vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-12-17 11:02:24 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1478 from nicolas-fort/T3900-fwall-raw-tables

Browse Source 
Firewall: Add prerouting information
This commit is contained in:
Christian Breunig 2024-06-13 07:22:30 +02:00 committed by GitHub
commit f1eb14c7e9
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 118 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
docs/_static/images/firewall-fwd-packet-flow.png vendored
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 39 KiB

After

Width:  |  Height:  |  Size: 30 KiB

BIN
docs/_static/images/firewall-input-packet-flow.png vendored
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 55 KiB

After

Width:  |  Height:  |  Size: 43 KiB

32
docs/configuration/firewall/global-options.rst
View File

@ -145,3 +145,35 @@ Configuration
[emerg | alert | crit | err | warn | notice | info | debug] [emerg | alert | crit | err | warn | notice | info | debug]
Set the global setting for related connections. Set the global setting for related connections.
VyOS supports setting timeouts for connections according to the
connection type. You can set timeout values for generic connections, for ICMP
connections, UDP connections, or for TCP connections in a number of different
states.
.. cfgcmd:: set firewall global-options timeout icmp <1-21474836>
:defaultvalue:
.. cfgcmd:: set firewall global-options timeout other <1-21474836>
:defaultvalue:
.. cfgcmd:: set firewall global-options timeout tcp close <1-21474836>
:defaultvalue:
.. cfgcmd:: set firewall global-options timeout tcp close-wait <1-21474836>
:defaultvalue:
.. cfgcmd:: set firewall global-options timeout tcp established <1-21474836>
:defaultvalue:
.. cfgcmd:: set firewall global-options timeout tcp fin-wait <1-21474836>
:defaultvalue:
.. cfgcmd:: set firewall global-options timeout tcp last-ack <1-21474836>
:defaultvalue:
.. cfgcmd:: set firewall global-options timeout tcp syn-recv <1-21474836>
:defaultvalue:
.. cfgcmd:: set firewall global-options timeout tcp syn-sent <1-21474836>
:defaultvalue:
.. cfgcmd:: set firewall global-options timeout tcp time-wait <1-21474836>
:defaultvalue:
.. cfgcmd:: set firewall global-options timeout udp other <1-21474836>
:defaultvalue:
.. cfgcmd:: set firewall global-options timeout udp stream <1-21474836>
:defaultvalue:
Set the timeout in seconds for a protocol or state.

35
docs/configuration/firewall/index.rst
View File

@ -26,14 +26,23 @@ firewall are covered below:
If the interface where the packet was received isn't part of a bridge, then If the interface where the packet was received isn't part of a bridge, then
packet is processed at the **IP Layer**: packet is processed at the **IP Layer**:
* **Prerouting**: several actions can be done in this stage, and currently * **Prerouting**: All packets that are received by the router
these actions are defined in different parts in VyOS configuration. Order are processed in this stage, regardless of the destination of the packet.
is important, and all these actions are performed before any actions Starting from vyos-1.5-rolling-202406120020, a new section was added to
defined under ``firewall`` section. Relevant configuration that acts in firewall configuration. There are several actions that can be done in this
this stage are: stage, and currently these actions are also defined in different parts in
VyOS configuration. Order is important, and relevant configuration that
acts in this stage are:
* **Firewall prerouting**: rules defined under ``set firewall [ipv4 |
ipv6] prerouting raw...``. All rules defined in this section are
processed before connection tracking subsystem.
* **Conntrack Ignore**: rules defined under ``set system conntrack ignore * **Conntrack Ignore**: rules defined under ``set system conntrack ignore
[ipv4 | ipv6] ...``. [ipv4 | ipv6] ...``. Starting from vyos-1.5-rolling-202406120020,
configuration done in this section can be done in ``firewall [ipv4 |
ipv6] prerouting ...``. For compatibility reasons, this feature is
still present, but it will be removed in the future.
* **Policy Route**: rules defined under ``set policy [route | route6] * **Policy Route**: rules defined under ``set policy [route | route6]
...``. ...``.
@ -67,11 +76,13 @@ packet is processed at the **IP Layer**:
new connection originated by a internal process running on VyOS router, new connection originated by a internal process running on VyOS router,
such as NTP, or a response to traffic received externally through such as NTP, or a response to traffic received externally through
**input** (for example response to an ssh login attempt to the router). **input** (for example response to an ssh login attempt to the router).
This includes ipv4 and ipv6 filtering rules, defined in: This includes ipv4 and ipv6 rules, and two different sections are present:
* ``set firewall ipv4 output filter ...``. * **Output Prerouting**: ``set firewall [ipv4 | ipv6] output filter ...``.
As described in **Prerouting**, rules defined in this section are
processed before connection tracking subsystem.
* ``set firewall ipv6 output filter ...``. * **Output Filter**: ``set firewall [ipv4 | ipv6] output filter ...``.
* **Postrouting**: as in **Prerouting**, several actions defined in * **Postrouting**: as in **Prerouting**, several actions defined in
different parts of VyOS configuration are performed in this different parts of VyOS configuration are performed in this
@ -120,6 +131,9 @@ The main structure of the VyOS firewall CLI is shown next:
+ filter + filter
- output - output
+ filter + filter
+ raw
- prerouting
+ raw
- name - name
+ custom_name + custom_name
* ipv6 * ipv6
@ -129,6 +143,9 @@ The main structure of the VyOS firewall CLI is shown next:
+ filter + filter
- output - output
+ filter + filter
+ raw
- prerouting
+ raw
- ipv6-name - ipv6-name
+ custom_name + custom_name
* zone * zone

