diff options
author | Remi van Dijk | Link-it <r.vandijk@link-it.nl> | 2022-07-06 11:43:33 +0200 |
---|---|---|
committer | Remi van Dijk | Link-it <r.vandijk@link-it.nl> | 2022-07-06 11:43:33 +0200 |
commit | 54196d2ca6179685b511b1c5de139bb7d778bf1d (patch) | |
tree | b300b4942435afd0cd4e3d0463650412a60d78a4 | |
parent | a04df9e0c61fee87f297972db17fee93878016de (diff) | |
download | vyos-documentation-54196d2ca6179685b511b1c5de139bb7d778bf1d.tar.gz vyos-documentation-54196d2ca6179685b511b1c5de139bb7d778bf1d.zip |
Firewall: T4299: Add inverse-match to geoip
-rw-r--r-- | docs/configuration/firewall/index.rst | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 5081ce2f..a83ea2ae 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -325,15 +325,25 @@ There are a lot of matching criteria against which the package can be tested. .. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code <country> +.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip country-code <country> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip + inverse-match .. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip country-code <country> +.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip + inverse-match .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip country-code <country> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip + inverse-match + +Match IP addresses based on its geolocation. +More info: `geoip matching +<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. -Match IP addresses based on its geolocation. More info: `geoip matching -<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_ +Use inverse-match to match anything except the given country-codes. Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, permits redistribution so we can include a database in images(~3MB @@ -531,10 +541,10 @@ Applying a Rule-Set to a Zone Before you are able to apply a rule-set to a zone you have to create the zones first. -It helps to think of the syntax as: (see below). The 'rule-set' should be +It helps to think of the syntax as: (see below). The 'rule-set' should be written from the perspective of: *Source Zone*-to->*Destination Zone* -.. cfgcmd:: set zone-policy zone <Destination Zone> from <Source Zone> +.. cfgcmd:: set zone-policy zone <Destination Zone> from <Source Zone> firewall name <rule-set> .. cfgcmd:: set zone-policy zone <name> from <name> firewall name @@ -829,4 +839,4 @@ Update geoip database .. opcmd:: update geoip - Command used to update GeoIP database and firewall sets.
\ No newline at end of file + Command used to update GeoIP database and firewall sets. |