||
| 
 | 
 | ||||||
| .. cfgcmd:: set load-balancing reverse-proxy global-parameters ssl-bind-ciphers | .. note:: If you specify a server to be checked but do not configure a | ||||||
|    <ciphers> |    protocol, a basic TCP health check will be attempted. A server shall be | ||||||
| 
 |    deemed online if it responses to a connection attempt with a valid | ||||||
|   Limit allowed cipher algorithms used during SSL/TLS handshake |    ``SYN/ACK`` packet. | ||||||
| 
 |  | ||||||
| .. cfgcmd:: set load-balancing reverse-proxy global-parameters tls-version-min |  | ||||||
|    <version> |  | ||||||
| 
 |  | ||||||
|   Specify the minimum required TLS version 1.2 or 1.3 |  | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| Redirect HTTP to HTTPS | Redirect HTTP to HTTPS | ||||||
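Review bot: "if it responses to a connection attempt" in the new note should read "if it responds to a connection attempt"; the note would also be more useful if it said that a plain TCP check only proves the port accepts a connection, not that the service behind it is working, which is the reason to prefer the protocol-aware checks listed above it. Formatting: the bullet list after "Available health check protocols:" needs a blank line before it to render as a list (the same pre-existing issue appears in the context list under "Some possible examples are:").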
|  | |||||||
| @ -82,9 +82,10 @@ Configuration | |||||||
|     Set external source port limits that will be allocated to each subscriber |     Set external source port limits that will be allocated to each subscriber | ||||||
|     individually. The default value is 2000. |     individually. The default value is 2000. | ||||||
| 
 | 
 | ||||||
| .. cfgcmd:: set nat cgnat pool external <pool-name> range [address | address range | network] | .. cfgcmd:: set nat cgnat pool external <pool-name> range [address | address range | network] [seq] | ||||||
| 
 | 
 | ||||||
|     Set the range of external IP addresses for the CGNAT pool. |     Set the range of external IP addresses for the CGNAT pool. | ||||||
|  |     The sequence is optional; if set, a lower value means higher priority. | ||||||
| 
 | 
 | ||||||
| .. cfgcmd:: set nat cgnat pool internal <pool-name> range [address range | network] | .. cfgcmd:: set nat cgnat pool internal <pool-name> range [address range | network] | ||||||
| 
 | 
 | ||||||
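Review bot: the synopsis shows ``[seq]`` as a bare optional keyword, but the example added further down uses ``seq '10'``, so it should read ``[seq <num>]`` with the allowed range; and "a lower value means higher priority" should say what priority does here, namely that ranges with a lower sequence are allocated to subscribers first (the example output below fills 203.0.113.1, seq 10, before 192.0.2.1, seq 20).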
| @ -98,6 +99,9 @@ Configuration | |||||||
| 
 | 
 | ||||||
|     Set the rule for the translation pool. |     Set the rule for the translation pool. | ||||||
| 
 | 
 | ||||||
|  | .. cfgcmd:: set nat cgnat log-allocation | ||||||
|  | 
 | ||||||
|  |     Enable logging of IP address and ports allocations. | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| Configuration Examples | Configuration Examples | ||||||
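Review bot: "Enable logging of IP address and ports allocations." should be "Enable logging of IP address and port allocations.", and the entry should say where the records are written and what one record contains; these allocation logs are what an operator needs to attribute an external address/port pair back to a subscriber when handling an abuse report or an incident, so a reader deciding whether to enable the option needs to know the record format and where to look for it.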
| @ -134,6 +138,55 @@ Multiple external addresses | |||||||
|    set nat cgnat rule 10 source pool 'int1' |    set nat cgnat rule 10 source pool 'int1' | ||||||
|    set nat cgnat rule 10 translation pool 'ext1' |    set nat cgnat rule 10 translation pool 'ext1' | ||||||
| 
 | 
 | ||||||
|  | External address sequences | ||||||
|  | ----------------------------------- | ||||||
|  | 
 | ||||||
|  | .. code-block:: none | ||||||
|  | 
 | ||||||
|  |    set nat cgnat pool external ext-01 per-user-limit port '16000' | ||||||
|  |    set nat cgnat pool external ext-01 range 203.0.113.1/32 seq '10' | ||||||
|  |    set nat cgnat pool external ext-01 range 192.0.2.1/32 seq '20' | ||||||
|  |    set nat cgnat pool internal int-01 range '100.64.0.0/29' | ||||||
|  |    set nat cgnat rule 10 source pool 'int-01' | ||||||
|  |    set nat cgnat rule 10 translation pool 'ext-01' | ||||||
|  | 
 | ||||||
|  | 
 | ||||||
|  | Operation commands | ||||||
|  | ================== | ||||||
|  | 
 | ||||||
|  | .. opcmd:: show nat cgnat allocation | ||||||
|  | 
 | ||||||
|  |     Show address and port allocations | ||||||
|  | 
 | ||||||
|  | .. opcmd:: show nat cgnat allocation external-address <address> | ||||||
|  | 
 | ||||||
|  |     Show all allocations for an external IP address | ||||||
|  | 
 | ||||||
|  | .. opcmd:: show nat cgnat allocation internal-address <address> | ||||||
|  | 
 | ||||||
|  |     Show all allocations for an internal IP address | ||||||
|  | 
 | ||||||
|  | Show CGNAT allocations | ||||||
|  | ---------------------- | ||||||
|  | 
 | ||||||
|  | .. code-block:: none | ||||||
|  | 
 | ||||||
|  |    vyos@vyos:~$ show nat cgnat allocation | ||||||
|  |    Internal IP    External IP    Port range | ||||||
|  |    -------------  -------------  ------------ | ||||||
|  |    100.64.0.0     203.0.113.1    1024-17023 | ||||||
|  |    100.64.0.1     203.0.113.1    17024-33023 | ||||||
|  |    100.64.0.2     203.0.113.1    33024-49023 | ||||||
|  |    100.64.0.3     203.0.113.1    49024-65023 | ||||||
|  |    100.64.0.4     192.0.2.1      1024-17023 | ||||||
|  |    100.64.0.5     192.0.2.1      17024-33023 | ||||||
|  |    100.64.0.6     192.0.2.1      33024-49023 | ||||||
|  |    100.64.0.7     192.0.2.1      49024-65023 | ||||||
|  | 
 | ||||||
|  |    vyos@vyos:~$ show nat cgnat allocation internal-address 100.64.0.4 | ||||||
|  |    Internal IP    External IP    Port range | ||||||
|  |    -------------  -------------  ------------ | ||||||
|  |    100.64.0.4     192.0.2.1      1024-17023 | ||||||
| 
 | 
 | ||||||
| 
 | 
 | ||||||
| Further Reading | Further Reading | ||||||
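Review bot: the underline under "External address sequences" is much longer than the title while the other headings on the page match their titles; also, the "Show CGNAT allocations" example is worth one explanatory sentence: with ``per-user-limit port '16000'`` each external address serves exactly four subscribers (4 x 16000 ports from 1024 to 65023), and the lower-sequence address 203.0.113.1 is filled before 192.0.2.1, which is what the sequence option in the configuration above controls. Without that sentence the reader has to infer both points from the table.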
|  | |||||||
| @ -64,39 +64,7 @@ Configure | |||||||
| Contrack Timeouts | Contrack Timeouts | ||||||
| ================= | ================= | ||||||
| 
 | 
 | ||||||
| VyOS supports setting timeouts for connections according to the | You can define custom timeout values to apply to a specific subset of | ||||||
| connection type. You can set timeout values for generic connections, for ICMP |  | ||||||
| connections, UDP connections, or for TCP connections in a number of different |  | ||||||
| states. |  | ||||||
| 
 |  | ||||||
| .. cfgcmd:: set system conntrack timeout icmp <1-21474836> |  | ||||||
|     :defaultvalue: |  | ||||||
| .. cfgcmd:: set system conntrack timeout other <1-21474836> |  | ||||||
|     :defaultvalue: |  | ||||||
| .. cfgcmd:: set system conntrack timeout tcp close <1-21474836> |  | ||||||
|     :defaultvalue: |  | ||||||
| .. cfgcmd:: set system conntrack timeout tcp close-wait <1-21474836> |  | ||||||
|     :defaultvalue: |  | ||||||
| .. cfgcmd:: set system conntrack timeout tcp established <1-21474836> |  | ||||||
|     :defaultvalue: |  | ||||||
| .. cfgcmd:: set system conntrack timeout tcp fin-wait <1-21474836> |  | ||||||
|     :defaultvalue: |  | ||||||
| .. cfgcmd:: set system conntrack timeout tcp last-ack <1-21474836> |  | ||||||
|     :defaultvalue: |  | ||||||
| .. cfgcmd:: set system conntrack timeout tcp syn-recv <1-21474836> |  | ||||||
|     :defaultvalue: |  | ||||||
| .. cfgcmd:: set system conntrack timeout tcp syn-sent <1-21474836> |  | ||||||
|     :defaultvalue: |  | ||||||
| .. cfgcmd:: set system conntrack timeout tcp time-wait <1-21474836> |  | ||||||
|     :defaultvalue: |  | ||||||
| .. cfgcmd:: set system conntrack timeout udp other <1-21474836> |  | ||||||
|     :defaultvalue: |  | ||||||
| .. cfgcmd:: set system conntrack timeout udp stream <1-21474836> |  | ||||||
|     :defaultvalue: |  | ||||||
| 
 |  | ||||||
|     Set the timeout in seconds for a protocol or state. |  | ||||||
| 
 |  | ||||||
| You can also define custom timeout values to apply to a specific subset of |  | ||||||
| connections, based on a packet and flow selector. To do this, you need to | connections, based on a packet and flow selector. To do this, you need to | ||||||
| create a rule defining the packet and flow selector. | create a rule defining the packet and flow selector. | ||||||
| 
 | 
 | ||||||
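Review bot: this hunk deletes the twelve ``set system conntrack timeout ...`` entries and the paragraph introducing them with no replacement or pointer; if the commands still exist, the per-protocol and per-TCP-state timeouts should stay documented (or be cross-referenced where they moved), and if they were removed from the CLI, the commit message should say so. As it stands, the only text left under the "Contrack Timeouts" heading is the custom-rule paragraph, which now opens "You can define custom timeout values" with nothing before it to be custom relative to. Minor, in context: "Contrack" should be "Conntrack".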
| @ -177,6 +145,11 @@ create a rule defining the packet and flow selector. | |||||||
| Conntrack ignore rules | Conntrack ignore rules | ||||||
| ====================== | ====================== | ||||||
| 
 | 
 | ||||||
|  | .. note:: **Important note about conntrack ignore rules:** | ||||||
|  |    Starting from vyos-1.5-rolling-202406120020, ignore rules can be defined in | ||||||
|  |    ``set firewall [ipv4 | ipv6] prerouting raw ...``. It's expected that in | ||||||
|  |    the future the conntrack ignore rules will be removed. | ||||||
|  | 
 | ||||||
|     Customized ignore rules, based on a packet and flow selector. |     Customized ignore rules, based on a packet and flow selector. | ||||||
| 
 | 
 | ||||||
| .. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> | .. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> | ||||||
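Review bot: the new note announces a future removal but gives no version and no migration advice; suggest naming the replacement as the preferred location, telling operators to migrate existing ``set system conntrack ignore`` rules to ``set firewall [ipv4 | ipv6] prerouting raw ...``, and linking to that section with a ``:doc:`` role as the firewall page does, so the deprecation is actionable rather than just a warning.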
|  | |||||||
| @ -212,6 +212,56 @@ You can also write a description for a filter: | |||||||
| .. note:: IPv6 TCP filters will only match IPv6 packets with no header | .. note:: IPv6 TCP filters will only match IPv6 packets with no header | ||||||
|    extension, see https://en.wikipedia.org/wiki/IPv6_packet#Extension_headers |    extension, see https://en.wikipedia.org/wiki/IPv6_packet#Extension_headers | ||||||
| 
 | 
 | ||||||
|  | Traffic Match Group  | ||||||
|  | ------------------- | ||||||
|  | In some case where we need to have an organization of our matching selection,  | ||||||
|  | in order to be more flexible and organize with our filter definition. We can  | ||||||
|  | apply traffic match groups, allowing us to create distinct filter groups within  | ||||||
|  | our policy and define various parameters for each group: | ||||||
|  | 
 | ||||||
|  | .. code-block:: none | ||||||
|  | 
 | ||||||
|  |   set qos traffic-match-group <group_name> match <match_name>  | ||||||
|  |   Possible completions: | ||||||
|  |      description          Description | ||||||
|  |    > ip                   Match IP protocol header | ||||||
|  |    > ipv6                 Match IPv6 protocol header | ||||||
|  |      mark                 Match on mark applied by firewall | ||||||
|  |      vif                  Virtual Local Area Network (VLAN) ID for this match | ||||||
|  | 
 | ||||||
|  | inherit matches from another group | ||||||
|  | 
 | ||||||
|  | .. code-block:: none | ||||||
|  | 
 | ||||||
|  |   set qos traffic-match-group <group_name> match-group <match_group_name>  | ||||||
|  | 
 | ||||||
|  | A match group can contain multiple criteria and inherit them in the same policy. | ||||||
|  | 
 | ||||||
|  | For example: | ||||||
|  | 
 | ||||||
|  | .. code-block:: none | ||||||
|  | 
 | ||||||
|  |   set qos traffic-match-group Mission-Critical match AF31 ip dscp 'AF31' | ||||||
|  |   set qos traffic-match-group Mission-Critical match AF32 ip dscp 'AF42' | ||||||
|  |   set qos traffic-match-group Mission-Critical match CS3 ip dscp 'CS3' | ||||||
|  |   set qos traffic-match-group Streaming-Video match AF11 ip dscp 'AF11' | ||||||
|  |   set qos traffic-match-group Streaming-Video match AF41 ip dscp 'AF41' | ||||||
|  |   set qos traffic-match-group Streaming-Video match AF43 ip dscp 'AF43' | ||||||
|  |   set qos policy shaper VyOS-HTB class 10 bandwidth '30%' | ||||||
|  |   set qos policy shaper VyOS-HTB class 10 description 'Multimedia' | ||||||
|  |   set qos policy shaper VyOS-HTB class 10 match CS4 ip dscp 'CS4' | ||||||
|  |   set qos policy shaper VyOS-HTB class 10 match-group 'Streaming-Video' | ||||||
|  |   set qos policy shaper VyOS-HTB class 10 priority '1' | ||||||
|  |   set qos policy shaper VyOS-HTB class 10 queue-type 'fair-queue' | ||||||
|  |   set qos policy shaper VyOS-HTB class 20 description 'MC' | ||||||
|  |   set qos policy shaper VyOS-HTB class 20 match-group 'Mission-Critical' | ||||||
|  |   set qos policy shaper VyOS-HTB class 20 priority '2' | ||||||
|  |   set qos policy shaper VyOS-HTB class 20 queue-type 'fair-queue' | ||||||
|  |   set qos policy shaper VyOS-HTB default bandwidth '20%' | ||||||
|  |   set qos policy shaper VyOS-HTB default queue-type 'fq-codel' | ||||||
|  | 
 | ||||||
|  | In this example, we can observe that different DSCP criteria are defined based  | ||||||
|  | on our QoS configuration within the same policy group. | ||||||
| 
 | 
 | ||||||
| Default | Default | ||||||
| ------- | ------- | ||||||
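Review bot: the introductory paragraph is a sentence fragment ("In some case where we need to have an organization of our matching selection, in order to be more flexible and organize with our filter definition. We can apply ...") and needs rewording, for example "Traffic match groups let you define a set of match criteria once and reuse it from several classes of a policy:". In the example, the match named ``AF32`` sets ``ip dscp 'AF42'``, which looks like a typo for ``'AF32'`` since every other match is named after its DSCP value. Also "inherit matches from another group" should be a proper sentence or sub-heading, and the "Traffic Match Group" heading line carries trailing whitespace.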
|  | |||||||
| @ -65,10 +65,14 @@ To start, clone the repository to your local machine: | |||||||
|   $ ./configure --architecture amd64 --build-by "j.randomhacker@vyos.io" |   $ ./configure --architecture amd64 --build-by "j.randomhacker@vyos.io" | ||||||
|   $ sudo make iso |   $ sudo make iso | ||||||
| 
 | 
 | ||||||
|   # For VyOS 1.4 (sagitta) and VyOS 1.5 (circinus,current) |   # For VyOS 1.4 (sagitta) | ||||||
|   $ sudo make clean |   $ sudo make clean | ||||||
|   $ sudo ./build-vyos-image iso --architecture amd64 --build-by "j.randomhacker@vyos.io" |   $ sudo ./build-vyos-image iso --architecture amd64 --build-by "j.randomhacker@vyos.io" | ||||||
| 
 | 
 | ||||||
|  |   # For VyOS 1.5 (circinus,current) | ||||||
|  |   $ sudo make clean | ||||||
|  |   $ sudo ./build-vyos-image generic --architecture amd64 --build-by "j.randomhacker@vyos.io" | ||||||
|  | 
 | ||||||
| For the packages required, you can refer to the ``docker/Dockerfile`` file | For the packages required, you can refer to the ``docker/Dockerfile`` file | ||||||
| in the repository_. The ``./build-vyos-image`` script will also warn you if any | in the repository_. The ``./build-vyos-image`` script will also warn you if any | ||||||
| dependencies are missing. | dependencies are missing. | ||||||
| @ -274,10 +278,14 @@ Start the build: | |||||||
|   vyos_bld@8153428c7e1f:/vyos$ ./configure --architecture amd64 --build-by "j.randomhacker@vyos.io" |   vyos_bld@8153428c7e1f:/vyos$ ./configure --architecture amd64 --build-by "j.randomhacker@vyos.io" | ||||||
|   vyos_bld@8153428c7e1f:/vyos$ sudo make iso |   vyos_bld@8153428c7e1f:/vyos$ sudo make iso | ||||||
| 
 | 
 | ||||||
|   # For VyOS 1.4 (sagitta) For VyOS 1.5 (circinus,current) |   # For VyOS 1.4 (sagitta) | ||||||
|   vyos_bld@8153428c7e1f:/vyos$ sudo make clean |   vyos_bld@8153428c7e1f:/vyos$ sudo make clean | ||||||
|   vyos_bld@8153428c7e1f:/vyos$ sudo ./build-vyos-image iso --architecture amd64 --build-by "j.randomhacker@vyos.io" |   vyos_bld@8153428c7e1f:/vyos$ sudo ./build-vyos-image iso --architecture amd64 --build-by "j.randomhacker@vyos.io" | ||||||
| 
 | 
 | ||||||
|  |   # For VyOS 1.5 (circinus,current) | ||||||
|  |   vyos_bld@8153428c7e1f:/vyos$ sudo make clean | ||||||
|  |   vyos_bld@8153428c7e1f:/vyos$ sudo ./build-vyos-image generic --architecture amd64 --build-by "j.randomhacker@vyos.io" | ||||||
|  | 
 | ||||||
| When the build is successful, the resulting iso can be found inside the | When the build is successful, the resulting iso can be found inside the | ||||||
| ``build`` directory as ``live-image-[architecture].hybrid.iso``. | ``build`` directory as ``live-image-[architecture].hybrid.iso``. | ||||||
| 
 | 
 | ||||||
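Review bot: the new VyOS 1.5 block builds with ``./build-vyos-image generic`` while the unchanged sentence that follows still says the result is ``live-image-[architecture].hybrid.iso`` in the ``build`` directory; confirm that this holds for the ``generic`` flavor, or state the 1.5 output name separately. The same 1.4/1.5 split was added earlier on the page, so the same clarification applies there.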
|  | |||||||
| @ -1,4 +1,4 @@ | |||||||
| urllib3==2.1.0 | urllib3==2.2.2 | ||||||
| Sphinx==7.2.6 | Sphinx==7.2.6 | ||||||
| sphinx-rtd-theme==2.0.0 | sphinx-rtd-theme==2.0.0 | ||||||
| sphinx-autobuild==2021.3.14 | sphinx-autobuild==2021.3.14 | ||||||
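Review bot: the urllib3 bump from 2.1.0 to 2.2.2 is unrelated to the wireless T6320 change in the commit subject; it should land as its own commit with a message saying whether it is a bugfix or a security update, so the dependency history of the documentation build stays auditable.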
|  | |||||||