diff options
Diffstat (limited to 'docs')
72 files changed, 4747 insertions, 3217 deletions
diff --git a/docs/404.rst b/docs/404.rst index 5073773a..2ae79f2e 100644 --- a/docs/404.rst +++ b/docs/404.rst @@ -8,4 +8,5 @@ Try using the search box or go to the release homepage: * `1.2.x (crux) <https://docs.vyos.io/en/crux/>`_ * `1.3.x (equuleus) <https://docs.vyos.io/en/equuleus/>`_ - * `rolling release (sagitta) <https://docs.vyos.io/en/latest/>`_ + * `1.4.x (sagitta) <https://docs.vyos.io/en/sagitta/>`_ + * `rolling release (circinus) <https://docs.vyos.io/en/latest/>`_ diff --git a/docs/_include/interface-dhcp-options.txt b/docs/_include/interface-dhcp-options.txt index 27a80acd..c5683ca3 100644 --- a/docs/_include/interface-dhcp-options.txt +++ b/docs/_include/interface-dhcp-options.txt @@ -28,6 +28,11 @@ .. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} {{ var5 }} {{ var6 }} dhcp-options vendor-class-id <vendor-id> + This option is used by some DHCP clients to identify the vendor type and + possibly the configuration of a DHCP client. The information is a string of + bytes whose contents are specific to the vendor and are not specified in a + standard. + The vendor-class-id option can be used to request a specific class of vendor options from the server. @@ -74,3 +79,17 @@ .. code-block:: none set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} dhcp-options reject 192.168.100.0/24 + +.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }} + {{ var5 }} {{ var6 }} dhcp-options user-class <string> + + This option is used by some DHCP clients as a way for users to specify + identifying information to the client. This can be used in a similar way to + the vendor-class-identifier option, but the value of the option is specified + by the user, not the vendor. + + Example: + + .. code-block:: none + + set interfaces {{ var0 }} {{ var1 }} {{ var2 }} {{ var4 }} {{ var5 }} {{ var7 }} dhcp-options user-class VyOS diff --git a/docs/_include/vyos-1x b/docs/_include/vyos-1x -Subproject 7720ee247c03eeeab895da27804996571ffb476 +Subproject 18b2bb669bb87cde14324cbc2ae3a16d11fa578 diff --git a/docs/_locale/de/LC_MESSAGES/configuration.mo b/docs/_locale/de/LC_MESSAGES/configuration.mo Binary files differindex e300f5c4..0bbe8f6c 100644 --- a/docs/_locale/de/LC_MESSAGES/configuration.mo +++ b/docs/_locale/de/LC_MESSAGES/configuration.mo diff --git a/docs/_locale/de/configuration.pot b/docs/_locale/de/configuration.pot index d2dc913e..6641dd72 100644 --- a/docs/_locale/de/configuration.pot +++ b/docs/_locale/de/configuration.pot @@ -225,6 +225,14 @@ msgstr "**Important note on usage of terms:** The firewall makes use of the term msgid "**Interface name**" msgstr "**Interface name**" +#: ../../configuration/vpn/site2site_ipsec.rst:299 +msgid "**LEFT**" +msgstr "**LEFT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:283 +msgid "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" +msgstr "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" + #: ../../configuration/interfaces/vxlan.rst:214 msgid "**Leaf2 configuration:**" msgstr "**Leaf2 configuration:**" @@ -401,6 +409,14 @@ msgstr "**RADIUS based IP pools (Framed-IP-Address)**" msgid "**RADIUS sessions management DM/CoA**" msgstr "**RADIUS sessions management DM/CoA**" +#: ../../configuration/vpn/site2site_ipsec.rst:335 +msgid "**RIGHT**" +msgstr "**RIGHT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:289 +msgid "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" +msgstr "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" + #: ../../configuration/protocols/bgp.rst:113 msgid "**Router-ID check**" msgstr "**Router-ID check**" @@ -2619,7 +2635,7 @@ msgstr "Before enabling any hardware segmentation offload a corresponding softwa msgid "Before you are able to apply a rule-set to a zone you have to create the zones first." msgstr "Before you are able to apply a rule-set to a zone you have to create the zones first." -#: ../../configuration/vpn/site2site_ipsec.rst:392 +#: ../../configuration/vpn/site2site_ipsec.rst:413 msgid "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured." msgstr "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured." @@ -4609,7 +4625,7 @@ msgstr "Don't forget, the CIDR declared in the network statement **MUST exist in msgid "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**" msgstr "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**" -#: ../../configuration/vpn/site2site_ipsec.rst:284 +#: ../../configuration/vpn/site2site_ipsec.rst:295 msgid "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links." msgstr "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links." @@ -7636,6 +7652,10 @@ msgstr "In addition you can also disable the whole service without the need to r msgid "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." msgstr "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +#: ../../configuration/interfaces/wireguard.rst:416 +msgid "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +msgstr "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." + #: ../../configuration/firewall/general.rst:194 #: ../../configuration/firewall/general-legacy.rst:170 msgid "In an **address group** a single IP address or IP address ranges are defined." @@ -7997,7 +8017,7 @@ msgstr "Instead of sending the real system hostname to the DHCP server, overwrit msgid "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism." msgstr "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism." -#: ../../configuration/interfaces/wireless.rst:600 +#: ../../configuration/interfaces/wireless.rst:602 msgid "Intel AX200" msgstr "Intel AX200" @@ -8238,7 +8258,7 @@ msgstr "Key Generation" msgid "Key Management" msgstr "Key Management" -#: ../../configuration/vpn/site2site_ipsec.rst:353 +#: ../../configuration/vpn/site2site_ipsec.rst:374 msgid "Key Parameters:" msgstr "Key Parameters:" @@ -10952,7 +10972,7 @@ msgstr "Restarts the DNS recursor process. This also invalidates the local DNS f #: ../../configuration/interfaces/wireless.rst:315 #: ../../configuration/interfaces/wireless.rst:369 -#: ../../configuration/interfaces/wireless.rst:566 +#: ../../configuration/interfaces/wireless.rst:567 msgid "Resulting in" msgstr "Resulting in" @@ -12463,7 +12483,7 @@ msgstr "Sierra Wireless AirPrime MC7455 miniPCIe card (LTE)" msgid "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)" msgstr "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)" -#: ../../configuration/vpn/site2site_ipsec.rst:397 +#: ../../configuration/vpn/site2site_ipsec.rst:418 msgid "Similar combinations are applicable for the dead-peer-detection." msgstr "Similar combinations are applicable for the dead-peer-detection." @@ -13325,7 +13345,7 @@ msgstr "The HTTP service listen on TCP port 80." msgid "The IP address of the internal system we wish to forward traffic to." msgstr "The IP address of the internal system we wish to forward traffic to." -#: ../../configuration/interfaces/wireless.rst:602 +#: ../../configuration/interfaces/wireless.rst:604 msgid "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:" msgstr "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:" @@ -16258,7 +16278,7 @@ msgstr "To forward all broadcast packets received on `UDP port 1900` on `eth3`, msgid "To generate the CA, the server private key and certificates the following commands can be used." msgstr "To generate the CA, the server private key and certificates the following commands can be used." -#: ../../configuration/interfaces/wireless.rst:592 +#: ../../configuration/interfaces/wireless.rst:594 msgid "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system." msgstr "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system." @@ -18077,7 +18097,7 @@ msgstr "When starting a VyOS live system (the installation CD) the configured ke msgid "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address." msgstr "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address." -#: ../../configuration/vpn/site2site_ipsec.rst:386 +#: ../../configuration/vpn/site2site_ipsec.rst:407 msgid "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization." msgstr "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization." @@ -18483,10 +18503,13 @@ msgid "You should add a firewall to your configuration above as well by assignin msgstr "You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:" #: ../../configuration/interfaces/openvpn.rst:227 -#: ../../configuration/interfaces/wireguard.rst:225 msgid "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." msgstr "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +#: ../../configuration/interfaces/wireguard.rst:225 +msgid "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +msgstr "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." + #: ../../configuration/interfaces/wireguard.rst:136 msgid "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one." msgstr "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one." @@ -19112,7 +19135,7 @@ msgstr "``all-available`` all checking target addresses must be available to pas msgid "``any-available`` any of the checking target addresses must be available to pass this check" msgstr "``any-available`` any of the checking target addresses must be available to pass this check" -#: ../../configuration/vpn/site2site_ipsec.rst:355 +#: ../../configuration/vpn/site2site_ipsec.rst:376 msgid "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device." msgstr "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device." @@ -19168,7 +19191,7 @@ msgstr "``cert-file`` - certificate file, which will be used for authenticating msgid "``clear`` set action to clear;" msgstr "``clear`` set action to clear;" -#: ../../configuration/vpn/site2site_ipsec.rst:381 +#: ../../configuration/vpn/site2site_ipsec.rst:402 msgid "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids." msgstr "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids." @@ -19200,7 +19223,7 @@ msgstr "``crl-file`` - file with the Certificate Revocation List. Using to check msgid "``d`` - Execution interval in days" msgstr "``d`` - Execution interval in days" -#: ../../configuration/vpn/site2site_ipsec.rst:370 +#: ../../configuration/vpn/site2site_ipsec.rst:391 msgid "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection." msgstr "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection." @@ -19232,7 +19255,7 @@ msgstr "``dhcp-interface`` - use an IP address, received from DHCP for IPSec con msgid "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default." msgstr "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default." -#: ../../configuration/vpn/site2site_ipsec.rst:366 +#: ../../configuration/vpn/site2site_ipsec.rst:387 msgid "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration." msgstr "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration." diff --git a/docs/_locale/en/LC_MESSAGES/configuration.mo b/docs/_locale/en/LC_MESSAGES/configuration.mo Binary files differindex db09832e..39936707 100644 --- a/docs/_locale/en/LC_MESSAGES/configuration.mo +++ b/docs/_locale/en/LC_MESSAGES/configuration.mo diff --git a/docs/_locale/es/LC_MESSAGES/configuration.mo b/docs/_locale/es/LC_MESSAGES/configuration.mo Binary files differindex b431bd09..01a535c8 100644 --- a/docs/_locale/es/LC_MESSAGES/configuration.mo +++ b/docs/_locale/es/LC_MESSAGES/configuration.mo diff --git a/docs/_locale/es/configuration.pot b/docs/_locale/es/configuration.pot index a05518ea..88324a87 100644 --- a/docs/_locale/es/configuration.pot +++ b/docs/_locale/es/configuration.pot @@ -225,6 +225,14 @@ msgstr "**Nota importante sobre el uso de términos:** El cortafuegos utiliza lo msgid "**Interface name**" msgstr "**Nombre de interfaz**" +#: ../../configuration/vpn/site2site_ipsec.rst:299 +msgid "**LEFT**" +msgstr "**LEFT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:283 +msgid "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" +msgstr "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" + #: ../../configuration/interfaces/vxlan.rst:214 msgid "**Leaf2 configuration:**" msgstr "**Configuración hoja2:**" @@ -401,6 +409,14 @@ msgstr "**Grupos de IP basados en RADIUS (dirección IP enmarcada)**" msgid "**RADIUS sessions management DM/CoA**" msgstr "**Administración de sesiones RADIUS DM/CoA**" +#: ../../configuration/vpn/site2site_ipsec.rst:335 +msgid "**RIGHT**" +msgstr "**RIGHT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:289 +msgid "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" +msgstr "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" + #: ../../configuration/protocols/bgp.rst:113 msgid "**Router-ID check**" msgstr "** Verificación de ID de enrutador **" @@ -2619,7 +2635,7 @@ msgstr "Antes de habilitar cualquier descarga de segmentación de hardware, se r msgid "Before you are able to apply a rule-set to a zone you have to create the zones first." msgstr "Antes de poder aplicar un conjunto de reglas a una zona, primero debe crear las zonas." -#: ../../configuration/vpn/site2site_ipsec.rst:392 +#: ../../configuration/vpn/site2site_ipsec.rst:413 msgid "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured." msgstr "El siguiente diagrama de flujo podría ser una referencia rápida para la combinación de acción de cierre, según cómo esté configurado el par." @@ -4609,7 +4625,7 @@ msgstr "No olvide, el CIDR declarado en la declaración de red **DEBE existir en msgid "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**" msgstr "No olvide que el CIDR declarado en la declaración de red DEBE **existir en su tabla de enrutamiento (dinámico o estático), la mejor manera de asegurarse de que sea cierto es creando una ruta estática:**" -#: ../../configuration/vpn/site2site_ipsec.rst:284 +#: ../../configuration/vpn/site2site_ipsec.rst:295 msgid "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links." msgstr "No se confunda con la subred del túnel /31 utilizada. :rfc:`3021` le brinda información adicional para usar subredes /31 en enlaces punto a punto." @@ -7636,6 +7652,10 @@ msgstr "Además también puedes deshabilitar todo el servicio sin necesidad de e msgid "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." msgstr "Además, especificará la dirección IP o FQDN del cliente al que se conectará. El parámetro de dirección se puede usar hasta dos veces y se usa para asignar direcciones IPv4 (/32) o IPv6 (/128) específicas a los clientes." +#: ../../configuration/interfaces/wireguard.rst:416 +msgid "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +msgstr "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." + #: ../../configuration/firewall/general.rst:194 #: ../../configuration/firewall/general-legacy.rst:170 msgid "In an **address group** a single IP address or IP address ranges are defined." @@ -7997,7 +8017,7 @@ msgstr "En lugar de enviar el nombre de host real del sistema al servidor DHCP, msgid "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism." msgstr "Integridad: integridad del mensaje para garantizar que un paquete no haya sido manipulado durante el tránsito, incluido un mecanismo opcional de protección de reproducción de paquetes." -#: ../../configuration/interfaces/wireless.rst:600 +#: ../../configuration/interfaces/wireless.rst:602 msgid "Intel AX200" msgstr "Intel AX200" @@ -8238,7 +8258,7 @@ msgstr "Generación de claves" msgid "Key Management" msgstr "Gestión de claves" -#: ../../configuration/vpn/site2site_ipsec.rst:353 +#: ../../configuration/vpn/site2site_ipsec.rst:374 msgid "Key Parameters:" msgstr "Parámetros clave:" @@ -10952,7 +10972,7 @@ msgstr "Reinicia el proceso de recurso de DNS. Esto también invalida el caché #: ../../configuration/interfaces/wireless.rst:315 #: ../../configuration/interfaces/wireless.rst:369 -#: ../../configuration/interfaces/wireless.rst:566 +#: ../../configuration/interfaces/wireless.rst:567 msgid "Resulting in" msgstr "Resultando en" @@ -12463,7 +12483,7 @@ msgstr "Tarjeta miniPCIe (LTE) Sierra Wireless AirPrime MC7455" msgid "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)" msgstr "Sierra Wireless AirPrime MC7710 tarjeta miniPCIe (LTE)" -#: ../../configuration/vpn/site2site_ipsec.rst:397 +#: ../../configuration/vpn/site2site_ipsec.rst:418 msgid "Similar combinations are applicable for the dead-peer-detection." msgstr "Se aplican combinaciones similares para la detección de pares muertos." @@ -13325,7 +13345,7 @@ msgstr "El servicio HTTP escucha en el puerto TCP 80." msgid "The IP address of the internal system we wish to forward traffic to." msgstr "La dirección IP del sistema interno al que deseamos reenviar el tráfico." -#: ../../configuration/interfaces/wireless.rst:602 +#: ../../configuration/interfaces/wireless.rst:604 msgid "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:" msgstr "La tarjeta Intel AX200 no funciona de fábrica en modo AP, consulte https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. Todavía puede poner esta tarjeta en modo AP usando la siguiente configuración:" @@ -16258,7 +16278,7 @@ msgstr "Para reenviar todos los paquetes de difusión recibidos en el "puer msgid "To generate the CA, the server private key and certificates the following commands can be used." msgstr "Para generar la CA, la clave privada del servidor y los certificados, se pueden utilizar los siguientes comandos." -#: ../../configuration/interfaces/wireless.rst:592 +#: ../../configuration/interfaces/wireless.rst:594 msgid "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system." msgstr "Para que funcione como un punto de acceso con esta configuración, deberá configurar un servidor DHCP para que funcione con esa red. Por supuesto, también puede unir la interfaz inalámbrica con cualquier puente configurado (:ref:`bridge-interface`) en el sistema." @@ -18077,7 +18097,7 @@ msgstr "Al iniciar un sistema VyOS en vivo (el CD de instalación), el diseño d msgid "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address." msgstr "Cuando el servidor DHCP está considerando asignar dinámicamente una dirección IP a un cliente, primero envía una solicitud de eco ICMP (un ping) a la dirección asignada. Espera un segundo y, si no se escucha ninguna respuesta de eco ICMP, asigna la dirección." -#: ../../configuration/vpn/site2site_ipsec.rst:386 +#: ../../configuration/vpn/site2site_ipsec.rst:407 msgid "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization." msgstr "Cuando la opción de acción de cierre se establece en los pares, el tipo de conexión de cada par debe considerarse cuidadosamente. Por ejemplo, si la opción está configurada en ambos pares, ambos intentarán iniciar y mantener abiertas varias copias de cada SA secundario. Esto podría conducir a la inestabilidad del dispositivo o la utilización de la CPU/memoria." @@ -18483,10 +18503,13 @@ msgid "You should add a firewall to your configuration above as well by assignin msgstr "También debe agregar un firewall a su configuración anterior asignándolo al propio pppoe0 como se muestra aquí:" #: ../../configuration/interfaces/openvpn.rst:227 -#: ../../configuration/interfaces/wireguard.rst:225 msgid "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." msgstr "También debe asegurarse de que el grupo de firewall OUTISDE_LOCAL se aplique a la interfaz WAN y una dirección (local)." +#: ../../configuration/interfaces/wireguard.rst:225 +msgid "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +msgstr "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." + #: ../../configuration/interfaces/wireguard.rst:136 msgid "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one." msgstr "También necesitará la clave pública de su par, así como la(s) red(es) que desea tunelizar (ips permitidas) para configurar un túnel WireGuard. La clave pública a continuación es siempre la clave pública de su par, no la local." @@ -19112,7 +19135,7 @@ msgstr "``todas disponibles`` todas las direcciones de destino de verificación msgid "``any-available`` any of the checking target addresses must be available to