31
docs/configuration/firewall/ipv4.rst
View File

@ -31,17 +31,34 @@ of the general structure:
+ filter + filter
- output - output
+ filter + filter
+ raw
- prerouting
+ raw
- name - name
+ custom_name + custom_name
First, all traffic is received by the router, and it is processed in the
**prerouting** section.
This stage includes:
* **Firewall Prerouting**: commands found under ``set firewall ipv4
prerouting raw ...``
* :doc:`Conntrack Ignore</configuration/system/conntrack>`: ``set system
conntrack ignore ipv4...``
* :doc:`Policy Route</configuration/policy/route>`: commands found under
``set policy route ...``
* :doc:`Destination NAT</configuration/nat/nat44>`: commands found under
``set nat destination ...``
For transit traffic, which is received by the router and forwarded, base chain For transit traffic, which is received by the router and forwarded, base chain
is **forward**. A simplified packet flow diagram for transit traffic is shown is **forward**. A simplified packet flow diagram for transit traffic is shown
next: next:
.. figure:: /_static/images/firewall-fwd-packet-flow.png .. figure:: /_static/images/firewall-fwd-packet-flow.png
Where firewall base chain to configure firewall filtering rules for transit Firewall base chain to configure firewall filtering rules for transit traffic
traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, is ``set firewall ipv4 forward filter ...``, which happens in stage 5,
highlighted with red color. highlighted with red color.
For traffic towards the router itself, base chain is **input**, while traffic For traffic towards the router itself, base chain is **input**, while traffic
@ -52,11 +69,17 @@ router (starting from circle number 6):
.. figure:: /_static/images/firewall-input-packet-flow.png .. figure:: /_static/images/firewall-input-packet-flow.png
Base chain is for traffic toward the router is ``set firewall ipv4 input Base chain for traffic towards the router is ``set firewall ipv4 input
filter ...`` filter ...``
And base chain for traffic generated by the router is ``set firewall ipv4 And base chain for traffic generated by the router is ``set firewall ipv4
output filter ...`` output ...``, where two sub-chains are available: **filter** and **raw**:
* **Output Prerouting**: ``set firewall ipv4 output raw ...``.
As described in **Prerouting**, rules defined in this section are
processed before connection tracking subsystem.
* **Output Filter**: ``set firewall ipv4 output filter ...``. Rules defined
in this section are processed after connection tracking subsystem.
.. note:: **Important note about default-actions:** .. note:: **Important note about default-actions:**
If default action for any base chain is not defined, then the default If default action for any base chain is not defined, then the default

