vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-26 08:41:46 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #895 from nicolas-fort/fwall_update

Browse Source 
Firewall update: add groups and note to firewall interface section
This commit is contained in:
Robert Göhler 2022-11-27 21:44:33 +01:00 committed by GitHub
commit c7c838ffa5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 37 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

44
docs/configuration/firewall/general.rst
View File

@ -148,11 +148,11 @@ Some firewall settings are global and have an affect on the whole system.
Groups
******
Firewall groups represent collections of IP addresses, networks, or
ports. Once created, a group can be referenced by firewall rules as
either a source or destination. Members can be added or removed from a
group without changes to, or the need to reload, individual firewall
rules.
Firewall groups represent collections of IP addresses, networks, ports,
mac addresses or domains. Once created, a group can be referenced by
firewall, nat and policy route rules as either a source or destination
matcher. Members can be added or removed from a group without changes to,
or the need to reload, individual firewall rules.
Groups need to have unique names. Even though some contain IPv4
addresses and others contain IPv6 addresses, they still need to have
@ -183,7 +183,6 @@ defined.
Provide a IPv4 or IPv6 address group description
Network Groups
==============
@ -208,7 +207,6 @@ recommended.
Provide a IPv4 or IPv6 network group description.
Port Groups
===========
@ -234,6 +232,34 @@ filtering unnecessary ports. Ranges of ports can be specified by using
Provide a port group description.
MAC Groups
==========
A **mac group** represents a collection of mac addresses.
.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address>
Define a mac group.
.. code-block:: none
set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f
set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81
Domain Groups
=============
A **domain group** represents a collection of domains.
.. cfgcmd:: set firewall group domain-group <name> address <domain>
Define a domain group.
.. code-block:: none
set firewall group domain-group DOM address example.com
*********
Rule-Sets
@ -634,11 +660,15 @@ A Rule-Set can be applied to every interface:
set firewall interface eth1.100 out name LANv4-OUT
set firewall interface bond0 in name LANv4-IN
set firewall interface vtun1 in name LANv4-IN
set firewall interface eth2* in name LANv4-IN
.. note::
As you can see in the example here, you can assign the same rule-set to
several interfaces. An interface can only have one rule-set per chain.
.. note::
You can use wildcard ``*`` to match a group of interfaces.
***********************
Operation-mode Firewall
***********************