summaryrefslogtreecommitdiff
path: root/docs/configuration/firewall
diff options
context:
space:
mode:
Diffstat (limited to 'docs/configuration/firewall')
-rw-r--r--docs/configuration/firewall/bridge.rst42
-rw-r--r--docs/configuration/firewall/flowtables.rst52
-rw-r--r--docs/configuration/firewall/general-legacy.rst1054
-rw-r--r--docs/configuration/firewall/general.rst1544
-rw-r--r--docs/configuration/firewall/global-options.rst117
-rw-r--r--docs/configuration/firewall/groups.rst210
-rw-r--r--docs/configuration/firewall/index.rst204
-rw-r--r--docs/configuration/firewall/ipv4.rst1145
-rw-r--r--docs/configuration/firewall/ipv6.rst1167
-rw-r--r--docs/configuration/firewall/zone.rst47
10 files changed, 2915 insertions, 2667 deletions
diff --git a/docs/configuration/firewall/bridge.rst b/docs/configuration/firewall/bridge.rst
new file mode 100644
index 00000000..4a0dc3bb
--- /dev/null
+++ b/docs/configuration/firewall/bridge.rst
@@ -0,0 +1,42 @@
+:lastproofread: 2023-11-08
+
+.. _firewall-configuration:
+
+#############################
+Bridge Firewall Configuration
+#############################
+
+.. note:: **Documentation under development**
+
+********
+Overview
+********
+
+In this section there's useful information of all firewall configuration that
+can be done regarding bridge, and appropiate op-mode commands.
+Configuration commands covered in this section:
+
+.. cfgcmd:: set firewall bridge ...
+
+From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>`
+in this section you can find detailed information only for the next part
+of the general structure:
+
+.. code-block:: none
+
+ - set firewall
+ * bridge
+ - forward
+ + filter
+ - name
+ + custom_name
+
+Traffic which is received by the router on an interface which is member of a
+bridge is processed on the **Bridge Layer**. A simplified packet flow diagram
+for this layer is shown next:
+
+.. figure:: /_static/images/firewall-bridge-packet-flow.png
+
+For traffic that needs to be forwared internally by the bridge, base chain is
+is **forward**, and it's base command for filtering is ``set firewall bridge
+forward filter ...``
diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst
new file mode 100644
index 00000000..8b44a9b9
--- /dev/null
+++ b/docs/configuration/firewall/flowtables.rst
@@ -0,0 +1,52 @@
+:lastproofread: 2023-11-08
+
+.. _firewall-flowtables-configuration:
+
+#################################
+Flowtables Firewall Configuration
+#################################
+
+.. note:: **Documentation under development**
+
+********
+Overview
+********
+
+In this section there's useful information of all firewall configuration that
+can be done regarding flowtables
+
+.. cfgcmd:: set firewall flowtables ...
+
+From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>`
+in this section you can find detailed information only for the next part
+of the general structure:
+
+.. code-block:: none
+
+ - set firewall
+ * flowtable
+ - custom_flow_table
+ + ...
+
+
+Flowtables allows you to define a fastpath through the flowtable datapath.
+The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP
+and UDP protocols.
+
+.. figure:: /_static/images/firewall-flowtable-packet-flow.png
+
+Once the first packet of the flow successfully goes through the IP forwarding
+path (black circles path), from the second packet on, you might decide to
+offload the flow to the flowtable through your ruleset. The flowtable
+infrastructure provides a rule action that allows you to specify when to add
+a flow to the flowtable (On forward filtering, red circle number 6)
+
+A packet that finds a matching entry in the flowtable (flowtable hit) is
+transmitted to the output netdevice, hence, packets bypass the classic IP
+forwarding path and uses the **Fast Path** (orange circles path). The visible
+effect is that you do not see these packets from any of the Netfilter
+hooks coming after ingress. In case that there is no matching entry in the
+flowtable (flowtable miss), the packet follows the classic IP forwarding path.
+
+.. note:: **Flowtable Reference:**
+ https://docs.kernel.org/networking/nf_flowtable.html
diff --git a/docs/configuration/firewall/general-legacy.rst b/docs/configuration/firewall/general-legacy.rst
deleted file mode 100644
index 5d235eb8..00000000
--- a/docs/configuration/firewall/general-legacy.rst
+++ /dev/null
@@ -1,1054 +0,0 @@
-:lastproofread: 2021-06-29
-
-.. _legacy-firewall:
-
-###################################
-Firewall Configuration (Deprecated)
-###################################
-
-.. note:: **Important note:**
- This documentation is valid only for VyOS Sagitta prior to
- 1.4-rolling-202308040557
-
-********
-Overview
-********
-
-VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet
-filtering.
-
-The firewall supports the creation of groups for ports, addresses, and
-networks (implemented using netfilter ipset) and the option of interface
-or zone based firewall policy.
-
-.. note:: **Important note on usage of terms:**
- The firewall makes use of the terms `in`, `out`, and `local`
- for firewall policy. Users experienced with netfilter often confuse
- `in` to be a reference to the `INPUT` chain, and `out` the `OUTPUT`
- chain from netfilter. This is not the case. These instead indicate
- the use of the `FORWARD` chain and either the input or output
- interface. The `INPUT` chain, which is used for local traffic to the
- OS, is a reference to as `local` with respect to its input interface.
-
-
-***************
-Global settings
-***************
-
-Some firewall settings are global and have an affect on the whole system.
-
-.. cfgcmd:: set firewall all-ping [enable | disable]
-
- By default, when VyOS receives an ICMP echo request packet destined for
- itself, it will answer with an ICMP echo reply, unless you avoid it
- through its firewall.
-
- With the firewall you can set rules to accept, drop or reject ICMP in,
- out or local traffic. You can also use the general **firewall all-ping**
- command. This command affects only to LOCAL (packets destined for your
- VyOS system), not to IN or OUT traffic.
-
- .. note:: **firewall all-ping** affects only to LOCAL and it always
- behaves in the most restrictive way
-
- .. code-block:: none
-
- set firewall all-ping enable
-
- When the command above is set, VyOS will answer every ICMP echo request
- addressed to itself, but that will only happen if no other rule is
- applied dropping or rejecting local echo requests. In case of conflict,
- VyOS will not answer ICMP echo requests.
-
- .. code-block:: none
-
- set firewall all-ping disable
-
- When the command above is set, VyOS will answer no ICMP echo request
- addressed to itself at all, no matter where it comes from or whether
- more specific rules are being applied to accept them.
-
-.. cfgcmd:: set firewall broadcast-ping [enable | disable]
-
- This setting enable or disable the response of icmp broadcast
- messages. The following system parameter will be altered:
-
- * ``net.ipv4.icmp_echo_ignore_broadcasts``
-
-.. cfgcmd:: set firewall ip-src-route [enable | disable]
-.. cfgcmd:: set firewall ipv6-src-route [enable | disable]
-
- This setting handle if VyOS accept packets with a source route
- option. The following system parameter will be altered:
-
- * ``net.ipv4.conf.all.accept_source_route``
- * ``net.ipv6.conf.all.accept_source_route``
-
-.. cfgcmd:: set firewall receive-redirects [enable | disable]
-.. cfgcmd:: set firewall ipv6-receive-redirects [enable | disable]
-
- enable or disable of ICMPv4 or ICMPv6 redirect messages accepted
- by VyOS. The following system parameter will be altered:
-
- * ``net.ipv4.conf.all.accept_redirects``
- * ``net.ipv6.conf.all.accept_redirects``
-
-.. cfgcmd:: set firewall send-redirects [enable | disable]
-
- enable or disable ICMPv4 redirect messages send by VyOS
- The following system parameter will be altered:
-
- * ``net.ipv4.conf.all.send_redirects``
-
-.. cfgcmd:: set firewall log-martians [enable | disable]
-
- enable or disable the logging of martian IPv4 packets.
- The following system parameter will be altered:
-
- * ``net.ipv4.conf.all.log_martians``
-
-.. cfgcmd:: set firewall source-validation [strict | loose | disable]
-
- Set the IPv4 source validation mode.
- The following system parameter will be altered:
-
- * ``net.ipv4.conf.all.rp_filter``
-
-.. cfgcmd:: set firewall syn-cookies [enable | disable]
-
- Enable or Disable if VyOS use IPv4 TCP SYN Cookies.
- The following system parameter will be altered:
-
- * ``net.ipv4.tcp_syncookies``
-
-.. cfgcmd:: set firewall twa-hazards-protection [enable | disable]
-
- Enable or Disable VyOS to be :rfc:`1337` conform.
- The following system parameter will be altered:
-
- * ``net.ipv4.tcp_rfc1337``
-
-.. cfgcmd:: set firewall state-policy established action [accept | drop |
- reject]
-
-.. cfgcmd:: set firewall state-policy established log enable
-
- Set the global setting for an established connection.
-
-.. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject]
-
-.. cfgcmd:: set firewall state-policy invalid log enable
-
- Set the global setting for invalid packets.
-
-.. cfgcmd:: set firewall state-policy related action [accept | drop | reject]
-
-.. cfgcmd:: set firewall state-policy related log enable
-
- Set the global setting for related connections.
-
-
-******
-Groups
-******
-
-Firewall groups represent collections of IP addresses, networks, ports,
-mac addresses or domains. Once created, a group can be referenced by
-firewall, nat and policy route rules as either a source or destination
-matcher. Members can be added or removed from a group without changes to,
-or the need to reload, individual firewall rules.
-
-Groups need to have unique names. Even though some contain IPv4
-addresses and others contain IPv6 addresses, they still need to have
-unique names, so you may want to append "-v4" or "-v6" to your group
-names.
-
-
-Address Groups
-==============
-
-In an **address group** a single IP address or IP address ranges are
-defined.
-
-.. cfgcmd:: set firewall group address-group <name> address [address |
- address range]
-.. cfgcmd:: set firewall group ipv6-address-group <name> address <address>
-
- Define a IPv4 or a IPv6 address group
-
- .. code-block:: none
-
- set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1
- set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8
- set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1
-
-.. cfgcmd:: set firewall group address-group <name> description <text>
-.. cfgcmd:: set firewall group ipv6-address-group <name> description <text>
-
- Provide a IPv4 or IPv6 address group description
-
-Network Groups
-==============
-
-While **network groups** accept IP networks in CIDR notation, specific
-IP addresses can be added as a 32-bit prefix. If you foresee the need
-to add a mix of addresses and networks, the network group is
-recommended.
-
-.. cfgcmd:: set firewall group network-group <name> network <CIDR>
-.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR>
-
- Define a IPv4 or IPv6 Network group.
-
- .. code-block:: none
-
- set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24
- set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24
- set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64
-
-.. cfgcmd:: set firewall group network-group <name> description <text>
-.. cfgcmd:: set firewall group ipv6-network-group <name> description <text>
-
- Provide a IPv4 or IPv6 network group description.
-
-Port Groups
-===========
-
-A **port group** represents only port numbers, not the protocol. Port
-groups can be referenced for either TCP or UDP. It is recommended that
-TCP and UDP groups are created separately to avoid accidentally
-filtering unnecessary ports. Ranges of ports can be specified by using
-`-`.
-
-.. cfgcmd:: set firewall group port-group <name> port
- [portname | portnumber | startport-endport]
-
- Define a port group. A port name can be any name defined in
- /etc/services. e.g.: http
-
- .. code-block:: none
-
- set firewall group port-group PORT-TCP-SERVER1 port http
- set firewall group port-group PORT-TCP-SERVER1 port 443
- set firewall group port-group PORT-TCP-SERVER1 port 5000-5010
-
-.. cfgcmd:: set firewall group port-group <name> description <text>
-
- Provide a port group description.
-
-MAC Groups
-==========
-
-A **mac group** represents a collection of mac addresses.
-
-.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address>
-
- Define a mac group.
-
-.. code-block:: none
-
- set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f
- set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81
-
-
-Domain Groups
-=============
-
-A **domain group** represents a collection of domains.
-
-.. cfgcmd:: set firewall group domain-group <name> address <domain>
-
- Define a domain group.
-
-.. code-block:: none
-
- set firewall group domain-group DOM address example.com
-
-
-*********
-Rule-Sets
-*********
-
-A rule-set is a named collection of firewall rules that can be applied
-to an interface or a zone. Each rule is numbered, has an action to apply
-if the rule is matched, and the ability to specify the criteria to
-match. Data packets go through the rules from 1 - 999999, at the first match
-the action of the rule will be executed.
-
-.. cfgcmd:: set firewall name <name> description <text>
-.. cfgcmd:: set firewall ipv6-name <name> description <text>
-
- Provide a rule-set description.
-
-.. cfgcmd:: set firewall name <name> default-action [accept | drop | jump |
- reject | return]
-.. cfgcmd:: set firewall ipv6-name <name> default-action [accept | drop |
- jump | reject | return]
-
- This set the default action of the rule-set if no rule matched a packet
- criteria. If defacult-action is set to ``jump``, then
- ``default-jump-target`` is also needed.
-
-.. cfgcmd:: set firewall name <name> default-jump-target <text>
-.. cfgcmd:: set firewall ipv6-name <name> default-jump-target <text>
-
- To be used only when ``defult-action`` is set to ``jump``. Use this
- command to specify jump target for default rule.
-
-.. cfgcmd:: set firewall name <name> enable-default-log
-.. cfgcmd:: set firewall ipv6-name <name> enable-default-log
-
- Use this command to enable the logging of the default action.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> action [accept | drop |
- jump | queue | reject | return]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [accept |
- drop | jump | queue | reject | return]
-
- This required setting defines the action of the current rule. If action
- is set to ``jump``, then ``jump-target`` is also needed.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> jump-target <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> jump-target <text>
-
- To be used only when ``action`` is set to ``jump``. Use this
- command to specify jump target.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> queue <0-65535>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> queue <0-65535>
-
- Use this command to set the target to use. Action queue must be defined
- to use this setting
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> queue-options
- <bypass-fanout>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> queue-options
- <bypass-fanout>
-
- Options used for queue target. Action queue must be defined to use this
- setting
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> description <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> description <text>
-
- Provide a description for each rule.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> log [disable | enable]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable |
- enable]
-
- Enable or disable logging for the matched packet.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> log-options level
- [emerg | alert | crit | err | warn | notice | info | debug]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options level
- [emerg | alert | crit | err | warn | notice | info | debug]
-
- Define log-level. Only applicable if rule log is enable.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> log-options group
- <0-65535>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options group
- <0-65535>
-
- Define log group to send message to. Only applicable if rule log is enable.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> log-options snaplen
- <0-9000>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options snaplen
- <0-9000>
-
- Define length of packet payload to include in netlink message. Only
- applicable if rule log is enable and log group is defined.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> log-options
- queue-threshold <0-65535>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options
- queue-threshold <0-65535>
-
- Define number of packets to queue inside the kernel before sending them to
- userspace. Only applicable if rule log is enable and log group is defined.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> disable
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable
-
- If you want to disable a rule but let it in the configuration.
-
-Matching criteria
-=================
-
-There are a lot of matching criteria against which the package can be tested.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> connection-status nat
- [destination | source]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-status
- nat [destination | source]
-
- Match criteria based on nat connection status.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> connection-mark
- <1-2147483647>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-mark
- <1-2147483647>
-
- Match criteria based on connection mark.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source address
- [address | addressrange | CIDR]
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination address
- [address | addressrange | CIDR]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address
- [address | addressrange | CIDR]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination address
- [address | addressrange | CIDR]
-
- This is similar to the network groups part, but here you are able to negate
- the matching addresses.
-
- .. code-block:: none
-
- set firewall name WAN-IN-v4 rule 100 source address 192.0.2.10-192.0.2.11
- # with a '!' the rule match everything except the specified subnet
- set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24
- set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source address-mask
- [address]
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination address-mask
- [address]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address-mask
- [address]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination
- address-mask [address]
-
- An arbitrary netmask can be applied to mask addresses to only match against
- a specific portion. This is particularly useful with IPv6 and a zone-based
- firewall as rules will remain valid if the IPv6 prefix changes and the host
- portion of systems IPv6 address is static (for example, with SLAAC or
- `tokenised IPv6 addresses
- <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_).
-
- This functions for both individual addresses and address groups.
-
- .. stop_vyoslinter
- .. code-block:: none
-
- # Match any IPv6 address with the suffix ::0000:0000:0000:beef
- set firewall ipv6-name WAN-LAN-v6 rule 100 destination address ::beef
- set firewall ipv6-name WAN-LAN-v6 rule 100 destination address-mask ::ffff:ffff:ffff:ffff
- # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet
- set firewall name WAN-LAN-v4 rule 100 destination address 0.11.0.13
- set firewall name WAN-LAN-v4 rule 100 destination address-mask 0.255.0.255
- # Address groups
- set firewall group ipv6-address-group WEBSERVERS address ::1000
- set firewall group ipv6-address-group WEBSERVERS address ::2000
- set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS
- set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff
- .. start_vyoslinter
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source fqdn <fqdn>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination fqdn <fqdn>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source fqdn <fqdn>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination fqdn
- <fqdn>
-
- Specify a Fully Qualified Domain Name as source/destination matcher. Ensure
- router is able to resolve such dns query.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code
- <country>
-.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
- country-code <country>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
- inverse-match
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
- country-code <country>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
- inverse-match
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
- country-code <country>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
- inverse-match
-
-Match IP addresses based on its geolocation.