pass this check" msgstr "``cualquiera disponible`` cualquiera de las direcciones de destino de verificación debe estar disponible para pasar esta verificación" -#: ../../configuration/vpn/site2site_ipsec.rst:355 +#: ../../configuration/vpn/site2site_ipsec.rst:376 msgid "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device." msgstr "``authentication local-id/remote-id``: la identificación de IKE se utiliza para la validación de los dispositivos del mismo nivel de VPN durante la negociación de IKE. Si no configura la identidad local/remota, el dispositivo utiliza la dirección IPv4 o IPv6 que corresponde al par local/remoto de forma predeterminada. En ciertas configuraciones de red (como la interfaz ipsec con dirección dinámica o detrás de NAT), la ID de IKE recibida del par no coincide con la puerta de enlace IKE configurada en el dispositivo. Esto puede conducir a una falla de validación de Fase 1. Por lo tanto, asegúrese de configurar la identificación local/remota explícitamente y asegúrese de que la identificación IKE sea la misma que la identidad remota configurada en el dispositivo par." @@ -19168,7 +19191,7 @@ msgstr "``cert-file``: archivo de certificado, que se usará para autenticar el msgid "``clear`` set action to clear;" msgstr "``borrar`` establece la acción para borrar;" -#: ../../configuration/vpn/site2site_ipsec.rst:381 +#: ../../configuration/vpn/site2site_ipsec.rst:402 msgid "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids." msgstr "``cierre-acción = ninguno | claro | espera | restart`` - define la acción a tomar si el par remoto cierra inesperadamente un CHILD_SA (ver arriba para el significado de los valores). No se debe usar una acción de cierre si el par usa reautenticación o identificadores únicos." @@ -19200,7 +19223,7 @@ msgstr "``crl-file`` - archivo con la Lista de Revocación de Certificados. Uso msgid "``d`` - Execution interval in days" msgstr "``d`` - Intervalo de ejecución en días" -#: ../../configuration/vpn/site2site_ipsec.rst:370 +#: ../../configuration/vpn/site2site_ipsec.rst:391 msgid "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection." msgstr "``acción de detección de pares muertos = borrar | espera | reiniciar``: los mensajes de notificación R_U_THERE (IKEv1) o los mensajes INFORMATIVOS vacíos (IKEv2) se envían periódicamente para verificar la actividad del par IPsec. Los valores borrar, mantener y reiniciar activan DPD y determinan la acción a realizar en un tiempo de espera. Con ``clear`` la conexión se cierra sin que se realicen más acciones. ``hold`` instala una política de captura, que capturará el tráfico coincidente e intentará renegociar la conexión a pedido. ``reiniciar`` activará inmediatamente un intento de renegociar la conexión." @@ -19232,7 +19255,7 @@ msgstr "``dhcp-interface``: use una dirección IP, recibida de DHCP para la cone msgid "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default." msgstr "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default." -#: ../../configuration/vpn/site2site_ipsec.rst:366 +#: ../../configuration/vpn/site2site_ipsec.rst:387 msgid "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration." msgstr "``disable-route-autoinstall``: esta opción, cuando se configura, deshabilita las rutas instaladas en la tabla predeterminada 220 para ipsec de sitio a sitio. Se utiliza sobre todo con la configuración de VTI." diff --git a/docs/_locale/ja/LC_MESSAGES/configuration.mo b/docs/_locale/ja/LC_MESSAGES/configuration.mo Binary files differindex 336afc77..1716cef9 100644 --- a/docs/_locale/ja/LC_MESSAGES/configuration.mo +++ b/docs/_locale/ja/LC_MESSAGES/configuration.mo diff --git a/docs/_locale/ja/configuration.pot b/docs/_locale/ja/configuration.pot index 9f253648..b76eeeb0 100644 --- a/docs/_locale/ja/configuration.pot +++ b/docs/_locale/ja/configuration.pot @@ -225,6 +225,14 @@ msgstr "**Important note on usage of terms:** The firewall makes use of the term msgid "**Interface name**" msgstr "**Interface name**" +#: ../../configuration/vpn/site2site_ipsec.rst:299 +msgid "**LEFT**" +msgstr "**LEFT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:283 +msgid "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" +msgstr "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" + #: ../../configuration/interfaces/vxlan.rst:214 msgid "**Leaf2 configuration:**" msgstr "**Leaf2 configuration:**" @@ -401,6 +409,14 @@ msgstr "**RADIUS based IP pools (Framed-IP-Address)**" msgid "**RADIUS sessions management DM/CoA**" msgstr "**RADIUS sessions management DM/CoA**" +#: ../../configuration/vpn/site2site_ipsec.rst:335 +msgid "**RIGHT**" +msgstr "**RIGHT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:289 +msgid "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" +msgstr "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" + #: ../../configuration/protocols/bgp.rst:113 msgid "**Router-ID check**" msgstr "**Router-ID check**" @@ -2619,7 +2635,7 @@ msgstr "Before enabling any hardware segmentation offload a corresponding softwa msgid "Before you are able to apply a rule-set to a zone you have to create the zones first." msgstr "Before you are able to apply a rule-set to a zone you have to create the zones first." -#: ../../configuration/vpn/site2site_ipsec.rst:392 +#: ../../configuration/vpn/site2site_ipsec.rst:413 msgid "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured." msgstr "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured." @@ -4609,7 +4625,7 @@ msgstr "Don't forget, the CIDR declared in the network statement **MUST exist in msgid "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**" msgstr "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**" -#: ../../configuration/vpn/site2site_ipsec.rst:284 +#: ../../configuration/vpn/site2site_ipsec.rst:295 msgid "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links." msgstr "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links." @@ -7636,6 +7652,10 @@ msgstr "In addition you can also disable the whole service without the need to r msgid "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." msgstr "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +#: ../../configuration/interfaces/wireguard.rst:416 +msgid "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +msgstr "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." + #: ../../configuration/firewall/general.rst:194 #: ../../configuration/firewall/general-legacy.rst:170 msgid "In an **address group** a single IP address or IP address ranges are defined." @@ -7997,7 +8017,7 @@ msgstr "Instead of sending the real system hostname to the DHCP server, overwrit msgid "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism." msgstr "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism." -#: ../../configuration/interfaces/wireless.rst:600 +#: ../../configuration/interfaces/wireless.rst:602 msgid "Intel AX200" msgstr "Intel AX200" @@ -8238,7 +8258,7 @@ msgstr "Key Generation" msgid "Key Management" msgstr "Key Management" -#: ../../configuration/vpn/site2site_ipsec.rst:353 +#: ../../configuration/vpn/site2site_ipsec.rst:374 msgid "Key Parameters:" msgstr "Key Parameters:" @@ -10952,7 +10972,7 @@ msgstr "Restarts the DNS recursor process. This also invalidates the local DNS f #: ../../configuration/interfaces/wireless.rst:315 #: ../../configuration/interfaces/wireless.rst:369 -#: ../../configuration/interfaces/wireless.rst:566 +#: ../../configuration/interfaces/wireless.rst:567 msgid "Resulting in" msgstr "Resulting in" @@ -12463,7 +12483,7 @@ msgstr "Sierra Wireless AirPrime MC7455 miniPCIe card (LTE)" msgid "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)" msgstr "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)" -#: ../../configuration/vpn/site2site_ipsec.rst:397 +#: ../../configuration/vpn/site2site_ipsec.rst:418 msgid "Similar combinations are applicable for the dead-peer-detection." msgstr "Similar combinations are applicable for the dead-peer-detection." @@ -13325,7 +13345,7 @@ msgstr "The HTTP service listen on TCP port 80." msgid "The IP address of the internal system we wish to forward traffic to." msgstr "The IP address of the internal system we wish to forward traffic to." -#: ../../configuration/interfaces/wireless.rst:602 +#: ../../configuration/interfaces/wireless.rst:604 msgid "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:" msgstr "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:" @@ -16258,7 +16278,7 @@ msgstr "To forward all broadcast packets received on `UDP port 1900` on `eth3`, msgid "To generate the CA, the server private key and certificates the following commands can be used." msgstr "To generate the CA, the server private key and certificates the following commands can be used." -#: ../../configuration/interfaces/wireless.rst:592 +#: ../../configuration/interfaces/wireless.rst:594 msgid "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system." msgstr "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system." @@ -18077,7 +18097,7 @@ msgstr "When starting a VyOS live system (the installation CD) the configured ke msgid "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address." msgstr "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address." -#: ../../configuration/vpn/site2site_ipsec.rst:386 +#: ../../configuration/vpn/site2site_ipsec.rst:407 msgid "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization." msgstr "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization." @@ -18483,10 +18503,13 @@ msgid "You should add a firewall to your configuration above as well by assignin msgstr "You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:" #: ../../configuration/interfaces/openvpn.rst:227 -#: ../../configuration/interfaces/wireguard.rst:225 msgid "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." msgstr "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +#: ../../configuration/interfaces/wireguard.rst:225 +msgid "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +msgstr "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." + #: ../../configuration/interfaces/wireguard.rst:136 msgid "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one." msgstr "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one." @@ -19112,7 +19135,7 @@ msgstr "``all-available`` all checking target addresses must be available to pas msgid "``any-available`` any of the checking target addresses must be available to pass this check" msgstr "``any-available`` any of the checking target addresses must be available to pass this check" -#: ../../configuration/vpn/site2site_ipsec.rst:355 +#: ../../configuration/vpn/site2site_ipsec.rst:376 msgid "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device." msgstr "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device." @@ -19168,7 +19191,7 @@ msgstr "``cert-file`` - certificate file, which will be used for authenticating msgid "``clear`` set action to clear;" msgstr "``clear`` set action to clear;" -#: ../../configuration/vpn/site2site_ipsec.rst:381 +#: ../../configuration/vpn/site2site_ipsec.rst:402 msgid "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids." msgstr "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids." @@ -19200,7 +19223,7 @@ msgstr "``crl-file`` - file with the Certificate Revocation List. Using to check msgid "``d`` - Execution interval in days" msgstr "``d`` - Execution interval in days" -#: ../../configuration/vpn/site2site_ipsec.rst:370 +#: ../../configuration/vpn/site2site_ipsec.rst:391 msgid "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection." msgstr "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection." @@ -19232,7 +19255,7 @@ msgstr "``dhcp-interface`` - use an IP address, received from DHCP for IPSec con msgid "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default." msgstr "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default." -#: ../../configuration/vpn/site2site_ipsec.rst:366 +#: ../../configuration/vpn/site2site_ipsec.rst:387 msgid "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration." msgstr "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration." diff --git a/docs/_locale/pt/LC_MESSAGES/configuration.mo b/docs/_locale/pt/LC_MESSAGES/configuration.mo Binary files differindex 08df0708..62817f09 100644 --- a/docs/_locale/pt/LC_MESSAGES/configuration.mo +++ b/docs/_locale/pt/LC_MESSAGES/configuration.mo diff --git a/docs/_locale/pt/configuration.pot b/docs/_locale/pt/configuration.pot index 5a12333e..dbe8970c 100644 --- a/docs/_locale/pt/configuration.pot +++ b/docs/_locale/pt/configuration.pot @@ -225,6 +225,14 @@ msgstr "**Important note on usage of terms:** The firewall makes use of the term msgid "**Interface name**" msgstr "**Interface name**" +#: ../../configuration/vpn/site2site_ipsec.rst:299 +msgid "**LEFT**" +msgstr "**LEFT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:283 +msgid "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" +msgstr "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" + #: ../../configuration/interfaces/vxlan.rst:214 msgid "**Leaf2 configuration:**" msgstr "**Leaf2 configuration:**" @@ -401,6 +409,14 @@ msgstr "**RADIUS based IP pools (Framed-IP-Address)**" msgid "**RADIUS sessions management DM/CoA**" msgstr "**RADIUS sessions management DM/CoA**" +#: ../../configuration/vpn/site2site_ipsec.rst:335 +msgid "**RIGHT**" +msgstr "**RIGHT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:289 +msgid "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" +msgstr "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" + #: ../../configuration/protocols/bgp.rst:113 msgid "**Router-ID check**" msgstr "**Router-ID check**" @@ -2619,7 +2635,7 @@ msgstr "Before enabling any hardware segmentation offload a corresponding softwa msgid "Before you are able to apply a rule-set to a zone you have to create the zones first." msgstr "Before you are able to apply a rule-set to a zone you have to create the zones first." -#: ../../configuration/vpn/site2site_ipsec.rst:392 +#: ../../configuration/vpn/site2site_ipsec.rst:413 msgid "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured." msgstr "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured." @@ -4609,7 +4625,7 @@ msgstr "Don't forget, the CIDR declared in the network statement **MUST exist in msgid "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**" msgstr "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**" -#: ../../configuration/vpn/site2site_ipsec.rst:284 +#: ../../configuration/vpn/site2site_ipsec.rst:295 msgid "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links." msgstr "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links." @@ -7636,6 +7652,10 @@ msgstr "In addition you can also disable the whole service without the need to r msgid "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." msgstr "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +#: ../../configuration/interfaces/wireguard.rst:416 +msgid "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +msgstr "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." + #: ../../configuration/firewall/general.rst:194 #: ../../configuration/firewall/general-legacy.rst:170 msgid "In an **address group** a single IP address or IP address ranges are defined." @@ -7997,7 +8017,7 @@ msgstr "Instead of sending the real system hostname to the DHCP server, overwrit msgid "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism." msgstr "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism." -#: ../../configuration/interfaces/wireless.rst:600 +#: ../../configuration/interfaces/wireless.rst:602 msgid "Intel AX200" msgstr "Intel AX200" @@ -8238,7 +8258,7 @@ msgstr "Key Generation" msgid "Key Management" msgstr "Key Management" -#: ../../configuration/vpn/site2site_ipsec.rst:353 +#: ../../configuration/vpn/site2site_ipsec.rst:374 msgid "Key Parameters:" msgstr "Key Parameters:" @@ -10952,7 +10972,7 @@ msgstr "Restarts the DNS recursor process. This also invalidates the local DNS f #: ../../configuration/interfaces/wireless.rst:315 #: ../../configuration/interfaces/wireless.rst:369 -#: ../../configuration/interfaces/wireless.rst:566 +#: ../../configuration/interfaces/wireless.rst:567 msgid "Resulting in" msgstr "Resulting in" @@ -12463,7 +12483,7 @@ msgstr "Sierra Wireless AirPrime MC7455 miniPCIe card (LTE)" msgid "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)" msgstr "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)" -#: ../../configuration/vpn/site2site_ipsec.rst:397 +#: ../../configuration/vpn/site2site_ipsec.rst:418 msgid "Similar combinations are applicable for the dead-peer-detection." msgstr "Similar combinations are applicable for the dead-peer-detection." @@ -13325,7 +13345,7 @@ msgstr "The HTTP service listen on TCP port 80." msgid "The IP address of the internal system we wish to forward traffic to." msgstr "The IP address of the internal system we wish to forward traffic to." -#: ../../configuration/interfaces/wireless.rst:602 +#: ../../configuration/interfaces/wireless.rst:604 msgid "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:" msgstr "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:" @@ -16258,7 +16278,7 @@ msgstr "To forward all broadcast packets received on `UDP port 1900` on `eth3`, msgid "To generate the CA, the server private key and certificates the following commands can be used." msgstr "To generate the CA, the server private key and certificates the following commands can be used." -#: ../../configuration/interfaces/wireless.rst:592 +#: ../../configuration/interfaces/wireless.rst:594 msgid "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system." msgstr "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system." @@ -18077,7 +18097,7 @@ msgstr "When starting a VyOS live system (the installation CD) the configured ke msgid "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address." msgstr "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address." -#: ../../configuration/vpn/site2site_ipsec.rst:386 +#: ../../configuration/vpn/site2site_ipsec.rst:407 msgid "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization." msgstr "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization." @@ -18483,10 +18503,13 @@ msgid "You should add a firewall to your configuration above as well by assignin msgstr "You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:" #: ../../configuration/interfaces/openvpn.rst:227 -#: ../../configuration/interfaces/wireguard.rst:225 msgid "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." msgstr "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +#: ../../configuration/interfaces/wireguard.rst:225 +msgid "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +msgstr "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." + #: ../../configuration/interfaces/wireguard.rst:136 msgid "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one." msgstr "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one." @@ -19112,7 +19135,7 @@ msgstr "``all-available`` all checking target addresses must be available to pas msgid "``any-available`` any of the checking target addresses must be available to pass this check" msgstr "``any-available`` any of the checking target addresses must be available to pass this check" -#: ../../configuration/vpn/site2site_ipsec.rst:355 +#: ../../configuration/vpn/site2site_ipsec.rst:376 msgid "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device." msgstr "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device." @@ -19168,7 +19191,7 @@ msgstr "``cert-file`` - certificate file, which will be used for authenticating msgid "``clear`` set action to clear;" msgstr "``clear`` set action to clear;" -#: ../../configuration/vpn/site2site_ipsec.rst:381 +#: ../../configuration/vpn/site2site_ipsec.rst:402 msgid "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids." msgstr "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids." @@ -19200,7 +19223,7 @@ msgstr "``crl-file`` - file with the Certificate Revocation List. Using to check msgid "``d`` - Execution interval in days" msgstr "``d`` - Execution interval in days" -#: ../../configuration/vpn/site2site_ipsec.rst:370 +#: ../../configuration/vpn/site2site_ipsec.rst:391 msgid "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection." msgstr "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection." @@ -19232,7 +19255,7 @@ msgstr "``dhcp-interface`` - use an IP address, received from DHCP for IPSec con msgid "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default." msgstr "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default." -#: ../../configuration/vpn/site2site_ipsec.rst:366 +#: ../../configuration/vpn/site2site_ipsec.rst:387 msgid "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration." msgstr "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration." diff --git a/docs/_locale/uk/LC_MESSAGES/configuration.mo b/docs/_locale/uk/LC_MESSAGES/configuration.mo Binary files differindex d6a4812d..a7fe23ad 100644 --- a/docs/_locale/uk/LC_MESSAGES/configuration.mo +++ b/docs/_locale/uk/LC_MESSAGES/configuration.mo diff --git a/docs/_locale/uk/configuration.pot b/docs/_locale/uk/configuration.pot index 1e440479..a3a1a512 100644 --- a/docs/_locale/uk/configuration.pot +++ b/docs/_locale/uk/configuration.pot @@ -225,6 +225,14 @@ msgstr "**Important note on usage of terms:** The firewall makes use of the term msgid "**Interface name**" msgstr "**Interface name**" +#: ../../configuration/vpn/site2site_ipsec.rst:299 +msgid "**LEFT**" +msgstr "**LEFT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:283 +msgid "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" +msgstr "**LEFT:** * WAN interface on `eth0.201` * `eth0.201` interface IP: `172.18.201.10/24` * `vti10` interface IP: `10.0.0.2/31` * `dum0` interface IP: `10.0.11.1/24` (for testing purposes)" + #: ../../configuration/interfaces/vxlan.rst:214 msgid "**Leaf2 configuration:**" msgstr "**Leaf2 configuration:**" @@ -401,6 +409,14 @@ msgstr "**RADIUS based IP pools (Framed-IP-Address)**" msgid "**RADIUS sessions management DM/CoA**" msgstr "**RADIUS sessions management DM/CoA**" +#: ../../configuration/vpn/site2site_ipsec.rst:335 +msgid "**RIGHT**" +msgstr "**RIGHT**" + +#: ../../configuration/vpn/site2site_ipsec.rst:289 +msgid "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" +msgstr "**RIGHT:** * WAN interface on `eth0.202` * `eth0.201` interface IP: `172.18.202.10/24` * `vti10` interface IP: `10.0.0.3/31` * `dum0` interface IP: `10.0.12.1/24` (for testing purposes)" + #: ../../configuration/protocols/bgp.rst:113 msgid "**Router-ID check**" msgstr "**Router-ID check**" @@ -2619,7 +2635,7 @@ msgstr "Before enabling any hardware segmentation offload a corresponding softwa msgid "Before you are able to apply a rule-set to a zone you have to create the zones first." msgstr "Before you are able to apply a rule-set to a zone you have to create the zones first." -#: ../../configuration/vpn/site2site_ipsec.rst:392 +#: ../../configuration/vpn/site2site_ipsec.rst:413 msgid "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured." msgstr "Below flow-chart could be a quick reference for the close-action combination depending on how the peer is configured." @@ -4609,7 +4625,7 @@ msgstr "Don't forget, the CIDR declared in the network statement **MUST exist in msgid "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**" msgstr "Don't forget, the CIDR declared in the network statement MUST **exist in your routing table (dynamic or static), the best way to make sure that is true is creating a static route:**" -#: ../../configuration/vpn/site2site_ipsec.rst:284 +#: ../../configuration/vpn/site2site_ipsec.rst:295 msgid "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links." msgstr "Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links." @@ -7636,6 +7652,10 @@ msgstr "In addition you can also disable the whole service without the need to r msgid "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." msgstr "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +#: ../../configuration/interfaces/wireguard.rst:416 +msgid "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." +msgstr "In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address." + #: ../../configuration/firewall/general.rst:194 #: ../../configuration/firewall/general-legacy.rst:170 msgid "In an **address group** a single IP address or IP address ranges are defined." @@ -7997,7 +8017,7 @@ msgstr "Instead of sending the real system hostname to the DHCP server, overwrit msgid "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism." msgstr "Integrity – Message integrity to ensure that a packet has not been tampered while in transit including an optional packet replay protection mechanism." -#: ../../configuration/interfaces/wireless.rst:600 +#: ../../configuration/interfaces/wireless.rst:602 msgid "Intel AX200" msgstr "Intel AX200" @@ -8238,7 +8258,7 @@ msgstr "Key Generation" msgid "Key Management" msgstr "Key Management" -#: ../../configuration/vpn/site2site_ipsec.rst:353 +#: ../../configuration/vpn/site2site_ipsec.rst:374 msgid "Key Parameters:" msgstr "Key Parameters:" @@ -10952,7 +10972,7 @@ msgstr "Restarts the DNS recursor process. This also invalidates the local DNS f #: ../../configuration/interfaces/wireless.rst:315 #: ../../configuration/interfaces/wireless.rst:369 -#: ../../configuration/interfaces/wireless.rst:566 +#: ../../configuration/interfaces/wireless.rst:567 msgid "Resulting in" msgstr "Resulting in" @@ -12463,7 +12483,7 @@ msgstr "Sierra Wireless AirPrime MC7455 miniPCIe card (LTE)" msgid "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)" msgstr "Sierra Wireless AirPrime MC7710 miniPCIe card (LTE)" -#: ../../configuration/vpn/site2site_ipsec.rst:397 +#: ../../configuration/vpn/site2site_ipsec.rst:418 msgid "Similar combinations are applicable for the dead-peer-detection." msgstr "Similar combinations are applicable for the dead-peer-detection." @@ -13325,7 +13345,7 @@ msgstr "The HTTP service listen on TCP port 80." msgid "The IP address of the internal system we wish to forward traffic to." msgstr "The IP address of the internal system we wish to forward traffic to." -#: ../../configuration/interfaces/wireless.rst:602 +#: ../../configuration/interfaces/wireless.rst:604 msgid "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:" msgstr "The Intel AX200 card does not work out of the box in AP mode, see https://unix.stackexchange.com/questions/598275/intel-ax200-ap-mode. You can still put this card into AP mode using the following configuration:" @@ -16258,7 +16278,7 @@ msgstr "To forward all broadcast packets received on `UDP port 1900` on `eth3`, msgid "To generate the CA, the server private key and certificates the following commands can be used." msgstr "To generate the CA, the server private key and certificates the following commands can be used." -#: ../../configuration/interfaces/wireless.rst:592 +#: ../../configuration/interfaces/wireless.rst:594 msgid "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system." msgstr "To get it to work as an access point with this configuration you will need to set up a DHCP server to work with that network. You can - of course - also bridge the Wireless interface with any configured bridge (:ref:`bridge-interface`) on the system." @@ -18077,7 +18097,7 @@ msgstr "When starting a VyOS live system (the installation CD) the configured ke msgid "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address." msgstr "When the DHCP server is considering dynamically allocating an IP address to a client, it first sends an ICMP Echo request (a ping) to the address being assigned. It waits for a second, and if no ICMP Echo response has been heard, it assigns the address." -#: ../../configuration/vpn/site2site_ipsec.rst:386 +#: ../../configuration/vpn/site2site_ipsec.rst:407 msgid "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization." msgstr "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization." @@ -18483,10 +18503,13 @@ msgid "You should add a firewall to your configuration above as well by assignin msgstr "You should add a firewall to your configuration above as well by assigning it to the pppoe0 itself as shown here:" #: ../../configuration/interfaces/openvpn.rst:227 -#: ../../configuration/interfaces/wireguard.rst:225 msgid "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." msgstr "You should also ensure that the OUTISDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +#: ../../configuration/interfaces/wireguard.rst:225 +msgid "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." +msgstr "You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local)." + #: ../../configuration/interfaces/wireguard.rst:136 msgid "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one." msgstr "You will also need the public key of your peer as well as the network(s) you want to tunnel (allowed-ips) to configure a WireGuard tunnel. The public key below is always the public key from your peer, not your local one." @@ -19112,7 +19135,7 @@ msgstr "``all-available`` all checking target addresses must be available to pas msgid "``any-available`` any of the checking target addresses must be available to pass this check" msgstr "``any-available`` any of the checking target addresses must be available to pass this check" -#: ../../configuration/vpn/site2site_ipsec.rst:355 +#: ../../configuration/vpn/site2site_ipsec.rst:376 msgid "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device." msgstr "``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. In certain network setups (like ipsec interface with dynamic address, or behind the NAT ), the IKE ID received from the peer does not match the IKE gateway configured on the device. This can lead to a Phase 1 validation failure. So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device." @@ -19168,7 +19191,7 @@ msgstr "``cert-file`` - certificate file, which will be used for authenticating msgid "``clear`` set action to clear;" msgstr "``clear`` set action to clear;" -#: ../../configuration/vpn/site2site_ipsec.rst:381 +#: ../../configuration/vpn/site2site_ipsec.rst:402 msgid "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids." msgstr "``close-action = none | clear | hold | restart`` - defines the action to take if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids." @@ -19200,7 +19223,7 @@ msgstr "``crl-file`` - file with the Certificate Revocation List. Using to check msgid "``d`` - Execution interval in days" msgstr "``d`` - Execution interval in days" -#: ../../configuration/vpn/site2site_ipsec.rst:370 +#: ../../configuration/vpn/site2site_ipsec.rst:391 msgid "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection." msgstr "``dead-peer-detection action = clear | hold | restart`` - R_U_THERE notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) are periodically sent in order to check the liveliness of the IPsec peer. The values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. With ``clear`` the connection is closed with no further actions taken. ``hold`` installs a trap policy, which will catch matching traffic and tries to re-negotiate the connection on demand. ``restart`` will immediately trigger an attempt to re-negotiate the connection." @@ -19232,7 +19255,7 @@ msgstr "``dhcp-interface`` - use an IP address, received from DHCP for IPSec con msgid "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default." msgstr "``disable-mobike`` disables MOBIKE Support. MOBIKE is only available for IKEv2 and enabled by default." -#: ../../configuration/vpn/site2site_ipsec.rst:366 +#: ../../configuration/vpn/site2site_ipsec.rst:387 msgid "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration." msgstr "``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration." diff --git a/docs/_static/images/ansible.png b/docs/_static/images/ansible.png Binary files differnew file mode 100644 index 00000000..1d80b3f4 --- /dev/null +++ b/docs/_static/images/ansible.png diff --git a/docs/_static/images/firewall-bridge-packet-flow.png b/docs/_static/images/firewall-bridge-packet-flow.png Binary files differnew file mode 100644 index 00000000..9e32315e --- /dev/null +++ b/docs/_static/images/firewall-bridge-packet-flow.png diff --git a/docs/_static/images/firewall-flowtable-packet-flow.png b/docs/_static/images/firewall-flowtable-packet-flow.png Binary files differnew file mode 100644 index 00000000..fca7e13a --- /dev/null +++ b/docs/_static/images/firewall-flowtable-packet-flow.png diff --git a/docs/_static/images/firewall-fwd-packet-flow.png b/docs/_static/images/firewall-fwd-packet-flow.png Binary files differnew file mode 100644 index 00000000..e4bc2adc --- /dev/null +++ b/docs/_static/images/firewall-fwd-packet-flow.png diff --git a/docs/_static/images/firewall-gral-packet-flow.png b/docs/_static/images/firewall-gral-packet-flow.png Binary files differnew file mode 100644 index 00000000..ee4e7b70 --- /dev/null +++ b/docs/_static/images/firewall-gral-packet-flow.png diff --git a/docs/_static/images/firewall-input-packet-flow.png b/docs/_static/images/firewall-input-packet-flow.png Binary files differnew file mode 100644 index 00000000..1c53c34a --- /dev/null +++ b/docs/_static/images/firewall-input-packet-flow.png diff --git a/docs/_templates/layout.html b/docs/_templates/layout.html index e7ede58c..6cb68508 100644 --- a/docs/_templates/layout.html +++ b/docs/_templates/layout.html @@ -1,5 +1,5 @@ {% extends "!layout.html" %} -{%- set current_version = "1.4.x sagitta" %} +{%- set current_version = "1.5.x circinus" %} {% block extrahead %} <link href="{{ pathto("_static/css/custom.css", True) }}" rel="stylesheet" type="text/css"> <link href="{{ pathto("_static/css/datatables.css", True) }}" rel="stylesheet" type="text/css"> diff --git a/docs/automation/command-scripting.rst b/docs/automation/command-scripting.rst index 64564e5a..c8a72a36 100644 --- a/docs/automation/command-scripting.rst +++ b/docs/automation/command-scripting.rst @@ -94,7 +94,7 @@ Here is a simple example: #!/bin/vbash source /opt/vyatta/etc/functions/script-template configure - source < /config/scripts/setfirewallgroup.py + source <(/config/scripts/setfirewallgroup.py) commit diff --git a/docs/automation/vyos-api.rst b/docs/automation/vyos-api.rst index efd00dd8..afcc1767 100644 --- a/docs/automation/vyos-api.rst +++ b/docs/automation/vyos-api.rst @@ -143,6 +143,43 @@ The ``reset`` endpoint run a ``reset`` command. "error": null } +/reboot +======= + +To initiate a reboot use the ``reboot`` endpoint. + +.. code-block:: none + + curl --location --request POST 'https://vyos/reboot' \ + --form data='{"op": "reboot", "path": ["now"]}' \ + --form key='MY-HTTPS-API-PLAINTEXT-KEY' + + respone: + { + "success": true, + "data": "", + "error": null + } + +/poweroff +========= + +To power off the system use the ``poweroff`` endpoint. + +.. code-block:: none + + curl --location --request POST 'https://vyos/poweroff' \ + --form data='{"op": "poweroff", "path": ["now"]}' \ + --form key='MY-HTTPS-API-PLAINTEXT-KEY' + + respone: + { + "success": true, + "data": "", + "error": null + } + + /image ====== diff --git a/docs/changelog/1.3.rst b/docs/changelog/1.3.rst index dc9c3414..11d3be91 100644 --- a/docs/changelog/1.3.rst +++ b/docs/changelog/1.3.rst @@ -8,6 +8,89 @@ _ext/releasenotes.py +2023-11-30 +========== + +* :vytask:`T4601` ``(bug): dhcp : relay agent IP address issue.`` + + +2023-11-28 +========== + +* :vytask:`T5777` ``(bug): frr: backport and upstream recent bgpd daemon crashes`` + + +2023-11-27 +========== + +* :vytask:`T5763` ``(bug): Fix imprecise check for remote file name in vyos-load-config.py`` + + +2023-11-25 +========== + +* :vytask:`T5655` ``(bug): commit-archive: Ctrl+C should not eror out with stack trace, signal should be cought`` + + +2023-11-24 +========== + +* :vytask:`T5402` ``(bug): VRRP router with rfc3768-compatibility sends multiple ARP replies`` + + +2023-11-22 +========== + +* :vytask:`T5578` ``(bug): "ikev2-reauth" description contains outdated information`` + + +2023-11-15 +========== + +* :vytask:`T5661` ``(enhancment): Add show show ssh dynamic-protection attacker and show log ssh dynamic-protection`` +* :vytask:`T1276` ``(bug): dhcp relay + VLAN fails`` + + +2023-11-07 +========== + +* :vytask:`T5586` ``(feature): Disable by default SNMP for Keepalived VRRP`` + + +2023-11-06 +========== + +* :vytask:`T4269` ``(feature): node.def generator should automatically add default values`` + + +2023-10-26 +========== + +* :vytask:`T5684` ``(bug): services using VRF generates the error "Failed to load BPF prog: 'Operation not permitted'" when the system boots.`` +* :vytask:`T5594` ``(bug): VRRP - Error if using IPv6 Link Local as hello source address`` + + +2023-10-21 +========== + +* :vytask:`T5670` ``(bug): bridge: missing member interface validator`` +* :vytask:`T5191` ``(default): Replace underscores with hyphens in command-line options generated by vyos.opmode`` +* :vytask:`T4402` ``(bug): OpenVPN client-ip-pool option is broken`` +* :vytask:`T2719` ``(feature): Standardized op mode script structure`` + + +2023-10-19 +========== + +* :vytask:`T5669` ``(bug): VXLAN interface changing port does not work`` + + +2023-10-17 +========== + +* :vytask:`T5235` ``(bug): SSH keys with special characters cannot be applied via Cloud-init`` + + 2023-10-08 ========== @@ -229,12 +312,6 @@ * :vytask:`T5313` ``(bug): UDP broadcast relay - missing verify() that relay interfaces have an IP address assigned`` -2023-06-28 -========== - -* :vytask:`T1237` ``(feature): Static Route Path Monitoring, failover`` - - 2023-06-26 ========== diff --git a/docs/changelog/1.4.rst b/docs/changelog/1.4.rst index 86fec4d4..3919ade7 100644 --- a/docs/changelog/1.4.rst +++ b/docs/changelog/1.4.rst @@ -8,6 +8,314 @@ _ext/releasenotes.py +2023-12-03 +========== + +* :vytask:`T5753` ``(feature): Add VXLAN vnifilter support`` +* :vytask:`T5759` ``(feature): Change VXLAN default MTU to 1500 bytes`` + + +2023-11-30 +========== + +* :vytask:`T4601` ``(bug): dhcp : relay agent IP address issue.`` + + +2023-11-28 +========== + +* :vytask:`T4276` ``(bug): IPsec peers dh-group negotiation issue with pfs enabled and multiple proposals configured with IKEv1`` + + +2023-11-27 +========== + +* :vytask:`T5763` ``(bug): Fix imprecise check for remote file name in vyos-load-config.py`` +* :vytask:`T5783` ``(feature): frr: smoketests must notice any daemon crash`` + + +2023-11-26 +========== + +* :vytask:`T5760` ``(feature): DHCP client custom dhcp-options`` +* :vytask:`T2405` ``(feature): archive to GIT or other platform`` + + +2023-11-25 +========== + +* :vytask:`T5655` ``(bug): commit-archive: Ctrl+C should not eror out with stack trace, signal should be cought`` +* :vytask:`T4946` ``(default): Rewrite "add system image" in the new op-mode`` +* :vytask:`T4454` ``(default): `install-image` should check free storage`` + + +2023-11-24 +========== + +* :vytask:`T5776` ``(feature): Enable VFIO support`` +* :vytask:`T5402` ``(bug): VRRP router with rfc3768-compatibility sends multiple ARP replies`` +* :vytask:`T3895` ``(default): VYOS firewall rules do not adhere to time schedule unless placed in UTC mode.