author | Robert Göhler <github@ghlr.de> | 2022-06-28 21:15:37 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-06-28 21:15:37 +0200 |
commit | da6a59d3e3084bfd8e04bc2d4f4cd071614d817f (patch) | |
tree | a65ea018bd20de6259e2965c2abd14c4a0cbadc3 /docs | |
parent | cdf8b8a71da2285a7d0ca6ad8e407db50c8626d8 (diff) | |
parent | bd66e4fb6f683f47935c02dfca6a899afeca69b2 (diff) | |
download | vyos-documentation-da6a59d3e3084bfd8e04bc2d4f4cd071614d817f.tar.gz vyos-documentation-da6a59d3e3084bfd8e04bc2d4f4cd071614d817f.zip |
Merge pull request #795 from nicolas-fort/firewall-geoip
Firewall: T4299: add geoip matching criteria
Diffstat (limited to 'docs')
-rw-r--r-- | docs/configuration/firewall/index.rst | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 0cbc60c8..5081ce2f 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -323,6 +323,22 @@ There are a lot of matching criteria against which the package can be tested. set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24 set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202 +.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code + <country> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip + country-code <country> +.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip + country-code <country> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip + country-code <country> + +Match IP addresses based on its geolocation. More info: `geoip matching +<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_ + +Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, +permits redistribution so we can include a database in images(~3MB +compressed). Includes cron script (manually callable by op-mode update +geoip) to keep database and rules updated. .. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address <mac-address> @@ -806,3 +822,11 @@ Example Partial Config } } } + + +Update geoip database +===================== + +.. opcmd:: update geoip + + Command used to update GeoIP database and firewall sets.
\ No newline at end of file |
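Review bot: In the first hunk (the four `geoip country-code <country>` commands added after the `source address` examples), nothing says what `<country>` accepts. Document the expected code format and whether a rule can list more than one country, and add a geoip line next to the existing `WAN-IN-v4` / `WAN-IN-v6` examples so the syntax is shown in use. In the same hunk, "Match IP addresses based on its geolocation" should read "their geolocation", and the DB-IP paragraph mixes packaging rationale ("so we can include a database in images") into user-facing text; keep the attribution and licence, and refer to the `update geoip` op-mode command by its documented name rather than "op-mode update geoip".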
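Review bot: The "Update geoip database" section added at the end of the second hunk leaves index.rst without a trailing newline (see the "\ No newline at end of file" marker); add one. The heading writes "geoip" while the description writes "GeoIP", so pick one spelling for both. The `update geoip` description would also be more useful if it said this is the same update the cron script from the matching-criteria section performs, so readers know when a manual run is needed.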