Diffstat (limited to 'docs/configuration/firewall')
-rw-r--r--  docs/configuration/firewall/bridge.rst      32
-rw-r--r--  docs/configuration/firewall/flowtables.rst  17
-rw-r--r--  docs/configuration/firewall/groups.rst      281
-rw-r--r--  docs/configuration/firewall/index.rst       6
-rw-r--r--  docs/configuration/firewall/ipv4.rst        82
-rw-r--r--  docs/configuration/firewall/ipv6.rst        90
-rw-r--r--  docs/configuration/firewall/zone.rst        2
7 files changed, 393 insertions, 117 deletions
diff --git a/docs/configuration/firewall/bridge.rst b/docs/configuration/firewall/bridge.rst index 9fb019c5..f84fd456 100644 --- a/docs/configuration/firewall/bridge.rst +++ b/docs/configuration/firewall/bridge.rst @@ -13,7 +13,7 @@ Overview ******** In this section there's useful information of all firewall configuration that -can be done regarding bridge, and appropiate op-mode commands. +can be done regarding bridge, and appropriate op-mode commands. Configuration commands covered in this section: .. cfgcmd:: set firewall bridge ... @@ -37,13 +37,13 @@ for this layer is shown next: .. figure:: /_static/images/firewall-bridge-packet-flow.png -For traffic that needs to be forwared internally by the bridge, base chain is +For traffic that needs to be forwarded internally by the bridge, base chain is is **forward**, and it's base command for filtering is ``set firewall bridge -forward filter ...``, which happens in stage 4, highlightened with red color. +forward filter ...``, which happens in stage 4, highlighted with red color. Custom bridge firewall chains can be create with command ``set firewall bridge name <name> ...``. In order to use such custom chain, a rule with action jump, -and the appropiate target should be defined in a base chain. +and the appropriate target should be defined in a base chain. .. note:: **Layer 3 bridge**: When an IP address is assigned to the bridge interface, and if traffic @@ -137,7 +137,7 @@ not match any rule in it's chain. For base chains, possible options for .. cfgcmd:: set firewall bridge name <name> default-jump-target <text> - To be used only when ``defult-action`` is set to ``jump``. Use this + To be used only when ``default-action`` is set to ``jump``. Use this command to specify jump target for default rule. .. note:: **Important note about default-actions:** 
@@ -157,8 +157,8 @@ log options can be defined. Enable logging for the matched packet. If this configuration command is not present, then log is not enabled. -.. cfgcmd:: set firewall bridge forward filter enable-default-log -.. cfgcmd:: set firewall bridge name <name> enable-default-log +.. cfgcmd:: set firewall bridge forward filter default-log +.. cfgcmd:: set firewall bridge name <name> default-log Use this command to enable the logging of the default action on the specified chain. @@ -236,9 +236,9 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall bridge name <name> rule <1-999999> inbound-interface name <iface> - Match based on inbound interface. Wilcard ``*`` can be used. + Match based on inbound interface. Wildcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching - criteria is also supportd. For example ``!eth2`` + criteria is also supported. For example ``!eth2`` .. cfgcmd:: set firewall bridge forward filter rule <1-999999> inbound-interface group <iface_group> 
@@ -246,16 +246,16 @@ There are a lot of matching criteria against which the packet can be tested. inbound-interface group <iface_group> Match based on inbound interface group. Prepending character ``!`` for - inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + inverted matching criteria is also supported. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall bridge forward filter rule <1-999999> outbound-interface name <iface> .. cfgcmd:: set firewall bridge name <name> rule <1-999999> outbound-interface name <iface> - Match based on outbound interface. Wilcard ``*`` can be used. + Match based on outbound interface. Wildcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching - criteria is also supportd. For example ``!eth2`` + criteria is also supported. For example ``!eth2`` .. cfgcmd:: set firewall bridge forward filter rule <1-999999> outbound-interface group <iface_group> @@ -263,7 +263,7 @@ There are a lot of matching criteria against which the packet can be tested. outbound-interface group <iface_group> Match based on outbound interface group. Prepending character ``!`` for - inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + inverted matching criteria is also supported. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall bridge forward filter rule <1-999999> vlan id <0-4096> @@ -288,7 +288,7 @@ Rule-set overview In this section you can find all useful firewall op-mode commands. -General commands for firewall configuration, counter and statiscits: +General commands for firewall configuration, counter and statistics: .. opcmd:: show firewall .. opcmd:: show firewall summary 
@@ -325,7 +325,7 @@ Configuration example: .. code-block:: none set firewall bridge forward filter default-action 'drop' - set firewall bridge forward filter enable-default-log + set firewall bridge forward filter default-log set firewall bridge forward filter rule 10 action 'continue' set firewall bridge forward filter rule 10 inbound-interface name 'eth2' set firewall bridge forward filter rule 10 vlan id '22' @@ -341,7 +341,7 @@ Configuration example: set firewall bridge forward filter rule 40 destination mac-address '66:55:44:33:22:11' set firewall bridge forward filter rule 40 source mac-address '11:22:33:44:55:66' set firewall bridge name TEST default-action 'accept' - set firewall bridge name TEST enable-default-log + set firewall bridge name TEST default-log set firewall bridge name TEST rule 10 action 'continue' set firewall bridge name TEST rule 10 log set firewall bridge name TEST rule 10 vlan priority '0' diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst index bc7b9212..e8a5f2e8 100644 --- a/docs/configuration/firewall/flowtables.rst +++ b/docs/configuration/firewall/flowtables.rst @@ -17,7 +17,8 @@ can be done regarding flowtables. .. cfgcmd:: set firewall flowtables ... -From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +From main structure defined in +:doc:`Firewall Overview</configuration/firewall/index>` in this section you can find detailed information only for the next part of the general structure: 
@@ -99,20 +100,20 @@ Creating rules for using flow tables: Configuration Example ********************* -Things to be considred in this setup: +Things to be considered in this setup: * Two interfaces are going to be used in the flowtables: eth0 and eth1 - * Minumum firewall ruleset is provided, which includes some filtering rules, - and appropiate rules for using flowtable offload capabilities. + * Minimum firewall ruleset is provided, which includes some filtering rules, + and appropriate rules for using flowtable offload capabilities. As described, first packet will be evaluated by all the firewall path, so -desired connection should be explicitely accepted. Same thing should be taken +desired connection should be explicitly accepted. Same thing should be taken into account for traffic in reverse order. In most cases state policies are used in order to accept connection in reverse patch. -We will only accept traffic comming from interface eth0, protocol tcp and -destination port 1122. All other traffic traspassing the router should be +We will only accept traffic coming from interface eth0, protocol tcp and +destination port 1122. All other traffic trespassing the router should be blocked. Commands @@ -152,7 +153,7 @@ Analysis on what happens for desired connection: 4. Once answer from server 192.0.2.100 is seen in opposite direction, connection state will be triggered to **established**, so this reply is - accepted in rule 10. + accepted in rule 20. 5. Second packet for this connection is received by the router. Since connection state is **established**, then rule 10 is hit, and a new entry diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst index aee68793..6111650a 100644 --- a/docs/configuration/firewall/groups.rst +++ b/docs/configuration/firewall/groups.rst 
@@ -21,9 +21,9 @@ Address Groups In an **address group** a single IP address or IP address ranges are defined. -.. cfgcmd:: set firewall group address-group <name> address [address | +.. cfgcmd:: set firewall group address-group <name> address [address | address range] -.. cfgcmd:: set firewall group ipv6-address-group <name> address <address> +.. cfgcmd:: set firewall group ipv6-address-group <name> address <address> Define a IPv4 or a IPv6 address group @@ -33,8 +33,8 @@ defined. set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8 set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1 -.. cfgcmd:: set firewall group address-group <name> description <text> -.. cfgcmd:: set firewall group ipv6-address-group <name> description <text> +.. cfgcmd:: set firewall group address-group <name> description <text> +.. cfgcmd:: set firewall group ipv6-address-group <name> description <text> Provide a IPv4 or IPv6 address group description @@ -46,8 +46,8 @@ IP addresses can be added as a 32-bit prefix. If you foresee the need to add a mix of addresses and networks, the network group is recommended. -.. cfgcmd:: set firewall group network-group <name> network <CIDR> -.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR> +.. cfgcmd:: set firewall group network-group <name> network <CIDR> +.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR> Define a IPv4 or IPv6 Network group. @@ -57,8 +57,8 @@ recommended. set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24 set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64 -.. cfgcmd:: set firewall group network-group <name> description <text> -.. cfgcmd:: set firewall group ipv6-network-group <name> description <text> +.. cfgcmd:: set firewall group network-group <name> description <text> +.. cfgcmd:: set firewall group ipv6-network-group <name> description <text> Provide an IPv4 or IPv6 network group description. 
@@ -67,7 +67,7 @@ Interface Groups An **interface group** represents a collection of interfaces. -.. cfgcmd:: set firewall group interface-group <name> interface <text> +.. cfgcmd:: set firewall group interface-group <name> interface <text> Define an interface group. Wildcard are accepted too. @@ -76,7 +76,7 @@ An **interface group** represents a collection of interfaces. set firewall group interface-group LAN interface bond1001 set firewall group interface-group LAN interface eth3* -.. cfgcmd:: set firewall group interface-group <name> description <text> +.. cfgcmd:: set firewall group interface-group <name> description <text> Provide an interface group description @@ -110,7 +110,7 @@ MAC Groups A **mac group** represents a collection of mac addresses. -.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address> +.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address> Define a mac group. @@ -128,7 +128,7 @@ Domain Groups A **domain group** represents a collection of domains. -.. cfgcmd:: set firewall group domain-group <name> address <domain> +.. cfgcmd:: set firewall group domain-group <name> address <domain> Define a domain group. 
@@ -140,10 +140,108 @@ A **domain group** represents a collection of domains. Provide a domain group description. +Dynamic Groups +============== + +Firewall dynamic groups are different from all the groups defined previously +because, not only they can be used as source/destination in firewall rules, +but members of these groups are not defined statically using vyos +configuration. + +Instead, members of these groups are added dynamically using firewall +rules. + +Defining Dynamic Address Groups +------------------------------- + +Dynamic address group is supported by both IPv4 and IPv6 families. +Commands used to define dynamic IPv4|IPv6 address groups are: + +.. cfgcmd:: set firewall group dynamic-group address-group <name> +.. cfgcmd:: set firewall group dynamic-group ipv6-address-group <name> + +Add description to firewall groups: + +.. cfgcmd:: set firewall group dynamic-group address-group <name> + description <text> +.. cfgcmd:: set firewall group dynamic-group ipv6-address-group <name> + description <text> + +Adding elements to Dynamic Firewall Groups +------------------------------------------ + +Once dynamic firewall groups are defined, they should be used in firewall +rules in order to dynamically add elements to it. + +Commands used for this task are: + +* Add destination IP address of the connection to a dynamic address group: + +.. cfgcmd:: set firewall ipv4 [forward | input | output] filter rule + <1-999999> add-address-to-group destination-address address-group <name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> add-address-to-group + destination-address address-group <name> +.. cfgcmd:: set firewall ipv6 [forward | input | output] filter rule + <1-999999> add-address-to-group destination-address address-group <name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> add-address-to-group + destination-address address-group <name> + +* Add source IP address of the connection to a dynamic address group: + +.. 
cfgcmd:: set firewall ipv4 [forward | input | output] filter rule + <1-999999> add-address-to-group source-address address-group <name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> add-address-to-group + source-address address-group <name> +.. cfgcmd:: set firewall ipv6 [forward | input | output] filter rule + <1-999999> add-address-to-group source-address address-group <name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> add-address-to-group + source-address address-group <name> + +Also, specific timeout can be defined per rule. In case rule gets a hit, +source or destinatination address will be added to the group, and this +element will remain in the group until timeout expires. If no timeout +is defined, then the element will remain in the group until next reboot, +or until a new commit that changes firewall configuration is done. + +.. cfgcmd:: set firewall ipv4 [forward | input | output] filter rule + <1-999999> add-address-to-group [destination-address | source-address] + timeout <timeout> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> add-address-to-group + [destination-address | source-address] timeout <timeout> +.. cfgcmd:: set firewall ipv6 [forward | input | output] filter rule + <1-999999> add-address-to-group [destination-address | source-address] + timeout <timeout> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> add-address-to-group + [destination-address | source-address] timeout <timeout> + +Timeout can be defined using seconds, minutes, hours or days: + +.. code-block:: none + + set firewall ipv6 name FOO rule 10 add-address-to-group source-address timeout + Possible completions: + <number>s Timeout value in seconds + <number>m Timeout value in minutes + <number>h Timeout value in hours + <number>d Timeout value in days + +Using Dynamic Firewall Groups +----------------------------- + +As any other firewall group, dynamic firewall groups can be used in firewall +rules as matching options. 
For example: + +.. code-block:: none + set firewall ipv4 input filter rule 10 source group dynamic-address-group FOO + set firewall ipv4 input filter rule 10 destination group dynamic-address-group BAR + ******** Examples ******** +General example +=============== + As said before, once firewall groups are created, they can be referenced either in firewall, nat, nat66 and/or policy-route rules. @@ -166,12 +264,12 @@ And next, some configuration example where groups are used: .. code-block:: none - set firewall ipv4 input filter rule 10 action accept - set firewall ipv4 input filter rule 10 inbound-interface group !LAN + set firewall ipv4 output filter rule 10 action accept + set firewall ipv4 output filter rule 10 outbound-interface group !LAN set firewall ipv4 forward filter rule 20 action accept set firewall ipv4 forward filter rule 20 source group network-group TRUSTEDv4 set firewall ipv6 input filter rule 10 action accept - set firewall ipv6 input filter rule 10 source-group network-group TRUSTEDv6 + set firewall ipv6 input filter rule 10 source group network-group TRUSTEDv6 set nat destination rule 101 inbound-interface group LAN set nat destination rule 101 destination group address-group SERVERS set nat destination rule 101 protocol tcp 
@@ -181,30 +279,151 @@ And next, some configuration example where groups are used: set policy route PBR rule 201 protocol tcp set policy route PBR rule 201 set table 15 +Port knocking example +===================== + +Using dynamic firewall groups, we can secure access to the router, or any other +device if needed, by using the technique of port knocking. + +A 4 step port knocking example is shown next: + + .. code-block:: none + + set firewall global-options state-policy established action 'accept' + set firewall global-options state-policy invalid action 'drop' + set firewall global-options state-policy related action 'accept' + set firewall group dynamic-group address-group ALLOWED + set firewall group dynamic-group address-group PN_01 + set firewall group dynamic-group address-group PN_02 + set firewall ipv4 input filter default-action 'drop' + set firewall ipv4 input filter rule 5 action 'accept' + set firewall ipv4 input filter rule 5 protocol 'icmp' + set firewall ipv4 input filter rule 10 action 'drop' + set firewall ipv4 input filter rule 10 add-address-to-group source-address address-group 'PN_01' + set firewall ipv4 input filter rule 10 add-address-to-group source-address timeout '2m' + set firewall ipv4 input filter rule 10 description 'Port_nock 01' + set firewall ipv4 input filter rule 10 destination port '9990' + set firewall ipv4 input filter rule 10 protocol 'tcp' + set firewall ipv4 input filter rule 20 action 'drop' + set firewall ipv4 input filter rule 20 add-address-to-group source-address address-group 'PN_02' + set firewall ipv4 input filter rule 20 add-address-to-group source-address timeout '3m' + set firewall ipv4 input filter rule 20 description 'Port_nock 02' + set firewall ipv4 input filter rule 20 destination port '9991' + set firewall ipv4 input filter rule 20 protocol 'tcp' + set firewall ipv4 input filter rule 20 source group dynamic-address-group 'PN_01' + set firewall ipv4 input filter rule 30 action 'drop' + set firewall ipv4 
input filter rule 30 add-address-to-group source-address address-group 'ALLOWED' + set firewall ipv4 input filter rule 30 add-address-to-group source-address timeout '2h' + set firewall ipv4 input filter rule 30 description 'Port_nock 03' + set firewall ipv4 input filter rule 30 destination port '9992' + set firewall ipv4 input filter rule 30 protocol 'tcp' + set firewall ipv4 input filter rule 30 source group dynamic-address-group 'PN_02' + set firewall ipv4 input filter rule 99 action 'accept' + set firewall ipv4 input filter rule 99 description 'Port_nock 04 - Allow ssh' + set firewall ipv4 input filter rule 99 destination port '22' + set firewall ipv4 input filter rule 99 protocol 'tcp' + set firewall ipv4 input filter rule 99 source group dynamic-address-group 'ALLOWED' + +Before testing, we can check members of firewall groups: + + .. code-block:: none + + vyos@vyos# run show firewall group + Firewall Groups + + Name Type References Members Timeout Expires + ------- ---------------------- -------------------- ------------- --------- --------- + ALLOWED address_group(dynamic) ipv4-input-filter-30 N/D N/D N/D + PN_01 address_group(dynamic) ipv4-input-filter-10 N/D N/D N/D + PN_02 address_group(dynamic) ipv4-input-filter-20 N/D N/D N/D + [edit] + vyos@vyos# + +With this configuration, in order to get ssh access to the router, user +needs to: + +1. Generate a new TCP connection with destination port 9990. As shown next, +a new entry was added to dynamic firewall group **PN_01** + + .. code-block:: none + + vyos@vyos# run show firewall group + Firewall Groups + + Name Type References Members Timeout Expires + ------- ---------------------- -------------------- ------------- --------- --------- + ALLOWED address_group(dynamic) ipv4-input-filter-30 N/D N/D N/D + PN_01 address_group(dynamic) ipv4-input-filter-10 192.168.89.31 120 119 + PN_02 address_group(dynamic) ipv4-input-filter-20 N/D N/D N/D + [edit] + vyos@vyos# + +2. 
Generate a new TCP connection with destination port 9991. As shown next, +a new entry was added to dynamic firewall group **PN_02** + + .. code-block:: none + + vyos@vyos# run show firewall group + Firewall Groups + + Name Type References Members Timeout Expires + ------- ---------------------- -------------------- ------------- --------- --------- + ALLOWED address_group(dynamic) ipv4-input-filter-30 N/D N/D N/D + PN_01 address_group(dynamic) ipv4-input-filter-10 192.168.89.31 120 106 + PN_02 address_group(dynamic) ipv4-input-filter-20 192.168.89.31 180 179 + [edit] + vyos@vyos# + +3. Generate a new TCP connection with destination port 9992. As shown next, +a new entry was added to dynamic firewall group **ALLOWED** + + .. code-block:: none + + vyos@vyos# run show firewall group + Firewall Groups + + Name Type References Members Timeout Expires + ------- ---------------------- -------------------- ------------- --------- --------- + ALLOWED address_group(dynamic) ipv4-input-filter-30 192.168.89.31 7200 7199 + PN_01 address_group(dynamic) ipv4-input-filter-10 192.168.89.31 120 89 + PN_02 address_group(dynamic) ipv4-input-filter-20 192.168.89.31 180 170 + [edit] + vyos@vyos# + +4. Now user can connect through ssh to the router (assuming ssh is configured). + ************** Operation-mode ************** +.. opcmd:: show firewall group .. opcmd:: show firewall group <name> - Overview of defined groups. You see the type, the members, and where the - group is used. + Overview of defined groups. You see the firewall group name, type, + references (where the group is used), members, timeout and expiration (last + two only present in dynamic firewall groups). + +Here is an example of such command: .. 
code-block:: none - vyos@ZBF-15-CLean:~$ show firewall group + vyos@vyos:~$ show firewall group Firewall Groups - Name Type References Members - ------------ ------------------ ---------------------- ---------------- - SERVERS address_group nat-destination-101 198.51.100.101 - 198.51.100.102 - LAN interface_group ipv4-input-filter-10 bon0 - nat-destination-101 eth2.2001 - TRUSTEDv6 ipv6_network_group ipv6-input-filter-10 2001:db8::/64 - TRUSTEDv4 network_group ipv4-forward-filter-20 192.0.2.0/30 - 203.0.113.128/25 - PORT-SERVERS port_group route-PBR-201 443 - nat-destination-101 5000-5010 - http - vyos@ZBF-15-CLean:~$ + Name Type References Members Timeout Expires + ------------ ---------------------- ---------------------- ---------------- --------- --------- + SERVERS address_group nat-destination-101 198.51.100.101 + 198.51.100.102 + ALLOWED address_group(dynamic) ipv4-input-filter-30 192.168.77.39 7200 7174 + PN_01 address_group(dynamic) ipv4-input-filter-10 192.168.0.245 120 112 + 192.168.77.39 120 85 + PN_02 address_group(dynamic) ipv4-input-filter-20 192.168.77.39 180 151 + LAN interface_group ipv4-output-filter-10 bon0 + nat-destination-101 eth2.2001 + TRUSTEDv6 ipv6_network_group ipv6-input-filter-10 2001:db8::/64 + TRUSTEDv4 network_group ipv4-forward-filter-20 192.0.2.0/30 + 203.0.113.128/25 + PORT-SERVERS port_group route-PBR-201 443 + route-PBR-201 5000-5010 + nat-destination-101 http + vyos@vyos:~$
\ No newline at end of file diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 44e0cd20..1d904901 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -24,7 +24,7 @@ firewall are covered below: where the packet was received is part of a bridge, or not. If the interface where the packet was received isn't part of a bridge, then -packetis processed at the **IP Layer**: +packet is processed at the **IP Layer**: * **Prerouting**: several actions can be done in this stage, and currently these actions are defined in different parts in VyOS configuration. Order @@ -65,7 +65,7 @@ packetis processed at the **IP Layer**: * **Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, - such as NTP, or a response to traffic received externaly through + such as NTP, or a response to traffic received externally through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in: @@ -84,7 +84,7 @@ If the interface where the packet was received is part of a bridge, then the packet is processed at the **Bridge Layer**, which contains a basic setup for bridge filtering: - * **Forward (Bridge)**: stage where traffic that is trespasing through the + * **Forward (Bridge)**: stage where traffic that is trespassing through the bridge is filtered and controlled: * ``set firewall bridge forward filter ...``. diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst index ff739418..f7f98dc7 100644 --- a/docs/configuration/firewall/ipv4.rst +++ b/docs/configuration/firewall/ipv4.rst 
@@ -11,12 +11,13 @@ Overview ******** In this section there's useful information of all firewall configuration that -can be done regarding IPv4, and appropiate op-mode commands. +can be done regarding IPv4, and appropriate op-mode commands. Configuration commands covered in this section: .. cfgcmd:: set firewall ipv4 ... -From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +From main structure defined in +:doc:`Firewall Overview</configuration/firewall/index>` in this section you can find detailed information only for the next part of the general structure: @@ -41,12 +42,12 @@ next: Where firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, -highlightened with red color. +highlighted with red color. For traffic towards the router itself, base chain is **input**, while traffic originated by the router, base chain is **output**. A new simplified packet flow diagram is shown next, which shows the path -for traffic destinated to the router itself, and traffic generated by the +for traffic destined to the router itself, and traffic generated by the router (starting from circle number 6): .. figure:: /_static/images/firewall-input-packet-flow.png @@ -64,7 +65,7 @@ output filter ...`` Custom firewall chains can be created, with commands ``set firewall ipv4 name <name> ...``. In order to use -such custom chain, a rule with **action jump**, and the appropiate **target** +such custom chain, a rule with **action jump**, and the appropriate **target** should be defined in a base chain. ********************* 
@@ -184,7 +185,7 @@ not match any rule in it's chain. For base chains, possible options for .. cfgcmd:: set firewall ipv4 name <name> default-jump-target <text> - To be used only when ``defult-action`` is set to ``jump``. Use this + To be used only when ``default-action`` is set to ``jump``. Use this command to specify jump target for default rule. .. note:: **Important note about default-actions:** @@ -206,10 +207,10 @@ log options can be defined. Enable logging for the matched packet. If this configuration command is not present, then log is not enabled. -.. cfgcmd:: set firewall ipv4 forward filter enable-default-log -.. cfgcmd:: set firewall ipv4 input filter enable-default-log -.. cfgcmd:: set firewall ipv4 output filter enable-default-log -.. cfgcmd:: set firewall ipv4 name <name> enable-default-log +.. cfgcmd:: set firewall ipv4 forward filter default-log +.. cfgcmd:: set firewall ipv4 input filter default-log +.. cfgcmd:: set firewall ipv4 output filter default-log +.. cfgcmd:: set firewall ipv4 name <name> default-log Use this command to enable the logging of the default action on the specified chain. 
@@ -539,6 +540,27 @@ geoip) to keep database and rules updated. criteria. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group dynamic-address-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group dynamic-address-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group dynamic-address-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group dynamic-address-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group dynamic-address-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group dynamic-address-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group dynamic-address-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group dynamic-address-group <name | !name> + + Use a specific dynamic-address-group. Prepend character ``!`` for inverted + matching criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> source group network-group <name | !name> .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> source group network-group <name | !name> @@ -683,9 +705,9 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> inbound-interface name <iface> - Match based on inbound interface. Wilcard ``*`` can be used. + Match based on inbound interface. Wildcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching - criteria is also supportd. For example ``!eth2`` + criteria is also supported. For example ``!eth2`` .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> inbound-interface group <iface_group> 
@@ -695,7 +717,7 @@ geoip) to keep database and rules updated. inbound-interface group <iface_group> Match based on inbound interface group. Prepending character ``!`` for - inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + inverted matching criteria is also supported. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> outbound-interface name <iface> @@ -704,9 +726,9 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> outbound-interface name <iface> - Match based on outbound interface. Wilcard ``*`` can be used. + Match based on outbound interface. Wildcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching - criteria is also supportd. For example ``!eth2`` + criteria is also supported. For example ``!eth2`` .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> outbound-interface group <iface_group> @@ -716,7 +738,7 @@ geoip) to keep database and rules updated. outbound-interface group <iface_group> Match based on outbound interface group. Prepending character ``!`` for - inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + inverted matching criteria is also supported. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> ipsec [match-ipsec | match-none] 
@@ -843,13 +865,13 @@ geoip) to keep database and rules updated. set firewall ipv4 input filter rule 13 tcp flags not 'fin' .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] + state [established | invalid | new | related] .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] + state [established | invalid | new | related] .. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] + state [established | invalid | new | related] .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - state [established | invalid | new | related] [enable | disable] + state [established | invalid | new | related] Match against the state of a packet. @@ -934,13 +956,17 @@ Synproxy ******** Synproxy connections -.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> action synproxy -.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> protocol tcp -.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> + action synproxy +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> + protocol tcp +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> + synproxy tcp mss <501-65535> Set TCP-MSS (maximum segment size) for the connection -.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> + synproxy tcp window-scale <1-14> Set the window scale factor for TCP window scaling 
@@ -964,12 +990,12 @@ Requirements to enable synproxy: set firewall global-options syn-cookies 'enable' set firewall ipv4 input filter rule 10 action 'synproxy' set firewall ipv4 input filter rule 10 destination port '8080' - set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' + set firewall ipv4 input filter rule 10 inbound-interface name 'eth1' set firewall ipv4 input filter rule 10 protocol 'tcp' set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7' set firewall ipv4 input filter rule 1000 action 'drop' - set firewall ipv4 input filter rule 1000 state invalid 'enable' + set firewall ipv4 input filter rule 1000 state invalid *********************** @@ -1146,8 +1172,8 @@ Show Firewall log .. opcmd:: show log firewall ipv4 name <name> rule <rule> Show the logs of all firewall; show all ipv4 firewall logs; show all logs - for particular hook; show all logs for particular hook and priority; show all logs - for particular custom chain; show logs for specific Rule-Set. + for particular hook; show all logs for particular hook and priority; + show all logs for particular custom chain; show logs for specific Rule-Set. Example Partial Config ====================== diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst index 0aa8a137..cbf18a7d 100644 --- a/docs/configuration/firewall/ipv6.rst +++ b/docs/configuration/firewall/ipv6.rst 
@@ -11,12 +11,13 @@ Overview ******** In this section there's useful information of all firewall configuration that -can be done regarding IPv6, and appropiate op-mode commands. +can be done regarding IPv6, and appropriate op-mode commands. Configuration commands covered in this section: .. cfgcmd:: set firewall ipv6 ... -From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +From main structure defined in +:doc:`Firewall Overview</configuration/firewall/index>` in this section you can find detailed information only for the next part of the general structure: @@ -41,12 +42,12 @@ next: Where firewall base chain to configure firewall filtering rules for transit traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, -highlightened with red color. +highlighted with red color. For traffic towards the router itself, base chain is **input**, while traffic originated by the router, base chain is **output**. A new simplified packet flow diagram is shown next, which shows the path -for traffic destinated to the router itself, and traffic generated by the +for traffic destined to the router itself, and traffic generated by the router (starting from circle number 6): .. figure:: /_static/images/firewall-input-packet-flow.png @@ -64,7 +65,7 @@ output filter ...`` Custom firewall chains can be created, with commands ``set firewall ipv6 name <name> ...``. In order to use -such custom chain, a rule with **action jump**, and the appropiate **target** +such custom chain, a rule with **action jump**, and the appropriate **target** should be defined in a base chain. ****************************** 
@@ -184,7 +185,7 @@ not match any rule in it's chain. For base chains, possible options for .. cfgcmd:: set firewall ipv6 name <name> default-jump-target <text> - To be used only when ``defult-action`` is set to ``jump``. Use this + To be used only when ``default-action`` is set to ``jump``. Use this command to specify jump target for default rule. .. note:: **Important note about default-actions:** @@ -206,10 +207,10 @@ log options can be defined. Enable logging for the matched packet. If this configuration command is not present, then log is not enabled. -.. cfgcmd:: set firewall ipv6 forward filter enable-default-log -.. cfgcmd:: set firewall ipv6 input filter enable-default-log -.. cfgcmd:: set firewall ipv6 output filter enable-default-log -.. cfgcmd:: set firewall ipv6 name <name> enable-default-log +.. cfgcmd:: set firewall ipv6 forward filter default-log +.. cfgcmd:: set firewall ipv6 input filter default-log +.. cfgcmd:: set firewall ipv6 output filter default-log +.. cfgcmd:: set firewall ipv6 name <name> default-log Use this command to enable the logging of the default action on the specified chain. @@ -373,10 +374,12 @@ There are a lot of matching criteria against which the packet can be tested. remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses - <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) + <https://datatracker.ietf.org + /doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) This functions for both individual addresses and address groups. + .. stop_vyoslinter .. code-block:: none # Match any IPv6 address with the suffix ::0000:0000:0000:beef 
@@ -388,6 +391,8 @@ There are a lot of matching criteria against which the packet can be tested. set firewall ipv6 forward filter rule 200 source group address-group WEBSERVERS set firewall ipv6 forward filter rule 200 source address-mask ::ffff:ffff:ffff:ffff + .. start_vyoslinter + .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source fqdn <fqdn> .. cfgcmd:: set firewall ipv6 input filter rule <1-999999> @@ -526,6 +531,27 @@ geoip) to keep database and rules updated. criteria. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group dynamic-address-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group dynamic-address-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group dynamic-address-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group dynamic-address-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group dynamic-address-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group dynamic-address-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group dynamic-address-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group dynamic-address-group <name | !name> + + Use a specific dynamic-address-group. Prepend character ``!`` for inverted + matching criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source group network-group <name | !name> .. cfgcmd:: set firewall ipv6 input filter rule <1-999999> source group network-group <name | !name> 
@@ -670,9 +696,9 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> inbound-interface name <iface> - Match based on inbound interface. Wilcard ``*`` can be used. + Match based on inbound interface. Wildcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching - criteria is also supportd. For example ``!eth2`` + criteria is also supported. For example ``!eth2`` .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> inbound-interface group <iface_group> @@ -682,7 +708,7 @@ geoip) to keep database and rules updated. inbound-interface group <iface_group> Match based on inbound interface group. Prepending character ``!`` for - inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + inverted matching criteria is also supported. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> outbound-interface name <iface> @@ -691,9 +717,9 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> outbound-interface name <iface> - Match based on outbound interface. Wilcard ``*`` can be used. + Match based on outbound interface. Wildcard ``*`` can be used. For example: ``eth2*``. Prepending character ``!`` for inverted matching - criteria is also supportd. For example ``!eth2`` + criteria is also supported. For example ``!eth2`` .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> outbound-interface group <iface_group> @@ -703,7 +729,7 @@ geoip) to keep database and rules updated. outbound-interface group <iface_group> Match based on outbound interface group. Prepending character ``!`` for - inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + inverted matching criteria is also supported. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> ipsec [match-ipsec | match-none] 
@@ -829,13 +855,13 @@ geoip) to keep database and rules updated. set firewall ipv6 input filter rule 13 tcp flags not 'fin' .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] + state [established | invalid | new | related] .. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] + state [established | invalid | new | related] .. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] + state [established | invalid | new | related] .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - state [established | invalid | new | related] [enable | disable] + state [established | invalid | new | related] Match against the state of a packet. @@ -920,13 +946,17 @@ Synproxy ******** Synproxy connections -.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> action synproxy -.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> protocol tcp -.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> + action synproxy +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> + protocol tcp +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> + synproxy tcp mss <501-65535> Set TCP-MSS (maximum segment size) for the connection -.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> + synproxy tcp window-scale <1-14> Set the window scale factor for TCP window scaling 
@@ -950,12 +980,12 @@ Requirements to enable synproxy: set firewall global-options syn-cookies 'enable' set firewall ipv6 input filter rule 10 action 'synproxy' set firewall ipv6 input filter rule 10 destination port '8080' - set firewall ipv6 input filter rule 10 inbound-interface interface-name 'eth1' + set firewall ipv6 input filter rule 10 inbound-interface name 'eth1' set firewall ipv6 input filter rule 10 protocol 'tcp' set firewall ipv6 input filter rule 10 synproxy tcp mss '1460' set firewall ipv6 input filter rule 10 synproxy tcp window-scale '7' set firewall ipv6 input filter rule 1000 action 'drop' - set firewall ipv6 input filter rule 1000 state invalid 'enable' + set firewall ipv6 input filter rule 1000 state invalid *********************** Operation-mode Firewall @@ -1146,8 +1176,8 @@ Show Firewall log .. opcmd:: show log firewall ipv6 name <name> rule <rule> Show the logs of all firewall; show all ipv6 firewall logs; show all logs - for particular hook; show all logs for particular hook and priority; show all logs - for particular custom chain; show logs for specific Rule-Set. + for particular hook; show all logs for particular hook and priority; + show all logs for particular custom chain; show logs for specific Rule-Set. Example Partial Config ====================== @@ -1177,7 +1207,7 @@ Example Partial Config } name INP-ETH1 { default-action drop - enable-default-log + default-log rule 10 { action accept protocol tcp_udp diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index 059b029d..f71ad8c1 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst 
@@ -11,7 +11,7 @@ Overview ******** .. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall - structure can be found on all vyos instalations. Zone based firewall was + structure can be found on all VyOS installations. Zone based firewall was removed in that version, but re introduced in VyOS 1.4 and 1.5. All versions built after 2023-10-22 has this feature. Documentation for most of the new firewall CLI can be |
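Review bot: dropping `[enable | disable]` from the `state` match in ipv4.rst (@@ -843,13 +865,13 @@) and ipv6.rst (@@ -829,13 +855,13 @@) documents a CLI syntax change, and the synproxy examples in @@ -964,12 +990,12 @@ and @@ -950,12 +980,12 @@ follow it (`state invalid 'enable'` becomes `state invalid`), but the only description left is "Match against the state of a packet." Nothing tells a reader on a release that still expects the enable/disable leaf which form applies to them, nor that a state is now excluded by not configuring it rather than by setting `disable`. Suggest one sentence under that line, e.g. "Only the listed states are matched; to stop matching on a state, delete it from the rule."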
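Review bot: in the Synproxy hunks (ipv4.rst @@ -934,13 +956,17 @@, ipv6.rst @@ -920,13 +946,17 @@) wrapping the long cfgcmd directives onto an indented continuation line is consistent with the other directives in these files, but `action synproxy` and `protocol tcp` are listed with no description while `mss` and `window-scale` each get one. A line stating that synproxy only works for TCP, so `protocol tcp` must be set on the same rule (as the examples in @@ -964 and @@ -950 do), would make the list self-explanatory.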
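Review bot: the ipv6.rst Overview hunk (@@ -11,12 +11,13 @@, @@ -41,12 +42,12 @@) is already a wording pass (appropiate, highlightened, destinated), so the context sentence "For traffic towards the router itself, base chain is **input**, while traffic originated by the router, base chain is **output**." should be picked up too; it is missing a preposition and reads better as "while for traffic originated by the router, the base chain is **output**".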
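Review bot: ipv6.rst @@ -206,10 +207,10 @@ renames the `enable-default-log` node to `default-log`, and the Example Partial Config in @@ -1177,7 +1207,7 @@ follows, but the description "Use this command to enable the logging of the default action on the specified chain." gives no hint that the node used to be called `enable-default-log`; a reader with an older configuration will search the page for the old name. Suggest mentioning the previous name in a note, and confirm the ipv4 chapter receives the same rename, which is not among the ipv4.rst hunks visible here.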
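Review bot: in ipv6.rst @@ -373,10 +374,12 @@ the draft-chown URL is broken across two lines inside the embedded `<...>`_ target. docutils strips whitespace from an embedded URI, so the link should still resolve, but it is worth checking in the built HTML; a named hyperlink target (`.. _tokenised-ipv6: https://...`) placed after the paragraph would satisfy the line-length linter without relying on that behaviour. The `.. stop_vyoslinter` / `.. start_vyoslinter` pair added around the code-block in this hunk and @@ -388,6 +391,8 @@ is the right way to exempt the long `address-mask` example lines.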
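Review bot: the new dynamic-address-group matches in ipv6.rst @@ -526,6 +531,27 @@ are described only as "Use a specific dynamic-address-group. Prepend character ``!`` for inverted matching criteria." Unlike the surrounding address-group and network-group entries, nothing says what a dynamic address group is or how it is populated; since groups.rst changes in the same commit, suggest a :doc: cross-reference to that chapter from this description and a one-rule example. The `<name | !name>` syntax mirrors the network-group entries that follow, which is consistent.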
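Review bot: zone.rst @@ -11,7 +11,7 @@ fixes "vyos instalations" but leaves two errors on the adjacent context lines of the same note: "re introduced" should be "reintroduced", and "All versions built after 2023-10-22 has this feature" needs "have". Since this hunk is the typo pass for that note, suggest extending it to cover both.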