31
docs/configuration/firewall/ipv6.rst
View File

@ -31,17 +31,34 @@ of the general structure:
+ filter + filter
- output - output
+ filter + filter
+ raw
- prerouting
+ raw
- name - name
+ custom_name + custom_name
First, all traffic is received by the router, and it is processed in the
**prerouting** section.
This stage includes:
* **Firewall Prerouting**: commands found under ``set firewall ipv6
prerouting raw ...``
* :doc:`Conntrack Ignore</configuration/system/conntrack>`: ``set system
conntrack ignore ipv6...``
* :doc:`Policy Route</configuration/policy/route>`: commands found under
``set policy route6 ...``
* :doc:`Destination NAT</configuration/nat/nat44>`: commands found under
``set nat66 destination ...``
For transit traffic, which is received by the router and forwarded, base chain For transit traffic, which is received by the router and forwarded, base chain
is **forward**. A simplified packet flow diagram for transit traffic is shown is **forward**. A simplified packet flow diagram for transit traffic is shown
next: next:
.. figure:: /_static/images/firewall-fwd-packet-flow.png .. figure:: /_static/images/firewall-fwd-packet-flow.png
Where firewall base chain to configure firewall filtering rules for transit Firewall base chain to configure firewall filtering rules for transit traffic
traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, is ``set firewall ipv6 forward filter ...``, which happens in stage 5,
highlighted with red color. highlighted with red color.
For traffic towards the router itself, base chain is **input**, while traffic For traffic towards the router itself, base chain is **input**, while traffic
@ -52,11 +69,17 @@ router (starting from circle number 6):
.. figure:: /_static/images/firewall-input-packet-flow.png .. figure:: /_static/images/firewall-input-packet-flow.png
Base chain is for traffic toward the router is ``set firewall ipv6 input Base chain for traffic towards the router is ``set firewall ipv6 input
filter ...`` filter ...``
And base chain for traffic generated by the router is ``set firewall ipv6 And base chain for traffic generated by the router is ``set firewall ipv6
output filter ...`` output filter ...``, where two sub-chains are available: **filter** and **raw**:
* **Output Prerouting**: ``set firewall ipv6 output raw ...``.
As described in **Prerouting**, rules defined in this section are
processed before connection tracking subsystem.
* **Output Filter**: ``set firewall ipv6 output filter ...``. Rules defined
in this section are processed after connection tracking subsystem.
.. note:: **Important note about default-actions:** .. note:: **Important note about default-actions:**
If default action for any base chain is not defined, then the default If default action for any base chain is not defined, then the default

39
docs/configuration/system/conntrack.rst
View File

@ -64,39 +64,7 @@ Configure
Contrack Timeouts Contrack Timeouts
================= =================
VyOS supports setting timeouts for connections according to the You can define custom timeout values to apply to a specific subset of
connection type. You can set timeout values for generic connections, for ICMP
connections, UDP connections, or for TCP connections in a number of different
states.
.. cfgcmd:: set system conntrack timeout icmp <1-21474836>
:defaultvalue:
.. cfgcmd:: set system conntrack timeout other <1-21474836>
:defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp close <1-21474836>
:defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp close-wait <1-21474836>
:defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp established <1-21474836>
:defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp fin-wait <1-21474836>
:defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp last-ack <1-21474836>
:defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp syn-recv <1-21474836>
:defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp syn-sent <1-21474836>
:defaultvalue:
.. cfgcmd:: set system conntrack timeout tcp time-wait <1-21474836>
:defaultvalue:
.. cfgcmd:: set system conntrack timeout udp other <1-21474836>
:defaultvalue:
.. cfgcmd:: set system conntrack timeout udp stream <1-21474836>
:defaultvalue:
Set the timeout in seconds for a protocol or state.
You can also define custom timeout values to apply to a specific subset of
connections, based on a packet and flow selector. To do this, you need to connections, based on a packet and flow selector. To do this, you need to
create a rule defining the packet and flow selector. create a rule defining the packet and flow selector.
@ -177,6 +145,11 @@ create a rule defining the packet and flow selector.
Conntrack ignore rules Conntrack ignore rules
====================== ======================
.. note:: **Important note about conntrack ignore rules:**
Starting from vyos-1.5-rolling-202406120020, ignore rules can be defined in
``set firewall [ipv4 | ipv6] prerouting raw ...``. It's expected that in
the future the conntrack ignore rules will be removed.
Customized ignore rules, based on a packet and flow selector. Customized ignore rules, based on a packet and flow selector.
.. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> .. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999>