-More info: `geoip matching
-<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
-
-Use inverse-match to match anything except the given country-codes.
-
-Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
-permits redistribution so we can include a database in images(~3MB
-compressed). Includes cron script (manually callable by op-mode update
-geoip) to keep database and rules updated.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address
- <mac-address>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source mac-address
- <mac-address>
-
- Only in the source criteria, you can specify a mac-address.
-
- .. code-block:: none
-
- set firewall name LAN-IN-v4 rule 100 source mac-address 00:53:00:11:22:33
- set firewall name LAN-IN-v4 rule 101 source mac-address !00:53:00:aa:12:34
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source port
- [1-65535 | portname | start-end]
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination port
- [1-65535 | portname | start-end]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source port
- [1-65535 | portname | start-end]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination port
- [1-65535 | portname | start-end]
-
- A port can be set with a port number or a name which is here
- defined: ``/etc/services``.
-
- .. code-block:: none
-
- set firewall name WAN-IN-v4 rule 10 source port '22'
- set firewall name WAN-IN-v4 rule 11 source port '!http'
- set firewall name WAN-IN-v4 rule 12 source port 'https'
-
- Multiple source ports can be specified as a comma-separated list.
- The whole list can also be "negated" using ``!``. For example:
-
- .. code-block:: none
-
- set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338'
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- address-group <name | !name>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- address-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- address-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- address-group <name | !name>
-
- Use a specific address-group. Prepend character ``!`` for inverted matching
- criteria.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- network-group <name | !name>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- network-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- network-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- network-group <name | !name>
-
- Use a specific network-group. Prepend character ``!`` for inverted matching
- criteria.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- port-group <name | !name>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- port-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- port-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- port-group <name | !name>
-
- Use a specific port-group. Prepend character ``!`` for inverted matching
- criteria.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- domain-group <name | !name>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- domain-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- domain-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- domain-group <name | !name>
-
- Use a specific domain-group. Prepend character ``!`` for inverted matching
- criteria.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- mac-group <name | !name>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- mac-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- mac-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- mac-group <name | !name>
-
- Use a specific mac-group. Prepend character ``!`` for inverted matching
- criteria.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> dscp [0-63 | start-end]
-.. cfgcmd:: set firewall name <name> rule <1-999999> dscp-exclude [0-63 |
- start-end]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp [0-63 |
- start-end]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp-exclude [0-63 |
- start-end]
-
- Match based on dscp value.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> fragment [match-frag |
- match-non-frag]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> fragment [match-frag
- | match-non-frag]
-
- Match based on fragment criteria.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> icmp [code | type]
- <0-255>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 [code | type]
- <0-255>
-
- Match based on icmp|icmpv6 code and type.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> icmp type-name <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 type-name
- <text>
-
- Match based on icmp|icmpv6 type-name criteria. Use tab for information
- about what **type-name** criteria are supported.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> inbound-interface
- <iface>
-.. cfgcmd:: set firewall name <name> rule <1-999999> outbound-interface
- <iface>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> inbound-interface
- <iface>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> outbound-interface
- <iface>
-
- Match based on inbound/outbound interface. Wilcard ``*`` can be used.
- For example: ``eth2*``
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> ipsec [match-ipsec
- | match-none]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> ipsec [match-ipsec
- | match-none]
-
- Match based on ipsec criteria.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> limit burst
- <0-4294967295>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit burst
- <0-4294967295>
-
- Match based on the maximum number of packets to allow in excess of rate.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> limit rate
- <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit rate
- <text>
-
- Match based on the maximum average rate, specified as **integer/unit**.
- For example **5/minutes**
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length
- <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length
- <text>
-.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length-exclude
- <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length-exclude
- <text>
-
- Match based on packet length criteria. Multiple values from 1 to 65535
- and ranges are supported.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> packet-type
- [broadcast | host | multicast | other]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-type
- [broadcast | host | multicast | other]
-
- Match based on packet type criteria.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> |
- <0-255> | all | tcp_udp]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> protocol [<text> |
- <0-255> | all | tcp_udp]
-
- Match a protocol criteria. A protocol number or a name which is here
- defined: ``/etc/protocols``.
- Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
- based packets. The ``!`` negate the selected protocol.
-
- .. code-block:: none
-
- set firewall name WAN-IN-v4 rule 10 protocol tcp_udp
- set firewall name WAN-IN-v4 rule 11 protocol !tcp_udp
- set firewall ipv6-name WAN-IN-v6 rule 10 protocol tcp
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
-.. cfgcmd:: set firewall name <name> rule <1-999999> recent time
- [second | minute | hour]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time
- [second | minute | hour]
-
- Match bases on recently seen sources.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> tcp flags <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> tcp flags <text>
-
- Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``,
- ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma
- separated. The ``!`` negate the selected protocol.
-
- .. code-block:: none
-
- set firewall name WAN-IN-v4 rule 10 tcp flags 'ACK'
- set firewall name WAN-IN-v4 rule 12 tcp flags 'SYN'
- set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST'
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> state [established |
- invalid | new | related] [enable | disable]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> state [established |
- invalid | new | related] [enable | disable]
-
- Match against the state of a packet.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> time startdate <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time startdate <text>
-.. cfgcmd:: set firewall name <name> rule <1-999999> time starttime <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time starttime <text>
-.. cfgcmd:: set firewall name <name> rule <1-999999> time stopdate <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stopdate <text>
-.. cfgcmd:: set firewall name <name> rule <1-999999> time stoptime <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stoptime <text>
-.. cfgcmd:: set firewall name <name> rule <1-999999> time weekdays <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time weekdays <text>
-
- Time to match the defined rule.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255>
-
- Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for
- 'greater than', and 'lt' stands for 'less than'.
-
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> hop-limit <eq | gt |
- lt> <0-255>
-
- Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
- 'greater than', and 'lt' stands for 'less than'.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
-.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second |
- minute | hour>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second |
- minute | hour>
-
- Match when 'count' amount of connections are seen within 'time'. These
- matching criteria can be used to block brute-force attempts.
-
-***********************************
-Applying a Rule-Set to an Interface
-***********************************
-
-A Rule-Set can be applied to every interface:
-
-* ``in``: Ruleset for forwarded packets on an inbound interface
-* ``out``: Ruleset for forwarded packets on an outbound interface
-* ``local``: Ruleset for packets destined for this router
-
-.. cfgcmd:: set firewall interface <interface> [in | out | local] [name |
- ipv6-name] <rule-set>
-
-
- Here are some examples for applying a rule-set to an interface
-
- .. code-block:: none
-
- set firewall interface eth1.100 in name LANv4-IN
- set firewall interface eth1.100 out name LANv4-OUT
- set firewall interface bond0 in name LANv4-IN
- set firewall interface vtun1 in name LANv4-IN
- set firewall interface eth2* in name LANv4-IN
-
- .. note::
- As you can see in the example here, you can assign the same rule-set to
- several interfaces. An interface can only have one rule-set per chain.
-
- .. note::
- You can use wildcard ``*`` to match a group of interfaces.
-
-***********************
-Operation-mode Firewall
-***********************
-
-Rule-set overview
-=================
-
-.. opcmd:: show firewall
-
- This will show you a basic firewall overview
-
- .. code-block:: none
-
- vyos@vyos:~$ show firewall
-
- ------------------------
- Firewall Global Settings
- ------------------------
-
- Firewall state-policy for all IPv4 and Ipv6 traffic
-
- state action log
- ----- ------ ---
- invalid accept disabled
- established accept disabled
- related accept disabled
-
- -----------------------------
- Rulesets Information
- -----------------------------
- --------------------------------------------------------------------------
- IPv4 Firewall "DMZv4-1-IN":
-
- Active on (eth0,IN)
-
- rule action proto packets bytes
- ---- ------ ----- ------- -----
- 10 accept icmp 0 0
- condition - saddr 10.1.0.0/24 daddr 0.0.0.0/0 LOG enabled
-
- 10000 drop all 0 0
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled
-
- --------------------------------------------------------------------------
- IPv4 Firewall "DMZv4-1-OUT":
-
- Active on (eth0,OUT)
-
- rule action proto packets bytes
- ---- ------ ----- ------- -----
- 10 accept tcp_udp 1 60
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-DST-PORT-GROUP DMZ-Ports /*
- DMZv4-1-OUT-10 */LOG enabled
-
- 11 accept icmp 1 84
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* DMZv4-1-OUT-11 */LOG enabled
-
- 10000 drop all 6 360
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled
-
- --------------------------------------------------------------------------
- IPv4 Firewall "LANv4-IN":
-
- Inactive - Not applied to any interfaces or zones.
-
- rule action proto packets bytes
- ---- ------ ----- ------- -----
- 10 accept all 0 0
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* LANv4-IN-10 */
-
- 10000 drop all 0 0
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
-
-.. opcmd:: show firewall summary
-
- This will show you a summary of rule-sets and groups
-
- .. code-block:: none
-
- vyos@vyos:~$ show firewall summary
-
- ------------------------
- Firewall Global Settings
- ------------------------
-
- Firewall state-policy for all IPv4 and Ipv6 traffic
-
- state action log
- ----- ------ ---
- invalid accept disabled
- related accept disabled
- established accept disabled
-
- ------------------------
- Firewall Rulesets
- ------------------------
-
- IPv4 name:
-
- Rule-set name Description References
- ------------- ----------- ----------
- DMZv4-1-OUT (eth0,OUT)
- DMZv4-1-IN (eth0,IN)
-
- ------------------------
- Firewall Groups
- ------------------------
-
- Port Groups:
-
- Group name Description References
- ---------- ----------- ----------
- DMZ-Ports DMZv4-1-OUT-10-destination
-
- Network Groups:
-
- Group name Description References
- ---------- ----------- ----------
- LANv4 LANv4-IN-10-source,
- DMZv4-1-OUT-10-source,
- DMZv4-1-OUT-11-source
-
-.. opcmd:: show firewall statistics
-
- This will show you a statistic of all rule-sets since the last boot.
-
-.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>
-
- This command will give an overview of a rule in a single rule-set
-
-.. opcmd:: show firewall group <name>
-
- Overview of defined groups. You see the type, the members, and where the
- group is used.
-
- .. code-block:: none
-
- vyos@vyos:~$ show firewall group DMZ-Ports
- Name : DMZ-Ports
- Type : port
- References : none
- Members :
- 80
- 443
- 8080
- 8443
-
- vyos@vyos:~$ show firewall group LANv4
- Name : LANv4
- Type : network
- References : LANv4-IN-10-source
- Members :
- 10.10.0.0/16
-
-.. opcmd:: show firewall [name | ipv6name] <name>
-
- This command will give an overview of a single rule-set.
-
-.. opcmd:: show firewall [name | ipv6name] <name> statistics
-
- This will show you a rule-set statistic since the last boot.
-
-.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>
-
- This command will give an overview of a rule in a single rule-set.
-
-
-Zone-Policy Overview
-====================
-
-.. opcmd:: show zone-policy zone <name>
-
- Use this command to get an overview of a zone.
-
- .. code-block:: none
-
- vyos@vyos:~$ show zone-policy zone DMZ
- -------------------
- Name: DMZ
-
- Interfaces: eth0 eth1
-
- From Zone:
- name firewall
- ---- --------
- LAN DMZv4-1-OUT
-
-
-Show Firewall log
-=================
-
-.. opcmd:: show log firewall [name | ipv6name] <name>
-
- Show the logs of a specific Rule-Set.
-
-.. note::
- At the moment it not possible to look at the whole firewall log with VyOS
- operational commands. All logs will save to ``/var/logs/messages``.
- For example: ``grep '10.10.0.10' /var/log/messages``
-
-
-
-Example Partial Config
-======================
-
-.. code-block:: none
-
- firewall {
- interface eth0 {
- in {
- name FROM-INTERNET
- }
- }
- all-ping enable
- broadcast-ping disable
- config-trap disable
- group {
- network-group BAD-NETWORKS {
- network 198.51.100.0/24
- network 203.0.113.0/24
- }
- network-group GOOD-NETWORKS {
- network 192.0.2.0/24
- }
- port-group BAD-PORTS {
- port 65535
- }
- }
- name FROM-INTERNET {
- default-action accept
- description "From the Internet"
- rule 10 {
- action accept
- description "Authorized Networks"
- protocol all
- source {
- group {
- network-group GOOD-NETWORKS
- }
- }
- }
- rule 11 {
- action drop
- description "Bad Networks"
- protocol all
- source {
- group {
- network-group BAD-NETWORKS
- }
- }
- }
- rule 30 {
- action drop
- description "BAD PORTS"
- destination {
- group {
- port-group BAD-PORTS
- }
- }
- log enable
- protocol all
- }
- }
- }
- interfaces {
- ethernet eth1 {
- address dhcp
- description OUTSIDE
- duplex auto
- }
- }
-
-
-Update geoip database
-=====================
-
-.. opcmd:: update geoip
-
- Command used to update GeoIP database and firewall sets.
diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst
deleted file mode 100644
index 3fe876f2..00000000
--- a/docs/configuration/firewall/general.rst
+++ /dev/null
@@ -1,1544 +0,0 @@
-:lastproofread: 2023-09-17
-
-.. _firewall-configuration:
-
-######################
-Firewall Configuration
-######################
-
-********
-Overview
-********
-
-VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet
-filtering.
-
-The firewall supports the creation of groups for addresses, domains,
-interfaces, mac-addresses, networks and port groups. This groups can be used
-later in firewall ruleset as desired.
-
-Main structure is shown next:
-
-.. code-block:: none
-
- - set firewall
- * global-options
- + all-ping
- + broadcast-ping
- + ...
- * group
- - address-group
- - ipv6-address-group
- - network-group
- - ipv6-network-group
- - interface-group
- - mac-group
- - port-group
- - domain-group
- * ipv4
- - forward
- + filter
- - input
- + filter
- - output
- + filter
- - name
- + custom_name
- * ipv6
- - forward
- + filter
- - input
- + filter
- - output
- + filter
- - ipv6-name
- + custom_name
-
-Where, main key words and configuration paths that needs to be understood:
-
- * For firewall filtering, configuration should be done in ``set firewall
- [ipv4 | ipv6] ...``
-
- * For transit traffic, which is received by the router and forwarded,
- base chain is **forward filter**: ``set firewall [ipv4 | ipv6]
- forward filter ...``
-
- * For traffic originated by the router, base chain is **output filter**:
- ``set firewall [ipv4 | ipv6] output filter ...``
-
- * For traffic towards the router itself, base chain is **input filter**:
- ``set firewall [ipv4 | ipv6] input filter ...``
-
-.. note:: **Important note about default-actions:**
- If default action for any chain is not defined, then the default
- action is set to **accept** for that chain. Only for custom chains,
- the default action is set to **drop**.
-
-Custom firewall chains can be created, with commands
-``set firewall [ipv4 | ipv6] [name | ipv6-name] <name> ...``. In order to use
-such custom chain, a rule with **action jump**, and the appropiate **target**
-should be defined in a base chain.
-
-**************
-Global Options
-**************
-
-Some firewall settings are global and have an affect on the whole system.
-
-.. cfgcmd:: set firewall global-options all-ping [enable | disable]
-
- By default, when VyOS receives an ICMP echo request packet destined for
- itself, it will answer with an ICMP echo reply, unless you avoid it
- through its firewall.
-
- With the firewall you can set rules to accept, drop or reject ICMP in,
- out or local traffic. You can also use the general **firewall all-ping**
- command. This command affects only to LOCAL (packets destined for your
- VyOS system), not to IN or OUT traffic.
-
- .. note:: **firewall global-options all-ping** affects only to LOCAL
- and it always behaves in the most restrictive way
-
- .. code-block:: none
-
- set firewall global-options all-ping enable
-
- When the command above is set, VyOS will answer every ICMP echo request
- addressed to itself, but that will only happen if no other rule is
- applied dropping or rejecting local echo requests. In case of conflict,
- VyOS will not answer ICMP echo requests.
-
- .. code-block:: none
-
- set firewall global-options all-ping disable
-
- When the command above is set, VyOS will answer no ICMP echo request
- addressed to itself at all, no matter where it comes from or whether
- more specific rules are being applied to accept them.