`` + + +2023-11-23 +========== + +* :vytask:`T4891` ``(bug): BFD flapping loop`` +* :vytask:`T4867` ``(bug): "show bgp neighbors ... advertised-routes" and some other commands fail for IPv4 neighbors`` + + +2023-11-22 +========== + +* :vytask:`T5767` ``(feature): Add reboot and poweroff the system via API`` +* :vytask:`T5729` ``(bug): Firewall, nat and policy route - Switch to valueless`` +* :vytask:`T5681` ``(feature): Interface match - Simplified and unified cli`` +* :vytask:`T4877` ``(bug): Need verification in using import vrf and import vpn, export vpn commands`` +* :vytask:`T4021` ``(bug): Long commit time on bridge interface with 1-4094 allowed VLAN tags`` +* :vytask:`T5338` ``(feature): Add 'mpls bgp forwarding' feature`` +* :vytask:`T3818` ``(bug): BGP export route-map only works after bgpd restart`` +* :vytask:`T5590` ``(default): Firewall "log enable" logs every packet`` +* :vytask:`T5426` ``(default): Add exceptions in vici functions calls`` + + +2023-11-21 +========== + +* :vytask:`T5762` ``(bug): http: api: smoketests fail as they can not establish IPv6 connection to uvicorn backend server`` + + +2023-11-20 +========== + +* :vytask:`T2816` ``(default): Rewrite IPsec scripts with the new XML/Python approach`` + + +2023-11-18 +========== + +* :vytask:`T1354` ``(feature): Add support for VLAN-Aware bridges`` + + +2023-11-16 +========== + +* :vytask:`T5726` ``(bug): HTTPS API image cannot be updated`` +* :vytask:`T5738` ``(feature): Extend XML building blocks`` +* :vytask:`T5736` ``(feature): igmp: migrate "protocols igmp" to "protocols pim"`` +* :vytask:`T5733` ``(feature): pim(6): rewrite FRR PIM daemon configuration to get_config_dict() and add missing IGMP features`` +* :vytask:`T5689` ``(default): FRR 9.0.1 in VyOS current segfaults on show rpki prefix $prefix`` +* :vytask:`T5595` ``(feature): Multicast - PIM bfd feature enable`` +* :vytask:`T3638` ``(bug): Passwords With Dollar Sign Set Incorrectly`` + + +2023-11-15 +========== + +* :vytask:`T5695` ``(feature): Build FRR with LUA scripts --enable-scripting option`` +* :vytask:`T5665` ``(bug): radius user not working`` +* :vytask:`T5728` ``(bug): Improve compatibility between OpenVPN on VyOS 1.5 and OpenVPN Connect Client`` +* :vytask:`T5732` ``(bug): generate firewall rule-resequence drops geoip country-code from output`` +* :vytask:`T5661` ``(enhancment): Add show show ssh dynamic-protection attacker and show log ssh dynamic-protection`` +* :vytask:`T1276` ``(bug): dhcp relay + VLAN fails`` + + +2023-11-13 +========== + +* :vytask:`T5698` ``(feature): EVPN ESI Multihoming`` +* :vytask:`T5563` ``(bug): container: Container environment variable cannot be set`` +* :vytask:`T5706` ``(bug): Systemd-udevd high CPU utilization for multiple dynamic ppp/l2tp/ipoe interfaces`` + + +2023-11-10 +========== + +* :vytask:`T5727` ``(bug): validator: Use native URL validator instead of regex-based validator`` + + +2023-11-08 +========== + +* :vytask:`T5720` ``(bug): PPPoE-server adding new interface does not work`` +* :vytask:`T5716` ``(bug): PPPoE-server shaper template bug down-limiter option does not rely on fwmark`` +* :vytask:`T5702` ``(feature): Add ability to set include_ifmib_iface_prefix and ifmib_max_num_ifaces for SNMP`` +* :vytask:`T5648` ``(bug): ldpd neighbour template errors`` +* :vytask:`T5564` ``(bug): Both show firewall group and show firewall summary fails`` +* :vytask:`T5559` ``(feature): Selective proxy-arp/proxy-ndp when doing SNAT/DNAT`` +* :vytask:`T5541` ``(bug): Zone-Based Firewalling in VyOS Sagitta 1.4`` +* :vytask:`T5513` ``(bug): Anomalies in show firewall command after refactoring`` +* :vytask:`T4864` ``(bug): `show firewall` command errors`` + + +2023-11-07 +========== + +* :vytask:`T5586` ``(feature): Disable by default SNMP for Keepalived VRRP`` + + +2023-11-06 +========== + +* :vytask:`T5705` ``(bug): rsyslog - Not working when using facility=all`` +* :vytask:`T5704` ``(feature): PPPoE-server add max-starting option`` +* :vytask:`T5707` ``(bug): Wireguard peer public key update leaves redundant peers and breaks connectivity`` +* :vytask:`T4269` ``(feature): node.def generator should automatically add default values`` + + +2023-11-05 +========== + +* :vytask:`T4020` ``(feature): Add ability to control FRR daemons options`` + + +2023-11-03 +========== + +* :vytask:`T5700` ``(bug): Monitoring telegraf deprecated plugins inputs outputs`` +* :vytask:`T5018` ``(bug): Redirect to IFB removed after change in qos policy`` + + +2023-11-02 +========== + +* :vytask:`T5701` ``(feature): Update telegraf package`` + + +2023-11-01 +========== + +* :vytask:`T5690` ``(bug): Change to definition of environment variable 'vyos_rootfs_dir' is incorrect`` + + +2023-10-31 +========== + +* :vytask:`T5699` ``(feature): vxlan: migrate "external" CLI know to "parameters external"`` +* :vytask:`T5668` ``(feature): Disable VXLAN bridge learning and enable neigh_suppress when using EVPN`` + + +2023-10-27 +========== + +* :vytask:`T5652` ``(bug): Config migrate to image upgrade does not properly generate home directory`` +* :vytask:`T4057` ``(bug): Commit time for deleting sflow configuration ~1.5 min`` + + +2023-10-26 +========== + +* :vytask:`T5683` ``(bug): reverse-proxy pki filenames mismatch`` +* :vytask:`T4903` ``(bug): conntrack ignore does not suppotr IPv6 addresses`` +* :vytask:`T4309` ``(feature): Support network/address-groups and ipv6-network/ipv6-address-groups in conntrack ignore`` +* :vytask:`T5606` ``(feature): IPSec VPN: Allow multiple CAs certificates`` +* :vytask:`T5650` ``(default): Progressbars suffer from staircasing effect`` +* :vytask:`T5568` ``(default): Install image from live ISO always defaults boot to KVM entry`` +* :vytask:`T3509` ``(default): No BCP38 for IPv6 on VyOS`` + + +2023-10-23 +========== + +* :vytask:`T5299` ``(bug): QoS shaper ceiling does not work`` +* :vytask:`T5667` ``(feature): BGP label-unicast - enable ecmp`` +* :vytask:`T5337` ``(bug): MPLS/BGP: Route leak does not happen from the VPNv4 table to specific vrf`` + + +2023-10-22 +========== + +* :vytask:`T5254` ``(bug): Modification of any interface setting sets MTU back to default when MTU has been inherited from a bond`` +* :vytask:`T5671` ``(feature): vxlan: change port to IANA assigned default port`` + + +2023-10-21 +========== + +* :vytask:`T5670` ``(bug): bridge: missing member interface validator`` +* :vytask:`T5617` ``(feature): Add an option to exclude single values to the numeric validator`` +* :vytask:`T5414` ``(bug): dhcp-server does not allow valid bootfile-names`` +* :vytask:`T5261` ``(feature): Add AWS gateway load-balanceing tunnel handler (gwlbtun)`` +* :vytask:`T5260` ``(bug): Python3 module crypt is deprecated`` +* :vytask:`T5191` ``(default): Replace underscores with hyphens in command-line options generated by vyos.opmode`` +* :vytask:`T5172` ``(default): Set Python3 version dependency for vyos-1x to 3.10`` +* :vytask:`T4956` ``(default): 'show hardware cpu' issue on arm64`` +* :vytask:`T4837` ``(default): Expose "show ip route summary" in the op mode API`` +* :vytask:`T4770` ``(feature): Rewrite OpenVPN op-mode to vyos.opmode format`` +* :vytask:`T4657` ``(bug): op-mode scripts with type hints in `return` do not work`` +* :vytask:`T4604` ``(bug): bgpd eats huge amount of memory (about 500Megs a day)`` +* :vytask:`T4432` ``(default): Display load average normalized according to the number of CPU cores`` +* :vytask:`T4416` ``(default): Convert 'traceroute' operation to the new syntax and expand available options using python`` +* :vytask:`T4402` ``(bug): OpenVPN client-ip-pool option is broken`` +* :vytask:`T3433` ``(default): A review of the use of racist language in VyOS`` +* :vytask:`T2719` ``(feature): Standardized op mode script structure`` + + +2023-10-20 +========== + +* :vytask:`T5233` ``(bug): Op-mode flow-accounting netflow with disable-imt errors`` +* :vytask:`T5232` ``(bug): Flow-accounting uacctd.service cannot restart correctly`` + + +2023-10-19 +========== + +* :vytask:`T4913` ``(default): Rewrite the wireless op mode in the new style`` + + +2023-10-18 +========== + +* :vytask:`T5642` ``(bug): op cmd: generate tech-support archive: does not work`` +* :vytask:`T5521` ``(bug): Home owner directory changed to vyos for the user after reboot`` + + +2023-10-17 +========== + +* :vytask:`T5662` ``(bug): Fix indexing error in configdep script organization`` +* :vytask:`T5235` ``(bug): SSH keys with special characters cannot be applied via Cloud-init`` + + +2023-10-16 +========== + +* :vytask:`T5165` ``(feature): Policy local-route ability set protocol and port`` + + +2023-10-14 +========== + +* :vytask:`T5629` ``(bug): Policy local-route bug after migration to destination node address`` + + +2023-10-13 +========== + +* :vytask:`T5227` ``(feature): mDNS reflector should allow additional domains to browse and allow filtering services`` +* :vytask:`T5166` ``(feature): Remove local minisign package from build repo for 1.4`` +* :vytask:`T5118` ``(bug): Cleanup vestigial ntp completion script`` +* :vytask:`T5115` ``(default): Support custom port for name servers for forwarding zones`` +* :vytask:`T5113` ``(default): PDNS: Support custom port for DNS forwarders`` +* :vytask:`T5112` ``(feature): Enable support for Network Time Security (NTS) for chrony`` +* :vytask:`T5143` ``(enhancment): Apply constraint on powerdns forward-zones configuration`` + + +2023-10-12 +========== + +* :vytask:`T5649` ``(bug): vyos-1x should generate XML cache after building command templates for less cryptic error on typo`` + + +2023-10-10 +========== + +* :vytask:`T5489` ``(feature): Change to BBR as TCP congestion control, or at least make it an config option`` +* :vytask:`T5479` ``(bug): Helper leftovers found in nftables (firewall) even with all helpers disabled`` +* :vytask:`T5436` ``(bug): vyos-preconfig-bootup.script is missing`` +* :vytask:`T5014` ``(feature): Destination NAT - Add Load Balancing capabilities`` + + 2023-10-08 ========== diff --git a/docs/changelog/1.5.rst b/docs/changelog/1.5.rst index a91af953..00f105e6 100644 --- a/docs/changelog/1.5.rst +++ b/docs/changelog/1.5.rst @@ -8,6 +8,251 @@ _ext/releasenotes.py +2023-12-03 +========== + +* :vytask:`T5753` ``(feature): Add VXLAN vnifilter support`` +* :vytask:`T5759` ``(feature): Change VXLAN default MTU to 1500 bytes`` + + +2023-11-27 +========== + +* :vytask:`T5763` ``(bug): Fix imprecise check for remote file name in vyos-load-config.py`` +* :vytask:`T5783` ``(feature): frr: smoketests must notice any daemon crash`` + + +2023-11-26 +========== + +* :vytask:`T5760` ``(feature): DHCP client custom dhcp-options`` +* :vytask:`T2405` ``(feature): archive to GIT or other platform`` + + +2023-11-25 +========== + +* :vytask:`T5655` ``(bug): commit-archive: Ctrl+C should not eror out with stack trace, signal should be cought`` + + +2023-11-24 +========== + +* :vytask:`T5776` ``(feature): Enable VFIO support`` +* :vytask:`T5402` ``(bug): VRRP router with rfc3768-compatibility sends multiple ARP replies`` + + +2023-11-23 +========== + +* :vytask:`T5659` ``(bug): VPP cannot add interface to dataplane if it already has an address configured`` + + +2023-11-22 +========== + +* :vytask:`T5767` ``(feature): Add reboot and poweroff the system via API`` +* :vytask:`T5729` ``(bug): Firewall, nat and policy route - Switch to valueless`` +* :vytask:`T5681` ``(feature): Interface match - Simplified and unified cli`` +* :vytask:`T5643` ``(feature): NAT - Allow interface groups on nat rules`` +* :vytask:`T5616` ``(feature): Firewall mark - Add capabilities for matching firewall mark`` +* :vytask:`T5590` ``(default): Firewall "log enable" logs every packet`` + + +2023-11-21 +========== + +* :vytask:`T5762` ``(bug): http: api: smoketests fail as they can not establish IPv6 connection to uvicorn backend server`` + + +2023-11-18 +========== + +* :vytask:`T1354` ``(feature): Add support for VLAN-Aware bridges`` + + +2023-11-16 +========== + +* :vytask:`T5726` ``(bug): HTTPS API image cannot be updated`` +* :vytask:`T5738` ``(feature): Extend XML building blocks`` +* :vytask:`T5736` ``(feature): igmp: migrate "protocols igmp" to "protocols pim"`` +* :vytask:`T5733` ``(feature): pim(6): rewrite FRR PIM daemon configuration to get_config_dict() and add missing IGMP features`` +* :vytask:`T5689` ``(default): FRR 9.0.1 in VyOS current segfaults on show rpki prefix $prefix`` +* :vytask:`T5595` ``(feature): Multicast - PIM bfd feature enable`` + + +2023-11-15 +========== + +* :vytask:`T5695` ``(feature): Build FRR with LUA scripts --enable-scripting option`` +* :vytask:`T5677` ``(bug): show lldp neighbors generates TypeError when neighbor has no `descr``` +* :vytask:`T5728` ``(bug): Improve compatibility between OpenVPN on VyOS 1.5 and OpenVPN Connect Client`` +* :vytask:`T5732` ``(bug): generate firewall rule-resequence drops geoip country-code from output`` +* :vytask:`T5661` ``(enhancment): Add show show ssh dynamic-protection attacker and show log ssh dynamic-protection`` + + +2023-11-13 +========== + +* :vytask:`T5698` ``(feature): EVPN ESI Multihoming`` +* :vytask:`T5563` ``(bug): container: Container environment variable cannot be set`` +* :vytask:`T5706` ``(bug): Systemd-udevd high CPU utilization for multiple dynamic ppp/l2tp/ipoe interfaces`` + + +2023-11-10 +========== + +* :vytask:`T5727` ``(bug): validator: Use native URL validator instead of regex-based validator`` + + +2023-11-08 +========== + +* :vytask:`T5720` ``(bug): PPPoE-server adding new interface does not work`` +* :vytask:`T5716` ``(bug): PPPoE-server shaper template bug down-limiter option does not rely on fwmark`` +* :vytask:`T5702` ``(feature): Add ability to set include_ifmib_iface_prefix and ifmib_max_num_ifaces for SNMP`` +* :vytask:`T5693` ``(feature): Adding variable vyos_persistence_dir (and improve variable vyos_rootfs_dir)`` +* :vytask:`T5648` ``(bug): ldpd neighbour template errors`` +* :vytask:`T5564` ``(bug): Both show firewall group and show firewall summary fails`` +* :vytask:`T5559` ``(feature): Selective proxy-arp/proxy-ndp when doing SNAT/DNAT`` +* :vytask:`T5541` ``(bug): Zone-Based Firewalling in VyOS Sagitta 1.4`` + + +2023-11-07 +========== + +* :vytask:`T5586` ``(feature): Disable by default SNMP for Keepalived VRRP`` + + +2023-11-06 +========== + +* :vytask:`T5705` ``(bug): rsyslog - Not working when using facility=all`` +* :vytask:`T5704` ``(feature): PPPoE-server add max-starting option`` +* :vytask:`T5707` ``(bug): Wireguard peer public key update leaves redundant peers and breaks connectivity`` + + +2023-11-03 +========== + +* :vytask:`T5700` ``(bug): Monitoring telegraf deprecated plugins inputs outputs`` + + +2023-11-02 +========== + +* :vytask:`T5701` ``(feature): Update telegraf package`` + + +2023-11-01 +========== + +* :vytask:`T5690` ``(bug): Change to definition of environment variable 'vyos_rootfs_dir' is incorrect`` + + +2023-10-31 +========== + +* :vytask:`T5699` ``(feature): vxlan: migrate "external" CLI know to "parameters external"`` +* :vytask:`T5668` ``(feature): Disable VXLAN bridge learning and enable neigh_suppress when using EVPN`` + + +2023-10-27 +========== + +* :vytask:`T5663` ``(bug): pmacct package contains unwanted data`` +* :vytask:`T5652` ``(bug): Config migrate to image upgrade does not properly generate home directory`` + + +2023-10-26 +========== + +* :vytask:`T5683` ``(bug): reverse-proxy pki filenames mismatch`` +* :vytask:`T5600` ``(bug): Firewall - Remove or extend constraint on 'interface-name'`` +* :vytask:`T5598` ``(bug): unknown parameter 'nf_conntrack_helper' ignored`` +* :vytask:`T5571` ``(bug): Firewall does not delete networks from the table raw`` +* :vytask:`T4903` ``(bug): conntrack ignore does not suppotr IPv6 addresses`` +* :vytask:`T4309` ``(feature): Support network/address-groups and ipv6-network/ipv6-address-groups in conntrack ignore`` +* :vytask:`T5594` ``(bug): VRRP - Error if using IPv6 Link Local as hello source address`` +* :vytask:`T5606` ``(feature): IPSec VPN: Allow multiple CAs certificates`` +* :vytask:`T5568` ``(default): Install image from live ISO always defaults boot to KVM entry`` +* :vytask:`T5558` ``(default): Update config test to check resulting migrations`` + + +2023-10-23 +========== + +* :vytask:`T5299` ``(bug): QoS shaper ceiling does not work`` +* :vytask:`T5667` ``(feature): BGP label-unicast - enable ecmp`` + + +2023-10-22 +========== + +* :vytask:`T5254` ``(bug): Modification of any interface setting sets MTU back to default when MTU has been inherited from a bond`` +* :vytask:`T5671` ``(feature): vxlan: change port to IANA assigned default port`` + + +2023-10-21 +========== + +* :vytask:`T5670` ``(bug): bridge: missing member interface validator`` +* :vytask:`T5617` ``(feature): Add an option to exclude single values to the numeric validator`` + + +2023-10-20 +========== + +* :vytask:`T5233` ``(bug): Op-mode flow-accounting netflow with disable-imt errors`` +* :vytask:`T5232` ``(bug): Flow-accounting uacctd.service cannot restart correctly`` + + +2023-10-19 +========== + +* :vytask:`T4913` ``(default): Rewrite the wireless op mode in the new style`` + + +2023-10-18 +========== + +* :vytask:`T5642` ``(bug): op cmd: generate tech-support archive: does not work`` +* :vytask:`T5521` ``(bug): Home owner directory changed to vyos for the user after reboot`` + + +2023-10-17 +========== + +* :vytask:`T5662` ``(bug): Fix indexing error in configdep script organization`` +* :vytask:`T5644` ``(bug): Firewall groups deletion can break config`` + + +2023-10-16 +========== + +* :vytask:`T5165` ``(feature): Policy local-route ability set protocol and port`` + + +2023-10-14 +========== + +* :vytask:`T5629` ``(bug): Policy local-route bug after migration to destination node address`` + + +2023-10-12 +========== + +* :vytask:`T5649` ``(bug): vyos-1x should generate XML cache after building command templates for less cryptic error on typo`` + + +2023-10-10 +========== + +* :vytask:`T5589` ``(bug): Nonstripped binaries exists in VyOS`` +* :vytask:`T5489` ``(feature): Change to BBR as TCP congestion control, or at least make it an config option`` + + 2023-10-08 ========== @@ -73,7 +318,6 @@ * :vytask:`T5588` ``(bug): Add kernel conntrack_bridge module`` * :vytask:`T5241` ``(feature): Support veth interfaces to working with netns`` * :vytask:`T5592` ``(feature): salt: upgrade minion to 3005.2`` -* :vytask:`T5590` ``(default): Firewall "log enable" logs every packet`` 2023-09-19 diff --git a/docs/cli.rst b/docs/cli.rst index 0a5fddf9..ee9c49ed 100644 --- a/docs/cli.rst +++ b/docs/cli.rst @@ -369,7 +369,7 @@ command. You are now in a sublevel relative to ``interfaces ethernet eth0``, all commands executed from this point on are relative to this sublevel. Use -eithe the :cfgcmd:`top` or :cfgcmd:`exit` command to go back to the top +either the :cfgcmd:`top` or :cfgcmd:`exit` command to go back to the top of the hierarchy. You can also use the :cfgcmd:`up` command to move only one level up at a time. @@ -410,7 +410,7 @@ working configuration indicating line changes with ``+`` for additions, loopback lo { } -It is also possible to display all `set` commands within configuration +It is also possible to display all :cfgcmd:`set` commands within configuration mode using :cfgcmd:`show | commands` .. code-block:: none @@ -858,24 +858,27 @@ be ``config.boot-hostname.YYYYMMDD_HHMMSS``. .. cfgcmd:: set system config-management commit-archive location <URI> - Specify remote location of commit archive as any of the below - :abbr:`URI (Uniform Resource Identifier)` + Specify remote location of commit archive as any of the below + :abbr:`URI (Uniform Resource Identifier)` - * ``scp://<user>:<passwd>@<host>:/<dir>`` - * ``sftp://<user>:<passwd>@<host>/<dir>`` - * ``ftp://<user>:<passwd>@<host>/<dir>`` - * ``tftp://<host>/<dir>`` + * ``http://<user>:<passwd>@<host>:/<dir>`` + * ``https://<user>:<passwd>@<host>:/<dir>`` + * ``ftp://<user>:<passwd>@<host>/<dir>`` + * ``sftp://<user>:<passwd>@<host>/<dir>`` + * ``scp://<user>:<passwd>@<host>:/<dir>`` + * ``tftp://<host>/<dir>`` + * ``git+https://<user>:<passwd>@<host>/<path>`` -.. note:: The number of revisions don't affect the commit-archive. + .. note:: The number of revisions don't affect the commit-archive. -.. note:: You may find VyOS not allowing the secure connection because - it cannot verify the legitimacy of the remote server. You can use - the workaround below to quickly add the remote host's SSH - fingerprint to your ``~/.ssh/known_hosts`` file: + .. note:: You may find VyOS not allowing the secure connection because + it cannot verify the legitimacy of the remote server. You can use + the workaround below to quickly add the remote host's SSH + fingerprint to your ``~/.ssh/known_hosts`` file: - .. code-block:: none + .. code-block:: none - vyos@vyos# ssh-keyscan <host> >> ~/.ssh/known_hosts + vyos@vyos# ssh-keyscan <host> >> ~/.ssh/known_hosts Saving and loading manually --------------------------- diff --git a/docs/conf.py b/docs/conf.py index 4807472e..3fe1c6e1 100644 --- a/docs/conf.py +++ b/docs/conf.py @@ -22,14 +22,14 @@ from docutils.parsers.rst.roles import set_classes # -- Project information ----------------------------------------------------- project = u'VyOS' -copyright = u'2021, VyOS maintainers and contributors' +copyright = u'2023, VyOS maintainers and contributors' author = u'VyOS maintainers and contributors' # The short X.Y version -version = u'1.4' +version = u'1.5' # The full version, including alpha/beta/rc tags -release = u'1.4.x (sagitta)' +release = u'1.5.x (circinus)' # -- General configuration --------------------------------------------------- diff --git a/docs/configexamples/ansible.rst b/docs/configexamples/ansible.rst new file mode 100644 index 00000000..fc243c44 --- /dev/null +++ b/docs/configexamples/ansible.rst @@ -0,0 +1,216 @@ +:lastproofread: 2023-10-18 + +.. _examples-ansible: + +############### +Ansible example +############### + +Setting up Ansible on a server running the Debian operating system. +=================================================================== + +In this example, we will set up a simple use of Ansible to configure multiple VyoS routers. +We have four pre-configured routers with this configuration: + +Using the general schema for example: + +.. image:: /_static/images/ansible.png + :width: 80% + :align: center + :alt: Network Topology Diagram + +We have four pre-configured routers with this configuration: + +.. code-block:: none + + set interfaces ethernet eth0 address dhcp + set service ssh + commit + save + +* vyos7 - 192.0.2.105 +* vyos8 - 192.0.2.106 +* vyos9 - 192.0.2.107 +* vyos10 - 192.0.2.108 + +Install the Ansible: +==================== +.. code-block:: none + + # apt-get install ansible + Do you want to continue? [Y/n] y + +Install the paramiko: +===================== + +.. code-block:: none + + #apt-get install -y python3-paramiko + +Check the version: +================== + +.. code-block:: none + + # ansible --version + ansible 2.10.8 + config file = None + configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules'] + ansible python module location = /usr/lib/python3/dist-packages/ansible + executable location = /usr/bin/ansible + python version = 3.9.2 (default, Feb 28 2021, 17:03:44) [GCC 10.2.1 20210110] + +Basik configuration of the ansible.cfg: +======================================= + +.. code-block:: none + + # nano /root/ansible.cfg + [defaults] + host_key_checking = no + +Add all the hosts of VyOS: +========================== + +.. code-block:: none + + # nano /root/hosts + [vyos_hosts] + vyos7 ansible_ssh_host=192.0.2.105 + vyos8 ansible_ssh_host=192.0.2.106 + vyos9 ansible_ssh_host=192.0.2.107 + vyos10 ansible_ssh_host=192.0.2.108 + +Add general variables: +====================== + +.. code-block:: none + + # mkdir /root/group_vars/ + # nano /root/group_vars/vyos_hosts + ansible_python_interpreter: /usr/bin/python3 + ansible_network_os: vyos + ansible_connection: network_cli + ansible_user: vyos + ansible_ssh_pass: vyos + + +Add the simple playbook with the tasks for each router: +======================================================= + +.. code-block:: none + + # nano /root/main.yml + + --- + - hosts: vyos_hosts + gather_facts: 'no' + tasks: + - name: Configure general settings for the vyos hosts group + vyos_config: + lines: + - set system name-server 8.8.8.8 + - set interfaces ethernet eth0 description '#WAN#' + - set interfaces ethernet eth1 description '#LAN#' + - set interfaces ethernet eth2 disable + - set interfaces ethernet eth3 disable + - set system host-name {{ inventory_hostname }} + save: + true + +Start the playbook: +=================== + +.. code-block:: none + + ansible-playbook -i hosts main.yml + PLAY [vyos_hosts] ************************************************************** + + TASK [Configure general settings for the vyos hosts group] ********************* + ok: [vyos9] + ok: [vyos10] + ok: [vyos7] + ok: [vyos8] + + PLAY RECAP ********************************************************************* + vyos10 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + vyos7 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + vyos8 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + vyos9 : ok=2 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + +Check the result on the vyos10 router: +====================================== + +.. code-block:: none + + vyos@vyos10:~$ show interfaces + Codes: S - State, L - Link, u - Up, D - Down, A - Admin Down + Interface IP Address S/L Description + --------- ---------- --- ----------- + eth0 192.0.2.108/24 u/u WAN + eth1 - u/u LAN + eth2 - A/D + eth3 - A/D + lo 127.0.0.1/8 u/u + ::1/128 + + vyos@vyos10:~$ sh configuration commands | grep 8.8.8.8 + set system name-server '8.8.8.8' + +The simple way without configuration of the hostname (one task for all routers): +================================================================================ + +.. code-block:: none + + # nano /root/hosts_v2 + [vyos_hosts_group] + vyos7 ansible_ssh_host=192.0.2.105 + vyos8 ansible_ssh_host=192.0.2.106 + vyos9 ansible_ssh_host=192.0.2.107 + vyos10 ansible_ssh_host=192.0.2.108 + [vyos_hosts_group:vars] + ansible_python_interpreter=/usr/bin/python3 + ansible_user=vyos + ansible_ssh_pass=vyos + ansible_network_os=vyos + ansible_connection=network_cli + + # nano /root/main_v2.yml + --- + - hosts: vyos_hosts_group + + connection: network_cli + gather_facts: 'no' + + tasks: + - name: Configure remote vyos_hosts_group + vyos_config: + lines: + - set system name-server 8.8.8.8 + - set interfaces ethernet eth0 description WAN + - set interfaces ethernet eth1 description LAN + - set interfaces ethernet eth2 disable + - set interfaces ethernet eth3 disable + save: + true + +.. code-block:: none + + # ansible-playbook -i hosts_v2 main_v2.yml + + PLAY [vyos_hosts_group] ******************************************************** + + TASK [Configure remote vyos_hosts_group] *************************************** + ok: [vyos8] + ok: [vyos7] + ok: [vyos9] + ok: [vyos10] + + PLAY RECAP ********************************************************************* + vyos10 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + vyos7 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + vyos8 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + vyos9 : ok=1 changed=0 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0 + + +In the next chapter of the example, we'll use the Ansible with jinja2 templates and variables. diff --git a/docs/configexamples/autotest/Wireguard/Wireguard.rst b/docs/configexamples/autotest/Wireguard/Wireguard.rst index 93092afe..7e287bcf 100644 --- a/docs/configexamples/autotest/Wireguard/Wireguard.rst +++ b/docs/configexamples/autotest/Wireguard/Wireguard.rst @@ -44,7 +44,7 @@ After this, the public key can be displayed, to save for later. .. code-block:: none - vyos@central:~$ generate pki wireguard + vyos@central:~$ generate pki wireguard key-pair Private key: cMNGHtb5dW92ORG3HS8JJlvQF8pmVGt2Ydny8hTBLnY= Public key: WyfLCTXi31gL+YbYOwoAHCl2RgS+y56cYHEK6pQsTQ8= diff --git a/docs/configexamples/ha.rst b/docs/configexamples/ha.rst index 1ceda8e9..1badf231 100644 --- a/docs/configexamples/ha.rst +++ b/docs/configexamples/ha.rst @@ -303,7 +303,7 @@ public interface. .. code-block:: none set nat source rule 10 destination address '!192.0.2.0/24' - set nat source rule 10 outbound-interface 'eth0.50' + set nat source rule 10 outbound-interface name 'eth0.50' set nat source rule 10 source address '10.200.201.0/24' set nat source rule 10 translation address '203.0.113.1' diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst index 5528d280..7134e14c 100644 --- a/docs/configexamples/index.rst +++ b/docs/configexamples/index.rst @@ -21,6 +21,7 @@ This chapter contains various configuration examples: qos segment-routing-isis nmp + ansible policy-based-ipsec-and-firewall site-2-site-cisco diff --git a/docs/configexamples/policy-based-ipsec-and-firewall.rst b/docs/configexamples/policy-based-ipsec-and-firewall.rst index 1f969453..9b7ba73a 100644 --- a/docs/configexamples/policy-based-ipsec-and-firewall.rst +++ b/docs/configexamples/policy-based-ipsec-and-firewall.rst @@ -194,9 +194,9 @@ And NAT Configuration: set nat source rule 10 destination group network-group 'REMOTE-NETS' set nat source rule 10 exclude - set nat source rule 10 outbound-interface 'eth0' + set nat source rule 10 outbound-interface name 'eth0' set nat source rule 10 source group network-group 'LOCAL-NETS' - set nat source rule 20 outbound-interface 'eth0' + set nat source rule 20 outbound-interface name 'eth0' set nat source rule 20 source group network-group 'LOCAL-NETS' set nat source rule 20 translation address 'masquerade' diff --git a/docs/configuration/firewall/bridge.rst b/docs/configuration/firewall/bridge.rst new file mode 100644 index 00000000..4a0dc3bb --- /dev/null +++ b/docs/configuration/firewall/bridge.rst @@ -0,0 +1,42 @@ +:lastproofread: 2023-11-08 + +.. _firewall-configuration: + +############################# +Bridge Firewall Configuration +############################# + +.. note:: **Documentation under development** + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding bridge, and appropiate op-mode commands. +Configuration commands covered in this section: + +.. cfgcmd:: set firewall bridge ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * bridge + - forward + + filter + - name + + custom_name + +Traffic which is received by the router on an interface which is member of a +bridge is processed on the **Bridge Layer**. A simplified packet flow diagram +for this layer is shown next: + +.. figure:: /_static/images/firewall-bridge-packet-flow.png + +For traffic that needs to be forwared internally by the bridge, base chain is +is **forward**, and it's base command for filtering is ``set firewall bridge +forward filter ...`` diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst new file mode 100644 index 00000000..8b44a9b9 --- /dev/null +++ b/docs/configuration/firewall/flowtables.rst @@ -0,0 +1,52 @@ +:lastproofread: 2023-11-08 + +.. _firewall-flowtables-configuration: + +################################# +Flowtables Firewall Configuration +################################# + +.. note:: **Documentation under development** + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding flowtables + +.. cfgcmd:: set firewall flowtables ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * flowtable + - custom_flow_table + + ... + + +Flowtables allows you to define a fastpath through the flowtable datapath. +The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP +and UDP protocols. + +.. figure:: /_static/images/firewall-flowtable-packet-flow.png + +Once the first packet of the flow successfully goes through the IP forwarding +path (black circles path), from the second packet on, you might decide to +offload the flow to the flowtable through your ruleset. The flowtable +infrastructure provides a rule action that allows you to specify when to add +a flow to the flowtable (On forward filtering, red circle number 6) + +A packet that finds a matching entry in the flowtable (flowtable hit) is +transmitted to the output netdevice, hence, packets bypass the classic IP +forwarding path and uses the **Fast Path** (orange circles path). The visible +effect is that you do not see these packets from any of the Netfilter +hooks coming after ingress. In case that there is no matching entry in the +flowtable (flowtable miss), the packet follows the classic IP forwarding path. + +.. note:: **Flowtable Reference:** + https://docs.kernel.org/networking/nf_flowtable.html diff --git a/docs/configuration/firewall/general-legacy.rst b/docs/configuration/firewall/general-legacy.rst deleted file mode 100644 index 5d235eb8..00000000 --- a/docs/configuration/firewall/general-legacy.rst +++ /dev/null @@ -1,1054 +0,0 @@ -:lastproofread: 2021-06-29 - -.. _legacy-firewall: - -################################### -Firewall Configuration (Deprecated) -################################### - -.. note:: **Important note:** - This documentation is valid only for VyOS Sagitta prior to - 1.4-rolling-202308040557 - -******** -Overview -******** - -VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet -filtering. - -The firewall supports the creation of groups for ports, addresses, and -networks (implemented using netfilter ipset) and the option of interface -or zone based firewall policy. - -.. note:: **Important note on usage of terms:** - The firewall makes use of the terms `in`, `out`, and `local` - for firewall policy. Users experienced with netfilter often confuse - `in` to be a reference to the `INPUT` chain, and `out` the `OUTPUT` - chain from netfilter. This is not the case. These instead indicate - the use of the `FORWARD` chain and either the input or output - interface. The `INPUT` chain, which is used for local traffic to the - OS, is a reference to as `local` with respect to its input interface. - - -*************** -Global settings -*************** - -Some firewall settings are global and have an affect on the whole system. - -.. cfgcmd:: set firewall all-ping [enable | disable] - - By default, when VyOS receives an ICMP echo request packet destined for - itself, it will answer with an ICMP echo reply, unless you avoid it - through its firewall. - - With the firewall you can set rules to accept, drop or reject ICMP in, - out or local traffic. You can also use the general **firewall all-ping** - command. This command affects only to LOCAL (packets destined for your - VyOS system), not to IN or OUT traffic. - - .. note:: **firewall all-ping** affects only to LOCAL and it always - behaves in the most restrictive way - - .. code-block:: none - - set firewall all-ping enable - - When the command above is set, VyOS will answer every ICMP echo request - addressed to itself, but that will only happen if no other rule is - applied dropping or rejecting local echo requests. In case of conflict, - VyOS will not answer ICMP echo requests. - - .. code-block:: none - - set firewall all-ping disable - - When the command above is set, VyOS will answer no ICMP echo request - addressed to itself at all, no matter where it comes from or whether - more specific rules are being applied to accept them. - -.. cfgcmd:: set firewall broadcast-ping [enable | disable] - - This setting enable or disable the response of icmp broadcast - messages. The following system parameter will be altered: - - * ``net.ipv4.icmp_echo_ignore_broadcasts`` - -.. cfgcmd:: set firewall ip-src-route [enable | disable] -.. cfgcmd:: set firewall ipv6-src-route [enable | disable] - - This setting handle if VyOS accept packets with a source route - option. The following system parameter will be altered: - - * ``net.ipv4.conf.all.accept_source_route`` - * ``net.ipv6.conf.all.accept_source_route`` - -.. cfgcmd:: set firewall receive-redirects [enable | disable] -.. cfgcmd:: set firewall ipv6-receive-redirects [enable | disable] - - enable or disable of ICMPv4 or ICMPv6 redirect messages accepted - by VyOS. The following system parameter will be altered: - - * ``net.ipv4.conf.all.accept_redirects`` - * ``net.ipv6.conf.all.accept_redirects`` - -.. cfgcmd:: set firewall send-redirects [enable | disable] - - enable or disable ICMPv4 redirect messages send by VyOS - The following system parameter will be altered: - - * ``net.ipv4.conf.all.send_redirects`` - -.. cfgcmd:: set firewall log-martians [enable | disable] - - enable or disable the logging of martian IPv4 packets. - The following system parameter will be altered: - - * ``net.ipv4.conf.all.log_martians`` - -.. cfgcmd:: set firewall source-validation [strict | loose | disable] - - Set the IPv4 source validation mode. - The following system parameter will be altered: - - * ``net.ipv4.conf.all.rp_filter`` - -.. cfgcmd:: set firewall syn-cookies [enable | disable] - - Enable or Disable if VyOS use IPv4 TCP SYN Cookies. - The following system parameter will be altered: - - * ``net.ipv4.tcp_syncookies`` - -.. cfgcmd:: set firewall twa-hazards-protection [enable | disable] - - Enable or Disable VyOS to be :rfc:`1337` conform. - The following system parameter will be altered: - - * ``net.ipv4.tcp_rfc1337`` - -.. cfgcmd:: set firewall state-policy established action [accept | drop | - reject] - -.. cfgcmd:: set firewall state-policy established log enable - - Set the global setting for an established connection. - -.. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject] - -.. cfgcmd:: set firewall state-policy invalid log enable - - Set the global setting for invalid packets. - -.. cfgcmd:: set firewall state-policy related action [accept | drop | reject] - -.. cfgcmd:: set firewall state-policy related log enable - - Set the global setting for related connections. - - -****** -Groups -****** - -Firewall groups represent collections of IP addresses, networks, ports, -mac addresses or domains. Once created, a group can be referenced by -firewall, nat and policy route rules as either a source or destination -matcher. Members can be added or removed from a group without changes to, -or the need to reload, individual firewall rules. - -Groups need to have unique names. Even though some contain IPv4 -addresses and others contain IPv6 addresses, they still need to have -unique names, so you may want to append "-v4" or "-v6" to your group -names. - - -Address Groups -============== - -In an **address group** a single IP address or IP address ranges are -defined. - -.. cfgcmd:: set firewall group address-group <name> address [address | - address range] -.. cfgcmd:: set firewall group ipv6-address-group <name> address <address> - - Define a IPv4 or a IPv6 address group - - .. code-block:: none - - set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1 - set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8 - set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1 - -.. cfgcmd:: set firewall group address-group <name> description <text> -.. cfgcmd:: set firewall group ipv6-address-group <name> description <text> - - Provide a IPv4 or IPv6 address group description - -Network Groups -============== - -While **network groups** accept IP networks in CIDR notation, specific -IP addresses can be added as a 32-bit prefix. If you foresee the need -to add a mix of addresses and networks, the network group is -recommended. - -.. cfgcmd:: set firewall group network-group <name> network <CIDR> -.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR> - - Define a IPv4 or IPv6 Network group. - - .. code-block:: none - - set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24 - set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24 - set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64 - -.. cfgcmd:: set firewall group network-group <name> description <text> -.. cfgcmd:: set firewall group ipv6-network-group <name> description <text> - - Provide a IPv4 or IPv6 network group description. - -Port Groups -=========== - -A **port group** represents only port numbers, not the protocol. Port -groups can be referenced for either TCP or UDP. It is recommended that -TCP and UDP groups are created separately to avoid accidentally -filtering unnecessary ports. Ranges of ports can be specified by using -`-`. - -.. cfgcmd:: set firewall group port-group <name> port - [portname | portnumber | startport-endport] - - Define a port group. A port name can be any name defined in - /etc/services. e.g.: http - - .. code-block:: none - - set firewall group port-group PORT-TCP-SERVER1 port http - set firewall group port-group PORT-TCP-SERVER1 port 443 - set firewall group port-group PORT-TCP-SERVER1 port 5000-5010 - -.. cfgcmd:: set firewall group port-group <name> description <text> - - Provide a port group description. - -MAC Groups -========== - -A **mac group** represents a collection of mac addresses. - -.