Diffstat (limited to 'docs/configuration/firewall')
-rw-r--r-- | docs/configuration/firewall/general.rst | 75 |
1 files changed, 68 insertions, 7 deletions
diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst index 0cf8bcec..a8d5c9c2 100644 --- a/docs/configuration/firewall/general.rst +++ b/docs/configuration/firewall/general.rst @@ -148,11 +148,11 @@ Some firewall settings are global and have an affect on the whole system. Groups ****** -Firewall groups represent collections of IP addresses, networks, or -ports. Once created, a group can be referenced by firewall rules as -either a source or destination. Members can be added or removed from a -group without changes to, or the need to reload, individual firewall -rules. +Firewall groups represent collections of IP addresses, networks, ports, +mac addresses or domains. Once created, a group can be referenced by +firewall, nat and policy route rules as either a source or destination +matcher. Members can be added or removed from a group without changes to, +or the need to reload, individual firewall rules. Groups need to have unique names. Even though some contain IPv4 addresses and others contain IPv6 addresses, they still need to have @@ -183,7 +183,6 @@ defined. Provide a IPv4 or IPv6 address group description - Network Groups ============== @@ -208,7 +207,6 @@ recommended. Provide a IPv4 or IPv6 network group description. - Port Groups =========== 
@@ -234,6 +232,34 @@ filtering unnecessary ports. Ranges of ports can be specified by using Provide a port group description. +MAC Groups +========== + +A **mac group** represents a collection of mac addresses. + +.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address> + + Define a mac group. + +.. code-block:: none + + set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f + set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81 + + +Domain Groups +============= + +A **domain group** represents a collection of domains. + +.. cfgcmd:: set firewall group domain-group <name> address <domain> + + Define a domain group. + +.. code-block:: none + + set firewall group domain-group DOM address example.com + ********* Rule-Sets 
@@ -323,6 +349,37 @@ There are a lot of matching criteria against which the package can be tested. set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24 set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202 +.. cfgcmd:: set firewall name <name> rule <1-999999> source address-mask + [address] +.. cfgcmd:: set firewall name <name> rule <1-999999> destination address-mask + [address] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address-mask + [address] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination + address-mask [address] + + An arbitrary netmask can be applied to mask addresses to only match against + a specific portion. This is particularly useful with IPv6 and a zone-based + firewall as rules will remain valid if the IPv6 prefix changes and the host + portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses + <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) + + This functions for both individual addresses and address groups. + + .. code-block:: none + + # Match any IPv6 address with the suffix ::0000:0000:0000:beef + set firewall ipv6-name WAN-LAN-v6 rule 100 destination address ::beef + set firewall ipv6-name WAN-LAN-v6 rule 100 destination address-mask ::ffff:ffff:ffff:ffff + # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet + set firewall name WAN-LAN-v4 rule 100 destination address 0.11.0.13 + set firewall name WAN-LAN-v4 rule 100 destination address-mask 0.255.0.255 + # Address groups + set firewall group ipv6-address-group WEBSERVERS address ::1000 + set firewall group ipv6-address-group WEBSERVERS address ::2000 + set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS + set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff + .. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code <country> .. 
cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match @@ -603,11 +660,15 @@ A Rule-Set can be applied to every interface: set firewall interface eth1.100 out name LANv4-OUT set firewall interface bond0 in name LANv4-IN set firewall interface vtun1 in name LANv4-IN + set firewall interface eth2* in name LANv4-IN .. note:: As you can see in the example here, you can assign the same rule-set to several interfaces. An interface can only have one rule-set per chain. + .. note:: + You can use wildcard ``*`` to match a group of interfaces. + *********************** Operation-mode Firewall *********************** |
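Review bot: in the first hunk (the Groups intro) the new wording uses "mac addresses" and "nat" in lower case while the rest of the page writes "IP addresses" and "IPv4"/"IPv6"; please use "MAC addresses" and "NAT" ("... networks, ports, MAC addresses or domains ... referenced by firewall, NAT and policy route rules ...") so the acronyms are consistent across the chapter.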
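Review bot: in the hunk adding the "MAC Groups" and "Domain Groups" sections, the domain-group text only says "represents a collection of domains" and gives no indication of how a name such as example.com is turned into addresses for matching, or how often that mapping is refreshed; a reader evaluating this matcher needs that to judge how reliable a domain-based rule is (a stale or changed DNS answer changes what the rule actually permits or blocks), so please add a sentence describing the resolution behaviour, or a note that the matcher is DNS-dependent. Also "A **mac group**" should read "A **MAC group**" to match the section title "MAC Groups".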
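Review bot: in the address-mask hunk the address-group example is wrong for IPv6: rule 200 is written as `set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS` and `set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff`, but WAN-LAN-v6 is an IPv6 rule-set (the lines just above use `set firewall ipv6-name WAN-LAN-v6`), so both lines should use `firewall ipv6-name`; as written the example would create an IPv4 rule-set that cannot match the IPv6 group. In the same hunk, "the host portion of systems IPv6 address" should be "the host portion of the system's IPv6 address", the sentence ending with the tokenised-IPv6 link is missing its closing full stop, and "forth octet" should be "fourth octet".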
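Review bot: in the last hunk the new note "You can use wildcard ``*`` to match a group of interfaces" does not say what the wildcard matches, so a reader cannot tell whether `eth2*` covers only `eth2` and its VLAN sub-interfaces (`eth2.100`) or also `eth20`, `eth21` and so on; since this decides which interfaces a rule-set is attached to, please state the matching semantics and where the `*` may appear (trailing only, or anywhere), and add the article: "You can use the wildcard ``*`` ...". Also check the indentation of the added `.. note::` so it is a sibling of the existing note rather than nested inside its body.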