diff options
Diffstat (limited to 'docs/configuration')
37 files changed, 3598 insertions, 3083 deletions
diff --git a/docs/configuration/firewall/bridge.rst b/docs/configuration/firewall/bridge.rst new file mode 100644 index 00000000..4a0dc3bb --- /dev/null +++ b/docs/configuration/firewall/bridge.rst @@ -0,0 +1,42 @@ +:lastproofread: 2023-11-08 + +.. _firewall-configuration: + +############################# +Bridge Firewall Configuration +############################# + +.. note:: **Documentation under development** + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding bridge, and appropiate op-mode commands. +Configuration commands covered in this section: + +.. cfgcmd:: set firewall bridge ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * bridge + - forward + + filter + - name + + custom_name + +Traffic which is received by the router on an interface which is member of a +bridge is processed on the **Bridge Layer**. A simplified packet flow diagram +for this layer is shown next: + +.. figure:: /_static/images/firewall-bridge-packet-flow.png + +For traffic that needs to be forwared internally by the bridge, base chain is +is **forward**, and it's base command for filtering is ``set firewall bridge +forward filter ...`` diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst new file mode 100644 index 00000000..8b44a9b9 --- /dev/null +++ b/docs/configuration/firewall/flowtables.rst @@ -0,0 +1,52 @@ +:lastproofread: 2023-11-08 + +.. _firewall-flowtables-configuration: + +################################# +Flowtables Firewall Configuration +################################# + +.. note:: **Documentation under development** + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding flowtables + +.. cfgcmd:: set firewall flowtables ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * flowtable + - custom_flow_table + + ... + + +Flowtables allows you to define a fastpath through the flowtable datapath. +The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP +and UDP protocols. + +.. figure:: /_static/images/firewall-flowtable-packet-flow.png + +Once the first packet of the flow successfully goes through the IP forwarding +path (black circles path), from the second packet on, you might decide to +offload the flow to the flowtable through your ruleset. The flowtable +infrastructure provides a rule action that allows you to specify when to add +a flow to the flowtable (On forward filtering, red circle number 6) + +A packet that finds a matching entry in the flowtable (flowtable hit) is +transmitted to the output netdevice, hence, packets bypass the classic IP +forwarding path and uses the **Fast Path** (orange circles path). The visible +effect is that you do not see these packets from any of the Netfilter +hooks coming after ingress. In case that there is no matching entry in the +flowtable (flowtable miss), the packet follows the classic IP forwarding path. + +.. note:: **Flowtable Reference:** + https://docs.kernel.org/networking/nf_flowtable.html diff --git a/docs/configuration/firewall/general-legacy.rst b/docs/configuration/firewall/general-legacy.rst deleted file mode 100644 index 5d235eb8..00000000 --- a/docs/configuration/firewall/general-legacy.rst +++ /dev/null @@ -1,1054 +0,0 @@ -:lastproofread: 2021-06-29 - -.. _legacy-firewall: - -################################### -Firewall Configuration (Deprecated) -################################### - -.. note:: **Important note:** - This documentation is valid only for VyOS Sagitta prior to - 1.4-rolling-202308040557 - -******** -Overview -******** - -VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet -filtering. - -The firewall supports the creation of groups for ports, addresses, and -networks (implemented using netfilter ipset) and the option of interface -or zone based firewall policy. - -.. note:: **Important note on usage of terms:** - The firewall makes use of the terms `in`, `out`, and `local` - for firewall policy. Users experienced with netfilter often confuse - `in` to be a reference to the `INPUT` chain, and `out` the `OUTPUT` - chain from netfilter. This is not the case. These instead indicate - the use of the `FORWARD` chain and either the input or output - interface. The `INPUT` chain, which is used for local traffic to the - OS, is a reference to as `local` with respect to its input interface. - - -*************** -Global settings -*************** - -Some firewall settings are global and have an affect on the whole system. - -.. cfgcmd:: set firewall all-ping [enable | disable] - - By default, when VyOS receives an ICMP echo request packet destined for - itself, it will answer with an ICMP echo reply, unless you avoid it - through its firewall. - - With the firewall you can set rules to accept, drop or reject ICMP in, - out or local traffic. You can also use the general **firewall all-ping** - command. This command affects only to LOCAL (packets destined for your - VyOS system), not to IN or OUT traffic. - - .. note:: **firewall all-ping** affects only to LOCAL and it always - behaves in the most restrictive way - - .. code-block:: none - - set firewall all-ping enable - - When the command above is set, VyOS will answer every ICMP echo request - addressed to itself, but that will only happen if no other rule is - applied dropping or rejecting local echo requests. In case of conflict, - VyOS will not answer ICMP echo requests. - - .. code-block:: none - - set firewall all-ping disable - - When the command above is set, VyOS will answer no ICMP echo request - addressed to itself at all, no matter where it comes from or whether - more specific rules are being applied to accept them. - -.. cfgcmd:: set firewall broadcast-ping [enable | disable] - - This setting enable or disable the response of icmp broadcast - messages. The following system parameter will be altered: - - * ``net.ipv4.icmp_echo_ignore_broadcasts`` - -.. cfgcmd:: set firewall ip-src-route [enable | disable] -.. cfgcmd:: set firewall ipv6-src-route [enable | disable] - - This setting handle if VyOS accept packets with a source route - option. The following system parameter will be altered: - - * ``net.ipv4.conf.all.accept_source_route`` - * ``net.ipv6.conf.all.accept_source_route`` - -.. cfgcmd:: set firewall receive-redirects [enable | disable] -.. cfgcmd:: set firewall ipv6-receive-redirects [enable | disable] - - enable or disable of ICMPv4 or ICMPv6 redirect messages accepted - by VyOS. The following system parameter will be altered: - - * ``net.ipv4.conf.all.accept_redirects`` - * ``net.ipv6.conf.all.accept_redirects`` - -.. cfgcmd:: set firewall send-redirects [enable | disable] - - enable or disable ICMPv4 redirect messages send by VyOS - The following system parameter will be altered: - - * ``net.ipv4.conf.all.send_redirects`` - -.. cfgcmd:: set firewall log-martians [enable | disable] - - enable or disable the logging of martian IPv4 packets. - The following system parameter will be altered: - - * ``net.ipv4.conf.all.log_martians`` - -.. cfgcmd:: set firewall source-validation [strict | loose | disable] - - Set the IPv4 source validation mode. - The following system parameter will be altered: - - * ``net.ipv4.conf.all.rp_filter`` - -.. cfgcmd:: set firewall syn-cookies [enable | disable] - - Enable or Disable if VyOS use IPv4 TCP SYN Cookies. - The following system parameter will be altered: - - * ``net.ipv4.tcp_syncookies`` - -.. cfgcmd:: set firewall twa-hazards-protection [enable | disable] - - Enable or Disable VyOS to be :rfc:`1337` conform. - The following system parameter will be altered: - - * ``net.ipv4.tcp_rfc1337`` - -.. cfgcmd:: set firewall state-policy established action [accept | drop | - reject] - -.. cfgcmd:: set firewall state-policy established log enable - - Set the global setting for an established connection. - -.. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject] - -.. cfgcmd:: set firewall state-policy invalid log enable - - Set the global setting for invalid packets. - -.. cfgcmd:: set firewall state-policy related action [accept | drop | reject] - -.. cfgcmd:: set firewall state-policy related log enable - - Set the global setting for related connections. - - -****** -Groups -****** - -Firewall groups represent collections of IP addresses, networks, ports, -mac addresses or domains. Once created, a group can be referenced by -firewall, nat and policy route rules as either a source or destination -matcher. Members can be added or removed from a group without changes to, -or the need to reload, individual firewall rules. - -Groups need to have unique names. Even though some contain IPv4 -addresses and others contain IPv6 addresses, they still need to have -unique names, so you may want to append "-v4" or "-v6" to your group -names. - - -Address Groups -============== - -In an **address group** a single IP address or IP address ranges are -defined. - -.. cfgcmd:: set firewall group address-group <name> address [address | - address range] -.. cfgcmd:: set firewall group ipv6-address-group <name> address <address> - - Define a IPv4 or a IPv6 address group - - .. code-block:: none - - set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1 - set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8 - set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1 - -.. cfgcmd:: set firewall group address-group <name> description <text> -.. cfgcmd:: set firewall group ipv6-address-group <name> description <text> - - Provide a IPv4 or IPv6 address group description - -Network Groups -============== - -While **network groups** accept IP networks in CIDR notation, specific -IP addresses can be added as a 32-bit prefix. If you foresee the need -to add a mix of addresses and networks, the network group is -recommended. - -.. cfgcmd:: set firewall group network-group <name> network <CIDR> -.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR> - - Define a IPv4 or IPv6 Network group. - - .. code-block:: none - - set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24 - set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24 - set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64 - -.. cfgcmd:: set firewall group network-group <name> description <text> -.. cfgcmd:: set firewall group ipv6-network-group <name> description <text> - - Provide a IPv4 or IPv6 network group description. - -Port Groups -=========== - -A **port group** represents only port numbers, not the protocol. Port -groups can be referenced for either TCP or UDP. It is recommended that -TCP and UDP groups are created separately to avoid accidentally -filtering unnecessary ports. Ranges of ports can be specified by using -`-`. - -.. cfgcmd:: set firewall group port-group <name> port - [portname | portnumber | startport-endport] - - Define a port group. A port name can be any name defined in - /etc/services. e.g.: http - - .. code-block:: none - - set firewall group port-group PORT-TCP-SERVER1 port http - set firewall group port-group PORT-TCP-SERVER1 port 443 - set firewall group port-group PORT-TCP-SERVER1 port 5000-5010 - -.. cfgcmd:: set firewall group port-group <name> description <text> - - Provide a port group description. - -MAC Groups -========== - -A **mac group** represents a collection of mac addresses. - -.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address> - - Define a mac group. - -.. code-block:: none - - set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f - set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81 - - -Domain Groups -============= - -A **domain group** represents a collection of domains. - -.. cfgcmd:: set firewall group domain-group <name> address <domain> - - Define a domain group. - -.. code-block:: none - - set firewall group domain-group DOM address example.com - - -********* -Rule-Sets -********* - -A rule-set is a named collection of firewall rules that can be applied -to an interface or a zone. Each rule is numbered, has an action to apply -if the rule is matched, and the ability to specify the criteria to -match. Data packets go through the rules from 1 - 999999, at the first match -the action of the rule will be executed. - -.. cfgcmd:: set firewall name <name> description <text> -.. cfgcmd:: set firewall ipv6-name <name> description <text> - - Provide a rule-set description. - -.. cfgcmd:: set firewall name <name> default-action [accept | drop | jump | - reject | return] -.. cfgcmd:: set firewall ipv6-name <name> default-action [accept | drop | - jump | reject | return] - - This set the default action of the rule-set if no rule matched a packet - criteria. If defacult-action is set to ``jump``, then - ``default-jump-target`` is also needed. - -.. cfgcmd:: set firewall name <name> default-jump-target <text> -.. cfgcmd:: set firewall ipv6-name <name> default-jump-target <text> - - To be used only when ``defult-action`` is set to ``jump``. Use this - command to specify jump target for default rule. - -.. cfgcmd:: set firewall name <name> enable-default-log -.. cfgcmd:: set firewall ipv6-name <name> enable-default-log - - Use this command to enable the logging of the default action. - -.. cfgcmd:: set firewall name <name> rule <1-999999> action [accept | drop | - jump | queue | reject | return] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [accept | - drop | jump | queue | reject | return] - - This required setting defines the action of the current rule. If action - is set to ``jump``, then ``jump-target`` is also needed. - -.. cfgcmd:: set firewall name <name> rule <1-999999> jump-target <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> jump-target <text> - - To be used only when ``action`` is set to ``jump``. Use this - command to specify jump target. - -.. cfgcmd:: set firewall name <name> rule <1-999999> queue <0-65535> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> queue <0-65535> - - Use this command to set the target to use. Action queue must be defined - to use this setting - -.. cfgcmd:: set firewall name <name> rule <1-999999> queue-options - <bypass-fanout> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> queue-options - <bypass-fanout> - - Options used for queue target. Action queue must be defined to use this - setting - -.. cfgcmd:: set firewall name <name> rule <1-999999> description <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> description <text> - - Provide a description for each rule. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log [disable | enable] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable | - enable] - - Enable or disable logging for the matched packet. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log-options level - [emerg | alert | crit | err | warn | notice | info | debug] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options level - [emerg | alert | crit | err | warn | notice | info | debug] - - Define log-level. Only applicable if rule log is enable. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log-options group - <0-65535> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options group - <0-65535> - - Define log group to send message to. Only applicable if rule log is enable. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log-options snaplen - <0-9000> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options snaplen - <0-9000> - - Define length of packet payload to include in netlink message. Only - applicable if rule log is enable and log group is defined. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log-options - queue-threshold <0-65535> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options - queue-threshold <0-65535> - - Define number of packets to queue inside the kernel before sending them to - userspace. Only applicable if rule log is enable and log group is defined. - -.. cfgcmd:: set firewall name <name> rule <1-999999> disable -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable - - If you want to disable a rule but let it in the configuration. - -Matching criteria -================= - -There are a lot of matching criteria against which the package can be tested. - -.. cfgcmd:: set firewall name <name> rule <1-999999> connection-status nat - [destination | source] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-status - nat [destination | source] - - Match criteria based on nat connection status. - -.. cfgcmd:: set firewall name <name> rule <1-999999> connection-mark - <1-2147483647> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-mark - <1-2147483647> - - Match criteria based on connection mark. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source address - [address | addressrange | CIDR] -.. cfgcmd:: set firewall name <name> rule <1-999999> destination address - [address | addressrange | CIDR] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address - [address | addressrange | CIDR] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination address - [address | addressrange | CIDR] - - This is similar to the network groups part, but here you are able to negate - the matching addresses. - - .. code-block:: none - - set firewall name WAN-IN-v4 rule 100 source address 192.0.2.10-192.0.2.11 - # with a '!' the rule match everything except the specified subnet - set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24 - set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202 - -.. cfgcmd:: set firewall name <name> rule <1-999999> source address-mask - [address] -.. cfgcmd:: set firewall name <name> rule <1-999999> destination address-mask - [address] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address-mask - [address] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination - address-mask [address] - - An arbitrary netmask can be applied to mask addresses to only match against - a specific portion. This is particularly useful with IPv6 and a zone-based - firewall as rules will remain valid if the IPv6 prefix changes and the host - portion of systems IPv6 address is static (for example, with SLAAC or - `tokenised IPv6 addresses - <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_). - - This functions for both individual addresses and address groups. - - .. stop_vyoslinter - .. code-block:: none - - # Match any IPv6 address with the suffix ::0000:0000:0000:beef - set firewall ipv6-name WAN-LAN-v6 rule 100 destination address ::beef - set firewall ipv6-name WAN-LAN-v6 rule 100 destination address-mask ::ffff:ffff:ffff:ffff - # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet - set firewall name WAN-LAN-v4 rule 100 destination address 0.11.0.13 - set firewall name WAN-LAN-v4 rule 100 destination address-mask 0.255.0.255 - # Address groups - set firewall group ipv6-address-group WEBSERVERS address ::1000 - set firewall group ipv6-address-group WEBSERVERS address ::2000 - set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS - set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff - .. start_vyoslinter - -.. cfgcmd:: set firewall name <name> rule <1-999999> source fqdn <fqdn> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination fqdn <fqdn> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source fqdn <fqdn> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination fqdn - <fqdn> - - Specify a Fully Qualified Domain Name as source/destination matcher. Ensure - router is able to resolve such dns query. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code - <country> -.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip - country-code <country> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip - inverse-match -.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip - country-code <country> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip - inverse-match -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip - country-code <country> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip - inverse-match - -Match IP addresses based on its geolocation. -More info: `geoip matching -<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. - -Use inverse-match to match anything except the given country-codes. - -Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, -permits redistribution so we can include a database in images(~3MB -compressed). Includes cron script (manually callable by op-mode update -geoip) to keep database and rules updated. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address - <mac-address> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source mac-address - <mac-address> - - Only in the source criteria, you can specify a mac-address. - - .. code-block:: none - - set firewall name LAN-IN-v4 rule 100 source mac-address 00:53:00:11:22:33 - set firewall name LAN-IN-v4 rule 101 source mac-address !00:53:00:aa:12:34 - -.. cfgcmd:: set firewall name <name> rule <1-999999> source port - [1-65535 | portname | start-end] -.. cfgcmd:: set firewall name <name> rule <1-999999> destination port - [1-65535 | portname | start-end] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source port - [1-65535 | portname | start-end] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination port - [1-65535 | portname | start-end] - - A port can be set with a port number or a name which is here - defined: ``/etc/services``. - - .. code-block:: none - - set firewall name WAN-IN-v4 rule 10 source port '22' - set firewall name WAN-IN-v4 rule 11 source port '!http' - set firewall name WAN-IN-v4 rule 12 source port 'https' - - Multiple source ports can be specified as a comma-separated list. - The whole list can also be "negated" using ``!``. For example: - - .. code-block:: none - - set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338' - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - address-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - address-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - address-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - address-group <name | !name> - - Use a specific address-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - network-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - network-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - network-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - network-group <name | !name> - - Use a specific network-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - port-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - port-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - port-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - port-group <name | !name> - - Use a specific port-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - domain-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - domain-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - domain-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - domain-group <name | !name> - - Use a specific domain-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - mac-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - mac-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - mac-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - mac-group <name | !name> - - Use a specific mac-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> dscp [0-63 | start-end] -.. cfgcmd:: set firewall name <name> rule <1-999999> dscp-exclude [0-63 | - start-end] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp [0-63 | - start-end] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp-exclude [0-63 | - start-end] - - Match based on dscp value. - -.. cfgcmd:: set firewall name <name> rule <1-999999> fragment [match-frag | - match-non-frag] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> fragment [match-frag - | match-non-frag] - - Match based on fragment criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> icmp [code | type] - <0-255> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 [code | type] - <0-255> - - Match based on icmp|icmpv6 code and type. - -.. cfgcmd:: set firewall name <name> rule <1-999999> icmp type-name <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 type-name - <text> - - Match based on icmp|icmpv6 type-name criteria. Use tab for information - about what **type-name** criteria are supported. - -.. cfgcmd:: set firewall name <name> rule <1-999999> inbound-interface - <iface> -.. cfgcmd:: set firewall name <name> rule <1-999999> outbound-interface - <iface> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> inbound-interface - <iface> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> outbound-interface - <iface> - - Match based on inbound/outbound interface. Wilcard ``*`` can be used. - For example: ``eth2*`` - -.. cfgcmd:: set firewall name <name> rule <1-999999> ipsec [match-ipsec - | match-none] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> ipsec [match-ipsec - | match-none] - - Match based on ipsec criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> limit burst - <0-4294967295> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit burst - <0-4294967295> - - Match based on the maximum number of packets to allow in excess of rate. - -.. cfgcmd:: set firewall name <name> rule <1-999999> limit rate - <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit rate - <text> - - Match based on the maximum average rate, specified as **integer/unit**. - For example **5/minutes** - -.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length - <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length - <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length-exclude - <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length-exclude - <text> - - Match based on packet length criteria. Multiple values from 1 to 65535 - and ranges are supported. - -.. cfgcmd:: set firewall name <name> rule <1-999999> packet-type - [broadcast | host | multicast | other] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-type - [broadcast | host | multicast | other] - - Match based on packet type criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> | - <0-255> | all | tcp_udp] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> protocol [<text> | - <0-255> | all | tcp_udp] - - Match a protocol criteria. A protocol number or a name which is here - defined: ``/etc/protocols``. - Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp - based packets. The ``!`` negate the selected protocol. - - .. code-block:: none - - set firewall name WAN-IN-v4 rule 10 protocol tcp_udp - set firewall name WAN-IN-v4 rule 11 protocol !tcp_udp - set firewall ipv6-name WAN-IN-v6 rule 10 protocol tcp - -.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255> -.. cfgcmd:: set firewall name <name> rule <1-999999> recent time - [second | minute | hour] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time - [second | minute | hour] - - Match bases on recently seen sources. - -.. cfgcmd:: set firewall name <name> rule <1-999999> tcp flags <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> tcp flags <text> - - Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``, - ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma - separated. The ``!