author | rebortg <github@ghlr.de> | 2023-11-23 21:09:57 +0100 |
---|---|---|
committer | rebortg <github@ghlr.de> | 2023-11-23 21:09:57 +0100 |
commit | 4aa0865d9fa00ddb5dc12dddf7208bf53f14075a (patch) | |
tree | 626ce6874124e405abb6f5abb916709549b8d0f8 /docs/configuration/firewall/ipv4.rst | |
parent | 32400cbbda436c062f75af27c36717e9a33fdc14 (diff) | |
backport Firewall docs from master
Diffstat (limited to 'docs/configuration/firewall/ipv4.rst')
-rw-r--r-- | docs/configuration/firewall/ipv4.rst | 1145 |
1 files changed, 1145 insertions, 0 deletions
diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst new file mode 100644 index 00000000..3fd365e1 --- /dev/null +++ b/docs/configuration/firewall/ipv4.rst 
@@ -0,0 +1,1145 @@ +:lastproofread: 2023-11-08 + +.. _firewall-ipv4-configuration: + +########################### +IPv4 Firewall Configuration +########################### + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding IPv4, and appropiate op-mode commands. +Configuration commands covered in this section: + +.. cfgcmd:: set firewall ipv4 ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * ipv4 + - forward + + filter + - input + + filter + - output + + filter + - name + + custom_name + +For transit traffic, which is received by the router and forwarded, base chain +is **forward**. A simplified packet flow diagram for transit traffic is shown +next: + +.. figure:: /_static/images/firewall-fwd-packet-flow.png + +Where firewall base chain to configure firewall filtering rules for transit +traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, +highlightened with red color. + +For traffic towards the router itself, base chain is **input**, while traffic +originated by the router, base chain is **output**. +A new simplified packet flow diagram is shown next, which shows the path +for traffic destinated to the router itself, and traffic generated by the +router (starting from circle number 6): + +.. figure:: /_static/images/firewall-input-packet-flow.png + +Base chain is for traffic toward the router is ``set firewall ipv4 input +filter ...`` + +And base chain for traffic generated by the router is ``set firewall ipv4 +output filter ...`` + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. 
For custom chains, if default + action is not defined, then the default-action is set to **drop** + +Custom firewall chains can be created, with commands +``set firewall ipv4 name <name> ...``. In order to use +such custom chain, a rule with **action jump**, and the appropiate **target** +should be defined in a base chain. + +********************* +Firewall - IPv4 Rules +********************* + +For firewall filtering, firewall rules needs to be created. Each rule is +numbered, has an action to apply if the rule is matched, and the ability +to specify multiple criteria matchers. Data packets go through the rules +from 1 - 999999, so order is crucial. At the first match the action of the +rule will be executed. + +Actions +======= + +If a rule is defined, then an action must be defined for it. This tells the +firewall what to do if all criteria matchers defined for such rule do match. + +The action can be : + + * ``accept``: accept the packet. + + * ``continue``: continue parsing next rule. + + * ``drop``: drop the packet. + + * ``reject``: reject the packet. + + * ``jump``: jump to another custom chain. + + * ``return``: Return from the current chain and continue at the next rule + of the last chain. + + * ``queue``: Enqueue packet to userspace. + + * ``synproxy``: synproxy the packet. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] + + This required setting defines the action of the current rule. If action is + set to jump, then jump-target is also needed. + +.. 
cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + jump-target <text> + + To be used only when action is set to jump. Use this command to specify + jump target. + +Also, **default-action** is an action that takes place whenever a packet does +not match any rule in it's chain. For base chains, possible options for +**default-action** are **accept** or **drop**. + +.. cfgcmd:: set firewall ipv4 forward filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv4 input filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv4 output filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv4 name <name> default-action + [accept | drop | jump | queue | reject | return] + + This set the default action of the rule-set if no rule matched a packet + criteria. If defacult-action is set to ``jump``, then + ``default-jump-target`` is also needed. Note that for base chains, default + action can only be set to ``accept`` or ``drop``, while on custom chain, + more actions are available. + +.. cfgcmd:: set firewall ipv4 name <name> default-jump-target <text> + + To be used only when ``defult-action`` is set to ``jump``. Use this + command to specify jump target for default rule. + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop** + +Firewall Logs +============= + +Logging can be enable for every single firewall rule. If enabled, other +log options can be defined. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log + [disable | enable] +.. 
cfgcmd:: set firewall ipv4 input filter rule <1-999999> log + [disable | enable] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> log + [disable | enable] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log + [disable | enable] + + Enable or disable logging for the matched packet. + +.. cfgcmd:: set firewall ipv4 forward filter enable-default-log +.. cfgcmd:: set firewall ipv4 input filter enable-default-log +.. cfgcmd:: set firewall ipv4 output filter enable-default-log +.. cfgcmd:: set firewall ipv4 name <name> enable-default-log + + Use this command to enable the logging of the default action on + the specified chain. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] + + Define log-level. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options group <0-65535> + + Define log group to send message to. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options snapshot-length <0-9000> +.. 
cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options snapshot-length <0-9000> + + Define length of packet payload to include in netlink message. Only + applicable if rule log is enable and log group is defined. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options queue-threshold <0-65535> + + Define number of packets to queue inside the kernel before sending them to + userspace. Only applicable if rule log is enable and log group is defined. + +Firewall Description +==================== + +For reference, a description can be defined for every single rule, and for +every defined custom chain. + +.. cfgcmd:: set firewall ipv4 name <name> description <text> + + Provide a rule-set description to a custom firewall chain. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> description <text> + + Provide a description for each rule. + +Rule Status +=========== + +When defining a rule, it is enable by default. In some cases, it is useful to +just disable the rule, rather than removing it. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> disable +.. 
cfgcmd:: set firewall ipv4 name <name> rule <1-999999> disable + + Command for disabling a rule but keep it in the configuration. + +Matching criteria +================= + +There are a lot of matching criteria against which the package can be tested. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + connection-status nat [destination | source] + + Match criteria based on nat connection status. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + connection-mark <1-2147483647> + + Match criteria based on connection mark. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source address [address | addressrange | CIDR] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. 
cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination address [address | addressrange | CIDR] + + Match criteria based on source and/or destination address. This is similar + to the network groups part, but here you are able to negate the matching + addresses. + + .. code-block:: none + + set firewall ipv4 name FOO rule 50 source address 192.0.2.10-192.0.2.11 + # with a '!' the rule match everything except the specified subnet + set firewall ipv4 input filter FOO rule 51 source address !203.0.113.0/24 + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source address-mask [address] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination address-mask [address] + + An arbitrary netmask can be applied to mask addresses to only match against + a specific portion. + + This functions for both individual addresses and address groups. + + .. code-block:: none + + # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet + set firewall ipv4 name FOO rule 100 destination address 0.11.0.13 + set firewall ipv4 name FOO rule 100 destination address-mask 0.255.0.255 + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source fqdn <fqdn> +.. 
cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination fqdn <fqdn> + + Specify a Fully Qualified Domain Name as source/destination matcher. Ensure + router is able to resolve such dns query. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source geoip country-code <country> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination geoip country-code <country> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source geoip inverse-match + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination geoip inverse-match +.. 
cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination geoip inverse-match + + Match IP addresses based on its geolocation. More info: `geoip matching + <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. + Use inverse-match to match anything except the given country-codes. + +Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, +permits redistribution so we can include a database in images(~3MB +compressed). Includes cron script (manually callable by op-mode update +geoip) to keep database and rules updated. + + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source mac-address <mac-address> + + Only in the source criteria, you can specify a mac-address. + + .. code-block:: none + + set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33 + set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34 + + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source port [1-65535 | portname | start-end] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. 
cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination port [1-65535 | portname | start-end] + + A port can be set with a port number or a name which is here + defined: ``/etc/services``. + + .. code-block:: none + + set firewall ipv4 forward filter rule 10 source port '22' + set firewall ipv4 forward filter rule 11 source port '!http' + set firewall ipv4 forward filter rule 12 source port 'https' + + Multiple source ports can be specified as a comma-separated list. + The whole list can also be "negated" using ``!``. For example: + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group address-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group address-group <name | !name> + + Use a specific address-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group network-group <name | !name> +.. 
cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group network-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group network-group <name | !name> + + Use a specific network-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group port-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group port-group <name | !name> + + Use a specific port-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group domain-group <name | !name> + +.. 
cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group domain-group <name | !name> + + Use a specific domain-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group mac-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group mac-group <name | !name> + + Use a specific mac-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + dscp [0-63 | start-end] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. 
cfgcmd:: set firewall ipv4 output filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + dscp-exclude [0-63 | start-end] + + Match based on dscp value. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + fragment [match-frag | match-non-frag] + + Match based on fragment criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + icmp [code | type] <0-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + icmp [code | type] <0-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + icmp [code | type] <0-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + icmp [code | type] <0-255> + + Match based on icmp code and type. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + icmp type-name <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + icmp type-name <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + icmp type-name <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + icmp type-name <text> + + Match based on icmp type-name criteria. Use tab for information + about what **type-name** criteria are supported. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + inbound-interface name <iface> + + Match based on inbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. 
cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + inbound-interface group <iface_group> + + Match based on inbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + outbound-interface name <iface> + + Match based on outbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + outbound-interface group <iface_group> + + Match based on outbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + ipsec [match-ipsec | match-none] + + Match based on ipsec criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + limit burst <0-4294967295> +.. 
cfgcmd:: set firewall ipv4 output filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + limit burst <0-4294967295> + + Match based on the maximum number of packets to allow in excess of rate. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + limit rate <text> + + Match based on the maximum average rate, specified as **integer/unit**. + For example **5/minutes** + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + packet-length <text> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + packet-length-exclude <text> + + Match based on packet length criteria. Multiple values from 1 to 65535 + and ranges are supported. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + packet-type [broadcast | host | multicast | other] + + Match based on packet type criteria. + +.. 
cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] + + Match a protocol criteria. A protocol number or a name which is here + defined: ``/etc/protocols``. + Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp + based packets. The ``!`` negate the selected protocol. + + .. code-block:: none + + set firewall ipv4 forward fitler rule 10 protocol tcp_udp + set firewall ipv4 forward fitler rule 11 protocol !tcp_udp + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent time [second | minute | hour] + + Match bases on recently seen sources. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + tcp flags [not] <text> +.. 
cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + tcp flags [not] <text> + + Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, + ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for + inverted selection use ``not``, as shown in the example. + + .. code-block:: none + + set firewall ipv4 input filter rule 10 tcp flags 'ack' + set firewall ipv4 input filter rule 12 tcp flags 'syn' + set firewall ipv4 input filter rule 13 tcp flags not 'fin' + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + state [established | invalid | new | related] [enable | disable] + + Match against the state of a packet. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time stopdate <text> +.. 
cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time weekdays <text> + + Time to match the defined rule. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + ttl <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + ttl <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + ttl <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + ttl <eq | gt | lt> <0-255> + + Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for + 'greater than', and 'lt' stands for 'less than'. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent time <second | minute | hour> +.. 
cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent time <second | minute | hour> + + Match when 'count' amount of connections are seen within 'time'. These + matching criteria can be used to block brute-force attempts. + +******** +Synproxy +******** +Synproxy connections + +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> action synproxy +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> protocol tcp +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> + + Set TCP-MSS (maximum segment size) for the connection + +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> + + Set the window scale factor for TCP window scaling + +Example synproxy +================ +Requirements to enable synproxy: + + * Traffic must be symmetric + * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled + * Disable conntrack loose track option + +.. 
code-block:: none + + set system sysctl parameter net.ipv4.tcp_timestamps value '1' + + set system conntrack tcp loose disable + set system conntrack ignore ipv4 rule 10 destination port '8080' + set system conntrack ignore ipv4 rule 10 protocol 'tcp' + set system conntrack ignore ipv4 rule 10 tcp flags syn + + set firewall global-options syn-cookies 'enable' + set firewall ipv4 input filter rule 10 action 'synproxy' + set firewall ipv4 input filter rule 10 destination port '8080' + set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' + set firewall ipv4 input filter rule 10 protocol 'tcp' + set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' + set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7' + set firewall ipv4 input filter rule 1000 action 'drop' + set firewall ipv4 input filter rule 1000 state invalid 'enable' + + +*********************** +Operation-mode Firewall +*********************** + +Rule-set overview +================= + +.. opcmd:: show firewall + + This will show you a basic firewall overview, for all ruleset, and not + only for ipv4 + + .. 
code-block:: none + + vyos@vyos:~$ show firewall + Rulesets Information + + --------------------------------- + ipv4 Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------- + 20 accept all 0 0 ip saddr @N_TRUSTEDv4 accept + 21 jump all 0 0 jump NAME_AUX + default accept all 0 0 + + --------------------------------- + ipv4 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ------------------------- + 10 accept all 156 14377 iifname != @I_LAN accept + default accept all 0 0 + + --------------------------------- + ipv4 Firewall "name AUX" + + Rule Action Protocol Packets Bytes Conditions + ------ -------- ---------- --------- ------- -------------------------------------------- + 10 accept icmp 0 0 meta l4proto icmp accept + 20 accept udp 0 0 meta l4proto udp ip saddr @A_SERVERS accept + 30 drop all 0 0 ip saddr != @A_SERVERS iifname "eth2" + + --------------------------------- + ipv4 Firewall "output filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------- + 10 reject all 0 0 oifname @I_LAN + 20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept + default accept all 72 9258 + + --------------------------------- + ipv6 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ------------------------------- + 10 accept all 0 0 ip6 saddr @N6_TRUSTEDv6 accept + default accept all 2 112 + + vyos@vyos:~$ + +.. opcmd:: show firewall summary + + This will show you a summary of rule-sets and groups + + .. 
code-block:: none + + vyos@vyos:~$ show firewall summary + Ruleset Summary + + IPv6 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- -------------------- ------------------------- + forward filter + input filter + ipv6_name IPV6-VyOS_MANAGEMENT + ipv6_name IPV6-WAN_IN PUBLIC_INTERNET + + IPv4 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- ------------------ ------------------------- + forward filter + input filter + name VyOS_MANAGEMENT + name WAN_IN PUBLIC_INTERNET + + Firewall Groups + + Name Type References Members + ----------------------- ------------------ ----------------------- ---------------- + PBX address_group WAN_IN-100 198.51.100.77 + SERVERS address_group WAN_IN-110 192.0.2.10 + WAN_IN-111 192.0.2.11 + WAN_IN-112 192.0.2.12 + WAN_IN-120 + WAN_IN-121 + WAN_IN-122 + SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2 + WAN_IN-20 + PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2 + PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2 + WAN_IN-171 + PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1 + SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2 + IPV6-WAN_IN-111 2001:db8::3 + IPV6-WAN_IN-112 2001:db8::4 + IPV6-WAN_IN-120 + IPV6-WAN_IN-121 + IPV6-WAN_IN-122 + SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5 + IPV6-WAN_IN-20 + + +.. opcmd:: show firewall ipv4 [forward | input | output] filter + +.. opcmd:: show firewall ipv4 name <name> + + This command will give an overview of a single rule-set. + + .. code-block:: none + + vyos@vyos:~$ show firewall ipv4 input filter + Ruleset Information + + --------------------------------- + IPv4 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------------------- + 5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT + default accept all + +.. opcmd:: show firewall ipv4 [forward | input | output] + filter rule <1-999999> +.. 
opcmd:: show firewall ipv4 name <name> rule <1-999999> + + This command will give an overview of a rule in a single rule-set, plus + information for default action. + +.. code-block:: none + + vyos@vyos:~$show firewall ipv4 output filter rule 20 + Rule Information + + --------------------------------- + ipv4 Firewall "output filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------- + 20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept + default accept all 286 47614 + + vyos@vyos:~$ + + +.. opcmd:: show firewall statistics + + This will show you a statistic of all rule-sets since the last boot. + +Show Firewall log +================= + +.. opcmd:: show log firewall +.. opcmd:: show log firewall ipv4 +.. opcmd:: show log firewall ipv4 [forward | input | output | name] +.. opcmd:: show log firewall ipv4 [forward | input | output] filter +.. opcmd:: show log firewall ipv4 name <name> +.. opcmd:: show log firewall ipv4 [forward | input | output] filter rule <rule> +.. opcmd:: show log firewall ipv4 name <name> rule <rule> + + Show the logs of all firewall; show all ipv4 firewall logs; show all logs + for particular hook; show all logs for particular hook and priority; show all logs + for particular custom chain; show logs for specific Rule-Set. + +Example Partial Config +====================== + +.. code-block:: none + + firewall { + group { + network-group BAD-NETWORKS { + network 198.51.100.0/24 + network 203.0.113.0/24 + } + network-group GOOD-NETWORKS { + network 192.0.2.0/24 + } + port-group BAD-PORTS { + port 65535 + } + } + ipv4 { + forward { + filter { + default-action accept + rule 5 { + action accept + source { + group { + network-group GOOD-NETWORKS + } + } + } + rule 10 { + action drop + description "Bad Networks" + protocol all + source { + group { + network-group BAD-NETWORKS + } + } + } + } + } + } + } + +Update geoip database +===================== + +.. 
opcmd:: update geoip + + Command used to update GeoIP database and firewall sets. |
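Review bot: the protocol match example under the `protocol [<text> | <0-255> | all | tcp_udp]` directives has a typo in both copyable commands, `set firewall ipv4 forward fitler rule 10 protocol tcp_udp` and `set firewall ipv4 forward fitler rule 11 protocol !tcp_udp`; change `fitler` to `filter`, otherwise a reader pasting them into the CLI gets a configuration path error. In the same hunk the `recent count <1-255>` and `recent time` directives are documented twice: once right after the protocol section with the bracket syntax `[second | minute | hour]` and the one-line description "Match bases on recently seen sources" (should read "based"), and again after the `ttl` directives with the angle-bracket syntax `<second | minute | hour>` and the fuller description about matching 'count' connections within 'time'; keep only the second block so the page does not describe the same option with two different syntaxes. Smaller fixes: "Allowed values fpr TCP flags" should be "for"; the op-mode prompt `vyos@vyos:~$show firewall ipv4 output filter rule 20` is missing the space after `$` that every other prompt in the hunk has; and the default-action note at the top of the file would be worth repeating next to the "Example Partial Config", since that example sets `default-action accept` on the forward filter while the surrounding text does not call out that an undefined default is also accept.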