summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorrebortg <github@ghlr.de>2023-08-27 21:04:56 +0200
committerrebortg <github@ghlr.de>2023-08-27 21:04:56 +0200
commit355b459f22544c97bd0332ff06dee1d39a05ac07 (patch)
tree54b261d0577c48a53695d6cf8392cb130ed2ae0a
parentabd23045bc3bc06fcd6475e3e616056c1870ab0c (diff)
parent02aafc3df3abebb58832c62ded26c495363ebb3a (diff)
downloadvyos-documentation-355b459f22544c97bd0332ff06dee1d39a05ac07.tar.gz
vyos-documentation-355b459f22544c97bd0332ff06dee1d39a05ac07.zip
Merge branch 'master' of github.com:vyos/vyos-documentation into localazy-3
-rw-r--r--README.md15
-rw-r--r--docs/_include/interface-ipv6.txt32
-rw-r--r--docs/_include/interface-per-client-thread.txt14
m---------docs/_include/vyos-1x0
-rw-r--r--docs/changelog/1.3.rst32
-rw-r--r--docs/changelog/1.4.rst142
-rw-r--r--docs/configuration/firewall/general-legacy.rst1051
-rw-r--r--docs/configuration/firewall/general.rst1627
-rw-r--r--docs/configuration/firewall/index.rst14
-rw-r--r--docs/configuration/firewall/zone.rst4
-rw-r--r--docs/configuration/interfaces/macsec.rst49
-rw-r--r--docs/configuration/interfaces/wireguard.rst4
-rw-r--r--docs/configuration/interfaces/wireless.rst13
-rw-r--r--docs/configuration/nat/nat44.rst60
-rw-r--r--docs/configuration/service/dns.rst6
-rw-r--r--docs/configuration/vrf/index.rst15
-rw-r--r--docs/installation/virtual/docker.rst7
17 files changed, 2482 insertions, 603 deletions
diff --git a/README.md b/README.md
index 84dfed54..63fafbe1 100644
--- a/README.md
+++ b/README.md
@@ -1,7 +1,6 @@
-Starting with VyOS 1.2 (`crux`) our documentation is being migrated from the old wiki
-to ReadTheDocs. Documentation can be accessed via the following URL: https://docs.vyos.io
+Starting with VyOS 1.2 (`crux`) our documentation is hosted on ReadTheDocs at https://docs.vyos.io
-Our old WiKi can still be accessed from the
+Our old wiki with documentation from the VyOS 1.1.x and early 1.2.0 era can still be accessed via the
[Wayback Machine](https://web.archive.org/web/20200225171529/https://wiki.vyos.net/wiki/Main_Page)
# Build
@@ -28,7 +27,7 @@ largest. There are 88 of them, here's the
* 1.4.x: `sagitta` (Arrow)
* ...
-### sphinx
+### Sphinx
Debian requires some extra steps for
installing `sphinx`, `sphinx-autobuild` and `sphinx-rtd-theme` packages:
@@ -100,18 +99,16 @@ $ docker run --rm -it -p 8000:8000 -v "$(pwd)":/vyos -w /vyos/docs -e \
### Test the docs
-Discuss in this Phabricator task: [T1731](https://vyos.dev/T1731)
-
-To test all files run:
+To test all files, run:
```bash
$ docker run --rm -it -v "$(pwd)":/vyos -w /vyos/docs \
-e GOSU_UID=$(id -u) -e GOSU_GID=$(id -g) vyos/vyos-documentation vale .
```
-to test a specific file (e.g. `clustering.rst`)
+to test a specific file (e.g. `quick-start.rst`)
```bash
$ docker run --rm -it -v "$(pwd)":/vyos -w /vyos/docs -e GOSU_UID=$(id -u) \
- -e GOSU_GID=$(id -g) vyos/vyos-documentation vale clustering.rst
+ -e GOSU_GID=$(id -g) vyos/vyos-documentation vale quick-start.rst
```
diff --git a/docs/_include/interface-ipv6.txt b/docs/_include/interface-ipv6.txt
index eb60b4e8..0c222d80 100644
--- a/docs/_include/interface-ipv6.txt
+++ b/docs/_include/interface-ipv6.txt
@@ -67,6 +67,34 @@
.. hint:: MSS value = MTU - 40 (IPv6 header) - 20 (TCP header), resulting in
1432 bytes on a 1492 byte MTU.
-
- Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to
+
+ Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to
automatically set the proper value.
+
+.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }}
+ {{ var5 }} {{ var6 }} ipv6 accept-dad <1-3>
+
+ Whether to accept DAD (Duplicate Address Detection).
+
+ - 0: Disable DAD
+ - 1: Enable DAD (default)
+ - 2: Enable DAD, and disable IPv6 operation if MAC-based duplicate link-local address has been found.
+
+ Example:
+
+ .. code-block:: none
+
+ set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ipv6 accept-dad 2
+
+.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }}
+ {{ var5 }} {{ var6 }} ipv6 dup-addr-detect-transmits <n>
+
+ The amount of Duplicate Address Detection probes to send.
+
+ Default: 1
+
+ Example:
+
+ .. code-block:: none
+
+ set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} ipv6 dup-addr-detect-transmits 5
diff --git a/docs/_include/interface-per-client-thread.txt b/docs/_include/interface-per-client-thread.txt
new file mode 100644
index 00000000..877be591
--- /dev/null
+++ b/docs/_include/interface-per-client-thread.txt
@@ -0,0 +1,14 @@
+.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }}
+ {{ var5 }} {{ var6 }} per-client-thread
+
+ Provides a per-device control to enable/disable the threaded mode for
+ all the NAPI instances of the given network device, without the need for
+ a device up/down.
+
+ If CLI option is not specified, this feature is disabled.
+
+ Example:
+
+ .. code-block:: none
+
+ set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} per-client-thread
diff --git a/docs/_include/vyos-1x b/docs/_include/vyos-1x
-Subproject 1a44d8607f715934f2c03f28a9bf547321b26ed
+Subproject ffb798b4678f3b1bd0a40cc42b1f0477470346d
diff --git a/docs/changelog/1.3.rst b/docs/changelog/1.3.rst
index 775257d4..b452274c 100644
--- a/docs/changelog/1.3.rst
+++ b/docs/changelog/1.3.rst
@@ -8,6 +8,38 @@
_ext/releasenotes.py
+2023-08-20
+==========
+
+* :vytask:`T5470` ``(bug): wlan: can not disable interface if SSID is not configured``
+
+
+2023-08-17
+==========
+
+* :vytask:`T5486` ``(bug): Service dns dynamic cannot pass the smoketest``
+* :vytask:`T5223` ``(bug): tunnel key doesn't clear``
+
+
+2023-08-15
+==========
+
+* :vytask:`T5273` ``(default): Add op mode commands for displaying certificate details and fingerprints``
+* :vytask:`T5270` ``(default): Make OpenVPN `tls dh-params` optional``
+
+
+2023-08-10
+==========
+
+* :vytask:`T5329` ``(bug): Wireguard interface as GRE tunnel source causes configuration error on boot``
+
+
+2023-08-06
+==========
+
+* :vytask:`T3424` ``(default): PPPoE IA-PD doesn't work in VRF``
+
+
2023-07-24
==========
diff --git a/docs/changelog/1.4.rst b/docs/changelog/1.4.rst
index 9b8ca26a..c654199b 100644
--- a/docs/changelog/1.4.rst
+++ b/docs/changelog/1.4.rst
@@ -8,6 +8,148 @@
_ext/releasenotes.py
+2023-08-20
+==========
+
+* :vytask:`T5470` ``(bug): wlan: can not disable interface if SSID is not configured``
+
+
+2023-08-18
+==========
+
+* :vytask:`T5488` ``(bug): System conntrack ignore does not take any effect``
+
+
+2023-08-17
+==========
+
+* :vytask:`T4202` ``(bug): NFT: Zone policies fail to apply when "l2tp+" is in the interface list``
+* :vytask:`T5409` ``(feature): Add 'set interfaces wireguard wgX threaded'``
+* :vytask:`T5476` ``(feature): netplug: replace Perl helper scripts with a Python equivalent``
+* :vytask:`T5223` ``(bug): tunnel key doesn't clear``
+* :vytask:`T5490` ``(feature): login: add missing regex for home direcotry and radius server key``
+
+
+2023-08-16
+==========
+
+* :vytask:`T5483` ``(bug): Residual dhcp-server test file causing zabbix-agent smoketest to fail``
+
+
+2023-08-15
+==========
+
+* :vytask:`T5293` ``(feature): Support for Floating Rules (Global Firewall-Rules that are automatically applied before all other Zone Rules)``
+* :vytask:`T5273` ``(default): Add op mode commands for displaying certificate details and fingerprints``
+* :vytask:`T5270` ``(default): Make OpenVPN `tls dh-params` optional``
+
+
+2023-08-14
+==========
+
+* :vytask:`T5477` ``(bug): op-mode pki.py should use Config for defaults``
+* :vytask:`T5461` ``(feature): Improve rootfs directory variable``
+* :vytask:`T5457` ``(feature): Add environmental variable pointing to current rootfs directory``
+* :vytask:`T5440` ``(bug): Restore pre/postconfig scripts if user deleted them``
+* :vytask:`T5436` ``(bug): vyos-preconfig-bootup.script is missing``
+
+
+2023-08-12
+==========
+
+* :vytask:`T5467` ``(bug): ospf(v3): removing an interface from the OSPF process does not clear FRR configuration``
+
+
+2023-08-11
+==========
+
+* :vytask:`T5465` ``(feature): adjust-mss: config migration fails if applied to a VLAN or Q-in-Q interface``
+* :vytask:`T2665` ``(bug): vyos.xml.defaults for tag nodes``
+* :vytask:`T5434` ``(enhancment): Replace remaining calls of vyos.xml library``
+* :vytask:`T5319` ``(enhancment): Remove remaining workarounds for incorrect defaults``
+* :vytask:`T5464` ``(feature): ipv6: add support for per-interface dad (duplicate address detection) setting``
+
+
+2023-08-10
+==========
+
+* :vytask:`T5416` ``(bug): Ignoring "ipsec match-none" for firewall``
+* :vytask:`T5329` ``(bug): Wireguard interface as GRE tunnel source causes configuration error on boot``
+
+
+2023-08-09
+==========
+
+* :vytask:`T5452` ``(bug): Uncaught error in generate_cache during vyos-1x build``
+* :vytask:`T5443` ``(enhancment): Add merge_defaults as Config method``
+* :vytask:`T5435` ``(enhancment): Expose utility function for default values at path``
+
+
+2023-08-07
+==========
+
+* :vytask:`T5406` ``(bug): "update webproxy blacklists" fails when vrf is being configured``
+* :vytask:`T5302` ``(bug): QoS class with multiple matches generates one filter rule but expects several rules``
+* :vytask:`T5266` ``(bug): QoS- HTB error when match with a dscp parameter for queue-type 'priority'``
+* :vytask:`T5071` ``(bug): QOS-Rewrite: DSCP match missing``
+
+
+2023-08-06
+==========
+
+* :vytask:`T5420` ``(feature): nftables - upgrade to latest 1.0.8``
+* :vytask:`T3424` ``(default): PPPoE IA-PD doesn't work in VRF``
+* :vytask:`T5445` ``(feature): dyndns: add possibility to specify update interval (timeout)``
+
+
+2023-08-05
+==========
+
+* :vytask:`T5291` ``(bug): vyatta-cfg-cmd-wrapper missing ${vyos_libexec_dir} variable``
+* :vytask:`T5290` ``(bug): Failing commits for SR-IOV interfaces using ixgbevf driver due to change speed/duplex settings``
+* :vytask:`T5439` ``(bug): Upgrade to FRR version 9.0 added new daemons which must be adjusted``
+
+
+2023-08-04
+==========
+
+* :vytask:`T5427` ``(bug): Change migration script len arguments checking``
+
+
+2023-08-03
+==========
+
+* :vytask:`T5301` ``(bug): NTP: chrony only allows one bind address``
+* :vytask:`T5154` ``(bug): Chrony - multiple listen addresses``
+
+
+2023-08-02
+==========
+
+* :vytask:`T5374` ``(feature): Ability to set 24-hour time format``
+* :vytask:`T5350` ``(bug): Confusing warning message when committing VRRP config``
+* :vytask:`T5430` ``(bug): bridge: vxlan interfaces are not listed as bridgable in completion helpers``
+* :vytask:`T5429` ``(bug): vxlan: source-interface is not honored and throws config error``
+* :vytask:`T5415` ``(feature): Upgrade FRR to version 9.0``
+* :vytask:`T5422` ``(feature): Support LXD Agent``
+
+
+2023-08-01
+==========
+
+* :vytask:`T5399` ``(bug): "show ntp" fails when vrf is being configured``
+* :vytask:`T5346` ``(bug): MPLS sysctl not persistent for L2TP interfaces``
+* :vytask:`T5343` ``(feature): BGP peer group VPNv4 & VPNv6 Address Family Support``
+* :vytask:`T5339` ``(feature): Geneve interface - option to use IPv4 as inner protocol``
+* :vytask:`T5335` ``(bug): ISIS: error when loading config from file``
+
+
+2023-07-31
+==========
+
+* :vytask:`T5421` ``(feature): Add arg to completion helper 'list_interfaces' to filter out vlan subinterfaces``
+
+
2023-07-29
==========
diff --git a/docs/configuration/firewall/general-legacy.rst b/docs/configuration/firewall/general-legacy.rst
new file mode 100644
index 00000000..de91e54b
--- /dev/null
+++ b/docs/configuration/firewall/general-legacy.rst
@@ -0,0 +1,1051 @@
+:lastproofread: 2021-06-29
+
+.. _firewall:
+
+###############
+Firewall-Legacy
+###############
+
+.. note:: **Important note:**
+ This documentation is valid only for VyOS Sagitta prior to
+ 1.4-rolling-YYYYMMDDHHmm
+
+********
+Overview
+********
+
+VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet
+filtering.