`` negate the selected protocol. - - .. code-block:: none - - set firewall name WAN-IN-v4 rule 10 tcp flags 'ACK' - set firewall name WAN-IN-v4 rule 12 tcp flags 'SYN' - set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST' - -.. cfgcmd:: set firewall name <name> rule <1-999999> state [established | - invalid | new | related] [enable | disable] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> state [established | - invalid | new | related] [enable | disable] - - Match against the state of a packet. - -.. cfgcmd:: set firewall name <name> rule <1-999999> time startdate <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time startdate <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> time starttime <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time starttime <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> time stopdate <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stopdate <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> time stoptime <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stoptime <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> time weekdays <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time weekdays <text> - - Time to match the defined rule. - -.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255> - - Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for - 'greater than', and 'lt' stands for 'less than'. - -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> hop-limit <eq | gt | - lt> <0-255> - - Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for - 'greater than', and 'lt' stands for 'less than'. - -.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255> -.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second | - minute | hour> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second | - minute | hour> - - Match when 'count' amount of connections are seen within 'time'. These - matching criteria can be used to block brute-force attempts. - -*********************************** -Applying a Rule-Set to an Interface -*********************************** - -A Rule-Set can be applied to every interface: - -* ``in``: Ruleset for forwarded packets on an inbound interface -* ``out``: Ruleset for forwarded packets on an outbound interface -* ``local``: Ruleset for packets destined for this router - -.. cfgcmd:: set firewall interface <interface> [in | out | local] [name | - ipv6-name] <rule-set> - - - Here are some examples for applying a rule-set to an interface - - .. code-block:: none - - set firewall interface eth1.100 in name LANv4-IN - set firewall interface eth1.100 out name LANv4-OUT - set firewall interface bond0 in name LANv4-IN - set firewall interface vtun1 in name LANv4-IN - set firewall interface eth2* in name LANv4-IN - - .. note:: - As you can see in the example here, you can assign the same rule-set to - several interfaces. An interface can only have one rule-set per chain. - - .. note:: - You can use wildcard ``*`` to match a group of interfaces. - -*********************** -Operation-mode Firewall -*********************** - -Rule-set overview -================= - -.. opcmd:: show firewall - - This will show you a basic firewall overview - - .. code-block:: none - - vyos@vyos:~$ show firewall - - ------------------------ - Firewall Global Settings - ------------------------ - - Firewall state-policy for all IPv4 and Ipv6 traffic - - state action log - ----- ------ --- - invalid accept disabled - established accept disabled - related accept disabled - - ----------------------------- - Rulesets Information - ----------------------------- - -------------------------------------------------------------------------- - IPv4 Firewall "DMZv4-1-IN": - - Active on (eth0,IN) - - rule action proto packets bytes - ---- ------ ----- ------- ----- - 10 accept icmp 0 0 - condition - saddr 10.1.0.0/24 daddr 0.0.0.0/0 LOG enabled - - 10000 drop all 0 0 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled - - -------------------------------------------------------------------------- - IPv4 Firewall "DMZv4-1-OUT": - - Active on (eth0,OUT) - - rule action proto packets bytes - ---- ------ ----- ------- ----- - 10 accept tcp_udp 1 60 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-DST-PORT-GROUP DMZ-Ports /* - DMZv4-1-OUT-10 */LOG enabled - - 11 accept icmp 1 84 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* DMZv4-1-OUT-11 */LOG enabled - - 10000 drop all 6 360 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled - - -------------------------------------------------------------------------- - IPv4 Firewall "LANv4-IN": - - Inactive - Not applied to any interfaces or zones. - - rule action proto packets bytes - ---- ------ ----- ------- ----- - 10 accept all 0 0 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* LANv4-IN-10 */ - - 10000 drop all 0 0 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 - -.. opcmd:: show firewall summary - - This will show you a summary of rule-sets and groups - - .. code-block:: none - - vyos@vyos:~$ show firewall summary - - ------------------------ - Firewall Global Settings - ------------------------ - - Firewall state-policy for all IPv4 and Ipv6 traffic - - state action log - ----- ------ --- - invalid accept disabled - related accept disabled - established accept disabled - - ------------------------ - Firewall Rulesets - ------------------------ - - IPv4 name: - - Rule-set name Description References - ------------- ----------- ---------- - DMZv4-1-OUT (eth0,OUT) - DMZv4-1-IN (eth0,IN) - - ------------------------ - Firewall Groups - ------------------------ - - Port Groups: - - Group name Description References - ---------- ----------- ---------- - DMZ-Ports DMZv4-1-OUT-10-destination - - Network Groups: - - Group name Description References - ---------- ----------- ---------- - LANv4 LANv4-IN-10-source, - DMZv4-1-OUT-10-source, - DMZv4-1-OUT-11-source - -.. opcmd:: show firewall statistics - - This will show you a statistic of all rule-sets since the last boot. - -.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999> - - This command will give an overview of a rule in a single rule-set - -.. opcmd:: show firewall group <name> - - Overview of defined groups. You see the type, the members, and where the - group is used. - - .. code-block:: none - - vyos@vyos:~$ show firewall group DMZ-Ports - Name : DMZ-Ports - Type : port - References : none - Members : - 80 - 443 - 8080 - 8443 - - vyos@vyos:~$ show firewall group LANv4 - Name : LANv4 - Type : network - References : LANv4-IN-10-source - Members : - 10.10.0.0/16 - -.. opcmd:: show firewall [name | ipv6name] <name> - - This command will give an overview of a single rule-set. - -.. opcmd:: show firewall [name | ipv6name] <name> statistics - - This will show you a rule-set statistic since the last boot. - -.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999> - - This command will give an overview of a rule in a single rule-set. - - -Zone-Policy Overview -==================== - -.. opcmd:: show zone-policy zone <name> - - Use this command to get an overview of a zone. - - .. code-block:: none - - vyos@vyos:~$ show zone-policy zone DMZ - ------------------- - Name: DMZ - - Interfaces: eth0 eth1 - - From Zone: - name firewall - ---- -------- - LAN DMZv4-1-OUT - - -Show Firewall log -================= - -.. opcmd:: show log firewall [name | ipv6name] <name> - - Show the logs of a specific Rule-Set. - -.. note:: - At the moment it not possible to look at the whole firewall log with VyOS - operational commands. All logs will save to ``/var/logs/messages``. - For example: ``grep '10.10.0.10' /var/log/messages`` - - - -Example Partial Config -====================== - -.. code-block:: none - - firewall { - interface eth0 { - in { - name FROM-INTERNET - } - } - all-ping enable - broadcast-ping disable - config-trap disable - group { - network-group BAD-NETWORKS { - network 198.51.100.0/24 - network 203.0.113.0/24 - } - network-group GOOD-NETWORKS { - network 192.0.2.0/24 - } - port-group BAD-PORTS { - port 65535 - } - } - name FROM-INTERNET { - default-action accept - description "From the Internet" - rule 10 { - action accept - description "Authorized Networks" - protocol all - source { - group { - network-group GOOD-NETWORKS - } - } - } - rule 11 { - action drop - description "Bad Networks" - protocol all - source { - group { - network-group BAD-NETWORKS - } - } - } - rule 30 { - action drop - description "BAD PORTS" - destination { - group { - port-group BAD-PORTS - } - } - log enable - protocol all - } - } - } - interfaces { - ethernet eth1 { - address dhcp - description OUTSIDE - duplex auto - } - } - - -Update geoip database -===================== - -.. opcmd:: update geoip - - Command used to update GeoIP database and firewall sets. diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst deleted file mode 100644 index 3fe876f2..00000000 --- a/docs/configuration/firewall/general.rst +++ /dev/null @@ -1,1544 +0,0 @@ -:lastproofread: 2023-09-17 - -.. _firewall-configuration: - -###################### -Firewall Configuration -###################### - -******** -Overview -******** - -VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet -filtering. - -The firewall supports the creation of groups for addresses, domains, -interfaces, mac-addresses, networks and port groups. This groups can be used -later in firewall ruleset as desired. - -Main structure is shown next: - -.. code-block:: none - - - set firewall - * global-options - + all-ping - + broadcast-ping - + ... - * group - - address-group - - ipv6-address-group - - network-group - - ipv6-network-group - - interface-group - - mac-group - - port-group - - domain-group - * ipv4 - - forward - + filter - - input - + filter - - output - + filter - - name - + custom_name - * ipv6 - - forward - + filter - - input - + filter - - output - + filter - - ipv6-name - + custom_name - -Where, main key words and configuration paths that needs to be understood: - - * For firewall filtering, configuration should be done in ``set firewall - [ipv4 | ipv6] ...`` - - * For transit traffic, which is received by the router and forwarded, - base chain is **forward filter**: ``set firewall [ipv4 | ipv6] - forward filter ...`` - - * For traffic originated by the router, base chain is **output filter**: - ``set firewall [ipv4 | ipv6] output filter ...`` - - * For traffic towards the router itself, base chain is **input filter**: - ``set firewall [ipv4 | ipv6] input filter ...`` - -.. note:: **Important note about default-actions:** - If default action for any chain is not defined, then the default - action is set to **accept** for that chain. Only for custom chains, - the default action is set to **drop**. - -Custom firewall chains can be created, with commands -``set firewall [ipv4 | ipv6] [name | ipv6-name] <name> ...``. In order to use -such custom chain, a rule with **action jump**, and the appropiate **target** -should be defined in a base chain. - -************** -Global Options -************** - -Some firewall settings are global and have an affect on the whole system. - -.. cfgcmd:: set firewall global-options all-ping [enable | disable] - - By default, when VyOS receives an ICMP echo request packet destined for - itself, it will answer with an ICMP echo reply, unless you avoid it - through its firewall. - - With the firewall you can set rules to accept, drop or reject ICMP in, - out or local traffic. You can also use the general **firewall all-ping** - command. This command affects only to LOCAL (packets destined for your - VyOS system), not to IN or OUT traffic. - - .. note:: **firewall global-options all-ping** affects only to LOCAL - and it always behaves in the most restrictive way - - .. code-block:: none - - set firewall global-options all-ping enable - - When the command above is set, VyOS will answer every ICMP echo request - addressed to itself, but that will only happen if no other rule is - applied dropping or rejecting local echo requests. In case of conflict, - VyOS will not answer ICMP echo requests. - - .. code-block:: none - - set firewall global-options all-ping disable - - When the command above is set, VyOS will answer no ICMP echo request - addressed to itself at all, no matter where it comes from or whether - more specific rules are being applied to accept them. - -.. cfgcmd:: set firewall global-options broadcast-ping [enable | disable] - - This setting enable or disable the response of icmp broadcast - messages. The following system parameter will be altered: - - * ``net.ipv4.icmp_echo_ignore_broadcasts`` - -.. cfgcmd:: set firewall global-options ip-src-route [enable | disable] -.. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable] - - This setting handle if VyOS accept packets with a source route - option. The following system parameter will be altered: - - * ``net.ipv4.conf.all.accept_source_route`` - * ``net.ipv6.conf.all.accept_source_route`` - -.. cfgcmd:: set firewall global-options receive-redirects [enable | disable] -.. cfgcmd:: set firewall global-options ipv6-receive-redirects - [enable | disable] - - enable or disable of ICMPv4 or ICMPv6 redirect messages accepted - by VyOS. The following system parameter will be altered: - - * ``net.ipv4.conf.all.accept_redirects`` - * ``net.ipv6.conf.all.accept_redirects`` - -.. cfgcmd:: set firewall global-options send-redirects [enable | disable] - - enable or disable ICMPv4 redirect messages send by VyOS - The following system parameter will be altered: - - * ``net.ipv4.conf.all.send_redirects`` - -.. cfgcmd:: set firewall global-options log-martians [enable | disable] - - enable or disable the logging of martian IPv4 packets. - The following system parameter will be altered: - - * ``net.ipv4.conf.all.log_martians`` - -.. cfgcmd:: set firewall global-options source-validation - [strict | loose | disable] - - Set the IPv4 source validation mode. - The following system parameter will be altered: - - * ``net.ipv4.conf.all.rp_filter`` - -.. cfgcmd:: set firewall global-options syn-cookies [enable | disable] - - Enable or Disable if VyOS use IPv4 TCP SYN Cookies. - The following system parameter will be altered: - - * ``net.ipv4.tcp_syncookies`` - -.. cfgcmd:: set firewall global-options twa-hazards-protection - [enable | disable] - - Enable or Disable VyOS to be :rfc:`1337` conform. - The following system parameter will be altered: - - * ``net.ipv4.tcp_rfc1337`` - -****** -Groups -****** - -Firewall groups represent collections of IP addresses, networks, ports, -mac addresses, domains or interfaces. Once created, a group can be referenced -by firewall, nat and policy route rules as either a source or destination -matcher, and as inbpund/outbound in the case of interface group. - -Address Groups -============== - -In an **address group** a single IP address or IP address ranges are -defined. - -.. cfgcmd:: set firewall group address-group <name> address [address | - address range] -.. cfgcmd:: set firewall group ipv6-address-group <name> address <address> - - Define a IPv4 or a IPv6 address group - - .. code-block:: none - - set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1 - set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8 - set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1 - -.. cfgcmd:: set firewall group address-group <name> description <text> -.. cfgcmd:: set firewall group ipv6-address-group <name> description <text> - - Provide a IPv4 or IPv6 address group description - -Network Groups -============== - -While **network groups** accept IP networks in CIDR notation, specific -IP addresses can be added as a 32-bit prefix. If you foresee the need -to add a mix of addresses and networks, the network group is -recommended. - -.. cfgcmd:: set firewall group network-group <name> network <CIDR> -.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR> - - Define a IPv4 or IPv6 Network group. - - .. code-block:: none - - set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24 - set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24 - set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64 - -.. cfgcmd:: set firewall group network-group <name> description <text> -.. cfgcmd:: set firewall group ipv6-network-group <name> description <text> - - Provide an IPv4 or IPv6 network group description. - -Interface Groups -================ - -An **interface group** represents a collection of interfaces. - -.. cfgcmd:: set firewall group interface-group <name> interface <text> - - Define an interface group. Wildcard are accepted too. - -.. code-block:: none - - set firewall group interface-group LAN interface bond1001 - set firewall group interface-group LAN interface eth3* - -.. cfgcmd:: set firewall group interface-group <name> description <text> - - Provide an interface group description - -Port Groups -=========== - -A **port group** represents only port numbers, not the protocol. Port -groups can be referenced for either TCP or UDP. It is recommended that -TCP and UDP groups are created separately to avoid accidentally -filtering unnecessary ports. Ranges of ports can be specified by using -`-`. - -.. cfgcmd:: set firewall group port-group <name> port - [portname | portnumber | startport-endport] - - Define a port group. A port name can be any name defined in - /etc/services. e.g.: http - - .. code-block:: none - - set firewall group port-group PORT-TCP-SERVER1 port http - set firewall group port-group PORT-TCP-SERVER1 port 443 - set firewall group port-group PORT-TCP-SERVER1 port 5000-5010 - -.. cfgcmd:: set firewall group port-group <name> description <text> - - Provide a port group description. - -MAC Groups -========== - -A **mac group** represents a collection of mac addresses. - -.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address> - - Define a mac group. - -.. code-block:: none - - set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f - set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81 - -.. cfgcmd:: set firewall group mac-group <name> description <text> - - Provide a mac group description. - -Domain Groups -============= - -A **domain group** represents a collection of domains. - -.. cfgcmd:: set firewall group domain-group <name> address <domain> - - Define a domain group. - -.. code-block:: none - - set firewall group domain-group DOM address example.com - -.. cfgcmd:: set firewall group domain-group <name> description <text> - - Provide a domain group description. - -************** -Firewall Rules -************** - -For firewall filtering, firewall rules needs to be created. Each rule is -numbered, has an action to apply if the rule is matched, and the ability -to specify multiple criteria matchers. Data packets go through the rules -from 1 - 999999, so order is crucial. At the first match the action of the -rule will be executed. - -Actions -======= - -If a rule is defined, then an action must be defined for it. This tells the -firewall what to do if all criteria matchers defined for such rule do match. - -The action can be : - - * ``accept``: accept the packet. - - * ``drop``: drop the packet. - - * ``reject``: reject the packet. - - * ``jump``: jump to another custom chain. - - * ``return``: Return from the current chain and continue at the next rule - of the last chain. - - * ``queue``: Enqueue packet to userspace. - - * ``synproxy``: synproxy the packet. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> action - [accept | drop | jump | queue | reject | return | synproxy] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> action - [accept | drop | jump | queue | reject | return | synproxy] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> action - [accept | drop | jump | queue | reject | return] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action - [accept | drop | jump | queue | reject | return] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> action - [accept | drop | jump | queue | reject | return] - - This required setting defines the action of the current rule. If action is - set to jump, then jump-target is also needed. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - jump-target <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - jump-target <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - jump-target <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - jump-target <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - jump-target <text> - - To be used only when action is set to jump. Use this command to specify - jump target. - -Also, **default-action** is an action that takes place whenever a packet does -not match any rule in it's chain. For base chains, possible options for -**default-action** are **accept** or **drop**. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter default-action - [accept | drop] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter default-action - [accept | drop] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter default-action - [accept | drop] -.. cfgcmd:: set firewall ipv4 name <name> default-action - [accept | drop | jump | queue | reject | return] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> default-action - [accept | drop | jump | queue | reject | return] - - This set the default action of the rule-set if no rule matched a packet - criteria. If defacult-action is set to ``jump``, then - ``default-jump-target`` is also needed. Note that for base chains, default - action can only be set to ``accept`` or ``drop``, while on custom chain, - more actions are available. - -.. cfgcmd:: set firewall name <name> default-jump-target <text> -.. cfgcmd:: set firewall ipv6-name <name> default-jump-target <text> - - To be used only when ``defult-action`` is set to ``jump``. Use this - command to specify jump target for default rule. - -.. note:: **Important note about default-actions:** - If default action for any chain is not defined, then the default - action is set to **drop** for that chain. - - -Firewall Logs -============= - -Logging can be enable for every single firewall rule. If enabled, other -log options can be defined. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> log - [disable | enable] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> log - [disable | enable] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> log - [disable | enable] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log - [disable | enable] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> log - [disable | enable] - - Enable or disable logging for the matched packet. - -.. cfgcmd:: set firewall ipv4 name <name> enable-default-log -.. cfgcmd:: set firewall ipv6 ipv6-name <name> enable-default-log - - Use this command to enable the logging of the default action on - custom chains. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] - - Define log-level. Only applicable if rule log is enable. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - log-options group <0-65535> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - log-options group <0-65535> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - log-options group <0-65535> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - log-options group <0-65535> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - log-options group <0-65535> - - Define log group to send message to. Only applicable if rule log is enable. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - log-options snapshot-length <0-9000> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - log-options snapshot-length <0-9000> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - log-options snapshot-length <0-9000> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - log-options snapshot-length <0-9000> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - log-options snapshot-length <0-9000> - - Define length of packet payload to include in netlink message. Only - applicable if rule log is enable and log group is defined. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - log-options queue-threshold <0-65535> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - log-options queue-threshold <0-65535> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - log-options queue-threshold <0-65535> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - log-options queue-threshold <0-65535> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - log-options queue-threshold <0-65535> - - Define number of packets to queue inside the kernel before sending them to - userspace. Only applicable if rule log is enable and log group is defined. - - -Firewall Description -==================== - -For reference, a description can be defined for every single rule, and for -every defined custom chain. - -.. cfgcmd:: set firewall ipv4 name <name> description <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> description <text> - - Provide a rule-set description to a custom firewall chain. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - description <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - description <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - description <text> - -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> description <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> description <text> - - Provide a description for each rule. - - -Rule Status -=========== - -When defining a rule, it is enable by default. In some cases, it is useful to -just disable the rule, rather than removing it. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> disable -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> disable -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> disable -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> disable -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> disable - - Command for disabling a rule but keep it in the configuration. - - -Matching criteria -================= - -There are a lot of matching criteria against which the package can be tested. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - connection-status nat [destination | source] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - connection-status nat [destination | source] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - connection-status nat [destination | source] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - connection-status nat [destination | source] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - connection-status nat [destination | source] - - Match criteria based on nat connection status. