author: Remi van Dijk | Link-it <r.vandijk@link-it.nl> 2022-07-06 11:43:33 +0200
committer: Remi van Dijk | Link-it <r.vandijk@link-it.nl> 2022-07-06 11:43:33 +0200
commit: 54196d2ca6179685b511b1c5de139bb7d778bf1d
tree: b300b4942435afd0cd4e3d0463650412a60d78a4
parent: a04df9e0c61fee87f297972db17fee93878016de
Firewall: T4299: Add inverse-match to geoip
-rw-r--r-- docs/configuration/firewall/index.rst 20
1 files changed, 15 insertions, 5 deletions
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index 5081ce2f..a83ea2ae 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -325,15 +325,25 @@ There are a lot of matching criteria against which the package can be tested.
.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code
<country>
+.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
country-code <country>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
+ inverse-match
.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
country-code <country>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
+ inverse-match
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
country-code <country>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
+ inverse-match
+
+Match IP addresses based on its geolocation.
+More info: `geoip matching
+<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
-Match IP addresses based on its geolocation. More info: `geoip matching
-<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_
+Use inverse-match to match anything except the given country-codes.
Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
permits redistribution so we can include a database in images(~3MB
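Review bot: the added sentence "Use inverse-match to match anything except the given country-codes." does not state explicitly that inverse-match negates the country-code list configured on the same rule and the same side (source or destination), and the four new cfgcmd entries come without an example. Suggest adding a short example that pairs a country-code entry with inverse-match, and a sentence on how an address that is absent from the GeoIP database is treated when inverse-match is set, since that decides what an accept or drop rule written this way actually covers. Two wording points in the same hunk: "based on its geolocation" should read "based on their geolocation", and "country-codes" would be better written as the literal option name "country-code" used in the command syntax above it.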
@@ -531,10 +541,10 @@ Applying a Rule-Set to a Zone
Before you are able to apply a rule-set to a zone you have to create the zones
first.
-It helps to think of the syntax as: (see below). The 'rule-set' should be
+It helps to think of the syntax as: (see below). The 'rule-set' should be
written from the perspective of: *Source Zone*-to->*Destination Zone*
-.. cfgcmd:: set zone-policy zone <Destination Zone> from <Source Zone>
+.. cfgcmd:: set zone-policy zone <Destination Zone> from <Source Zone>
firewall name <rule-set>
.. cfgcmd:: set zone-policy zone <name> from <name> firewall name
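Review bot: the two changed lines in this hunk ("It helps to think of the syntax as: ..." and the "set zone-policy zone <Destination Zone> from <Source Zone>" cfgcmd) show no visible text difference between the removed and added versions, so they look like whitespace-only cleanups that are unrelated to the geoip inverse-match change named in the commit subject. Consider moving them to a separate commit, or mention the whitespace cleanup in the commit message so the history of the zone-policy section stays easy to follow.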
@@ -829,4 +839,4 @@ Update geoip database
.. opcmd:: update geoip
- Command used to update GeoIP database and firewall sets. \ No newline at end of file
+ Command used to update GeoIP database and firewall sets.