path: root/docs/configuration/firewall
Diffstat (limited to 'docs/configuration/firewall')
-rw-r--r--docs/configuration/firewall/bridge.rst98
-rw-r--r--docs/configuration/firewall/ipv4.rst58
-rw-r--r--docs/configuration/firewall/ipv6.rst58
3 files changed, 204 insertions, 10 deletions
diff --git a/docs/configuration/firewall/bridge.rst b/docs/configuration/firewall/bridge.rst
index 14b4e148..9c360d35 100644
--- a/docs/configuration/firewall/bridge.rst
+++ b/docs/configuration/firewall/bridge.rst
@@ -327,8 +327,102 @@ There are a lot of matching criteria against which the packet can be tested.
Please refer to :doc:`IPv4</configuration/firewall/ipv4>` and
:doc:`IPv6</configuration/firewall/ipv6>` matching criteria for more details.
-Since bridges operates at layer 2, both matchers for IPv4 and IPv6 are
-supported in bridge firewall configuration. Same applies for firewall groups.
+Since bridges operats at layer 2, both matchers for IPv4 and IPv6 are
+supported in bridge firewall configuration. Same applies to firewall groups.
+
+Same specific matching criteria that can be used in bridge firewall are
+described in this section:
+
+.. cfgcmd:: set firewall bridge forward filter rule <1-999999> ethernet-type
+ [802.1q | 802.1ad | arp | ipv4 | ipv6]
+.. cfgcmd:: set firewall bridge input filter rule <1-999999> ethernet-type
+ [802.1q | 802.1ad | arp | ipv4 | ipv6]
+.. cfgcmd:: set firewall bridge output filter rule <1-999999> ethernet-type
+ [802.1q | 802.1ad | arp | ipv4 | ipv6]
+.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> ethernet-type
+ [802.1q | 802.1ad | arp | ipv4 | ipv6]
+.. cfgcmd:: set firewall bridge name <name> rule <1-999999> ethernet-type
+ [802.1q | 802.1ad | arp | ipv4 | ipv6]
+
+ Match based on the Ethernet type of the packet.
+
+.. cfgcmd:: set firewall bridge forward filter rule <1-999999> vlan
+ ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6]
+.. cfgcmd:: set firewall bridge input filter rule <1-999999> vlan
+ ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6]
+.. cfgcmd:: set firewall bridge output filter rule <1-999999> vlan
+ ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6]
+.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> vlan
+ ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6]
+.. cfgcmd:: set firewall bridge name <name> rule <1-999999> vlan
+ ethernet-type [802.1q | 802.1ad | arp | ipv4 | ipv6]
+
+ Match based on the Ethernet type of the packet when it is VLAN tagged.
+
+.. cfgcmd:: set firewall bridge forward filter rule <1-999999> vlan id
+ <0-4096>
+.. cfgcmd:: set firewall bridge input filter rule <1-999999> vlan id
+ <0-4096>
+.. cfgcmd:: set firewall bridge output filter rule <1-999999> vlan id
+ <0-4096>
+.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> vlan id
+ <0-4096>
+.. cfgcmd:: set firewall bridge name <name> rule <1-999999> vlan id
+ <0-4096>
+
+ Match based on VLAN identifier. Range is also supported.
+
+.. cfgcmd:: set firewall bridge forward filter rule <1-999999> vlan priority
+ <0-7>
+.. cfgcmd:: set firewall bridge input filter rule <1-999999> vlan priority
+ <0-7>
+.. cfgcmd:: set firewall bridge output filter rule <1-999999> vlan priority
+ <0-7>
+.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> vlan priority
+ <0-7>
+.. cfgcmd:: set firewall bridge name <name> rule <1-999999> vlan priority
+ <0-7>
+
+ Match based on VLAN priority (Priority Code Point - PCP). Range is also
+ supported.
+
+Packet Modifications
+====================
+
+Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify
+packets before they are sent out. This feaure provides more flexibility in
+packet handling.
+
+.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter
+ rule <1-999999> set dscp <0-63>
+
+ Set a specific value of Differentiated Services Codepoint (DSCP).
+
+.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter
+ rule <1-999999> set mark <1-2147483647>
+
+ Set a specific packet mark value.
+
+.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter
+ rule <1-999999> set tcp-mss <500-1460>
+
+ Set the TCP-MSS (TCP maximum segment size) for the connection.
+
+.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter
+ rule <1-999999> set ttl <0-255>
+
+ Set the TTL (Time to Live) value.
+
+.. cfgcmd:: set firewall bridge [prerouting | forward | output] filter
+ rule <1-999999> set hop-limit <0-255>
+
+ Set hop limit value.
+
+.. cfgcmd:: set firewall bridge [forward | output] filter
+ rule <1-999999> set connection-mark <0-2147483647>
+
+ Set connection mark value.
+
Use IP firewall
===============
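Review bot: the rewritten sentence at the top of this hunk regresses the spelling it replaces: `-Since bridges operates at layer 2` becomes `+Since bridges operats at layer 2`; keep `operate` (plural subject). Two more typos in the added text: `Same specific matching criteria that can be used in bridge firewall are` should read `Some specific matching criteria ...`, and `This feaure provides` should read `This feature provides`. The `vlan id <0-4096>` range repeated in five cfgcmd entries also looks off by one: the 802.1Q VID field is 12 bits, so valid identifiers are 0-4095; please confirm what the CLI validator actually accepts and document `<0-4095>` unless 4096 really is allowed. Finally, the Packet Modifications intro says packets are modified "before they are sent out", yet the same block documents `prerouting` rules, which act on ingress; "as they traverse the bridge firewall" would be accurate for all three hooks.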
diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst
index abae31a5..5fc9bd4c 100644
--- a/docs/configuration/firewall/ipv4.rst
+++ b/docs/configuration/firewall/ipv4.rst
@@ -771,13 +771,13 @@ geoip) to keep database and rules updated.
invert the criteria to match is also supported. For example ``!IFACE_GROUP``
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
- ipsec [match-ipsec | match-none]
+ ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
- ipsec [match-ipsec | match-none]
+ ipsec [match-ipsec-in | match-none-in]
.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
- ipsec [match-ipsec | match-none]
+ ipsec [match-ipsec-out | match-none-out]
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
- ipsec [match-ipsec | match-none]
+ ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out]
Match based on ipsec.
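Review bot: the description line `Match based on ipsec.` is left unchanged although every keyword in this hunk now carries a direction, so a reader cannot tell what `match-ipsec-in` / `match-none-in` versus `match-ipsec-out` / `match-none-out` distinguish, or why `input` offers only the `-in` forms and `output` only the `-out` forms while `forward` and `name` offer both. Suggest expanding the description to state the semantics (for example, whether `-in` matches packets that arrived through an IPsec SA and `-out` packets that will leave through one) and, since the old `match-ipsec` / `match-none` keywords are removed here, stating whether existing configurations are migrated automatically or must be updated by hand.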
@@ -980,6 +980,56 @@ geoip) to keep database and rules updated.
Match when 'count' amount of connections are seen within 'time'. These
matching criteria can be used to block brute-force attempts.
+Packet Modifications
+====================
+
+Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify
+packets before they are sent out. This feaure provides more flexibility in
+packet handling.
+
+.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999>
+ set dscp <0-63>
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ set dscp <0-63>
+.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999>
+ set dscp <0-63>
+
+ Set a specific value of Differentiated Services Codepoint (DSCP).
+
+.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999>
+ set mark <1-2147483647>
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ set mark <1-2147483647>
+.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999>
+ set mark <1-2147483647>
+
+ Set a specific packet mark value.
+
+.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999>
+ set tcp-mss <500-1460>
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ set tcp-mss <500-1460>
+.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999>
+ set tcp-mss <500-1460>
+
+ Set the TCP-MSS (TCP maximum segment size) for the connection.
+
+.. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999>
+ set ttl <0-255>
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ set ttl <0-255>
+.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999>
+ set ttl <0-255>
+
+ Set the TTL (Time to Live) value.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ set connection-mark <0-2147483647>
+.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999>
+ set connection-mark <0-2147483647>
+
+ Set connection mark value.
+
********
Synproxy
********
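Review bot: typo in the intro, `This feaure provides` should read `This feature provides`. The ranges are inconsistent between `set mark <1-2147483647>` and `set connection-mark <0-2147483647>`; if packet mark 0 is deliberately excluded (0 being the unmarked default) say so, otherwise align the two. The `set tcp-mss` description "for the connection" is imprecise, since the MSS is a TCP option carried on SYN segments; "clamp the TCP MSS option on matching SYN packets" would describe what the rule can act on. Also, this Packet Modifications block repeats the bridge.rst intro verbatim, including the "before they are sent out" wording that does not fit the `prerouting raw` entries documented directly below it.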
diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst
index 5f526dac..c579b6d1 100644
--- a/docs/configuration/firewall/ipv6.rst
+++ b/docs/configuration/firewall/ipv6.rst
@@ -762,13 +762,13 @@ geoip) to keep database and rules updated.
invert the criteria to match is also supported. For example ``!IFACE_GROUP``
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
- ipsec [match-ipsec | match-none]
+ ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out]
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
- ipsec [match-ipsec | match-none]
+ ipsec [match-ipsec-in | match-none-in]
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
- ipsec [match-ipsec | match-none]
+ ipsec [match-ipsec-out | match-none-out]
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
- ipsec [match-ipsec | match-none]
+ ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out]
Match based on ipsec.
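Review bot: same issue as the identical hunk in ipv4.rst: `Match based on ipsec.` no longer explains the keywords, which now encode a direction (`-in` / `-out`) and are offered asymmetrically per chain (`input` only `-in`, `output` only `-out`, `forward` and `name` both). Please give the two files the same expanded description so they do not drift, and note that `match-ipsec` / `match-none` are removed.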
@@ -970,6 +970,56 @@ geoip) to keep database and rules updated.
Match when 'count' amount of connections are seen within 'time'. These
matching criteria can be used to block brute-force attempts.
+Packet Modifications
+====================
+
+Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify
+packets before they are sent out. This feaure provides more flexibility in
+packet handling.
+
+.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999>
+ set dscp <0-63>
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ set dscp <0-63>
+.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999>
+ set dscp <0-63>
+
+ Set a specific value of Differentiated Services Codepoint (DSCP).
+
+.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999>
+ set mark <1-2147483647>
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ set mark <1-2147483647>
+.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999>
+ set mark <1-2147483647>
+
+ Set a specific packet mark value.
+
+.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999>
+ set tcp-mss <500-1460>
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ set tcp-mss <500-1460>
+.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999>
+ set tcp-mss <500-1460>
+
+ Set the TCP-MSS (TCP maximum segment size) for the connection.
+
+.. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999>
+ set hop-limit <0-255>
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ set hop-limit <0-255>
+.. cfgcmd:: set firewall ipv6 output [filter | raw] rule <1-999999>
+ set hop-limit <0-255>
+
+ Set hop limit value.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ set connection-mark <0-2147483647>
+.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999>
+ set connection-mark <0-2147483647>
+
+ Set connection mark value.
+
********
Synproxy
********
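Review bot: copy-paste error in the last cfgcmd pair of this hunk: inside ipv6.rst, `.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>` / `set connection-mark <0-2147483647>` is followed by `.. cfgcmd:: set firewall ipv4 output [filter | raw] rule <1-999999>`, which should read `set firewall ipv6 output [filter | raw] ...`. The block also carries the same `feaure` typo and the same `set mark <1-...>` versus `set connection-mark <0-...>` range mismatch as ipv4.rst; whatever is decided there should be applied here as well.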