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - connection-mark <1-2147483647> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - connection-mark <1-2147483647> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - connection-mark <1-2147483647> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - connection-mark <1-2147483647> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - connection-mark <1-2147483647> - - Match criteria based on connection mark. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source address [address | addressrange | CIDR] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source address [address | addressrange | CIDR] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source address [address | addressrange | CIDR] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source address [address | addressrange | CIDR] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source address [address | addressrange | CIDR] - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination address [address | addressrange | CIDR] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination address [address | addressrange | CIDR] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination address [address | addressrange | CIDR] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination address [address | addressrange | CIDR] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination address [address | addressrange | CIDR] - - Match criteria based on source and/or destination address. This is similar - to the network groups part, but here you are able to negate the matching - addresses. - - .. code-block:: none - - set firewall ipv4 name FOO rule 50 source address 192.0.2.10-192.0.2.11 - # with a '!' the rule match everything except the specified subnet - set firewall ipv4 input filter FOO rule 51 source address !203.0.113.0/24 - set firewall ipv6 ipv6-name FOO rule 100 source address 2001:db8::202 - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source address-mask [address] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source address-mask [address] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source address-mask [address] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source address-mask [address] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source address-mask [address] - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination address-mask [address] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination address-mask [address] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination address-mask [address] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination address-mask [address] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination address-mask [address] - - An arbitrary netmask can be applied to mask addresses to only match against - a specific portion. This is particularly useful with IPv6 as rules will - remain valid if the IPv6 prefix changes and the host - portion of systems IPv6 address is static (for example, with SLAAC or - `tokenised IPv6 addresses - <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) - - This functions for both individual addresses and address groups. - - .. code-block:: none - - # Match any IPv6 address with the suffix ::0000:0000:0000:beef - set firewall ipv6 forward filter rule 100 destination address ::beef - set firewall ipv6 forward filter rule 100 destination address-mask ::ffff:ffff:ffff:ffff - # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet - set firewall ipv4 name FOO rule 100 destination address 0.11.0.13 - set firewall ipv4 name FOO rule 100 destination address-mask 0.255.0.255 - # Address groups - set firewall group ipv6-address-group WEBSERVERS address ::1000 - set firewall group ipv6-address-group WEBSERVERS address ::2000 - set firewall ipv6 forward filter rule 200 source group address-group WEBSERVERS - set firewall ipv6 forward filter rule 200 source address-mask ::ffff:ffff:ffff:ffff - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source fqdn <fqdn> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source fqdn <fqdn> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source fqdn <fqdn> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source fqdn <fqdn> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source fqdn <fqdn> -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination fqdn <fqdn> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination fqdn <fqdn> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination fqdn <fqdn> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination fqdn <fqdn> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination fqdn <fqdn> - - Specify a Fully Qualified Domain Name as source/destination matcher. Ensure - router is able to resolve such dns query. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source geoip country-code <country> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source geoip country-code <country> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source geoip country-code <country> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source geoip country-code <country> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source geoip country-code <country> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination geoip country-code <country> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination geoip country-code <country> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination geoip country-code <country> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination geoip country-code <country> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination geoip country-code <country> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source geoip inverse-match -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source geoip inverse-match -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source geoip inverse-match -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source geoip inverse-match -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source geoip inverse-match - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination geoip inverse-match -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination geoip inverse-match -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination geoip inverse-match -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination geoip inverse-match -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination geoip inverse-match - - Match IP addresses based on its geolocation. More info: `geoip matching - <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. - Use inverse-match to match anything except the given country-codes. - -Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, -permits redistribution so we can include a database in images(~3MB -compressed). Includes cron script (manually callable by op-mode update -geoip) to keep database and rules updated. - - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source mac-address <mac-address> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source mac-address <mac-address> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source mac-address <mac-address> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source mac-address <mac-address> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source mac-address <mac-address> - - Only in the source criteria, you can specify a mac-address. - - .. code-block:: none - - set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33 - set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34 - - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source port [1-65535 | portname | start-end] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source port [1-65535 | portname | start-end] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source port [1-65535 | portname | start-end] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source port [1-65535 | portname | start-end] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source port [1-65535 | portname | start-end] - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination port [1-65535 | portname | start-end] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination port [1-65535 | portname | start-end] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination port [1-65535 | portname | start-end] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination port [1-65535 | portname | start-end] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination port [1-65535 | portname | start-end] - - A port can be set with a port number or a name which is here - defined: ``/etc/services``. - - .. code-block:: none - - set firewall ipv4 forward filter rule 10 source port '22' - set firewall ipv4 forward filter rule 11 source port '!http' - set firewall ipv4 forward filter rule 12 source port 'https' - - Multiple source ports can be specified as a comma-separated list. - The whole list can also be "negated" using ``!``. For example: - - .. code-block:: none - - set firewall ipv6 forward filter rule 10 source port '!22,https,3333-3338' - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source group address-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source group address-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source group address-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source group address-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source group address-group <name | !name> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination group address-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination group address-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination group address-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination group address-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination group address-group <name | !name> - - Use a specific address-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source group network-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source group network-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source group network-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source group network-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source group network-group <name | !name> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination group network-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination group network-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination group network-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination group network-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination group network-group <name | !name> - - Use a specific network-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source group port-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source group port-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source group port-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source group port-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source group port-group <name | !name> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination group port-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination group port-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination group port-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination group port-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination group port-group <name | !name> - - Use a specific port-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source group domain-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source group domain-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source group domain-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source group domain-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source group domain-group <name | !name> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination group domain-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination group domain-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination group domain-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination group domain-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination group domain-group <name | !name> - - Use a specific domain-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source group mac-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source group mac-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source group mac-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source group mac-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source group mac-group <name | !name> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination group mac-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination group mac-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination group mac-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination group mac-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination group mac-group <name | !name> - - Use a specific mac-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - dscp [0-63 | start-end] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - dscp [0-63 | start-end] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - dscp [0-63 | start-end] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - dscp [0-63 | start-end] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - dscp [0-63 | start-end] - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - dscp-exclude [0-63 | start-end] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - dscp-exclude [0-63 | start-end] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - dscp-exclude [0-63 | start-end] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - dscp-exclude [0-63 | start-end] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - dscp-exclude [0-63 | start-end] - - Match based on dscp value. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - fragment [match-frag | match-non-frag] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - fragment [match-frag | match-non-frag] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - fragment [match-frag | match-non-frag] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - fragment [match-frag | match-non-frag] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - fragment [match-frag | match-non-frag] - - Match based on fragment criteria. - -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - icmp [code | type] <0-255> -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - icmp [code | type] <0-255> -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - icmp [code | type] <0-255> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - icmp [code | type] <0-255> -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - icmpv6 [code | type] <0-255> -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - icmpv6 [code | type] <0-255> -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - icmpv6 [code | type] <0-255> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - icmpv6 [code | type] <0-255> - - Match based on icmp|icmpv6 code and type. - -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - icmp type-name <text> -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - icmp type-name <text> -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - icmp type-name <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - icmp type-name <text> -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - icmpv6 type-name <text> -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - icmpv6 type-name <text> -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - icmpv6 type-name <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - icmpv6 type-name <text> - - Match based on icmp|icmpv6 type-name criteria. Use tab for information - about what **type-name** criteria are supported. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - inbound-interface <iface> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - inbound-interface <iface> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - inbound-interface <iface> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - inbound-interface <iface> - - Match based on inbound interface. Wilcard ``*`` can be used. - For example: ``eth2*`` - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - outbound-interface <iface> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - outbound-interface <iface> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - outbound-interface <iface> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - outbound-interface <iface> - - Match based on outbound interface. Wilcard ``*`` can be used. - For example: ``eth2*`` - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - ipsec [match-ipsec | match-none] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - ipsec [match-ipsec | match-none] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - ipsec [match-ipsec | match-none] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - ipsec [match-ipsec | match-none] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - ipsec [match-ipsec | match-none] - - Match based on ipsec criteria. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - limit burst <0-4294967295> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - limit burst <0-4294967295> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - limit burst <0-4294967295> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - limit burst <0-4294967295> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - limit burst <0-4294967295> - - Match based on the maximum number of packets to allow in excess of rate. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - limit rate <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - limit rate <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - limit rate <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - limit rate <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - limit rate <text> - - Match based on the maximum average rate, specified as **integer/unit**. - For example **5/minutes** - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - packet-length <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - packet-length <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - packet-length <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - packet-length <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - packet-length <text> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - packet-length-exclude <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - packet-length-exclude <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - packet-length-exclude <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - packet-length-exclude <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - packet-length-exclude <text> - - Match based on packet length criteria. Multiple values from 1 to 65535 - and ranges are supported. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - packet-type [broadcast | host | multicast | other] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - packet-type [broadcast | host | multicast | other] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - packet-type [broadcast | host | multicast | other] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - packet-type [broadcast | host | multicast | other] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - packet-type [broadcast | host | multicast | other] - - Match based on packet type criteria. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] - - Match a protocol criteria. A protocol number or a name which is here - defined: ``/etc/protocols``. - Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp - based packets. The ``!`` negate the selected protocol. - - .. code-block:: none - - set firewall ipv4 forward fitler rule 10 protocol tcp_udp - set firewall ipv4 forward fitler rule 11 protocol !tcp_udp - set firewall ipv6 input filter rule 10 protocol tcp - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - recent count <1-255> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - recent count <1-255> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - recent count <1-255> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - recent count <1-255> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - recent count <1-255> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - recent time [second | minute | hour] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - recent time [second | minute | hour] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - recent time [second | minute | hour] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - recent time [second | minute | hour] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - recent time [second | minute | hour] - - Match bases on recently seen sources. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - tcp flags <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - tcp flags <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - tcp flags <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - tcp flags <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - tcp flags <text> - - Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``, - ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma - separated. The ``!`` negate the selected protocol. - - .. code-block:: none - - set firewall ipv4 input filter rule 10 tcp flags 'ACK' - set firewall ipv4 input filter rule 12 tcp flags 'SYN' - set firewall ipv4 input filter rule 13 tcp flags 'SYN,!ACK,!FIN,!RST' - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - state [established | invalid | new | related] [enable | disable] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - state [established | invalid | new | related] [enable | disable] - - Match against the state of a packet. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - time startdate <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - time startdate <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - time startdate <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - time startdate <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - time startdate <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - time starttime <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - time starttime <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - time starttime <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - time starttime <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - time starttime <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - time stopdate <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - time stopdate <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - time stopdate <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - time stopdate <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - time stopdate <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - time stoptime <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - time stoptime <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - time stoptime <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - time stoptime <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - time stoptime <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - time weekdays <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - time weekdays <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - time weekdays <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - time weekdays <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - time weekdays <text> - - Time to match the defined rule. - -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - ttl <eq | gt | lt> <0-255> -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - ttl <eq | gt | lt> <0-255> -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - ttl <eq | gt | lt> <0-255> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - ttl <eq | gt | lt> <0-255> - - Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for - 'greater than', and 'lt' stands for 'less than'. - -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - hop-limit <eq | gt | lt> <0-255> -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - hop-limit <eq | gt | lt> <0-255> -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - hop-limit <eq | gt | lt> <0-255> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - hop-limit <eq | gt | lt> <0-255> - - Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for - 'greater than', and 'lt' stands for 'less than'. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - recent count <1-255> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - recent count <1-255> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - recent count <1-255> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - recent count <1-255> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - recent count <1-255> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - recent time <second | minute | hour> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - recent time <second | minute | hour> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - recent time <second | minute | hour> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - recent time <second | minute | hour> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - recent time <second | minute | hour> - - Match when 'count' amount of connections are seen within 'time'. These - matching criteria can be used to block brute-force attempts. - -******** -Synproxy -******** -Synproxy connections - -.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> action synproxy -.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> protocol tcp -.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> - - Set TCP-MSS (maximum segment size) for the connection - -.