+
+The firewall supports the creation of groups for ports, addresses, and
+networks (implemented using netfilter ipset) and the option of interface
+or zone based firewall policy.
+
+.. note:: **Important note on usage of terms:**
+ The firewall makes use of the terms `in`, `out`, and `local`
+ for firewall policy. Users experienced with netfilter often confuse
+ `in` to be a reference to the `INPUT` chain, and `out` the `OUTPUT`
+ chain from netfilter. This is not the case. These instead indicate
+ the use of the `FORWARD` chain and either the input or output
+ interface. The `INPUT` chain, which is used for local traffic to the
+ OS, is a reference to as `local` with respect to its input interface.
+
+
+***************
+Global settings
+***************
+
+Some firewall settings are global and have an affect on the whole system.
+
+.. cfgcmd:: set firewall all-ping [enable | disable]
+
+ By default, when VyOS receives an ICMP echo request packet destined for
+ itself, it will answer with an ICMP echo reply, unless you avoid it
+ through its firewall.
+
+ With the firewall you can set rules to accept, drop or reject ICMP in,
+ out or local traffic. You can also use the general **firewall all-ping**
+ command. This command affects only to LOCAL (packets destined for your
+ VyOS system), not to IN or OUT traffic.
+
+ .. note:: **firewall all-ping** affects only to LOCAL and it always
+ behaves in the most restrictive way
+
+ .. code-block:: none
+
+ set firewall all-ping enable
+
+ When the command above is set, VyOS will answer every ICMP echo request
+ addressed to itself, but that will only happen if no other rule is
+ applied dropping or rejecting local echo requests. In case of conflict,
+ VyOS will not answer ICMP echo requests.
+
+ .. code-block:: none
+
+ set firewall all-ping disable
+
+ When the command above is set, VyOS will answer no ICMP echo request
+ addressed to itself at all, no matter where it comes from or whether
+ more specific rules are being applied to accept them.
+
+.. cfgcmd:: set firewall broadcast-ping [enable | disable]
+
+ This setting enable or disable the response of icmp broadcast
+ messages. The following system parameter will be altered:
+
+ * ``net.ipv4.icmp_echo_ignore_broadcasts``
+
+.. cfgcmd:: set firewall ip-src-route [enable | disable]
+.. cfgcmd:: set firewall ipv6-src-route [enable | disable]
+
+ This setting handle if VyOS accept packets with a source route
+ option. The following system parameter will be altered:
+
+ * ``net.ipv4.conf.all.accept_source_route``
+ * ``net.ipv6.conf.all.accept_source_route``
+
+.. cfgcmd:: set firewall receive-redirects [enable | disable]
+.. cfgcmd:: set firewall ipv6-receive-redirects [enable | disable]
+
+ enable or disable of ICMPv4 or ICMPv6 redirect messages accepted
+ by VyOS. The following system parameter will be altered:
+
+ * ``net.ipv4.conf.all.accept_redirects``
+ * ``net.ipv6.conf.all.accept_redirects``
+
+.. cfgcmd:: set firewall send-redirects [enable | disable]
+
+ enable or disable ICMPv4 redirect messages send by VyOS
+ The following system parameter will be altered:
+
+ * ``net.ipv4.conf.all.send_redirects``
+
+.. cfgcmd:: set firewall log-martians [enable | disable]
+
+ enable or disable the logging of martian IPv4 packets.
+ The following system parameter will be altered:
+
+ * ``net.ipv4.conf.all.log_martians``
+
+.. cfgcmd:: set firewall source-validation [strict | loose | disable]
+
+ Set the IPv4 source validation mode.
+ The following system parameter will be altered:
+
+ * ``net.ipv4.conf.all.rp_filter``
+
+.. cfgcmd:: set firewall syn-cookies [enable | disable]
+
+ Enable or Disable if VyOS use IPv4 TCP SYN Cookies.
+ The following system parameter will be altered:
+
+ * ``net.ipv4.tcp_syncookies``
+
+.. cfgcmd:: set firewall twa-hazards-protection [enable | disable]
+
+ Enable or Disable VyOS to be :rfc:`1337` conform.
+ The following system parameter will be altered:
+
+ * ``net.ipv4.tcp_rfc1337``
+
+.. cfgcmd:: set firewall state-policy established action [accept | drop |
+ reject]
+
+.. cfgcmd:: set firewall state-policy established log enable
+
+ Set the global setting for an established connection.
+
+.. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject]
+
+.. cfgcmd:: set firewall state-policy invalid log enable
+
+ Set the global setting for invalid packets.
+
+.. cfgcmd:: set firewall state-policy related action [accept | drop | reject]
+
+.. cfgcmd:: set firewall state-policy related log enable
+
+ Set the global setting for related connections.
+
+
+******
+Groups
+******
+
+Firewall groups represent collections of IP addresses, networks, ports,
+mac addresses or domains. Once created, a group can be referenced by
+firewall, nat and policy route rules as either a source or destination
+matcher. Members can be added or removed from a group without changes to,
+or the need to reload, individual firewall rules.
+
+Groups need to have unique names. Even though some contain IPv4
+addresses and others contain IPv6 addresses, they still need to have
+unique names, so you may want to append "-v4" or "-v6" to your group
+names.
+
+
+Address Groups
+==============
+
+In an **address group** a single IP address or IP address ranges are
+defined.
+
+.. cfgcmd:: set firewall group address-group <name> address [address |
+ address range]
+.. cfgcmd:: set firewall group ipv6-address-group <name> address <address>
+
+ Define a IPv4 or a IPv6 address group
+
+ .. code-block:: none
+
+ set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1
+ set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8
+ set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1
+
+.. cfgcmd:: set firewall group address-group <name> description <text>
+.. cfgcmd:: set firewall group ipv6-address-group <name> description <text>
+
+ Provide a IPv4 or IPv6 address group description
+
+Network Groups
+==============
+
+While **network groups** accept IP networks in CIDR notation, specific
+IP addresses can be added as a 32-bit prefix. If you foresee the need
+to add a mix of addresses and networks, the network group is
+recommended.
+
+.. cfgcmd:: set firewall group network-group <name> network <CIDR>
+.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR>
+
+ Define a IPv4 or IPv6 Network group.
+
+ .. code-block:: none
+
+ set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24
+ set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24
+ set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64
+
+.. cfgcmd:: set firewall group network-group <name> description <text>
+.. cfgcmd:: set firewall group ipv6-network-group <name> description <text>
+
+ Provide a IPv4 or IPv6 network group description.
+
+Port Groups
+===========
+
+A **port group** represents only port numbers, not the protocol. Port
+groups can be referenced for either TCP or UDP. It is recommended that
+TCP and UDP groups are created separately to avoid accidentally
+filtering unnecessary ports. Ranges of ports can be specified by using
+`-`.
+
+.. cfgcmd:: set firewall group port-group <name> port
+ [portname | portnumber | startport-endport]
+
+ Define a port group. A port name can be any name defined in
+ /etc/services. e.g.: http
+
+ .. code-block:: none
+
+ set firewall group port-group PORT-TCP-SERVER1 port http
+ set firewall group port-group PORT-TCP-SERVER1 port 443
+ set firewall group port-group PORT-TCP-SERVER1 port 5000-5010
+
+.. cfgcmd:: set firewall group port-group <name> description <text>
+
+ Provide a port group description.
+
+MAC Groups
+==========
+
+A **mac group** represents a collection of mac addresses.
+
+.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address>
+
+ Define a mac group.
+
+.. code-block:: none
+
+ set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f
+ set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81
+
+
+Domain Groups
+=============
+
+A **domain group** represents a collection of domains.
+
+.. cfgcmd:: set firewall group domain-group <name> address <domain>
+
+ Define a domain group.
+
+.. code-block:: none
+
+ set firewall group domain-group DOM address example.com
+
+
+*********
+Rule-Sets
+*********
+
+A rule-set is a named collection of firewall rules that can be applied
+to an interface or a zone. Each rule is numbered, has an action to apply
+if the rule is matched, and the ability to specify the criteria to
+match. Data packets go through the rules from 1 - 999999, at the first match
+the action of the rule will be executed.
+
+.. cfgcmd:: set firewall name <name> description <text>
+.. cfgcmd:: set firewall ipv6-name <name> description <text>
+
+ Provide a rule-set description.
+
+.. cfgcmd:: set firewall name <name> default-action [accept | drop | jump |
+ reject | return]
+.. cfgcmd:: set firewall ipv6-name <name> default-action [accept | drop |
+ jump | reject | return]
+
+ This set the default action of the rule-set if no rule matched a packet
+ criteria. If defacult-action is set to ``jump``, then
+ ``default-jump-target`` is also needed.
+
+.. cfgcmd:: set firewall name <name> default-jump-target <text>
+.. cfgcmd:: set firewall ipv6-name <name> default-jump-target <text>
+
+ To be used only when ``defult-action`` is set to ``jump``. Use this
+ command to specify jump target for default rule.
+
+.. cfgcmd:: set firewall name <name> enable-default-log
+.. cfgcmd:: set firewall ipv6-name <name> enable-default-log
+
+ Use this command to enable the logging of the default action.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> action [accept | drop |
+ jump | queue | reject | return]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [accept |
+ drop | jump | queue | reject | return]
+
+ This required setting defines the action of the current rule. If action
+ is set to ``jump``, then ``jump-target`` is also needed.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> jump-target <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> jump-target <text>
+
+ To be used only when ``action`` is set to ``jump``. Use this
+ command to specify jump target.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> queue <0-65535>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> queue <0-65535>
+
+ Use this command to set the target to use. Action queue must be defined
+ to use this setting
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> queue-options
+ <bypass-fanout>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> queue-options
+ <bypass-fanout>
+
+ Options used for queue target. Action queue must be defined to use this
+ setting
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> description <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> description <text>
+
+ Provide a description for each rule.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> log [disable | enable]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable |
+ enable]
+
+ Enable or disable logging for the matched packet.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> log-options level
+ [emerg | alert | crit | err | warn | notice | info | debug]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options level
+ [emerg | alert | crit | err | warn | notice | info | debug]
+
+ Define log-level. Only applicable if rule log is enable.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> log-options group
+ <0-65535>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options group
+ <0-65535>
+
+ Define log group to send message to. Only applicable if rule log is enable.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> log-options snaplen
+ <0-9000>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options snaplen
+ <0-9000>
+
+ Define length of packet payload to include in netlink message. Only
+ applicable if rule log is enable and log group is defined.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> log-options
+ queue-threshold <0-65535>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options
+ queue-threshold <0-65535>
+
+ Define number of packets to queue inside the kernel before sending them to
+ userspace. Only applicable if rule log is enable and log group is defined.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> disable
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable
+
+ If you want to disable a rule but let it in the configuration.
+
+Matching criteria
+=================
+
+There are a lot of matching criteria against which the package can be tested.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> connection-status nat
+ [destination | source]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-status
+ nat [destination | source]
+
+ Match criteria based on nat connection status.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> connection-mark
+ <1-2147483647>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-mark
+ <1-2147483647>
+
+ Match criteria based on connection mark.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source address
+ [address | addressrange | CIDR]
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination address
+ [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address
+ [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination address
+ [address | addressrange | CIDR]
+
+ This is similar to the network groups part, but here you are able to negate
+ the matching addresses.
