author: Christian Breunig <christian@breunig.cc> 2024-06-13 07:22:30 +0200
committer: GitHub <noreply@github.com> 2024-06-13 07:22:30 +0200
commit: f1eb14c7e97e79dbaeac67c31e3d2b8737c6e2df (patch)
tree: 1057bb0a72c82a61389a1ad84e5dd7d7ed94ac26 /docs/configuration/firewall/ipv4.rst
parent: 03b87236bb358058f6e23b682676b43387319055 (diff)
parent: 8118c93687b89e267111069c475e02f8e89f648c (diff)
Merge pull request #1478 from nicolas-fort/T3900-fwall-raw-tables
Firewall: Add prerouting information
Diffstat (limited to 'docs/configuration/firewall/ipv4.rst')
-rw-r--r-- docs/configuration/firewall/ipv4.rst | 31
1 file changed, 27 insertions, 4 deletions
diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst
index f7f98dc7..e53f2480 100644
--- a/docs/configuration/firewall/ipv4.rst
+++ b/docs/configuration/firewall/ipv4.rst
@@ -31,17 +31,34 @@ of the general structure:
+ filter
- output
+ filter
+ + raw
+ - prerouting
+ + raw
- name
+ custom_name
+First, all traffic is received by the router, and it is processed in the
+**prerouting** section.
+
+This stage includes:
+
+ * **Firewall Prerouting**: commands found under ``set firewall ipv4
+ prerouting raw ...``
+ * :doc:`Conntrack Ignore</configuration/system/conntrack>`: ``set system
+ conntrack ignore ipv4...``
+ * :doc:`Policy Route</configuration/policy/route>`: commands found under
+ ``set policy route ...``
+ * :doc:`Destination NAT</configuration/nat/nat44>`: commands found under
+ ``set nat destination ...``
+
For transit traffic, which is received by the router and forwarded, base chain
is **forward**. A simplified packet flow diagram for transit traffic is shown
next:
.. figure:: /_static/images/firewall-fwd-packet-flow.png
-Where firewall base chain to configure firewall filtering rules for transit
-traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5,
+Firewall base chain to configure firewall filtering rules for transit traffic
+is ``set firewall ipv4 forward filter ...``, which happens in stage 5,
highlighted with red color.
For traffic towards the router itself, base chain is **input**, while traffic
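Review bot: The new prerouting paragraph (`+First, all traffic is received by the router, and it is processed in the` ... `+**prerouting** section.`) never states the one property that matters for the new **raw** sub-chain, namely that rules under ``set firewall ipv4 prerouting raw ...`` are evaluated before the connection tracking subsystem; the later output section refers back to "Prerouting" for exactly that statement, so add a sentence here such as `+Rules in the **raw** sub-chain are evaluated before connection tracking.` The four bullet items also have their continuation lines (`+ prerouting raw ...```, `+ conntrack ignore ipv4...```, and so on) flush with the ``*`` marker as rendered; if the file is indented that way, Sphinx will report an unexpected unindent and break the list, so indent the continuation lines under the item text. Minor: ``set system conntrack ignore ipv4...`` lacks the space before the ellipsis that the other three items use, and `+Firewall base chain to configure firewall filtering rules for transit traffic` reads better as "The firewall base chain for filtering transit traffic".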
@@ -52,11 +69,17 @@ router (starting from circle number 6):
.. figure:: /_static/images/firewall-input-packet-flow.png
-Base chain is for traffic toward the router is ``set firewall ipv4 input
+Base chain for traffic towards the router is ``set firewall ipv4 input
filter ...``
And base chain for traffic generated by the router is ``set firewall ipv4
-output filter ...``
+output ...``, where two sub-chains are available: **filter** and **raw**:
+
+* **Output Prerouting**: ``set firewall ipv4 output raw ...``.
+ As described in **Prerouting**, rules defined in this section are
+ processed before connection tracking subsystem.
+* **Output Filter**: ``set firewall ipv4 output filter ...``. Rules defined
+ in this section are processed after connection tracking subsystem.
.. note:: **Important note about default-actions:**
If default action for any base chain is not defined, then the default
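Review bot: The bullet `+* **Output Prerouting**: ``set firewall ipv4 output raw ...``.` names the output raw chain after a different hook; this chain is on the output path, not prerouting, so "**Output Raw**" would match both the configuration path and the tree at the top of the file. In the same bullet, "As described in **Prerouting**" points at a description the prerouting section added by this patch does not contain (it lists what the stage includes but never says raw rules run before conntrack), so either state it directly here, for example "rules in this section are processed before the connection tracking subsystem", or add that sentence to the prerouting section. Grammar: both "before connection tracking subsystem" and "after connection tracking subsystem" need "the", and `+output ...``, where two sub-chains are available: **filter** and **raw**:` uses two colons in one sentence; "which has two sub-chains, **filter** and **raw**:" reads cleaner.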