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> - - Set the window scale factor for TCP window scaling - -Example synproxy -================ -Requirements to enable synproxy: - - * Traffic must be symmetric - * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled - * Disable conntrack loose track option - -.. code-block:: none - - set system sysctl parameter net.ipv4.tcp_timestamps value '1' - - set system conntrack tcp loose disable - set system conntrack ignore ipv4 rule 10 destination port '8080' - set system conntrack ignore ipv4 rule 10 protocol 'tcp' - set system conntrack ignore ipv4 rule 10 tcp flags syn - - set firewall global-options syn-cookies 'enable' - set firewall ipv4 input filter rule 10 action 'synproxy' - set firewall ipv4 input filter rule 10 destination port '8080' - set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' - set firewall ipv4 input filter rule 10 protocol 'tcp' - set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' - set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7' - set firewall ipv4 input filter rule 1000 action 'drop' - set firewall ipv4 input filter rule 1000 state invalid 'enable' - - -*********************** -Operation-mode Firewall -*********************** - -Rule-set overview -================= - -.. opcmd:: show firewall - - This will show you a basic firewall overview - - .. code-block:: none - - vyos@vyos:~$ show firewall - Rulesets Information - - --------------------------------- - IPv4 Firewall "forward filter" - - Rule Action Protocol Packets Bytes Conditions - ------- -------- ---------- --------- ------- ----------------------------------------- - 5 jump all 0 0 iifname "eth1" jump NAME_VyOS_MANAGEMENT - 10 jump all 0 0 oifname "eth1" jump NAME_WAN_IN - 15 jump all 0 0 iifname "eth3" jump NAME_WAN_IN - default accept all - - --------------------------------- - IPv4 Firewall "name VyOS_MANAGEMENT" - - Rule Action Protocol Packets Bytes Conditions - ------- -------- ---------- --------- ------- -------------------------------- - 5 accept all 0 0 ct state established accept - 10 drop all 0 0 ct state invalid - 20 accept all 0 0 ip saddr @A_GOOD_GUYS accept - 30 accept all 0 0 ip saddr @N_ENTIRE_RANGE accept - 40 accept all 0 0 ip saddr @A_VyOS_SERVERS accept - 50 accept icmp 0 0 meta l4proto icmp accept - default drop all 0 0 - - --------------------------------- - IPv6 Firewall "forward filter" - - Rule Action Protocol - ------- -------- ---------- - 5 jump all - 10 jump all - 15 jump all - default accept all - - --------------------------------- - IPv6 Firewall "input filter" - - Rule Action Protocol - ------- -------- ---------- - 5 jump all - default accept all - - --------------------------------- - IPv6 Firewall "ipv6_name IPV6-VyOS_MANAGEMENT" - - Rule Action Protocol - ------- -------- ---------- - 5 accept all - 10 drop all - 20 accept all - 30 accept all - 40 accept all - 50 accept ipv6-icmp - default drop all - -.. opcmd:: show firewall summary - - This will show you a summary of rule-sets and groups - - .. code-block:: none - - vyos@vyos:~$ show firewall summary - Ruleset Summary - - IPv6 Ruleset: - - Ruleset Hook Ruleset Priority Description - -------------- -------------------- ------------------------- - forward filter - input filter - ipv6_name IPV6-VyOS_MANAGEMENT - ipv6_name IPV6-WAN_IN PUBLIC_INTERNET - - IPv4 Ruleset: - - Ruleset Hook Ruleset Priority Description - -------------- ------------------ ------------------------- - forward filter - input filter - name VyOS_MANAGEMENT - name WAN_IN PUBLIC_INTERNET - - Firewall Groups - - Name Type References Members - ----------------------- ------------------ ----------------------- ---------------- - PBX address_group WAN_IN-100 198.51.100.77 - SERVERS address_group WAN_IN-110 192.0.2.10 - WAN_IN-111 192.0.2.11 - WAN_IN-112 192.0.2.12 - WAN_IN-120 - WAN_IN-121 - WAN_IN-122 - SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2 - WAN_IN-20 - PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2 - PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2 - WAN_IN-171 - PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1 - SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2 - IPV6-WAN_IN-111 2001:db8::3 - IPV6-WAN_IN-112 2001:db8::4 - IPV6-WAN_IN-120 - IPV6-WAN_IN-121 - IPV6-WAN_IN-122 - SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5 - IPV6-WAN_IN-20 - - -.. opcmd:: show firewall [ipv4 | ipv6] [forward | input | output] filter - -.. opcmd:: show firewall ipv4 name <name> - -.. opcmd:: show firewall ipv6 ipv6-name <name> - - This command will give an overview of a single rule-set. - - .. code-block:: none - - vyos@vyos:~$ show firewall ipv4 input filter - Ruleset Information - - --------------------------------- - IPv4 Firewall "input filter" - - Rule Action Protocol Packets Bytes Conditions - ------- -------- ---------- --------- ------- ----------------------------------------- - 5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT - default accept all - -.. opcmd:: show firewall [ipv4 | ipv6] [forward | input | output] - filter rule <1-999999> - -.. opcmd:: show firewall ipv4 name <name> rule <1-999999> - -.. opcmd:: show firewall ipv6 ipv6-name <name> rule <1-999999> - - This command will give an overview of a rule in a single rule-set - -.. opcmd:: show firewall group <name> - - Overview of defined groups. You see the type, the members, and where the - group is used. - - .. code-block:: none - - vyos@vyos:~$ show firewall group LAN - Firewall Groups - - Name Type References Members - ------------ ------------------ ----------------------- ---------------- - LAN ipv6_network_group IPV6-VyOS_MANAGEMENT-30 2001:db8::0/64 - IPV6-WAN_IN-30 - LAN network_group VyOS_MANAGEMENT-30 192.168.200.0/24 - WAN_IN-30 - - -.. opcmd:: show firewall statistics - - This will show you a statistic of all rule-sets since the last boot. - -Show Firewall log -================= - -.. opcmd:: show log firewall [name | ipv6name] <name> - - Show the logs of a specific Rule-Set. - -.. note:: - At the moment it not possible to look at the whole firewall log with VyOS - operational commands. All logs will save to ``/var/logs/messages``. - For example: ``grep '10.10.0.10' /var/log/messages`` - - -Example Partial Config -====================== - -.. code-block:: none - - firewall { - group { - network-group BAD-NETWORKS { - network 198.51.100.0/24 - network 203.0.113.0/24 - } - network-group GOOD-NETWORKS { - network 192.0.2.0/24 - } - port-group BAD-PORTS { - port 65535 - } - } - ipv4 { - forward { - filter { - default-action accept - rule 5 { - action accept - source { - group { - network-group GOOD-NETWORKS - } - } - } - rule 10 { - action drop - description "Bad Networks" - protocol all - source { - group { - network-group BAD-NETWORKS - } - } - } - } - } - } - } - -Update geoip database -===================== - -.. opcmd:: update geoip - - Command used to update GeoIP database and firewall sets. diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst new file mode 100644 index 00000000..316e0802 --- /dev/null +++ b/docs/configuration/firewall/global-options.rst @@ -0,0 +1,117 @@ +:lastproofread: 2023-11-07 + +.. _firewall-global-options-configuration: + +##################################### +Global Options Firewall Configuration +##################################### + +******** +Overview +******** + +Some firewall settings are global and have an affect on the whole system. +In this section there's useful information about these global-options that can +be configured using vyos cli. + +Configuration commands covered in this section: + +.. cfgcmd:: set firewall global-options ... + +************* +Configuration +************* + +.. cfgcmd:: set firewall global-options all-ping [enable | disable] + + By default, when VyOS receives an ICMP echo request packet destined for + itself, it will answer with an ICMP echo reply, unless you avoid it + through its firewall. + + With the firewall you can set rules to accept, drop or reject ICMP in, + out or local traffic. You can also use the general **firewall all-ping** + command. This command affects only to LOCAL (packets destined for your + VyOS system), not to IN or OUT traffic. + + .. note:: **firewall global-options all-ping** affects only to LOCAL + and it always behaves in the most restrictive way + + .. code-block:: none + + set firewall global-options all-ping enable + + When the command above is set, VyOS will answer every ICMP echo request + addressed to itself, but that will only happen if no other rule is + applied dropping or rejecting local echo requests. In case of conflict, + VyOS will not answer ICMP echo requests. + + .. code-block:: none + + set firewall global-options all-ping disable + + When the command above is set, VyOS will answer no ICMP echo request + addressed to itself at all, no matter where it comes from or whether + more specific rules are being applied to accept them. + +.. cfgcmd:: set firewall global-options broadcast-ping [enable | disable] + + This setting enable or disable the response of icmp broadcast + messages. The following system parameter will be altered: + + * ``net.ipv4.icmp_echo_ignore_broadcasts`` + +.. cfgcmd:: set firewall global-options ip-src-route [enable | disable] +.. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable] + + This setting handle if VyOS accept packets with a source route + option. The following system parameter will be altered: + + * ``net.ipv4.conf.all.accept_source_route`` + * ``net.ipv6.conf.all.accept_source_route`` + +.. cfgcmd:: set firewall global-options receive-redirects [enable | disable] +.. cfgcmd:: set firewall global-options ipv6-receive-redirects + [enable | disable] + + enable or disable of ICMPv4 or ICMPv6 redirect messages accepted + by VyOS. The following system parameter will be altered: + + * ``net.ipv4.conf.all.accept_redirects`` + * ``net.ipv6.conf.all.accept_redirects`` + +.. cfgcmd:: set firewall global-options send-redirects [enable | disable] + + enable or disable ICMPv4 redirect messages send by VyOS + The following system parameter will be altered: + + * ``net.ipv4.conf.all.send_redirects`` + +.. cfgcmd:: set firewall global-options log-martians [enable | disable] + + enable or disable the logging of martian IPv4 packets. + The following system parameter will be altered: + + * ``net.ipv4.conf.all.log_martians`` + +.. cfgcmd:: set firewall global-options source-validation + [strict | loose | disable] + + Set the IPv4 source validation mode. + The following system parameter will be altered: + + * ``net.ipv4.conf.all.rp_filter`` + +.. cfgcmd:: set firewall global-options syn-cookies [enable | disable] + + Enable or Disable if VyOS use IPv4 TCP SYN Cookies. + The following system parameter will be altered: + + * ``net.ipv4.tcp_syncookies`` + +.. cfgcmd:: set firewall global-options twa-hazards-protection + [enable | disable] + + Enable or Disable VyOS to be :rfc:`1337` conform. + The following system parameter will be altered: + + * ``net.ipv4.tcp_rfc1337``
\ No newline at end of file diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst new file mode 100644 index 00000000..aee68793 --- /dev/null +++ b/docs/configuration/firewall/groups.rst @@ -0,0 +1,210 @@ +:lastproofread: 2023-11-08 + +.. _firewall-groups-configuration: + +############### +Firewall groups +############### + +************* +Configuration +************* + +Firewall groups represent collections of IP addresses, networks, ports, +mac addresses, domains or interfaces. Once created, a group can be referenced +by firewall, nat and policy route rules as either a source or destination +matcher, and/or as inbound/outbound in the case of interface group. + +Address Groups +============== + +In an **address group** a single IP address or IP address ranges are +defined. + +.. cfgcmd:: set firewall group address-group <name> address [address | + address range] +.. cfgcmd:: set firewall group ipv6-address-group <name> address <address> + + Define a IPv4 or a IPv6 address group + + .. code-block:: none + + set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1 + set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8 + set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1 + +.. cfgcmd:: set firewall group address-group <name> description <text> +.. cfgcmd:: set firewall group ipv6-address-group <name> description <text> + + Provide a IPv4 or IPv6 address group description + +Network Groups +============== + +While **network groups** accept IP networks in CIDR notation, specific +IP addresses can be added as a 32-bit prefix. If you foresee the need +to add a mix of addresses and networks, the network group is +recommended. + +.. cfgcmd:: set firewall group network-group <name> network <CIDR> +.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR> + + Define a IPv4 or IPv6 Network group. + + .. code-block:: none + + set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24 + set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24 + set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64 + +.. cfgcmd:: set firewall group network-group <name> description <text> +.. cfgcmd:: set firewall group ipv6-network-group <name> description <text> + + Provide an IPv4 or IPv6 network group description. + +Interface Groups +================ + +An **interface group** represents a collection of interfaces. + +.. cfgcmd:: set firewall group interface-group <name> interface <text> + + Define an interface group. Wildcard are accepted too. + +.. code-block:: none + + set firewall group interface-group LAN interface bond1001 + set firewall group interface-group LAN interface eth3* + +.. cfgcmd:: set firewall group interface-group <name> description <text> + + Provide an interface group description + +Port Groups +=========== + +A **port group** represents only port numbers, not the protocol. Port +groups can be referenced for either TCP or UDP. It is recommended that +TCP and UDP groups are created separately to avoid accidentally +filtering unnecessary ports. Ranges of ports can be specified by using +`-`. + +.. cfgcmd:: set firewall group port-group <name> port + [portname | portnumber | startport-endport] + + Define a port group. A port name can be any name defined in + /etc/services. e.g.: http + + .. code-block:: none + + set firewall group port-group PORT-TCP-SERVER1 port http + set firewall group port-group PORT-TCP-SERVER1 port 443 + set firewall group port-group PORT-TCP-SERVER1 port 5000-5010 + +.. cfgcmd:: set firewall group port-group <name> description <text> + + Provide a port group description. + +MAC Groups +========== + +A **mac group** represents a collection of mac addresses. + +.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address> + + Define a mac group. + +.. code-block:: none + + set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f + set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81 + +.. cfgcmd:: set firewall group mac-group <name> description <text> + + Provide a mac group description. + +Domain Groups +============= + +A **domain group** represents a collection of domains. + +.. cfgcmd:: set firewall group domain-group <name> address <domain> + + Define a domain group. + +.. code-block:: none + + set firewall group domain-group DOM address example.com + +.. cfgcmd:: set firewall group domain-group <name> description <text> + + Provide a domain group description. + +******** +Examples +******** + +As said before, once firewall groups are created, they can be referenced +either in firewall, nat, nat66 and/or policy-route rules. + +Here is an example were multiple groups are created: + + .. code-block:: none + + set firewall group address-group SERVERS address 198.51.100.101 + set firewall group address-group SERVERS address 198.51.100.102 + set firewall group network-group TRUSTEDv4 network 192.0.2.0/30 + set firewall group network-group TRUSTEDv4 network 203.0.113.128/25 + set firewall group ipv6-network-group TRUSTEDv6 network 2001:db8::/64 + set firewall group interface-group LAN interface eth2.2001 + set firewall group interface-group LAN interface bon0 + set firewall group port-group PORT-SERVERS port http + set firewall group port-group PORT-SERVERS port 443 + set firewall group port-group PORT-SERVERS port 5000-5010 + +And next, some configuration example where groups are used: + + .. code-block:: none + + set firewall ipv4 input filter rule 10 action accept + set firewall ipv4 input filter rule 10 inbound-interface group !LAN + set firewall ipv4 forward filter rule 20 action accept + set firewall ipv4 forward filter rule 20 source group network-group TRUSTEDv4 + set firewall ipv6 input filter rule 10 action accept + set firewall ipv6 input filter rule 10 source-group network-group TRUSTEDv6 + set nat destination rule 101 inbound-interface group LAN + set nat destination rule 101 destination group address-group SERVERS + set nat destination rule 101 protocol tcp + set nat destination rule 101 destination group port-group PORT-SERVERS + set nat destination rule 101 translation address 203.0.113.250 + set policy route PBR rule 201 destination group port-group PORT-SERVERS + set policy route PBR rule 201 protocol tcp + set policy route PBR rule 201 set table 15 + +************** +Operation-mode +************** + +.. opcmd:: show firewall group <name> + + Overview of defined groups. You see the type, the members, and where the + group is used. + + .. code-block:: none + + vyos@ZBF-15-CLean:~$ show firewall group + Firewall Groups + + Name Type References Members + ------------ ------------------ ---------------------- ---------------- + SERVERS address_group nat-destination-101 198.51.100.101 + 198.51.100.102 + LAN interface_group ipv4-input-filter-10 bon0 + nat-destination-101 eth2.2001 + TRUSTEDv6 ipv6_network_group ipv6-input-filter-10 2001:db8::/64 + TRUSTEDv4 network_group ipv4-forward-filter-20 192.0.2.0/30 + 203.0.113.128/25 + PORT-SERVERS port_group route-PBR-201 443 + nat-destination-101 5000-5010 + http + vyos@ZBF-15-CLean:~$ diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 4b923143..3887e26a 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -1,66 +1,158 @@ -:lastproofread: 2023-09-17 +:lastproofread: 2023-11-23 ######## Firewall ######## -.. attention:: - Starting from VyOS 1.4-rolling-202308040557, a new firewall structure - can be found on all vyos installations. +With VyOS being based on top of Linux and its kernel, the Netfilter project +created the iptables and now the successor nftables for the Linux kernel to +work directly on the data flows. This now extends the concept of zone-based +security to allow for manipulating the data at multiple stages once accepted +by the network interface and the driver before being handed off to the +destination (e.g. a web server OR another device). -.. note:: - The legacy and zone-based firewall configuration options is not longer - supported. They are here for reference purposes only. +A simplified traffic flow, based on Netfilter packet flow, is shown next, in +order to have a full view and understanding of how packets are processed, and +what possible paths can take. + +.. figure:: /_static/images/firewall-gral-packet-flow.png + +Main notes regarding this packet flow and terminology used in VyOS firewall: + + * **Bridge Port?**: choose appropiate path based on if interface were the + packet was received is part of a bridge, or not. + +If interface were the packet was received isn't part of a bridge, then packet +is processed at the **IP Layer**: + + * **Prerouting**: several actions can be done in this stage, and currently + these actions are defined in different parts in vyos configuration. Order + is important, and all these actions are performed before any actions + define under ``firewall`` section. Relevant configuration that acts in + this stage are: + + * **Conntrack Ignore**: rules defined under ``set system conntrack ignore + [ipv4 | ipv6] ...``. + + * **Policy Route**: rules defined under ``set policy [route | route6] + ...``. + + * **Destination NAT**: rules defined under ``set [nat | nat66] + destination...``. + + * **Destination is the router?**: choose appropiate path based on + destination IP address. Transit forward continunes to **forward**, + while traffic that destination IP address is configured on the router + continues to **input**. + + * **Input**: stage where traffic destinated to the router itself can be + filtered and controlled. This is where all rules for securing the router + should take place. This includes ipv4 and ipv6 filtering rules, defined + in: + + * ``set firewall ipv4 input filter ...``. + + * ``set firewall ipv6 input filter ...``. + + * **Forward**: stage where transit traffic can be filtered and controlled. + This includes ipv4 and ipv6 filtering rules, defined in: + + * ``set firewall ipv4 forward filter ...``. + + * ``set firewall ipv6 forward filter ...``. + + * **Output**: stage where traffic that is originated by the router itself + can be filtered and controlled. Bare in mind that this traffic can be a + new connection originted by a internal process running on VyOS router, + such as NTP, or can be a response to traffic received externaly through + **inputt** (for example response to an ssh login attempt to the router). + This includes ipv4 and ipv6 filtering rules, defined in: + + * ``set firewall ipv4 input filter ...``. + + * ``set firewall ipv6 output filter ...``. + + * **Postrouting**: as in **Prerouting**, several actions defined in + different parts of VyOS configuration are performed in this + stage. This includes: + + * **Source NAT**: rules defined under ``set [nat | nat66] + destination...``. + +If interface were the packet was received is part of a bridge, then packet +is processed at the **Bridge Layer**, which contains a ver basic setup where +for bridge filtering: + + * **Forward (Bridge)**: stage where traffic that is trasspasing through the + bridge is filtered and controlled: + + * ``set firewall bridge forward filter ...``. + +Main structure VyOS firewall cli is shown next: + +.. code-block:: none + + - set firewall + * bridge + - forward + + filter + * flowtable + - custom_flow_table + + ... + * global-options + + all-ping + + broadcast-ping + + ... + * group + - address-group + - ipv6-address-group + - network-group + - ipv6-network-group + - interface-group + - mac-group + - port-group + - domain-group + * ipv4 + - forward + + filter + - input + + filter + - output + + filter + - name + + custom_name + * ipv6 + - forward + + filter + - input + + filter + - output + + filter + - ipv6-name + + custom_name + * zone + - custom_zone_name + + ... + +Please, refer to appropiate section for more information about firewall +configuration: -Netfilter based -^^^^^^^^^^^^^^^ .. toctree:: :maxdepth: 1 :includehidden: - general - -With VyOS being based on top of Linux and its kernel, the Netfilter project created -the iptables and now the successor nftables for the Linux kernel to work directly -on the data flows. This now extends the concept of zone-based security to allow -for manipulating the data at multiple stages once accepted by the network interface -and the driver before being handed off to the destination (e.g. a web server OR -another device). - -To configure VyOS with the new :doc:`firewall configuration </configuration/firewall/general>` - -The only stages VyOS will process as part of the firewall configuration is the -`forward` (F4 stage), `input` (L4 stage), and `output` (L5 stage). All the other -stages and steps are for reference and cant be manipulated through VyOS. - -In this example image, a simplifed traffic flow is shown to help provide context -to the terms of `forward`, `input`, and `output` for the new firewall CLI format. - -.. figure:: /_static/images/firewall-netfilter.png + global-options + groups + bridge + ipv4 + ipv6 + flowtables .. note:: **For more information** of Netfilter hooks and Linux networking packet flows can be found in `Netfilter-Hooks <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_ -Legacy Firewall -^^^^^^^^^^^^^^^ -.. toctree:: - :maxdepth: 1 - :includehidden: - - general-legacy - -Traditionally firewalls weere configured with the concept of data going in and -out of an interface. The router just listened to the data flowing through and -responding as required if it was directed at the router itself. - -To configure VyOS with the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>` - -As the example image below shows, the device was configured with rules blocking -inbound or outbound traffic on each interface. - -.. figure:: /_static/images/firewall-traditional.png Zone-based firewall ^^^^^^^^^^^^^^^^^^^ @@ -70,16 +162,18 @@ Zone-based firewall zone -With zone-based firewalls a new concept was implemented, in addtion to the standard -in and out traffic flows, a local flow was added. This local was for traffic -originating and destined to the router itself. Which means additional rules were -required to secure the firewall itself from the network, in addition to the existing -inbound and outbound rules from the traditional concept above. +With zone-based firewalls a new concept was implemented, in addtion to the +standard in and out traffic flows, a local flow was added. This local was for +traffic originating and destined to the router itself. Which means additional +rules were required to secure the firewall itself from the network, in +addition to the existing inbound and outbound rules from the traditional +concept above. -To configure VyOS with the :doc:`zone-based firewall configuration </configuration/firewall/zone>` +To configure VyOS with the +:doc:`zone-based firewall configuration </configuration/firewall/zone>` -As the example image below shows, the device now needs rules to allow/block traffic -to or from the services running on the device that have open connections on that -interface. +As the example image below shows, the device now needs rules to allow/block +traffic to or from the services running on the device that have open +connections on that interface. .. figure:: /_static/images/firewall-zonebased.png diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst new file mode 100644 index 00000000..3fd365e1 --- /dev/null +++ b/docs/configuration/firewall/ipv4.rst @@ -0,0 +1,1145 @@ +:lastproofread: 2023-11-08 + +.. _firewall-ipv4-configuration: + +########################### +IPv4 Firewall Configuration +########################### + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding IPv4, and appropiate op-mode commands. +Configuration commands covered in this section: + +.. cfgcmd:: set firewall ipv4 ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * ipv4 + - forward + + filter + - input + + filter + - output + + filter + - name + + custom_name + +For transit traffic, which is received by the router and forwarded, base chain +is **forward**. A simplified packet flow diagram for transit traffic is shown +next: + +.. figure:: /_static/images/firewall-fwd-packet-flow.png + +Where firewall base chain to configure firewall filtering rules for transit +traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, +highlightened with red color. + +For traffic towards the router itself, base chain is **input**, while traffic +originated by the router, base chain is **output**. +A new simplified packet flow diagram is shown next, which shows the path +for traffic destinated to the router itself, and traffic generated by the +router (starting from circle number 6): + +.. figure:: /_static/images/firewall-input-packet-flow.png + +Base chain is for traffic toward the router is ``set firewall ipv4 input +filter ...`` + +And base chain for traffic generated by the router is ``set firewall ipv4 +output filter ...`` + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop** + +Custom firewall chains can be created, with commands +``set firewall ipv4 name <name> ...