vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-10-26 08:41:46 +01:00
Code Issues Packages Projects Releases Wiki Activity
vyos-documentation/docs/configuration/firewall/ipv4.rst
whyrlpool 8214ffe4c6
proofread and update firewall docs
2024-07-03 17:26:08 +01:00

1257 lines
49 KiB
ReStructuredText
Raw Blame History

:lastproofread: 2024-07-03
.. _firewall-ipv4-configuration:
###########################
IPv4 Firewall Configuration
###########################
********
Overview
********
In this section there's useful information on all firewall configuration that
can be done regarding IPv4, and appropriate op-mode commands.
Configuration commands covered in this section:
.. cfgcmd:: set firewall ipv4 ...
From the main structure defined in
:doc:`Firewall Overview</configuration/firewall/index>`
in this section you can find detailed information only for the next part
of the general structure:
.. code-block:: none
- set firewall
* ipv4
- forward
+ filter
- input
+ filter
- output
+ filter
+ raw
- prerouting
+ raw
- name
+ custom_name
First, all traffic is received by the router, and it is processed in the
**prerouting** section.
This stage includes:
* **Firewall Prerouting**: commands found under ``set firewall ipv4
prerouting raw ...``
* :doc:`Conntrack Ignore</configuration/system/conntrack>`: ``set system
conntrack ignore ipv4...``
* :doc:`Policy Route</configuration/policy/route>`: commands found under
``set policy route ...``
* :doc:`Destination NAT</configuration/nat/nat44>`: commands found under
``set nat destination ...``
For transit traffic, which is received by the router and forwarded, the base
chain is **forward**. A simplified packet flow diagram for transit traffic is
shown next:
.. figure:: /_static/images/firewall-fwd-packet-flow.png
The base firewall chain to configure filtering rules for transit traffic
is ``set firewall ipv4 forward filter ...``, which happens in stage 5,
highlighted in the color red.
For traffic towards the router itself, the base chain is **input**, while
traffic originated by the router has the base chain **output**.
A new simplified packet flow diagram is shown next, which shows the path
for traffic destined to the router itself, and traffic generated by the
router (starting from circle number 6):
.. figure:: /_static/images/firewall-input-packet-flow.png
The base chain for traffic towards the router is ``set firewall ipv4 input
filter ...``
And the base chain for traffic generated by the router is ``set firewall ipv4
output ...``, where two sub-chains are available: **filter** and **raw**:
* **Output Prerouting**: ``set firewall ipv4 output raw ...``.
As described in **Prerouting**, rules defined in this section are
processed before connection tracking subsystem.
* **Output Filter**: ``set firewall ipv4 output filter ...``. Rules defined
in this section are processed after connection tracking subsystem.
.. note:: **Important note about default-actions:**
If a default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains, if the
default action is not defined, then the default-action is set to **drop**
Custom firewall chains can be created, with commands
``set firewall ipv4 name <name> ...``. In order to use
such custom chain, a rule with **action jump**, and the appropriate **target**
should be defined in a base chain.
*********************
Firewall - IPv4 Rules
*********************
For firewall filtering, firewall rules need to be created. Each rule is
numbered, has an action to apply if the rule is matched, and the ability
to specify multiple matching criteria. Data packets go through the rules
from 1 - 999999, so order is crucial. At the first match the action of the
rule will be executed.
Actions
=======
If a rule is defined, then an action must be defined for it. This tells the
firewall what to do if all of the criteria defined for that rule match.
The action can be :
* ``accept``: accept the packet.
* ``continue``: continue parsing next rule.
* ``drop``: drop the packet.
* ``reject``: reject the packet.
* ``jump``: jump to another custom chain.
* ``return``: Return from the current chain and continue at the next rule
of the last chain.
* ``queue``: Enqueue packet to userspace.
* ``synproxy``: synproxy the packet.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> action
[accept | continue | drop | jump | queue | reject | return | synproxy]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> action
[accept | continue | drop | jump | queue | reject | return | synproxy]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> action
[accept | continue | drop | jump | queue | reject | return]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action
[accept | continue | drop | jump | queue | reject | return]
This required setting defines the action of the current rule. If the action
is set to jump, then a jump-target is also needed.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
jump-target <text>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
jump-target <text>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
jump-target <text>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
jump-target <text>
To be used only when action is set to ``jump``. Use this command to specify
the jump target.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
queue <0-65535>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
queue <0-65535>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
queue <0-65535>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
queue <0-65535>
To be used only when action is set to ``queue``. Use this command to specify
the queue target to use. Queue range is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
queue-options bypass
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
queue-options bypass
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
queue-options bypass
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
queue-options bypass
To be used only when action is set to ``queue``. Use this command to let the
packet go through firewall when no userspace software is connected to the
queue.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
queue-options fanout
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
queue-options fanout
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
queue-options fanout
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
queue-options fanout
To be used only when action is set to ``queue``. Use this command to
distribute packets between several queues.