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address> - - Define a mac group. - -.. code-block:: none - - set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f - set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81 - - -Domain Groups -============= - -A **domain group** represents a collection of domains. - -.. cfgcmd:: set firewall group domain-group <name> address <domain> - - Define a domain group. - -.. code-block:: none - - set firewall group domain-group DOM address example.com - - -********* -Rule-Sets -********* - -A rule-set is a named collection of firewall rules that can be applied -to an interface or a zone. Each rule is numbered, has an action to apply -if the rule is matched, and the ability to specify the criteria to -match. Data packets go through the rules from 1 - 999999, at the first match -the action of the rule will be executed. - -.. cfgcmd:: set firewall name <name> description <text> -.. cfgcmd:: set firewall ipv6-name <name> description <text> - - Provide a rule-set description. - -.. cfgcmd:: set firewall name <name> default-action [accept | drop | jump | - reject | return] -.. cfgcmd:: set firewall ipv6-name <name> default-action [accept | drop | - jump | reject | return] - - This set the default action of the rule-set if no rule matched a packet - criteria. If defacult-action is set to ``jump``, then - ``default-jump-target`` is also needed. - -.. cfgcmd:: set firewall name <name> default-jump-target <text> -.. cfgcmd:: set firewall ipv6-name <name> default-jump-target <text> - - To be used only when ``defult-action`` is set to ``jump``. Use this - command to specify jump target for default rule. - -.. cfgcmd:: set firewall name <name> enable-default-log -.. cfgcmd:: set firewall ipv6-name <name> enable-default-log - - Use this command to enable the logging of the default action. - -.. cfgcmd:: set firewall name <name> rule <1-999999> action [accept | drop | - jump | queue | reject | return] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [accept | - drop | jump | queue | reject | return] - - This required setting defines the action of the current rule. If action - is set to ``jump``, then ``jump-target`` is also needed. - -.. cfgcmd:: set firewall name <name> rule <1-999999> jump-target <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> jump-target <text> - - To be used only when ``action`` is set to ``jump``. Use this - command to specify jump target. - -.. cfgcmd:: set firewall name <name> rule <1-999999> queue <0-65535> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> queue <0-65535> - - Use this command to set the target to use. Action queue must be defined - to use this setting - -.. cfgcmd:: set firewall name <name> rule <1-999999> queue-options - <bypass-fanout> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> queue-options - <bypass-fanout> - - Options used for queue target. Action queue must be defined to use this - setting - -.. cfgcmd:: set firewall name <name> rule <1-999999> description <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> description <text> - - Provide a description for each rule. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log [disable | enable] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable | - enable] - - Enable or disable logging for the matched packet. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log-options level - [emerg | alert | crit | err | warn | notice | info | debug] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options level - [emerg | alert | crit | err | warn | notice | info | debug] - - Define log-level. Only applicable if rule log is enable. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log-options group - <0-65535> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options group - <0-65535> - - Define log group to send message to. Only applicable if rule log is enable. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log-options snaplen - <0-9000> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options snaplen - <0-9000> - - Define length of packet payload to include in netlink message. Only - applicable if rule log is enable and log group is defined. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log-options - queue-threshold <0-65535> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options - queue-threshold <0-65535> - - Define number of packets to queue inside the kernel before sending them to - userspace. Only applicable if rule log is enable and log group is defined. - -.. cfgcmd:: set firewall name <name> rule <1-999999> disable -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable - - If you want to disable a rule but let it in the configuration. - -Matching criteria -================= - -There are a lot of matching criteria against which the package can be tested. - -.. cfgcmd:: set firewall name <name> rule <1-999999> connection-status nat - [destination | source] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-status - nat [destination | source] - - Match criteria based on nat connection status. - -.. cfgcmd:: set firewall name <name> rule <1-999999> connection-mark - <1-2147483647> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-mark - <1-2147483647> - - Match criteria based on connection mark. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source address - [address | addressrange | CIDR] -.. cfgcmd:: set firewall name <name> rule <1-999999> destination address - [address | addressrange | CIDR] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address - [address | addressrange | CIDR] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination address - [address | addressrange | CIDR] - - This is similar to the network groups part, but here you are able to negate - the matching addresses. - - .. code-block:: none - - set firewall name WAN-IN-v4 rule 100 source address 192.0.2.10-192.0.2.11 - # with a '!' the rule match everything except the specified subnet - set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24 - set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202 - -.. cfgcmd:: set firewall name <name> rule <1-999999> source address-mask - [address] -.. cfgcmd:: set firewall name <name> rule <1-999999> destination address-mask - [address] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address-mask - [address] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination - address-mask [address] - - An arbitrary netmask can be applied to mask addresses to only match against - a specific portion. This is particularly useful with IPv6 and a zone-based - firewall as rules will remain valid if the IPv6 prefix changes and the host - portion of systems IPv6 address is static (for example, with SLAAC or - `tokenised IPv6 addresses - <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_). - - This functions for both individual addresses and address groups. - - .. stop_vyoslinter - .. code-block:: none - - # Match any IPv6 address with the suffix ::0000:0000:0000:beef - set firewall ipv6-name WAN-LAN-v6 rule 100 destination address ::beef - set firewall ipv6-name WAN-LAN-v6 rule 100 destination address-mask ::ffff:ffff:ffff:ffff - # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet - set firewall name WAN-LAN-v4 rule 100 destination address 0.11.0.13 - set firewall name WAN-LAN-v4 rule 100 destination address-mask 0.255.0.255 - # Address groups - set firewall group ipv6-address-group WEBSERVERS address ::1000 - set firewall group ipv6-address-group WEBSERVERS address ::2000 - set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS - set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff - .. start_vyoslinter - -.. cfgcmd:: set firewall name <name> rule <1-999999> source fqdn <fqdn> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination fqdn <fqdn> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source fqdn <fqdn> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination fqdn - <fqdn> - - Specify a Fully Qualified Domain Name as source/destination matcher. Ensure - router is able to resolve such dns query. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code - <country> -.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip - country-code <country> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip - inverse-match -.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip - country-code <country> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip - inverse-match -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip - country-code <country> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip - inverse-match - -Match IP addresses based on its geolocation. -More info: `geoip matching -<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. - -Use inverse-match to match anything except the given country-codes. - -Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, -permits redistribution so we can include a database in images(~3MB -compressed). Includes cron script (manually callable by op-mode update -geoip) to keep database and rules updated. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address - <mac-address> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source mac-address - <mac-address> - - Only in the source criteria, you can specify a mac-address. - - .. code-block:: none - - set firewall name LAN-IN-v4 rule 100 source mac-address 00:53:00:11:22:33 - set firewall name LAN-IN-v4 rule 101 source mac-address !00:53:00:aa:12:34 - -.. cfgcmd:: set firewall name <name> rule <1-999999> source port - [1-65535 | portname | start-end] -.. cfgcmd:: set firewall name <name> rule <1-999999> destination port - [1-65535 | portname | start-end] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source port - [1-65535 | portname | start-end] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination port - [1-65535 | portname | start-end] - - A port can be set with a port number or a name which is here - defined: ``/etc/services``. - - .. code-block:: none - - set firewall name WAN-IN-v4 rule 10 source port '22' - set firewall name WAN-IN-v4 rule 11 source port '!http' - set firewall name WAN-IN-v4 rule 12 source port 'https' - - Multiple source ports can be specified as a comma-separated list. - The whole list can also be "negated" using ``!``. For example: - - .. code-block:: none - - set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338' - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - address-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - address-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - address-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - address-group <name | !name> - - Use a specific address-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - network-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - network-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - network-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - network-group <name | !name> - - Use a specific network-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - port-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - port-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - port-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - port-group <name | !name> - - Use a specific port-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - domain-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - domain-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - domain-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - domain-group <name | !name> - - Use a specific domain-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - mac-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - mac-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - mac-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - mac-group <name | !name> - - Use a specific mac-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> dscp [0-63 | start-end] -.. cfgcmd:: set firewall name <name> rule <1-999999> dscp-exclude [0-63 | - start-end] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp [0-63 | - start-end] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp-exclude [0-63 | - start-end] - - Match based on dscp value. - -.. cfgcmd:: set firewall name <name> rule <1-999999> fragment [match-frag | - match-non-frag] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> fragment [match-frag - | match-non-frag] - - Match based on fragment criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> icmp [code | type] - <0-255> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 [code | type] - <0-255> - - Match based on icmp|icmpv6 code and type. - -.. cfgcmd:: set firewall name <name> rule <1-999999> icmp type-name <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 type-name - <text> - - Match based on icmp|icmpv6 type-name criteria. Use tab for information - about what **type-name** criteria are supported. - -.. cfgcmd:: set firewall name <name> rule <1-999999> inbound-interface - <iface> -.. cfgcmd:: set firewall name <name> rule <1-999999> outbound-interface - <iface> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> inbound-interface - <iface> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> outbound-interface - <iface> - - Match based on inbound/outbound interface. Wilcard ``*`` can be used. - For example: ``eth2*`` - -.. cfgcmd:: set firewall name <name> rule <1-999999> ipsec [match-ipsec - | match-none] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> ipsec [match-ipsec - | match-none] - - Match based on ipsec criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> limit burst - <0-4294967295> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit burst - <0-4294967295> - - Match based on the maximum number of packets to allow in excess of rate. - -.. cfgcmd:: set firewall name <name> rule <1-999999> limit rate - <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit rate - <text> - - Match based on the maximum average rate, specified as **integer/unit**. - For example **5/minutes** - -.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length - <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length - <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length-exclude - <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length-exclude - <text> - - Match based on packet length criteria. Multiple values from 1 to 65535 - and ranges are supported. - -.. cfgcmd:: set firewall name <name> rule <1-999999> packet-type - [broadcast | host | multicast | other] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-type - [broadcast | host | multicast | other] - - Match based on packet type criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> | - <0-255> | all | tcp_udp] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> protocol [<text> | - <0-255> | all | tcp_udp] - - Match a protocol criteria. A protocol number or a name which is here - defined: ``/etc/protocols``. - Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp - based packets. The ``!`` negate the selected protocol. - - .. code-block:: none - - set firewall name WAN-IN-v4 rule 10 protocol tcp_udp - set firewall name WAN-IN-v4 rule 11 protocol !tcp_udp - set firewall ipv6-name WAN-IN-v6 rule 10 protocol tcp - -.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255> -.. cfgcmd:: set firewall name <name> rule <1-999999> recent time - [second | minute | hour] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time - [second | minute | hour] - - Match bases on recently seen sources. - -.. cfgcmd:: set firewall name <name> rule <1-999999> tcp flags <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> tcp flags <text> - - Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``, - ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma - separated. The ``!`` negate the selected protocol. - - .. code-block:: none - - set firewall name WAN-IN-v4 rule 10 tcp flags 'ACK' - set firewall name WAN-IN-v4 rule 12 tcp flags 'SYN' - set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST' - -.. cfgcmd:: set firewall name <name> rule <1-999999> state [established | - invalid | new | related] [enable | disable] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> state [established | - invalid | new | related] [enable | disable] - - Match against the state of a packet. - -.. cfgcmd:: set firewall name <name> rule <1-999999> time startdate <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time startdate <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> time starttime <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time starttime <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> time stopdate <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stopdate <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> time stoptime <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stoptime <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> time weekdays <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time weekdays <text> - - Time to match the defined rule. - -.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255> - - Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for - 'greater than', and 'lt' stands for 'less than'. - -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> hop-limit <eq | gt | - lt> <0-255> - - Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for - 'greater than', and 'lt' stands for 'less than'. - -.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255> -.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second | - minute | hour> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second | - minute | hour> - - Match when 'count' amount of connections are seen within 'time'. These - matching criteria can be used to block brute-force attempts. - -*********************************** -Applying a Rule-Set to an Interface -*********************************** - -A Rule-Set can be applied to every interface: - -* ``in``: Ruleset for forwarded packets on an inbound interface -* ``out``: Ruleset for forwarded packets on an outbound interface -* ``local``: Ruleset for packets destined for this router - -.. cfgcmd:: set firewall interface <interface> [in | out | local] [name | - ipv6-name] <rule-set> - - - Here are some examples for applying a rule-set to an interface - - .. code-block:: none - - set firewall interface eth1.100 in name LANv4-IN - set firewall interface eth1.100 out name LANv4-OUT - set firewall interface bond0 in name LANv4-IN - set firewall interface vtun1 in name LANv4-IN - set firewall interface eth2* in name LANv4-IN - - .. note:: - As you can see in the example here, you can assign the same rule-set to - several interfaces. An interface can only have one rule-set per chain. - - .. note:: - You can use wildcard ``*`` to match a group of interfaces. - -*********************** -Operation-mode Firewall -*********************** - -Rule-set overview -================= - -.. opcmd:: show firewall - - This will show you a basic firewall overview - - .. code-block:: none - - vyos@vyos:~$ show firewall - - ------------------------ - Firewall Global Settings - ------------------------ - - Firewall state-policy for all IPv4 and Ipv6 traffic - - state action log - ----- ------ --- - invalid accept disabled - established accept disabled - related accept disabled - - ----------------------------- - Rulesets Information - ----------------------------- - -------------------------------------------------------------------------- - IPv4 Firewall "DMZv4-1-IN": - - Active on (eth0,IN) - - rule action proto packets bytes - ---- ------ ----- ------- ----- - 10 accept icmp 0 0 - condition - saddr 10.1.0.0/24 daddr 0.0.0.0/0 LOG enabled - - 10000 drop all 0 0 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled - - -------------------------------------------------------------------------- - IPv4 Firewall "DMZv4-1-OUT": - - Active on (eth0,OUT) - - rule action proto packets bytes - ---- ------ ----- ------- ----- - 10 accept tcp_udp 1 60 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-DST-PORT-GROUP DMZ-Ports /* - DMZv4-1-OUT-10 */LOG enabled - - 11 accept icmp 1 84 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* DMZv4-1-OUT-11 */LOG enabled - - 10000 drop all 6 360 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled - - -------------------------------------------------------------------------- - IPv4 Firewall "LANv4-IN": - - Inactive - Not applied to any interfaces or zones. - - rule action proto packets bytes - ---- ------ ----- ------- ----- - 10 accept all 0 0 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* LANv4-IN-10 */ - - 10000 drop all 0 0 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 - -.. opcmd:: show firewall summary - - This will show you a summary of rule-sets and groups - - .. code-block:: none - - vyos@vyos:~$ show firewall summary - - ------------------------ - Firewall Global Settings - ------------------------ - - Firewall state-policy for all IPv4 and Ipv6 traffic - - state action log - ----- ------ --- - invalid accept disabled - related accept disabled - established accept disabled - - ------------------------ - Firewall Rulesets - ------------------------ - - IPv4 name: - - Rule-set name Description References - ------------- ----------- ---------- - DMZv4-1-OUT (eth0,OUT) - DMZv4-1-IN (eth0,IN) - - ------------------------ - Firewall Groups - ------------------------ - - Port Groups: - - Group name Description References - ---------- ----------- ---------- - DMZ-Ports DMZv4-1-OUT-10-destination - - Network Groups: - - Group name Description References - ---------- ----------- ---------- - LANv4 LANv4-IN-10-source, - DMZv4-1-OUT-10-source, - DMZv4-1-OUT-11-source - -.. opcmd:: show firewall statistics - - This will show you a statistic of all rule-sets since the last boot. - -.