``. In order to use +such custom chain, a rule with **action jump**, and the appropiate **target** +should be defined in a base chain. + +********************* +Firewall - IPv4 Rules +********************* + +For firewall filtering, firewall rules needs to be created. Each rule is +numbered, has an action to apply if the rule is matched, and the ability +to specify multiple criteria matchers. Data packets go through the rules +from 1 - 999999, so order is crucial. At the first match the action of the +rule will be executed. + +Actions +======= + +If a rule is defined, then an action must be defined for it. This tells the +firewall what to do if all criteria matchers defined for such rule do match. + +The action can be : + + * ``accept``: accept the packet. + + * ``continue``: continue parsing next rule. + + * ``drop``: drop the packet. + + * ``reject``: reject the packet. + + * ``jump``: jump to another custom chain. + + * ``return``: Return from the current chain and continue at the next rule + of the last chain. + + * ``queue``: Enqueue packet to userspace. + + * ``synproxy``: synproxy the packet. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] + + This required setting defines the action of the current rule. If action is + set to jump, then jump-target is also needed. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + jump-target <text> + + To be used only when action is set to jump. Use this command to specify + jump target. + +Also, **default-action** is an action that takes place whenever a packet does +not match any rule in it's chain. For base chains, possible options for +**default-action** are **accept** or **drop**. + +.. cfgcmd:: set firewall ipv4 forward filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv4 input filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv4 output filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv4 name <name> default-action + [accept | drop | jump | queue | reject | return] + + This set the default action of the rule-set if no rule matched a packet + criteria. If defacult-action is set to ``jump``, then + ``default-jump-target`` is also needed. Note that for base chains, default + action can only be set to ``accept`` or ``drop``, while on custom chain, + more actions are available. + +.. cfgcmd:: set firewall ipv4 name <name> default-jump-target <text> + + To be used only when ``defult-action`` is set to ``jump``. Use this + command to specify jump target for default rule. + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop** + +Firewall Logs +============= + +Logging can be enable for every single firewall rule. If enabled, other +log options can be defined. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log + [disable | enable] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> log + [disable | enable] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> log + [disable | enable] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log + [disable | enable] + + Enable or disable logging for the matched packet. + +.. cfgcmd:: set firewall ipv4 forward filter enable-default-log +.. cfgcmd:: set firewall ipv4 input filter enable-default-log +.. cfgcmd:: set firewall ipv4 output filter enable-default-log +.. cfgcmd:: set firewall ipv4 name <name> enable-default-log + + Use this command to enable the logging of the default action on + the specified chain. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] + + Define log-level. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options group <0-65535> + + Define log group to send message to. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options snapshot-length <0-9000> + + Define length of packet payload to include in netlink message. Only + applicable if rule log is enable and log group is defined. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options queue-threshold <0-65535> + + Define number of packets to queue inside the kernel before sending them to + userspace. Only applicable if rule log is enable and log group is defined. + +Firewall Description +==================== + +For reference, a description can be defined for every single rule, and for +every defined custom chain. + +.. cfgcmd:: set firewall ipv4 name <name> description <text> + + Provide a rule-set description to a custom firewall chain. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> description <text> + + Provide a description for each rule. + +Rule Status +=========== + +When defining a rule, it is enable by default. In some cases, it is useful to +just disable the rule, rather than removing it. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> disable + + Command for disabling a rule but keep it in the configuration. + +Matching criteria +================= + +There are a lot of matching criteria against which the package can be tested. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + connection-status nat [destination | source] + + Match criteria based on nat connection status. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + connection-mark <1-2147483647> + + Match criteria based on connection mark. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source address [address | addressrange | CIDR] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination address [address | addressrange | CIDR] + + Match criteria based on source and/or destination address. This is similar + to the network groups part, but here you are able to negate the matching + addresses. + + .. code-block:: none + + set firewall ipv4 name FOO rule 50 source address 192.0.2.10-192.0.2.11 + # with a '!' the rule match everything except the specified subnet + set firewall ipv4 input filter FOO rule 51 source address !203.0.113.0/24 + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source address-mask [address] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination address-mask [address] + + An arbitrary netmask can be applied to mask addresses to only match against + a specific portion. + + This functions for both individual addresses and address groups. + + .. code-block:: none + + # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet + set firewall ipv4 name FOO rule 100 destination address 0.11.0.13 + set firewall ipv4 name FOO rule 100 destination address-mask 0.255.0.255 + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination fqdn <fqdn> + + Specify a Fully Qualified Domain Name as source/destination matcher. Ensure + router is able to resolve such dns query. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source geoip country-code <country> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination geoip country-code <country> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source geoip inverse-match + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination geoip inverse-match + + Match IP addresses based on its geolocation. More info: `geoip matching + <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. + Use inverse-match to match anything except the given country-codes. + +Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, +permits redistribution so we can include a database in images(~3MB +compressed). Includes cron script (manually callable by op-mode update +geoip) to keep database and rules updated. + + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source mac-address <mac-address> + + Only in the source criteria, you can specify a mac-address. + + .. code-block:: none + + set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33 + set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34 + + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source port [1-65535 | portname | start-end] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination port [1-65535 | portname | start-end] + + A port can be set with a port number or a name which is here + defined: ``/etc/services``. + + .. code-block:: none + + set firewall ipv4 forward filter rule 10 source port '22' + set firewall ipv4 forward filter rule 11 source port '!http' + set firewall ipv4 forward filter rule 12 source port 'https' + + Multiple source ports can be specified as a comma-separated list. + The whole list can also be "negated" using ``!``. For example: + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group address-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group address-group <name | !name> + + Use a specific address-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group network-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group network-group <name | !name> + + Use a specific network-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group port-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group port-group <name | !name> + + Use a specific port-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group domain-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group domain-group <name | !name> + + Use a specific domain-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group mac-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group mac-group <name | !name> + + Use a specific mac-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + dscp [0-63 | start-end] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + dscp-exclude [0-63 | start-end] + + Match based on dscp value. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + fragment [match-frag | match-non-frag] + + Match based on fragment criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + icmp [code | type] <0-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + icmp [code | type] <0-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + icmp [code | type] <0-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + icmp [code | type] <0-255> + + Match based on icmp code and type. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + icmp type-name <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + icmp type-name <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + icmp type-name <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + icmp type-name <text> + + Match based on icmp type-name criteria. Use tab for information + about what **type-name** criteria are supported. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + inbound-interface name <iface> + + Match based on inbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + inbound-interface group <iface_group> + + Match based on inbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + outbound-interface name <iface> + + Match based on outbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + outbound-interface group <iface_group> + + Match based on outbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + ipsec [match-ipsec | match-none] + + Match based on ipsec criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + limit burst <0-4294967295> + + Match based on the maximum number of packets to allow in excess of rate. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + limit rate <text> + + Match based on the maximum average rate, specified as **integer/unit**. + For example **5/minutes** + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + packet-length <text> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + packet-length-exclude <text> + + Match based on packet length criteria. Multiple values from 1 to 65535 + and ranges are supported. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + packet-type [broadcast | host | multicast | other] + + Match based on packet type criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] + + Match a protocol criteria. A protocol number or a name which is here + defined: ``/etc/protocols``. + Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp + based packets. The ``!`` negate the selected protocol. + + .. code-block:: none + + set firewall ipv4 forward fitler rule 10 protocol tcp_udp + set firewall ipv4 forward fitler rule 11 protocol !tcp_udp + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent time [second | minute | hour] + + Match bases on recently seen sources. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + tcp flags [not] <text> + + Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, + ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for + inverted selection use ``not``, as shown in the example. + + .. code-block:: none + + set firewall ipv4 input filter rule 10 tcp flags 'ack' + set firewall ipv4 input filter rule 12 tcp flags 'syn' + set firewall ipv4 input filter rule 13 tcp flags not 'fin' + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + state [established | invalid | new | related] [enable | disable] + + Match against the state of a packet. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time weekdays <text> + + Time to match the defined rule. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + ttl <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + ttl <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + ttl <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + ttl <eq | gt | lt> <0-255> + + Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for + 'greater than', and 'lt' stands for 'less than'. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent time <second | minute | hour> + + Match when 'count' amount of connections are seen within 'time'. These + matching criteria can be used to block brute-force attempts. + +******** +Synproxy +******** +Synproxy connections + +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> action synproxy +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> protocol tcp +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> + + Set TCP-MSS (maximum segment size) for the connection + +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> + + Set the window scale factor for TCP window scaling + +Example synproxy +================ +Requirements to enable synproxy: + + * Traffic must be symmetric + * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled + * Disable conntrack loose track option + +.. code-block:: none + + set system sysctl parameter net.ipv4.tcp_timestamps value '1' + + set system conntrack tcp loose disable + set system conntrack ignore ipv4 rule 10 destination port '8080' + set system conntrack ignore ipv4 rule 10 protocol 'tcp' + set system conntrack ignore ipv4 rule 10 tcp flags syn + + set firewall global-options syn-cookies 'enable' + set firewall ipv4 input filter rule 10 action 'synproxy' + set firewall ipv4 input filter rule 10 destination port '8080' + set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' + set firewall ipv4 input filter rule 10 protocol 'tcp' + set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' + set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7' + set firewall ipv4 input filter rule 1000 action 'drop' + set firewall ipv4 input filter rule 1000 state invalid 'enable' + + +*********************** +Operation-mode Firewall +*********************** + +Rule-set overview +================= + +.. opcmd:: show firewall + + This will show you a basic firewall overview, for all ruleset, and not + only for ipv4 + + .. code-block:: none + + vyos@vyos:~$ show firewall + Rulesets Information + + --------------------------------- + ipv4 Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------- + 20 accept all 0 0 ip saddr @N_TRUSTEDv4 accept + 21 jump all 0 0 jump NAME_AUX + default accept all 0 0 + + --------------------------------- + ipv4 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ------------------------- + 10 accept all 156 14377 iifname != @I_LAN accept + default accept all 0 0 + + --------------------------------- + ipv4 Firewall "name AUX" + + Rule Action Protocol Packets Bytes Conditions + ------ -------- ---------- --------- ------- -------------------------------------------- + 10 accept icmp 0 0 meta l4proto icmp accept + 20 accept udp 0 0 meta l4proto udp ip saddr @A_SERVERS accept + 30 drop all 0 0 ip saddr != @A_SERVERS iifname "eth2" + + --------------------------------- + ipv4 Firewall "output filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------- + 10 reject all 0 0 oifname @I_LAN + 20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept + default accept all 72 9258 + + --------------------------------- + ipv6 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ------------------------------- + 10 accept all 0 0 ip6 saddr @N6_TRUSTEDv6 accept + default accept all 2 112 + + vyos@vyos:~$ + +.. opcmd:: show firewall summary + + This will show you a summary of rule-sets and groups + + .. code-block:: none + + vyos@vyos:~$ show firewall summary + Ruleset Summary + + IPv6 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- -------------------- ------------------------- + forward filter + input filter + ipv6_name IPV6-VyOS_MANAGEMENT + ipv6_name IPV6-WAN_IN PUBLIC_INTERNET + + IPv4 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- ------------------ ------------------------- + forward filter + input filter + name VyOS_MANAGEMENT + name WAN_IN PUBLIC_INTERNET + + Firewall Groups + + Name Type References Members + ----------------------- ------------------ ----------------------- ---------------- + PBX address_group WAN_IN-100 198.51.100.77 + SERVERS address_group WAN_IN-110 192.0.2.10 + WAN_IN-111 192.0.2.11 + WAN_IN-112 192.0.2.12 + WAN_IN-120 + WAN_IN-121 + WAN_IN-122 + SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2 + WAN_IN-20 + PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2 + PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2 + WAN_IN-171 + PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1 + SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2 + IPV6-WAN_IN-111 2001:db8::3 + IPV6-WAN_IN-112 2001:db8::4 + IPV6-WAN_IN-120 + IPV6-WAN_IN-121 + IPV6-WAN_IN-122 + SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5 + IPV6-WAN_IN-20 + + +.. opcmd:: show firewall ipv4 [forward | input | output] filter + +.. opcmd:: show firewall ipv4 name <name> + + This command will give an overview of a single rule-set. + + .. code-block:: none + + vyos@vyos:~$ show firewall ipv4 input filter + Ruleset Information + + --------------------------------- + IPv4 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------------------- + 5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT + default accept all + +.. opcmd:: show firewall ipv4 [forward | input | output] + filter rule <1-999999> +.. opcmd:: show firewall ipv4 name <name> rule <1-999999> + + This command will give an overview of a rule in a single rule-set, plus + information for default action. + +.. code-block:: none + + vyos@vyos:~$show firewall ipv4 output filter rule 20 + Rule Information + + --------------------------------- + ipv4 Firewall "output filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------- + 20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept + default accept all 286 47614 + + vyos@vyos:~$ + + +.. opcmd:: show firewall statistics + + This will show you a statistic of all rule-sets since the last boot. + +Show Firewall log +================= + +.. opcmd:: show log firewall +.. opcmd:: show log firewall ipv4 +.. opcmd:: show log firewall ipv4 [forward | input | output | name] +.. opcmd:: show log firewall ipv4 [forward | input | output] filter +.. opcmd:: show log firewall ipv4 name <name> +.. opcmd:: show log firewall ipv4 [forward | input | output] filter rule <rule> +.. opcmd:: show log firewall ipv4 name <name> rule <rule> + + Show the logs of all firewall; show all ipv4 firewall logs; show all logs + for particular hook; show all logs for particular hook and priority; show all logs + for particular custom chain; show logs for specific Rule-Set. + +Example Partial Config +====================== + +.. code-block:: none + + firewall { + group { + network-group BAD-NETWORKS { + network 198.51.100.0/24 + network 203.0.113.0/24 + } + network-group GOOD-NETWORKS { + network 192.0.2.0/24 + } + port-group BAD-PORTS { + port 65535 + } + } + ipv4 { + forward { + filter { + default-action accept + rule 5 { + action accept + source { + group { + network-group GOOD-NETWORKS + } + } + } + rule 10 { + action drop + description "Bad Networks" + protocol all + source { + group { + network-group BAD-NETWORKS + } + } + } + } + } + } + } + +Update geoip database +===================== + +.. opcmd:: update geoip + + Command used to update GeoIP database and firewall sets. diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst new file mode 100644 index 00000000..83a5f694 --- /dev/null +++ b/docs/configuration/firewall/ipv6.rst @@ -0,0 +1,1167 @@ +:lastproofread: 2023-11-08 + +.. _firewall-ipv6-configuration: + +########################### +IPv6 Firewall Configuration +########################### + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding IPv6, and appropiate op-mode commands. +Configuration commands covered in this section: + +.. cfgcmd:: set firewall ipv6 ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * ipv6 + - forward + + filter + - input + + filter + - output + + filter + - name + + custom_name + +For transit traffic, which is received by the router and forwarded, base chain +is **forward**. A simplified packet flow diagram for transit traffic is shown +next: + +.. figure:: /_static/images/firewall-fwd-packet-flow.png + +Where firewall base chain to configure firewall filtering rules for transit +traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, +highlightened with red color. + +For traffic towards the router itself, base chain is **input**, while traffic +originated by the router, base chain is **output**. +A new simplified packet flow diagram is shown next, which shows the path +for traffic destinated to the router itself, and traffic generated by the +router (starting from circle number 6): + +.. figure:: /_static/images/firewall-input-packet-flow.png + +Base chain is for traffic toward the router is ``set firewall ipv6 input +filter ...`` + +And base chain for traffic generated by the router is ``set firewall ipv6 +output filter ...`` + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop** + +Custom firewall chains can be created, with commands +``set firewall ipv6 name <name> ...``. In order to use +such custom chain, a rule with **action jump**, and the appropiate **target** +should be defined in a base chain. + +****************************** +Firewall - IPv6 Rules +****************************** + +For firewall filtering, firewall rules needs to be created. Each rule is +numbered, has an action to apply if the rule is matched, and the ability +to specify multiple criteria matchers. Data packets go through the rules +from 1 - 999999, so order is crucial. At the first match the action of the +rule will be executed. + +Actions +======= + +If a rule is defined, then an action must be defined for it. This tells the +firewall what to do if all criteria matchers defined for such rule do match. + +The action can be : + + * ``accept``: accept the packet. + + * ``continue``: continue parsing next rule. + + * ``drop``: drop the packet. + + * ``reject``: reject the packet. + + * ``jump``: jump to another custom chain. + + * ``return``: Return from the current chain and continue at the next rule + of the last chain. + + * ``queue``: Enqueue packet to userspace. + + * ``synproxy``: synproxy the packet. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] + + This required setting defines the action of the current rule. If action is + set to jump, then jump-target is also needed. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + jump-target <text> + + To be used only when action is set to jump. Use this command to specify + jump target. + +Also, **default-action** is an action that takes place whenever a packet does +not match any rule in it's chain. For base chains, possible options for +**default-action** are **accept** or **drop**. + +.. cfgcmd:: set firewall ipv6 forward filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv6 input filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv6 output filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv6 name <name> default-action + [accept | drop | jump | queue | reject | return] + + This set the default action of the rule-set if no rule matched a packet + criteria. If defacult-action is set to ``jump``, then + ``default-jump-target`` is also needed. Note that for base chains, default + action can only be set to ``accept`` or ``drop``, while on custom chain, + more actions are available. + +.. cfgcmd:: set firewall ipv6 name <name> default-jump-target <text> + + To be used only when ``defult-action`` is set to ``jump``. Use this + command to specify jump target for default rule. + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop** + +Firewall Logs +============= + +Logging can be enable for every single firewall rule. If enabled, other +log options can be defined. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log + [disable | enable] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> log + [disable | enable] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> log + [disable | enable] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log + [disable | enable] + + Enable or disable logging for the matched packet. + +.. cfgcmd:: set firewall ipv6 forward filter enable-default-log +.. cfgcmd:: set firewall ipv6 input filter enable-default-log +.. cfgcmd:: set firewall ipv6 output filter enable-default-log +.. cfgcmd:: set firewall ipv6 name <name> enable-default-log + + Use this command to enable the logging of the default action on + the specified chain. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] + + Define log-level. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + log-options group <0-65535> + + Define log group to send message to. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + log-options snapshot-length <0-9000> + + Define length of packet payload to include in netlink message. Only + applicable if rule log is enable and log group is defined. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + log-options queue-threshold <0-65535> + + Define number of packets to queue inside the kernel before sending them to + userspace. Only applicable if rule log is enable and log group is defined. + +Firewall Description +==================== + +For reference, a description can be defined for every single rule, and for +every defined custom chain. + +.. cfgcmd:: set firewall ipv6 name <name> description <text> + + Provide a rule-set description to a custom firewall chain. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> description <text> + + Provide a description for each rule. + +Rule Status +=========== + +When defining a rule, it is enable by default. In some cases, it is useful to +just disable the rule, rather than removing it. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> disable + + Command for disabling a rule but keep it in the configuration. + +Matching criteria +================= + +There are a lot of matching criteria against which the package can be tested. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + connection-status nat [destination | source] + + Match criteria based on nat connection status. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + connection-mark <1-2147483647> + + Match criteria based on connection mark. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source address [address | addressrange | CIDR] + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination address [address | addressrange | CIDR] + + Match criteria based on source and/or destination address. This is similar + to the network groups part, but here you are able to negate the matching + addresses. + + .. code-block:: none + + set firewall ipv6 name FOO rule 100 source address 2001:db8::202 + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source address-mask [address] + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination address-mask [address] + + An arbitrary netmask can be applied to mask addresses to only match against + a specific portion. This is particularly useful with IPv6 as rules will + remain valid if the IPv6 prefix changes and the host + portion of systems IPv6 address is static (for example, with SLAAC or + `tokenised IPv6 addresses + <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) + + This functions for both individual addresses and address groups. + + .. code-block:: none + + # Match any IPv6 address with the suffix ::0000:0000:0000:beef + set firewall ipv6 forward filter rule 100 destination address ::beef + set firewall ipv6 forward filter rule 100 destination address-mask ::ffff:ffff:ffff:ffff + # Address groups + set firewall group ipv6-address-group WEBSERVERS address ::1000 + set firewall group ipv6-address-group WEBSERVERS address ::2000 + set firewall ipv6 forward filter rule 200 source group address-group WEBSERVERS + set firewall ipv6 forward filter rule 200 source address-mask ::ffff:ffff:ffff:ffff + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination fqdn <fqdn> + + Specify a Fully Qualified Domain Name as source/destination matcher. Ensure + router is able to resolve such dns query. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source geoip country-code <country> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination geoip country-code <country> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source geoip inverse-match + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination geoip inverse-match + + Match IP addresses based on its geolocation. More info: `geoip matching + <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. + Use inverse-match to match anything except the given country-codes. + +Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, +permits redistribution so we can include a database in images(~3MB +compressed). Includes cron script (manually callable by op-mode update +geoip) to keep database and rules updated. + + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source mac-address <mac-address> + + Only in the source criteria, you can specify a mac-address. + + .. code-block:: none + + set firewall ipv6 input filter rule 100 source mac-address 00:53:00:11:22:33 + set firewall ipv6 input filter rule 101 source mac-address !00:53:00:aa:12:34 + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source port [1-65535 | portname | start-end] + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination port [1-65535 | portname | start-end] + + A port can be set with a port number or a name which is here + defined: ``/etc/services``. + + .. code-block:: none + + set firewall ipv6 forward filter rule 10 source port '22' + set firewall ipv6 forward filter rule 11 source port '!http' + set firewall ipv6 forward filter rule 12 source port 'https' + + Multiple source ports can be specified as a comma-separated list. + The whole list can also be "negated" using ``!``. For example: + + .. code-block:: none + + set firewall ipv6 forward filter rule 10 source port '!22,https,3333-3338' + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group address-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group address-group <name | !name> + + Use a specific address-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group network-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group network-group <name | !name> + + Use a specific network-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group port-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group port-group <name | !name> + + Use a specific port-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group domain-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group domain-group <name | !name> + + Use a specific domain-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group mac-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group mac-group <name | !name> + + Use a specific mac-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + dscp [0-63 | start-end] + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + dscp-exclude [0-63 | start-end] + + Match based on dscp value. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + fragment [match-frag | match-non-frag] + + Match based on fragment criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + icmpv6 [code | type] <0-255> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + icmpv6 [code | type] <0-255> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + icmpv6 [code | type] <0-255> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + icmpv6 [code | type] <0-255> + + Match based on icmp|icmpv6 code and type. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + icmpv6 type-name <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + icmpv6 type-name <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + icmpv6 type-name <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + icmpv6 type-name <text> + + Match based on icmpv6 type-name criteria. Use tab for information + about what **type-name** criteria are supported. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + inbound-interface name <iface> + + Match based on inbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + inbound-interface group <iface_group> + + Match based on inbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + outbound-interface name <iface> + + Match based on outbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + outbound-interface group <iface_group> + + Match based on outbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + ipsec [match-ipsec | match-none] + + Match based on ipsec criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + limit burst <0-4294967295> + + Match based on the maximum number of packets to allow in excess of rate. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + limit rate <text> + + Match based on the maximum average rate, specified as **integer/unit**. + For example **5/minutes** + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + packet-length <text> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + packet-length-exclude <text> + + Match based on packet length criteria. Multiple values from 1 to 65535 + and ranges are supported. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + packet-type [broadcast | host | multicast | other] + + Match based on packet type criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] + + Match a protocol criteria. A protocol number or a name which is here + defined: ``/etc/protocols``. + Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp + based packets. The ``!`` negate the selected protocol. + + .. code-block:: none + + set firewall ipv6 input filter rule 10 protocol tcp + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + recent time [second | minute | hour] + + Match bases on recently seen sources. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + tcp flags [not] <text> + + Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, + ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for + inverted selection use ``not``, as shown in the example. + + .. code-block:: none + + set firewall ipv6 input filter rule 10 tcp flags 'ack' + set firewall ipv6 input filter rule 12 tcp flags 'syn' + set firewall ipv6 input filter rule 13 tcp flags not 'fin' + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + state [established | invalid | new | related] [enable | disable] + + Match against the state of a packet. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time weekdays <text> + + Time to match the defined rule. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + hop-limit <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + hop-limit <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + hop-limit <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + hop-limit <eq | gt | lt> <0-255> + + Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for + 'greater than', and 'lt' stands for 'less than'. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + recent time <second | minute | hour> + + Match when 'count' amount of connections are seen within 'time'. These + matching criteria can be used to block brute-force attempts. + +******** +Synproxy +******** +Synproxy connections + +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> action synproxy +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> protocol tcp +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> + + Set TCP-MSS (maximum segment size) for the connection + +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> + + Set the window scale factor for TCP window scaling + +Example synproxy +================ +Requirements to enable synproxy: + + * Traffic must be symmetric + * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled + * Disable conntrack loose track option + +.. code-block:: none + + set system sysctl parameter net.ipv4.tcp_timestamps value '1' + + set system conntrack tcp loose disable + set system conntrack ignore ipv6 rule 10 destination port '8080' + set system conntrack ignore ipv6 rule 10 protocol 'tcp' + set system conntrack ignore ipv6 rule 10 tcp flags syn + + set firewall global-options syn-cookies 'enable' + set firewall ipv6 input filter rule 10 action 'synproxy' + set firewall ipv6 input filter rule 10 destination port '8080' + set firewall ipv6 input filter rule 10 inbound-interface interface-name 'eth1' + set firewall ipv6 input filter rule 10 protocol 'tcp' + set firewall ipv6 input filter rule 10 synproxy tcp mss '1460' + set firewall ipv6 input filter rule 10 synproxy tcp window-scale '7' + set firewall ipv6 input filter rule 1000 action 'drop' + set firewall ipv6 input filter rule 1000 state invalid 'enable' + +*********************** +Operation-mode Firewall +*********************** + +Rule-set overview +================= + +.. opcmd:: show firewall + + This will show you a basic firewall overview + + .. code-block:: none + + vyos@vyos:~$ show firewall + Rulesets Information + + --------------------------------- + IPv4 Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------------------- + 5 jump all 0 0 iifname "eth1" jump NAME_VyOS_MANAGEMENT + 10 jump all 0 0 oifname "eth1" jump NAME_WAN_IN + 15 jump all 0 0 iifname "eth3" jump NAME_WAN_IN + default accept all + + --------------------------------- + IPv4 Firewall "name VyOS_MANAGEMENT" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- -------------------------------- + 5 accept all 0 0 ct state established accept + 10 drop all 0 0 ct state invalid + 20 accept all 0 0 ip saddr @A_GOOD_GUYS accept + 30 accept all 0 0 ip saddr @N_ENTIRE_RANGE accept + 40 accept all 0 0 ip saddr @A_VyOS_SERVERS accept + 50 accept icmp 0 0 meta l4proto icmp accept + default drop all 0 0 + + --------------------------------- + IPv6 Firewall "forward filter" + + Rule Action Protocol + ------- -------- ---------- + 5 jump all + 10 jump all + 15 jump all + default accept all + + --------------------------------- + IPv6 Firewall "input filter" + + Rule Action Protocol + ------- -------- ---------- + 5 jump all + default accept all + + --------------------------------- + IPv6 Firewall "ipv6_name IPV6-VyOS_MANAGEMENT" + + Rule Action Protocol + ------- -------- ---------- + 5 accept all + 10 drop all + 20 accept all + 30 accept all + 40 accept all + 50 accept ipv6-icmp + default drop all + +.. opcmd:: show firewall summary + + This will show you a summary of rule-sets and groups + + .. code-block:: none + + vyos@vyos:~$ show firewall summary + Ruleset Summary + + IPv6 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- -------------------- ------------------------- + forward filter + input filter + ipv6_name IPV6-VyOS_MANAGEMENT + ipv6_name IPV6-WAN_IN PUBLIC_INTERNET + + IPv4 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- ------------------ ------------------------- + forward filter + input filter + name VyOS_MANAGEMENT + name WAN_IN PUBLIC_INTERNET + + Firewall Groups + + Name Type References Members + ----------------------- ------------------ ----------------------- ---------------- + PBX address_group WAN_IN-100 198.51.100.77 + SERVERS address_group WAN_IN-110 192.0.2.10 + WAN_IN-111 192.0.2.11 + WAN_IN-112 192.0.2.12 + WAN_IN-120 + WAN_IN-121 + WAN_IN-122 + SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2 + WAN_IN-20 + PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2 + PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2 + WAN_IN-171 + PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1 + SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2 + IPV6-WAN_IN-111 2001:db8::3 + IPV6-WAN_IN-112 2001:db8::4 + IPV6-WAN_IN-120 + IPV6-WAN_IN-121 + IPV6-WAN_IN-122 + SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5 + IPV6-WAN_IN-20 + + +.. opcmd:: show firewall ipv6 [forward | input | output] filter + +.. opcmd:: show firewall ipv4 name <name> + +.. opcmd:: show firewall ipv6 ipv6-name <name> + + This command will give an overview of a single rule-set. + + .. code-block:: none + + vyos@vyos:~$ show firewall ipv4 input filter + Ruleset Information + + --------------------------------- + IPv4 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------------------- + 5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT + default accept all + +.. opcmd:: show firewall ipv6 [forward | input | output] + filter rule <1-999999> + +.. opcmd:: show firewall ipv4 name <name> rule <1-999999> + +.. opcmd:: show firewall ipv6 ipv6-name <name> rule <1-999999> + + This command will give an overview of a rule in a single rule-set + +.. opcmd:: show firewall group <name> + + Overview of defined groups. You see the type, the members, and where the + group is used. + + .. code-block:: none + + vyos@vyos:~$ show firewall group LAN + Firewall Groups + + Name Type References Members + ------------ ------------------ ----------------------- ---------------- + LAN ipv6_network_group IPV6-VyOS_MANAGEMENT-30 2001:db8::0/64 + IPV6-WAN_IN-30 + LAN network_group VyOS_MANAGEMENT-30 192.168.200.0/24 + WAN_IN-30 + + +.. opcmd:: show firewall statistics + + This will show you a statistic of all rule-sets since the last boot. + +Show Firewall log +================= + +.. opcmd:: show log firewall +.. opcmd:: show log firewall ipv6 +.. opcmd:: show log firewall ipv6 [forward | input | output | name] +.. opcmd:: show log firewall ipv6 [forward | input | output] filter +.. opcmd:: show log firewall ipv6 name <name> +.. opcmd:: show log firewall ipv6 [forward | input | output] filter rule <rule> +.. opcmd:: show log firewall ipv6 name <name> rule <rule> + + Show the logs of all firewall; show all ipv6 firewall logs; show all logs + for particular hook; show all logs for particular hook and priority; show all logs + for particular custom chain; show logs for specific Rule-Set. + +Example Partial Config +====================== + +.. code-block:: none + + firewall { + group { + network-group BAD-NETWORKS { + network 198.51.100.0/24 + network 203.0.113.0/24 + } + network-group GOOD-NETWORKS { + network 192.0.2.0/24 + } + port-group BAD-PORTS { + port 65535 + } + } + ipv4 { + forward { + filter { + default-action accept + rule 5 { + action accept + source { + group { + network-group GOOD-NETWORKS + } + } + } + rule 10 { + action drop + description "Bad Networks" + protocol all + source { + group { + network-group BAD-NETWORKS + } + } + } + } + } + } + } + +Update geoip database +===================== + +.. opcmd:: update geoip + + Command used to update GeoIP database and firewall sets. diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index 38869c32..1ab9c630 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst @@ -1,25 +1,44 @@ -:lastproofread: 2022-09-14 +:lastproofread: 2023-11-01 .. _firewall-zone: -################################ -Zone Based Firewall (Deprecated) -################################ +################### +Zone Based Firewall +################### + +******** +Overview +******** .. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall - structure can be found on all vyos instalations, and zone based firewall is - no longer supported. Documentation for most of the new firewall CLI can be + structure can be found on all vyos instalations. Zone based firewall was + removed in that version, but re introduced in VyOS 1.4 and 1.5. All + versions built after 2023-10-22 has this feature. + Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before - 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` - chapter. The examples in this section use the legacy firewall configuration - commands, since this feature has been removed in earlier releases. - -.. note:: For latest releases, refer the `firewall (interface-groups) - <https://docs.vyos.io/en/latest/configuration/firewall/general.html#interface-groups>`_ - main page to configure zone based rules. New syntax was introduced here - :vytask:`T5160` + 1.4-rolling-202308040557 and can be found in the + :doc:`legacy firewall configuration </configuration/firewall/general-legacy>` + chapter. + +In this section there's useful information of all firewall configuration that +is needed for zone-based firewall. +Configuration commands covered in this section: + +.. cfgcmd:: set firewall zone ... + +From main structure defined in +:doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * zone + - custom_zone_name + + ... In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst index 2f20e783..7f06faa8 100644 --- a/docs/configuration/highavailability/index.rst +++ b/docs/configuration/highavailability/index.rst @@ -450,7 +450,7 @@ Port "0" is required if multiple ports are used. set high-availability virtual-server vyos real-server 192.0.2.12 health-check script '/config/scripts/check-real-server-second.sh' set high-availability virtual-server vyos real-server 192.0.2.12 port '0' - set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 outbound-interface name 'eth0' set nat source rule 100 source address '192.0.2.0/24' set nat source rule 100 translation address 'masquerade' diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index 70161e1e..d92ac080 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst @@ -71,7 +71,7 @@ In both cases, we will use the following settings: dynamic IP for our remote router. Setting up certificates ------------------------ +======================= Setting up a full-blown PKI with a CA certificate would arguably defeat the purpose of site-to-site OpenVPN, since its main goal is supposed to be configuration simplicity, @@ -129,7 +129,7 @@ Note: certificate names don't matter, we use 'openvpn-local' and 'openvpn-remote Repeat the procedure on the other router. Setting up OpenVPN ------------------- +================== Local Configuration: @@ -166,7 +166,7 @@ Remote Configuration: on the local router Pre-shared keys ---------------- +=============== Until VyOS 1.4, the only option for site-to-site OpenVPN without PKI was to use pre-shared keys. That option is still available but it is deprecated and will be removed in the future. diff --git a/docs/configuration/interfaces/vxlan.rst b/docs/configuration/interfaces/vxlan.rst index 2cb0b2f1..af00fdec 100644 --- a/docs/configuration/interfaces/vxlan.rst +++ b/docs/configuration/interfaces/vxlan.rst @@ -67,15 +67,36 @@ VXLAN specific options Source IP address used for VXLAN underlay. This is mandatory when using VXLAN via L2VPN/EVPN. -.. cfgcmd:: set interfaces vxlan <interface> external +.. cfgcmd:: set interfaces vxlan <interface> gpe + + Enables the Generic Protocol extension (VXLAN-GPE). Currently, this is only + supported together with the external keyword. + +.. cfgcmd:: set interfaces vxlan <interface> parameters external Specifies whether an external control plane (e.g. BGP L2VPN/EVPN) or the internal FDB should be used. -.. cfgcmd:: set interfaces vxlan <interface> gpe +.. cfgcmd:: set interfaces vxlan <interface> parameters neighbor-suppress - Eenables the Generic Protocol extension (VXLAN-GPE). Currently, this is only - supported together with the external keyword. + In order to minimize the flooding of ARP and ND messages in the VXLAN network, + EVPN includes provisions :rfc:`7432#section-10` that allow participating VTEPs + to suppress such messages in case they know the MAC-IP binding and can reply + on behalf of the remote host. + +.. cfgcmd:: set interfaces vxlan <interface> parameters nolearning + + Specifies if unknown source link layer addresses and IP addresses are entered + into the VXLAN device forwarding database. + +.. cfgcmd:: set interfaces vxlan <interface> parameters vni-filter + + Specifies whether the VXLAN device is capable of vni filtering. + + Only works with a VXLAN device with external flag set. + + .. note:: The device can only receive packets with VNIs configured in + the VNI filtering table. Unicast ^^^^^^^ @@ -155,7 +176,7 @@ interface is no longer required for each VNI. .. code-block:: none set interfaces bridge br0 member interface vxlan0 - set interfaces vxlan vxlan0 external + set interfaces vxlan vxlan0 parameters external set interfaces vxlan vxlan0 source-interface 'dum0' set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010' set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011' diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst index 8b829b64..885720e1 100644 --- a/docs/configuration/interfaces/wireguard.rst +++ b/docs/configuration/interfaces/wireguard.rst @@ -222,7 +222,7 @@ firewall exception. set firewall ipv4 name OUTSIDE_LOCAL rule 20 protocol udp set firewall ipv4 name OUTSIDE_LOCAL rule 20 source -You should also ensure that the OUTISDE_LOCAL firewall group is applied to the +You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local). .. code-block:: none @@ -413,7 +413,7 @@ the VyOS CLI. into the VyOS CLI if needed. The supplied ``<name>`` on the CLI will become the peer name in the snippet. - In addition you will specifiy the IP address or FQDN for the client where it + In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address. diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index e853a1ec..df153763 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst @@ -562,6 +562,7 @@ The WAP in this example has the following characteristics: set interfaces wireless wlan0 security wpa mode wpa2 set interfaces wireless wlan0 security wpa cipher CCMP set interfaces wireless wlan0 security wpa passphrase '12345678' + set interfaces wireless wlan0 country-code de Resulting in @@ -572,6 +573,7 @@ Resulting in wireless wlan0 { address 192.168.2.1/24 channel 1 + country-code de mode n security { wpa { diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst index c660f8f4..98b230a9 100644 --- a/docs/configuration/nat/nat44.rst +++ b/docs/configuration/nat/nat44.rst @@ -148,23 +148,35 @@ rule. * **outbound-interface** - applicable only to :ref:`source-nat`. It configures the interface which is used for the outside traffic that - this translation rule applies to. + this translation rule applies to. Interface groups, inverted + selection and wildcard, are also supported. - Example: + Examples: .. code-block:: none - set nat source rule 20 outbound-interface eth0 + set nat source rule 20 outbound-interface name eth0 + set nat source rule 30 outbound-interface name bond1* + set nat source rule 20 outbound-interface name !vtun2 + set nat source rule 20 outbound-interface group GROUP1 + set nat source rule 20 outbound-interface group !GROUP2 + * **inbound-interface** - applicable only to :ref:`destination-nat`. It configures the interface which is used for the inside traffic the - translation rule applies to. + translation rule applies to. Interface groups, inverted + selection and wildcard, are also supported. Example: .. code-block:: none - set nat destination rule 20 inbound-interface eth1 + set nat destination rule 20 inbound-interface name eth0 + set nat destination rule 30 inbound-interface name bond1* + set nat destination rule 20 inbound-interface name !vtun2 + set nat destination rule 20 inbound-interface group GROUP1 + set nat destination rule 20 inbound-interface group !GROUP2 + * **protocol** - specify which types of protocols this translation rule applies to. Only packets matching the specified protocol are NATed. @@ -323,7 +335,7 @@ demonstrate the following configuration: .. code-block:: none - set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 outbound-interface name 'eth0' set nat source rule 100 source address '192.168.0.0/24' set nat source rule 100 translation address 'masquerade' @@ -332,7 +344,9 @@ Which generates the following configuration: .. code-block:: none rule 100 { - outbound-interface eth0 + outbound-interface { + name eth0 + } source { address 192.168.0.0/24 } @@ -424,19 +438,19 @@ Example: set nat destination rule 100 description 'Regular destination NAT from external' set nat destination rule 100 destination port '3389' - set nat destination rule 100 inbound-interface 'pppoe0' + set nat destination rule 100 inbound-interface name 'pppoe0' set nat destination rule 100 protocol 'tcp' set nat destination rule 100 translation address '192.0.2.40' set nat destination rule 110 description 'NAT Reflection: INSIDE' set nat destination rule 110 destination port '3389' - set nat destination rule 110 inbound-interface 'eth0.10' + set nat destination rule 110 inbound-interface name 'eth0.10' set nat destination rule 110 protocol 'tcp' set nat destination rule 110 translation address '192.0.2.40' set nat source rule 110 description 'NAT Reflection: INSIDE' set nat source rule 110 destination address '192.0.2.0/24' - set nat source rule 110 outbound-interface 'eth0.10' + set nat source rule 110 outbound-interface name 'eth0.10' set nat source rule 110 protocol 'tcp' set nat source rule 110 source address '192.0.2.0/24' set nat source rule 110 translation address 'masquerade' @@ -452,7 +466,9 @@ Which results in a configuration of: destination { port 3389 } - inbound-interface pppoe0 + inbound-interface { + name pppoe0 + } protocol tcp translation { address 192.0.2.40 @@ -463,7 +479,9 @@ Which results in a configuration of: destination { port 3389 } - inbound-interface eth0.10 + inbound-interface { + name eth0.10 + } protocol tcp translation { address 192.0.2.40 @@ -476,7 +494,9 @@ Which results in a configuration of: destination { address 192.0.2.0/24 } - outbound-interface eth0.10 + outbound-interface { + name eth0.10 + } protocol tcp source { address 192.0.2.0/24 @@ -515,7 +535,7 @@ Our configuration commands would be: set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100' set nat destination rule 10 destination port '80' - set nat destination rule 10 inbound-interface 'eth0' + set nat destination rule 10 inbound-interface name 'eth0' set nat destination rule 10 protocol 'tcp' set nat destination rule 10 translation address '192.168.0.100' @@ -530,7 +550,9 @@ Which would generate the following NAT destination configuration: destination { port 80 } - inbound-interface eth0 + inbound-interface { + name eth0 + } protocol tcp translation { address 192.168.0.100 @@ -546,43 +568,45 @@ Which would generate the following NAT destination configuration: This establishes our Port Forward rule, but if we created a firewall policy it will likely block the traffic. -It is important to note that when creating firewall rules that the DNAT +Firewall rules for Destination NAT +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +It is important to note that when creating firewall rules, the DNAT translation occurs **before** traffic traverses the firewall. In other words, the destination address has already been translated to 192.168.0.100. -So in our firewall policy, we want to allow traffic coming in on the -outside interface, destined for TCP port 80 and the IP address of -192.168.0.100. +So in our firewall ruleset, we want to allow traffic which previously matched +a destination nat rule. In order to avoid creating many rules, one for each +destination nat rule, we can accept all **'dnat'** connections with one simple +rule, using ``connection-status`` matcher: .. code-block:: none - set firewall name OUTSIDE-IN rule 20 action 'accept' - set firewall name OUTSIDE-IN rule 20 destination address '192.168.0.100' - set firewall name OUTSIDE-IN rule 20 destination port '80' - set firewall name OUTSIDE-IN rule 20 protocol 'tcp' - set firewall name OUTSIDE-IN rule 20 state new 'enable' + set firewall ipv4 forward filter rule 10 action accept + set firewall ipv4 forward filter rule 10 connection-status nat destination + set firewall ipv4 forward filter rule 10 state new enable This would generate the following configuration: .. code-block:: none - rule 20 { - action accept - destination { - address 192.168.0.100 - port 80 - } - protocol tcp - state { - new enable + ipv4 { + forward { + filter { + rule 10 { + action accept + connection-status { + nat destination + } + state { + new enable + } + } + } } } -.. note:: - - If you have configured the `INSIDE-OUT` policy, you will need to add - additional rules to permit inbound NAT traffic. 