authorNicolas Fort <yocasquito@gmail.com>2022-09-06 13:41:31 -0300
committerNicolas Fort <yocasquito@gmail.com>2022-09-06 13:41:31 -0300
commitdce86e966ef09191c99d4a041127ac6b223daef0 (patch)
tree53376acf686bb47526b729040d9ef03c820efe30 /docs/configuration/firewall/index.rst
parent1e13aef910d4cd4a5936fe9d483182adddff0e67 (diff)
Firewall. Update matching criteria for firewall rules
Diffstat (limited to 'docs/configuration/firewall/index.rst')
-rw-r--r--docs/configuration/firewall/index.rst101
1 files changed, 101 insertions, 0 deletions
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index a36877b7..56477dfc 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -423,6 +423,85 @@ geoip) to keep database and rules updated.
Use a specific port-group. Prepend character '!' for inverted matching
criteria.
+.. cfgcmd:: set firewall name <name> rule <1-999999> source group
+ domain-group <name | !name>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
+ domain-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
+ domain-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
+ domain-group <name | !name>
+
+ Use a specific domain-group. Prepend character '!' for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source group
+ mac-group <name | !name>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
+ mac-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
+ mac-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
+ mac-group <name | !name>
+
+ Use a specific mac-group. Prepend character '!' for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> fragment [match-frag |
+ match-non-frag]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> fragment [match-frag
+ | match-non-frag]
+
+ Match based on fragment criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> icmp [code | type]
+ <0-255>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 [code | type]
+ <0-255>
+
+ Match based on icmp|icmpv6 code and type.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> icmp type-name <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 type-name
+ <text>
+
+ Match based on icmp|icmpv6 type-name criteria. Use tab for information
+ about what **type-name** criteria are supported.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> ipsec [match-ipsec
+ | match-none]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> ipsec [match-ipsec
+ | match-none]
+
+ Match based on ipsec criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> limit burst
+ <0-4294967295>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit burst
+ <0-4294967295>
+
+ Match based on the maximum number of packets to allow in excess of rate.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> limit rate
+ <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit rate
+ <text>
+
+ Match based on the maximum average rate, specified as **integer/unit**.
+ For example **5/minutes**
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length
+ <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length
+ <text>
+.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length-exclude
+ <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length-exclude
+ <text>
+
+ Match based on packet length criteria. Multiple values from 1 to 65535
+ and ranges are supported.
+
.. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> |
<0-255> | all | tcp_udp]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> protocol [<text> |
@@ -439,6 +518,15 @@ geoip) to keep database and rules updated.
set firewall name WAN-IN-v4 rule 11 protocol !tcp_udp
set firewall ipv6-name WAN-IN-v6 rule 10 protocol tcp
+.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
+.. cfgcmd:: set firewall name <name> rule <1-999999> recent time
+ [second | minute | hour]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time
+ [second | minute | hour]
+
+ Match bases on recently seen sources.
+
.. cfgcmd:: set firewall name <name> rule <1-999999> tcp flags <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> tcp flags <text>
@@ -459,6 +547,19 @@ geoip) to keep database and rules updated.
Match against the state of a packet.
+.. cfgcmd:: set firewall name <name> rule <1-999999> time startdate <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time startdate <text>
+.. cfgcmd:: set firewall name <name> rule <1-999999> time starttime <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time starttime <text>
+.. cfgcmd:: set firewall name <name> rule <1-999999> time stopdate <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stopdate <text>
+.. cfgcmd:: set firewall name <name> rule <1-999999> time stoptime <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stoptime <text>
+.. cfgcmd:: set firewall name <name> rule <1-999999> time weekdays <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time weekdays <text>
+
+ Time to match the defined rule.
+
.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255>
Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for