+
+ .. code-block:: none
+
+ set firewall name WAN-IN-v4 rule 100 source address 192.0.2.10-192.0.2.11
+ # with a '!' the rule match everything except the specified subnet
+ set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24
+ set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source address-mask
+ [address]
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination address-mask
+ [address]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address-mask
+ [address]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination
+ address-mask [address]
+
+ An arbitrary netmask can be applied to mask addresses to only match against
+ a specific portion. This is particularly useful with IPv6 and a zone-based
+ firewall as rules will remain valid if the IPv6 prefix changes and the host
+ portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses
+ <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)
+
+ This functions for both individual addresses and address groups.
+
+ .. code-block:: none
+
+ # Match any IPv6 address with the suffix ::0000:0000:0000:beef
+ set firewall ipv6-name WAN-LAN-v6 rule 100 destination address ::beef
+ set firewall ipv6-name WAN-LAN-v6 rule 100 destination address-mask ::ffff:ffff:ffff:ffff
+ # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet
+ set firewall name WAN-LAN-v4 rule 100 destination address 0.11.0.13
+ set firewall name WAN-LAN-v4 rule 100 destination address-mask 0.255.0.255
+ # Address groups
+ set firewall group ipv6-address-group WEBSERVERS address ::1000
+ set firewall group ipv6-address-group WEBSERVERS address ::2000
+ set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS
+ set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source fqdn <fqdn>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination fqdn <fqdn>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source fqdn <fqdn>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination fqdn
+ <fqdn>
+
+ Specify a Fully Qualified Domain Name as source/destination matcher. Ensure
+ router is able to resolve such dns query.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code
+ <country>
+.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
+ country-code <country>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
+ inverse-match
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
+ country-code <country>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
+ inverse-match
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
+ country-code <country>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
+ inverse-match
+
+Match IP addresses based on its geolocation.
+More info: `geoip matching
+<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
+
+Use inverse-match to match anything except the given country-codes.
+
+Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
+permits redistribution so we can include a database in images(~3MB
+compressed). Includes cron script (manually callable by op-mode update
+geoip) to keep database and rules updated.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address
+ <mac-address>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source mac-address
+ <mac-address>
+
+ Only in the source criteria, you can specify a mac-address.
+
+ .. code-block:: none
+
+ set firewall name LAN-IN-v4 rule 100 source mac-address 00:53:00:11:22:33
+ set firewall name LAN-IN-v4 rule 101 source mac-address !00:53:00:aa:12:34
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source port
+ [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination port
+ [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source port
+ [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination port
+ [1-65535 | portname | start-end]
+
+ A port can be set with a port number or a name which is here
+ defined: ``/etc/services``.
+
+ .. code-block:: none
+
+ set firewall name WAN-IN-v4 rule 10 source port '22'
+ set firewall name WAN-IN-v4 rule 11 source port '!http'
+ set firewall name WAN-IN-v4 rule 12 source port 'https'
+
+ Multiple source ports can be specified as a comma-separated list.
+ The whole list can also be "negated" using ``!``. For example:
+
+ .. code-block:: none
+
+ set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338'
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source group
+ address-group <name | !name>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
+ address-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
+ address-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
+ address-group <name | !name>
+
+ Use a specific address-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source group
+ network-group <name | !name>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
+ network-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
+ network-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
+ network-group <name | !name>
+
+ Use a specific network-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source group
+ port-group <name | !name>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
+ port-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
+ port-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
+ port-group <name | !name>
+
+ Use a specific port-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source group
+ domain-group <name | !name>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
+ domain-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
+ domain-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
+ domain-group <name | !name>
+
+ Use a specific domain-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source group
+ mac-group <name | !name>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
+ mac-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
+ mac-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
+ mac-group <name | !name>
+
+ Use a specific mac-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> dscp [0-63 | start-end]
+.. cfgcmd:: set firewall name <name> rule <1-999999> dscp-exclude [0-63 |
+ start-end]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp [0-63 |
+ start-end]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp-exclude [0-63 |
+ start-end]
+
+ Match based on dscp value.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> fragment [match-frag |
+ match-non-frag]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> fragment [match-frag
+ | match-non-frag]
+
+ Match based on fragment criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> icmp [code | type]
+ <0-255>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 [code | type]
+ <0-255>
+
+ Match based on icmp|icmpv6 code and type.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> icmp type-name <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 type-name
+ <text>
+
+ Match based on icmp|icmpv6 type-name criteria. Use tab for information
+ about what **type-name** criteria are supported.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> inbound-interface
+ <iface>
+.. cfgcmd:: set firewall name <name> rule <1-999999> outbound-interface
+ <iface>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> inbound-interface
+ <iface>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> outbound-interface
+ <iface>
+
+ Match based on inbound/outbound interface. Wilcard ``*`` can be used.
+ For example: ``eth2*``
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> ipsec [match-ipsec
+ | match-none]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> ipsec [match-ipsec
+ | match-none]
+
+ Match based on ipsec criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> limit burst
+ <0-4294967295>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit burst
+ <0-4294967295>
+
+ Match based on the maximum number of packets to allow in excess of rate.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> limit rate
+ <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit rate
+ <text>
+
+ Match based on the maximum average rate, specified as **integer/unit**.
+ For example **5/minutes**
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length
+ <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length
+ <text>
+.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length-exclude
+ <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length-exclude
+ <text>
+
+ Match based on packet length criteria. Multiple values from 1 to 65535
+ and ranges are supported.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> packet-type
+ [broadcast | host | multicast | other]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-type
+ [broadcast | host | multicast | other]
+
+ Match based on packet type criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> |
+ <0-255> | all | tcp_udp]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> protocol [<text> |
+ <0-255> | all | tcp_udp]
+
+ Match a protocol criteria. A protocol number or a name which is here
+ defined: ``/etc/protocols``.
+ Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
+ based packets. The ``!`` negate the selected protocol.
+
+ .. code-block:: none
+
+ set firewall name WAN-IN-v4 rule 10 protocol tcp_udp
+ set firewall name WAN-IN-v4 rule 11 protocol !tcp_udp
+ set firewall ipv6-name WAN-IN-v6 rule 10 protocol tcp
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
+.. cfgcmd:: set firewall name <name> rule <1-999999> recent time
+ [second | minute | hour]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time
+ [second | minute | hour]
+
+ Match bases on recently seen sources.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> tcp flags <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> tcp flags <text>
+
+ Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``,
+ ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma
+ separated. The ``!`` negate the selected protocol.
+
+ .. code-block:: none
+
+ set firewall name WAN-IN-v4 rule 10 tcp flags 'ACK'
+ set firewall name WAN-IN-v4 rule 12 tcp flags 'SYN'
+ set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST'
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> state [established |
+ invalid | new | related] [enable | disable]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> state [established |
+ invalid | new | related] [enable | disable]
+
+ Match against the state of a packet.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> time startdate <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time startdate <text>
+.. cfgcmd:: set firewall name <name> rule <1-999999> time starttime <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time starttime <text>
+.. cfgcmd:: set firewall name <name> rule <1-999999> time stopdate <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stopdate <text>
+.. cfgcmd:: set firewall name <name> rule <1-999999> time stoptime <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stoptime <text>
+.. cfgcmd:: set firewall name <name> rule <1-999999> time weekdays <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time weekdays <text>
+
+ Time to match the defined rule.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255>
+
+ Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for
+ 'greater than', and 'lt' stands for 'less than'.
+
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> hop-limit <eq | gt |
+ lt> <0-255>
+
+ Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
+ 'greater than', and 'lt' stands for 'less than'.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
+.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second |
+ minute | hour>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second |
+ minute | hour>
+
+ Match when 'count' amount of connections are seen within 'time'. These
+ matching criteria can be used to block brute-force attempts.
+
+***********************************
+Applying a Rule-Set to an Interface
+***********************************
+
+A Rule-Set can be applied to every interface:
+
+* ``in``: Ruleset for forwarded packets on an inbound interface
+* ``out``: Ruleset for forwarded packets on an outbound interface
+* ``local``: Ruleset for packets destined for this router
+
+.. cfgcmd:: set firewall interface <interface> [in | out | local] [name |
+ ipv6-name] <rule-set>
+
+
+ Here are some examples for applying a rule-set to an interface
+
+ .. code-block:: none
+
+ set firewall interface eth1.100 in name LANv4-IN
+ set firewall interface eth1.100 out name LANv4-OUT
+ set firewall interface bond0 in name LANv4-IN
+ set firewall interface vtun1 in name LANv4-IN
+ set firewall interface eth2* in name LANv4-IN
+
+ .. note::
+ As you can see in the example here, you can assign the same rule-set to
+ several interfaces. An interface can only have one rule-set per chain.
+
+ .. note::
+ You can use wildcard ``*`` to match a group of interfaces.
+
+***********************
+Operation-mode Firewall
+***********************
+
+Rule-set overview
+=================
+
+.. opcmd:: show firewall
+
+ This will show you a basic firewall overview
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall
+
+ ------------------------
+ Firewall Global Settings
+ ------------------------
+
+ Firewall state-policy for all IPv4 and Ipv6 traffic
+
+ state action log
+ ----- ------ ---
+ invalid accept disabled
+ established accept disabled
+ related accept disabled
+
+ -----------------------------
+ Rulesets Information
+ -----------------------------
+ --------------------------------------------------------------------------
+ IPv4 Firewall "DMZv4-1-IN":
+
+ Active on (eth0,IN)
+
+ rule action proto packets bytes
+ ---- ------ ----- ------- -----
+ 10 accept icmp 0 0
+ condition - saddr 10.1.0.0/24 daddr 0.0.0.0/0 LOG enabled
+
+ 10000 drop all 0 0
+ condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled
+
+ --------------------------------------------------------------------------
+ IPv4 Firewall "DMZv4-1-OUT":
+
+ Active on (eth0,OUT)
+
+ rule action proto packets bytes
+ ---- ------ ----- ------- -----
+ 10 accept tcp_udp 1 60
+ condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-DST-PORT-GROUP DMZ-Ports /*
+ DMZv4-1-OUT-10 */LOG enabled
+
+ 11 accept icmp 1 84
+ condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* DMZv4-1-OUT-11 */LOG enabled
+
+ 10000 drop all 6 360
+ condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled
+
+ --------------------------------------------------------------------------
+ IPv4 Firewall "LANv4-IN":
+
+ Inactive - Not applied to any interfaces or zones.
+
+ rule action proto packets bytes
+ ---- ------ ----- ------- -----
+ 10 accept all 0 0
+ condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* LANv4-IN-10 */
+
+ 10000 drop all 0 0
+ condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
+
+.. opcmd:: show firewall summary
+
+ This will show you a summary of rule-sets and groups
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall summary
+
+ ------------------------
+ Firewall Global Settings
+ ------------------------
+
+ Firewall state-policy for all IPv4 and Ipv6 traffic
+
+ state action log
+ ----- ------ ---
+ invalid accept disabled
+ related accept disabled
+ established accept disabled
+
+ ------------------------
+ Firewall Rulesets
+ ------------------------
+
+ IPv4 name:
+
+ Rule-set name Description References
+ ------------- ----------- ----------
+ DMZv4-1-OUT (eth0,OUT)
+ DMZv4-1-IN (eth0,IN)
+
+ ------------------------
+ Firewall Groups
+ ------------------------
+
+ Port Groups:
+
+ Group name Description References
+ ---------- ----------- ----------
+ DMZ-Ports DMZv4-1-OUT-10-destination
+
+ Network Groups:
+
+ Group name Description References
+ ---------- ----------- ----------
+ LANv4 LANv4-IN-10-source,
+ DMZv4-1-OUT-10-source,
+ DMZv4-1-OUT-11-source
+
+.. opcmd:: show firewall statistics
+
+ This will show you a statistic of all rule-sets since the last boot.
+
+.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>
+
+ This command will give an overview of a rule in a single rule-set
+
+.. opcmd:: show firewall group <name>
+
+ Overview of defined groups. You see the type, the members, and where the
+ group is used.
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall group DMZ-Ports
+ Name : DMZ-Ports
+ Type : port
+ References : none
+ Members :
+ 80
+ 443
+ 8080
+ 8443
+
+ vyos@vyos:~$ show firewall group LANv4
+ Name : LANv4
+ Type : network
+ References : LANv4-IN-10-source
+ Members :
+ 10.10.0.0/16
+
+.. opcmd:: show firewall [name | ipv6name] <name>
+
+ This command will give an overview of a single rule-set.
+
+.. opcmd:: show firewall [name | ipv6name] <name> statistics
+
+ This will show you a rule-set statistic since the last boot.