-
-.. cfgcmd:: set firewall global-options broadcast-ping [enable | disable]
-
- This setting enable or disable the response of icmp broadcast
- messages. The following system parameter will be altered:
-
- * ``net.ipv4.icmp_echo_ignore_broadcasts``
-
-.. cfgcmd:: set firewall global-options ip-src-route [enable | disable]
-.. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable]
-
- This setting handle if VyOS accept packets with a source route
- option. The following system parameter will be altered:
-
- * ``net.ipv4.conf.all.accept_source_route``
- * ``net.ipv6.conf.all.accept_source_route``
-
-.. cfgcmd:: set firewall global-options receive-redirects [enable | disable]
-.. cfgcmd:: set firewall global-options ipv6-receive-redirects
- [enable | disable]
-
- enable or disable of ICMPv4 or ICMPv6 redirect messages accepted
- by VyOS. The following system parameter will be altered:
-
- * ``net.ipv4.conf.all.accept_redirects``
- * ``net.ipv6.conf.all.accept_redirects``
-
-.. cfgcmd:: set firewall global-options send-redirects [enable | disable]
-
- enable or disable ICMPv4 redirect messages send by VyOS
- The following system parameter will be altered:
-
- * ``net.ipv4.conf.all.send_redirects``
-
-.. cfgcmd:: set firewall global-options log-martians [enable | disable]
-
- enable or disable the logging of martian IPv4 packets.
- The following system parameter will be altered:
-
- * ``net.ipv4.conf.all.log_martians``
-
-.. cfgcmd:: set firewall global-options source-validation
- [strict | loose | disable]
-
- Set the IPv4 source validation mode.
- The following system parameter will be altered:
-
- * ``net.ipv4.conf.all.rp_filter``
-
-.. cfgcmd:: set firewall global-options syn-cookies [enable | disable]
-
- Enable or Disable if VyOS use IPv4 TCP SYN Cookies.
- The following system parameter will be altered:
-
- * ``net.ipv4.tcp_syncookies``
-
-.. cfgcmd:: set firewall global-options twa-hazards-protection
- [enable | disable]
-
- Enable or Disable VyOS to be :rfc:`1337` conform.
- The following system parameter will be altered:
-
- * ``net.ipv4.tcp_rfc1337``
-
-******
-Groups
-******
-
-Firewall groups represent collections of IP addresses, networks, ports,
-mac addresses, domains or interfaces. Once created, a group can be referenced
-by firewall, nat and policy route rules as either a source or destination
-matcher, and as inbpund/outbound in the case of interface group.
-
-Address Groups
-==============
-
-In an **address group** a single IP address or IP address ranges are
-defined.
-
-.. cfgcmd:: set firewall group address-group <name> address [address |
- address range]
-.. cfgcmd:: set firewall group ipv6-address-group <name> address <address>
-
- Define a IPv4 or a IPv6 address group
-
- .. code-block:: none
-
- set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1
- set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8
- set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1
-
-.. cfgcmd:: set firewall group address-group <name> description <text>
-.. cfgcmd:: set firewall group ipv6-address-group <name> description <text>
-
- Provide a IPv4 or IPv6 address group description
-
-Network Groups
-==============
-
-While **network groups** accept IP networks in CIDR notation, specific
-IP addresses can be added as a 32-bit prefix. If you foresee the need
-to add a mix of addresses and networks, the network group is
-recommended.
-
-.. cfgcmd:: set firewall group network-group <name> network <CIDR>
-.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR>
-
- Define a IPv4 or IPv6 Network group.
-
- .. code-block:: none
-
- set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24
- set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24
- set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64
-
-.. cfgcmd:: set firewall group network-group <name> description <text>
-.. cfgcmd:: set firewall group ipv6-network-group <name> description <text>
-
- Provide an IPv4 or IPv6 network group description.
-
-Interface Groups
-================
-
-An **interface group** represents a collection of interfaces.
-
-.. cfgcmd:: set firewall group interface-group <name> interface <text>
-
- Define an interface group. Wildcard are accepted too.
-
-.. code-block:: none
-
- set firewall group interface-group LAN interface bond1001
- set firewall group interface-group LAN interface eth3*
-
-.. cfgcmd:: set firewall group interface-group <name> description <text>
-
- Provide an interface group description
-
-Port Groups
-===========
-
-A **port group** represents only port numbers, not the protocol. Port
-groups can be referenced for either TCP or UDP. It is recommended that
-TCP and UDP groups are created separately to avoid accidentally
-filtering unnecessary ports. Ranges of ports can be specified by using
-`-`.
-
-.. cfgcmd:: set firewall group port-group <name> port
- [portname | portnumber | startport-endport]
-
- Define a port group. A port name can be any name defined in
- /etc/services. e.g.: http
-
- .. code-block:: none
-
- set firewall group port-group PORT-TCP-SERVER1 port http
- set firewall group port-group PORT-TCP-SERVER1 port 443
- set firewall group port-group PORT-TCP-SERVER1 port 5000-5010
-
-.. cfgcmd:: set firewall group port-group <name> description <text>
-
- Provide a port group description.
-
-MAC Groups
-==========
-
-A **mac group** represents a collection of mac addresses.
-
-.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address>
-
- Define a mac group.
-
-.. code-block:: none
-
- set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f
- set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81
-
-.. cfgcmd:: set firewall group mac-group <name> description <text>
-
- Provide a mac group description.
-
-Domain Groups
-=============
-
-A **domain group** represents a collection of domains.
-
-.. cfgcmd:: set firewall group domain-group <name> address <domain>
-
- Define a domain group.
-
-.. code-block:: none
-
- set firewall group domain-group DOM address example.com
-
-.. cfgcmd:: set firewall group domain-group <name> description <text>
-
- Provide a domain group description.
-
-**************
-Firewall Rules
-**************
-
-For firewall filtering, firewall rules needs to be created. Each rule is
-numbered, has an action to apply if the rule is matched, and the ability
-to specify multiple criteria matchers. Data packets go through the rules
-from 1 - 999999, so order is crucial. At the first match the action of the
-rule will be executed.
-
-Actions
-=======
-
-If a rule is defined, then an action must be defined for it. This tells the
-firewall what to do if all criteria matchers defined for such rule do match.
-
-The action can be :
-
- * ``accept``: accept the packet.
-
- * ``drop``: drop the packet.
-
- * ``reject``: reject the packet.
-
- * ``jump``: jump to another custom chain.
-
- * ``return``: Return from the current chain and continue at the next rule
- of the last chain.
-
- * ``queue``: Enqueue packet to userspace.
-
- * ``synproxy``: synproxy the packet.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> action
- [accept | drop | jump | queue | reject | return | synproxy]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> action
- [accept | drop | jump | queue | reject | return | synproxy]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> action
- [accept | drop | jump | queue | reject | return]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action
- [accept | drop | jump | queue | reject | return]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> action
- [accept | drop | jump | queue | reject | return]
-
- This required setting defines the action of the current rule. If action is
- set to jump, then jump-target is also needed.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- jump-target <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- jump-target <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- jump-target <text>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- jump-target <text>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- jump-target <text>
-
- To be used only when action is set to jump. Use this command to specify
- jump target.
-
-Also, **default-action** is an action that takes place whenever a packet does
-not match any rule in it's chain. For base chains, possible options for
-**default-action** are **accept** or **drop**.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter default-action
- [accept | drop]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter default-action
- [accept | drop]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter default-action
- [accept | drop]
-.. cfgcmd:: set firewall ipv4 name <name> default-action
- [accept | drop | jump | queue | reject | return]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> default-action
- [accept | drop | jump | queue | reject | return]
-
- This set the default action of the rule-set if no rule matched a packet
- criteria. If defacult-action is set to ``jump``, then
- ``default-jump-target`` is also needed. Note that for base chains, default
- action can only be set to ``accept`` or ``drop``, while on custom chain,
- more actions are available.
-
-.. cfgcmd:: set firewall name <name> default-jump-target <text>
-.. cfgcmd:: set firewall ipv6-name <name> default-jump-target <text>
-
- To be used only when ``defult-action`` is set to ``jump``. Use this
- command to specify jump target for default rule.
-
-.. note:: **Important note about default-actions:**
- If default action for any chain is not defined, then the default
- action is set to **drop** for that chain.
-
-
-Firewall Logs
-=============
-
-Logging can be enable for every single firewall rule. If enabled, other
-log options can be defined.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> log
- [disable | enable]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> log
- [disable | enable]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> log
- [disable | enable]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log
- [disable | enable]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> log
- [disable | enable]
-
- Enable or disable logging for the matched packet.
-
-.. cfgcmd:: set firewall ipv4 name <name> enable-default-log
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> enable-default-log
-
- Use this command to enable the logging of the default action on
- custom chains.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- log-options level [emerg | alert | crit | err | warn | notice
- | info | debug]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- log-options level [emerg | alert | crit | err | warn | notice
- | info | debug]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- log-options level [emerg | alert | crit | err | warn | notice
- | info | debug]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- log-options level [emerg | alert | crit | err | warn | notice
- | info | debug]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- log-options level [emerg | alert | crit | err | warn | notice
- | info | debug]
-
- Define log-level. Only applicable if rule log is enable.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- log-options group <0-65535>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- log-options group <0-65535>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- log-options group <0-65535>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- log-options group <0-65535>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- log-options group <0-65535>
-
- Define log group to send message to. Only applicable if rule log is enable.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- log-options snapshot-length <0-9000>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- log-options snapshot-length <0-9000>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- log-options snapshot-length <0-9000>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- log-options snapshot-length <0-9000>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- log-options snapshot-length <0-9000>
-
- Define length of packet payload to include in netlink message. Only
- applicable if rule log is enable and log group is defined.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- log-options queue-threshold <0-65535>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- log-options queue-threshold <0-65535>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- log-options queue-threshold <0-65535>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- log-options queue-threshold <0-65535>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- log-options queue-threshold <0-65535>
-
- Define number of packets to queue inside the kernel before sending them to
- userspace. Only applicable if rule log is enable and log group is defined.
-
-
-Firewall Description
-====================
-
-For reference, a description can be defined for every single rule, and for
-every defined custom chain.
-
-.. cfgcmd:: set firewall ipv4 name <name> description <text>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> description <text>
-
- Provide a rule-set description to a custom firewall chain.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- description <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- description <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- description <text>
-
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> description <text>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> description <text>
-
- Provide a description for each rule.
-
-
-Rule Status
-===========
-
-When defining a rule, it is enable by default. In some cases, it is useful to
-just disable the rule, rather than removing it.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> disable
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> disable
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> disable
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> disable
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> disable
-
- Command for disabling a rule but keep it in the configuration.
-
-
-Matching criteria
-=================
-
-There are a lot of matching criteria against which the package can be tested.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- connection-status nat [destination | source]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- connection-status nat [destination | source]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- connection-status nat [destination | source]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- connection-status nat [destination | source]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- connection-status nat [destination | source]
-
- Match criteria based on nat connection status.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- connection-mark <1-2147483647>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- connection-mark <1-2147483647>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- connection-mark <1-2147483647>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- connection-mark <1-2147483647>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- connection-mark <1-2147483647>
-
- Match criteria based on connection mark.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- source address [address | addressrange | CIDR]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- source address [address | addressrange | CIDR]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- source address [address | addressrange | CIDR]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- source address [address | addressrange | CIDR]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- source address [address | addressrange | CIDR]
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- destination address [address | addressrange | CIDR]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- destination address [address | addressrange | CIDR]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- destination address [address | addressrange | CIDR]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- destination address [address | addressrange | CIDR]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- destination address [address | addressrange | CIDR]
-
- Match criteria based on source and/or destination address. This is similar
- to the network groups part, but here you are able to negate the matching
- addresses.
-
- .. code-block:: none
-
- set firewall ipv4 name FOO rule 50 source address 192.0.2.10-192.0.2.11
- # with a '!' the rule match everything except the specified subnet
- set firewall ipv4 input filter FOO rule 51 source address !203.0.113.0/24
- set firewall ipv6 ipv6-name FOO rule 100 source address 2001:db8::202
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- source address-mask [address]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- source address-mask [address]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- source address-mask [address]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- source address-mask [address]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- source address-mask [address]
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- destination address-mask [address]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- destination address-mask [address]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- destination address-mask [address]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- destination address-mask [address]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- destination address-mask [address]
-
- An arbitrary netmask can be applied to mask addresses to only match against
- a specific portion. This is particularly useful with IPv6 as rules will
- remain valid if the IPv6 prefix changes and the host
- portion of systems IPv6 address is static (for example, with SLAAC or
- `tokenised IPv6 addresses
- <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)
-
- This functions for both individual addresses and address groups.
-
- .. code-block:: none
-
- # Match any IPv6 address with the suffix ::0000:0000:0000:beef
- set firewall ipv6 forward filter rule 100 destination address ::beef
- set firewall ipv6 forward filter rule 100 destination address-mask ::ffff:ffff:ffff:ffff
- # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet
- set firewall ipv4 name FOO rule 100 destination address 0.11.0.13
- set firewall ipv4 name FOO rule 100 destination address-mask 0.255.0.255
- # Address groups
- set firewall group ipv6-address-group WEBSERVERS address ::1000
- set firewall group ipv6-address-group WEBSERVERS address ::2000
- set firewall ipv6 forward filter rule 200 source group address-group WEBSERVERS
- set firewall ipv6 forward filter rule 200 source address-mask ::ffff:ffff:ffff:ffff
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- source fqdn <fqdn>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- source fqdn <fqdn>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- source fqdn <fqdn>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- source fqdn <fqdn>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- source fqdn <fqdn>
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- destination fqdn <fqdn>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- destination fqdn <fqdn>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- destination fqdn <fqdn>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- destination fqdn <fqdn>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- destination fqdn <fqdn>
-
- Specify a Fully Qualified Domain Name as source/destination matcher. Ensure
- router is able to resolve such dns query.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- source geoip country-code <country>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- source geoip country-code <country>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- source geoip country-code <country>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- source geoip country-code <country>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- source geoip country-code <country>
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- destination geoip country-code <country>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- destination geoip country-code <country>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- destination geoip country-code <country>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- destination geoip country-code <country>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- destination geoip country-code <country>
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- source geoip inverse-match
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- source geoip inverse-match
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- source geoip inverse-match
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- source geoip inverse-match
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- source geoip inverse-match
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- destination geoip inverse-match
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- destination geoip inverse-match
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- destination geoip inverse-match
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- destination geoip inverse-match
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- destination geoip inverse-match
-
- Match IP addresses based on its geolocation. More info: `geoip matching
- <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
- Use inverse-match to match anything except the given country-codes.
-
-Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
-permits redistribution so we can include a database in images(~3MB
-compressed). Includes cron script (manually callable by op-mode update
-geoip) to keep database and rules updated.
-
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- source mac-address <mac-address>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- source mac-address <mac-address>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- source mac-address <mac-address>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- source mac-address <mac-address>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- source mac-address <mac-address>
-
- Only in the source criteria, you can specify a mac-address.
-
- .. code-block:: none
-
- set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33
- set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34
-
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- source port [1-65535 | portname | start-end]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- source port [1-65535 | portname | start-end]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- source port [1-65535 | portname | start-end]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- source port [1-65535 | portname | start-end]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- source port [1-65535 | portname | start-end]
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- destination port [1-65535 | portname | start-end]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- destination port [1-65535 | portname | start-end]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- destination port [1-65535 | portname | start-end]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- destination port [1-65535 | portname | start-end]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- destination port [1-65535 | portname | start-end]
-
- A port can be set with a port number or a name which is here
- defined: ``/etc/services``.
-
- .. code-block:: none
-
- set firewall ipv4 forward filter rule 10 source port '22'
- set firewall ipv4 forward filter rule 11 source port '!http'
- set firewall ipv4 forward filter rule 12 source port 'https'
-
- Multiple source ports can be specified as a comma-separated list.
- The whole list can also be "negated" using ``!``. For example:
-
- .. code-block:: none
-
- set firewall ipv6 forward filter rule 10 source port '!22,https,3333-3338'
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- source group address-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- source group address-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- source group address-group <name | !name>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- source group address-group <name | !name>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- source group address-group <name | !name>
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- destination group address-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- destination group address-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- destination group address-group <name | !name>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- destination group address-group <name | !name>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- destination group address-group <name | !name>
-
- Use a specific address-group. Prepend character ``!`` for inverted matching
- criteria.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- source group network-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- source group network-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- source group network-group <name | !name>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- source group network-group <name | !name>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- source group network-group <name | !name>
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- destination group network-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- destination group network-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- destination group network-group <name | !name>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- destination group network-group <name | !name>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- destination group network-group <name | !name>
-
- Use a specific network-group. Prepend character ``!`` for inverted matching
- criteria.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- source group port-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- source group port-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- source group port-group <name | !name>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- source group port-group <name | !name>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- source group port-group <name | !name>
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- destination group port-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- destination group port-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- destination group port-group <name | !name>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- destination group port-group <name | !name>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- destination group port-group <name | !name>
-
- Use a specific port-group. Prepend character ``!`` for inverted matching
- criteria.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- source group domain-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- source group domain-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- source group domain-group <name | !name>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- source group domain-group <name | !name>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- source group domain-group <name | !name>
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- destination group domain-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- destination group domain-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- destination group domain-group <name | !name>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- destination group domain-group <name | !name>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- destination group domain-group <name | !name>
-
- Use a specific domain-group. Prepend character ``!`` for inverted matching
- criteria.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- source group mac-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- source group mac-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- source group mac-group <name | !name>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- source group mac-group <name | !name>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- source group mac-group <name | !name>
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- destination group mac-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- destination group mac-group <name | !name>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- destination group mac-group <name | !name>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- destination group mac-group <name | !name>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- destination group mac-group <name | !name>
-
- Use a specific mac-group. Prepend character ``!`` for inverted matching
- criteria.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- dscp [0-63 | start-end]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- dscp [0-63 | start-end]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- dscp [0-63 | start-end]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- dscp [0-63 | start-end]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- dscp [0-63 | start-end]
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- dscp-exclude [0-63 | start-end]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- dscp-exclude [0-63 | start-end]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- dscp-exclude [0-63 | start-end]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- dscp-exclude [0-63 | start-end]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- dscp-exclude [0-63 | start-end]
-
- Match based on dscp value.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- fragment [match-frag | match-non-frag]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- fragment [match-frag | match-non-frag]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- fragment [match-frag | match-non-frag]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- fragment [match-frag | match-non-frag]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- fragment [match-frag | match-non-frag]
-
- Match based on fragment criteria.