1-to-1 NAT ---------- @@ -610,10 +634,10 @@ and one external interface: set interfaces ethernet eth1 description 'Outside interface' set nat destination rule 2000 description '1-to-1 NAT example' set nat destination rule 2000 destination address '192.0.2.30' - set nat destination rule 2000 inbound-interface 'eth1' + set nat destination rule 2000 inbound-interface name 'eth1' set nat destination rule 2000 translation address '192.168.1.10' set nat source rule 2000 description '1-to-1 NAT example' - set nat source rule 2000 outbound-interface 'eth1' + set nat source rule 2000 outbound-interface name 'eth1' set nat source rule 2000 source address '192.168.1.10' set nat source rule 2000 translation address '192.0.2.30' @@ -639,7 +663,7 @@ We will use source and destination address for hash generation. .. code-block:: none - set nat destination rule 10 inbound-interface eth0 + set nat destination rule 10 inbound-interface name eth0 set nat destination rule 10 protocol tcp set nat destination rule 10 destination port 80 set nat destination rule 10 load-balance hash source-address @@ -655,7 +679,7 @@ We will generate the hash randomly. .. code-block:: none - set nat source rule 10 outbound-interface eth0 + set nat source rule 10 outbound-interface name eth0 set nat source rule 10 source address 10.0.0.0/8 set nat source rule 10 load-balance hash random set nat source rule 10 load-balance backend 192.0.2.251 weight 33 @@ -709,12 +733,10 @@ NAT Configuration set nat source rule 110 description 'Internal to ASP' set nat source rule 110 destination address '172.27.1.0/24' - set nat source rule 110 outbound-interface 'any' set nat source rule 110 source address '192.168.43.0/24' set nat source rule 110 translation address '172.29.41.89' set nat source rule 120 description 'Internal to ASP' set nat source rule 120 destination address '10.125.0.0/16' - set nat source rule 120 outbound-interface 'any' set nat source rule 120 source address '192.168.43.0/24' set nat source rule 120 translation address '172.29.41.89' diff --git a/docs/configuration/nat/nat66.rst b/docs/configuration/nat/nat66.rst index 93dd3353..66cceb0a 100644 --- a/docs/configuration/nat/nat66.rst +++ b/docs/configuration/nat/nat66.rst @@ -82,7 +82,7 @@ Example: .. code-block:: none - set nat66 source rule 1 outbound-interface 'eth0' + set nat66 source rule 1 outbound-interface name 'eth0' set nat66 source rule 1 source prefix 'fc01::/64' set nat66 source rule 1 translation address 'fc00::/64' @@ -101,7 +101,7 @@ Example: .. code-block:: none - set nat66 destination rule 1 inbound-interface 'eth0' + set nat66 destination rule 1 inbound-interface name 'eth0' set nat66 destination rule 1 destination address 'fc00::/64' set nat66 destination rule 1 translation address 'fc01::/64' @@ -122,9 +122,9 @@ R1: set interfaces ethernet eth0 ipv6 address autoconf set interfaces ethernet eth1 address 'fc01::1/64' set nat66 destination rule 1 destination address 'fc00:470:f1cd:101::/64' - set nat66 destination rule 1 inbound-interface 'eth0' + set nat66 destination rule 1 inbound-interface name 'eth0' set nat66 destination rule 1 translation address 'fc01::/64' - set nat66 source rule 1 outbound-interface 'eth0' + set nat66 source rule 1 outbound-interface name 'eth0' set nat66 source rule 1 source prefix 'fc01::/64' set nat66 source rule 1 translation address 'fc00:470:f1cd:101::/64' diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst index e83272f5..66ad84a3 100644 --- a/docs/configuration/pki/index.rst +++ b/docs/configuration/pki/index.rst @@ -148,11 +148,11 @@ WireGuard ``interface`` is used for the VyOS CLI command to identify the WireGuard interface where this private key is to be used. -.. opcmd:: generate pki wireguard pre-shared-key +.. opcmd:: generate pki wireguard preshared-key Generate a WireGuard pre-shared secret used for peers to communicate. -.. opcmd:: generate pki wireguard pre-shared-key install <peer> +.. opcmd:: generate pki wireguard preshared-key install <peer> Generate a WireGuard pre-shared secret used for peers to communicate. diff --git a/docs/configuration/policy/route-map.rst b/docs/configuration/policy/route-map.rst index 9fe1eef7..07cfcf02 100644 --- a/docs/configuration/policy/route-map.rst +++ b/docs/configuration/policy/route-map.rst @@ -318,10 +318,12 @@ Route Map Set BGP local preference attribute. .. cfgcmd:: set policy route-map <text> rule <1-65535> set metric - <+/-metric|0-4294967295> + <+/-metric|0-4294967295|rtt|+rtt|-rtt> - Set destination routing protocol metric. Add or subtract metric, or set - metric value. + Set the route metric. When used with BGP, set the BGP attribute MED + to a specific value. Use ``+/-`` to add or subtract the specified value + to/from the existing/MED. Use ``rtt`` to set the MED to the round trip + time or ``+rtt/-rtt`` to add/subtract the round trip time to/from the MED. .. cfgcmd:: set policy route-map <text> rule <1-65535> set metric-type <type-1|type-2> diff --git a/docs/configuration/protocols/igmp-proxy.rst b/docs/configuration/protocols/igmp-proxy.rst new file mode 100644 index 00000000..f62a289e --- /dev/null +++ b/docs/configuration/protocols/igmp-proxy.rst @@ -0,0 +1,77 @@ +:lastproofread: 2023-11-13 + +.. _igmp_proxy: + +########## +IGMP Proxy +########## + +:abbr:`IGMP (Internet Group Management Protocol)` proxy sends IGMP host messages +on behalf of a connected client. The configuration must define one, and only one +upstream interface, and one or more downstream interfaces. + +Configuration +============= + +.. cfgcmd:: set protocols igmp-proxy interface <interface> role + <upstream | downstream> + + * **upstream:** The upstream network interface is the outgoing interface + which is responsible for communicating to available multicast data sources. + There can only be one upstream interface. + + * **downstream:** Downstream network interfaces are the distribution + interfaces to the destination networks, where multicast clients can join + groups and receive multicast data. One or more downstream interfaces must + be configured. + +.. cfgcmd:: set protocols igmp-proxy interface <interface> alt-subnet <network> + + Defines alternate sources for multicasting and IGMP data. The network address + must be on the following format 'a.b.c.d/n'. By default, the router will + accept data from sources on the same network as configured on an interface. + If the multicast source lies on a remote network, one must define from where + traffic should be accepted. + + This is especially useful for the upstream interface, since the source for + multicast traffic is often from a remote location. + + This option can be supplied multiple times. + +.. cfgcmd:: set protocols igmp-proxy disable-quickleave + + Disables quickleave mode. In this mode the daemon will not send a Leave IGMP + message upstream as soon as it receives a Leave message for any downstream + interface. The daemon will not ask for Membership reports on the downstream + interfaces, and if a report is received the group is not joined again the + upstream. + + If it's vital that the daemon should act exactly like a real multicast client + on the upstream interface, this function should be enabled. + + Enabling this function increases the risk of bandwidth saturation. + +.. cfgcmd:: set protocols igmp-proxy disable + + Disable this service. + +.. _igmp:proxy_example: + +Example +------- + +Interface `eth1` LAN is behind NAT. In order to subscribe `10.0.0.0/23` subnet +multicast which is in `eth0` WAN we need to configure igmp-proxy. + +.. code-block:: none + + set protocols igmp-proxy interface eth0 role upstream + set protocols igmp-proxy interface eth0 alt-subnet 10.0.0.0/23 + set protocols igmp-proxy interface eth1 role downstream + +Operation +========= + +.. opcmd:: restart igmp-proxy + + Restart the IGMP proxy process. diff --git a/docs/configuration/protocols/igmp.rst b/docs/configuration/protocols/igmp.rst deleted file mode 100644 index d3492632..00000000 --- a/docs/configuration/protocols/igmp.rst +++ /dev/null @@ -1,249 +0,0 @@ -:lastproofread: 2023-01-27 - -.. _multicast: - -######### -Multicast -######### - -VyOS facilitates IP Multicast by supporting **PIM Sparse Mode**, -**IGMP** and **IGMP-Proxy**. - -************ -PIM and IGMP -************ - -PIM (Protocol Independent Multicast) must be configured in every -interface of every participating router. Every router must also have the -location of the Rendevouz Point manually configured. Then, -unidirectional shared trees rooted at the Rendevouz Point will -automatically be built for multicast distribution. - -Traffic from multicast sources will go to the Rendezvous Point, and -receivers will pull it from a shared tree using IGMP (Internet Group -Management Protocol). - -Multicast receivers will talk IGMP to their local router, so, besides -having PIM configured in every router, IGMP must also be configured in -any router where there could be a multicast receiver locally connected. - -VyOS supports both IGMP version 2 and version 3 (which allows -source-specific multicast). - - -Example -======= - -In the following example we can see a basic multicast setup: - -.. image:: /_static/images/multicast-basic.png - :width: 90% - :align: center - :alt: Network Topology Diagram - - - -**Router 1** - -.. code-block:: none - - set interfaces ethernet eth2 address '172.16.0.2/24' - set interfaces ethernet eth1 address '100.64.0.1/24' - set protocols ospf area 0 network '172.16.0.0/24' - set protocols ospf area 0 network '100.64.0.0/24' - set protocols igmp interface eth1 - set protocols pim interface eth1 - set protocols pim interface eth2 - set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' - -**Router 3** - -.. code-block:: none - - set interfaces dummy dum0 address '172.16.255.1/24' - set interfaces ethernet eth0 address '172.16.0.1/24' - set interfaces ethernet eth1 address '172.16.1.1/24' - set protocols ospf area 0 network '172.16.0.0/24' - set protocols ospf area 0 network '172.16.255.0/24' - set protocols ospf area 0 network '172.16.1.0/24' - set protocols pim interface dum0 - set protocols pim interface eth0 - set protocols pim interface eth1 - set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' - -**Router 2** - -.. code-block:: none - - set interfaces ethernet eth1 address '10.0.0.1/24' - set interfaces ethernet eth2 address '172.16.1.2/24' - set protocols ospf area 0 network '10.0.0.0/24' - set protocols ospf area 0 network '172.16.1.0/24' - set protocols pim interface eth1 - set protocols pim interface eth2 - set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' - - - - - -Basic commands -============== - -These are the commands for a basic setup. - -.. cfgcmd:: set protocols pim interface <interface-name> - - Use this command to enable PIM in the selected interface so that it - can communicate with PIM neighbors. - - -.. cfgcmd:: set protocols pim rp address <address> group - <multicast-address/mask-bits> - - Use this command to manually configure a Rendezvous Point for PIM so - that join messages can be sent there. Set the Rendevouz Point address - and the matching prefix of group ranges covered. These values must - be shared with every router participating in the PIM network. - - -.. cfgcmd:: set protocols igmp interface eth1 - - Use this command to configure an interface with IGMP so that PIM can - receive IGMP reports and query on the selected interface. By default - IGMP version 3 will be used. - - - -Tuning commands -=============== - -You can also tune multicast with the following commands. - -.. cfgcmd:: set protocols pim interface <interface> dr-priority <value> - - Use this PIM command in the selected interface to set the priority - (1-4294967295) you want to influence in the election of a node to - become the Designated Router for a LAN segment. The default priority - is 1, set a higher value to give the router more preference in the - DR election process. - - -.. cfgcmd:: set protocols pim int <interface> hello <seconds> - - Use this command to configure the PIM hello interval in seconds - (1-180) for the selected interface. - - -.. cfgcmd:: set protocols pim rp keep-alive-timer <seconds> - - Use this PIM command to modify the time out value (31-60000 - seconds) for an `(S,G) <https://tools.ietf.org/html/rfc7761#section-4.1>`_ - flow. 31 seconds is chosen for a lower bound as some hardware - platforms cannot see data flowing in better than 30 seconds chunks. - - -.. cfgcmd:: set protocols igmp interface <interface> join <multicast-address> - source <IP-address> - - Use this command to allow the selected interface to join a multicast - group defining the multicast address you want to join and the source - IP address too. - - -.. cfgcmd:: set protocols igmp interface <interface> query-interval <seconds> - - Use this command to configure in the selected interface the IGMP - host query interval (1-1800) in seconds that PIM will use. - - -.. cfgcmd:: set protocols igmp interface <interface> query-max-response-time - <deciseconds> - - Use this command to configure in the selected interface the IGMP - query response timeout value (10-250) in deciseconds. If a report is - not returned in the specified time, it will be assumed the `(S,G) or - (*,G) state <https://tools.ietf.org/html/rfc7761#section-4.1>`_ has - timed out. - - -.. cfgcmd:: set protocols igmp interface <interface> version <version-number> - - Use this command to define in the selected interface whether you - choose IGMP version 2 or 3. The default value is 3. - - - -********** -IGMP Proxy -********** - -:abbr:`IGMP (Internet Group Management Protocol)` proxy sends IGMP host messages -on behalf of a connected client. The configuration must define one, and only one -upstream interface, and one or more downstream interfaces. - -Configuration -============= - -.. cfgcmd:: set protocols igmp-proxy interface <interface> role - <upstream | downstream> - - * **upstream:** The upstream network interface is the outgoing interface - which is responsible for communicating to available multicast data sources. - There can only be one upstream interface. - - * **downstream:** Downstream network interfaces are the distribution - interfaces to the destination networks, where multicast clients can join - groups and receive multicast data. One or more downstream interfaces must - be configured. - -.. cfgcmd:: set protocols igmp-proxy interface <interface> alt-subnet <network> - - Defines alternate sources for multicasting and IGMP data. The network address - must be on the following format 'a.b.c.d/n'. By default, the router will - accept data from sources on the same network as configured on an interface. - If the multicast source lies on a remote network, one must define from where - traffic should be accepted. - - This is especially useful for the upstream interface, since the source for - multicast traffic is often from a remote location. - - This option can be supplied multiple times. - -.. cfgcmd:: set protocols igmp-proxy disable-quickleave - - Disables quickleave mode. In this mode the daemon will not send a Leave IGMP - message upstream as soon as it receives a Leave message for any downstream - interface. The daemon will not ask for Membership reports on the downstream - interfaces, and if a report is received the group is not joined again the - upstream. - - If it's vital that the daemon should act exactly like a real multicast client - on the upstream interface, this function should be enabled. - - Enabling this function increases the risk of bandwidth saturation. - -.. cfgcmd:: set protocols igmp-proxy disable - - Disable this service. - -.. _igmp:proxy_example: - -Example -------- - -Interface `eth1` LAN is behind NAT. In order to subscribe `10.0.0.0/23` subnet -multicast which is in `eth0` WAN we need to configure igmp-proxy. - -.. code-block:: none - - set protocols igmp-proxy interface eth0 role upstream - set protocols igmp-proxy interface eth0 alt-subnet 10.0.0.0/23 - set protocols igmp-proxy interface eth1 role downstream - -Operation -========= - -.. opcmd:: restart igmp-proxy - - Restart the IGMP proxy process. diff --git a/docs/configuration/protocols/index.rst b/docs/configuration/protocols/index.rst index 237608a1..ea217d3c 100644 --- a/docs/configuration/protocols/index.rst +++ b/docs/configuration/protocols/index.rst @@ -2,7 +2,6 @@ Protocols ######### - .. toctree:: :maxdepth: 1 :includehidden: @@ -11,11 +10,12 @@ Protocols bfd bgp failover - igmp + igmp-proxy isis mpls segment-routing ospf + pim pim6 rip rpki diff --git a/docs/configuration/protocols/isis.rst b/docs/configuration/protocols/isis.rst index 18a7c166..1f779d0a 100644 --- a/docs/configuration/protocols/isis.rst +++ b/docs/configuration/protocols/isis.rst @@ -302,6 +302,34 @@ Timers control the timing of the execution of SPF calculations in response to IGP events. The process described in :rfc:`8405`. +Loop Free Alternate (LFA) +------------------------- + +.. cfgcmd:: set protocols isis fast-reroute lfa remote prefix-list <name> + <level-1|level-2> + + This command enables IP fast re-routing that is part of :rfc:`5286`. + Specifically this is a prefix list which references a prefix in which + will select eligible PQ nodes for remote LFA backups. + +.. cfgcmd:: set protocols isis fast-reroute lfa local load-sharing disable + <level-1|level-2> + + This command disables the load sharing across multiple LFA backups. + +.. cfgcmd:: set protocols isis fast-reroute lfa local tiebreaker + <downstream|lowest-backup-metric|node-protecting> index <number> + <level-1|level-2> + + This command will configure a tie-breaker for multiple local LFA backups. + The lower index numbers will be processed first. + +.. cfgcmd:: set protocols isis fast-reroute lfa local priority-limit + <medium|high|critical> <level-1|level-2> + + This command will limit LFA backup computation up to the specified + prefix priority. + ******** Examples diff --git a/docs/configuration/protocols/ospf.rst b/docs/configuration/protocols/ospf.rst index e360d86a..9891c77d 100644 --- a/docs/configuration/protocols/ospf.rst +++ b/docs/configuration/protocols/ospf.rst @@ -1204,7 +1204,7 @@ Interface Configuration synchronizing process of the router's database with all neighbors. The default value is 1 seconds. The interval range is 3 to 65535. -.. _ospf:v3_redistribution_config: +.. _ospf:v3_graceful_restart: Graceful Restart ---------------- @@ -1245,6 +1245,8 @@ Graceful Restart By default, it supports both planned and unplanned outages. +.. _ospf:v3_redistribution_config: + Redistribution Configuration ---------------------------- diff --git a/docs/configuration/protocols/pim.disable b/docs/configuration/protocols/pim.disable deleted file mode 100644 index 1dd373d8..00000000 --- a/docs/configuration/protocols/pim.disable +++ /dev/null @@ -1,2 +0,0 @@ -PIM -###
\ No newline at end of file diff --git a/docs/configuration/protocols/pim.rst b/docs/configuration/protocols/pim.rst new file mode 100644 index 00000000..2e881943 --- /dev/null +++ b/docs/configuration/protocols/pim.rst @@ -0,0 +1,266 @@ +:lastproofread: 2023-11-13 + +.. _pim: + +#################################### +PIM – Protocol Independent Multicast +#################################### + +VyOS supports :abbr:`PIM-SM (PIM Sparse Mode)` as well as +:abbr:`IGMP (Internet Group Management Protocol)` v2 and v3 + +:abbr:`PIM (Protocol Independent Multicast)` must be configured in every +interface of every participating router. Every router must also have the +location of the Rendevouz Point manually configured. Then, unidirectional +shared trees rooted at the Rendevouz Point will automatically be built +for multicast distribution. + +Traffic from multicast sources will go to the Rendezvous Point, and +receivers will pull it from a shared tree using :abbr:`IGMP (Internet +Group Management Protocol)`. + +Multicast receivers will talk IGMP to their local router, so, besides +having PIM configured in every router, IGMP must also be configured in +any router where there could be a multicast receiver locally connected. + +VyOS supports both IGMP version 2 and version 3 (which allows +source-specific multicast). + +************************ +PIM-SM - PIM Sparse Mode +************************ + +.. cfgcmd:: set protocols pim ecmp + + If PIM has the a choice of ECMP nexthops for a particular + :abbr:`RPF (Reverse Path Forwarding)`, PIM will cause S,G flows to be + spread out amongst the nexthops. If this command is not specified then + the first nexthop found will be used. + +.. cfgcmd:: set protocols pim ecmp rebalance + + If PIM is using ECMP and an interface goes down, cause PIM to rebalance all + S,G flows across the remaining nexthops. If this command is not configured + PIM only modifies those S,G flows that were using the interface that went + down. + +.. cfgcmd:: set protocols pim join-prune-interval <n> + + Modify the join/prune interval that PIM uses to the new value. Time is + specified in seconds. + + The default time is 60 seconds. + + If you enter a value smaller than 60 seconds be aware that this can and + will affect convergence at scale. + +.. cfgcmd:: set protocols pim keep-alive-timer <n> + + Modify the time out value for a S,G flow from 1-65535 seconds. If choosing + a value below 31 seconds be aware that some hardware platforms cannot see + data flowing in better than 30 second chunks. + +.. cfgcmd:: set protocols pim packets <n> + + When processing packets from a neighbor process the number of packets + incoming at one time before moving on to the next task. + + The default value is 3 packets. + + This command is only useful at scale when you can possibly have a large + number of PIM control packets flowing. + +.. cfgcmd:: set protocols pim register-accept-list <prefix-list> + + When PIM receives a register packet the source of the packet will be compared + to the prefix-list specified, and if a permit is received normal processing + continues. If a deny is returned for the source address of the register packet + a register stop message is sent to the source. + +.. cfgcmd:: set protocols pim register-suppress-time <n> + + Modify the time that pim will register suppress a FHR will send register + notifications to the kernel. + +.. cfgcmd:: set protocols pim rp <address> group <group> + + In order to use PIM, it is necessary to configure a :abbr:`RP (Rendezvous Point)` + for join messages to be sent to. Currently the only methodology to do this is + via static rendezvous point commands. + + All routers in the PIM network must agree on these values. + + The first ip address is the RP's address and the second value is the matching + prefix of group ranges covered. + +.. cfgcmd:: set protocols pim rp keep-alive-timer <n> + + Modify the time out value for a S,G flow from 1-65535 seconds at + :abbr:`RP (Rendezvous Point)`. The normal keepalive period for the KAT(S,G) + defaults to 210 seconds. However, at the :abbr:`RP (Rendezvous Point)`, the + keepalive period must be at least the Register_Suppression_Time, or the RP + may time out the (S,G) state before the next Null-Register arrives. + Thus, the KAT(S,G) is set to max(Keepalive_Period, RP_Keepalive_Period) + when a Register-Stop is sent. + + If choosing a value below 31 seconds be aware that some hardware platforms + cannot see data flowing in better than 30 second chunks. + + See :rfc:`7761#section-4.1` for details. + +.. cfgcmd:: set protocols pim no-v6-secondary + + When sending PIM hello packets tell PIM to not send any v6 secondary + addresses on the interface. This information is used to allow PIM to use v6 + nexthops in it's decision for :abbr:`RPF (Reverse Path Forwarding)` lookup + if this option is not set (default). + +.. cfgcmd:: set protocols pim spt-switchover infinity-and-beyond [prefix-list <list>] + + On the last hop router if it is desired to not switch