Also, **default-action** is an action that takes place whenever a packet does
not match any rule in it's chain. For base chains, possible options for
**default-action** are **accept** or **drop**.
.. cfgcmd:: set firewall ipv4 forward filter default-action
[accept | drop]
.. cfgcmd:: set firewall ipv4 input filter default-action
[accept | drop]
.. cfgcmd:: set firewall ipv4 output filter default-action
[accept | drop]
.. cfgcmd:: set firewall ipv4 name <name> default-action
[accept | drop | jump | queue | reject | return]
This sets the default action of the rule-set if a packet does not match the
criteria of any rule. If default-action is set to ``jump``, then
``default-jump-target`` is also needed. Note that for base chains, the
default action can only be set to ``accept`` or ``drop``, while on custom
chains, more actions are available.
.. cfgcmd:: set firewall ipv4 name <name> default-jump-target <text>
To be used only when ``default-action`` is set to ``jump``. Use this
command to specify the jump target for the default rule.
.. note:: **Important note about default-actions:**
If the default action for any base chain is not defined, then the default
action is set to **accept** for that chain. For custom chains if a default
action is not defined then the default-action is set to **drop**.
Firewall Logs
=============
Logging can be enable for every single firewall rule. If enabled, other
log options can be defined.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> log
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> log
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log
Enable logging for the matched packet. If this configuration command is not
present, then the log is not enabled.
.. cfgcmd:: set firewall ipv4 forward filter default-log
.. cfgcmd:: set firewall ipv4 input filter default-log
.. cfgcmd:: set firewall ipv4 output filter default-log
.. cfgcmd:: set firewall ipv4 name <name> default-log
Use this command to enable the logging of the default action on
the specified chain.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
log-options level [emerg | alert | crit | err | warn | notice
| info | debug]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
log-options level [emerg | alert | crit | err | warn | notice
| info | debug]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
log-options level [emerg | alert | crit | err | warn | notice
| info | debug]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
log-options level [emerg | alert | crit | err | warn | notice
| info | debug]
Define log-level. Only applicable if rule log is enabled.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
log-options group <0-65535>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
log-options group <0-65535>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
log-options group <0-65535>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
log-options group <0-65535>
Define the log group to send messages to. Only applicable if rule log is
enabled.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
log-options snapshot-length <0-9000>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
log-options snapshot-length <0-9000>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
log-options snapshot-length <0-9000>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
log-options snapshot-length <0-9000>
Define the length of packet payload to include in a netlink message. Only
applicable if rule log is enabled and log group is defined.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
log-options queue-threshold <0-65535>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
log-options queue-threshold <0-65535>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
log-options queue-threshold <0-65535>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
log-options queue-threshold <0-65535>
Define the number of packets to queue inside the kernel before sending them
to userspace. Only applicable if rule log is enabled and log group is defined.
Firewall Description
====================
For reference, a description can be defined for every single rule, and for
every defined custom chain.
.. cfgcmd:: set firewall ipv4 name <name> description <text>
Provide a rule-set description to a custom firewall chain.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
description <text>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
description <text>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
description <text>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> description <text>
Provide a description for each rule.
Rule Status
===========
When defining a rule, it is enabled by default. In some cases, it is useful to
just disable the rule, rather than removing it.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> disable
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> disable
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> disable
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> disable
Command for disabling a rule but keep it in the configuration.
Matching criteria
=================
There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
connection-status nat [destination | source]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
connection-status nat [destination | source]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
connection-status nat [destination | source]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
connection-status nat [destination | source]
Match based on nat connection status.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
connection-mark <1-2147483647>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
connection-mark <1-2147483647>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
connection-mark <1-2147483647>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
connection-mark <1-2147483647>
Match based on connection mark.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
conntrack-helper <module>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
conntrack-helper <module>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
conntrack-helper <module>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
conntrack-helper <module>
Match based on connection tracking protocol helper module to secure use of
that helper module. See below for possible completions `<module>`.