-
-.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
- icmp [code | type] <0-255>
-.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
- icmp [code | type] <0-255>
-.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
- icmp [code | type] <0-255>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- icmp [code | type] <0-255>
-.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
- icmpv6 [code | type] <0-255>
-.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
- icmpv6 [code | type] <0-255>
-.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
- icmpv6 [code | type] <0-255>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- icmpv6 [code | type] <0-255>
-
- Match based on icmp|icmpv6 code and type.
-
-.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
- icmp type-name <text>
-.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
- icmp type-name <text>
-.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
- icmp type-name <text>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- icmp type-name <text>
-.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
- icmpv6 type-name <text>
-.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
- icmpv6 type-name <text>
-.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
- icmpv6 type-name <text>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- icmpv6 type-name <text>
-
- Match based on icmp|icmpv6 type-name criteria. Use tab for information
- about what **type-name** criteria are supported.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- inbound-interface <iface>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- inbound-interface <iface>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- inbound-interface <iface>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- inbound-interface <iface>
-
- Match based on inbound interface. Wilcard ``*`` can be used.
- For example: ``eth2*``
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- outbound-interface <iface>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- outbound-interface <iface>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- outbound-interface <iface>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- outbound-interface <iface>
-
- Match based on outbound interface. Wilcard ``*`` can be used.
- For example: ``eth2*``
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- ipsec [match-ipsec | match-none]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- ipsec [match-ipsec | match-none]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- ipsec [match-ipsec | match-none]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- ipsec [match-ipsec | match-none]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- ipsec [match-ipsec | match-none]
-
- Match based on ipsec criteria.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- limit burst <0-4294967295>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- limit burst <0-4294967295>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- limit burst <0-4294967295>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- limit burst <0-4294967295>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- limit burst <0-4294967295>
-
- Match based on the maximum number of packets to allow in excess of rate.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- limit rate <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- limit rate <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- limit rate <text>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- limit rate <text>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- limit rate <text>
-
- Match based on the maximum average rate, specified as **integer/unit**.
- For example **5/minutes**
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- packet-length <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- packet-length <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- packet-length <text>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- packet-length <text>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- packet-length <text>
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- packet-length-exclude <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- packet-length-exclude <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- packet-length-exclude <text>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- packet-length-exclude <text>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- packet-length-exclude <text>
-
- Match based on packet length criteria. Multiple values from 1 to 65535
- and ranges are supported.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- packet-type [broadcast | host | multicast | other]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- packet-type [broadcast | host | multicast | other]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- packet-type [broadcast | host | multicast | other]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- packet-type [broadcast | host | multicast | other]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- packet-type [broadcast | host | multicast | other]
-
- Match based on packet type criteria.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- protocol [<text> | <0-255> | all | tcp_udp]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- protocol [<text> | <0-255> | all | tcp_udp]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- protocol [<text> | <0-255> | all | tcp_udp]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- protocol [<text> | <0-255> | all | tcp_udp]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- protocol [<text> | <0-255> | all | tcp_udp]
-
- Match a protocol criteria. A protocol number or a name which is here
- defined: ``/etc/protocols``.
- Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
- based packets. The ``!`` negate the selected protocol.
-
- .. code-block:: none
-
- set firewall ipv4 forward fitler rule 10 protocol tcp_udp
- set firewall ipv4 forward fitler rule 11 protocol !tcp_udp
- set firewall ipv6 input filter rule 10 protocol tcp
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- recent count <1-255>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- recent count <1-255>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- recent count <1-255>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- recent count <1-255>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- recent count <1-255>
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- recent time [second | minute | hour]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- recent time [second | minute | hour]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- recent time [second | minute | hour]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- recent time [second | minute | hour]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- recent time [second | minute | hour]
-
- Match bases on recently seen sources.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- tcp flags <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- tcp flags <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- tcp flags <text>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- tcp flags <text>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- tcp flags <text>
-
- Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``,
- ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma
- separated. The ``!`` negate the selected protocol.
-
- .. code-block:: none
-
- set firewall ipv4 input filter rule 10 tcp flags 'ACK'
- set firewall ipv4 input filter rule 12 tcp flags 'SYN'
- set firewall ipv4 input filter rule 13 tcp flags 'SYN,!ACK,!FIN,!RST'
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- state [established | invalid | new | related] [enable | disable]
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- state [established | invalid | new | related] [enable | disable]
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- state [established | invalid | new | related] [enable | disable]
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- state [established | invalid | new | related] [enable | disable]
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- state [established | invalid | new | related] [enable | disable]
-
- Match against the state of a packet.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- time startdate <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- time startdate <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- time startdate <text>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- time startdate <text>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- time startdate <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- time starttime <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- time starttime <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- time starttime <text>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- time starttime <text>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- time starttime <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- time stopdate <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- time stopdate <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- time stopdate <text>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- time stopdate <text>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- time stopdate <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- time stoptime <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- time stoptime <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- time stoptime <text>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- time stoptime <text>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- time stoptime <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- time weekdays <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- time weekdays <text>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- time weekdays <text>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- time weekdays <text>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- time weekdays <text>
-
- Time to match the defined rule.
-
-.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
- ttl <eq | gt | lt> <0-255>
-.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
- ttl <eq | gt | lt> <0-255>
-.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
- ttl <eq | gt | lt> <0-255>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- ttl <eq | gt | lt> <0-255>
-
- Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for
- 'greater than', and 'lt' stands for 'less than'.
-
-.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
- hop-limit <eq | gt | lt> <0-255>
-.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
- hop-limit <eq | gt | lt> <0-255>
-.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
- hop-limit <eq | gt | lt> <0-255>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- hop-limit <eq | gt | lt> <0-255>
-
- Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
- 'greater than', and 'lt' stands for 'less than'.
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- recent count <1-255>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- recent count <1-255>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- recent count <1-255>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- recent count <1-255>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- recent count <1-255>
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999>
- recent time <second | minute | hour>
-.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999>
- recent time <second | minute | hour>
-.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999>
- recent time <second | minute | hour>
-.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- recent time <second | minute | hour>
-.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999>
- recent time <second | minute | hour>
-
- Match when 'count' amount of connections are seen within 'time'. These
- matching criteria can be used to block brute-force attempts.
-
-********
-Synproxy
-********
-Synproxy connections
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> action synproxy
-.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> protocol tcp
-.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535>
-
- Set TCP-MSS (maximum segment size) for the connection
-
-.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14>
-
- Set the window scale factor for TCP window scaling
-
-Example synproxy
-================
-Requirements to enable synproxy:
-
- * Traffic must be symmetric
- * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled
- * Disable conntrack loose track option
-
-.. code-block:: none
-
- set system sysctl parameter net.ipv4.tcp_timestamps value '1'
-
- set system conntrack tcp loose disable
- set system conntrack ignore ipv4 rule 10 destination port '8080'
- set system conntrack ignore ipv4 rule 10 protocol 'tcp'
- set system conntrack ignore ipv4 rule 10 tcp flags syn
-
- set firewall global-options syn-cookies 'enable'
- set firewall ipv4 input filter rule 10 action 'synproxy'
- set firewall ipv4 input filter rule 10 destination port '8080'
- set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1'
- set firewall ipv4 input filter rule 10 protocol 'tcp'
- set firewall ipv4 input filter rule 10 synproxy tcp mss '1460'
- set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
- set firewall ipv4 input filter rule 1000 action 'drop'
- set firewall ipv4 input filter rule 1000 state invalid 'enable'
-
-
-***********************
-Operation-mode Firewall
-***********************
-
-Rule-set overview
-=================
-
-.. opcmd:: show firewall
-
- This will show you a basic firewall overview
-
- .. code-block:: none
-
- vyos@vyos:~$ show firewall
- Rulesets Information
-
- ---------------------------------
- IPv4 Firewall "forward filter"
-
- Rule Action Protocol Packets Bytes Conditions
- ------- -------- ---------- --------- ------- -----------------------------------------
- 5 jump all 0 0 iifname "eth1" jump NAME_VyOS_MANAGEMENT
- 10 jump all 0 0 oifname "eth1" jump NAME_WAN_IN
- 15 jump all 0 0 iifname "eth3" jump NAME_WAN_IN
- default accept all
-
- ---------------------------------
- IPv4 Firewall "name VyOS_MANAGEMENT"
-
- Rule Action Protocol Packets Bytes Conditions
- ------- -------- ---------- --------- ------- --------------------------------
- 5 accept all 0 0 ct state established accept
- 10 drop all 0 0 ct state invalid
- 20 accept all 0 0 ip saddr @A_GOOD_GUYS accept
- 30 accept all 0 0 ip saddr @N_ENTIRE_RANGE accept
- 40 accept all 0 0 ip saddr @A_VyOS_SERVERS accept
- 50 accept icmp 0 0 meta l4proto icmp accept
- default drop all 0 0
-
- ---------------------------------
- IPv6 Firewall "forward filter"
-
- Rule Action Protocol
- ------- -------- ----------
- 5 jump all
- 10 jump all
- 15 jump all
- default accept all
-
- ---------------------------------
- IPv6 Firewall "input filter"
-
- Rule Action Protocol
- ------- -------- ----------
- 5 jump all
- default accept all
-
- ---------------------------------
- IPv6 Firewall "ipv6_name IPV6-VyOS_MANAGEMENT"
-
- Rule Action Protocol
- ------- -------- ----------
- 5 accept all
- 10 drop all
- 20 accept all
- 30 accept all
- 40 accept all
- 50 accept ipv6-icmp
- default drop all
-
-.. opcmd:: show firewall summary
-
- This will show you a summary of rule-sets and groups
-
- .. code-block:: none
-
- vyos@vyos:~$ show firewall summary
- Ruleset Summary
-
- IPv6 Ruleset:
-
- Ruleset Hook Ruleset Priority Description
- -------------- -------------------- -------------------------
- forward filter
- input filter
- ipv6_name IPV6-VyOS_MANAGEMENT
- ipv6_name IPV6-WAN_IN PUBLIC_INTERNET
-
- IPv4 Ruleset:
-
- Ruleset Hook Ruleset Priority Description
- -------------- ------------------ -------------------------
- forward filter
- input filter
- name VyOS_MANAGEMENT
- name WAN_IN PUBLIC_INTERNET
-
- Firewall Groups
-
- Name Type References Members
- ----------------------- ------------------ ----------------------- ----------------
- PBX address_group WAN_IN-100 198.51.100.77
- SERVERS address_group WAN_IN-110 192.0.2.10
- WAN_IN-111 192.0.2.11
- WAN_IN-112 192.0.2.12
- WAN_IN-120
- WAN_IN-121
- WAN_IN-122
- SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2
- WAN_IN-20
- PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2
- PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2
- WAN_IN-171
- PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1
- SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2
- IPV6-WAN_IN-111 2001:db8::3
- IPV6-WAN_IN-112 2001:db8::4
- IPV6-WAN_IN-120
- IPV6-WAN_IN-121
- IPV6-WAN_IN-122
- SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5
- IPV6-WAN_IN-20
-
-
-.. opcmd:: show firewall [ipv4 | ipv6] [forward | input | output] filter
-
-.. opcmd:: show firewall ipv4 name <name>
-
-.. opcmd:: show firewall ipv6 ipv6-name <name>
-
- This command will give an overview of a single rule-set.
-
- .. code-block:: none
-
- vyos@vyos:~$ show firewall ipv4 input filter
- Ruleset Information
-
- ---------------------------------
- IPv4 Firewall "input filter"
-
- Rule Action Protocol Packets Bytes Conditions
- ------- -------- ---------- --------- ------- -----------------------------------------
- 5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT
- default accept all
-
-.. opcmd:: show firewall [ipv4 | ipv6] [forward | input | output]
- filter rule <1-999999>
-
-.. opcmd:: show firewall ipv4 name <name> rule <1-999999>
-
-.. opcmd:: show firewall ipv6 ipv6-name <name> rule <1-999999>
-
- This command will give an overview of a rule in a single rule-set
-
-.. opcmd:: show firewall group <name>
-
- Overview of defined groups. You see the type, the members, and where the
- group is used.
-
- .. code-block:: none
-
- vyos@vyos:~$ show firewall group LAN
- Firewall Groups
-
- Name Type References Members
- ------------ ------------------ ----------------------- ----------------
- LAN ipv6_network_group IPV6-VyOS_MANAGEMENT-30 2001:db8::0/64
- IPV6-WAN_IN-30
- LAN network_group VyOS_MANAGEMENT-30 192.168.200.0/24
- WAN_IN-30
-
-
-.. opcmd:: show firewall statistics
-
- This will show you a statistic of all rule-sets since the last boot.
-
-Show Firewall log
-=================
-
-.. opcmd:: show log firewall [name | ipv6name] <name>
-
- Show the logs of a specific Rule-Set.
-
-.. note::
- At the moment it not possible to look at the whole firewall log with VyOS
- operational commands. All logs will save to ``/var/logs/messages``.
- For example: ``grep '10.10.0.10' /var/log/messages``
-
-
-Example Partial Config
-======================
-
-.. code-block:: none
-
- firewall {
- group {
- network-group BAD-NETWORKS {
- network 198.51.100.0/24
- network 203.0.113.0/24
- }
- network-group GOOD-NETWORKS {
- network 192.0.2.0/24
- }
- port-group BAD-PORTS {
- port 65535
- }
- }
- ipv4 {
- forward {
- filter {
- default-action accept
- rule 5 {
- action accept
- source {
- group {
- network-group GOOD-NETWORKS
- }
- }
- }
- rule 10 {
- action drop
- description "Bad Networks"
- protocol all
- source {
- group {
- network-group BAD-NETWORKS
- }
- }
- }
- }
- }
- }
- }
-
-Update geoip database
-=====================
-
-.. opcmd:: update geoip
-
- Command used to update GeoIP database and firewall sets.
diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst
new file mode 100644
index 00000000..316e0802
--- /dev/null
+++ b/docs/configuration/firewall/global-options.rst
@@ -0,0 +1,117 @@
+:lastproofread: 2023-11-07
+
+.. _firewall-global-options-configuration:
+
+#####################################
+Global Options Firewall Configuration
+#####################################
+
+********
+Overview
+********
+
+Some firewall settings are global and have an affect on the whole system.
+In this section there's useful information about these global-options that can
+be configured using vyos cli.
+
+Configuration commands covered in this section:
+
+.. cfgcmd:: set firewall global-options ...
+
+*************
+Configuration
+*************
+
+.. cfgcmd:: set firewall global-options all-ping [enable | disable]
+
+ By default, when VyOS receives an ICMP echo request packet destined for
+ itself, it will answer with an ICMP echo reply, unless you avoid it
+ through its firewall.
+
+ With the firewall you can set rules to accept, drop or reject ICMP in,
+ out or local traffic. You can also use the general **firewall all-ping**
+ command. This command affects only to LOCAL (packets destined for your
+ VyOS system), not to IN or OUT traffic.
+
+ .. note:: **firewall global-options all-ping** affects only to LOCAL
+ and it always behaves in the most restrictive way
+
+ .. code-block:: none
+
+ set firewall global-options all-ping enable
+
+ When the command above is set, VyOS will answer every ICMP echo request
+ addressed to itself, but that will only happen if no other rule is
+ applied dropping or rejecting local echo requests. In case of conflict,
+ VyOS will not answer ICMP echo requests.
+
+ .. code-block:: none
+
+ set firewall global-options all-ping disable
+
+ When the command above is set, VyOS will answer no ICMP echo request
+ addressed to itself at all, no matter where it comes from or whether
+ more specific rules are being applied to accept them.
