diff options
Diffstat (limited to 'docs/configuration/firewall/general.rst')
-rw-r--r-- | docs/configuration/firewall/general.rst | 1003 |
1 files changed, 1003 insertions, 0 deletions
diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst new file mode 100644 index 00000000..f2e01e03 --- /dev/null +++ b/docs/configuration/firewall/general.rst @@ -0,0 +1,1003 @@ +:lastproofread: 2021-06-29 + +.. _firewall: + +######## +Firewall +######## + +******** +Overview +******** + +VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet +filtering. + +The firewall supports the creation of groups for ports, addresses, and +networks (implemented using netfilter ipset) and the option of interface +or zone based firewall policy. + +.. note:: **Important note on usage of terms:** + The firewall makes use of the terms `in`, `out`, and `local` + for firewall policy. Users experienced with netfilter often confuse + `in` to be a reference to the `INPUT` chain, and `out` the `OUTPUT` + chain from netfilter. This is not the case. These instead indicate + the use of the `FORWARD` chain and either the input or output + interface. The `INPUT` chain, which is used for local traffic to the + OS, is a reference to as `local` with respect to its input interface. + + +*************** +Global settings +*************** + +Some firewall settings are global and have an affect on the whole system. + +.. cfgcmd:: set firewall all-ping [enable | disable] + + By default, when VyOS receives an ICMP echo request packet destined for + itself, it will answer with an ICMP echo reply, unless you avoid it + through its firewall. + + With the firewall you can set rules to accept, drop or reject ICMP in, + out or local traffic. You can also use the general **firewall all-ping** + command. This command affects only to LOCAL (packets destined for your + VyOS system), not to IN or OUT traffic. + + .. note:: **firewall all-ping** affects only to LOCAL and it always + behaves in the most restrictive way + + .. code-block:: none + + set firewall all-ping enable + + When the command above is set, VyOS will answer every ICMP echo request + addressed to itself, but that will only happen if no other rule is + applied dropping or rejecting local echo requests. In case of conflict, + VyOS will not answer ICMP echo requests. + + .. code-block:: none + + set firewall all-ping disable + + When the command above is set, VyOS will answer no ICMP echo request + addressed to itself at all, no matter where it comes from or whether + more specific rules are being applied to accept them. + +.. cfgcmd:: set firewall broadcast-ping [enable | disable] + + This setting enable or disable the response of icmp broadcast + messages. The following system parameter will be altered: + + * ``net.ipv4.icmp_echo_ignore_broadcasts`` + +.. cfgcmd:: set firewall ip-src-route [enable | disable] +.. cfgcmd:: set firewall ipv6-src-route [enable | disable] + + This setting handle if VyOS accept packets with a source route + option. The following system parameter will be altered: + + * ``net.ipv4.conf.all.accept_source_route`` + * ``net.ipv6.conf.all.accept_source_route`` + +.. cfgcmd:: set firewall receive-redirects [enable | disable] +.. cfgcmd:: set firewall ipv6-receive-redirects [enable | disable] + + enable or disable of ICMPv4 or ICMPv6 redirect messages accepted + by VyOS. The following system parameter will be altered: + + * ``net.ipv4.conf.all.accept_redirects`` + * ``net.ipv6.conf.all.accept_redirects`` + +.. cfgcmd:: set firewall send-redirects [enable | disable] + + enable or disable ICMPv4 redirect messages send by VyOS + The following system parameter will be altered: + + * ``net.ipv4.conf.all.send_redirects`` + +.. cfgcmd:: set firewall log-martians [enable | disable] + + enable or disable the logging of martian IPv4 packets. + The following system parameter will be altered: + + * ``net.ipv4.conf.all.log_martians`` + +.. cfgcmd:: set firewall source-validation [strict | loose | disable] + + Set the IPv4 source validation mode. + The following system parameter will be altered: + + * ``net.ipv4.conf.all.rp_filter`` + +.. cfgcmd:: set firewall syn-cookies [enable | disable] + + Enable or Disable if VyOS use IPv4 TCP SYN Cookies. + The following system parameter will be altered: + + * ``net.ipv4.tcp_syncookies`` + +.. cfgcmd:: set firewall twa-hazards-protection [enable | disable] + + Enable or Disable VyOS to be :rfc:`1337` conform. + The following system parameter will be altered: + + * ``net.ipv4.tcp_rfc1337`` + +.. cfgcmd:: set firewall state-policy established action [accept | drop | + reject] + +.. cfgcmd:: set firewall state-policy established log enable + + Set the global setting for an established connection. + +.. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject] + +.. cfgcmd:: set firewall state-policy invalid log enable + + Set the global setting for invalid packets. + +.. cfgcmd:: set firewall state-policy related action [accept | drop | reject] + +.. cfgcmd:: set firewall state-policy related log enable + + Set the global setting for related connections. + + +****** +Groups +****** + +Firewall groups represent collections of IP addresses, networks, ports, +mac addresses or domains. Once created, a group can be referenced by +firewall, nat and policy route rules as either a source or destination +matcher. Members can be added or removed from a group without changes to, +or the need to reload, individual firewall rules. + +Groups need to have unique names. Even though some contain IPv4 +addresses and others contain IPv6 addresses, they still need to have +unique names, so you may want to append "-v4" or "-v6" to your group +names. + + +Address Groups +============== + +In an **address group** a single IP address or IP address ranges are +defined. + +.. cfgcmd:: set firewall group address-group <name> address [address | + address range] +.. cfgcmd:: set firewall group ipv6-address-group <name> address <address> + + Define a IPv4 or a IPv6 address group + + .. code-block:: none + + set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1 + set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8 + set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1 + +.. cfgcmd:: set firewall group address-group <name> description <text> +.. cfgcmd:: set firewall group ipv6-address-group <name> description <text> + + Provide a IPv4 or IPv6 address group description + +Network Groups +============== + +While **network groups** accept IP networks in CIDR notation, specific +IP addresses can be added as a 32-bit prefix. If you foresee the need +to add a mix of addresses and networks, the network group is +recommended. + +.. cfgcmd:: set firewall group network-group <name> network <CIDR> +.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR> + + Define a IPv4 or IPv6 Network group. + + .. code-block:: none + + set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24 + set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24 + set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64 + +.. cfgcmd:: set firewall group network-group <name> description <text> +.. cfgcmd:: set firewall group ipv6-network-group <name> description <text> + + Provide a IPv4 or IPv6 network group description. + +Port Groups +=========== + +A **port group** represents only port numbers, not the protocol. Port +groups can be referenced for either TCP or UDP. It is recommended that +TCP and UDP groups are created separately to avoid accidentally +filtering unnecessary ports. Ranges of ports can be specified by using +`-`. + +.. cfgcmd:: set firewall group port-group <name> port + [portname | portnumber | startport-endport] + + Define a port group. A port name can be any name defined in + /etc/services. e.g.: http + + .. code-block:: none + + set firewall group port-group PORT-TCP-SERVER1 port http + set firewall group port-group PORT-TCP-SERVER1 port 443 + set firewall group port-group PORT-TCP-SERVER1 port 5000-5010 + +.. cfgcmd:: set firewall group port-group <name> description <text> + + Provide a port group description. + +MAC Groups +========== + +A **mac group** represents a collection of mac addresses. + +.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address> + + Define a mac group. + +.. code-block:: none + + set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f + set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81 + + +Domain Groups +============= + +A **domain group** represents a collection of domains. + +.. cfgcmd:: set firewall group domain-group <name> address <domain> + + Define a domain group. + +.. code-block:: none + + set firewall group domain-group DOM address example.com + + +********* +Rule-Sets +********* + +A rule-set is a named collection of firewall rules that can be applied +to an interface or a zone. Each rule is numbered, has an action to apply +if the rule is matched, and the ability to specify the criteria to +match. Data packets go through the rules from 1 - 999999, at the first match +the action of the rule will be executed. + +.. cfgcmd:: set firewall name <name> description <text> +.. cfgcmd:: set firewall ipv6-name <name> description <text> + + Provide a rule-set description. + +.. cfgcmd:: set firewall name <name> default-action [accept | drop | jump | + reject | return] +.. cfgcmd:: set firewall ipv6-name <name> default-action [accept | drop | + jump | reject | return] + + This set the default action of the rule-set if no rule matched a packet + criteria. If defacult-action is set to ``jump``, then + ``default-jump-target`` is also needed. + +.. cfgcmd:: set firewall name <name> default-jump-target <text> +.. cfgcmd:: set firewall ipv6-name <name> default-jump-target <text> + + To be used only when ``defult-action`` is set to ``jump``. Use this + command to specify jump target for default rule. + +.. cfgcmd:: set firewall name <name> enable-default-log +.. cfgcmd:: set firewall ipv6-name <name> enable-default-log + + Use this command to enable the logging of the default action. + +.. cfgcmd:: set firewall name <name> rule <1-999999> action [accept | drop | + jump | reject | return] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [accept | + drop | jump | reject | return] + + This required setting defines the action of the current rule. If action + is set to ``jump``, then ``jump-target`` is also needed. + +.. cfgcmd:: set firewall name <name> rule <1-999999> jump-target <text> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> jump-target <text> + + To be used only when ``action`` is set to ``jump``. Use this + command to specify jump target. + +.. cfgcmd:: set firewall name <name> rule <1-999999> description <text> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> description <text> + + Provide a description for each rule. + +.. cfgcmd:: set firewall name <name> rule <1-999999> log [disable | enable] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable | + enable] + + Enable or disable logging for the matched packet. + +.. cfgcmd:: set firewall name <name> rule <1-999999> log-level [emerg | + alert | crit | err | warn | notice | info | debug] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-level [emerg | + alert | crit | err | warn | notice | info | debug] + + Define log-level. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall name <name> rule <1-999999> disable +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable + + If you want to disable a rule but let it in the configuration. + +Matching criteria +================= + +There are a lot of matching criteria against which the package can be tested. + +.. cfgcmd:: set firewall name <name> rule <1-999999> connection-status nat + [destination | source] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-status + nat [destination | source] + + Match criteria based on nat connection status. + +.. cfgcmd:: set firewall name <name> rule <1-999999> connection-mark + <1-2147483647> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-mark + <1-2147483647> + + Match criteria based on connection mark. + +.. cfgcmd:: set firewall name <name> rule <1-999999> source address + [address | addressrange | CIDR] +.. cfgcmd:: set firewall name <name> rule <1-999999> destination address + [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address + [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination address + [address | addressrange | CIDR] + + This is similar to the network groups part, but here you are able to negate + the matching addresses. + + .. code-block:: none + + set firewall name WAN-IN-v4 rule 100 source address 192.0.2.10-192.0.2.11 + # with a '!' the rule match everything except the specified subnet + set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24 + set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202 + +.. cfgcmd:: set firewall name <name> rule <1-999999> source address-mask + [address] +.. cfgcmd:: set firewall name <name> rule <1-999999> destination address-mask + [address] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address-mask + [address] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination + address-mask [address] + + An arbitrary netmask can be applied to mask addresses to only match against + a specific portion. This is particularly useful with IPv6 and a zone-based + firewall as rules will remain valid if the IPv6 prefix changes and the host + portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses + <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) + + This functions for both individual addresses and address groups. + + .. code-block:: none + + # Match any IPv6 address with the suffix ::0000:0000:0000:beef + set firewall ipv6-name WAN-LAN-v6 rule 100 destination address ::beef + set firewall ipv6-name WAN-LAN-v6 rule 100 destination address-mask ::ffff:ffff:ffff:ffff + # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet + set firewall name WAN-LAN-v4 rule 100 destination address 0.11.0.13 + set firewall name WAN-LAN-v4 rule 100 destination address-mask 0.255.0.255 + # Address groups + set firewall group ipv6-address-group WEBSERVERS address ::1000 + set firewall group ipv6-address-group WEBSERVERS address ::2000 + set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS + set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff + +.. cfgcmd:: set firewall name <name> rule <1-999999> source fqdn <fqdn> +.. cfgcmd:: set firewall name <name> rule <1-999999> destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination fqdn + <fqdn> + + Specify a Fully Qualified Domain Name as source/destination matcher. Ensure + router is able to resolve such dns query. + +.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code + <country> +.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip + country-code <country> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip + inverse-match +.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip + country-code <country> +.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip + inverse-match +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip + country-code <country> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip + inverse-match + +Match IP addresses based on its geolocation. +More info: `geoip matching +<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. + +Use inverse-match to match anything except the given country-codes. + +Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, +permits redistribution so we can include a database in images(~3MB +compressed). Includes cron script (manually callable by op-mode update +geoip) to keep database and rules updated. + +.. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address + <mac-address> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source mac-address + <mac-address> + + Only in the source criteria, you can specify a mac-address. + + .. code-block:: none + + set firewall name LAN-IN-v4 rule 100 source mac-address 00:53:00:11:22:33 + set firewall name LAN-IN-v4 rule 101 source mac-address !00:53:00:aa:12:34 + +.. cfgcmd:: set firewall name <name> rule <1-999999> source port + [1-65535 | portname | start-end] +.. cfgcmd:: set firewall name <name> rule <1-999999> destination port + [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source port + [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination port + [1-65535 | portname | start-end] + + A port can be set with a port number or a name which is here + defined: ``/etc/services``. + + .. code-block:: none + + set firewall name WAN-IN-v4 rule 10 source port '22' + set firewall name WAN-IN-v4 rule 11 source port '!http' + set firewall name WAN-IN-v4 rule 12 source port 'https' + + Multiple source ports can be specified as a comma-separated list. + The whole list can also be "negated" using ``!``. For example: + + .. code-block:: none + + set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338' + +.. cfgcmd:: set firewall name <name> rule <1-999999> source group + address-group <name | !name> +.. cfgcmd:: set firewall name <name> rule <1-999999> destination group + address-group <name | !name> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group + address-group <name | !name> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group + address-group <name | !name> + + Use a specific address-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall name <name> rule <1-999999> source group + network-group <name | !name> +.. cfgcmd:: set firewall name <name> rule <1-999999> destination group + network-group <name | !name> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group + network-group <name | !name> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group + network-group <name | !name> + + Use a specific network-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall name <name> rule <1-999999> source group + port-group <name | !name> +.. cfgcmd:: set firewall name <name> rule <1-999999> destination group + port-group <name | !name> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group + port-group <name | !name> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group + port-group <name | !name> + + Use a specific port-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall name <name> rule <1-999999> source group + domain-group <name | !name> +.. cfgcmd:: set firewall name <name> rule <1-999999> destination group + domain-group <name | !name> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group + domain-group <name | !name> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group + domain-group <name | !name> + + Use a specific domain-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall name <name> rule <1-999999> source group + mac-group <name | !name> +.. cfgcmd:: set firewall name <name> rule <1-999999> destination group + mac-group <name | !name> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group + mac-group <name | !name> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group + mac-group <name | !name> + + Use a specific mac-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall name <name> rule <1-999999> dscp [0-63 | start-end] +.. cfgcmd:: set firewall name <name> rule <1-999999> dscp-exclude [0-63 | + start-end] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp [0-63 | + start-end] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp-exclude [0-63 | + start-end] + + Match based on dscp value. + +.. cfgcmd:: set firewall name <name> rule <1-999999> fragment [match-frag | + match-non-frag] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> fragment [match-frag + | match-non-frag] + + Match based on fragment criteria. + +.. cfgcmd:: set firewall name <name> rule <1-999999> icmp [code | type] + <0-255> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 [code | type] + <0-255> + + Match based on icmp|icmpv6 code and type. + +.. cfgcmd:: set firewall name <name> rule <1-999999> icmp type-name <text> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 type-name + <text> + + Match based on icmp|icmpv6 type-name criteria. Use tab for information + about what **type-name** criteria are supported. + +.. cfgcmd:: set firewall name <name> rule <1-999999> inbound-interface + <iface> +.. cfgcmd:: set firewall name <name> rule <1-999999> outbound-interface + <iface> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> inbound-interface + <iface> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> outbound-interface + <iface> + + Match based on inbound/outbound interface. Wilcard ``*`` can be used. + For example: ``eth2*`` + +.. cfgcmd:: set firewall name <name> rule <1-999999> ipsec [match-ipsec + | match-none] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> ipsec [match-ipsec + | match-none] + + Match based on ipsec criteria. + +.. cfgcmd:: set firewall name <name> rule <1-999999> limit burst + <0-4294967295> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit burst + <0-4294967295> + + Match based on the maximum number of packets to allow in excess of rate. + +.. cfgcmd:: set firewall name <name> rule <1-999999> limit rate + <text> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit rate + <text> + + Match based on the maximum average rate, specified as **integer/unit**. + For example **5/minutes** + +.