.. mirror of https://github.com/vyos/vyos-documentation.git, synced 2025-11-04 00:02:05 +01:00

:lastproofread: 2025-02-14

.. _firewall-ipv6-configuration:

###########################
IPv6 Firewall Configuration
###########################

********
Overview
********

This section describes all firewall configuration that applies to IPv6,
together with the related op-mode commands.

Configuration commands covered in this section:

.. cfgcmd:: set firewall ipv6 ...

Of the main structure defined in
:doc:`Firewall Overview</configuration/firewall/index>`, this section
covers only the following part:

.. code-block:: none

   - set firewall
       * ipv6
            - forward
               + filter
            - input
               + filter
            - output
               + filter
               + raw
            - prerouting
               + raw
            - name
               + custom_name

First, all traffic received by the router is processed in the
**prerouting** stage.

This stage includes:

   * **Firewall Prerouting**: commands found under ``set firewall ipv6
     prerouting raw ...``
   * :doc:`Conntrack Ignore</configuration/system/conntrack>`: ``set system
     conntrack ignore ipv6 ...``
   * :doc:`Policy Route</configuration/policy/route>`: commands found under
     ``set policy route6 ...``
   * :doc:`Destination NAT</configuration/nat/nat66>`: commands found under
     ``set nat66 destination ...``

For transit traffic, which is received by the router and forwarded, the base
chain is **forward**. A simplified packet flow diagram for transit traffic is
shown next:

.. figure:: /_static/images/firewall-fwd-packet-flow.png

The base firewall chain to configure filtering rules for transit traffic
is ``set firewall ipv6 forward filter ...``, which happens in stage 5,
highlighted in red.

For traffic towards the router itself, the base chain is **input**, while
traffic originated by the router has the base chain **output**.
A second simplified packet flow diagram is shown next, covering the path
for traffic destined to the router itself and traffic generated by the
router (starting from circle number 6):

.. figure:: /_static/images/firewall-input-packet-flow.png

The base chain for traffic towards the router is ``set firewall ipv6 input
filter ...``

And the base chain for traffic generated by the router is ``set firewall ipv6
output ...``, where two sub-chains are available: **filter** and **raw**:

* **Output Raw**: ``set firewall ipv6 output raw ...``.
  As with **Prerouting**, rules defined in this section are
  processed before the connection tracking subsystem.
* **Output Filter**: ``set firewall ipv6 output filter ...``. Rules defined
  in this section are processed after the connection tracking subsystem.

.. note:: **Important note about default-actions:**
   If a default action for a base chain is not defined, then the default
   action is set to **accept** for that chain. For custom chains, if the
   default action is not defined, then the default-action is set to **drop**.
   A router with no IPv6 firewall configured therefore accepts all IPv6
   traffic in every base chain; set an explicit default-action on each base
   chain you rely on.

Custom firewall chains can be created with commands
``set firewall ipv6 name <name> ...``. In order to use
such a custom chain, a rule with **action jump** and the appropriate **target**
must be defined in a base chain.

******************************
Firewall - IPv6 Rules
******************************

For firewall filtering, firewall rules need to be created. Each rule is
numbered, has an action to apply if the rule is matched, and can carry
multiple matching criteria. Packets are evaluated against the rules in
ascending order from 1 to 999999, so order is crucial. At the first match the
action of the rule is executed: ``accept``, ``drop`` and ``reject`` are
terminal, while ``continue`` goes on to the next rule.

Actions
=======

If a rule is defined, then an action must be defined for it. This tells the
firewall what to do if all of the criteria defined for that rule match.

The action can be:

   * ``accept``: accept the packet.

   * ``continue``: continue with the next rule.

   * ``drop``: drop the packet silently.

   * ``reject``: drop the packet and send an ICMPv6 error back to the sender.

   * ``jump``: jump to another custom chain.

   * ``return``: return from the current chain and continue at the next rule
     of the chain that jumped into it.

   * ``queue``: enqueue the packet to a userspace program (nfqueue), which
     then gives the verdict.

   * ``synproxy``: complete the TCP handshake on behalf of the destination
     (SYN proxy); only available in the forward and input chains.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> action
   [accept | continue | drop | jump | queue | reject | return | synproxy]
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> action
   [accept | continue | drop | jump | queue | reject | return | synproxy]
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> action
   [accept | continue | drop | jump | queue | reject | return]
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> action
   [accept | continue | drop | jump | queue | reject | return]

   This required setting defines the action of the current rule. If the action
   is set to jump, then a jump-target is also needed.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   jump-target <text>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   jump-target <text>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   jump-target <text>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   jump-target <text>

   To be used only when action is set to ``jump``. Use this command to specify
   the jump target, which must be an existing custom chain.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   queue <0-65535>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   queue <0-65535>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   queue <0-65535>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   queue <0-65535>

   To be used only when action is set to ``queue``. Use this command to specify
   the queue number to use. A queue range (``start-end``) is also supported.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   queue-options bypass
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   queue-options bypass
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   queue-options bypass
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   queue-options bypass

   To be used only when action is set to ``queue``. Use this command to let the
   packet pass through the firewall when no userspace program is bound to the
   queue. Without it, packets queued to an unbound queue are dropped.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   queue-options fanout
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   queue-options fanout
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   queue-options fanout
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   queue-options fanout

   To be used only when action is set to ``queue`` with a queue range. Use this
   command to distribute packets between the queues of the range.
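
The following is an added example, not configuration from the original page or
from the VyOS project, showing how the ``queue`` action and its options fit
together for an inline inspection engine. The interface name ``eth0``, the
queue numbers and the rule number are assumptions; the ``protocol``, ``state``
and ``inbound-interface`` matches it relies on are documented elsewhere in the
VyOS firewall reference.

```vyos
# Hand new inbound TCP connections arriving on the WAN interface (assumed
# eth0) to a userspace IDS/IPS bound to nfqueue, spread over queues 100-103
# so several worker processes can share the load.
set firewall ipv6 forward filter rule 50 action 'queue'
set firewall ipv6 forward filter rule 50 queue '100-103'
set firewall ipv6 forward filter rule 50 queue-options 'fanout'
set firewall ipv6 forward filter rule 50 protocol 'tcp'
set firewall ipv6 forward filter rule 50 state 'new'
set firewall ipv6 forward filter rule 50 inbound-interface name 'eth0'

# Fail-open: if the inspection engine is not running, matching packets are
# accepted instead of dropped. Omit this line for a fail-closed deployment,
# where an engine crash stops traffic rather than letting it through
# uninspected.
set firewall ipv6 forward filter rule 50 queue-options 'bypass'
```

Whether ``bypass`` belongs in the configuration is a policy decision: without
it, an unbound queue turns an IDS outage into an outage of the matched traffic;
with it, the same outage silently removes the inspection.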

Also, **default-action** is an action that takes place whenever a packet does
not match any rule in its chain. For base chains, possible options for
**default-action** are **accept** or **drop**.

.. cfgcmd:: set firewall ipv6 forward filter default-action
   [accept | drop]
.. cfgcmd:: set firewall ipv6 input filter default-action
   [accept | drop]
.. cfgcmd:: set firewall ipv6 output filter default-action
   [accept | drop]
.. cfgcmd:: set firewall ipv6 name <name> default-action
   [accept | drop | jump | queue | reject | return]

   This sets the default action of the rule-set if a packet does not match the
   criteria of any rule. If default-action is set to ``jump``, then
   ``default-jump-target`` is also needed. Note that for base chains, the
   default action can only be set to ``accept`` or ``drop``, while on custom
   chains, more actions are available.

.. cfgcmd:: set firewall ipv6 name <name> default-jump-target <text>

   To be used only when ``default-action`` is set to ``jump``. Use this
   command to specify the jump target for the default rule.

.. note:: **Important note about default-actions:**
   If the default action for any base chain is not defined, then the default
   action is set to **accept** for that chain. For custom chains, if a default
   action is not defined, then the default-action is set to **drop**.
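
As an added example (not taken from the original page or from the VyOS
project), the following ruleset puts the base chains from the overview, a
custom chain entered with ``jump`` and left with ``return``, and explicit
``default-action`` settings together into a baseline for a router with a WAN
interface ``eth0`` and a LAN interface ``eth1``. The interface names, the
management prefix ``2001:db8:1::/64`` and the chain name ``LAN-TO-WAN`` are
assumptions, and the ``state``, ``protocol``, ``inbound-interface`` and
``outbound-interface`` matches are documented in other parts of the VyOS
firewall reference rather than in this section.

```vyos
# Base chains default to accept when no default-action is set, so make the
# policy explicit before adding any rules.
set firewall ipv6 forward filter default-action 'drop'
set firewall ipv6 input filter default-action 'drop'
set firewall ipv6 output filter default-action 'accept'

# Transit traffic: allow replies of tracked connections, drop invalid
# conntrack state, and let ICMPv6 through. With a default drop, dropping
# ICMPv6 errors such as Packet Too Big breaks path MTU discovery.
set firewall ipv6 forward filter rule 10 action 'accept'
set firewall ipv6 forward filter rule 10 state 'established'
set firewall ipv6 forward filter rule 10 state 'related'
set firewall ipv6 forward filter rule 20 action 'drop'
set firewall ipv6 forward filter rule 20 state 'invalid'
set firewall ipv6 forward filter rule 30 action 'accept'
set firewall ipv6 forward filter rule 30 protocol 'ipv6-icmp'

# Hand LAN-originated traffic towards the WAN to a custom chain. Anything
# the custom chain returns falls through to the base chain's default drop.
set firewall ipv6 forward filter rule 100 action 'jump'
set firewall ipv6 forward filter rule 100 jump-target 'LAN-TO-WAN'
set firewall ipv6 forward filter rule 100 inbound-interface name 'eth1'
set firewall ipv6 forward filter rule 100 outbound-interface name 'eth0'

# Custom chain: list the permitted services and return to the caller for
# everything else (a custom chain without default-action would drop instead).
set firewall ipv6 name LAN-TO-WAN default-action 'return'
set firewall ipv6 name LAN-TO-WAN rule 10 action 'accept'
set firewall ipv6 name LAN-TO-WAN rule 10 protocol 'tcp'
set firewall ipv6 name LAN-TO-WAN rule 10 destination port '80,443'
set firewall ipv6 name LAN-TO-WAN rule 20 action 'accept'
set firewall ipv6 name LAN-TO-WAN rule 20 protocol 'udp'
set firewall ipv6 name LAN-TO-WAN rule 20 destination port '53,123'

# Traffic to the router itself: tracked replies, ICMPv6 (neighbour and router
# discovery are ICMPv6, so dropping it breaks address resolution), and SSH
# only from the management prefix on the LAN interface.
set firewall ipv6 input filter rule 10 action 'accept'
set firewall ipv6 input filter rule 10 state 'established'
set firewall ipv6 input filter rule 10 state 'related'
set firewall ipv6 input filter rule 20 action 'accept'
set firewall ipv6 input filter rule 20 protocol 'ipv6-icmp'
set firewall ipv6 input filter rule 30 action 'accept'
set firewall ipv6 input filter rule 30 protocol 'tcp'
set firewall ipv6 input filter rule 30 destination port '22'
set firewall ipv6 input filter rule 30 source address '2001:db8:1::/64'
set firewall ipv6 input filter rule 30 inbound-interface name 'eth1'
```

The custom chain's ``default-action return`` is what makes the base chain's
``default-action drop`` the final word for LAN traffic; had the custom chain
used ``default-action accept``, every unlisted service would have been
permitted without the base chain seeing it again.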

Firewall Logs
=============

Logging can be enabled for every single firewall rule. If enabled, other
log options can be defined.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> log
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> log
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log

   Enable logging for the matched packet. If this configuration command is not
   present, then logging is not enabled.

.. cfgcmd:: set firewall ipv6 forward filter default-log
.. cfgcmd:: set firewall ipv6 input filter default-log
.. cfgcmd:: set firewall ipv6 output filter default-log
.. cfgcmd:: set firewall ipv6 name <name> default-log

   Use this command to enable the logging of the default action on
   the specified chain.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   log-options level [emerg | alert | crit | err | warn | notice
   | info | debug]
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   log-options level [emerg | alert | crit | err | warn | notice
   | info | debug]
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   log-options level [emerg | alert | crit | err | warn | notice
   | info | debug]
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   log-options level [emerg | alert | crit | err | warn | notice
   | info | debug]

   Define the log level. Only applicable if rule log is enabled.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   log-options group <0-65535>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   log-options group <0-65535>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   log-options group <0-65535>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   log-options group <0-65535>

   Define the log group to send messages to. Only applicable if rule log is
   enabled. When a group is set, matched packets are delivered over netlink
   (nflog) to a userspace collector bound to that group instead of being
   written to the kernel log.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   log-options snapshot-length <0-9000>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   log-options snapshot-length <0-9000>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   log-options snapshot-length <0-9000>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   log-options snapshot-length <0-9000>

   Define the length of packet payload to include in a netlink message. Only
   applicable if rule log is enabled and a log group is defined.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   log-options queue-threshold <0-65535>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   log-options queue-threshold <0-65535>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   log-options queue-threshold <0-65535>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   log-options queue-threshold <0-65535>

   Define the number of packets to queue inside the kernel before sending them
   to userspace. Only applicable if rule log is enabled and a log group is
   defined.
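
The following is an added example, not configuration from the original page or
from the VyOS project, combining the logging commands above in three typical
ways: logging the default drop of a chain, logging a specific drop rule at its
own level, and streaming an audit trail of new connections to a userspace
collector over nflog without influencing the verdict. The rule numbers, the
interface ``eth0``, the nflog group number and the ``protocol``, ``state`` and
``inbound-interface`` matches are assumptions; those matches are documented in
other parts of the VyOS firewall reference.

```vyos
# Log whatever the input chain's default drop discards.
set firewall ipv6 input filter default-action 'drop'
set firewall ipv6 input filter default-log

# Log and drop SSH attempts arriving on the WAN interface (assumed eth0) at
# level 'warn', so they can be separated from routine default-drop noise.
set firewall ipv6 input filter rule 40 action 'drop'
set firewall ipv6 input filter rule 40 protocol 'tcp'
set firewall ipv6 input filter rule 40 destination port '22'
set firewall ipv6 input filter rule 40 inbound-interface name 'eth0'
set firewall ipv6 input filter rule 40 log
set firewall ipv6 input filter rule 40 log-options level 'warn'

# Audit trail: record every new transit connection to nflog group 7 and
# continue, so the rule logs without accepting or dropping anything. Keep
# 128 bytes of each packet and batch 20 packets per netlink message.
set firewall ipv6 forward filter rule 900 action 'continue'
set firewall ipv6 forward filter rule 900 state 'new'
set firewall ipv6 forward filter rule 900 log
set firewall ipv6 forward filter rule 900 log-options group '7'
set firewall ipv6 forward filter rule 900 log-options snapshot-length '128'
set firewall ipv6 forward filter rule 900 log-options queue-threshold '20'
```

Pairing ``action continue`` with ``log`` is the way to observe traffic without
changing the outcome of the chain. On an Internet-facing chain, ``default-log``
can generate a log line for every unsolicited packet, so size the log pipeline
for that volume or restrict logging to the rules of interest.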

Firewall Description
====================

For reference, a description can be defined for every single rule, and for
every defined custom chain.

.. cfgcmd:: set firewall ipv6 name <name> description <text>

   Provide a rule-set description for a custom firewall chain.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   description <text>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   description <text>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   description <text>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> description <text>

   Provide a description for each rule.

Rule Status
===========

When defining a rule, it is enabled by default. In some cases, it is useful to
just disable the rule, rather than removing it.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> disable
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> disable
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> disable
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> disable

   Disable a rule while keeping it in the configuration.

Matching criteria
=================

There are a lot of matching criteria against which the packet can be tested.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   connection-status nat [destination | source]
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   connection-status nat [destination | source]
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   connection-status nat [destination | source]
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   connection-status nat [destination | source]

   Match based on NAT connection status: ``destination`` matches packets of a
   connection that had destination NAT applied, ``source`` those of a
   connection that had source NAT applied.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   connection-mark <1-2147483647>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   connection-mark <1-2147483647>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   connection-mark <1-2147483647>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   connection-mark <1-2147483647>

   Match based on the connection mark carried by the conntrack entry.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source address [address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   source address [address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   source address [address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   source address [address | addressrange | CIDR]

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   destination address [address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   destination address [address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   destination address [address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination address [address | addressrange | CIDR]

   Match based on source and/or destination address. Prefix the address with
   ``!`` to match anything except the given address, range or prefix.

   .. code-block:: none

      set firewall ipv6 name FOO rule 100 source address 2001:db8::202

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source address-mask [address]
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   source address-mask [address]
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   source address-mask [address]
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   source address-mask [address]

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   destination address-mask [address]
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   destination address-mask [address]
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   destination address-mask [address]
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination address-mask [address]

   An arbitrary netmask can be applied to mask addresses to only match against
   a specific portion. This is particularly useful with IPv6 as rules will
   remain valid if the IPv6 prefix changes and the host portion of a system's
   IPv6 address is static (for example, with EUI-64 based SLAAC or
   `tokenised IPv6 addresses
   <https://datatracker.ietf.org
   /doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_).
   Hosts that use privacy extensions (RFC 4941) change their host portion
   regularly and will not match such a rule.

   This functions for both individual addresses and address groups.

   .. stop_vyoslinter
   .. code-block:: none

      # Match any IPv6 address with the suffix ::0000:0000:0000:beef
      set firewall ipv6 forward filter rule 100 destination address ::beef
      set firewall ipv6 forward filter rule 100 destination address-mask ::ffff:ffff:ffff:ffff
      # Address groups
      set firewall group ipv6-address-group WEBSERVERS address ::1000
      set firewall group ipv6-address-group WEBSERVERS address ::2000
      set firewall ipv6 forward filter rule 200 source group address-group WEBSERVERS
      set firewall ipv6 forward filter rule 200 source address-mask ::ffff:ffff:ffff:ffff

   .. start_vyoslinter

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source fqdn <fqdn>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   source fqdn <fqdn>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   source fqdn <fqdn>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   source fqdn <fqdn>
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   destination fqdn <fqdn>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   destination fqdn <fqdn>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   destination fqdn <fqdn>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination fqdn <fqdn>

   Specify a Fully Qualified Domain Name as source/destination to match. Ensure
   that the router is able to resolve this DNS name. The rule matches the
   addresses the router resolved for the name, re-resolved periodically, not
   the name itself, so it is only as trustworthy as the router's DNS
   resolution, and a name whose addresses change often may be matched
   incompletely between refreshes.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source geoip country-code <country>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   source geoip country-code <country>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   source geoip country-code <country>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   source geoip country-code <country>

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   destination geoip country-code <country>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   destination geoip country-code <country>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   destination geoip country-code <country>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination geoip country-code <country>

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source geoip inverse-match
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   source geoip inverse-match
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   source geoip inverse-match
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   source geoip inverse-match

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   destination geoip inverse-match
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   destination geoip inverse-match
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   destination geoip inverse-match
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination geoip inverse-match

   Match IP addresses based on their geolocation. More info: `geoip matching
   <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
   Use inverse-match to match anything except the given country-codes.

Data is provided by DB-IP.com under the CC-BY-4.0 license. Attribution is
required, and the license permits redistribution, so a database (about 3 MB
compressed) is included in the VyOS image. A cron script, which can also be
run manually with the op-mode command ``update geoip``, keeps the database
and the generated rules up to date.
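
The following is an added example, not configuration from the original page or
from the VyOS project, showing the two ways the geoip match is normally used
to restrict management access: an allow rule for a set of countries, and a drop
rule using ``inverse-match`` for everything outside that set. The rule
numbers, the country codes ``de`` and ``ch`` and the ``protocol`` match are
assumptions; ``protocol`` is documented elsewhere in the VyOS firewall
reference.

```vyos
# Accept SSH to the router only from addresses geolocated in Germany or
# Switzerland (assumed country codes). country-code is multi-valued.
set firewall ipv6 input filter rule 60 action 'accept'
set firewall ipv6 input filter rule 60 protocol 'tcp'
set firewall ipv6 input filter rule 60 destination port '22'
set firewall ipv6 input filter rule 60 source geoip country-code 'de'
set firewall ipv6 input filter rule 60 source geoip country-code 'ch'

# The complementary drop: with inverse-match the rule matches SSH from any
# country other than the listed ones. Redundant when the chain's
# default-action is drop, necessary when the default is accept.
set firewall ipv6 input filter rule 70 action 'drop'
set firewall ipv6 input filter rule 70 protocol 'tcp'
set firewall ipv6 input filter rule 70 destination port '22'
set firewall ipv6 input filter rule 70 source geoip country-code 'de'
set firewall ipv6 input filter rule 70 source geoip country-code 'ch'
set firewall ipv6 input filter rule 70 source geoip inverse-match
```

Geolocation is a coarse, database-driven mapping that an attacker can satisfy
by renting a host in an allowed country, so treat these rules as noise
reduction in front of authentication, not as a replacement for it. Keep the
database current with ``update geoip`` so newly allocated prefixes are
classified correctly.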

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source mac-address <mac-address>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   source mac-address <mac-address>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   source mac-address <mac-address>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   source mac-address <mac-address>

   Only a source mac-address can be matched; prefix it with ``!`` to match any
   other source MAC. The source MAC identifies the last layer-2 hop only: for
   traffic that arrived via another router it is that router's address, and a
   host on the local segment can set its own freely.

   .. code-block:: none

      set firewall ipv6 input filter rule 100 source mac-address 00:53:00:11:22:33
      set firewall ipv6 input filter rule 101 source mac-address !00:53:00:aa:12:34

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source port [1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   source port [1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   source port [1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   source port [1-65535 | portname | start-end]

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   destination port [1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   destination port [1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   destination port [1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination port [1-65535 | portname | start-end]

   A port can be set by number or name as defined in ``/etc/services``. A port
   match is only valid together with ``protocol tcp``, ``protocol udp`` or
   ``protocol tcp_udp`` in the same rule; a commit without one is rejected.

   .. code-block:: none

      set firewall ipv6 forward filter rule 10 source port '22'
      set firewall ipv6 forward filter rule 11 source port '!http'
      set firewall ipv6 forward filter rule 12 source port 'https'

   Multiple ports can be specified as a comma-separated list, and ranges as
   ``start-end``. The whole list can also be negated using ``!``. For example:

   .. code-block:: none

      set firewall ipv6 forward filter rule 10 source port '!22,https,3333-3338'

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source group address-group <name | !name>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   source group address-group <name | !name>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   source group address-group <name | !name>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   source group address-group <name | !name>

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   destination group address-group <name | !name>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   destination group address-group <name | !name>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   destination group address-group <name | !name>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination group address-group <name | !name>

   Match against a specific address-group. Prepending ``!`` to the group name
   inverts the match.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source group dynamic-address-group <name | !name>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   source group dynamic-address-group <name | !name>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   source group dynamic-address-group <name | !name>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   source group dynamic-address-group <name | !name>

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   destination group dynamic-address-group <name | !name>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   destination group dynamic-address-group <name | !name>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   destination group dynamic-address-group <name | !name>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination group dynamic-address-group <name | !name>

   Match against a specific dynamic-address-group. Prepending ``!`` to the
   group name inverts the match.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source group network-group <name | !name>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   source group network-group <name | !name>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   source group network-group <name | !name>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   source group network-group <name | !name>

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   destination group network-group <name | !name>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   destination group network-group <name | !name>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   destination group network-group <name | !name>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination group network-group <name | !name>

   Match against a specific network-group. Prepending ``!`` to the group name
   inverts the match.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source group port-group <name | !name>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   source group port-group <name | !name>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   source group port-group <name | !name>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   source group port-group <name | !name>

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   destination group port-group <name | !name>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   destination group port-group <name | !name>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   destination group port-group <name | !name>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination group port-group <name | !name>

   Match against a specific port-group. Prepending ``!`` to the group name
   inverts the match. As with a plain port match, the rule must also set
   ``protocol`` to ``tcp``, ``udp`` or ``tcp_udp``.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source group domain-group <name | !name>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   source group domain-group <name | !name>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   source group domain-group <name | !name>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   source group domain-group <name | !name>

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   destination group domain-group <name | !name>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
   destination group domain-group <name | !name>
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
   destination group domain-group <name | !name>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination group domain-group <name | !name>

   Match against a specific domain-group. Prepending ``!`` to the group name
   inverts the match. Like the fqdn match, a domain-group is resolved by the
   router into addresses and refreshed periodically.
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   source group mac-group <name | !name>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   source group mac-group <name | !name>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   source group mac-group <name | !name>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   source group mac-group <name | !name>
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   destination group mac-group <name | !name>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   destination group mac-group <name | !name>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   destination group mac-group <name | !name>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   destination group mac-group <name | !name>
 | 
						|
 | 
						|
   Use a specific mac-group. Prepending the character ``!`` to invert the
 | 
						|
   criteria to match is also supported.
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   dscp [0-63 | start-end]
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   dscp [0-63 | start-end]
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   dscp [0-63 | start-end]
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   dscp [0-63 | start-end]
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   dscp-exclude [0-63 | start-end]
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   dscp-exclude [0-63 | start-end]
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   dscp-exclude [0-63 | start-end]
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   dscp-exclude [0-63 | start-end]
 | 
						|
 | 
						|
   Match based on dscp value.
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   fragment [match-frag | match-non-frag]
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   fragment [match-frag | match-non-frag]
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   fragment [match-frag | match-non-frag]
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   fragment [match-frag | match-non-frag]
 | 
						|
 | 
						|
   Match based on fragmentation.
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   icmpv6 [code | type] <0-255>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   icmpv6 [code | type] <0-255>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   icmpv6 [code | type] <0-255>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   icmpv6 [code | type] <0-255>
 | 
						|
 | 
						|
   Match based on icmp|icmpv6 code and type.
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   icmpv6 type-name <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   icmpv6 type-name <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   icmpv6 type-name <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   icmpv6 type-name <text>
 | 
						|
 | 
						|
   Match based on icmpv6 type-name. Use tab for information
 | 
						|
   about what **type-name** criteria are supported.
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   inbound-interface name <iface>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   inbound-interface name <iface>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   inbound-interface name <iface>
 | 
						|
 | 
						|
   Match based on inbound interface. Wildcard ``*`` can be used.
 | 
						|
   For example: ``eth2*``. Prepending the character ``!`` to invert the
 | 
						|
   criteria to match is also supported. For example ``!eth2``
 | 
						|
 | 
						|
.. note:: If an interface is attached to a non-default vrf, when using
 | 
						|
   **inbound-interface**, the vrf name must be used. For example ``set firewall
 | 
						|
   ipv6 forward filter rule 10 inbound-interface name MGMT``
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   inbound-interface group <iface_group>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   inbound-interface group <iface_group>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   inbound-interface group <iface_group>
 | 
						|
 | 
						|
   Match based on the inbound interface group. Prepending the character ``!`` 
 | 
						|
   to invert the criteria to match is also supported. For example ``!IFACE_GROUP``
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   outbound-interface name <iface>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   outbound-interface name <iface>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   outbound-interface name <iface>
 | 
						|
 | 
						|
   Match based on outbound interface. Wildcard ``*`` can be used.
 | 
						|
   For example: ``eth2*``. Prepending the character ``!`` to invert the
 | 
						|
   criteria to match is also supported. For example ``!eth2``
 | 
						|
 | 
						|
.. note:: If an interface is attached to a non-default vrf, when using
 | 
						|
   **outbound-interface**, the real interface name must be used. For example
 | 
						|
   ``set firewall ipv6 forward filter rule 10 outbound-interface name eth0``
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   outbound-interface group <iface_group>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   outbound-interface group <iface_group>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   outbound-interface group <iface_group>
 | 
						|
 | 
						|
   Match based on outbound interface group. Prepending the character ``!`` to
 | 
						|
   invert the criteria to match is also supported. For example ``!IFACE_GROUP``
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out]
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   ipsec [match-ipsec-in | match-none-in]
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   ipsec [match-ipsec-out | match-none-out]
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out]
 | 
						|
 | 
						|
   Match based on ipsec.
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   limit burst <0-4294967295>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   limit burst <0-4294967295>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   limit burst <0-4294967295>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   limit burst <0-4294967295>
 | 
						|
 | 
						|
   Match based on the maximum number of packets to allow in excess of rate.
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   limit rate <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   limit rate <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   limit rate <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   limit rate <text>
 | 
						|
 | 
						|
   Match based on the maximum average rate, specified as **integer/unit**.
 | 
						|
   For example **5/minutes**
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   packet-length <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   packet-length <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   packet-length <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   packet-length <text>
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   packet-length-exclude <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   packet-length-exclude <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   packet-length-exclude <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   packet-length-exclude <text>
 | 
						|
 | 
						|
   Match based on the packet length. Multiple values from 1 to 65535
 | 
						|
   and ranges are supported.
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   packet-type [broadcast | host | multicast | other]
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   packet-type [broadcast | host | multicast | other]
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   packet-type [broadcast | host | multicast | other]
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   packet-type [broadcast | host | multicast | other]
 | 
						|
 | 
						|
   Match based on the packet type.
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   protocol [<text> | <0-255> | all | tcp_udp]
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   protocol [<text> | <0-255> | all | tcp_udp]
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   protocol [<text> | <0-255> | all | tcp_udp]
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   protocol [<text> | <0-255> | all | tcp_udp]
 | 
						|
 | 
						|
   Match based on protocol number or name as defined in ``/etc/protocols``.
 | 
						|
   Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
 | 
						|
   based packets. The ``!`` negates the selected protocol.
 | 
						|
 | 
						|
   .. code-block:: none
 | 
						|
 | 
						|
      set firewall ipv6 input filter rule 10 protocol tcp
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   recent count <1-255>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   recent count <1-255>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   recent count <1-255>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   recent count <1-255>
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   recent time [second | minute | hour]
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   recent time [second | minute | hour]
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   recent time [second | minute | hour]
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   recent time [second | minute | hour]
 | 
						|
 | 
						|
   Match bases on recently seen sources.
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   tcp flags [not] <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   tcp flags [not] <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   tcp flags [not] <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   tcp flags [not] <text>
 | 
						|
 | 
						|
   Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``,
 | 
						|
   ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for
 | 
						|
   inverted selection use ``not``, as shown in the example.
 | 
						|
 | 
						|
   .. code-block:: none
 | 
						|
 | 
						|
      set firewall ipv6 input filter rule 10 tcp flags 'ack'
 | 
						|
      set firewall ipv6 input filter rule 12 tcp flags 'syn'
 | 
						|
      set firewall ipv6 input filter rule 13 tcp flags not 'fin'
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   state [established | invalid | new | related]
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   state [established | invalid | new | related]
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   state [established | invalid | new | related]
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   state [established | invalid | new | related]
 | 
						|
 | 
						|
   Match against the state of a packet.
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   time startdate <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   time startdate <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   time startdate <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   time startdate <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   time starttime <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   time starttime <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   time starttime <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   time starttime <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   time stopdate <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   time stopdate <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   time stopdate <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   time stopdate <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   time stoptime <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   time stoptime <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   time stoptime <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   time stoptime <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   time weekdays <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   time weekdays <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   time weekdays <text>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   time weekdays <text>
 | 
						|
 | 
						|
   Time to match the defined rule.
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   hop-limit <eq | gt | lt> <0-255>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   hop-limit <eq | gt | lt> <0-255>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   hop-limit <eq | gt | lt> <0-255>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   hop-limit <eq | gt | lt> <0-255>
 | 
						|
 | 
						|
   Match the hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
 | 
						|
   'greater than', and 'lt' stands for 'less than'.
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   recent count <1-255>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   recent count <1-255>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   recent count <1-255>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   recent count <1-255>
 | 
						|
 | 
						|
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
 | 
						|
   recent time <second | minute | hour>
 | 
						|
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
 | 
						|
   recent time <second | minute | hour>
 | 
						|
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
 | 
						|
   recent time <second | minute | hour>
 | 
						|
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
 | 
						|
   recent time <second | minute | hour>
 | 
						|
 | 
						|
   Match when 'count' amount of connections are seen within 'time'. These
 | 
						|
   matching criteria can be used to block brute-force attempts.
 | 
						|
 | 
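How ``limit`` and ``recent`` differ in practice, shown as an added Python
model that is not VyOS code: ``limit rate``/``limit burst`` behave like a
token bucket shared by every packet the rule sees, while ``recent count``/
``recent time`` keep a per-source window and match once ``count`` packets from
one source fall inside it. The class names, the ``UNIT_SECONDS`` table and the
sample events (addresses from the ``2001:db8::/32`` documentation prefix) are
constructed for this example; the bucket and the window follow the
descriptions above, not the kernel implementation.

```python
"""Model of the ``limit`` and ``recent`` match criteria (added illustration,
not VyOS code): a token bucket for ``limit rate``/``limit burst`` and a
per-source sliding window for ``recent count``/``recent time``, evaluated on
constructed timestamps so the two behaviours can be compared side by side."""
from collections import defaultdict, deque

# Seconds per unit, for ``recent time`` and for the unit part of ``limit rate``.
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}


class LimitMatch:
    """``limit rate <n>/<unit>`` with ``limit burst <b>``, as a token bucket.

    Tokens refill at ``rate``; at most ``burst`` tokens accumulate.  A packet
    matches while a token is available, so the rule matches the first
    ``burst`` packets of a surge and afterwards only ``rate`` packets per unit,
    regardless of which source sent them.
    """

    def __init__(self, rate: str, burst: int) -> None:
        count, unit = rate.split("/")
        # "5/minutes" and "5/minute" are both accepted by the doc's examples.
        self.per_second = int(count) / UNIT_SECONDS[unit.rstrip("s")]
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def matches(self, now: float) -> bool:
        elapsed = now - self.last
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.per_second)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RecentMatch:
    """``recent count <n> time <unit>``, as a per-source sliding window.

    Matches on the packet that brings a source to ``count`` hits within one
    ``time`` unit and on every further packet while the window still holds
    ``count`` hits; older hits fall out of the window, so a source that backs
    off stops matching.
    """

    def __init__(self, count: int, time: str) -> None:
        self.count = count
        self.window = UNIT_SECONDS[time]
        self.hits = defaultdict(deque)   # source address -> timestamps in window

    def matches(self, source: str, now: float) -> bool:
        q = self.hits[source]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q) >= self.count


# Constructed sample: a burst of connections from one source, one packet from
# a second source, then a late packet from the first source.
SAMPLE_EVENTS = [
    (0.0, "2001:db8::10"), (1.0, "2001:db8::10"), (2.0, "2001:db8::10"),
    (3.0, "2001:db8::10"), (4.0, "2001:db8::20"), (70.0, "2001:db8::10"),
]


def evaluate(events):
    """Run (time, source) events through ``limit rate 5/minute burst 2`` and
    ``recent count 4 time minute``; return (time, source, limit_hit, recent_hit)."""
    limit = LimitMatch("5/minute", burst=2)
    recent = RecentMatch(count=4, time="minute")
    return [(t, src, limit.matches(t), recent.matches(src, t)) for t, src in events]


if __name__ == "__main__":
    for t, src, lim, rec in evaluate(SAMPLE_EVENTS):
        print(f"t={t:5.1f} {src:14} limit={lim!s:5} recent={rec}")
```

On the sample, ``limit`` matches the first two packets of the burst and then
refuses until tokens refill, no matter who sent them, while ``recent`` stays
quiet until the fourth packet from ``2001:db8::10`` within a minute; the hit
at 70 seconds no longer matches because the earlier hits have left the window.
A ``drop`` rule built on ``recent`` therefore only affects the source that is
hammering, which is what the brute-force note above relies on.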

Packet Modifications
====================

Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify
packets before they are sent out. This feature provides more flexibility in
packet handling.

.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999>
   set dscp <0-63>

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   set dscp <0-63>

.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999>
   set dscp <0-63>

   Set a specific value of Differentiated Services Codepoint (DSCP).

.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999>
   set mark <1-2147483647>

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   set mark <1-2147483647>

.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999>
   set mark <1-2147483647>

   Set a specific packet mark value.

.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999>
   set tcp-mss <500-1460>

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   set tcp-mss <500-1460>

.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999>
   set tcp-mss <500-1460>

   Set the TCP-MSS (TCP maximum segment size) for the connection.

.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999>
   set hop-limit <0-255>

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   set hop-limit <0-255>

.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999>
   set hop-limit <0-255>

   Set the hop limit value.

.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   set connection-mark <0-2147483647>

.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999>
   set connection-mark <0-2147483647>

   Set the connection mark value.


********
Synproxy
********

Synproxy connections: the firewall completes the TCP handshake on behalf of
the protected host and only passes on connections that finish it.

.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999>
   action synproxy

.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999>
   protocol tcp

.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999>
   synproxy tcp mss <501-65535>

   Set the TCP-MSS (maximum segment size) for the connection.

.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999>
   synproxy tcp window-scale <1-14>

   Set the window scale factor for TCP window scaling.

Example synproxy
================

Requirements to enable synproxy:

  * Traffic must be symmetric
  * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled
  * Disable conntrack loose track option

.. code-block:: none

  set system sysctl parameter net.ipv4.tcp_timestamps value '1'

  set system conntrack tcp loose disable
  set system conntrack ignore ipv6 rule 10 destination port '8080'
  set system conntrack ignore ipv6 rule 10 protocol 'tcp'
  set system conntrack ignore ipv6 rule 10 tcp flags syn

  set firewall global-options syn-cookies 'enable'
  set firewall ipv6 input filter rule 10 action 'synproxy'
  set firewall ipv6 input filter rule 10 destination port '8080'
  set firewall ipv6 input filter rule 10 inbound-interface name 'eth1'
  set firewall ipv6 input filter rule 10 protocol 'tcp'
  set firewall ipv6 input filter rule 10 synproxy tcp mss '1460'
  set firewall ipv6 input filter rule 10 synproxy tcp window-scale '7'
  set firewall ipv6 input filter rule 1000 action 'drop'
  set firewall ipv6 input filter rule 1000 state invalid

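Why the rule needs ``synproxy tcp mss`` and ``synproxy tcp window-scale``,
shown as an added Python model that is neither VyOS nor kernel code: the proxy
replies to the client's SYN before the server has seen anything, so it has to
advertise an MSS and window scale of its own, and it keeps no state for the
SYN, instead encoding what it needs into a syncookie that the final ACK must
return. The ``SynProxy`` and ``Segment`` names, the four-entry MSS table, the
HMAC-based cookie, the fixed secret and the addresses are constructed for this
example and simplified compared with the kernel's syncookie format.

```python
"""Model of the synproxy three-way handshake on constructed segments (added
illustration, not VyOS or kernel code).  The proxy answers a SYN with a
SYN-ACK whose sequence number is a syncookie, stores nothing, and only opens
the server side once an ACK returns a cookie that verifies."""
import hashlib
import hmac
from dataclasses import dataclass

TICK_SECONDS = 60                     # how long one cookie time-counter value stays valid
MSS_TABLE = (536, 1220, 1440, 1460)   # simplified: the cookie's low 2 bits index this table
SECRET = b"constructed-secret-for-the-example"   # constructed; a real proxy draws a random key


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str        # "SYN", "SYN-ACK" or "ACK"
    seq: int
    ack: int = 0
    mss: int = 0      # option advertised in SYN / SYN-ACK
    wscale: int = 0   # window-scale option advertised in SYN / SYN-ACK


class SynProxy:
    """Answers SYNs on behalf of the server; per-SYN state is never allocated."""

    def __init__(self, mss: int, window_scale: int) -> None:
        # Largest table entry not exceeding the configured ``synproxy tcp mss``.
        self.mss_index = max(i for i, m in enumerate(MSS_TABLE) if m <= mss)
        self.window_scale = window_scale
        self.established = []   # 4-tuples (plus MSS) handed on to the server side

    def _cookie(self, src, sport, dst, dport, counter, mss_index) -> int:
        """Keyed hash over the 4-tuple and time counter, MSS index in the low bits."""
        msg = f"{src}|{sport}|{dst}|{dport}|{counter}".encode()
        digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
        return (int.from_bytes(digest[:4], "big") & 0xFFFFFFFC) | mss_index

    def on_syn(self, seg: Segment, now: float) -> Segment:
        """SYN-ACK with the cookie as sequence number and the configured options."""
        counter = int(now // TICK_SECONDS)
        cookie = self._cookie(seg.src, seg.sport, seg.dst, seg.dport, counter, self.mss_index)
        return Segment(seg.dst, seg.dport, seg.src, seg.sport, "SYN-ACK",
                       seq=cookie, ack=(seg.seq + 1) & 0xFFFFFFFF,
                       mss=MSS_TABLE[self.mss_index], wscale=self.window_scale)

    def on_ack(self, seg: Segment, now: float) -> bool:
        """Validate the final ACK against the current and previous tick."""
        counter = int(now // TICK_SECONDS)
        expect = (seg.ack - 1) & 0xFFFFFFFF
        idx = expect & 0b11
        for c in (counter, counter - 1):
            if self._cookie(seg.src, seg.sport, seg.dst, seg.dport, c, idx) == expect:
                self.established.append((seg.src, seg.sport, seg.dst, seg.dport, MSS_TABLE[idx]))
                return True
        return False


def run_handshake(client_seq: int = 1000, now: float = 120.0, bogus_ack: bool = False):
    """Walk one constructed client through SYN, SYN-ACK and ACK.

    Returns (synack, accepted, established).  With ``bogus_ack`` the final ACK
    does not carry the cookie from the SYN-ACK, so the proxy must reject it."""
    proxy = SynProxy(mss=1460, window_scale=7)
    syn = Segment("2001:db8::100", 40000, "2001:db8::1", 8080, "SYN", seq=client_seq)
    synack = proxy.on_syn(syn, now)
    ack_num = (synack.seq + 1) & 0xFFFFFFFF
    if bogus_ack:
        ack_num ^= 0x1000
    ack = Segment(syn.src, syn.sport, syn.dst, syn.dport, "ACK", seq=client_seq + 1, ack=ack_num)
    accepted = proxy.on_ack(ack, now + 0.5)
    return synack, accepted, proxy.established


if __name__ == "__main__":
    synack, ok, est = run_handshake()
    print(f"SYN-ACK advertises mss={synack.mss} wscale={synack.wscale}; accepted={ok}; {est}")
```

``run_handshake()`` walks one client through the exchange: the proxy records
the connection (on a real system it would only now start the handshake towards
the server) after the ACK's acknowledgement number verifies against the
cookie; an ACK that does not verify is dropped without any state ever having
been allocated, which is what keeps synproxy cheap during a SYN flood. Because
the cookie is recomputed from the segment's own addresses and ports, both
directions of the flow must pass the same firewall, hence the symmetric-traffic
requirement listed above.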
***********************
Operation-mode Firewall
***********************

Rule-set overview
=================

.. opcmd:: show firewall

   This will show you a basic firewall overview, for all rule-sets, and not
   only for ipv6.

   .. code-block:: none

      vyos@vyos:~$ show firewall
      Rulesets Information

      ---------------------------------
      IPv4 Firewall "forward filter"

      Rule     Action    Protocol      Packets    Bytes  Conditions
      -------  --------  ----------  ---------  -------  -----------------------------------------
      5        jump      all                 0        0  iifname "eth1"  jump NAME_VyOS_MANAGEMENT
      10       jump      all                 0        0  oifname "eth1"  jump NAME_WAN_IN
      15       jump      all                 0        0  iifname "eth3"  jump NAME_WAN_IN
      default  accept    all

      ---------------------------------
      IPv4 Firewall "name VyOS_MANAGEMENT"

      Rule     Action    Protocol      Packets    Bytes  Conditions
      -------  --------  ----------  ---------  -------  --------------------------------
      5        accept    all                 0        0  ct state established  accept
      10       drop      all                 0        0  ct state invalid
      20       accept    all                 0        0  ip saddr @A_GOOD_GUYS  accept
      30       accept    all                 0        0  ip saddr @N_ENTIRE_RANGE  accept
      40       accept    all                 0        0  ip saddr @A_VyOS_SERVERS  accept
      50       accept    icmp                0        0  meta l4proto icmp  accept
      default  drop      all                 0        0

      ---------------------------------
      IPv6 Firewall "forward filter"

      Rule     Action    Protocol
      -------  --------  ----------
      5        jump      all
      10       jump      all
      15       jump      all
      default  accept    all

      ---------------------------------
      IPv6 Firewall "input filter"

      Rule     Action    Protocol
      -------  --------  ----------
      5        jump      all
      default  accept    all

      ---------------------------------
      IPv6 Firewall "ipv6_name IPV6-VyOS_MANAGEMENT"

      Rule     Action    Protocol
      -------  --------  ----------
      5        accept    all
      10       drop      all
      20       accept    all
      30       accept    all
      40       accept    all
      50       accept    ipv6-icmp
      default  drop      all

.. opcmd:: show firewall summary

   This will show you a summary of rule-sets and groups.

   .. code-block:: none

      vyos@vyos:~$ show firewall summary
      Ruleset Summary

      IPv6 Ruleset:

      Ruleset Hook    Ruleset Priority      Description
      --------------  --------------------  -------------------------
      forward         filter
      input           filter
      ipv6_name       IPV6-VyOS_MANAGEMENT
      ipv6_name       IPV6-WAN_IN           PUBLIC_INTERNET

      IPv4 Ruleset:

      Ruleset Hook    Ruleset Priority    Description
      --------------  ------------------  -------------------------
      forward         filter
      input           filter
      name            VyOS_MANAGEMENT
      name            WAN_IN              PUBLIC_INTERNET

      Firewall Groups

      Name                     Type                References               Members
      -----------------------  ------------------  -----------------------  ----------------
      PBX                      address_group       WAN_IN-100               198.51.100.77
      SERVERS                  address_group       WAN_IN-110               192.0.2.10
                                                   WAN_IN-111               192.0.2.11
                                                   WAN_IN-112               192.0.2.12
                                                   WAN_IN-120
                                                   WAN_IN-121
                                                   WAN_IN-122
      SUPPORT                  address_group       VyOS_MANAGEMENT-20       192.168.1.2
                                                   WAN_IN-20
      PHONE_VPN_SERVERS        address_group       WAN_IN-160               10.6.32.2
      PINGABLE_ADRESSES        address_group       WAN_IN-170               192.168.5.2
                                                   WAN_IN-171
      PBX                      ipv6_address_group  IPV6-WAN_IN-100          2001:db8::1
      SERVERS                  ipv6_address_group  IPV6-WAN_IN-110          2001:db8::2
                                                   IPV6-WAN_IN-111          2001:db8::3
                                                   IPV6-WAN_IN-112          2001:db8::4
                                                   IPV6-WAN_IN-120
                                                   IPV6-WAN_IN-121
                                                   IPV6-WAN_IN-122
      SUPPORT                  ipv6_address_group  IPV6-VyOS_MANAGEMENT-20  2001:db8::5
                                                   IPV6-WAN_IN-20

.. opcmd:: show firewall ipv6 [forward | input | output] filter

.. opcmd:: show firewall ipv6 ipv6-name <name>

   This command will give an overview of a single rule-set.

   .. code-block:: none

      vyos@vyos:~$ show firewall ipv6 input filter
      Ruleset Information

      ---------------------------------
      ipv6 Firewall "input filter"

      Rule     Action    Protocol      Packets    Bytes  Conditions
      -------  --------  ----------  ---------  -------  ------------------------------------------------------------------------------
      10       jump      all                13     1456  iifname "eth1"  jump NAME6_INP-ETH1
      20       accept    ipv6-icmp          10     1112  meta l4proto ipv6-icmp iifname "eth0"  prefix "[ipv6-INP-filter-20-A]"  accept
      default  accept    all                14     1584

      vyos@vyos:~$

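A parser for the table format printed by ``show firewall ipv6 ... filter``,
added here as an example that is not part of VyOS: it takes the column
boundaries from the dashed separator line, so rule-sets printed with or
without the ``Packets``/``Bytes`` counters are both handled, and turns every
row into a record. ``SAMPLE_OUTPUT`` is a copy of the output shown above; the
``Rule``/``Ruleset`` classes, ``default_policies`` and ``unused_rules`` are
this example's own names.

```python
"""Parser for the ``show firewall ipv6 ... filter`` op-mode table (added
example, not VyOS code).  Column offsets come from the dashed separator line,
so tables with and without counters parse the same way; the result lets a
script check default policies and never-matched rules."""
import re
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    rule: str
    action: str
    protocol: str
    packets: Optional[int]      # None when the ruleset is shown without counters
    bytes: Optional[int]
    conditions: str


@dataclass
class Ruleset:
    name: str
    rules: list = field(default_factory=list)


# Constructed copy of the op-mode output shown above.
SAMPLE_OUTPUT = """\
vyos@vyos:~$ show firewall ipv6 input filter
Ruleset Information

---------------------------------
ipv6 Firewall "input filter"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ------------------------------------------------------------------------------
10       jump      all                13     1456  iifname "eth1"  jump NAME6_INP-ETH1
20       accept    ipv6-icmp          10     1112  meta l4proto ipv6-icmp iifname "eth0"  prefix "[ipv6-INP-filter-20-A]"  accept
default  accept    all                14     1584

vyos@vyos:~$
"""

NAME_RE = re.compile(r'^(?:ipv6|IPv6|IPv4) Firewall "(.+)"$')
SEPARATOR_RE = re.compile(r"^-+(\s+-+)+\s*$")   # at least two dash runs = column separator


def _to_int(value: str) -> Optional[int]:
    return int(value) if value else None


def parse_rulesets(text: str) -> list:
    """Return one Ruleset per 'Firewall "..."' block found in the output."""
    rulesets, current, header, spans = [], None, "", None
    for line in text.splitlines():
        m = NAME_RE.match(line.strip())
        if m:
            current = Ruleset(m.group(1))
            rulesets.append(current)
            spans = None                      # a new table header follows
            continue
        if current is None or not line.strip():
            continue
        if line.startswith("Rule "):          # the column header line
            header = line
            continue
        if SEPARATOR_RE.match(line):
            spans = [(s.start(), s.end()) for s in re.finditer(r"-+", line)]
            continue
        if spans is None or line.startswith("-") or line.startswith("vyos@"):
            continue
        cells = {}
        for i, (start, end) in enumerate(spans):
            name = header[start:end].strip()
            # The last column (Conditions) runs to the end of the line.
            piece = line[start:] if i == len(spans) - 1 else line[start:end]
            cells[name] = piece.strip()
        current.rules.append(Rule(
            rule=cells.get("Rule", ""),
            action=cells.get("Action", ""),
            protocol=cells.get("Protocol", ""),
            packets=_to_int(cells.get("Packets", "")),
            bytes=_to_int(cells.get("Bytes", "")),
            conditions=cells.get("Conditions", ""),
        ))
    return rulesets


def default_policies(rulesets) -> dict:
    """Ruleset name -> action of its default rule."""
    return {rs.name: r.action for rs in rulesets for r in rs.rules if r.rule == "default"}


def unused_rules(rulesets) -> list:
    """(ruleset, rule) pairs whose packet counter is zero: dead or shadowed rules."""
    return [(rs.name, r.rule) for rs in rulesets for r in rs.rules
            if r.rule != "default" and r.packets == 0]


if __name__ == "__main__":
    parsed = parse_rulesets(SAMPLE_OUTPUT)
    for rs in parsed:
        for r in rs.rules:
            print(rs.name, r.rule, r.action, r.protocol, r.packets, r.bytes, r.conditions)
    print("default policies:", default_policies(parsed))
    print("unused rules:", unused_rules(parsed))
```

``default_policies`` and ``unused_rules`` are the two checks an operator most
often wants from this output: whether a hook still ends in ``accept``, and
which rules have not matched since the counters were last reset (dead rules,
or rules shadowed by an earlier one). The parser works on the text alone, so
output saved from another session can be checked the same way.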
.. opcmd:: show firewall ipv6 [forward | input | output]
   filter rule <1-999999>

.. opcmd:: show firewall ipv6 name <name> rule <1-999999>

.. opcmd:: show firewall ipv6 ipv6-name <name> rule <1-999999>

   This command will give an overview of a rule in a single rule-set.

.. opcmd:: show firewall group <name>

   Overview of defined groups. You see the type, the members, and where the
   group is used.

   .. code-block:: none

      vyos@vyos:~$ show firewall group LAN
      Firewall Groups

      Name          Type                References               Members
      ------------  ------------------  -----------------------  ----------------
      LAN           ipv6_network_group  IPV6-VyOS_MANAGEMENT-30  2001:db8::0/64
                                        IPV6-WAN_IN-30
      LAN           network_group       VyOS_MANAGEMENT-30       192.168.200.0/24
                                        WAN_IN-30

.. opcmd:: show firewall statistics

   This will show you statistics of all rule-sets since the last boot.

Show Firewall log
=================

.. opcmd:: show log firewall
.. opcmd:: show log firewall ipv6
.. opcmd:: show log firewall ipv6 [forward | input | output | name]
.. opcmd:: show log firewall ipv6 [forward | input | output] filter
.. opcmd:: show log firewall ipv6 name <name>
.. opcmd:: show log firewall ipv6 [forward | input | output] filter rule <rule>
.. opcmd:: show log firewall ipv6 name <name> rule <rule>

   Show the logs of all firewall; show all ipv6 firewall logs; show all logs
   for particular hook; show all logs for particular hook and priority;
 | 
						|
   show all logs for particular custom chain; show logs for specific Rule-Set.
 | 
						|
 | 
						|
Example Partial Config
 | 
						|
======================
 | 
						|
 | 
						|
.. code-block:: none
 | 
						|
 | 
						|
      firewall {
 | 
						|
          ipv6 {
 | 
						|
              input {
 | 
						|
                  filter {
 | 
						|
                      rule 10 {
 | 
						|
                          action jump
 | 
						|
                          inbound-interface {
 | 
						|
                              name eth1
 | 
						|
                          }
 | 
						|
                          jump-target INP-ETH1
 | 
						|
                      }
 | 
						|
                      rule 20 {
 | 
						|
                          action accept
 | 
						|
                          inbound-interface {
 | 
						|
                              name eth0
 | 
						|
                          }
 | 
						|
                          log
 | 
						|
                          protocol ipv6-icmp
 | 
						|
                      }
 | 
						|
                  }
 | 
						|
              }
 | 
						|
              name INP-ETH1 {
 | 
						|
                  default-action drop
 | 
						|
                  default-log
 | 
						|
                  rule 10 {
 | 
						|
                      action accept
 | 
						|
                      protocol tcp_udp
 | 
						|
                  }
 | 
						|
              }
 | 
						|
          }
 | 
						|
      }
 | 
						|
 | 
						|
 | 
						|
Update geoip database
 | 
						|
=====================
 | 
						|
 | 
						|
.. opcmd:: update geoip
 | 
						|
 | 
						|
   Command used to update GeoIP database and firewall sets.
 |