+
+.. cfgcmd:: set firewall global-options broadcast-ping [enable | disable]
+
+ This setting enable or disable the response of icmp broadcast
+ messages. The following system parameter will be altered:
+
+ * ``net.ipv4.icmp_echo_ignore_broadcasts``
+
+.. cfgcmd:: set firewall global-options ip-src-route [enable | disable]
+.. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable]
+
+ This setting handle if VyOS accept packets with a source route
+ option. The following system parameter will be altered:
+
+ * ``net.ipv4.conf.all.accept_source_route``
+ * ``net.ipv6.conf.all.accept_source_route``
+
+.. cfgcmd:: set firewall global-options receive-redirects [enable | disable]
+.. cfgcmd:: set firewall global-options ipv6-receive-redirects
+ [enable | disable]
+
+ enable or disable of ICMPv4 or ICMPv6 redirect messages accepted
+ by VyOS. The following system parameter will be altered:
+
+ * ``net.ipv4.conf.all.accept_redirects``
+ * ``net.ipv6.conf.all.accept_redirects``
+
+.. cfgcmd:: set firewall global-options send-redirects [enable | disable]
+
+ enable or disable ICMPv4 redirect messages send by VyOS
+ The following system parameter will be altered:
+
+ * ``net.ipv4.conf.all.send_redirects``
+
+.. cfgcmd:: set firewall global-options log-martians [enable | disable]
+
+ enable or disable the logging of martian IPv4 packets.
+ The following system parameter will be altered:
+
+ * ``net.ipv4.conf.all.log_martians``
+
+.. cfgcmd:: set firewall global-options source-validation
+ [strict | loose | disable]
+
+ Set the IPv4 source validation mode.
+ The following system parameter will be altered:
+
+ * ``net.ipv4.conf.all.rp_filter``
+
+.. cfgcmd:: set firewall global-options syn-cookies [enable | disable]
+
+ Enable or Disable if VyOS use IPv4 TCP SYN Cookies.
+ The following system parameter will be altered:
+
+ * ``net.ipv4.tcp_syncookies``
+
+.. cfgcmd:: set firewall global-options twa-hazards-protection
+ [enable | disable]
+
+ Enable or Disable VyOS to be :rfc:`1337` conform.
+ The following system parameter will be altered:
+
+ * ``net.ipv4.tcp_rfc1337`` \ No newline at end of file
diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst
new file mode 100644
index 00000000..aee68793
--- /dev/null
+++ b/docs/configuration/firewall/groups.rst
@@ -0,0 +1,210 @@
+:lastproofread: 2023-11-08
+
+.. _firewall-groups-configuration:
+
+###############
+Firewall groups
+###############
+
+*************
+Configuration
+*************
+
+Firewall groups represent collections of IP addresses, networks, ports,
+mac addresses, domains or interfaces. Once created, a group can be referenced
+by firewall, nat and policy route rules as either a source or destination
+matcher, and/or as inbound/outbound in the case of interface group.
+
+Address Groups
+==============
+
+In an **address group** a single IP address or IP address ranges are
+defined.
+
+.. cfgcmd:: set firewall group address-group <name> address [address |
+ address range]
+.. cfgcmd:: set firewall group ipv6-address-group <name> address <address>
+
+ Define a IPv4 or a IPv6 address group
+
+ .. code-block:: none
+
+ set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1
+ set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8
+ set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1
+
+.. cfgcmd:: set firewall group address-group <name> description <text>
+.. cfgcmd:: set firewall group ipv6-address-group <name> description <text>
+
+ Provide a IPv4 or IPv6 address group description
+
+Network Groups
+==============
+
+While **network groups** accept IP networks in CIDR notation, specific
+IP addresses can be added as a 32-bit prefix. If you foresee the need
+to add a mix of addresses and networks, the network group is
+recommended.
+
+.. cfgcmd:: set firewall group network-group <name> network <CIDR>
+.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR>
+
+ Define a IPv4 or IPv6 Network group.
+
+ .. code-block:: none
+
+ set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24
+ set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24
+ set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64
+
+.. cfgcmd:: set firewall group network-group <name> description <text>
+.. cfgcmd:: set firewall group ipv6-network-group <name> description <text>
+
+ Provide an IPv4 or IPv6 network group description.
+
+Interface Groups
+================
+
+An **interface group** represents a collection of interfaces.
+
+.. cfgcmd:: set firewall group interface-group <name> interface <text>
+
+ Define an interface group. Wildcard are accepted too.
+
+.. code-block:: none
+
+ set firewall group interface-group LAN interface bond1001
+ set firewall group interface-group LAN interface eth3*
+
+.. cfgcmd:: set firewall group interface-group <name> description <text>
+
+ Provide an interface group description
+
+Port Groups
+===========
+
+A **port group** represents only port numbers, not the protocol. Port
+groups can be referenced for either TCP or UDP. It is recommended that
+TCP and UDP groups are created separately to avoid accidentally
+filtering unnecessary ports. Ranges of ports can be specified by using
+`-`.
+
+.. cfgcmd:: set firewall group port-group <name> port
+ [portname | portnumber | startport-endport]
+
+ Define a port group. A port name can be any name defined in
+ /etc/services. e.g.: http
+
+ .. code-block:: none
+
+ set firewall group port-group PORT-TCP-SERVER1 port http
+ set firewall group port-group PORT-TCP-SERVER1 port 443
+ set firewall group port-group PORT-TCP-SERVER1 port 5000-5010
+
+.. cfgcmd:: set firewall group port-group <name> description <text>
+
+ Provide a port group description.
+
+MAC Groups
+==========
+
+A **mac group** represents a collection of mac addresses.
+
+.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address>
+
+ Define a mac group.
+
+.. code-block:: none
+
+ set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f
+ set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81
+
+.. cfgcmd:: set firewall group mac-group <name> description <text>
+
+ Provide a mac group description.
+
+Domain Groups
+=============
+
+A **domain group** represents a collection of domains.
+
+.. cfgcmd:: set firewall group domain-group <name> address <domain>
+
+ Define a domain group.
+
+.. code-block:: none
+
+ set firewall group domain-group DOM address example.com
+
+.. cfgcmd:: set firewall group domain-group <name> description <text>
+
+ Provide a domain group description.
+
+********
+Examples
+********
+
+As said before, once firewall groups are created, they can be referenced
+either in firewall, nat, nat66 and/or policy-route rules.
+
+Here is an example were multiple groups are created:
+
+ .. code-block:: none
+
+ set firewall group address-group SERVERS address 198.51.100.101
+ set firewall group address-group SERVERS address 198.51.100.102
+ set firewall group network-group TRUSTEDv4 network 192.0.2.0/30
+ set firewall group network-group TRUSTEDv4 network 203.0.113.128/25
+ set firewall group ipv6-network-group TRUSTEDv6 network 2001:db8::/64
+ set firewall group interface-group LAN interface eth2.2001
+ set firewall group interface-group LAN interface bon0
+ set firewall group port-group PORT-SERVERS port http
+ set firewall group port-group PORT-SERVERS port 443
+ set firewall group port-group PORT-SERVERS port 5000-5010
+
+And next, some configuration example where groups are used:
+
+ .. code-block:: none
+
+ set firewall ipv4 input filter rule 10 action accept
+ set firewall ipv4 input filter rule 10 inbound-interface group !LAN
+ set firewall ipv4 forward filter rule 20 action accept
+ set firewall ipv4 forward filter rule 20 source group network-group TRUSTEDv4
+ set firewall ipv6 input filter rule 10 action accept
+ set firewall ipv6 input filter rule 10 source-group network-group TRUSTEDv6
+ set nat destination rule 101 inbound-interface group LAN
+ set nat destination rule 101 destination group address-group SERVERS
+ set nat destination rule 101 protocol tcp
+ set nat destination rule 101 destination group port-group PORT-SERVERS
+ set nat destination rule 101 translation address 203.0.113.250
+ set policy route PBR rule 201 destination group port-group PORT-SERVERS
+ set policy route PBR rule 201 protocol tcp
+ set policy route PBR rule 201 set table 15
+
+**************
+Operation-mode
+**************
+
+.. opcmd:: show firewall group <name>
+
+ Overview of defined groups. You see the type, the members, and where the
+ group is used.
+
+ .. code-block:: none
+
+ vyos@ZBF-15-CLean:~$ show firewall group
+ Firewall Groups
+
+ Name Type References Members
+ ------------ ------------------ ---------------------- ----------------
+ SERVERS address_group nat-destination-101 198.51.100.101
+ 198.51.100.102
+ LAN interface_group ipv4-input-filter-10 bon0
+ nat-destination-101 eth2.2001
+ TRUSTEDv6 ipv6_network_group ipv6-input-filter-10 2001:db8::/64
+ TRUSTEDv4 network_group ipv4-forward-filter-20 192.0.2.0/30
+ 203.0.113.128/25
+ PORT-SERVERS port_group route-PBR-201 443
+ nat-destination-101 5000-5010
+ http
+ vyos@ZBF-15-CLean:~$
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index 4b923143..3887e26a 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -1,66 +1,158 @@
-:lastproofread: 2023-09-17
+:lastproofread: 2023-11-23
########
Firewall
########
-.. attention::
- Starting from VyOS 1.4-rolling-202308040557, a new firewall structure
- can be found on all vyos installations.
+With VyOS being based on top of Linux and its kernel, the Netfilter project
+created the iptables and now the successor nftables for the Linux kernel to
+work directly on the data flows. This now extends the concept of zone-based
+security to allow for manipulating the data at multiple stages once accepted
+by the network interface and the driver before being handed off to the
+destination (e.g. a web server OR another device).
-.. note::
- The legacy and zone-based firewall configuration options is not longer
- supported. They are here for reference purposes only.
+A simplified traffic flow, based on Netfilter packet flow, is shown next, in
+order to have a full view and understanding of how packets are processed, and
+what possible paths can take.
+
+.. figure:: /_static/images/firewall-gral-packet-flow.png
+
+Main notes regarding this packet flow and terminology used in VyOS firewall:
+
+ * **Bridge Port?**: choose appropiate path based on if interface were the
+ packet was received is part of a bridge, or not.
+
+If interface were the packet was received isn't part of a bridge, then packet
+is processed at the **IP Layer**:
+
+ * **Prerouting**: several actions can be done in this stage, and currently
+ these actions are defined in different parts in vyos configuration. Order
+ is important, and all these actions are performed before any actions
+ define under ``firewall`` section. Relevant configuration that acts in
+ this stage are:
+
+ * **Conntrack Ignore**: rules defined under ``set system conntrack ignore
+ [ipv4 | ipv6] ...``.
+
+ * **Policy Route**: rules defined under ``set policy [route | route6]
+ ...``.
+
+ * **Destination NAT**: rules defined under ``set [nat | nat66]
+ destination...``.
+
+ * **Destination is the router?**: choose appropiate path based on
+ destination IP address. Transit forward continunes to **forward**,
+ while traffic that destination IP address is configured on the router
+ continues to **input**.
+
+ * **Input**: stage where traffic destinated to the router itself can be
+ filtered and controlled. This is where all rules for securing the router
+ should take place. This includes ipv4 and ipv6 filtering rules, defined
+ in:
+
+ * ``set firewall ipv4 input filter ...``.
+
+ * ``set firewall ipv6 input filter ...``.
+
+ * **Forward**: stage where transit traffic can be filtered and controlled.
+ This includes ipv4 and ipv6 filtering rules, defined in:
+
+ * ``set firewall ipv4 forward filter ...``.
+
+ * ``set firewall ipv6 forward filter ...``.
+
+ * **Output**: stage where traffic that is originated by the router itself
+ can be filtered and controlled. Bare in mind that this traffic can be a
+ new connection originted by a internal process running on VyOS router,
+ such as NTP, or can be a response to traffic received externaly through
+ **inputt** (for example response to an ssh login attempt to the router).
+ This includes ipv4 and ipv6 filtering rules, defined in:
+
+ * ``set firewall ipv4 input filter ...``.
+
+ * ``set firewall ipv6 output filter ...``.
+
+ * **Postrouting**: as in **Prerouting**, several actions defined in
+ different parts of VyOS configuration are performed in this
+ stage. This includes:
+
+ * **Source NAT**: rules defined under ``set [nat | nat66]
+ destination...``.
+
+If interface were the packet was received is part of a bridge, then packet
+is processed at the **Bridge Layer**, which contains a ver basic setup where
+for bridge filtering:
+
+ * **Forward (Bridge)**: stage where traffic that is trasspasing through the
+ bridge is filtered and controlled:
+
+ * ``set firewall bridge forward filter ...``.
+
+Main structure VyOS firewall cli is shown next:
+
+.. code-block:: none
+
+ - set firewall
+ * bridge
+ - forward
+ + filter
+ * flowtable
+ - custom_flow_table
+ + ...
+ * global-options
+ + all-ping
+ + broadcast-ping
+ + ...
+ * group
+ - address-group
+ - ipv6-address-group
+ - network-group
+ - ipv6-network-group
+ - interface-group
+ - mac-group
+ - port-group
+ - domain-group
+ * ipv4
+ - forward
+ + filter
+ - input
+ + filter
+ - output
+ + filter
+ - name
+ + custom_name
+ * ipv6
+ - forward
+ + filter
+ - input
+ + filter
+ - output
+ + filter
+ - ipv6-name
+ + custom_name
+ * zone
+ - custom_zone_name
+ + ...
+
+Please, refer to appropiate section for more information about firewall
+configuration:
-Netfilter based
-^^^^^^^^^^^^^^^
.. toctree::
:maxdepth: 1
:includehidden:
- general
-
-With VyOS being based on top of Linux and its kernel, the Netfilter project created
-the iptables and now the successor nftables for the Linux kernel to work directly
-on the data flows. This now extends the concept of zone-based security to allow
-for manipulating the data at multiple stages once accepted by the network interface
-and the driver before being handed off to the destination (e.g. a web server OR
-another device).
-
-To configure VyOS with the new :doc:`firewall configuration </configuration/firewall/general>`
-
-The only stages VyOS will process as part of the firewall configuration is the
-`forward` (F4 stage), `input` (L4 stage), and `output` (L5 stage). All the other
-stages and steps are for reference and cant be manipulated through VyOS.
-
-In this example image, a simplifed traffic flow is shown to help provide context
-to the terms of `forward`, `input`, and `output` for the new firewall CLI format.
-
-.. figure:: /_static/images/firewall-netfilter.png
+ global-options
+ groups
+ bridge
+ ipv4
+ ipv6
+ flowtables
.. note:: **For more information**
of Netfilter hooks and Linux networking packet flows can be
found in `Netfilter-Hooks
<https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_
-Legacy Firewall
-^^^^^^^^^^^^^^^
-.. toctree::
- :maxdepth: 1
- :includehidden:
-
- general-legacy
-
-Traditionally firewalls weere configured with the concept of data going in and
-out of an interface. The router just listened to the data flowing through and
-responding as required if it was directed at the router itself.
-
-To configure VyOS with the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>`
-
-As the example image below shows, the device was configured with rules blocking
-inbound or outbound traffic on each interface.
-
-.. figure:: /_static/images/firewall-traditional.png
Zone-based firewall
^^^^^^^^^^^^^^^^^^^
@@ -70,16 +162,18 @@ Zone-based firewall
zone
-With zone-based firewalls a new concept was implemented, in addtion to the standard
-in and out traffic flows, a local flow was added. This local was for traffic
-originating and destined to the router itself. Which means additional rules were
-required to secure the firewall itself from the network, in addition to the existing
-inbound and outbound rules from the traditional concept above.
+With zone-based firewalls a new concept was implemented, in addtion to the
+standard in and out traffic flows, a local flow was added. This local was for
+traffic originating and destined to the router itself. Which means additional
+rules were required to secure the firewall itself from the network, in
+addition to the existing inbound and outbound rules from the traditional
+concept above.
-To configure VyOS with the :doc:`zone-based firewall configuration </configuration/firewall/zone>`
+To configure VyOS with the
+:doc:`zone-based firewall configuration </configuration/firewall/zone>`
-As the example image below shows, the device now needs rules to allow/block traffic
-to or from the services running on the device that have open connections on that
-interface.
+As the example image below shows, the device now needs rules to allow/block
+traffic to or from the services running on the device that have open
+connections on that interface.
.. figure:: /_static/images/firewall-zonebased.png
diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst
new file mode 100644
index 00000000..3fd365e1
--- /dev/null
+++ b/docs/configuration/firewall/ipv4.rst
@@ -0,0 +1,1145 @@
+:lastproofread: 2023-11-08
+
+.. _firewall-ipv4-configuration:
+
+###########################
+IPv4 Firewall Configuration
+###########################
+
+********
+Overview
+********
+
+In this section there's useful information of all firewall configuration that
+can be done regarding IPv4, and appropiate op-mode commands.
+Configuration commands covered in this section:
+
+.. cfgcmd:: set firewall ipv4 ...
+
+From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>`
+in this section you can find detailed information only for the next part
+of the general structure:
+
+.. code-block:: none
+
+ - set firewall
+ * ipv4
+ - forward
+ + filter
+ - input
+ + filter
+ - output
+ + filter
+ - name
+ + custom_name
+
+For transit traffic, which is received by the router and forwarded, base chain
+is **forward**. A simplified packet flow diagram for transit traffic is shown
+next:
+
+.. figure:: /_static/images/firewall-fwd-packet-flow.png
+
+Where firewall base chain to configure firewall filtering rules for transit
+traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5,
+highlightened with red color.
+
+For traffic towards the router itself, base chain is **input**, while traffic
+originated by the router, base chain is **output**.