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length + <text> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length + <text> +.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length-exclude + <text> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length-exclude + <text> + + Match based on packet length criteria. Multiple values from 1 to 65535 + and ranges are supported. + +.. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> | + <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> protocol [<text> | + <0-255> | all | tcp_udp] + + Match a protocol criteria. A protocol number or a name which is here + defined: ``/etc/protocols``. + Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp + based packets. The ``!`` negate the selected protocol. + + .. code-block:: none + + set firewall name WAN-IN-v4 rule 10 protocol tcp_udp + set firewall name WAN-IN-v4 rule 11 protocol !tcp_udp + set firewall ipv6-name WAN-IN-v6 rule 10 protocol tcp + +.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255> +.. cfgcmd:: set firewall name <name> rule <1-999999> recent time + [second | minute | hour] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time + [second | minute | hour] + + Match bases on recently seen sources. + +.. cfgcmd:: set firewall name <name> rule <1-999999> tcp flags <text> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> tcp flags <text> + + Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``, + ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma + separated. The ``!`` negate the selected protocol. + + .. code-block:: none + + set firewall name WAN-IN-v4 rule 10 tcp flags 'ACK' + set firewall name WAN-IN-v4 rule 12 tcp flags 'SYN' + set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST' + +.. cfgcmd:: set firewall name <name> rule <1-999999> state [established | + invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> state [established | + invalid | new | related] [enable | disable] + + Match against the state of a packet. + +.. cfgcmd:: set firewall name <name> rule <1-999999> time startdate <text> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time startdate <text> +.. cfgcmd:: set firewall name <name> rule <1-999999> time starttime <text> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time starttime <text> +.. cfgcmd:: set firewall name <name> rule <1-999999> time stopdate <text> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stopdate <text> +.. cfgcmd:: set firewall name <name> rule <1-999999> time stoptime <text> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stoptime <text> +.. cfgcmd:: set firewall name <name> rule <1-999999> time weekdays <text> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time weekdays <text> + + Time to match the defined rule. + +.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255> + + Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for + 'greater than', and 'lt' stands for 'less than'. + +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> hop-limit <eq | gt | + lt> <0-255> + + Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for + 'greater than', and 'lt' stands for 'less than'. + +.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255> +.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second | + minute | hour> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second | + minute | hour> + + Match when 'count' amount of connections are seen within 'time'. These + matching criteria can be used to block brute-force attempts. + +*********************************** +Applying a Rule-Set to an Interface +*********************************** + +A Rule-Set can be applied to every interface: + +* ``in``: Ruleset for forwarded packets on an inbound interface +* ``out``: Ruleset for forwarded packets on an outbound interface +* ``local``: Ruleset for packets destined for this router + +.. cfgcmd:: set firewall interface <interface> [in | out | local] [name | + ipv6-name] <rule-set> + + + Here are some examples for applying a rule-set to an interface + + .. code-block:: none + + set firewall interface eth1.100 in name LANv4-IN + set firewall interface eth1.100 out name LANv4-OUT + set firewall interface bond0 in name LANv4-IN + set firewall interface vtun1 in name LANv4-IN + set firewall interface eth2* in name LANv4-IN + + .. note:: + As you can see in the example here, you can assign the same rule-set to + several interfaces. An interface can only have one rule-set per chain. + + .. note:: + You can use wildcard ``*`` to match a group of interfaces. + +*********************** +Operation-mode Firewall +*********************** + +Rule-set overview +================= + +.. opcmd:: show firewall + + This will show you a basic firewall overview + + .. code-block:: none + + vyos@vyos:~$ show firewall + + ------------------------ + Firewall Global Settings + ------------------------ + + Firewall state-policy for all IPv4 and Ipv6 traffic + + state action log + ----- ------ --- + invalid accept disabled + established accept disabled + related accept disabled + + ----------------------------- + Rulesets Information + ----------------------------- + -------------------------------------------------------------------------- + IPv4 Firewall "DMZv4-1-IN": + + Active on (eth0,IN) + + rule action proto packets bytes + ---- ------ ----- ------- ----- + 10 accept icmp 0 0 + condition - saddr 10.1.0.0/24 daddr 0.0.0.0/0 LOG enabled + + 10000 drop all 0 0 + condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled + + -------------------------------------------------------------------------- + IPv4 Firewall "DMZv4-1-OUT": + + Active on (eth0,OUT) + + rule action proto packets bytes + ---- ------ ----- ------- ----- + 10 accept tcp_udp 1 60 + condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-DST-PORT-GROUP DMZ-Ports /* + DMZv4-1-OUT-10 */LOG enabled + + 11 accept icmp 1 84 + condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* DMZv4-1-OUT-11 */LOG enabled + + 10000 drop all 6 360 + condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled + + -------------------------------------------------------------------------- + IPv4 Firewall "LANv4-IN": + + Inactive - Not applied to any interfaces or zones. + + rule action proto packets bytes + ---- ------ ----- ------- ----- + 10 accept all 0 0 + condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* LANv4-IN-10 */ + + 10000 drop all 0 0 + condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 + +.. opcmd:: show firewall summary + + This will show you a summary of rule-sets and groups + + .. code-block:: none + + vyos@vyos:~$ show firewall summary + + ------------------------ + Firewall Global Settings + ------------------------ + + Firewall state-policy for all IPv4 and Ipv6 traffic + + state action log + ----- ------ --- + invalid accept disabled + related accept disabled + established accept disabled + + ------------------------ + Firewall Rulesets + ------------------------ + + IPv4 name: + + Rule-set name Description References + ------------- ----------- ---------- + DMZv4-1-OUT (eth0,OUT) + DMZv4-1-IN (eth0,IN) + + ------------------------ + Firewall Groups + ------------------------ + + Port Groups: + + Group name Description References + ---------- ----------- ---------- + DMZ-Ports DMZv4-1-OUT-10-destination + + Network Groups: + + Group name Description References + ---------- ----------- ---------- + LANv4 LANv4-IN-10-source, + DMZv4-1-OUT-10-source, + DMZv4-1-OUT-11-source + +.. opcmd:: show firewall statistics + + This will show you a statistic of all rule-sets since the last boot. + +.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999> + + This command will give an overview of a rule in a single rule-set + +.. opcmd:: show firewall group <name> + + Overview of defined groups. You see the type, the members, and where the + group is used. + + .. code-block:: none + + vyos@vyos:~$ show firewall group DMZ-Ports + Name : DMZ-Ports + Type : port + References : none + Members : + 80 + 443 + 8080 + 8443 + + vyos@vyos:~$ show firewall group LANv4 + Name : LANv4 + Type : network + References : LANv4-IN-10-source + Members : + 10.10.0.0/16 + +.. opcmd:: show firewall [name | ipv6name] <name> + + This command will give an overview of a single rule-set. + +.. opcmd:: show firewall [name | ipv6name] <name> statistics + + This will show you a rule-set statistic since the last boot. + +.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999> + + This command will give an overview of a rule in a single rule-set. + + +Zone-Policy Overview +==================== + +.. opcmd:: show zone-policy zone <name> + + Use this command to get an overview of a zone. + + .. code-block:: none + + vyos@vyos:~$ show zone-policy zone DMZ + ------------------- + Name: DMZ + + Interfaces: eth0 eth1 + + From Zone: + name firewall + ---- -------- + LAN DMZv4-1-OUT + + +Show Firewall log +================= + +.. opcmd:: show log firewall [name | ipv6name] <name> + + Show the logs of a specific Rule-Set. + +.. note:: + At the moment it not possible to look at the whole firewall log with VyOS + operational commands. All logs will save to ``/var/logs/messages``. + For example: ``grep '10.10.0.10' /var/log/messages`` + + + +Example Partial Config +====================== + +.. code-block:: none + + firewall { + interface eth0 { + in { + name FROM-INTERNET + } + } + all-ping enable + broadcast-ping disable + config-trap disable + group { + network-group BAD-NETWORKS { + network 198.51.100.0/24 + network 203.0.113.0/24 + } + network-group GOOD-NETWORKS { + network 192.0.2.0/24 + } + port-group BAD-PORTS { + port 65535 + } + } + name FROM-INTERNET { + default-action accept + description "From the Internet" + rule 10 { + action accept + description "Authorized Networks" + protocol all + source { + group { + network-group GOOD-NETWORKS + } + } + } + rule 11 { + action drop + description "Bad Networks" + protocol all + source { + group { + network-group BAD-NETWORKS + } + } + } + rule 30 { + action drop + description "BAD PORTS" + destination { + group { + port-group BAD-PORTS + } + } + log enable + protocol all + } + } + } + interfaces { + ethernet eth1 { + address dhcp + description OUTSIDE + duplex auto + } + } + + +Update geoip database +===================== + +.. opcmd:: update geoip + + Command used to update GeoIP database and firewall sets.
\ No newline at end of file |