+
+.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>
+
+ This command will give an overview of a rule in a single rule-set.
+
+
+Zone-Policy Overview
+====================
+
+.. opcmd:: show zone-policy zone <name>
+
+ Use this command to get an overview of a zone.
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show zone-policy zone DMZ
+ -------------------
+ Name: DMZ
+
+ Interfaces: eth0 eth1
+
+ From Zone:
+ name firewall
+ ---- --------
+ LAN DMZv4-1-OUT
+
+
+Show Firewall log
+=================
+
+.. opcmd:: show log firewall [name | ipv6name] <name>
+
+ Show the logs of a specific Rule-Set.
+
+.. note::
+ At the moment it not possible to look at the whole firewall log with VyOS
+ operational commands. All logs will save to ``/var/logs/messages``.
+ For example: ``grep '10.10.0.10' /var/log/messages``
+
+
+
+Example Partial Config
+======================
+
+.. code-block:: none
+
+ firewall {
+ interface eth0 {
+ in {
+ name FROM-INTERNET
+ }
+ }
+ all-ping enable
+ broadcast-ping disable
+ config-trap disable
+ group {
+ network-group BAD-NETWORKS {
+ network 198.51.100.0/24
+ network 203.0.113.0/24
+ }
+ network-group GOOD-NETWORKS {
+ network 192.0.2.0/24
+ }
+ port-group BAD-PORTS {
+ port 65535
+ }
+ }
+ name FROM-INTERNET {
+ default-action accept
+ description "From the Internet"
+ rule 10 {
+ action accept
+ description "Authorized Networks"
+ protocol all
+ source {
+ group {
+ network-group GOOD-NETWORKS
+ }
+ }
+ }
+ rule 11 {
+ action drop
+ description "Bad Networks"
+ protocol all
+ source {
+ group {
+ network-group BAD-NETWORKS
+ }
+ }
+ }
+ rule 30 {
+ action drop
+ description "BAD PORTS"
+ destination {
+ group {
+ port-group BAD-PORTS
+ }
+ }
+ log enable
+ protocol all
+ }
+ }
+ }
+ interfaces {
+ ethernet eth1 {
+ address dhcp
+ description OUTSIDE
+ duplex auto
+ }
+ }
+
+
+Update geoip database
+=====================
+
+.. opcmd:: update geoip
+
+ Command used to update GeoIP database and firewall sets. \ No newline at end of file
diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst
index c217ba6c..0e172a24 100644
--- a/docs/configuration/firewall/general.rst
+++ b/docs/configuration/firewall/general.rst
@@ -13,27 +13,86 @@ Overview
VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet
filtering.
-The firewall supports the creation of groups for ports, addresses, and
-networks (implemented using netfilter ipset) and the option of interface
-or zone based firewall policy.
+The firewall supports the creation of groups for addresses, domains,
+interfaces, mac-addresses, networks and port groups. This groups can be used
+later in firewall ruleset as desired.
.. note:: **Important note on usage of terms:**
- The firewall makes use of the terms `in`, `out`, and `local`
- for firewall policy. Users experienced with netfilter often confuse
- `in` to be a reference to the `INPUT` chain, and `out` the `OUTPUT`
- chain from netfilter. This is not the case. These instead indicate
- the use of the `FORWARD` chain and either the input or output
- interface. The `INPUT` chain, which is used for local traffic to the
- OS, is a reference to as `local` with respect to its input interface.
+ The firewall makes use of the terms `forward`, `input`, and `output`
+ for firewall policy. More information of Netfilter hooks and Linux
+ networking packet flows can be found in `Netfilter-Hooks
+ <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_
-***************
-Global settings
-***************
+Main structure is shown next:
+
+.. code-block:: none
+
+ - set firewall
+ * global-options
+ + all-ping
+ + broadcast-ping
+ + ...
+ * group
+ - address-group
+ - ipv6-address-group
+ - network-group
+ - ipv6-network-group
+ - interface-group
+ - mac-group
+ - port-group
+ - domain-group
+ * ipv4
+ - forward
+ + filter
+ - input
+ + filter
+ - output
+ + filter
+ - name
+ + custom_name
+ * ipv6
+ - forward
+ + filter
+ - input
+ + filter
+ - output
+ + filter
+ - ipv6-name
+ + custom_name
+
+Where, main key words and configuration paths that needs to be understood:
+
+ * For firewall filtering, configuration should be done in ``set firewall
+ [ipv4 | ipv6] ...``
+
+ * For transit traffic, which is received by the router and forwarded,
+ base chain is **forward filter**: ``set firewall [ipv4 | ipv6]
+ forward filter ...``
+
+ * For traffic originated by the router, base chain is **output filter**:
+ ``set firewall [ipv4 | ipv6] output filter ...``
+
+ * For traffic towards the router itself, base chain is **input filter**:
+ ``set firewall [ipv4 | ipv6] input filter ...``
+
+.. note:: **Important note about default-actions:**
+ If default action for any chain is not defined, then the default
+ action is set to **accept** for that chain. Only for custom chains,
+ the default action is set to **drop**.
+
+Custom firewall chains can be created, with commands
+``set firewall [ipv4 | ipv6] [name | ipv6-name] <name> ...``. In order to use
+such custom chain, a rule with **action jump**, and the appropiate **target**
+should be defined in a base chain.
+
+**************
+Global Options
+**************
Some firewall settings are global and have an affect on the whole system.
-.. cfgcmd:: set firewall all-ping [enable | disable]
+.. cfgcmd:: set firewall global-options all-ping [enable | disable]
By default, when VyOS receives an ICMP echo request packet destined for
itself, it will answer with an ICMP echo reply, unless you avoid it
@@ -44,12 +103,12 @@ Some firewall settings are global and have an affect on the whole system.
command. This command affects only to LOCAL (packets destined for your
VyOS system), not to IN or OUT traffic.
- .. note:: **firewall all-ping** affects only to LOCAL and it always
- behaves in the most restrictive way
+ .. note:: **firewall global-options all-ping** affects only to LOCAL
+ and it always behaves in the most restrictive way
.. code-block:: none
- set firewall all-ping enable
+ set firewall global-options all-ping enable
When the command above is set, VyOS will answer every ICMP echo request
addressed to itself, but that will only happen if no other rule is
@@ -58,21 +117,21 @@ Some firewall settings are global and have an affect on the whole system.
.. code-block:: none
- set firewall all-ping disable
+ set firewall global-options all-ping disable
When the command above is set, VyOS will answer no ICMP echo request
addressed to itself at all, no matter where it comes from or whether
more specific rules are being applied to accept them.
-.. cfgcmd:: set firewall broadcast-ping [enable | disable]
+.. cfgcmd:: set firewall global-options broadcast-ping [enable | disable]
This setting enable or disable the response of icmp broadcast
messages. The following system parameter will be altered:
* ``net.ipv4.icmp_echo_ignore_broadcasts``
-.. cfgcmd:: set firewall ip-src-route [enable | disable]
-.. cfgcmd:: set firewall ipv6-src-route [enable | disable]
+.. cfgcmd:: set firewall global-options ip-src-route [enable | disable]
+.. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable]
This setting handle if VyOS accept packets with a source route
option. The following system parameter will be altered:
@@ -80,8 +139,9 @@ Some firewall settings are global and have an affect on the whole system.
* ``net.ipv4.conf.all.accept_source_route``
* ``net.ipv6.conf.all.accept_source_route``
-.. cfgcmd:: set firewall receive-redirects [enable | disable]
-.. cfgcmd:: set firewall ipv6-receive-redirects [enable | disable]
+.. cfgcmd:: set firewall global-options receive-redirects [enable | disable]
+.. cfgcmd:: set firewall global-options ipv6-receive-redirects
+ [enable | disable]
enable or disable of ICMPv4 or ICMPv6 redirect messages accepted
by VyOS. The following system parameter will be altered:
@@ -89,76 +149,51 @@ Some firewall settings are global and have an affect on the whole system.
* ``net.ipv4.conf.all.accept_redirects``
* ``net.ipv6.conf.all.accept_redirects``
-.. cfgcmd:: set firewall send-redirects [enable | disable]
+.. cfgcmd:: set firewall global-options send-redirects [enable | disable]
- enable or disable ICMPv4 redirect messages send by VyOS
+ enable or disable ICMPv4 redirect messages send by VyOS
The following system parameter will be altered:
* ``net.ipv4.conf.all.send_redirects``
-.. cfgcmd:: set firewall log-martians [enable | disable]
+.. cfgcmd:: set firewall global-options log-martians [enable | disable]
enable or disable the logging of martian IPv4 packets.
The following system parameter will be altered:
* ``net.ipv4.conf.all.log_martians``
-.. cfgcmd:: set firewall source-validation [strict | loose | disable]
+.. cfgcmd:: set firewall global-options source-validation
+ [strict | loose | disable]
Set the IPv4 source validation mode.
The following system parameter will be altered:
* ``net.ipv4.conf.all.rp_filter``
-.. cfgcmd:: set firewall syn-cookies [enable | disable]
+.. cfgcmd:: set firewall global-options syn-cookies [enable | disable]
Enable or Disable if VyOS use IPv4 TCP SYN Cookies.
The following system parameter will be altered:
* ``net.ipv4.tcp_syncookies``
-.. cfgcmd:: set firewall twa-hazards-protection [enable | disable]
+.. cfgcmd:: set firewall global-options twa-hazards-protection
+ [enable | disable]
Enable or Disable VyOS to be :rfc:`1337` conform.
The following system parameter will be altered:
* ``net.ipv4.tcp_rfc1337``
-.. cfgcmd:: set firewall state-policy established action [accept | drop |
- reject]
-
-.. cfgcmd:: set firewall state-policy established log enable
-
- Set the global setting for an established connection.
-
-.. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject]
-
-.. cfgcmd:: set firewall state-policy invalid log enable
-
- Set the global setting for invalid packets.
-
-.. cfgcmd:: set firewall state-policy related action [accept | drop | reject]
-
-.. cfgcmd:: set firewall state-policy related log enable
-
- Set the global setting for related connections.
-
-
******
Groups
******
Firewall groups represent collections of IP addresses, networks, ports,
-mac addresses or domains. Once created, a group can be referenced by
-firewall, nat and policy route rules as either a source or destination
-matcher. Members can be added or removed from a group without changes to,
-or the need to reload, individual firewall rules.
-
-Groups need to have unique names. Even though some contain IPv4
-addresses and others contain IPv6 addresses, they still need to have
-unique names, so you may want to append "-v4" or "-v6" to your group
-names.
-
+mac addresses, domains or interfaces. Once created, a group can be referenced
+by firewall, nat and policy route rules as either a source or destination
+matcher, and as inbpund/outbound in the case of interface group.
Address Groups
==============
@@ -205,7 +240,25 @@ recommended.
.. cfgcmd:: set firewall group network-group <name> description <text>
.. cfgcmd:: set firewall group ipv6-network-group <name> description <text>
- Provide a IPv4 or IPv6 network group description.
+ Provide an IPv4 or IPv6 network group description.
+
+Interface Groups
+================
+
+An **interface group** represents a collection of interfaces.
+
+.. cfgcmd:: set firewall group interface-group <name> interface <text>
+
+ Define an interface group. Wildcard are accepted too.
+
+.. code-block:: none
+
+ set firewall group interface-group LAN interface bond1001
+ set firewall group interface-group LAN interface eth3*
+
+.. cfgcmd:: set firewall group interface-group <name> description <text>
+
+ Provide an interface group description
Port Groups
===========
@@ -246,6 +299,9 @@ A **mac group** represents a collection of mac addresses.
set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f
set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81
+.. cfgcmd:: set firewall group mac-group <name> description <text>
+
+ Provide a mac group description.
Domain Groups
=============
@@ -260,167 +316,316 @@ A **domain group** represents a collection of domains.
set firewall group domain-group DOM address example.com
+.. cfgcmd:: set firewall group domain-group <name> description <text>
-*********
-Rule-Sets
-*********
+ Provide a domain group description.
-A rule-set is a named collection of firewall rules that can be applied
-to an interface or a zone. Each rule is numbered, has an action to apply
-if the rule is matched, and the ability to specify the criteria to
-match. Data packets go through the rules from 1 - 999999, at the first match
-the action of the rule will be executed.
+**************
+Firewall Rules
+**************
-.. cfgcmd:: set firewall name <name> description <text>
-.. cfgcmd:: set firewall ipv6-name <name> description <text>
+For firewall filtering, firewall rules needs to be created. Each rule is
+numbered, has an action to apply if the rule is matched, and the ability
+to specify multiple criteria matchers. Data packets go through the rules
+from 1 - 999999, so order is crucial. At the first match the action of the
+rule will be executed.