+A new simplified packet flow diagram is shown next, which shows the path
+for traffic destinated to the router itself, and traffic generated by the
+router (starting from circle number 6):
+
+.. figure:: /_static/images/firewall-input-packet-flow.png
+
+Base chain is for traffic toward the router is ``set firewall ipv4 input
+filter ...``
+
+And base chain for traffic generated by the router is ``set firewall ipv4
+output filter ...``
+
+.. note:: **Important note about default-actions:**
+ If default action for any base chain is not defined, then the default
+ action is set to **accept** for that chain. For custom chains, if default
+ action is not defined, then the default-action is set to **drop**
+
+Custom firewall chains can be created, with commands
+``set firewall ipv4 name <name> ...``. In order to use
+such custom chain, a rule with **action jump**, and the appropiate **target**
+should be defined in a base chain.
+
+*********************
+Firewall - IPv4 Rules
+*********************
+
+For firewall filtering, firewall rules needs to be created. Each rule is
+numbered, has an action to apply if the rule is matched, and the ability
+to specify multiple criteria matchers. Data packets go through the rules
+from 1 - 999999, so order is crucial. At the first match the action of the
+rule will be executed.
+
+Actions
+=======
+
+If a rule is defined, then an action must be defined for it. This tells the
+firewall what to do if all criteria matchers defined for such rule do match.
+
+The action can be :
+
+ * ``accept``: accept the packet.
+
+ * ``continue``: continue parsing next rule.
+
+ * ``drop``: drop the packet.
+
+ * ``reject``: reject the packet.
+
+ * ``jump``: jump to another custom chain.
+
+ * ``return``: Return from the current chain and continue at the next rule
+ of the last chain.
+
+ * ``queue``: Enqueue packet to userspace.
+
+ * ``synproxy``: synproxy the packet.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> action
+ [accept | continue | drop | jump | queue | reject | return | synproxy]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> action
+ [accept | continue | drop | jump | queue | reject | return | synproxy]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> action
+ [accept | continue | drop | jump | queue | reject | return]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action
+ [accept | continue | drop | jump | queue | reject | return]
+
+ This required setting defines the action of the current rule. If action is
+ set to jump, then jump-target is also needed.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ jump-target <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ jump-target <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ jump-target <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ jump-target <text>
+
+ To be used only when action is set to jump. Use this command to specify
+ jump target.
+
+Also, **default-action** is an action that takes place whenever a packet does
+not match any rule in it's chain. For base chains, possible options for
+**default-action** are **accept** or **drop**.
+
+.. cfgcmd:: set firewall ipv4 forward filter default-action
+ [accept | drop]
+.. cfgcmd:: set firewall ipv4 input filter default-action
+ [accept | drop]
+.. cfgcmd:: set firewall ipv4 output filter default-action
+ [accept | drop]
+.. cfgcmd:: set firewall ipv4 name <name> default-action
+ [accept | drop | jump | queue | reject | return]
+
+ This set the default action of the rule-set if no rule matched a packet
+ criteria. If defacult-action is set to ``jump``, then
+ ``default-jump-target`` is also needed. Note that for base chains, default
+ action can only be set to ``accept`` or ``drop``, while on custom chain,
+ more actions are available.
+
+.. cfgcmd:: set firewall ipv4 name <name> default-jump-target <text>
+
+ To be used only when ``defult-action`` is set to ``jump``. Use this
+ command to specify jump target for default rule.
+
+.. note:: **Important note about default-actions:**
+ If default action for any base chain is not defined, then the default
+ action is set to **accept** for that chain. For custom chains, if default
+ action is not defined, then the default-action is set to **drop**
+
+Firewall Logs
+=============
+
+Logging can be enable for every single firewall rule. If enabled, other
+log options can be defined.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log
+ [disable | enable]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> log
+ [disable | enable]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> log
+ [disable | enable]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log
+ [disable | enable]
+
+ Enable or disable logging for the matched packet.
+
+.. cfgcmd:: set firewall ipv4 forward filter enable-default-log
+.. cfgcmd:: set firewall ipv4 input filter enable-default-log
+.. cfgcmd:: set firewall ipv4 output filter enable-default-log
+.. cfgcmd:: set firewall ipv4 name <name> enable-default-log
+
+ Use this command to enable the logging of the default action on
+ the specified chain.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ log-options level [emerg | alert | crit | err | warn | notice
+ | info | debug]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ log-options level [emerg | alert | crit | err | warn | notice
+ | info | debug]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ log-options level [emerg | alert | crit | err | warn | notice
+ | info | debug]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ log-options level [emerg | alert | crit | err | warn | notice
+ | info | debug]
+
+ Define log-level. Only applicable if rule log is enable.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ log-options group <0-65535>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ log-options group <0-65535>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ log-options group <0-65535>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ log-options group <0-65535>
+
+ Define log group to send message to. Only applicable if rule log is enable.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ log-options snapshot-length <0-9000>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ log-options snapshot-length <0-9000>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ log-options snapshot-length <0-9000>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ log-options snapshot-length <0-9000>
+
+ Define length of packet payload to include in netlink message. Only
+ applicable if rule log is enable and log group is defined.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ log-options queue-threshold <0-65535>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ log-options queue-threshold <0-65535>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ log-options queue-threshold <0-65535>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ log-options queue-threshold <0-65535>
+
+ Define number of packets to queue inside the kernel before sending them to
+ userspace. Only applicable if rule log is enable and log group is defined.
+
+Firewall Description
+====================
+
+For reference, a description can be defined for every single rule, and for
+every defined custom chain.
+
+.. cfgcmd:: set firewall ipv4 name <name> description <text>
+
+ Provide a rule-set description to a custom firewall chain.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ description <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ description <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ description <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> description <text>
+
+ Provide a description for each rule.
+
+Rule Status
+===========
+
+When defining a rule, it is enable by default. In some cases, it is useful to
+just disable the rule, rather than removing it.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> disable
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> disable
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> disable
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> disable
+
+ Command for disabling a rule but keep it in the configuration.
+
+Matching criteria
+=================
+
+There are a lot of matching criteria against which the package can be tested.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ connection-status nat [destination | source]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ connection-status nat [destination | source]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ connection-status nat [destination | source]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ connection-status nat [destination | source]
+
+ Match criteria based on nat connection status.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ connection-mark <1-2147483647>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ connection-mark <1-2147483647>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ connection-mark <1-2147483647>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ connection-mark <1-2147483647>
+
+ Match criteria based on connection mark.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source address [address | addressrange | CIDR]
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination address [address | addressrange | CIDR]
+
+ Match criteria based on source and/or destination address. This is similar
+ to the network groups part, but here you are able to negate the matching
+ addresses.
+
+ .. code-block:: none
+
+ set firewall ipv4 name FOO rule 50 source address 192.0.2.10-192.0.2.11
+ # with a '!' the rule match everything except the specified subnet
+ set firewall ipv4 input filter FOO rule 51 source address !203.0.113.0/24
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source address-mask [address]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source address-mask [address]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source address-mask [address]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source address-mask [address]
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination address-mask [address]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination address-mask [address]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination address-mask [address]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination address-mask [address]
+
+ An arbitrary netmask can be applied to mask addresses to only match against
+ a specific portion.
+
+ This functions for both individual addresses and address groups.
+
+ .. code-block:: none
+
+ # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet
+ set firewall ipv4 name FOO rule 100 destination address 0.11.0.13
+ set firewall ipv4 name FOO rule 100 destination address-mask 0.255.0.255
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source fqdn <fqdn>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source fqdn <fqdn>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source fqdn <fqdn>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source fqdn <fqdn>
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination fqdn <fqdn>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination fqdn <fqdn>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination fqdn <fqdn>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination fqdn <fqdn>
+
+ Specify a Fully Qualified Domain Name as source/destination matcher. Ensure
+ router is able to resolve such dns query.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source geoip country-code <country>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source geoip country-code <country>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source geoip country-code <country>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source geoip country-code <country>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination geoip country-code <country>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination geoip country-code <country>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination geoip country-code <country>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination geoip country-code <country>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source geoip inverse-match
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source geoip inverse-match
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source geoip inverse-match
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source geoip inverse-match
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination geoip inverse-match
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination geoip inverse-match
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination geoip inverse-match
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination geoip inverse-match
+
+ Match IP addresses based on its geolocation. More info: `geoip matching
+ <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
+ Use inverse-match to match anything except the given country-codes.
+
+Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
+permits redistribution so we can include a database in images(~3MB
+compressed). Includes cron script (manually callable by op-mode update
+geoip) to keep database and rules updated.
+
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source mac-address <mac-address>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source mac-address <mac-address>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source mac-address <mac-address>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source mac-address <mac-address>
+
+ Only in the source criteria, you can specify a mac-address.
+
+ .. code-block:: none
+
+ set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33
+ set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34
+
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source port [1-65535 | portname | start-end]
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination port [1-65535 | portname | start-end]
+
+ A port can be set with a port number or a name which is here
+ defined: ``/etc/services``.
+
+ .. code-block:: none
+
+ set firewall ipv4 forward filter rule 10 source port '22'
+ set firewall ipv4 forward filter rule 11 source port '!http'
+ set firewall ipv4 forward filter rule 12 source port 'https'
+
+ Multiple source ports can be specified as a comma-separated list.
+ The whole list can also be "negated" using ``!``. For example:
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source group address-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source group address-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source group address-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source group address-group <name | !name>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination group address-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination group address-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination group address-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination group address-group <name | !name>
+
+ Use a specific address-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source group network-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source group network-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source group network-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source group network-group <name | !name>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination group network-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination group network-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination group network-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination group network-group <name | !name>
+
+ Use a specific network-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source group port-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source group port-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source group port-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source group port-group <name | !name>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination group port-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination group port-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination group port-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination group port-group <name | !name>
+
+ Use a specific port-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source group domain-group <name | !name>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination group domain-group <name | !name>
+
+ Use a specific domain-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source group mac-group <name | !name>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination group mac-group <name | !name>
+
+ Use a specific mac-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ dscp [0-63 | start-end]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ dscp [0-63 | start-end]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ dscp [0-63 | start-end]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ dscp [0-63 | start-end]
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ dscp-exclude [0-63 | start-end]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ dscp-exclude [0-63 | start-end]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ dscp-exclude [0-63 | start-end]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ dscp-exclude [0-63 | start-end]
+
+ Match based on dscp value.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ fragment [match-frag | match-non-frag]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ fragment [match-frag | match-non-frag]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ fragment [match-frag | match-non-frag]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ fragment [match-frag | match-non-frag]
+
+ Match based on fragment criteria.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ icmp [code | type] <0-255>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ icmp [code | type] <0-255>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ icmp [code | type] <0-255>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ icmp [code | type] <0-255>
+
+ Match based on icmp code and type.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ icmp type-name <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ icmp type-name <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ icmp type-name <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ icmp type-name <text>
+
+ Match based on icmp type-name criteria. Use tab for information
+ about what **type-name** criteria are supported.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ inbound-interface name <iface>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ inbound-interface name <iface>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ inbound-interface name <iface>
+
+ Match based on inbound interface. Wilcard ``*`` can be used.
+ For example: ``eth2*``. Prepending character ``!`` for inverted matching
+ criteria is also supportd. For example ``!eth2``
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ inbound-interface group <iface_group>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ inbound-interface group <iface_group>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ inbound-interface group <iface_group>
+
+ Match based on inbound interface group. Prepending character ``!`` for
+ inverted matching criteria is also supportd. For example ``!IFACE_GROUP``
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ outbound-interface name <iface>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ outbound-interface name <iface>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ outbound-interface name <iface>
+
+ Match based on outbound interface. Wilcard ``*`` can be used.
+ For example: ``eth2*``. Prepending character ``!`` for inverted matching
+ criteria is also supportd. For example ``!eth2``
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ outbound-interface group <iface_group>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ outbound-interface group <iface_group>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ outbound-interface group <iface_group>
+
+ Match based on outbound interface group. Prepending character ``!`` for
+ inverted matching criteria is also supportd. For example ``!IFACE_GROUP``
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ ipsec [match-ipsec | match-none]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ ipsec [match-ipsec | match-none]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ ipsec [match-ipsec | match-none]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ ipsec [match-ipsec | match-none]
+
+ Match based on ipsec criteria.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ limit burst <0-4294967295>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ limit burst <0-4294967295>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ limit burst <0-4294967295>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ limit burst <0-4294967295>
+
+ Match based on the maximum number of packets to allow in excess of rate.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ limit rate <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ limit rate <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ limit rate <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ limit rate <text>
+
+ Match based on the maximum average rate, specified as **integer/unit**.
+ For example **5/minutes**
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ packet-length <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ packet-length <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ packet-length <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ packet-length <text>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ packet-length-exclude <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ packet-length-exclude <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ packet-length-exclude <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ packet-length-exclude <text>
+
+ Match based on packet length criteria. Multiple values from 1 to 65535
+ and ranges are supported.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ packet-type [broadcast | host | multicast | other]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ packet-type [broadcast | host | multicast | other]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ packet-type [broadcast | host | multicast | other]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ packet-type [broadcast | host | multicast | other]
+
+ Match based on packet type criteria.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ protocol [<text> | <0-255> | all | tcp_udp]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ protocol [<text> | <0-255> | all | tcp_udp]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ protocol [<text> | <0-255> | all | tcp_udp]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ protocol [<text> | <0-255> | all | tcp_udp]
+
+ Match a protocol criteria. A protocol number or a name which is here
+ defined: ``/etc/protocols``.
+ Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
+ based packets. The ``!`` negate the selected protocol.
+
+ .. code-block:: none
+
+ set firewall ipv4 forward fitler rule 10 protocol tcp_udp
+ set firewall ipv4 forward fitler rule 11 protocol !tcp_udp
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ recent count <1-255>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ recent time [second | minute | hour]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ recent time [second | minute | hour]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ recent time [second | minute | hour]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ recent time [second | minute | hour]
+
+ Match bases on recently seen sources.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ tcp flags [not] <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ tcp flags [not] <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ tcp flags [not] <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ tcp flags [not] <text>
+
+ Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``,
+ ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for
+ inverted selection use ``not``, as shown in the example.
+
+ .. code-block:: none
+
+ set firewall ipv4 input filter rule 10 tcp flags 'ack'
+ set firewall ipv4 input filter rule 12 tcp flags 'syn'
+ set firewall ipv4 input filter rule 13 tcp flags not 'fin'
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ state [established | invalid | new | related] [enable | disable]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ state [established | invalid | new | related] [enable | disable]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ state [established | invalid | new | related] [enable | disable]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ state [established | invalid | new | related] [enable | disable]
+
+ Match against the state of a packet.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ time startdate <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ time startdate <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ time startdate <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ time startdate <text>
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ time starttime <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ time starttime <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ time starttime <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ time starttime <text>
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ time stopdate <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ time stopdate <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ time stopdate <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ time stopdate <text>
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ time stoptime <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ time stoptime <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ time stoptime <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ time stoptime <text>
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ time weekdays <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ time weekdays <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ time weekdays <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ time weekdays <text>
+
+ Time to match the defined rule.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ ttl <eq | gt | lt> <0-255>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ ttl <eq | gt | lt> <0-255>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ ttl <eq | gt | lt> <0-255>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ ttl <eq | gt | lt> <0-255>
+
+ Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for
+ 'greater than', and 'lt' stands for 'less than'.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ recent count <1-255>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ recent time <second | minute | hour>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ recent time <second | minute | hour>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ recent time <second | minute | hour>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ recent time <second | minute | hour>
+
+ Match when 'count' amount of connections are seen within 'time'. These
+ matching criteria can be used to block brute-force attempts.