.. code-block:: none
Possible completions:
ftp Related traffic from FTP helper
h323 Related traffic from H.323 helper
pptp Related traffic from PPTP helper
nfs Related traffic from NFS helper
sip Related traffic from SIP helper
tftp Related traffic from TFTP helper
sqlnet Related traffic from SQLNet helper
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source address [address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
source address [address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
source address [address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
source address [address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
destination address [address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
destination address [address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
destination address [address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination address [address | addressrange | CIDR]
Match criteria based on source and/or destination address. This is similar
to the network groups part, but here you are able to negate the matching
addresses.
.. code-block:: none
set firewall ipv4 name FOO rule 50 source address 192.0.2.10-192.0.2.11
# with a '!' the rule match everything except the specified subnet
set firewall ipv4 input filter FOO rule 51 source address !203.0.113.0/24
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source address-mask [address]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
source address-mask [address]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
source address-mask [address]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
source address-mask [address]
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
destination address-mask [address]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
destination address-mask [address]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
destination address-mask [address]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination address-mask [address]
An arbitrary netmask can be applied to mask addresses to only match against
a specific portion.
This functions for both individual addresses and address groups.
.. code-block:: none
# Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet
set firewall ipv4 name FOO rule 100 destination address 0.11.0.13
set firewall ipv4 name FOO rule 100 destination address-mask 0.255.0.255
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source fqdn <fqdn>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
source fqdn <fqdn>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
source fqdn <fqdn>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
source fqdn <fqdn>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
destination fqdn <fqdn>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
destination fqdn <fqdn>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
destination fqdn <fqdn>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination fqdn <fqdn>
Specify a Fully Qualified Domain Name as source/destination to match. Ensure
that the router is able to resolve this dns query.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source geoip country-code <country>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
source geoip country-code <country>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
source geoip country-code <country>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
source geoip country-code <country>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
destination geoip country-code <country>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
destination geoip country-code <country>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
destination geoip country-code <country>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination geoip country-code <country>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source geoip inverse-match
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
source geoip inverse-match
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
source geoip inverse-match
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
source geoip inverse-match
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
destination geoip inverse-match
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
destination geoip inverse-match
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
destination geoip inverse-match
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination geoip inverse-match
Match IP addresses based on its geolocation. More info: `geoip matching
<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
Use inverse-match to match anything except the given country-codes.
Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
permits redistribution so we can include a database in images(~3MB
compressed). Includes cron script (manually callable by op-mode update
geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source mac-address <mac-address>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
source mac-address <mac-address>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
source mac-address <mac-address>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
source mac-address <mac-address>
You can only specify a source mac-address to match.
.. code-block:: none
set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33
set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source port [1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
source port [1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
source port [1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
source port [1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
destination port [1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
destination port [1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
destination port [1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination port [1-65535 | portname | start-end]
A port can be set by number or name as defined in ``/etc/services``.
.. code-block:: none
set firewall ipv4 forward filter rule 10 source port '22'
set firewall ipv4 forward filter rule 11 source port '!http'
set firewall ipv4 forward filter rule 12 source port 'https'
Multiple source ports can be specified as a comma-separated list.
The whole list can also be "negated" using ``!``. For example:
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source group address-group <name | !name>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
source group address-group <name | !name>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
source group address-group <name | !name>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
source group address-group <name | !name>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
destination group address-group <name | !name>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
destination group address-group <name | !name>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
destination group address-group <name | !name>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group address-group <name | !name>
Use a specific address-group. Prepending the character ``!`` to invert the
criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source group dynamic-address-group <name | !name>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
source group dynamic-address-group <name | !name>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
source group dynamic-address-group <name | !name>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
source group dynamic-address-group <name | !name>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
destination group dynamic-address-group <name | !name>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
destination group dynamic-address-group <name | !name>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
destination group dynamic-address-group <name | !name>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group dynamic-address-group <name | !name>
Use a specific dynamic-address-group. Prepending the character ``!`` to
invert the criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source group network-group <name | !name>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
source group network-group <name | !name>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
source group network-group <name | !name>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
source group network-group <name | !name>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
destination group network-group <name | !name>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
destination group network-group <name | !name>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
destination group network-group <name | !name>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group network-group <name | !name>
Use a specific network-group. Prepending the character ``!`` to invert the
criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source group port-group <name | !name>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