over to the SPT tree + configure this command. + + Optional parameter prefix-list can be use to control which groups to switch or + not switch. If a group is PERMIT as per the prefix-list, then the SPT switchover + does not happen for it and if it is DENY, then the SPT switchover happens. + +.. cfgcmd:: set protocols pim ssm prefix-list <list> + + Specify a range of group addresses via a prefix-list that forces PIM to never + do :abbr:`SSM (Source-Specific Multicast)` over. + +Interface specific commands +=========================== + +.. cfgcmd:: set protocols pim interface <interface> bfd [profile <name>] + + Automatically create BFD session for each RIP peer discovered in this + interface. When the BFD session monitor signalize that the link is down + the RIP peer is removed and all the learned routes associated with that + peer are removed. + + If optional profile parameter is used, select a BFD profile for the BFD + sessions created via this interface. + +.. cfgcmd:: set protocols pim interface <interface> dr-priority <n> + + Set the :abbr:`DR (Designated Router)` Priority for the interface. + This command is useful to allow the user to influence what node becomes + the DR for a LAN segment. + +.. cfgcmd:: set protocols pim interface <interface> hello <n> + + Set the PIM hello and hold interval for a interface. + +.. cfgcmd:: set protocols pim interface <interface> no-bsm + + Tell PIM that we would not like to use this interface to process + bootstrap messages. + +.. cfgcmd:: set protocols pim interface <interface> no-unicast-bsm + + Tell PIM that we would not like to use this interface to process + unicast bootstrap messages. + +.. cfgcmd:: set protocols pim interface <interface> passive + + Disable sending and receiving PIM control packets on the interface. + + .. cfgcmd:: set protocols pim interface <interface> source-address <ip-address> + + If you have multiple addresses configured on a particular interface and would + like PIM to use a specific source address associated with that interface. + +****************************************** +IGMP - Internet Group Management Protocol) +****************************************** + +.. cfgcmd:: set protocols pim igmp watermark-warning <n> + + Configure watermark warning generation for an IGMP group limit. Generates + warning once the configured group limit is reached while adding new groups. + +.. _pim:igmp_interface_commands: + +Interface specific commands +=========================== + +.. cfgcmd:: set protocols pim interface <interface> igmp + join <multicast-address> source-address <IP-address> + + Use this command to allow the selected interface to join a multicast + group defining the multicast address you want to join and the source + IP address too. + +.. cfgcmd:: set protocols pim interface <interface> igmp + query-interval <seconds> + + Use this command to configure in the selected interface the IGMP + host query interval (1-1800) in seconds that PIM will use. + +.. cfgcmd:: set protocols pim interface <interface> igmp + query-max-response-time <n> + + Use this command to configure in the selected interface the IGMP + query response timeout value (10-250) in deciseconds. If a report is + not returned in the specified time, it will be assumed the (S,G) or + (\*,G) state :rfc:`7761#section-4.1` has timed out. + +.. cfgcmd:: set protocols pim interface <interface> igmp version <version-number> + + Use this command to define in the selected interface whether you + choose IGMP version 2 or 3. + + The default value is 3. + +Example +------- + +In the following example we can see a basic multicast setup: + +.. image:: /_static/images/multicast-basic.png + :width: 90% + :align: center + :alt: Network Topology Diagram + + + +**Router 1** + +.. code-block:: none + + set interfaces ethernet eth2 address '172.16.0.2/24' + set interfaces ethernet eth1 address '100.64.0.1/24' + set protocols ospf area 0 network '172.16.0.0/24' + set protocols ospf area 0 network '100.64.0.0/24' + set protocols igmp interface eth1 + set protocols pim interface eth1 + set protocols pim interface eth2 + set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' + +**Router 3** + +.. code-block:: none + + set interfaces dummy dum0 address '172.16.255.1/24' + set interfaces ethernet eth0 address '172.16.0.1/24' + set interfaces ethernet eth1 address '172.16.1.1/24' + set protocols ospf area 0 network '172.16.0.0/24' + set protocols ospf area 0 network '172.16.255.0/24' + set protocols ospf area 0 network '172.16.1.0/24' + set protocols pim interface dum0 + set protocols pim interface eth0 + set protocols pim interface eth1 + set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' + +**Router 2** + +.. code-block:: none + + set interfaces ethernet eth1 address '10.0.0.1/24' + set interfaces ethernet eth2 address '172.16.1.2/24' + set protocols ospf area 0 network '10.0.0.0/24' + set protocols ospf area 0 network '172.16.1.0/24' + set protocols pim interface eth1 + set protocols pim interface eth2 + set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' diff --git a/docs/configuration/protocols/pim6.rst b/docs/configuration/protocols/pim6.rst index 1d316cfb..2b2276a7 100644 --- a/docs/configuration/protocols/pim6.rst +++ b/docs/configuration/protocols/pim6.rst @@ -1,8 +1,8 @@ .. _pim6: -############## -IPv6 Multicast -############## +############################################## +PIM6 - Protocol Independent Multicast for IPv6 +############################################## VyOS facilitates IPv6 Multicast by supporting **PIMv6** and **MLD**. diff --git a/docs/configuration/service/dhcp-relay.rst b/docs/configuration/service/dhcp-relay.rst index e1fbe1d2..dc45d071 100644 --- a/docs/configuration/service/dhcp-relay.rst +++ b/docs/configuration/service/dhcp-relay.rst @@ -154,6 +154,8 @@ Configuration Disable dhcpv6-relay service. +.. _dhcp_relay:v6_options: + Options ------- diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst index 08b16575..eb2e30eb 100644 --- a/docs/configuration/service/https.rst +++ b/docs/configuration/service/https.rst @@ -20,28 +20,19 @@ Configuration .. cfgcmd:: set service https api debug - To enable debug messages. Available via :opcmd:`show log` or + To enable debug messages. Available via :opcmd:`show log` or :opcmd:`monitor log` -.. cfgcmd:: set service https api port - - Set the listen port of the local API, this has no effect on the - webserver. The default is port 8080 - -.. cfgcmd:: set service https api socket - - Use local socket for API - .. cfgcmd:: set service https api strict Enforce strict path checking -.. cfgcmd:: set service https virtual-host <vhost> listen-address +.. cfgcmd:: set service https virtual-host <vhost> listen-address <ipv4 or ipv6 address> Address to listen for HTTPS requests -.. cfgcmd:: set service https virtual-host <vhost> listen-port <1-65535> +.. cfgcmd:: set service https virtual-host <vhost> port <1-65535> Port to listen for HTTPS requests; default 443 @@ -91,6 +82,6 @@ To use this full configuration we asume a public accessible hostname. set service https certificates certbot domain-name rtr01.example.com set service https certificates certbot email mail@example.com set service https virtual-host rtr01 listen-address 198.51.100.2 - set service https virtual-host rtr01 listen-port 11443 + set service https virtual-host rtr01 port 11443 set service https virtual-host rtr01 server-name rtr01.example.com set service https api-restrict virtual-host rtr01 diff --git a/docs/configuration/service/mdns.rst b/docs/configuration/service/mdns.rst index 9d6a292a..51fbf1a1 100644 --- a/docs/configuration/service/mdns.rst +++ b/docs/configuration/service/mdns.rst @@ -5,28 +5,44 @@ Starting with VyOS 1.2 a :abbr:`mDNS (Multicast DNS)` repeater functionality is provided. Additional information can be obtained from https://en.wikipedia.org/wiki/Multicast_DNS. -Multicast DNS uses the 224.0.0.251 address, which is "administratively scoped" -and does not leave the subnet. It retransmits mDNS packets from one interface -to other interfaces. This enables support for e.g. Apple Airplay devices across -multiple VLANs. +Multicast DNS uses the reserved address ``224.0.0.251``, which is +`"administratively scoped"` and does not leave the subnet. mDNS repeater +retransmits mDNS packets from one interface to other interfaces. This enables +support for devices using mDNS discovery (like network printers, Apple Airplay, +Chromecast, various IP based home-automation devices etc) across multiple VLANs. -Since the mDNS protocol sends the AA records in the packet itself, the repeater -does not need to forge the source address. Instead, the source address is of -the interface that repeats the packet. +Since the mDNS protocol sends the :abbr:`AA(Authoritative Answer)` records in +the packet itself, the repeater does not need to forge the source address. +Instead, the source address is of the interface that repeats the packet. Configuration ============= .. cfgcmd:: set service mdns repeater interface <interface> - To enable mDNS repeater you need to configure at least two interfaces. To - re-broadcast all incoming mDNS packets from any interface configured here to - any other interface configured under this section. + To enable mDNS repeater you need to configure at least two interfaces so that + all incoming mDNS packets from one interface configured here can be + re-broadcasted to any other interface(s) configured under this section. .. cfgcmd:: set service mdns repeater disable mDNS repeater can be temporarily disabled without deleting the service using +.. cfgcmd:: set service mdns repeater ip-version <ipv4 | ipv6 | both> + + mDNS repeater can be enabled either on IPv4 socket or on IPv6 socket or both + to re-broadcast. By default, mDNS repeater will listen on both IPv4 and IPv6. + +.. cfgcmd:: set service mdns repeater allow-service <service> + + mDNS repeater can be configured to re-broadcast only specific services. By + default, all services are re-broadcasted. + +.. cfgcmd:: set service mdns repeater browse-domain <domain> + + Allow listing additional custom domains to be browsed (in addition to the + default ``local``) so that they can be reflected. + .. note:: You can not run this in a VRRP setup, if multiple mDNS repeaters are launched in a subnet you will experience the mDNS packet storm death! @@ -41,4 +57,35 @@ received on `eth0` to `eth1` (and vice-versa) use the following commands: set service mdns repeater interface 'eth0' set service mdns repeater interface 'eth1' +To allow only specific services, for example ``_airplay._tcp`` or ``_ipp._tcp``, +(instead of all services) to be re-broadcasted, use the following command: + +.. code-block:: none + + set service mdns repeater allow-service '_airplay._tcp' + set service mdns repeater allow-service '_ipp._tcp' + +To allow listing additional custom domain, for example +``openthread.thread.home.arpa``, so that it can reflected in addition to the +default ``local``, use the following command: + +.. code-block:: none + + set service mdns repeater browse-domain 'openthread.thread.home.arpa' + .. _`Multicast DNS`: https://en.wikipedia.org/wiki/Multicast_DNS + +Operation +========= + +.. opcmd:: restart mdns repeater + + Restart mDNS repeater service. + +.. opcmd:: show log mdns repeater + + Show logs for mDNS repeater service. + +.. opcmd:: monitor log mdns repeater + + Follow the logs for mDNS repeater service. diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst index 15c2390c..efdbc651 100644 --- a/docs/configuration/service/ssh.rst +++ b/docs/configuration/service/ssh.rst @@ -218,3 +218,31 @@ Operation commit save exit + +.. opcmd:: show log ssh + + Show SSH server log. + +.. opcmd:: monitor log ssh + + Follow the SSH server log. + +.. opcmd:: show log ssh dynamic-protection + + Show SSH dynamic-protection log. + +.. opcmd:: monitor log ssh dynamic-protection + + Follow the SSH dynamic-protection log. + +.. opcmd:: show ssh dynamic-protection + + Show list of IPs currently blocked by SSH dynamic-protection. + +.. opcmd:: show ssh fingerprints + + Show SSH server public key fingerprints. + +.. opcmd:: show ssh fingerprints ascii + + Show SSH server public key fingerprints, including a visual ASCII art representation. diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst index 0cbcecde..98e05cdd 100644 --- a/docs/configuration/system/login.rst +++ b/docs/configuration/system/login.rst @@ -344,6 +344,8 @@ Configuration Source all connections to the TACACS servers from given VRF `<name>`. +.. _login:tacacs_example: + Configuration Example --------------------- diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index a85e03b4..7a4b81f7 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -190,7 +190,7 @@ Hub set interfaces tunnel tun100 address '172.16.253.134/29' set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 local-ip '192.0.2.1' + set interfaces tunnel tun100 source-address '192.0.2.1' set interfaces tunnel tun100 enable-multicast set interfaces tunnel tun100 parameters ip key '1' @@ -294,7 +294,7 @@ VyOS can also run in DMVPN spoke mode. set interfaces ethernet eth0 address 'dhcp' set interfaces tunnel tun100 address '172.16.253.133/29' - set interfaces tunnel tun100 local-ip 0.0.0.0 + set interfaces tunnel tun100 source-address 0.0.0.0 set interfaces tunnel tun100 encapsulation 'gre' set interfaces tunnel tun100 enable-multicast set interfaces tunnel tun100 parameters ip key '1' diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index ece06fa2..b6ee86af 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -221,8 +221,8 @@ On the LEFT: On the RIGHT, setup by analogy and swap local and remote addresses. -Source tunnel from loopbacks -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Source tunnel from dummy interface +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The scheme above doesn't work when one of the routers has a dynamic external address though. The classic workaround for this is to setup an address on a @@ -240,7 +240,7 @@ On the LEFT: .. code-block:: none - set interfaces loopback lo address 192.168.99.1/32 + set interfaces dummy dum0 address 192.168.99.1/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 address 10.10.10.1/30 @@ -251,7 +251,7 @@ On the RIGHT: .. code-block:: none - set interfaces loopback lo address 192.168.99.2/32 + set interfaces dummy dum0 address 192.168.99.2/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 address 10.10.10.2/30 diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst index 6ea1cc7d..26de47b3 100644 --- a/docs/configuration/vpn/l2tp.rst +++ b/docs/configuration/vpn/l2tp.rst @@ -60,7 +60,7 @@ To allow VPN-clients access via your external address, a NAT rule is required: .. code-block:: none - set nat source rule 110 outbound-interface 'eth0' + set nat source rule 110 outbound-interface name 'eth0' set nat source rule 110 source address '192.168.255.0/24' set nat source rule 110 translation address masquerade diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 5f8e5263..23df1b76 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -10,8 +10,8 @@ connected/routed networks. To configure site-to-site connection you need to add peers with the ``set vpn ipsec site-to-site peer <name>`` command. -The peer name must be an alphanumeric and can have hypen or underscore as -special characters. It is purely informational. +The peer name must be an alphanumeric and can have hypen or underscore as +special characters. It is purely informational. Each site-to-site peer has the next options: @@ -20,11 +20,11 @@ Each site-to-site peer has the next options: * ``psk`` - Preshared secret key name: - * ``dhcp-interface`` - ID for authentication generated from DHCP address + * ``dhcp-interface`` - ID for authentication generated from DHCP address dynamically; - * ``id`` - static ID's for authentication. In general local and remote + * ``id`` - static ID's for authentication. In general local and remote address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``; - * ``secret`` - predefined shared secret. Used if configured mode + * ``secret`` - predefined shared secret. Used if configured mode ``pre-shared-secret``; @@ -110,7 +110,7 @@ Each site-to-site peer has the next options: * ``remote-address`` - remote IP address or hostname for IPSec connection. IPv4 or IPv6 address is used when a peer has a public static IP address. - Hostname is a DNS name which could be used when a peer has a public IP + Hostname is a DNS name which could be used when a peer has a public IP address and DNS name, but an IP address could be changed from time to time. * ``tunnel`` - define criteria for traffic to be matched for encrypting and send @@ -149,9 +149,9 @@ Each site-to-site peer has the next options: * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI interface. -* ``virtual-address`` - Defines a virtual IP address which is requested by the - initiator and one or several IPv4 and/or IPv6 addresses are assigned from - multiple pools by the responder. +* ``virtual-address`` - Defines a virtual IP address which is requested by the + initiator and one or several IPv4 and/or IPv6 addresses are assigned from + multiple pools by the responder. Examples: ------------------ @@ -245,13 +245,13 @@ If there is SNAT rules on eth1, need to add exclude rule # server side set nat source rule 10 destination address '10.0.0.0/24' set nat source rule 10 'exclude' - set nat source rule 10 outbound-interface 'eth1' + set nat source rule 10 outbound-interface name 'eth1' set nat source rule 10 source address '192.168.0.0/24' # remote office side set nat source rule 10 destination address '192.168.0.0/24' set nat source rule 10 'exclude' - set nat source rule 10 outbound-interface 'eth1' + set nat source rule 10 outbound-interface name 'eth1' set nat source rule 10 source address '10.0.0.0/24' To allow traffic to pass through to clients, you need to add the following @@ -284,118 +284,144 @@ Imagine the following topology IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio) +**LEFT:** +* WAN interface on `eth0.201` +* `eth0.201` interface IP: `172.18.201.10/24` +* `vti10` interface IP: `10.0.0.2/31` +* `dum0` interface IP: `10.0.11.1/24` (for testing purposes) + +**RIGHT:** +* WAN interface on `eth0.202` +* `eth0.201` interface IP: `172.18.202.10/24` +* `vti10` interface IP: `10.0.0.3/31` +* `dum0` interface IP: `10.0.12.1/24` (for testing purposes) .. note:: Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links. -**left** +**LEFT** .. code-block:: none + set interfaces ethernet eth0 vif 201 address '172.18.201.10/24' + set interfaces dummy dum0 address '10.0.11.1/24' set interfaces vti vti10 address '10.0.0.2/31' - set vpn ipsec authentication psk OFFICE-B id '172.18.201.10' - set vpn ipsec authentication psk OFFICE-B id '172.18.202.10' - set vpn ipsec authentication psk OFFICE-B secret 'secretkey' + set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.201.10' + set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.202.10' + set vpn ipsec authentication psk peer_172-18-202-10 secret 'secretkey' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' + set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' + set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' set vpn ipsec interface 'eth0.201' - set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10' - set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10' - set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond' - set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer OFFICE-B local-address '192.168.0.10' - set vpn ipsec site-to-site peer OFFICE-B remote-address '172.18.202.10' - set vpn ipsec site-to-site peer OFFICE-B vti bind 'vti10' - set vpn ipsec site-to-site peer OFFICE-B vti esp-group 'ESP_DEFAULT' + set vpn ipsec site-to-site peer peer_172-18-202-10 authentication local-id '172.18.201.10' + set vpn ipsec site-to-site peer peer_172-18-202-10 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer peer_172-18-202-10 authentication remote-id '172.18.202.10' + set vpn ipsec site-to-site peer peer_172-18-202-10 connection-type 'initiate' + set vpn ipsec site-to-site peer peer_172-18-202-10 ike-group 'IKEv2_DEFAULT' + set vpn ipsec site-to-site peer peer_172-18-202-10 ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer peer_172-18-202-10 local-address '172.18.201.10' + set vpn ipsec site-to-site peer peer_172-18-202-10 remote-address '172.18.202.10' + set vpn ipsec site-to-site peer peer_172-18-202-10 vti bind 'vti10' + set vpn ipsec site-to-site peer peer_172-18-202-10 vti esp-group 'ESP_DEFAULT' + + set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10 -**right** +**RIGHT** .. code-block:: none + set interfaces ethernet eth0 vif 202 address '172.18.202.10/24' + set interfaces dummy dum0 address '10.0.12.1/24' set interfaces vti vti10 address '10.0.0.3/31' - set vpn ipsec authentication psk OFFICE-A id '172.18.201.10' - set vpn ipsec authentication psk OFFICE-A id '172.18.202.10' - set vpn ipsec authentication psk OFFICE-A secret 'secretkey' + set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.202.10' + set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.201.10' + set vpn ipsec authentication psk peer_172-18-201-10 secret 'secretkey' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart' + set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' + set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' set vpn ipsec interface 'eth0.202' - set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10' - set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10' - set vpn ipsec site-to-site peer OFFICE-A connection-type 'initiate' - set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer OFFICE-A local-address '172.18.202.10' - set vpn ipsec site-to-site peer OFFICE-A remote-address '172.18.201.10' - set vpn ipsec site-to-site peer OFFICE-A vti bind 'vti10' - set vpn ipsec site-to-site peer OFFICE-A vti esp-group 'ESP_DEFAULT' + set vpn ipsec site-to-site peer peer_172-18-201-10 authentication local-id '172.18.202.10' + set vpn ipsec site-to-site peer peer_172-18-201-10 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer peer_172-18-201-10 authentication remote-id '172.18.201.10' + set vpn ipsec site-to-site peer peer_172-18-201-10 connection-type 'initiate' + set vpn ipsec site-to-site peer peer_172-18-201-10 ike-group 'IKEv2_DEFAULT' + set vpn ipsec site-to-site peer peer_172-18-201-10 ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer peer_172-18-201-10 local-address '172.18.202.10' + set vpn ipsec site-to-site peer peer_172-18-201-10 remote-address '172.18.201.10' + set vpn ipsec site-to-site peer peer_172-18-201-10 vti bind 'vti10' + set vpn ipsec site-to-site peer peer_172-18-201-10 vti esp-group 'ESP_DEFAULT' + + set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10 Key Parameters: * ``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure - local/remote-identity, the device uses the IPv4 or IPv6 address that + local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. - In certain network setups (like ipsec interface with dynamic address, or - behind the NAT ), the IKE ID received from the peer does not match the IKE - gateway configured on the device. This can lead to a Phase 1 validation + In certain network setups (like ipsec interface with dynamic address, or + behind the NAT ), the IKE ID received from the peer does not match the IKE + gateway configured on the device. This can lead to a Phase 1 validation failure. - So, make sure to configure the local/remote id explicitly and ensure that the + So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device. * ``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration. -* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE - notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) - are periodically sent in order to check the liveliness of the IPsec peer. The - values clear, hold, and restart all activate DPD and determine the action to +* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE + notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) + are periodically sent in order to check the liveliness of the IPsec peer. The + values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. - With ``clear`` the connection is closed with no further actions taken. - ``hold`` installs a trap policy, which will catch matching traffic and tries - to re-negotiate the connection on demand. - ``restart`` will immediately trigger an attempt to re-negotiate the + With ``clear`` the connection is closed with no further actions taken. + ``hold`` installs a trap policy, which will catch matching traffic and tries + to re-negotiate the connection on demand. + ``restart`` will immediately trigger an attempt to re-negotiate the connection. -* ``close-action = none | clear | hold | restart`` - defines the action to take - if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of +* ``close-action = none | clear | hold | restart`` - defines the action to take + if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids. - - When the close-action option is set on the peers, the connection-type + + When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set - on both peers, then both would attempt to initiate and hold open multiple - copies of each child SA. This might lead to instability of the device or - cpu/memory utilization. - - Below flow-chart could be a quick reference for the close-action - combination depending on how the peer is configured. + on both peers, then both would attempt to initiate and hold open multiple + copies of each child SA. This might lead to instability of the device or + cpu/memory utilization. + + Below flow-chart could be a quick reference for the close-action + combination depending on how the peer is configured. .. figure:: /_static/images/IPSec_close_action_settings.jpg - + Similar combinations are applicable for the dead-peer-detection. diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst index dea53321..bd482cd9 100644 --- a/docs/configuration/vrf/index.rst +++ b/docs/configuration/vrf/index.rst @@ -282,6 +282,8 @@ Configuration VRF and NAT ----------- +.. _vrf:nat_configuration: + Configuration ^^^^^^^^^^^^^ @@ -295,11 +297,11 @@ Configuration set nat destination rule 110 description 'NAT ssh- INSIDE' set nat destination rule 110 destination port '2022' - set nat destination rule 110 inbound-interface 'eth0' + set nat destination rule 110 inbound-interface name 'eth0' set nat destination rule 110 protocol 'tcp' set nat destination rule 110 translation address '192.168.130.40' - set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 outbound-interface name 'eth0' set nat source rule 100 protocol 'all' set nat source rule 100 source address '192.168.130.0/24' set nat source rule 100 translation address 'masquerade' |