- Provide a rule-set description.
+Actions
+=======
-.. cfgcmd:: set firewall name <name> default-action [accept | drop | jump |
- reject | return]
-.. cfgcmd:: set firewall ipv6-name <name> default-action [accept | drop |
- jump | reject | return]
+If a rule is defined, then an action must be defined for it. This tells the
+firewall what to do if all criteria matchers defined for such rule do match.
- This set the default action of the rule-set if no rule matched a packet
- criteria. If defacult-action is set to ``jump``, then
- ``default-jump-target`` is also needed.
+The action can be :
-.. cfgcmd:: set firewall name <name> default-jump-target <text>
-.. cfgcmd:: set firewall ipv6-name <name> default-jump-target <text>
+ * ``accept``: accept the packet.
- To be used only when ``defult-action`` is set to ``jump``. Use this
- command to specify jump target for default rule.
+ * ``drop``: drop the packet.
-.. cfgcmd:: set firewall name <name> enable-default-log
-.. cfgcmd:: set firewall ipv6-name <name> enable-default-log
+ * ``reject``: reject the packet.
- Use this command to enable the logging of the default action.
+ * ``jump``: jump to another custom chain.
-.. cfgcmd:: set firewall name <name> rule <1-999999> action [accept | drop |
- jump | queue | reject | return]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [accept |
- drop | jump | queue | reject | return]
+ * ``return``: Return from the current chain and continue at the next rule
+ of the last chain.
- This required setting defines the action of the current rule. If action
- is set to ``jump``, then ``jump-target`` is also needed.
+ * ``queue``: Enqueue packet to userspace.
-.. cfgcmd:: set firewall name <name> rule <1-999999> jump-target <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> jump-target <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> action
+ [accept | drop | jump | queue | reject | return]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> action
+ [accept | drop | jump | queue | reject | return]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> action
+ [accept | drop | jump | queue | reject | return]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action
+ [accept | drop | jump | queue | reject | return]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> action
+ [accept | drop | jump | queue | reject | return]
- To be used only when ``action`` is set to ``jump``. Use this
- command to specify jump target.
+ This required setting defines the action of the current rule. If action is
+ set to jump, then jump-target is also needed.
-.. cfgcmd:: set firewall name <name> rule <1-999999> queue <0-65535>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> queue <0-65535>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ jump-target <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ jump-target <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ jump-target <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ jump-target <text>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ jump-target <text>
- Use this command to set the target to use. Action queue must be defined
- to use this setting
+ To be used only when action is set to jump. Use this command to specify
+ jump target.
-.. cfgcmd:: set firewall name <name> rule <1-999999> queue-options
- <bypass-fanout>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> queue-options
- <bypass-fanout>
+Also, **default-action** is an action that takes place whenever a packet does
+not match any rule in it's chain. For base chains, possible options for
+**default-action** are **accept** or **drop**.
- Options used for queue target. Action queue must be defined to use this
- setting
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter default-action
+ [accept | drop]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter default-action
+ [accept | drop]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter default-action
+ [accept | drop]
+.. cfgcmd:: set firewall ipv4 name <name> default-action
+ [accept | drop | jump | queue | reject | return]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> default-action
+ [accept | drop | jump | queue | reject | return]
-.. cfgcmd:: set firewall name <name> rule <1-999999> description <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> description <text>
+ This set the default action of the rule-set if no rule matched a packet
+ criteria. If defacult-action is set to ``jump``, then
+ ``default-jump-target`` is also needed. Note that for base chains, default
+ action can only be set to ``accept`` or ``drop``, while on custom chain,
+ more actions are available.
- Provide a description for each rule.
+.. cfgcmd:: set firewall name <name> default-jump-target <text>
+.. cfgcmd:: set firewall ipv6-name <name> default-jump-target <text>
-.. cfgcmd:: set firewall name <name> rule <1-999999> log [disable | enable]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable |
- enable]
+ To be used only when ``defult-action`` is set to ``jump``. Use this
+ command to specify jump target for default rule.
+
+.. note:: **Important note about default-actions:**
+ If default action for any chain is not defined, then the default
+ action is set to **drop** for that chain.
+
+
+Firewall Logs
+=============
+
+Logging can be enable for every single firewall rule. If enabled, other
+log options can be defined.
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> log
+ [disable | enable]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> log
+ [disable | enable]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> log
+ [disable | enable]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log
+ [disable | enable]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> log
+ [disable | enable]
Enable or disable logging for the matched packet.
-.. cfgcmd:: set firewall name <name> rule <1-999999> log-options level
- [emerg | alert | crit | err | warn | notice | info | debug]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options level
- [emerg | alert | crit | err | warn | notice | info | debug]
+.. cfgcmd:: set firewall ipv4 name <name> enable-default-log
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> enable-default-log
+
+ Use this command to enable the logging of the default action on
+ custom chains.
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ log-options level [emerg | alert | crit | err | warn | notice
+ | info | debug]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ log-options level [emerg | alert | crit | err | warn | notice
+ | info | debug]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ log-options level [emerg | alert | crit | err | warn | notice
+ | info | debug]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ log-options level [emerg | alert | crit | err | warn | notice
+ | info | debug]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ log-options level [emerg | alert | crit | err | warn | notice
+ | info | debug]
Define log-level. Only applicable if rule log is enable.
-.. cfgcmd:: set firewall name <name> rule <1-999999> log-options group
- <0-65535>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options group
- <0-65535>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ log-options group <0-65535>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ log-options group <0-65535>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ log-options group <0-65535>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ log-options group <0-65535>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ log-options group <0-65535>
Define log group to send message to. Only applicable if rule log is enable.
-.. cfgcmd:: set firewall name <name> rule <1-999999> log-options snaplen
- <0-9000>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options snaplen
- <0-9000>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ log-options snapshot-length <0-9000>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ log-options snapshot-length <0-9000>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ log-options snapshot-length <0-9000>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ log-options snapshot-length <0-9000>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ log-options snapshot-length <0-9000>
Define length of packet payload to include in netlink message. Only
applicable if rule log is enable and log group is defined.
-.. cfgcmd:: set firewall name <name> rule <1-999999> log-options
- queue-threshold <0-65535>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options
- queue-threshold <0-65535>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ log-options queue-threshold <0-65535>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ log-options queue-threshold <0-65535>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ log-options queue-threshold <0-65535>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ log-options queue-threshold <0-65535>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ log-options queue-threshold <0-65535>
Define number of packets to queue inside the kernel before sending them to
userspace. Only applicable if rule log is enable and log group is defined.
-.. cfgcmd:: set firewall name <name> rule <1-999999> disable
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable
- If you want to disable a rule but let it in the configuration.
+Firewall Description
+====================
+
+For reference, a description can be defined for every single rule, and for
+every defined custom chain.
+
+.. cfgcmd:: set firewall ipv4 name <name> description <text>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> description <text>
+
+ Provide a rule-set description to a custom firewall chain.
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ description <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ description <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ description <text>
+
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> description <text>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> description <text>
+
+ Provide a description for each rule.
+
+
+Rule Status
+===========
+
+When defining a rule, it is enable by default. In some cases, it is useful to
+just disable the rule, rather than removing it.
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> disable
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> disable
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> disable
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> disable
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> disable
+
+ Command for disabling a rule but keep it in the configuration.
+
Matching criteria
=================
There are a lot of matching criteria against which the package can be tested.
-.. cfgcmd:: set firewall name <name> rule <1-999999> connection-status nat
- [destination | source]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-status
- nat [destination | source]
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ connection-status nat [destination | source]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ connection-status nat [destination | source]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ connection-status nat [destination | source]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ connection-status nat [destination | source]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ connection-status nat [destination | source]
Match criteria based on nat connection status.
-.. cfgcmd:: set firewall name <name> rule <1-999999> connection-mark
- <1-2147483647>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-mark
- <1-2147483647>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ connection-mark <1-2147483647>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ connection-mark <1-2147483647>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ connection-mark <1-2147483647>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ connection-mark <1-2147483647>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ connection-mark <1-2147483647>
Match criteria based on connection mark.
-.. cfgcmd:: set firewall name <name> rule <1-999999> source address
- [address | addressrange | CIDR]
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination address
- [address | addressrange | CIDR]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address
- [address | addressrange | CIDR]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination address
- [address | addressrange | CIDR]
-
- This is similar to the network groups part, but here you are able to negate
- the matching addresses.
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ source address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ source address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ source address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ source address [address | addressrange | CIDR]
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ destination address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ destination address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ destination address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ destination address [address | addressrange | CIDR]
+
+ Match criteria based on source and/or destination address. This is similar
+ to the network groups part, but here you are able to negate the matching
+ addresses.
.. code-block:: none
- set firewall name WAN-IN-v4 rule 100 source address 192.0.2.10-192.0.2.11
+ set firewall ipv4 name FOO rule 50 source address 192.0.2.10-192.0.2.11
# with a '!' the rule match everything except the specified subnet
- set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24
- set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source address-mask
- [address]
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination address-mask
- [address]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address-mask
- [address]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination
- address-mask [address]
+ set firewall ipv4 input filter FOO rule 51 source address !203.0.113.0/24
+ set firewall ipv6 ipv6-name FOO rule 100 source address 2001:db8::202
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ source address-mask [address]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ source address-mask [address]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ source address-mask [address]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source address-mask [address]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ source address-mask [address]
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ destination address-mask [address]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ destination address-mask [address]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ destination address-mask [address]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination address-mask [address]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ destination address-mask [address]
An arbitrary netmask can be applied to mask addresses to only match against
- a specific portion. This is particularly useful with IPv6 and a zone-based
- firewall as rules will remain valid if the IPv6 prefix changes and the host
- portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses
+ a specific portion. This is particularly useful with IPv6 as rules will
+ remain valid if the IPv6 prefix changes and the host
+ portion of systems IPv6 address is static (for example, with SLAAC or
+ `tokenised IPv6 addresses
<https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)
This functions for both individual addresses and address groups.
@@ -428,238 +633,465 @@ There are a lot of matching criteria against which the package can be tested.
.. code-block:: none
# Match any IPv6 address with the suffix ::0000:0000:0000:beef
- set firewall ipv6-name WAN-LAN-v6 rule 100 destination address ::beef
- set firewall ipv6-name WAN-LAN-v6 rule 100 destination address-mask ::ffff:ffff:ffff:ffff
+ set firewall ipv6 forward filter rule 100 destination address ::beef
+ set firewall ipv6 forward filter rule 100 destination address-mask ::ffff:ffff:ffff:ffff
# Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet
- set firewall name WAN-LAN-v4 rule 100 destination address 0.11.0.13
- set firewall name WAN-LAN-v4 rule 100 destination address-mask 0.255.0.255
+ set firewall ipv4 name FOO rule 100 destination address 0.11.0.13
+ set firewall ipv4 name FOO rule 100 destination address-mask 0.255.0.255
# Address groups
set firewall group ipv6-address-group WEBSERVERS address ::1000
set firewall group ipv6-address-group WEBSERVERS address ::2000
- set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS
- set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source fqdn <fqdn>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination fqdn <fqdn>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source fqdn <fqdn>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination fqdn
- <fqdn>
+ set firewall ipv6 forward filter rule 200 source group address-group WEBSERVERS
+ set firewall ipv6 forward filter rule 200 source address-mask ::ffff:ffff:ffff:ffff
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ source fqdn <fqdn>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ source fqdn <fqdn>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ source fqdn <fqdn>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source fqdn <fqdn>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ source fqdn <fqdn>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ destination fqdn <fqdn>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ destination fqdn <fqdn>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ destination fqdn <fqdn>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination fqdn <fqdn>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ destination fqdn <fqdn>
Specify a Fully Qualified Domain Name as source/destination matcher. Ensure
router is able to resolve such dns query.
-.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code
- <country>
-.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
- country-code <country>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
- inverse-match
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
- country-code <country>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
- inverse-match
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
- country-code <country>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
- inverse-match
-
-Match IP addresses based on its geolocation.
-More info: `geoip matching
-<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
-
-Use inverse-match to match anything except the given country-codes.
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ source geoip country-code <country>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ source geoip country-code <country>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ source geoip country-code <country>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source geoip country-code <country>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ source geoip country-code <country>
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ destination geoip country-code <country>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ destination geoip country-code <country>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ destination geoip country-code <country>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination geoip country-code <country>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ destination geoip country-code <country>
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ source geoip inverse-match
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ source geoip inverse-match
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ source geoip inverse-match
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source geoip inverse-match
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ source geoip inverse-match
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ destination geoip inverse-match
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ destination geoip inverse-match
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ destination geoip inverse-match
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination geoip inverse-match
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ destination geoip inverse-match
+
+ Match IP addresses based on its geolocation. More info: `geoip matching
+ <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
+ Use inverse-match to match anything except the given country-codes.
Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
permits redistribution so we can include a database in images(~3MB
compressed). Includes cron script (manually callable by op-mode update
geoip) to keep database and rules updated.
-.. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address
- <mac-address>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source mac-address
- <mac-address>
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ source mac-address <mac-address>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ source mac-address <mac-address>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ source mac-address <mac-address>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source mac-address <mac-address>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ source mac-address <mac-address>
Only in the source criteria, you can specify a mac-address.
.. code-block:: none
- set firewall name LAN-IN-v4 rule 100 source mac-address 00:53:00:11:22:33
- set firewall name LAN-IN-v4 rule 101 source mac-address !00:53:00:aa:12:34
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source port
- [1-65535 | portname | start-end]
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination port
- [1-65535 | portname | start-end]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source port
- [1-65535 | portname | start-end]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination port
- [1-65535 | portname | start-end]
+ set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33
+ set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34
+
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ source port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ source port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ source port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ source port [1-65535 | portname | start-end]
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ destination port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ destination port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ destination port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ destination port [1-65535 | portname | start-end]
A port can be set with a port number or a name which is here
defined: ``/etc/services``.
.. code-block:: none
- set firewall name WAN-IN-v4 rule 10 source port '22'
- set firewall name WAN-IN-v4 rule 11 source port '!http'
- set firewall name WAN-IN-v4 rule 12 source port 'https'
+ set firewall ipv4 forward filter rule 10 source port '22'
+ set firewall ipv4 forward filter rule 11 source port '!http'
+ set firewall ipv4 forward filter rule 12 source port 'https'
Multiple source ports can be specified as a comma-separated list.
The whole list can also be "negated" using ``!``. For example:
.. code-block:: none
- set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338'
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- address-group <name | !name>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- address-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- address-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- address-group <name | !name>
+ set firewall ipv6 forward filter rule 10 source port '!22,https,3333-3338'
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ source group address-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ source group address-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ source group address-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source group address-group <name | !name>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ source group address-group <name | !name>
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ destination group address-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ destination group address-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ destination group address-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination group address-group <name | !name>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ destination group address-group <name | !name>
Use a specific address-group. Prepend character ``!`` for inverted matching
criteria.
-.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- network-group <name | !name>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- network-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- network-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- network-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ source group network-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ source group network-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ source group network-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source group network-group <name | !name>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ source group network-group <name | !name>
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ destination group network-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ destination group network-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ destination group network-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination group network-group <name | !name>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ destination group network-group <name | !name>
Use a specific network-group. Prepend character ``!`` for inverted matching
criteria.
-.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- port-group <name | !name>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- port-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- port-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- port-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ source group port-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ source group port-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ source group port-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source group port-group <name | !name>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ source group port-group <name | !name>
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ destination group port-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ destination group port-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ destination group port-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination group port-group <name | !name>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ destination group port-group <name | !name>
Use a specific port-group. Prepend character ``!`` for inverted matching
criteria.
-.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- domain-group <name | !name>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- domain-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- domain-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- domain-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ source group domain-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ source group domain-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ source group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ source group domain-group <name | !name>
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ destination group domain-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ destination group domain-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ destination group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ destination group domain-group <name | !name>
Use a specific domain-group. Prepend character ``!`` for inverted matching
criteria.
-.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- mac-group <name | !name>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- mac-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- mac-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- mac-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ source group mac-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ source group mac-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ source group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ source group mac-group <name | !name>
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ destination group mac-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ destination group mac-group <name | !name>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ destination group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ destination group mac-group <name | !name>
Use a specific mac-group. Prepend character ``!`` for inverted matching
criteria.
-.. cfgcmd:: set firewall name <name> rule <1-999999> dscp [0-63 | start-end]
-.. cfgcmd:: set firewall name <name> rule <1-999999> dscp-exclude [0-63 |
- start-end]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp [0-63 |
- start-end]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp-exclude [0-63 |
- start-end]
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ dscp [0-63 | start-end]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ dscp [0-63 | start-end]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ dscp [0-63 | start-end]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ dscp [0-63 | start-end]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ dscp [0-63 | start-end]
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ dscp-exclude [0-63 | start-end]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ dscp-exclude [0-63 | start-end]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ dscp-exclude [0-63 | start-end]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ dscp-exclude [0-63 | start-end]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ dscp-exclude [0-63 | start-end]
Match based on dscp value.
-.. cfgcmd:: set firewall name <name> rule <1-999999> fragment [match-frag |
- match-non-frag]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> fragment [match-frag
- | match-non-frag]
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ fragment [match-frag | match-non-frag]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ fragment [match-frag | match-non-frag]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ fragment [match-frag | match-non-frag]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ fragment [match-frag | match-non-frag]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ fragment [match-frag | match-non-frag]
Match based on fragment criteria.
-.. cfgcmd:: set firewall name <name> rule <1-999999> icmp [code | type]
- <0-255>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 [code | type]
- <0-255>
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ icmp [code | type] <0-255>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ icmp [code | type] <0-255>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ icmp [code | type] <0-255>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ icmp [code | type] <0-255>
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ icmpv6 [code | type] <0-255>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ icmpv6 [code | type] <0-255>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ icmpv6 [code | type] <0-255>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ icmpv6 [code | type] <0-255>
Match based on icmp|icmpv6 code and type.
-.. cfgcmd:: set firewall name <name> rule <1-999999> icmp type-name <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 type-name
- <text>
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ icmp type-name <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ icmp type-name <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ icmp type-name <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ icmp type-name <text>
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ icmpv6 type-name <text>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ icmpv6 type-name <text>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ icmpv6 type-name <text>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ icmpv6 type-name <text>
Match based on icmp|icmpv6 type-name criteria. Use tab for information
about what **type-name** criteria are supported.
-.. cfgcmd:: set firewall name <name> rule <1-999999> inbound-interface
- <iface>
-.. cfgcmd:: set firewall name <name> rule <1-999999> outbound-interface
- <iface>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> inbound-interface
- <iface>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> outbound-interface
- <iface>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ inbound-interface <iface>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ inbound-interface <iface>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ inbound-interface <iface>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ inbound-interface <iface>
- Match based on inbound/outbound interface. Wilcard ``*`` can be used.
+ Match based on inbound interface. Wilcard ``*`` can be used.
For example: ``eth2*``
-.. cfgcmd:: set firewall name <name> rule <1-999999> ipsec [match-ipsec
- | match-none]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> ipsec [match-ipsec
- | match-none]
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ outbound-interface <iface>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ outbound-interface <iface>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ outbound-interface <iface>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ outbound-interface <iface>
+
+ Match based on outbound interface. Wilcard ``*`` can be used.
+ For example: ``eth2*``
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ ipsec [match-ipsec | match-none]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ ipsec [match-ipsec | match-none]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ ipsec [match-ipsec | match-none]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ ipsec [match-ipsec | match-none]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ ipsec [match-ipsec | match-none]
Match based on ipsec criteria.
-.. cfgcmd:: set firewall name <name> rule <1-999999> limit burst
- <0-4294967295>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit burst
- <0-4294967295>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ limit burst <0-4294967295>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ limit burst <0-4294967295>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ limit burst <0-4294967295>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ limit burst <0-4294967295>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ limit burst <0-4294967295>
Match based on the maximum number of packets to allow in excess of rate.
-.. cfgcmd:: set firewall name <name> rule <1-999999> limit rate
- <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit rate
- <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ limit rate <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ limit rate <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ limit rate <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ limit rate <text>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ limit rate <text>
Match based on the maximum average rate, specified as **integer/unit**.
For example **5/minutes**
-.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length
- <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length
- <text>
-.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length-exclude
- <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length-exclude
- <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ packet-length <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ packet-length <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ packet-length <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ packet-length <text>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ packet-length <text>
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ packet-length-exclude <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ packet-length-exclude <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ packet-length-exclude <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ packet-length-exclude <text>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ packet-length-exclude <text>
Match based on packet length criteria. Multiple values from 1 to 65535
and ranges are supported.
-.. cfgcmd:: set firewall name <name> rule <1-999999> packet-type
- [broadcast | host | multicast | other]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-type
- [broadcast | host | multicast | other]
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ packet-type [broadcast | host | multicast | other]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ packet-type [broadcast | host | multicast | other]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ packet-type [broadcast | host | multicast | other]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ packet-type [broadcast | host | multicast | other]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ packet-type [broadcast | host | multicast | other]
Match based on packet type criteria.
-.. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> |
- <0-255> | all | tcp_udp]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> protocol [<text> |
- <0-255> | all | tcp_udp]
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ protocol [<text> | <0-255> | all | tcp_udp]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ protocol [<text> | <0-255> | all | tcp_udp]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ protocol [<text> | <0-255> | all | tcp_udp]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ protocol [<text> | <0-255> | all | tcp_udp]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ protocol [<text> | <0-255> | all | tcp_udp]
Match a protocol criteria. A protocol number or a name which is here
defined: ``/etc/protocols``.
@@ -668,21 +1100,44 @@ geoip) to keep database and rules updated.
.. code-block:: none
- set firewall name WAN-IN-v4 rule 10 protocol tcp_udp
- set firewall name WAN-IN-v4 rule 11 protocol !tcp_udp
- set firewall ipv6-name WAN-IN-v6 rule 10 protocol tcp
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
-.. cfgcmd:: set firewall name <name> rule <1-999999> recent time
- [second | minute | hour]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time
- [second | minute | hour]
+ set firewall ipv4 forward fitler rule 10 protocol tcp_udp
+ set firewall ipv4 forward fitler rule 11 protocol !tcp_udp
+ set firewall ipv6 input filter rule 10 protocol tcp
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ recent count <1-255>
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ recent time [second | minute | hour]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ recent time [second | minute | hour]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ recent time [second | minute | hour]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ recent time [second | minute | hour]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ recent time [second | minute | hour]
Match bases on recently seen sources.
-.. cfgcmd:: set firewall name <name> rule <1-999999> tcp flags <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> tcp flags <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ tcp flags <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ tcp flags <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ tcp flags <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ tcp flags <text>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ tcp flags <text>
Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``,
``PSH``, ``ALL`` When specifying more than one flag, flags should be comma
@@ -690,82 +1145,125 @@ geoip) to keep database and rules updated.
.. code-block:: none
- set firewall name WAN-IN-v4 rule 10 tcp flags 'ACK'
- set firewall name WAN-IN-v4 rule 12 tcp flags 'SYN'
- set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST'
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> state [established |
- invalid | new | related] [enable | disable]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> state [established |
- invalid | new | related] [enable | disable]
+ set firewall ipv4 input filter rule 10 tcp flags 'ACK'
+ set firewall ipv4 input filter rule 12 tcp flags 'SYN'
+ set firewall ipv4 input filter rule 13 tcp flags 'SYN,!ACK,!FIN,!RST'
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ state [established | invalid | new | related] [enable | disable]
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ state [established | invalid | new | related] [enable | disable]
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ state [established | invalid | new | related] [enable | disable]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ state [established | invalid | new | related] [enable | disable]
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ state [established | invalid | new | related] [enable | disable]
Match against the state of a packet.
-.. cfgcmd:: set firewall name <name> rule <1-999999> time startdate <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time startdate <text>
-.. cfgcmd:: set firewall name <name> rule <1-999999> time starttime <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time starttime <text>
-.. cfgcmd:: set firewall name <name> rule <1-999999> time stopdate <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stopdate <text>
-.. cfgcmd:: set firewall name <name> rule <1-999999> time stoptime <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stoptime <text>
-.. cfgcmd:: set firewall name <name> rule <1-999999> time weekdays <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time weekdays <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ time startdate <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ time startdate <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ time startdate <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ time startdate <text>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ time startdate <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ time starttime <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ time starttime <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ time starttime <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ time starttime <text>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ time starttime <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ time stopdate <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ time stopdate <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ time stopdate <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ time stopdate <text>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ time stopdate <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ time stoptime <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ time stoptime <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ time stoptime <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ time stoptime <text>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ time stoptime <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ time weekdays <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ time weekdays <text>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ time weekdays <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ time weekdays <text>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ time weekdays <text>
Time to match the defined rule.
-.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255>
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ ttl <eq | gt | lt> <0-255>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ ttl <eq | gt | lt> <0-255>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ ttl <eq | gt | lt> <0-255>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ ttl <eq | gt | lt> <0-255>
Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for
'greater than', and 'lt' stands for 'less than'.