+
+********
+Synproxy
+********
+Synproxy connections
+
+.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> action synproxy
+.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> protocol tcp
+.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535>
+
+ Set TCP-MSS (maximum segment size) for the connection
+
+.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14>
+
+ Set the window scale factor for TCP window scaling
+
+Example synproxy
+================
+Requirements to enable synproxy:
+
+ * Traffic must be symmetric
+ * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled
+ * Disable conntrack loose track option
+
+.. code-block:: none
+
+ set system sysctl parameter net.ipv4.tcp_timestamps value '1'
+
+ set system conntrack tcp loose disable
+ set system conntrack ignore ipv4 rule 10 destination port '8080'
+ set system conntrack ignore ipv4 rule 10 protocol 'tcp'
+ set system conntrack ignore ipv4 rule 10 tcp flags syn
+
+ set firewall global-options syn-cookies 'enable'
+ set firewall ipv4 input filter rule 10 action 'synproxy'
+ set firewall ipv4 input filter rule 10 destination port '8080'
+ set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1'
+ set firewall ipv4 input filter rule 10 protocol 'tcp'
+ set firewall ipv4 input filter rule 10 synproxy tcp mss '1460'
+ set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
+ set firewall ipv4 input filter rule 1000 action 'drop'
+ set firewall ipv4 input filter rule 1000 state invalid 'enable'
+
+
+***********************
+Operation-mode Firewall
+***********************
+
+Rule-set overview
+=================
+
+.. opcmd:: show firewall
+
+ This will show you a basic firewall overview, for all ruleset, and not
+ only for ipv4
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall
+ Rulesets Information
+
+ ---------------------------------
+ ipv4 Firewall "forward filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- -----------------------------
+ 20 accept all 0 0 ip saddr @N_TRUSTEDv4 accept
+ 21 jump all 0 0 jump NAME_AUX
+ default accept all 0 0
+
+ ---------------------------------
+ ipv4 Firewall "input filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- -------------------------
+ 10 accept all 156 14377 iifname != @I_LAN accept
+ default accept all 0 0
+
+ ---------------------------------
+ ipv4 Firewall "name AUX"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------ -------- ---------- --------- ------- --------------------------------------------
+ 10 accept icmp 0 0 meta l4proto icmp accept
+ 20 accept udp 0 0 meta l4proto udp ip saddr @A_SERVERS accept
+ 30 drop all 0 0 ip saddr != @A_SERVERS iifname "eth2"
+
+ ---------------------------------
+ ipv4 Firewall "output filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- ----------------------------------------
+ 10 reject all 0 0 oifname @I_LAN
+ 20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept
+ default accept all 72 9258
+
+ ---------------------------------
+ ipv6 Firewall "input filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- -------------------------------
+ 10 accept all 0 0 ip6 saddr @N6_TRUSTEDv6 accept
+ default accept all 2 112
+
+ vyos@vyos:~$
+
+.. opcmd:: show firewall summary
+
+ This will show you a summary of rule-sets and groups
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall summary
+ Ruleset Summary
+
+ IPv6 Ruleset:
+
+ Ruleset Hook Ruleset Priority Description
+ -------------- -------------------- -------------------------
+ forward filter
+ input filter
+ ipv6_name IPV6-VyOS_MANAGEMENT
+ ipv6_name IPV6-WAN_IN PUBLIC_INTERNET
+
+ IPv4 Ruleset:
+
+ Ruleset Hook Ruleset Priority Description
+ -------------- ------------------ -------------------------
+ forward filter
+ input filter
+ name VyOS_MANAGEMENT
+ name WAN_IN PUBLIC_INTERNET
+
+ Firewall Groups
+
+ Name Type References Members
+ ----------------------- ------------------ ----------------------- ----------------
+ PBX address_group WAN_IN-100 198.51.100.77
+ SERVERS address_group WAN_IN-110 192.0.2.10
+ WAN_IN-111 192.0.2.11
+ WAN_IN-112 192.0.2.12
+ WAN_IN-120
+ WAN_IN-121
+ WAN_IN-122
+ SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2
+ WAN_IN-20
+ PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2
+ PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2
+ WAN_IN-171
+ PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1
+ SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2
+ IPV6-WAN_IN-111 2001:db8::3
+ IPV6-WAN_IN-112 2001:db8::4
+ IPV6-WAN_IN-120
+ IPV6-WAN_IN-121
+ IPV6-WAN_IN-122
+ SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5
+ IPV6-WAN_IN-20
+
+
+.. opcmd:: show firewall ipv4 [forward | input | output] filter
+
+.. opcmd:: show firewall ipv4 name <name>
+
+ This command will give an overview of a single rule-set.
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall ipv4 input filter
+ Ruleset Information
+
+ ---------------------------------
+ IPv4 Firewall "input filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- -----------------------------------------
+ 5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT
+ default accept all
+
+.. opcmd:: show firewall ipv4 [forward | input | output]
+ filter rule <1-999999>
+.. opcmd:: show firewall ipv4 name <name> rule <1-999999>
+
+ This command will give an overview of a rule in a single rule-set, plus
+ information for default action.
+
+.. code-block:: none
+
+ vyos@vyos:~$show firewall ipv4 output filter rule 20
+ Rule Information
+
+ ---------------------------------
+ ipv4 Firewall "output filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- ----------------------------------------
+ 20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept
+ default accept all 286 47614
+
+ vyos@vyos:~$
+
+
+.. opcmd:: show firewall statistics
+
+ This will show you a statistic of all rule-sets since the last boot.
+
+Show Firewall log
+=================
+
+.. opcmd:: show log firewall
+.. opcmd:: show log firewall ipv4
+.. opcmd:: show log firewall ipv4 [forward | input | output | name]
+.. opcmd:: show log firewall ipv4 [forward | input | output] filter
+.. opcmd:: show log firewall ipv4 name <name>
+.. opcmd:: show log firewall ipv4 [forward | input | output] filter rule <rule>
+.. opcmd:: show log firewall ipv4 name <name> rule <rule>
+
+ Show the logs of all firewall; show all ipv4 firewall logs; show all logs
+ for particular hook; show all logs for particular hook and priority; show all logs
+ for particular custom chain; show logs for specific Rule-Set.
+
+Example Partial Config
+======================
+
+.. code-block:: none
+
+ firewall {
+ group {
+ network-group BAD-NETWORKS {
+ network 198.51.100.0/24
+ network 203.0.113.0/24
+ }
+ network-group GOOD-NETWORKS {
+ network 192.0.2.0/24
+ }
+ port-group BAD-PORTS {
+ port 65535
+ }
+ }
+ ipv4 {
+ forward {
+ filter {
+ default-action accept
+ rule 5 {
+ action accept
+ source {
+ group {
+ network-group GOOD-NETWORKS
+ }
+ }
+ }
+ rule 10 {
+ action drop
+ description "Bad Networks"
+ protocol all
+ source {
+ group {
+ network-group BAD-NETWORKS
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+Update geoip database
+=====================
+
+.. opcmd:: update geoip
+
+ Command used to update GeoIP database and firewall sets.
diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst
new file mode 100644
index 00000000..83a5f694
--- /dev/null
+++ b/docs/configuration/firewall/ipv6.rst
@@ -0,0 +1,1167 @@
+:lastproofread: 2023-11-08
+
+.. _firewall-ipv6-configuration:
+
+###########################
+IPv6 Firewall Configuration
+###########################
+
+********
+Overview
+********
+
+In this section there's useful information of all firewall configuration that
+can be done regarding IPv6, and appropiate op-mode commands.
+Configuration commands covered in this section:
+
+.. cfgcmd:: set firewall ipv6 ...
+
+From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>`
+in this section you can find detailed information only for the next part
+of the general structure:
+
+.. code-block:: none
+
+ - set firewall
+ * ipv6
+ - forward
+ + filter
+ - input
+ + filter
+ - output
+ + filter
+ - name
+ + custom_name
+
+For transit traffic, which is received by the router and forwarded, base chain
+is **forward**. A simplified packet flow diagram for transit traffic is shown
+next:
+
+.. figure:: /_static/images/firewall-fwd-packet-flow.png
+
+Where firewall base chain to configure firewall filtering rules for transit
+traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5,
+highlightened with red color.
+
+For traffic towards the router itself, base chain is **input**, while traffic
+originated by the router, base chain is **output**.
+A new simplified packet flow diagram is shown next, which shows the path
+for traffic destinated to the router itself, and traffic generated by the
+router (starting from circle number 6):
+
+.. figure:: /_static/images/firewall-input-packet-flow.png
+
+Base chain is for traffic toward the router is ``set firewall ipv6 input
+filter ...``
+
+And base chain for traffic generated by the router is ``set firewall ipv6
+output filter ...``
+
+.. note:: **Important note about default-actions:**
+ If default action for any base chain is not defined, then the default
+ action is set to **accept** for that chain. For custom chains, if default
+ action is not defined, then the default-action is set to **drop**
+
+Custom firewall chains can be created, with commands
+``set firewall ipv6 name <name> ...``. In order to use
+such custom chain, a rule with **action jump**, and the appropiate **target**
+should be defined in a base chain.
+
+******************************
+Firewall - IPv6 Rules
+******************************
+
+For firewall filtering, firewall rules needs to be created. Each rule is
+numbered, has an action to apply if the rule is matched, and the ability
+to specify multiple criteria matchers. Data packets go through the rules
+from 1 - 999999, so order is crucial. At the first match the action of the
+rule will be executed.
+
+Actions
+=======
+
+If a rule is defined, then an action must be defined for it. This tells the
+firewall what to do if all criteria matchers defined for such rule do match.
+
+The action can be :
+
+ * ``accept``: accept the packet.
+
+ * ``continue``: continue parsing next rule.
+
+ * ``drop``: drop the packet.
+
+ * ``reject``: reject the packet.
+
+ * ``jump``: jump to another custom chain.
+
+ * ``return``: Return from the current chain and continue at the next rule
+ of the last chain.
+
+ * ``queue``: Enqueue packet to userspace.
+
+ * ``synproxy``: synproxy the packet.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> action
+ [accept | continue | drop | jump | queue | reject | return | synproxy]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> action
+ [accept | continue | drop | jump | queue | reject | return | synproxy]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> action
+ [accept | continue | drop | jump | queue | reject | return]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> action
+ [accept | continue | drop | jump | queue | reject | return]
+
+ This required setting defines the action of the current rule. If action is
+ set to jump, then jump-target is also needed.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ jump-target <text>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ jump-target <text>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ jump-target <text>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ jump-target <text>
+
+ To be used only when action is set to jump. Use this command to specify
+ jump target.
+
+Also, **default-action** is an action that takes place whenever a packet does
+not match any rule in it's chain. For base chains, possible options for
+**default-action** are **accept** or **drop**.
+
+.. cfgcmd:: set firewall ipv6 forward filter default-action
+ [accept | drop]
+.. cfgcmd:: set firewall ipv6 input filter default-action
+ [accept | drop]
+.. cfgcmd:: set firewall ipv6 output filter default-action
+ [accept | drop]
+.. cfgcmd:: set firewall ipv6 name <name> default-action
+ [accept | drop | jump | queue | reject | return]
+
+ This set the default action of the rule-set if no rule matched a packet
+ criteria. If defacult-action is set to ``jump``, then
+ ``default-jump-target`` is also needed. Note that for base chains, default
+ action can only be set to ``accept`` or ``drop``, while on custom chain,
+ more actions are available.
+
+.. cfgcmd:: set firewall ipv6 name <name> default-jump-target <text>
+
+ To be used only when ``defult-action`` is set to ``jump``. Use this
+ command to specify jump target for default rule.
+
+.. note:: **Important note about default-actions:**
+ If default action for any base chain is not defined, then the default
+ action is set to **accept** for that chain. For custom chains, if default
+ action is not defined, then the default-action is set to **drop**
+
+Firewall Logs
+=============
+
+Logging can be enable for every single firewall rule. If enabled, other
+log options can be defined.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log
+ [disable | enable]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> log
+ [disable | enable]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> log
+ [disable | enable]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log
+ [disable | enable]
+
+ Enable or disable logging for the matched packet.
+
+.. cfgcmd:: set firewall ipv6 forward filter enable-default-log
+.. cfgcmd:: set firewall ipv6 input filter enable-default-log
+.. cfgcmd:: set firewall ipv6 output filter enable-default-log
+.. cfgcmd:: set firewall ipv6 name <name> enable-default-log
+
+ Use this command to enable the logging of the default action on
+ the specified chain.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ log-options level [emerg | alert | crit | err | warn | notice
+ | info | debug]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ log-options level [emerg | alert | crit | err | warn | notice
+ | info | debug]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ log-options level [emerg | alert | crit | err | warn | notice
+ | info | debug]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ log-options level [emerg | alert | crit | err | warn | notice
+ | info | debug]
+
+ Define log-level. Only applicable if rule log is enable.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ log-options group <0-65535>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ log-options group <0-65535>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ log-options group <0-65535>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ log-options group <0-65535>
+
+ Define log group to send message to. Only applicable if rule log is enable.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ log-options snapshot-length <0-9000>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ log-options snapshot-length <0-9000>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ log-options snapshot-length <0-9000>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ log-options snapshot-length <0-9000>
+
+ Define length of packet payload to include in netlink message. Only
+ applicable if rule log is enable and log group is defined.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ log-options queue-threshold <0-65535>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ log-options queue-threshold <0-65535>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ log-options queue-threshold <0-65535>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ log-options queue-threshold <0-65535>
+
+ Define number of packets to queue inside the kernel before sending them to
+ userspace. Only applicable if rule log is enable and log group is defined.
+
+Firewall Description
+====================
+
+For reference, a description can be defined for every single rule, and for
+every defined custom chain.
+
+.. cfgcmd:: set firewall ipv6 name <name> description <text>
+
+ Provide a rule-set description to a custom firewall chain.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ description <text>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ description <text>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ description <text>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> description <text>
+
+ Provide a description for each rule.
+
+Rule Status
+===========
+
+When defining a rule, it is enable by default. In some cases, it is useful to
+just disable the rule, rather than removing it.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> disable
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> disable
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> disable
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> disable
+
+ Command for disabling a rule but keep it in the configuration.
+
+Matching criteria
+=================
+
+There are a lot of matching criteria against which the package can be tested.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ connection-status nat [destination | source]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ connection-status nat [destination | source]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ connection-status nat [destination | source]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ connection-status nat [destination | source]
+
+ Match criteria based on nat connection status.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ connection-mark <1-2147483647>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ connection-mark <1-2147483647>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ connection-mark <1-2147483647>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ connection-mark <1-2147483647>
+
+ Match criteria based on connection mark.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ source address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ source address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ source address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ source address [address | addressrange | CIDR]
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ destination address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ destination address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ destination address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ destination address [address | addressrange | CIDR]
+
+ Match criteria based on source and/or destination address. This is similar
+ to the network groups part, but here you are able to negate the matching
+ addresses.
+
+ .. code-block:: none
+
+ set firewall ipv6 name FOO rule 100 source address 2001:db8::202
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ source address-mask [address]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ source address-mask [address]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ source address-mask [address]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ source address-mask [address]
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ destination address-mask [address]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ destination address-mask [address]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ destination address-mask [address]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ destination address-mask [address]
+
+ An arbitrary netmask can be applied to mask addresses to only match against
+ a specific portion. This is particularly useful with IPv6 as rules will
+ remain valid if the IPv6 prefix changes and the host
+ portion of systems IPv6 address is static (for example, with SLAAC or
+ `tokenised IPv6 addresses
+ <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)
+
+ This functions for both individual addresses and address groups.
+
+ .. code-block:: none
+
+ # Match any IPv6 address with the suffix ::0000:0000:0000:beef
+ set firewall ipv6 forward filter rule 100 destination address ::beef
+ set firewall ipv6 forward filter rule 100 destination address-mask ::ffff:ffff:ffff:ffff
+ # Address groups
+ set firewall group ipv6-address-group WEBSERVERS address ::1000
+ set firewall group ipv6-address-group WEBSERVERS address ::2000
+ set firewall ipv6 forward filter rule 200 source group address-group WEBSERVERS
+ set firewall ipv6 forward filter rule 200 source address-mask ::ffff:ffff:ffff:ffff
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ source fqdn <fqdn>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ source fqdn <fqdn>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ source fqdn <fqdn>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ source fqdn <fqdn>
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ destination fqdn <fqdn>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ destination fqdn <fqdn>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ destination fqdn <fqdn>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ destination fqdn <fqdn>
+
+ Specify a Fully Qualified Domain Name as source/destination matcher. Ensure
+ router is able to resolve such dns query.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ source geoip country-code <country>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ source geoip country-code <country>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ source geoip country-code <country>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ source geoip country-code <country>
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ destination geoip country-code <country>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ destination geoip country-code <country>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ destination geoip country-code <country>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ destination geoip country-code <country>
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ source geoip inverse-match
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ source geoip inverse-match
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ source geoip inverse-match
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ source geoip inverse-match
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ destination geoip inverse-match
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ destination geoip inverse-match
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ destination geoip inverse-match
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ destination geoip inverse-match
+
+ Match IP addresses based on its geolocation. More info: `geoip matching
+ <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
+ Use inverse-match to match anything except the given country-codes.
+
+Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
+permits redistribution so we can include a database in images(~3MB
+compressed). Includes cron script (manually callable by op-mode update
+geoip) to keep database and rules updated.
+
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ source mac-address <mac-address>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ source mac-address <mac-address>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ source mac-address <mac-address>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ source mac-address <mac-address>
+
+ Only in the source criteria, you can specify a mac-address.
+
+ .. code-block:: none
+
+ set firewall ipv6 input filter rule 100 source mac-address 00:53:00:11:22:33
+ set firewall ipv6 input filter rule 101 source mac-address !00:53:00:aa:12:34
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ source port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ source port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ source port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ source port [1-65535 | portname | start-end]
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ destination port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ destination port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ destination port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ destination port [1-65535 | portname | start-end]
+
+ A port can be set with a port number or a name which is here
+ defined: ``/etc/services``.
+
+ .. code-block:: none
+
+ set firewall ipv6 forward filter rule 10 source port '22'
+ set firewall ipv6 forward filter rule 11 source port '!http'
+ set firewall ipv6 forward filter rule 12 source port 'https'
+
+ Multiple source ports can be specified as a comma-separated list.