source group port-group <name | !name>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
source group port-group <name | !name>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
source group port-group <name | !name>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
destination group port-group <name | !name>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
destination group port-group <name | !name>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
destination group port-group <name | !name>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group port-group <name | !name>
Use a specific port-group. Prepending the character ``!`` to invert the
criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source group domain-group <name | !name>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
source group domain-group <name | !name>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
source group domain-group <name | !name>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
source group domain-group <name | !name>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
destination group domain-group <name | !name>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
destination group domain-group <name | !name>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
destination group domain-group <name | !name>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group domain-group <name | !name>
Use a specific domain-group. Prepending the character ``!`` to invert the
criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source group mac-group <name | !name>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
source group mac-group <name | !name>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
source group mac-group <name | !name>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
source group mac-group <name | !name>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
destination group mac-group <name | !name>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
destination group mac-group <name | !name>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
destination group mac-group <name | !name>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group mac-group <name | !name>
Use a specific mac-group. Prepending the character ``!`` to invert the
criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
dscp [0-63 | start-end]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
dscp [0-63 | start-end]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
dscp [0-63 | start-end]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
dscp [0-63 | start-end]
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
dscp-exclude [0-63 | start-end]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
dscp-exclude [0-63 | start-end]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
dscp-exclude [0-63 | start-end]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
dscp-exclude [0-63 | start-end]
Match based on dscp value.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
fragment [match-frag | match-non-frag]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
fragment [match-frag | match-non-frag]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
fragment [match-frag | match-non-frag]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
fragment [match-frag | match-non-frag]
Match based on fragmentation.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
icmp [code | type] <0-255>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
icmp [code | type] <0-255>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
icmp [code | type] <0-255>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
icmp [code | type] <0-255>
Match based on icmp code and type.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
icmp type-name <text>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
icmp type-name <text>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
icmp type-name <text>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
icmp type-name <text>
Match based on icmp type-name. Use tab for information
about what **type-name** criteria are supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
inbound-interface name <iface>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
inbound-interface name <iface>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
inbound-interface name <iface>
Match based on inbound interface. Wildcard ``*`` can be used.
For example: ``eth2*``. Prepending the character ``!`` to invert the
criteria to match is also supported. For example ``!eth2``
.. note:: If an interface is attached to a non-default vrf, when using
**inbound-interface**, the vrf name must be used. For example ``set firewall
ipv4 forward filter rule 10 inbound-interface name MGMT``
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
inbound-interface group <iface_group>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
inbound-interface group <iface_group>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
inbound-interface group <iface_group>
Match based on the inbound interface group. Prepending the character ``!``
to invert the criteria to match is also supported. For example ``!IFACE_GROUP``
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
outbound-interface name <iface>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
outbound-interface name <iface>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
outbound-interface name <iface>
Match based on outbound interface. Wildcard ``*`` can be used.
For example: ``eth2*``. Prepending the character ``!`` to invert the
criteria to match is also supported. For example ``!eth2``
.. note:: If an interface is attached to a non-default vrf, when using
**outbound-interface**, the real interface name must be used. For example
``set firewall ipv4 forward filter rule 10 outbound-interface name eth0``
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
outbound-interface group <iface_group>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
outbound-interface group <iface_group>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
outbound-interface group <iface_group>
Match based on outbound interface group. Prepending the character ``!`` to
invert the criteria to match is also supported. For example ``!IFACE_GROUP``
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
ipsec [match-ipsec | match-none]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
ipsec [match-ipsec | match-none]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
ipsec [match-ipsec | match-none]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
ipsec [match-ipsec | match-none]
Match based on ipsec.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
limit burst <0-4294967295>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
limit burst <0-4294967295>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
limit burst <0-4294967295>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
limit burst <0-4294967295>
Match based on the maximum number of packets to allow in excess of rate.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
limit rate <text>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
limit rate <text>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
limit rate <text>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
limit rate <text>
Match based on the maximum average rate, specified as **integer/unit**.
For example **5/minutes**
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
packet-length <text>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
packet-length <text>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
packet-length <text>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
packet-length <text>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
packet-length-exclude <text>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
packet-length-exclude <text>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
packet-length-exclude <text>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
packet-length-exclude <text>
Match based on the packet length. Multiple values from 1 to 65535
and ranges are supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
packet-type [broadcast | host | multicast | other]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
packet-type [broadcast | host | multicast | other]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
packet-type [broadcast | host | multicast | other]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
packet-type [broadcast | host | multicast | other]
Match based on the packet type.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
protocol [<text> | <0-255> | all | tcp_udp]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
protocol [<text> | <0-255> | all | tcp_udp]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
protocol [<text> | <0-255> | all | tcp_udp]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
protocol [<text> | <0-255> | all | tcp_udp]
Match based on protocol number or name as defined in ``/etc/protocols``.
Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
based packets. The ``!`` negates the selected protocol.
.. code-block:: none
set firewall ipv4 forward fitler rule 10 protocol tcp_udp
set firewall ipv4 forward fitler rule 11 protocol !tcp_udp
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
recent count <1-255>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
recent count <1-255>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
recent count <1-255>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
recent count <1-255>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
recent time [second | minute | hour]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
recent time [second | minute | hour]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
recent time [second | minute | hour]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
recent time [second | minute | hour]
Match based on recently seen sources.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
tcp flags [not] <text>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
tcp flags [not] <text>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
tcp flags [not] <text>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
tcp flags [not] <text>
Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``,
``rst``, ``syn`` and ``urg``. Multiple values are supported, and for
inverted selection use ``not``, as shown in the example.
.. code-block:: none
set firewall ipv4 input filter rule 10 tcp flags 'ack'
set firewall ipv4 input filter rule 12 tcp flags 'syn'
set firewall ipv4 input filter rule 13 tcp flags not 'fin'
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
state [established | invalid | new | related]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
state [established | invalid | new | related]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
state [established | invalid | new | related]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
state [established | invalid | new | related]
Match against the state of a packet.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
time startdate <text>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
time startdate <text>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
time startdate <text>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
time startdate <text>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
time starttime <text>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
time starttime <text>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
time starttime <text>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
time starttime <text>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
time stopdate <text>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
time stopdate <text>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
time stopdate <text>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
time stopdate <text>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
time stoptime <text>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
time stoptime <text>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
time stoptime <text>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
time stoptime <text>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
time weekdays <text>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
time weekdays <text>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
time weekdays <text>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
time weekdays <text>
Time to match the defined rule.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
ttl <eq | gt | lt> <0-255>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
ttl <eq | gt | lt> <0-255>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
ttl <eq | gt | lt> <0-255>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
ttl <eq | gt | lt> <0-255>
Match the time to live parameter, where 'eq' stands for 'equal'; 'gt' stands
for 'greater than', and 'lt' stands for 'less than'.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
recent count <1-255>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
recent count <1-255>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
recent count <1-255>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
recent count <1-255>
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
recent time <second | minute | hour>
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
recent time <second | minute | hour>
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
recent time <second | minute | hour>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
recent time <second | minute | hour>
Match when 'count' amount of connections are seen within 'time'. These
matching criteria can be used to block brute-force attempts.
********
Synproxy
********
Synproxy connections
.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999>
action synproxy
.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999>
protocol tcp
.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999>
synproxy tcp mss <501-65535>
Set the TCP-MSS (maximum segment size) for the connection
.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999>
synproxy tcp window-scale <1-14>
Set the window scale factor for TCP window scaling
Example synproxy
================
Requirements to enable synproxy:
* Traffic must be symmetric
* Synproxy relies on syncookies and TCP timestamps, ensure these are enabled
* Disable conntrack loose track option
.. code-block:: none
set system sysctl parameter net.ipv4.tcp_timestamps value '1'
set system conntrack tcp loose disable
set system conntrack ignore ipv4 rule 10 destination port '8080'
set system conntrack ignore ipv4 rule 10 protocol 'tcp'
set system conntrack ignore ipv4 rule 10 tcp flags syn
set firewall global-options syn-cookies 'enable'
