diff options
author | Nicolas Fort <nicolasfort1988@gmail.com> | 2022-06-14 09:46:50 -0300 |
---|---|---|
committer | Nicolas Fort <nicolasfort1988@gmail.com> | 2022-06-14 10:20:40 -0300 |
commit | 49008adbef48b10e404b307309fc330b241022cf (patch) | |
tree | 8a9b640101c98fac2c7feae3cbccc3a315e7f132 /docs/configuration | |
parent | 72be7f58b240a0b364b2bd4a54b5e73a6da7fda3 (diff) | |
download | vyos-documentation-49008adbef48b10e404b307309fc330b241022cf.tar.gz vyos-documentation-49008adbef48b10e404b307309fc330b241022cf.zip |
Firewall: Add firewall documentation
Diffstat (limited to 'docs/configuration')
-rw-r--r-- | docs/configuration/firewall/index.rst | 54 |
1 files changed, 37 insertions, 17 deletions
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 55881b1b..0cbc60c8 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -264,7 +264,7 @@ the action of the rule will be executed. .. cfgcmd:: set firewall name <name> rule <1-999999> action [drop | reject | accept] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [drop | +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [drop | reject | accept] This required setting defines the action of the current rule. @@ -275,11 +275,18 @@ the action of the rule will be executed. Provide a description for each rule. .. cfgcmd:: set firewall name <name> rule <1-999999> log [disable | enable] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable | +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable | enable] Enable or disable logging for the matched packet. +.. cfgcmd:: set firewall name <name> rule <1-999999> log-level [emerg | + alert | crit | err | warn | notice | info | debug] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-level [emerg | + alert | crit | err | warn | notice | info | debug] + + Define log-level. Only applicable if rule log is enable. + .. cfgcmd:: set firewall name <name> rule <1-999999> disable .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable @@ -355,37 +362,40 @@ There are a lot of matching criteria against which the package can be tested. set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338' .. cfgcmd:: set firewall name <name> rule <1-999999> source group - address-group <name> + address-group <name | !name> .. cfgcmd:: set firewall name <name> rule <1-999999> destination group - address-group <name> + address-group <name | !name> .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - address-group <name> + address-group <name | !name> .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - address-group <name> + address-group <name | !name> - Use a specific address-group + Use a specific address-group. Prepend character '!' for inverted matching + criteria. .. cfgcmd:: set firewall name <name> rule <1-999999> source group - network-group <name> + network-group <name | !name> .. cfgcmd:: set firewall name <name> rule <1-999999> destination group - network-group <name> + network-group <name | !name> .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - network-group <name> + network-group <name | !name> .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - network-group <name> + network-group <name | !name> - Use a specific network-group + Use a specific network-group. Prepend character '!' for inverted matching + criteria. .. cfgcmd:: set firewall name <name> rule <1-999999> source group - port-group <name> + port-group <name | !name> .. cfgcmd:: set firewall name <name> rule <1-999999> destination group - port-group <name> + port-group <name | !name> .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - port-group <name> + port-group <name | !name> .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - port-group <name> + port-group <name | !name> - Use a specific port-group + Use a specific port-group. Prepend character '!' for inverted matching + criteria. .. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> | <0-255> | all | tcp_udp] @@ -423,6 +433,16 @@ There are a lot of matching criteria against which the package can be tested. Match against the state of a packet. +.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255> + + Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for + 'greater than', and 'lt' stands for 'less than'. + +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> hop-limit <eq | gt | + lt> <0-255> + + Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for + 'greater than', and 'lt' stands for 'less than'. *********************************** Applying a Rule-Set to an Interface |