+ The whole list can also be "negated" using ``!``. For example:
+
+ .. code-block:: none
+
+ set firewall ipv6 forward filter rule 10 source port '!22,https,3333-3338'
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ source group address-group <name | !name>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ source group address-group <name | !name>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ source group address-group <name | !name>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ source group address-group <name | !name>
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ destination group address-group <name | !name>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ destination group address-group <name | !name>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ destination group address-group <name | !name>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ destination group address-group <name | !name>
+
+ Use a specific address-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ source group network-group <name | !name>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ source group network-group <name | !name>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ source group network-group <name | !name>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ source group network-group <name | !name>
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ destination group network-group <name | !name>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ destination group network-group <name | !name>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ destination group network-group <name | !name>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ destination group network-group <name | !name>
+
+ Use a specific network-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ source group port-group <name | !name>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ source group port-group <name | !name>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ source group port-group <name | !name>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ source group port-group <name | !name>
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ destination group port-group <name | !name>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ destination group port-group <name | !name>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ destination group port-group <name | !name>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ destination group port-group <name | !name>
+
+ Use a specific port-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ source group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ source group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ source group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ source group domain-group <name | !name>
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ destination group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ destination group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ destination group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ destination group domain-group <name | !name>
+
+ Use a specific domain-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ source group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ source group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ source group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ source group mac-group <name | !name>
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ destination group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ destination group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ destination group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ destination group mac-group <name | !name>
+
+ Use a specific mac-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ dscp [0-63 | start-end]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ dscp [0-63 | start-end]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ dscp [0-63 | start-end]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ dscp [0-63 | start-end]
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ dscp-exclude [0-63 | start-end]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ dscp-exclude [0-63 | start-end]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ dscp-exclude [0-63 | start-end]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ dscp-exclude [0-63 | start-end]
+
+ Match based on dscp value.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ fragment [match-frag | match-non-frag]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ fragment [match-frag | match-non-frag]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ fragment [match-frag | match-non-frag]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ fragment [match-frag | match-non-frag]
+
+ Match based on fragment criteria.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ icmpv6 [code | type] <0-255>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ icmpv6 [code | type] <0-255>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ icmpv6 [code | type] <0-255>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ icmpv6 [code | type] <0-255>
+
+ Match based on icmp|icmpv6 code and type.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ icmpv6 type-name <text>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ icmpv6 type-name <text>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ icmpv6 type-name <text>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ icmpv6 type-name <text>
+
+ Match based on icmpv6 type-name criteria. Use tab for information
+ about what **type-name** criteria are supported.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ inbound-interface name <iface>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ inbound-interface name <iface>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ inbound-interface name <iface>
+
+ Match based on inbound interface. Wilcard ``*`` can be used.
+ For example: ``eth2*``. Prepending character ``!`` for inverted matching
+ criteria is also supportd. For example ``!eth2``
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ inbound-interface group <iface_group>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ inbound-interface group <iface_group>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ inbound-interface group <iface_group>
+
+ Match based on inbound interface group. Prepending character ``!`` for
+ inverted matching criteria is also supportd. For example ``!IFACE_GROUP``
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ outbound-interface name <iface>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ outbound-interface name <iface>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ outbound-interface name <iface>
+
+ Match based on outbound interface. Wilcard ``*`` can be used.
+ For example: ``eth2*``. Prepending character ``!`` for inverted matching
+ criteria is also supportd. For example ``!eth2``
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ outbound-interface group <iface_group>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ outbound-interface group <iface_group>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ outbound-interface group <iface_group>
+
+ Match based on outbound interface group. Prepending character ``!`` for
+ inverted matching criteria is also supportd. For example ``!IFACE_GROUP``
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ ipsec [match-ipsec | match-none]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ ipsec [match-ipsec | match-none]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ ipsec [match-ipsec | match-none]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ ipsec [match-ipsec | match-none]
+
+ Match based on ipsec criteria.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ limit burst <0-4294967295>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ limit burst <0-4294967295>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ limit burst <0-4294967295>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ limit burst <0-4294967295>
+
+ Match based on the maximum number of packets to allow in excess of rate.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ limit rate <text>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ limit rate <text>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ limit rate <text>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ limit rate <text>
+
+ Match based on the maximum average rate, specified as **integer/unit**.
+ For example **5/minutes**
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ packet-length <text>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ packet-length <text>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ packet-length <text>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ packet-length <text>
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ packet-length-exclude <text>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ packet-length-exclude <text>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ packet-length-exclude <text>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ packet-length-exclude <text>
+
+ Match based on packet length criteria. Multiple values from 1 to 65535
+ and ranges are supported.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ packet-type [broadcast | host | multicast | other]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ packet-type [broadcast | host | multicast | other]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ packet-type [broadcast | host | multicast | other]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ packet-type [broadcast | host | multicast | other]
+
+ Match based on packet type criteria.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ protocol [<text> | <0-255> | all | tcp_udp]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ protocol [<text> | <0-255> | all | tcp_udp]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ protocol [<text> | <0-255> | all | tcp_udp]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ protocol [<text> | <0-255> | all | tcp_udp]
+
+ Match a protocol criteria. A protocol number or a name which is here
+ defined: ``/etc/protocols``.
+ Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
+ based packets. The ``!`` negate the selected protocol.
+
+ .. code-block:: none
+
+ set firewall ipv6 input filter rule 10 protocol tcp
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ recent count <1-255>
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ recent time [second | minute | hour]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ recent time [second | minute | hour]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ recent time [second | minute | hour]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ recent time [second | minute | hour]
+
+ Match bases on recently seen sources.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ tcp flags [not] <text>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ tcp flags [not] <text>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ tcp flags [not] <text>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ tcp flags [not] <text>
+
+ Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``,
+ ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for
+ inverted selection use ``not``, as shown in the example.
+
+ .. code-block:: none
+
+ set firewall ipv6 input filter rule 10 tcp flags 'ack'
+ set firewall ipv6 input filter rule 12 tcp flags 'syn'
+ set firewall ipv6 input filter rule 13 tcp flags not 'fin'
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ state [established | invalid | new | related] [enable | disable]
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ state [established | invalid | new | related] [enable | disable]
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ state [established | invalid | new | related] [enable | disable]
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ state [established | invalid | new | related] [enable | disable]
+
+ Match against the state of a packet.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ time startdate <text>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ time startdate <text>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ time startdate <text>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ time startdate <text>
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ time starttime <text>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ time starttime <text>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ time starttime <text>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ time starttime <text>
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ time stopdate <text>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ time stopdate <text>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ time stopdate <text>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ time stopdate <text>
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ time stoptime <text>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ time stoptime <text>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ time stoptime <text>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ time stoptime <text>
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ time weekdays <text>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ time weekdays <text>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ time weekdays <text>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ time weekdays <text>
+
+ Time to match the defined rule.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ hop-limit <eq | gt | lt> <0-255>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ hop-limit <eq | gt | lt> <0-255>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ hop-limit <eq | gt | lt> <0-255>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ hop-limit <eq | gt | lt> <0-255>
+
+ Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
+ 'greater than', and 'lt' stands for 'less than'.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ recent count <1-255>
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ recent time <second | minute | hour>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ recent time <second | minute | hour>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ recent time <second | minute | hour>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ recent time <second | minute | hour>
+
+ Match when 'count' amount of connections are seen within 'time'. These
+ matching criteria can be used to block brute-force attempts.
+
+********
+Synproxy
+********
+Synproxy connections
+
+.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> action synproxy
+.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> protocol tcp
+.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535>
+
+ Set TCP-MSS (maximum segment size) for the connection
+
+.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14>
+
+ Set the window scale factor for TCP window scaling
+
+Example synproxy
+================
+Requirements to enable synproxy:
+
+ * Traffic must be symmetric
+ * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled
+ * Disable conntrack loose track option
+
+.. code-block:: none
+
+ set system sysctl parameter net.ipv4.tcp_timestamps value '1'
+
+ set system conntrack tcp loose disable
+ set system conntrack ignore ipv6 rule 10 destination port '8080'
+ set system conntrack ignore ipv6 rule 10 protocol 'tcp'
+ set system conntrack ignore ipv6 rule 10 tcp flags syn
+
+ set firewall global-options syn-cookies 'enable'
+ set firewall ipv6 input filter rule 10 action 'synproxy'
+ set firewall ipv6 input filter rule 10 destination port '8080'
+ set firewall ipv6 input filter rule 10 inbound-interface interface-name 'eth1'
+ set firewall ipv6 input filter rule 10 protocol 'tcp'
+ set firewall ipv6 input filter rule 10 synproxy tcp mss '1460'
+ set firewall ipv6 input filter rule 10 synproxy tcp window-scale '7'
+ set firewall ipv6 input filter rule 1000 action 'drop'
+ set firewall ipv6 input filter rule 1000 state invalid 'enable'
+
+***********************
+Operation-mode Firewall
+***********************
+
+Rule-set overview
+=================
+
+.. opcmd:: show firewall
+
+ This will show you a basic firewall overview
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall
+ Rulesets Information
+
+ ---------------------------------
+ IPv4 Firewall "forward filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- -----------------------------------------
+ 5 jump all 0 0 iifname "eth1" jump NAME_VyOS_MANAGEMENT
+ 10 jump all 0 0 oifname "eth1" jump NAME_WAN_IN
+ 15 jump all 0 0 iifname "eth3" jump NAME_WAN_IN
+ default accept all
+
+ ---------------------------------
+ IPv4 Firewall "name VyOS_MANAGEMENT"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- --------------------------------
+ 5 accept all 0 0 ct state established accept
+ 10 drop all 0 0 ct state invalid
+ 20 accept all 0 0 ip saddr @A_GOOD_GUYS accept
+ 30 accept all 0 0 ip saddr @N_ENTIRE_RANGE accept
+ 40 accept all 0 0 ip saddr @A_VyOS_SERVERS accept
+ 50 accept icmp 0 0 meta l4proto icmp accept
+ default drop all 0 0
+
+ ---------------------------------
+ IPv6 Firewall "forward filter"
+
+ Rule Action Protocol
+ ------- -------- ----------
+ 5 jump all
+ 10 jump all
+ 15 jump all
+ default accept all
+
+ ---------------------------------
+ IPv6 Firewall "input filter"
+
+ Rule Action Protocol
+ ------- -------- ----------
+ 5 jump all
+ default accept all
+
+ ---------------------------------
+ IPv6 Firewall "ipv6_name IPV6-VyOS_MANAGEMENT"
+
+ Rule Action Protocol
+ ------- -------- ----------
+ 5 accept all
+ 10 drop all
+ 20 accept all
+ 30 accept all
+ 40 accept all
+ 50 accept ipv6-icmp
+ default drop all
+
+.. opcmd:: show firewall summary
+
+ This will show you a summary of rule-sets and groups
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall summary
+ Ruleset Summary
+
+ IPv6 Ruleset:
+
+ Ruleset Hook Ruleset Priority Description
+ -------------- -------------------- -------------------------
+ forward filter
+ input filter
+ ipv6_name IPV6-VyOS_MANAGEMENT
+ ipv6_name IPV6-WAN_IN PUBLIC_INTERNET
+
+ IPv4 Ruleset:
+
+ Ruleset Hook Ruleset Priority Description
+ -------------- ------------------ -------------------------
+ forward filter
+ input filter
+ name VyOS_MANAGEMENT
+ name WAN_IN PUBLIC_INTERNET
+
+ Firewall Groups
+
+ Name Type References Members
+ ----------------------- ------------------ ----------------------- ----------------
+ PBX address_group WAN_IN-100 198.51.100.77
+ SERVERS address_group WAN_IN-110 192.0.2.10
+ WAN_IN-111 192.0.2.11
+ WAN_IN-112 192.0.2.12
+ WAN_IN-120
+ WAN_IN-121
+ WAN_IN-122
+ SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2
+ WAN_IN-20
+ PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2
+ PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2
+ WAN_IN-171
+ PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1
+ SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2
+ IPV6-WAN_IN-111 2001:db8::3
+ IPV6-WAN_IN-112 2001:db8::4
+ IPV6-WAN_IN-120
+ IPV6-WAN_IN-121
+ IPV6-WAN_IN-122
+ SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5
+ IPV6-WAN_IN-20
+
+
+.. opcmd:: show firewall ipv6 [forward | input | output] filter
+
+.. opcmd:: show firewall ipv4 name <name>
+
+.. opcmd:: show firewall ipv6 ipv6-name <name>
+
+ This command will give an overview of a single rule-set.
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall ipv4 input filter
+ Ruleset Information
+
+ ---------------------------------
+ IPv4 Firewall "input filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- -----------------------------------------
+ 5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT
+ default accept all
+
+.. opcmd:: show firewall ipv6 [forward | input | output]
+ filter rule <1-999999>
+
+.. opcmd:: show firewall ipv4 name <name> rule <1-999999>
+
+.. opcmd:: show firewall ipv6 ipv6-name <name> rule <1-999999>
+
+ This command will give an overview of a rule in a single rule-set
+
+.. opcmd:: show firewall group <name>
+
+ Overview of defined groups. You see the type, the members, and where the
+ group is used.
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall group LAN
+ Firewall Groups
+
+ Name Type References Members
+ ------------ ------------------ ----------------------- ----------------
+ LAN ipv6_network_group IPV6-VyOS_MANAGEMENT-30 2001:db8::0/64
+ IPV6-WAN_IN-30
+ LAN network_group VyOS_MANAGEMENT-30 192.168.200.0/24
+ WAN_IN-30
+
+
+.. opcmd:: show firewall statistics
+
+ This will show you a statistic of all rule-sets since the last boot.
+
+Show Firewall log
+=================
+
+.. opcmd:: show log firewall
+.. opcmd:: show log firewall ipv6
+.. opcmd:: show log firewall ipv6 [forward | input | output | name]
+.. opcmd:: show log firewall ipv6 [forward | input | output] filter
+.. opcmd:: show log firewall ipv6 name <name>
+.. opcmd:: show log firewall ipv6 [forward | input | output] filter rule <rule>
+.. opcmd:: show log firewall ipv6 name <name> rule <rule>
+
+ Show the logs of all firewall; show all ipv6 firewall logs; show all logs
+ for particular hook; show all logs for particular hook and priority; show all logs
+ for particular custom chain; show logs for specific Rule-Set.
+
+Example Partial Config
+======================
+
+.. code-block:: none
+
+ firewall {
+ group {
+ network-group BAD-NETWORKS {
+ network 198.51.100.0/24
+ network 203.0.113.0/24
+ }
+ network-group GOOD-NETWORKS {
+ network 192.0.2.0/24
+ }
+ port-group BAD-PORTS {
+ port 65535
+ }
+ }
+ ipv4 {
+ forward {
+ filter {
+ default-action accept
+ rule 5 {
+ action accept
+ source {
+ group {
+ network-group GOOD-NETWORKS
+ }
+ }
+ }
+ rule 10 {
+ action drop
+ description "Bad Networks"
+ protocol all
+ source {
+ group {
+ network-group BAD-NETWORKS
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+Update geoip database
+=====================
+
+.. opcmd:: update geoip
+
+ Command used to update GeoIP database and firewall sets.
diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst
index 38869c32..1ab9c630 100644
--- a/docs/configuration/firewall/zone.rst
+++ b/docs/configuration/firewall/zone.rst
@@ -1,25 +1,44 @@
-:lastproofread: 2022-09-14
+:lastproofread: 2023-11-01
.. _firewall-zone:
-################################
-Zone Based Firewall (Deprecated)
-################################
+###################
+Zone Based Firewall
+###################
+
+********
+Overview
+********
.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall
- structure can be found on all vyos instalations, and zone based firewall is
- no longer supported. Documentation for most of the new firewall CLI can be
+ structure can be found on all vyos instalations. Zone based firewall was
+ removed in that version, but re introduced in VyOS 1.4 and 1.5. All
+ versions built after 2023-10-22 has this feature.
+ Documentation for most of the new firewall CLI can be
found in the `firewall
<https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_
chapter. The legacy firewall is still available for versions before
- 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy`
- chapter. The examples in this section use the legacy firewall configuration
- commands, since this feature has been removed in earlier releases.
-
-.. note:: For latest releases, refer the `firewall (interface-groups)
- <https://docs.vyos.io/en/latest/configuration/firewall/general.html#interface-groups>`_
- main page to configure zone based rules. New syntax was introduced here
- :vytask:`T5160`
+ 1.4-rolling-202308040557 and can be found in the
+ :doc:`legacy firewall configuration </configuration/firewall/general-legacy>`
+ chapter.
+
+In this section there's useful information of all firewall configuration that
+is needed for zone-based firewall.
+Configuration commands covered in this section:
+
+.. cfgcmd:: set firewall zone ...
+
+From main structure defined in
+:doc:`Firewall Overview</configuration/firewall/index>`
+in this section you can find detailed information only for the next part
+of the general structure:
+
+.. code-block:: none
+
+ - set firewall
+ * zone
+ - custom_zone_name
+ + ...
In zone-based policy, interfaces are assigned to zones, and inspection policy
is applied to traffic moving between the zones and acted on according to