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> hop-limit <eq | gt |
- lt> <0-255>
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ hop-limit <eq | gt | lt> <0-255>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ hop-limit <eq | gt | lt> <0-255>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ hop-limit <eq | gt | lt> <0-255>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ hop-limit <eq | gt | lt> <0-255>
Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
'greater than', and 'lt' stands for 'less than'.
-.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
-.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second |
- minute | hour>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second |
- minute | hour>
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ recent count <1-255>
+
+.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
+ recent time <second | minute | hour>
+.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
+ recent time <second | minute | hour>
+.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
+ recent time <second | minute | hour>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ recent time <second | minute | hour>
+.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
+ recent time <second | minute | hour>
Match when 'count' amount of connections are seen within 'time'. These
matching criteria can be used to block brute-force attempts.
-***********************************
-Applying a Rule-Set to an Interface
-***********************************
-
-A Rule-Set can be applied to every interface:
-
-* ``in``: Ruleset for forwarded packets on an inbound interface
-* ``out``: Ruleset for forwarded packets on an outbound interface
-* ``local``: Ruleset for packets destined for this router
-
-.. cfgcmd:: set firewall interface <interface> [in | out | local] [name |
- ipv6-name] <rule-set>
-
-
- Here are some examples for applying a rule-set to an interface
-
- .. code-block:: none
-
- set firewall interface eth1.100 in name LANv4-IN
- set firewall interface eth1.100 out name LANv4-OUT
- set firewall interface bond0 in name LANv4-IN
- set firewall interface vtun1 in name LANv4-IN
- set firewall interface eth2* in name LANv4-IN
-
- .. note::
- As you can see in the example here, you can assign the same rule-set to
- several interfaces. An interface can only have one rule-set per chain.
-
- .. note::
- You can use wildcard ``*`` to match a group of interfaces.
-
***********************
Operation-mode Firewall
***********************
@@ -779,65 +1277,62 @@ Rule-set overview
.. code-block:: none
- vyos@vyos:~$ show firewall
-
- ------------------------
- Firewall Global Settings
- ------------------------
-
- Firewall state-policy for all IPv4 and Ipv6 traffic
-
- state action log
- ----- ------ ---
- invalid accept disabled
- established accept disabled
- related accept disabled
-
- -----------------------------
+ vyos@vyos:~$ show firewall
Rulesets Information
- -----------------------------
- --------------------------------------------------------------------------
- IPv4 Firewall "DMZv4-1-IN":
-
- Active on (eth0,IN)
-
- rule action proto packets bytes
- ---- ------ ----- ------- -----
- 10 accept icmp 0 0
- condition - saddr 10.1.0.0/24 daddr 0.0.0.0/0 LOG enabled
-
- 10000 drop all 0 0
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled
-
- --------------------------------------------------------------------------
- IPv4 Firewall "DMZv4-1-OUT":
-
- Active on (eth0,OUT)
-
- rule action proto packets bytes
- ---- ------ ----- ------- -----
- 10 accept tcp_udp 1 60
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-DST-PORT-GROUP DMZ-Ports /*
- DMZv4-1-OUT-10 */LOG enabled
- 11 accept icmp 1 84
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* DMZv4-1-OUT-11 */LOG enabled
-
- 10000 drop all 6 360
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled
-
- --------------------------------------------------------------------------
- IPv4 Firewall "LANv4-IN":
-
- Inactive - Not applied to any interfaces or zones.
-
- rule action proto packets bytes
- ---- ------ ----- ------- -----
- 10 accept all 0 0
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* LANv4-IN-10 */
-
- 10000 drop all 0 0
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
+ ---------------------------------
+ IPv4 Firewall "forward filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- -----------------------------------------
+ 5 jump all 0 0 iifname "eth1" jump NAME_VyOS_MANAGEMENT
+ 10 jump all 0 0 oifname "eth1" jump NAME_WAN_IN
+ 15 jump all 0 0 iifname "eth3" jump NAME_WAN_IN
+ default accept all
+
+ ---------------------------------
+ IPv4 Firewall "name VyOS_MANAGEMENT"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- --------------------------------
+ 5 accept all 0 0 ct state established accept
+ 10 drop all 0 0 ct state invalid
+ 20 accept all 0 0 ip saddr @A_GOOD_GUYS accept
+ 30 accept all 0 0 ip saddr @N_ENTIRE_RANGE accept
+ 40 accept all 0 0 ip saddr @A_VyOS_SERVERS accept
+ 50 accept icmp 0 0 meta l4proto icmp accept
+ default drop all 0 0
+
+ ---------------------------------
+ IPv6 Firewall "forward filter"
+
+ Rule Action Protocol
+ ------- -------- ----------
+ 5 jump all
+ 10 jump all
+ 15 jump all
+ default accept all
+
+ ---------------------------------
+ IPv6 Firewall "input filter"
+
+ Rule Action Protocol
+ ------- -------- ----------
+ 5 jump all
+ default accept all
+
+ ---------------------------------
+ IPv6 Firewall "ipv6_name IPV6-VyOS_MANAGEMENT"
+
+ Rule Action Protocol
+ ------- -------- ----------
+ 5 accept all
+ 10 drop all
+ 20 accept all
+ 30 accept all
+ 40 accept all
+ 50 accept ipv6-icmp
+ default drop all
.. opcmd:: show firewall summary
@@ -845,54 +1340,81 @@ Rule-set overview
.. code-block:: none
- vyos@vyos:~$ show firewall summary
+ vyos@vyos:~$ show firewall summary
+ Ruleset Summary
- ------------------------
- Firewall Global Settings
- ------------------------
+ IPv6 Ruleset:
- Firewall state-policy for all IPv4 and Ipv6 traffic
+ Ruleset Hook Ruleset Priority Description
+ -------------- -------------------- -------------------------
+ forward filter
+ input filter
+ ipv6_name IPV6-VyOS_MANAGEMENT
+ ipv6_name IPV6-WAN_IN PUBLIC_INTERNET
- state action log
- ----- ------ ---
- invalid accept disabled
- related accept disabled
- established accept disabled
+ IPv4 Ruleset:
- ------------------------
- Firewall Rulesets
- ------------------------
+ Ruleset Hook Ruleset Priority Description
+ -------------- ------------------ -------------------------
+ forward filter
+ input filter
+ name VyOS_MANAGEMENT
+ name WAN_IN PUBLIC_INTERNET
- IPv4 name:
+ Firewall Groups
- Rule-set name Description References
- ------------- ----------- ----------
- DMZv4-1-OUT (eth0,OUT)
- DMZv4-1-IN (eth0,IN)
+ Name Type References Members
+ ----------------------- ------------------ ----------------------- ----------------
+ PBX address_group WAN_IN-100 198.51.100.77
+ SERVERS address_group WAN_IN-110 192.0.2.10
+ WAN_IN-111 192.0.2.11
+ WAN_IN-112 192.0.2.12
+ WAN_IN-120
+ WAN_IN-121
+ WAN_IN-122
+ SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2
+ WAN_IN-20
+ PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2
+ PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2
+ WAN_IN-171
+ PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1
+ SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2
+ IPV6-WAN_IN-111 2001:db8::3
+ IPV6-WAN_IN-112 2001:db8::4
+ IPV6-WAN_IN-120
+ IPV6-WAN_IN-121
+ IPV6-WAN_IN-122
+ SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5
+ IPV6-WAN_IN-20
+
+
+.. opcmd:: show firewall [ipv4 | ipv6] [forward | input | output] filter
+
+.. opcmd:: show firewall ipv4 name <name>
+
+.. opcmd:: show firewall ipv6 ipv6-name <name>
- ------------------------
- Firewall Groups
- ------------------------
+ This command will give an overview of a single rule-set.
- Port Groups:
+ .. code-block:: none
- Group name Description References
- ---------- ----------- ----------
- DMZ-Ports DMZv4-1-OUT-10-destination
+ vyos@vyos:~$ show firewall ipv4 input filter
+ Ruleset Information
- Network Groups:
+ ---------------------------------
+ IPv4 Firewall "input filter"
- Group name Description References
- ---------- ----------- ----------
- LANv4 LANv4-IN-10-source,
- DMZv4-1-OUT-10-source,
- DMZv4-1-OUT-11-source
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- -----------------------------------------
+ 5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT
+ default accept all
-.. opcmd:: show firewall statistics
+.. opcmd:: show firewall [ipv4 | ipv6] [forward | input | output]
+ filter rule <1-999999>
- This will show you a statistic of all rule-sets since the last boot.
+.. opcmd:: show firewall ipv4 name <name> rule <1-999999>
-.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>
+.. opcmd:: show firewall ipv6 ipv6-name <name> rule <1-999999>
This command will give an overview of a rule in a single rule-set
@@ -903,56 +1425,20 @@ Rule-set overview
.. code-block:: none
- vyos@vyos:~$ show firewall group DMZ-Ports
- Name : DMZ-Ports
- Type : port
- References : none
- Members :
- 80
- 443
- 8080
- 8443
-
- vyos@vyos:~$ show firewall group LANv4
- Name : LANv4
- Type : network
- References : LANv4-IN-10-source
- Members :
- 10.10.0.0/16
-
-.. opcmd:: show firewall [name | ipv6name] <name>
-
- This command will give an overview of a single rule-set.
-
-.. opcmd:: show firewall [name | ipv6name] <name> statistics
-
- This will show you a rule-set statistic since the last boot.
-
-.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>
-
- This command will give an overview of a rule in a single rule-set.
-
-
-Zone-Policy Overview
-====================
-
-.. opcmd:: show zone-policy zone <name>
-
- Use this command to get an overview of a zone.
-
- .. code-block:: none
+ vyos@vyos:~$ show firewall group LAN
+ Firewall Groups
- vyos@vyos:~$ show zone-policy zone DMZ
- -------------------
- Name: DMZ
+ Name Type References Members
+ ------------ ------------------ ----------------------- ----------------
+ LAN ipv6_network_group IPV6-VyOS_MANAGEMENT-30 2001:db8::0/64
+ IPV6-WAN_IN-30
+ LAN network_group VyOS_MANAGEMENT-30 192.168.200.0/24
+ WAN_IN-30
- Interfaces: eth0 eth1
- From Zone:
- name firewall
- ---- --------
- LAN DMZv4-1-OUT
+.. opcmd:: show firewall statistics
+ This will show you a statistic of all rule-sets since the last boot.
Show Firewall log
=================
@@ -967,81 +1453,54 @@ Show Firewall log
For example: ``grep '10.10.0.10' /var/log/messages``
-
Example Partial Config
======================
.. code-block:: none
firewall {
- interface eth0 {
- in {
- name FROM-INTERNET
- }
- }
- all-ping enable
- broadcast-ping disable
- config-trap disable
- group {
- network-group BAD-NETWORKS {
- network 198.51.100.0/24
- network 203.0.113.0/24
- }
- network-group GOOD-NETWORKS {
- network 192.0.2.0/24
- }
- port-group BAD-PORTS {
- port 65535
- }
- }
- name FROM-INTERNET {
- default-action accept
- description "From the Internet"
- rule 10 {
- action accept
- description "Authorized Networks"
- protocol all
- source {
- group {
- network-group GOOD-NETWORKS
- }
- }
- }
- rule 11 {
- action drop
- description "Bad Networks"
- protocol all
- source {
- group {
- network-group BAD-NETWORKS
- }
- }
- }
- rule 30 {
- action drop
- description "BAD PORTS"
- destination {
- group {
- port-group BAD-PORTS
- }
- }
- log enable
- protocol all
- }
- }
- }
- interfaces {
- ethernet eth1 {
- address dhcp
- description OUTSIDE
- duplex auto
- }
+ group {
+ network-group BAD-NETWORKS {
+ network 198.51.100.0/24
+ network 203.0.113.0/24
+ }
+ network-group GOOD-NETWORKS {
+ network 192.0.2.0/24
+ }
+ port-group BAD-PORTS {
+ port 65535
+ }
+ }
+ ipv4 {
+ forward {
+ filter {
+ default-action accept
+ rule 5 {
+ action accept
+ source {
+ group {
+ network-group GOOD-NETWORKS
+ }
+ }
+ }
+ rule 10 {
+ action drop
+ description "Bad Networks"
+ protocol all
+ source {
+ group {
+ network-group BAD-NETWORKS
+ }
+ }
+ }
+ }
+ }
+ }
}
-
Update geoip database
=====================
.. opcmd:: update geoip
- Command used to update GeoIP database and firewall sets. \ No newline at end of file
+ Command used to update GeoIP database and firewall sets.
