summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorRobert Göhler <github@ghlr.de>2022-06-28 21:15:37 +0200
committerGitHub <noreply@github.com>2022-06-28 21:15:37 +0200
commitda6a59d3e3084bfd8e04bc2d4f4cd071614d817f (patch)
treea65ea018bd20de6259e2965c2abd14c4a0cbadc3 /docs
parentcdf8b8a71da2285a7d0ca6ad8e407db50c8626d8 (diff)
parentbd66e4fb6f683f47935c02dfca6a899afeca69b2 (diff)
downloadvyos-documentation-da6a59d3e3084bfd8e04bc2d4f4cd071614d817f.tar.gz
vyos-documentation-da6a59d3e3084bfd8e04bc2d4f4cd071614d817f.zip
Merge pull request #795 from nicolas-fort/firewall-geoip
Firewall: T4299: add geoip matching criteria
Diffstat (limited to 'docs')
-rw-r--r--docs/configuration/firewall/index.rst24
1 files changed, 24 insertions, 0 deletions
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index 0cbc60c8..5081ce2f 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -323,6 +323,22 @@ There are a lot of matching criteria against which the package can be tested.
set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24
set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202
+.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code
+ <country>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
+ country-code <country>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
+ country-code <country>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
+ country-code <country>
+
+Match IP addresses based on its geolocation. More info: `geoip matching
+<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_
+
+Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
+permits redistribution so we can include a database in images(~3MB
+compressed). Includes cron script (manually callable by op-mode update
+geoip) to keep database and rules updated.
.. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address
<mac-address>
@@ -806,3 +822,11 @@ Example Partial Config
}
}
}
+
+
+Update geoip database
+=====================
+
+.. opcmd:: update geoip
+
+ Command used to update GeoIP database and firewall sets. \ No newline at end of file