set firewall ipv4 input filter rule 10 action 'synproxy'
set firewall ipv4 input filter rule 10 destination port '8080'
set firewall ipv4 input filter rule 10 inbound-interface name 'eth1'
set firewall ipv4 input filter rule 10 protocol 'tcp'
set firewall ipv4 input filter rule 10 synproxy tcp mss '1460'
set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
set firewall ipv4 input filter rule 1000 action 'drop'
set firewall ipv4 input filter rule 1000 state invalid
***********************
Operation-mode Firewall
***********************
Rule-set overview
=================
.. opcmd:: show firewall
This will show you a basic firewall overview, for all rule-sets, and not
only for ipv4
.. code-block:: none
vyos@vyos:~$ show firewall
Rulesets Information
---------------------------------
ipv4 Firewall "forward filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- -----------------------------
20 accept all 0 0 ip saddr @N_TRUSTEDv4 accept
21 jump all 0 0 jump NAME_AUX
default accept all 0 0
---------------------------------
ipv4 Firewall "input filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- -------------------------
10 accept all 156 14377 iifname != @I_LAN accept
default accept all 0 0
---------------------------------
ipv4 Firewall "name AUX"
Rule Action Protocol Packets Bytes Conditions
------ -------- ---------- --------- ------- --------------------------------------------
10 accept icmp 0 0 meta l4proto icmp accept
20 accept udp 0 0 meta l4proto udp ip saddr @A_SERVERS accept
30 drop all 0 0 ip saddr != @A_SERVERS iifname "eth2"
---------------------------------
ipv4 Firewall "output filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- ----------------------------------------
10 reject all 0 0 oifname @I_LAN
20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept
default accept all 72 9258
---------------------------------
ipv6 Firewall "input filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- -------------------------------
10 accept all 0 0 ip6 saddr @N6_TRUSTEDv6 accept
default accept all 2 112
vyos@vyos:~$
.. opcmd:: show firewall summary
This will show you a summary of rule-sets and groups
.. code-block:: none
vyos@vyos:~$ show firewall summary
Ruleset Summary
IPv6 Ruleset:
Ruleset Hook Ruleset Priority Description
-------------- -------------------- -------------------------
forward filter
input filter
ipv6_name IPV6-VyOS_MANAGEMENT
ipv6_name IPV6-WAN_IN PUBLIC_INTERNET
IPv4 Ruleset:
Ruleset Hook Ruleset Priority Description
-------------- ------------------ -------------------------
forward filter
input filter
name VyOS_MANAGEMENT
name WAN_IN PUBLIC_INTERNET
Firewall Groups
Name Type References Members
----------------------- ------------------ ----------------------- ----------------
PBX address_group WAN_IN-100 198.51.100.77
SERVERS address_group WAN_IN-110 192.0.2.10
WAN_IN-111 192.0.2.11
WAN_IN-112 192.0.2.12
WAN_IN-120
WAN_IN-121
WAN_IN-122
SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2
WAN_IN-20
PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2
PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2
WAN_IN-171
PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1
SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2
IPV6-WAN_IN-111 2001:db8::3
IPV6-WAN_IN-112 2001:db8::4
IPV6-WAN_IN-120
IPV6-WAN_IN-121
IPV6-WAN_IN-122
SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5
IPV6-WAN_IN-20
.. opcmd:: show firewall ipv4 [forward | input | output] filter
.. opcmd:: show firewall ipv4 name <name>
This command will give an overview of a single rule-set.
.. code-block:: none
vyos@vyos:~$ show firewall ipv4 input filter
Ruleset Information
---------------------------------
IPv4 Firewall "input filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- -----------------------------------------
5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT
default accept all
.. opcmd:: show firewall ipv4 [forward | input | output]
filter rule <1-999999>
.. opcmd:: show firewall ipv4 name <name> rule <1-999999>
This command will give an overview of a rule in a single rule-set, plus
information for default action.
.. code-block:: none
vyos@vyos:~$show firewall ipv4 output filter rule 20
Rule Information
---------------------------------
ipv4 Firewall "output filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- ----------------------------------------
20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept
default accept all 286 47614
vyos@vyos:~$
.. opcmd:: show firewall statistics
This will show you a statistic of all rule-sets since the last boot.
Show Firewall log
=================
.. opcmd:: show log firewall
.. opcmd:: show log firewall ipv4
.. opcmd:: show log firewall ipv4 [forward | input | output | name]
.. opcmd:: show log firewall ipv4 [forward | input | output] filter
.. opcmd:: show log firewall ipv4 name <name>
.. opcmd:: show log firewall ipv4 [forward | input | output] filter rule <rule>
.. opcmd:: show log firewall ipv4 name <name> rule <rule>
Show the logs of all firewall; show all ipv4 firewall logs; show all logs
for particular hook; show all logs for particular hook and priority;
show all logs for particular custom chain; show logs for specific Rule-Set.
Example Partial Config
======================
.. code-block:: none
firewall {
group {
network-group BAD-NETWORKS {
network 198.51.100.0/24
network 203.0.113.0/24
}
network-group GOOD-NETWORKS {
network 192.0.2.0/24
}
port-group BAD-PORTS {
port 65535
}
}
ipv4 {
forward {
filter {
default-action accept
rule 5 {
action accept
source {
group {
network-group GOOD-NETWORKS
}
}
}
rule 10 {
action drop
description "Bad Networks"
protocol all
source {
group {
network-group BAD-NETWORKS
}
}
}
}
}
}
}
Update geoip database
=====================
.. opcmd:: update geoip
Command used to update GeoIP database and firewall sets.
Reference in New Issue View Git Blame Copy Permalink