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index dfafa606..567e48a0 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -2,9 +2,23 @@
Firewall
########
+Starting from VyOS 1.4-rolling-202308040557, a new firewall structure
+can be found on all vyos installations. Documentation for most new firewall
+cli can be found here:
+
.. toctree::
:maxdepth: 1
:includehidden:
general
+
+Also, for those who haven't updated to newer version, legacy documentation is
+still present and valid for all sagitta version prior to VyOS
+1.4-rolling-202308040557:
+
+.. toctree::
+ :maxdepth: 1
+ :includehidden:
+
+ general-legacy
zone
diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst
index b27e02b9..403de912 100644
--- a/docs/configuration/firewall/zone.rst
+++ b/docs/configuration/firewall/zone.rst
@@ -6,6 +6,10 @@
Zone Based Firewall
###################
+.. note:: **Important note:**
+ This documentation is valid only for VyOS Sagitta prior to
+ 1.4-rolling-YYYYMMDDHHmm
+
In zone-based policy, interfaces are assigned to zones, and inspection policy
is applied to traffic moving between the zones and acted on according to
firewall rules. A Zone is a group of interfaces that have similar functions or
diff --git a/docs/configuration/interfaces/macsec.rst b/docs/configuration/interfaces/macsec.rst
index 60877d73..0c0c052b 100644
--- a/docs/configuration/interfaces/macsec.rst
+++ b/docs/configuration/interfaces/macsec.rst
@@ -44,6 +44,30 @@ MACsec options
A physical interface is required to connect this MACsec instance to. Traffic
leaving this interface will now be authenticated/encrypted.
+Static Keys
+-----------
+Static :abbr:`SAK (Secure Authentication Key)` mode can be configured manually on each
+device wishing to use MACsec. Keys must be set statically on all devices for traffic
+to flow properly. Key rotation is dependent on the administrator updating all keys
+manually across connected devices. Static SAK mode can not be used with MKA.
+
+.. cfgcmd:: set interfaces macsec <interface> security static key <key>
+
+ Set the device's transmit (TX) key. This key must be a hex string that is 16-bytes
+ (GCM-AES-128) or 32-bytes (GCM-AES-256).
+
+.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> mac <mac address>
+
+ Set the peer's MAC address
+
+.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> key <key>
+
+ Set the peer's key used to receive (RX) traffic
+
+.. cfgcmd:: set interfaces macsec <interface> security static peer <peer> disable
+
+ Disable the peer configuration
+
Key Management
--------------
@@ -188,3 +212,28 @@ the unencrypted but authenticated content.
0x0070: 3031 3233 3435 3637 87d5 eed3 3a39 d52b 01234567....:9.+
0x0080: a282 c842 5254 ef28 ...BRT.(
+**R1 Static Key**
+
+.. code-block:: none
+
+ set interfaces macsec macsec1 address '192.0.2.1/24'
+ set interfaces macsec macsec1 address '2001:db8::1/64'
+ set interfaces macsec macsec1 security cipher 'gcm-aes-128'
+ set interfaces macsec macsec1 security encrypt
+ set interfaces macsec macsec1 security static key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
+ set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:02
+ set interfaces macsec macsec1 security static peer R2 key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
+ set interfaces macsec macsec1 source-interface 'eth1'
+
+**R2 Static Key**
+
+.. code-block:: none
+
+ set interfaces macsec macsec1 address '192.0.2.2/24'
+ set interfaces macsec macsec1 address '2001:db8::2/64'
+ set interfaces macsec macsec1 security cipher 'gcm-aes-128'
+ set interfaces macsec macsec1 security encrypt
+ set interfaces macsec macsec1 security static key 'eadcc0aa9cf203f3ce651b332bd6e6c7'
+ set interfaces macsec macsec1 security static peer R2 mac 00:11:22:33:44:01
+ set interfaces macsec macsec1 security static peer R2 key 'ddd6f4a7be4d8bbaf88b26f10e1c05f7'
+ set interfaces macsec macsec1 source-interface 'eth1' \ No newline at end of file
diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst
index 5eb10fe8..d2916d9f 100644
--- a/docs/configuration/interfaces/wireguard.rst
+++ b/docs/configuration/interfaces/wireguard.rst
@@ -183,6 +183,10 @@ traffic.
The command :opcmd:`show interfaces wireguard wg01 public-key` will then show the
public key, which needs to be shared with the peer.
+.. cmdinclude:: /_include/interface-per-client-thread.txt
+ :var0: wireguard
+ :var1: wg01
+
**remote side - commands**
.. code-block:: none
diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst
index f45101b5..e853a1ec 100644
--- a/docs/configuration/interfaces/wireless.rst
+++ b/docs/configuration/interfaces/wireless.rst
@@ -122,6 +122,10 @@ Wireless options
* ``station`` - Connects to another access point
* ``monitor`` - Passively monitor all packets on the frequency/channel
+.. cmdinclude:: /_include/interface-per-client-thread.txt
+ :var0: wireless
+ :var1: wlan0
+
PPDU
----
@@ -304,6 +308,7 @@ default physical device (``phy0``) is used.
set interfaces wireless wlan0 type station
set interfaces wireless wlan0 address dhcp
+ set interfaces wireless wlan0 country-code de
set interfaces wireless wlan0 ssid Test
set interfaces wireless wlan0 security wpa passphrase '12345678'
@@ -315,6 +320,7 @@ Resulting in
[...]
wireless wlan0 {
address dhcp
+ country-code de
security {
wpa {
passphrase "12345678"
@@ -350,6 +356,7 @@ The WAP in this example has the following characteristics:
.. code-block:: none
set interfaces wireless wlan0 address '192.168.2.1/24'
+ set interfaces wireless wlan0 country-code de
set interfaces wireless wlan0 type access-point
set interfaces wireless wlan0 channel 1
set interfaces wireless wlan0 mode n
@@ -367,6 +374,7 @@ Resulting in
[...]
wireless wlan0 {
address 192.168.2.1/24
+ country-code de
channel 1
mode n
security {
@@ -385,11 +393,6 @@ Resulting in
type access-point
}
}
- system {
- [...]
- wifi-regulatory-domain DE
- }
-
VLAN
====
diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst
index 3a73d444..9aeb581e 100644
--- a/docs/configuration/nat/nat44.rst
+++ b/docs/configuration/nat/nat44.rst
@@ -283,6 +283,32 @@ Example of redirection:
set nat destination rule 10 translation redirect port 22
+NAT Load Balance
+----------------
+
+Advanced configuration can be used in order to apply source or destination NAT,
+and within a single rule, be able to define multiple translated addresses,
+so NAT balances the translations among them.
+
+NAT Load Balance uses an algorithm that generates a hash and based on it, then
+it applies corresponding translation. This hash can be generated randomly, or
+can use data from the ip header: source-address, destination-address,
+source-port and/or destination-port. By default, it will generate the hash
+randomly.
+
+When defining the translated address, called ``backends``, a ``weight`` must
+be configured. This lets the user define load balance distribution according
+to their needs. Them sum of all the weights defined for the backends should
+be equal to 100. In oder words, the weight defined for the backend is the
+percentage of the connections that will receive such backend.
+
+.. cfgcmd:: set nat [source | destination] rule <rule> load-balance hash
+ [source-address | destination-address | source-port | destination-port
+ | random]
+.. cfgcmd:: set nat [source | destination] rule <rule> load-balance backend
+ <x.x.x.x> weight <1-100>
+
+
Configuration Examples
======================
@@ -602,6 +628,40 @@ provide access to their internal resources, and require that a
connecting organisation translate all traffic to the service provider
network to a source address provided by the ASP.
+Load Balance
+------------
+Here we provide two examples on how to apply NAT Load Balance.
+
+First scenario: apply destination NAT for all HTTP traffic comming through
+interface eth0, and user 4 backends. First backend should received 30% of
+the request, second backend should get 20%, third 15% and the fourth 35%
+We will use source and destination address for hash generation.
+
+.. code-block:: none
+
+ set nat destination rule 10 inbound-interface eth0
+ set nat destination rule 10 protocol tcp
+ set nat destination rule 10 destination port 80
+ set nat destination rule 10 load-balance hash source-address
+ set nat destination rule 10 load-balance hash destination-address
+ set nat destination rule 10 laod-balance backend 198.51.100.101 weight 30
+ set nat destination rule 10 laod-balance backend 198.51.100.102 weight 20
+ set nat destination rule 10 laod-balance backend 198.51.100.103 weight 15
+ set nat destination rule 10 laod-balance backend 198.51.100.104 weight 35
+
+Second scenario: apply source NAT for all outgoing connections from
+LAN 10.0.0.0/8, using 3 public addresses and equal distribution.
+We will generate the hash randomly.
+
+.. code-block:: none
+
+ set nat source rule 10 outbound-interface eth0
+ set nat source rule 10 source address 10.0.0.0/8
+ set nat source rule 10 load-balance hash random
+ set nat source rule 10 load-balance backend 192.0.2.251 weight 33
+ set nat source rule 10 load-balance backend 192.0.2.252 weight 33
+ set nat source rule 10 load-balance backend 192.0.2.253 weight 34
+
Example Network
^^^^^^^^^^^^^^^
diff --git a/docs/configuration/service/dns.rst b/docs/configuration/service/dns.rst
index 92677d86..c96c0ab4 100644
--- a/docs/configuration/service/dns.rst
+++ b/docs/configuration/service/dns.rst
@@ -251,6 +251,12 @@ Configuration
Configure optional TTL value on the given resource record. This defaults to
600 seconds.
+.. cfgcmd:: set service dns dynamic timeout <60-3600>
+
+ Specify timeout / update interval to check if IP address changed.
+
+ This defaults to 300 seconds.
+
.. _dns:dynmaic_example:
Example
diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst
index 07f1faba..a51aca52 100644
--- a/docs/configuration/vrf/index.rst
+++ b/docs/configuration/vrf/index.rst
@@ -425,6 +425,14 @@ address-family.
automatically assigned from a pool maintained.
.. cfgcmd:: set vrf name <name> protocols bgp address-family
+ <ipv4-unicast|ipv6-unicast> label vpn allocation-mode per-nexthop
+
+ Select how labels are allocated in the given VRF. By default, the per-vrf
+ mode is selected, and one label is used for all prefixes from the VRF. The
+ per-nexthop will use a unique label for all prefixes that are reachable via
+ the same nexthop.
+
+.. cfgcmd:: set vrf name <name> protocols bgp address-family
<ipv4-unicast|ipv6-unicast> route-map vpn <import|export>
[route-map <name>]
@@ -444,6 +452,13 @@ address-family.
derived and should not be specified explicitly for either the source or
destination VRF’s.
+.. cfgcmd:: set vrf name <name> protocols bgp interface <interface> mpls
+ forwarding
+
+ It is possible to permit BGP install VPN prefixes without transport labels.
+ This configuration will install VPN prefixes originated from an e-bgp session,
+ and with the next-hop directly connected.
+
.. _l3vpn-vrf example operation:
Operation
diff --git a/docs/installation/virtual/docker.rst b/docs/installation/virtual/docker.rst
index e2bc0198..c4ff2c15 100644
--- a/docs/installation/virtual/docker.rst
+++ b/docs/installation/virtual/docker.rst
@@ -49,7 +49,7 @@ Deploy container from ISO
=========================
Download the ISO on which you want to base the container. In this example,
-the name of the ISO is ``vyos-1.4-rolling-202111281249-amd64.iso``. If you
+the name of the ISO is ``vyos-1.4-rolling-202308240020-amd64.iso``. If you
created a custom IPv6-enabled network, the ``docker run`` command below
will require that this network be included as the ``--net`` parameter to
``docker run``.
@@ -57,9 +57,10 @@ will require that this network be included as the ``--net`` parameter to
.. code-block:: none
$ mkdir vyos && cd vyos
- $ cp ~/vyos-1.4-rolling-202111281249-amd64.iso .
+ $ curl -o vyos-1.4-rolling-202308240020-amd64.iso https://github.com/vyos/vyos-rolling-night
+ly-builds/releases/download/1.4-rolling-202308240020/vyos-1.4-rolling-202308240020-amd64.iso
$ mkdir rootfs
- $ sudo mount -o loop vyos-1.4-rolling-202111281249-amd64.iso rootfs
+ $ sudo mount -o loop vyos-1.4-rolling-202308240020-amd64.iso rootfs
$ sudo apt-get install -y squashfs-tools
$ mkdir unsquashfs
$ sudo unsquashfs -f -d unsquashfs/ rootfs/live/filesystem.squashfs