| field | value | date |
|---|---|---|
| author | Rain <6818611+Rain@users.noreply.github.com> | 2022-11-03 14:43:07 -0400 |
| committer | Rain <6818611+Rain@users.noreply.github.com> | 2022-11-03 14:43:07 -0400 |
| commit | 52d2552a240789753bd92454973ca14d68c84c3e (patch) | |
| tree | 779e0a33cbb93087ff99b6fb0ac7a10ded521085 /docs/configuration/firewall | |
| parent | b18aa2f9d853b92e193269a53c1b00c9f48dd73f (diff) | |
| download | vyos-documentation-52d2552a240789753bd92454973ca14d68c84c3e.tar.gz vyos-documentation-52d2552a240789753bd92454973ca14d68c84c3e.zip  | |
firewall: T4612: Support arbitrary netmasks Documentation
Diffstat (limited to 'docs/configuration/firewall')
| -rw-r--r-- | docs/configuration/firewall/general.rst | 31 | 
1 files changed, 31 insertions, 0 deletions
diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst index 0cf8bcec..42387864 100644 --- a/docs/configuration/firewall/general.rst +++ b/docs/configuration/firewall/general.rst 
@@ -323,6 +323,37 @@ There are a lot of matching criteria against which the package can be tested.        set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24        set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202 +.. cfgcmd:: set firewall name <name> rule <1-999999> source address-mask +   [address] +.. cfgcmd:: set firewall name <name> rule <1-999999> destination address-mask +   [address] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address-mask +   [address] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination +   address-mask [address] + +   An arbitrary netmask can be applied to mask addresses to only match against +   a specific portion. This is particularly useful with IPv6 and a zone-based +   firewall as rules will remain valid if the IPv6 prefix changes and the host +   portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses +   <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) +    +   This functions for both individual addresses and address groups. + +   .. code-block:: none + +      # Match any IPv6 address with the suffix ::0000:0000:0000:beef +      set firewall ipv6-name WAN-LAN-v6 rule 100 destination address ::beef +      set firewall ipv6-name WAN-LAN-v6 rule 100 destination address-mask ::ffff:ffff:ffff:ffff +      # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet +      set firewall name WAN-LAN-v4 rule 100 destination address 0.11.0.13 +      set firewall name WAN-LAN-v4 rule 100 destination address-mask 0.255.0.255 +      # Address groups +      set firewall group ipv6-address-group WEBSERVERS address ::1000 +      set firewall group ipv6-address-group WEBSERVERS address ::2000 +      set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS +      set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff +  .. 
cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code     <country>  .. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match  | 
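Review bot: the address-group example at the end of the hunk applies an IPv6 group and an IPv6 mask to an IPv4 ruleset: `set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS` and `set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff` use `firewall name`, while the ruleset is clearly the IPv6 one (the rule 100 lines above use `set firewall ipv6-name WAN-LAN-v6`, and WEBSERVERS is an `ipv6-address-group`); change both lines to `set firewall ipv6-name WAN-LAN-v6 rule 200 ...`, otherwise a reader copying the example gets a rule in the wrong address family. Minor wording in the same hunk: "forth octet" should read "fourth octet", "the host portion of systems IPv6 address" should read "the host portion of a system's IPv6 address", the sentence ending with the tokenised-IPv6 link is missing its full stop, and the line after it is whitespace-only (`+    `), which should be an empty line. It would also help to state the match semantics in one sentence, i.e. that only the address bits selected by the mask are compared, so the reader understands why `::beef` with `::ffff:ffff:ffff:ffff` matches any prefix.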
