author    Nicolas Fort <nicolasfort1988@gmail.com>  2022-11-24 16:24:03 -0300
committer Nicolas Fort <nicolasfort1988@gmail.com>  2022-11-24 16:24:03 -0300
commit    7b7ea78ee2bb7205be1f2a8f817cd29974d73b72 (patch)
tree      8e9cdb596d1cf8cbb1f4f11b4e7f60a3be1f1516 /docs/configuration
parent    5072506e297a1e9ed0a7d843864add3253ff87ab (diff)
Firewall update: add groups and note to firewall interface section
Diffstat (limited to 'docs/configuration')
-rw-r--r--  docs/configuration/firewall/general.rst  44
1 file changed, 37 insertions, 7 deletions
diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst
index 0cf8bcec..5dfceed6 100644
--- a/docs/configuration/firewall/general.rst
+++ b/docs/configuration/firewall/general.rst
@@ -148,11 +148,11 @@ Some firewall settings are global and have an affect on the whole system.
Groups
******
-Firewall groups represent collections of IP addresses, networks, or
-ports. Once created, a group can be referenced by firewall rules as
-either a source or destination. Members can be added or removed from a
-group without changes to, or the need to reload, individual firewall
-rules.
+Firewall groups represent collections of IP addresses, networks, ports,
+mac addresses or domains. Once created, a group can be referenced by
+firewall, nat and policy route rules as either a source or destination
+matcher. Members can be added or removed from a group without changes to,
+or the need to reload, individual firewall rules.
Groups need to have unique names. Even though some contain IPv4
addresses and others contain IPv6 addresses, they still need to have
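Review bot: the last sentence of the rewritten paragraph still says "individual firewall rules", but the same paragraph now states that groups are referenced by firewall, NAT and policy route rules, so it should read "individual firewall, NAT or policy route rules" to keep the two statements consistent. In the same lines, "mac addresses" and "nat" should be written "MAC addresses" and "NAT", matching how the rest of the page capitalises protocol and address-family names.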
@@ -183,7 +183,6 @@ defined.
Provide a IPv4 or IPv6 address group description
-
Network Groups
==============
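Review bot: this hunk only deletes a blank line, so check that at least one blank line still separates the cfgcmd directive's description ("Provide a IPv4 or IPv6 address group description") from the "Network Groups" title; docutils needs the directive body terminated before a section heading, otherwise the title is swallowed into the directive. The same check applies to the identical deletion in the next hunk.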
@@ -208,7 +207,6 @@ recommended.
Provide a IPv4 or IPv6 network group description.
-
Port Groups
===========
@@ -234,6 +232,34 @@ filtering unnecessary ports. Ranges of ports can be specified by using
Provide a port group description.
+MAC Groups
+==========
+
+A **mac group** represents a collection of mac addresses.
+
+.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address>
+
+ Define a mac group.
+
+.. code-block:: none
+
+ set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f
+ set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81
+
+
+Domain Groups
+=============
+
+A **domain group** represents a collection of domains.
+
+.. cfgcmd:: set firewall group domain-group <name> address <domain>
+
+ Define a domain group.
+
+.. code-block:: none
+
+ set firewall group domain-group DOM address example.com
+
*********
Rule-Sets
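Review bot: the new Domain Groups section documents only the syntax, `set firewall group domain-group <name> address <domain>`, and says nothing about how a domain name is turned into addresses that a rule can match on (when it is resolved, how often it is refreshed, what happens when resolution fails); a reader applying a domain group to a source or destination matcher needs that to understand what traffic the rule actually covers, so add a sentence describing the resolution behaviour. Smaller points: "mac group" and "mac addresses" should be "MAC group" and "MAC addresses", and the MAC Groups example leaves two blank lines before the "Domain Groups" title where one is enough.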
@@ -603,11 +629,15 @@ A Rule-Set can be applied to every interface:
set firewall interface eth1.100 out name LANv4-OUT
set firewall interface bond0 in name LANv4-IN
set firewall interface vtun1 in name LANv4-IN
+ set firewall interface eth2* in name LANv4-IN
.. note::
As you can see in the example here, you can assign the same rule-set to
several interfaces. An interface can only have one rule-set per chain.
+ .. note::
+ You can use wildcard ``*`` to match a group of interfaces.
+
***********************
Operation-mode Firewall
***********************
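Review bot: the added note is indented one space (`+ .. note::`) under the preceding `.. note::`, so in RST it becomes part of the first note's body rather than a second, sibling note; dedent it to column 0, like the existing directive, so both render as separate admonitions. The note should also state what the wildcard expands to, since `eth2*` plausibly covers `eth2.100` and `eth20` as well as `eth2`; readers need that to know which interfaces the rule-set is actually bound to, and a wildcard that is broader than intended silently extends or removes filtering on interfaces the author did not have in mind.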