diff options
author | Robert Göhler <github@ghlr.de> | 2022-11-27 21:43:00 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-11-27 21:43:00 +0100 |
commit | a669e2d29353fba82c07d866ae5918f3bd5f6af5 (patch) | |
tree | c2bd51ccb40b1ec1d85763449b5c42cc9d1c0e96 /docs/configuration/firewall | |
parent | 37b7955fc2f35e14ce7cd18b8c84afc915f8aceb (diff) | |
parent | 52d2552a240789753bd92454973ca14d68c84c3e (diff) | |
download | vyos-documentation-a669e2d29353fba82c07d866ae5918f3bd5f6af5.tar.gz vyos-documentation-a669e2d29353fba82c07d866ae5918f3bd5f6af5.zip |
Merge pull request #885 from Rain/T4612-arbitrary-netmasks-docs
firewall: T4612: Support arbitrary netmasks Documentation
Diffstat (limited to 'docs/configuration/firewall')
-rw-r--r-- | docs/configuration/firewall/general.rst | 31 |
1 files changed, 31 insertions, 0 deletions
diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst index 0cf8bcec..42387864 100644 --- a/docs/configuration/firewall/general.rst +++ b/docs/configuration/firewall/general.rst @@ -323,6 +323,37 @@ There are a lot of matching criteria against which the package can be tested. set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24 set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202 +.. cfgcmd:: set firewall name <name> rule <1-999999> source address-mask + [address] +.. cfgcmd:: set firewall name <name> rule <1-999999> destination address-mask + [address] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address-mask + [address] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination + address-mask [address] + + An arbitrary netmask can be applied to mask addresses to only match against + a specific portion. This is particularly useful with IPv6 and a zone-based + firewall as rules will remain valid if the IPv6 prefix changes and the host + portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses + <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) + + This functions for both individual addresses and address groups. + + .. code-block:: none + + # Match any IPv6 address with the suffix ::0000:0000:0000:beef + set firewall ipv6-name WAN-LAN-v6 rule 100 destination address ::beef + set firewall ipv6-name WAN-LAN-v6 rule 100 destination address-mask ::ffff:ffff:ffff:ffff + # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet + set firewall name WAN-LAN-v4 rule 100 destination address 0.11.0.13 + set firewall name WAN-LAN-v4 rule 100 destination address-mask 0.255.0.255 + # Address groups + set firewall group ipv6-address-group WEBSERVERS address ::1000 + set firewall group ipv6-address-group WEBSERVERS address ::2000 + set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS + set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff + .. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code <country> .. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match |