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999> - - This command will give an overview of a rule in a single rule-set - -.. opcmd:: show firewall group <name> - - Overview of defined groups. You see the type, the members, and where the - group is used. - - .. code-block:: none - - vyos@vyos:~$ show firewall group DMZ-Ports - Name : DMZ-Ports - Type : port - References : none - Members : - 80 - 443 - 8080 - 8443 - - vyos@vyos:~$ show firewall group LANv4 - Name : LANv4 - Type : network - References : LANv4-IN-10-source - Members : - 10.10.0.0/16 - -.. opcmd:: show firewall [name | ipv6name] <name> - - This command will give an overview of a single rule-set. - -.. opcmd:: show firewall [name | ipv6name] <name> statistics - - This will show you a rule-set statistic since the last boot. - -.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999> - - This command will give an overview of a rule in a single rule-set. - - -Zone-Policy Overview -==================== - -.. opcmd:: show zone-policy zone <name> - - Use this command to get an overview of a zone. - - .. code-block:: none - - vyos@vyos:~$ show zone-policy zone DMZ - ------------------- - Name: DMZ - - Interfaces: eth0 eth1 - - From Zone: - name firewall - ---- -------- - LAN DMZv4-1-OUT - - -Show Firewall log -================= - -.. opcmd:: show log firewall [name | ipv6name] <name> - - Show the logs of a specific Rule-Set. - -.. note:: - At the moment it not possible to look at the whole firewall log with VyOS - operational commands. All logs will save to ``/var/logs/messages``. - For example: ``grep '10.10.0.10' /var/log/messages`` - - - -Example Partial Config -====================== - -.. code-block:: none - - firewall { - interface eth0 { - in { - name FROM-INTERNET - } - } - all-ping enable - broadcast-ping disable - config-trap disable - group { - network-group BAD-NETWORKS { - network 198.51.100.0/24 - network 203.0.113.0/24 - } - network-group GOOD-NETWORKS { - network 192.0.2.0/24 - } - port-group BAD-PORTS { - port 65535 - } - } - name FROM-INTERNET { - default-action accept - description "From the Internet" - rule 10 { - action accept - description "Authorized Networks" - protocol all - source { - group { - network-group GOOD-NETWORKS - } - } - } - rule 11 { - action drop - description "Bad Networks" - protocol all - source { - group { - network-group BAD-NETWORKS - } - } - } - rule 30 { - action drop - description "BAD PORTS" - destination { - group { - port-group BAD-PORTS - } - } - log enable - protocol all - } - } - } - interfaces { - ethernet eth1 { - address dhcp - description OUTSIDE - duplex auto - } - } - - -Update geoip database -===================== - -.. opcmd:: update geoip - - Command used to update GeoIP database and firewall sets. diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst deleted file mode 100644 index 3fe876f2..00000000 --- a/docs/configuration/firewall/general.rst +++ /dev/null @@ -1,1544 +0,0 @@ -:lastproofread: 2023-09-17 - -.. _firewall-configuration: - -###################### -Firewall Configuration -###################### - -******** -Overview -******** - -VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet -filtering. - -The firewall supports the creation of groups for addresses, domains, -interfaces, mac-addresses, networks and port groups. This groups can be used -later in firewall ruleset as desired. - -Main structure is shown next: - -.. code-block:: none - - - set firewall - * global-options - + all-ping - + broadcast-ping - + ... - * group - - address-group - - ipv6-address-group - - network-group - - ipv6-network-group - - interface-group - - mac-group - - port-group - - domain-group - * ipv4 - - forward - + filter - - input - + filter - - output - + filter - - name - + custom_name - * ipv6 - - forward - + filter - - input - + filter - - output - + filter - - ipv6-name - + custom_name - -Where, main key words and configuration paths that needs to be understood: - - * For firewall filtering, configuration should be done in ``set firewall - [ipv4 | ipv6] ...`` - - * For transit traffic, which is received by the router and forwarded, - base chain is **forward filter**: ``set firewall [ipv4 | ipv6] - forward filter ...`` - - * For traffic originated by the router, base chain is **output filter**: - ``set firewall [ipv4 | ipv6] output filter ...`` - - * For traffic towards the router itself, base chain is **input filter**: - ``set firewall [ipv4 | ipv6] input filter ...`` - -.. note:: **Important note about default-actions:** - If default action for any chain is not defined, then the default - action is set to **accept** for that chain. Only for custom chains, - the default action is set to **drop**. - -Custom firewall chains can be created, with commands -``set firewall [ipv4 | ipv6] [name | ipv6-name] <name> ...``. In order to use -such custom chain, a rule with **action jump**, and the appropiate **target** -should be defined in a base chain. - -************** -Global Options -************** - -Some firewall settings are global and have an affect on the whole system. - -.. cfgcmd:: set firewall global-options all-ping [enable | disable] - - By default, when VyOS receives an ICMP echo request packet destined for - itself, it will answer with an ICMP echo reply, unless you avoid it - through its firewall. - - With the firewall you can set rules to accept, drop or reject ICMP in, - out or local traffic. You can also use the general **firewall all-ping** - command. This command affects only to LOCAL (packets destined for your - VyOS system), not to IN or OUT traffic. - - .. note:: **firewall global-options all-ping** affects only to LOCAL - and it always behaves in the most restrictive way - - .. code-block:: none - - set firewall global-options all-ping enable - - When the command above is set, VyOS will answer every ICMP echo request - addressed to itself, but that will only happen if no other rule is - applied dropping or rejecting local echo requests. In case of conflict, - VyOS will not answer ICMP echo requests. - - .. code-block:: none - - set firewall global-options all-ping disable - - When the command above is set, VyOS will answer no ICMP echo request - addressed to itself at all, no matter where it comes from or whether - more specific rules are being applied to accept them. - -.. cfgcmd:: set firewall global-options broadcast-ping [enable | disable] - - This setting enable or disable the response of icmp broadcast - messages. The following system parameter will be altered: - - * ``net.ipv4.icmp_echo_ignore_broadcasts`` - -.. cfgcmd:: set firewall global-options ip-src-route [enable | disable] -.. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable] - - This setting handle if VyOS accept packets with a source route - option. The following system parameter will be altered: - - * ``net.ipv4.conf.all.accept_source_route`` - * ``net.ipv6.conf.all.accept_source_route`` - -.. cfgcmd:: set firewall global-options receive-redirects [enable | disable] -.. cfgcmd:: set firewall global-options ipv6-receive-redirects - [enable | disable] - - enable or disable of ICMPv4 or ICMPv6 redirect messages accepted - by VyOS. The following system parameter will be altered: - - * ``net.ipv4.conf.all.accept_redirects`` - * ``net.ipv6.conf.all.accept_redirects`` - -.. cfgcmd:: set firewall global-options send-redirects [enable | disable] - - enable or disable ICMPv4 redirect messages send by VyOS - The following system parameter will be altered: - - * ``net.ipv4.conf.all.send_redirects`` - -.. cfgcmd:: set firewall global-options log-martians [enable | disable] - - enable or disable the logging of martian IPv4 packets. - The following system parameter will be altered: - - * ``net.ipv4.conf.all.log_martians`` - -.. cfgcmd:: set firewall global-options source-validation - [strict | loose | disable] - - Set the IPv4 source validation mode. - The following system parameter will be altered: - - * ``net.ipv4.conf.all.rp_filter`` - -.. cfgcmd:: set firewall global-options syn-cookies [enable | disable] - - Enable or Disable if VyOS use IPv4 TCP SYN Cookies. - The following system parameter will be altered: - - * ``net.ipv4.tcp_syncookies`` - -.. cfgcmd:: set firewall global-options twa-hazards-protection - [enable | disable] - - Enable or Disable VyOS to be :rfc:`1337` conform. - The following system parameter will be altered: - - * ``net.ipv4.tcp_rfc1337`` - -****** -Groups -****** - -Firewall groups represent collections of IP addresses, networks, ports, -mac addresses, domains or interfaces. Once created, a group can be referenced -by firewall, nat and policy route rules as either a source or destination -matcher, and as inbpund/outbound in the case of interface group. - -Address Groups -============== - -In an **address group** a single IP address or IP address ranges are -defined. - -.. cfgcmd:: set firewall group address-group <name> address [address | - address range] -.. cfgcmd:: set firewall group ipv6-address-group <name> address <address> - - Define a IPv4 or a IPv6 address group - - .. code-block:: none - - set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1 - set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8 - set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1 - -.. cfgcmd:: set firewall group address-group <name> description <text> -.. cfgcmd:: set firewall group ipv6-address-group <name> description <text> - - Provide a IPv4 or IPv6 address group description - -Network Groups -============== - -While **network groups** accept IP networks in CIDR notation, specific -IP addresses can be added as a 32-bit prefix. If you foresee the need -to add a mix of addresses and networks, the network group is -recommended. - -.. cfgcmd:: set firewall group network-group <name> network <CIDR> -.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR> - - Define a IPv4 or IPv6 Network group. - - .. code-block:: none - - set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24 - set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24 - set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64 - -.. cfgcmd:: set firewall group network-group <name> description <text> -.. cfgcmd:: set firewall group ipv6-network-group <name> description <text> - - Provide an IPv4 or IPv6 network group description. - -Interface Groups -================ - -An **interface group** represents a collection of interfaces. - -.. cfgcmd:: set firewall group interface-group <name> interface <text> - - Define an interface group. Wildcard are accepted too. - -.. code-block:: none - - set firewall group interface-group LAN interface bond1001 - set firewall group interface-group LAN interface eth3* - -.. cfgcmd:: set firewall group interface-group <name> description <text> - - Provide an interface group description - -Port Groups -=========== - -A **port group** represents only port numbers, not the protocol. Port -groups can be referenced for either TCP or UDP. It is recommended that -TCP and UDP groups are created separately to avoid accidentally -filtering unnecessary ports. Ranges of ports can be specified by using -`-`. - -.. cfgcmd:: set firewall group port-group <name> port - [portname | portnumber | startport-endport] - - Define a port group. A port name can be any name defined in - /etc/services. e.g.: http - - .. code-block:: none - - set firewall group port-group PORT-TCP-SERVER1 port http - set firewall group port-group PORT-TCP-SERVER1 port 443 - set firewall group port-group PORT-TCP-SERVER1 port 5000-5010 - -.. cfgcmd:: set firewall group port-group <name> description <text> - - Provide a port group description. - -MAC Groups -========== - -A **mac group** represents a collection of mac addresses. - -.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address> - - Define a mac group. - -.. code-block:: none - - set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f - set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81 - -.. cfgcmd:: set firewall group mac-group <name> description <text> - - Provide a mac group description. - -Domain Groups -============= - -A **domain group** represents a collection of domains. - -.. cfgcmd:: set firewall group domain-group <name> address <domain> - - Define a domain group. - -.. code-block:: none - - set firewall group domain-group DOM address example.com - -.. cfgcmd:: set firewall group domain-group <name> description <text> - - Provide a domain group description. - -************** -Firewall Rules -************** - -For firewall filtering, firewall rules needs to be created. Each rule is -numbered, has an action to apply if the rule is matched, and the ability -to specify multiple criteria matchers. Data packets go through the rules -from 1 - 999999, so order is crucial. At the first match the action of the -rule will be executed. - -Actions -======= - -If a rule is defined, then an action must be defined for it. This tells the -firewall what to do if all criteria matchers defined for such rule do match. - -The action can be : - - * ``accept``: accept the packet. - - * ``drop``: drop the packet. - - * ``reject``: reject the packet. - - * ``jump``: jump to another custom chain. - - * ``return``: Return from the current chain and continue at the next rule - of the last chain. - - * ``queue``: Enqueue packet to userspace. - - * ``synproxy``: synproxy the packet. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> action - [accept | drop | jump | queue | reject | return | synproxy] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> action - [accept | drop | jump | queue | reject | return | synproxy] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> action - [accept | drop | jump | queue | reject | return] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action - [accept | drop | jump | queue | reject | return] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> action - [accept | drop | jump | queue | reject | return] - - This required setting defines the action of the current rule. If action is - set to jump, then jump-target is also needed. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - jump-target <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - jump-target <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - jump-target <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - jump-target <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - jump-target <text> - - To be used only when action is set to jump. Use this command to specify - jump target. - -Also, **default-action** is an action that takes place whenever a packet does -not match any rule in it's chain. For base chains, possible options for -**default-action** are **accept** or **drop**. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter default-action - [accept | drop] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter default-action - [accept | drop] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter default-action - [accept | drop] -.. cfgcmd:: set firewall ipv4 name <name> default-action - [accept | drop | jump | queue | reject | return] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> default-action - [accept | drop | jump | queue | reject | return] - - This set the default action of the rule-set if no rule matched a packet - criteria. If defacult-action is set to ``jump``, then - ``default-jump-target`` is also needed. Note that for base chains, default - action can only be set to ``accept`` or ``drop``, while on custom chain, - more actions are available. - -.. cfgcmd:: set firewall name <name> default-jump-target <text> -.. cfgcmd:: set firewall ipv6-name <name> default-jump-target <text> - - To be used only when ``defult-action`` is set to ``jump``. Use this - command to specify jump target for default rule. - -.. note:: **Important note about default-actions:** - If default action for any chain is not defined, then the default - action is set to **drop** for that chain. - - -Firewall Logs -============= - -Logging can be enable for every single firewall rule. If enabled, other -log options can be defined. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> log - [disable | enable] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> log - [disable | enable] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> log - [disable | enable] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log - [disable | enable] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> log - [disable | enable] - - Enable or disable logging for the matched packet. - -.. cfgcmd:: set firewall ipv4 name <name> enable-default-log -.. cfgcmd:: set firewall ipv6 ipv6-name <name> enable-default-log - - Use this command to enable the logging of the default action on - custom chains. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - log-options level [emerg | alert | crit | err | warn | notice - | info | debug] - - Define log-level. Only applicable if rule log is enable. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - log-options group <0-65535> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - log-options group <0-65535> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - log-options group <0-65535> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - log-options group <0-65535> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - log-options group <0-65535> - - Define log group to send message to. Only applicable if rule log is enable. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - log-options snapshot-length <0-9000> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - log-options snapshot-length <0-9000> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - log-options snapshot-length <0-9000> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - log-options snapshot-length <0-9000> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - log-options snapshot-length <0-9000> - - Define length of packet payload to include in netlink message. Only - applicable if rule log is enable and log group is defined. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - log-options queue-threshold <0-65535> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - log-options queue-threshold <0-65535> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - log-options queue-threshold <0-65535> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - log-options queue-threshold <0-65535> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - log-options queue-threshold <0-65535> - - Define number of packets to queue inside the kernel before sending them to - userspace. Only applicable if rule log is enable and log group is defined. - - -Firewall Description -==================== - -For reference, a description can be defined for every single rule, and for -every defined custom chain. - -.. cfgcmd:: set firewall ipv4 name <name> description <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> description <text> - - Provide a rule-set description to a custom firewall chain. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - description <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - description <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - description <text> - -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> description <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> description <text> - - Provide a description for each rule. - - -Rule Status -=========== - -When defining a rule, it is enable by default. In some cases, it is useful to -just disable the rule, rather than removing it. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> disable -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> disable -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> disable -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> disable -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> disable - - Command for disabling a rule but keep it in the configuration. - - -Matching criteria -================= - -There are a lot of matching criteria against which the package can be tested. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - connection-status nat [destination | source] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - connection-status nat [destination | source] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - connection-status nat [destination | source] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - connection-status nat [destination | source] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - connection-status nat [destination | source] - - Match criteria based on nat connection status. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - connection-mark <1-2147483647> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - connection-mark <1-2147483647> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - connection-mark <1-2147483647> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - connection-mark <1-2147483647> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - connection-mark <1-2147483647> - - Match criteria based on connection mark. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source address [address | addressrange | CIDR] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source address [address | addressrange | CIDR] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source address [address | addressrange | CIDR] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source address [address | addressrange | CIDR] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source address [address | addressrange | CIDR] - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination address [address | addressrange | CIDR] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination address [address | addressrange | CIDR] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination address [address | addressrange | CIDR] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination address [address | addressrange | CIDR] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination address [address | addressrange | CIDR] - - Match criteria based on source and/or destination address. This is similar - to the network groups part, but here you are able to negate the matching - addresses. - - .. code-block:: none - - set firewall ipv4 name FOO rule 50 source address 192.0.2.10-192.0.2.11 - # with a '!' the rule match everything except the specified subnet - set firewall ipv4 input filter FOO rule 51 source address !203.0.113.0/24 - set firewall ipv6 ipv6-name FOO rule 100 source address 2001:db8::202 - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source address-mask [address] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source address-mask [address] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source address-mask [address] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source address-mask [address] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source address-mask [address] - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination address-mask [address] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination address-mask [address] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination address-mask [address] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination address-mask [address] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination address-mask [address] - - An arbitrary netmask can be applied to mask addresses to only match against - a specific portion. This is particularly useful with IPv6 as rules will - remain valid if the IPv6 prefix changes and the host - portion of systems IPv6 address is static (for example, with SLAAC or - `tokenised IPv6 addresses - <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) - - This functions for both individual addresses and address groups. - - .. code-block:: none - - # Match any IPv6 address with the suffix ::0000:0000:0000:beef - set firewall ipv6 forward filter rule 100 destination address ::beef - set firewall ipv6 forward filter rule 100 destination address-mask ::ffff:ffff:ffff:ffff - # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet - set firewall ipv4 name FOO rule 100 destination address 0.11.0.13 - set firewall ipv4 name FOO rule 100 destination address-mask 0.255.0.255 - # Address groups - set firewall group ipv6-address-group WEBSERVERS address ::1000 - set firewall group ipv6-address-group WEBSERVERS address ::2000 - set firewall ipv6 forward filter rule 200 source group address-group WEBSERVERS - set firewall ipv6 forward filter rule 200 source address-mask ::ffff:ffff:ffff:ffff - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source fqdn <fqdn> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source fqdn <fqdn> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source fqdn <fqdn> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source fqdn <fqdn> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source fqdn <fqdn> -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination fqdn <fqdn> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination fqdn <fqdn> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination fqdn <fqdn> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination fqdn <fqdn> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination fqdn <fqdn> - - Specify a Fully Qualified Domain Name as source/destination matcher. Ensure - router is able to resolve such dns query. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source geoip country-code <country> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source geoip country-code <country> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source geoip country-code <country> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source geoip country-code <country> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source geoip country-code <country> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination geoip country-code <country> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination geoip country-code <country> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination geoip country-code <country> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination geoip country-code <country> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination geoip country-code <country> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source geoip inverse-match -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source geoip inverse-match -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source geoip inverse-match -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source geoip inverse-match -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source geoip inverse-match - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination geoip inverse-match -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination geoip inverse-match -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination geoip inverse-match -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination geoip inverse-match -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination geoip inverse-match - - Match IP addresses based on its geolocation. More info: `geoip matching - <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. - Use inverse-match to match anything except the given country-codes. - -Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, -permits redistribution so we can include a database in images(~3MB -compressed). Includes cron script (manually callable by op-mode update -geoip) to keep database and rules updated. - - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source mac-address <mac-address> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source mac-address <mac-address> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source mac-address <mac-address> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source mac-address <mac-address> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source mac-address <mac-address> - - Only in the source criteria, you can specify a mac-address. - - .. code-block:: none - - set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33 - set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34 - - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source port [1-65535 | portname | start-end] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source port [1-65535 | portname | start-end] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source port [1-65535 | portname | start-end] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source port [1-65535 | portname | start-end] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source port [1-65535 | portname | start-end] - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination port [1-65535 | portname | start-end] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination port [1-65535 | portname | start-end] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination port [1-65535 | portname | start-end] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination port [1-65535 | portname | start-end] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination port [1-65535 | portname | start-end] - - A port can be set with a port number or a name which is here - defined: ``/etc/services``. - - .. code-block:: none - - set firewall ipv4 forward filter rule 10 source port '22' - set firewall ipv4 forward filter rule 11 source port '!http' - set firewall ipv4 forward filter rule 12 source port 'https' - - Multiple source ports can be specified as a comma-separated list. - The whole list can also be "negated" using ``!``. For example: - - .. code-block:: none - - set firewall ipv6 forward filter rule 10 source port '!22,https,3333-3338' - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source group address-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source group address-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source group address-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source group address-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source group address-group <name | !name> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination group address-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination group address-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination group address-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination group address-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination group address-group <name | !name> - - Use a specific address-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source group network-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source group network-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source group network-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source group network-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source group network-group <name | !name> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination group network-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination group network-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination group network-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination group network-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination group network-group <name | !name> - - Use a specific network-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source group port-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source group port-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source group port-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source group port-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source group port-group <name | !name> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination group port-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination group port-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination group port-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination group port-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination group port-group <name | !name> - - Use a specific port-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source group domain-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source group domain-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source group domain-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source group domain-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source group domain-group <name | !name> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination group domain-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination group domain-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination group domain-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination group domain-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination group domain-group <name | !name> - - Use a specific domain-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - source group mac-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - source group mac-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - source group mac-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - source group mac-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - source group mac-group <name | !name> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - destination group mac-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - destination group mac-group <name | !name> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - destination group mac-group <name | !name> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - destination group mac-group <name | !name> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - destination group mac-group <name | !name> - - Use a specific mac-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - dscp [0-63 | start-end] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - dscp [0-63 | start-end] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - dscp [0-63 | start-end] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - dscp [0-63 | start-end] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - dscp [0-63 | start-end] - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - dscp-exclude [0-63 | start-end] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - dscp-exclude [0-63 | start-end] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - dscp-exclude [0-63 | start-end] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - dscp-exclude [0-63 | start-end] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - dscp-exclude [0-63 | start-end] - - Match based on dscp value. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - fragment [match-frag | match-non-frag] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - fragment [match-frag | match-non-frag] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - fragment [match-frag | match-non-frag] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - fragment [match-frag | match-non-frag] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - fragment [match-frag | match-non-frag] - - Match based on fragment criteria. - -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - icmp [code | type] <0-255> -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - icmp [code | type] <0-255> -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - icmp [code | type] <0-255> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - icmp [code | type] <0-255> -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - icmpv6 [code | type] <0-255> -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - icmpv6 [code | type] <0-255> -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - icmpv6 [code | type] <0-255> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - icmpv6 [code | type] <0-255> - - Match based on icmp|icmpv6 code and type. - -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - icmp type-name <text> -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - icmp type-name <text> -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - icmp type-name <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - icmp type-name <text> -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - icmpv6 type-name <text> -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - icmpv6 type-name <text> -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - icmpv6 type-name <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - icmpv6 type-name <text> - - Match based on icmp|icmpv6 type-name criteria. Use tab for information - about what **type-name** criteria are supported. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - inbound-interface <iface> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - inbound-interface <iface> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - inbound-interface <iface> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - inbound-interface <iface> - - Match based on inbound interface. Wilcard ``*`` can be used. - For example: ``eth2*`` - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - outbound-interface <iface> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - outbound-interface <iface> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - outbound-interface <iface> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - outbound-interface <iface> - - Match based on outbound interface. Wilcard ``*`` can be used. - For example: ``eth2*`` - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - ipsec [match-ipsec | match-none] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - ipsec [match-ipsec | match-none] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - ipsec [match-ipsec | match-none] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - ipsec [match-ipsec | match-none] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - ipsec [match-ipsec | match-none] - - Match based on ipsec criteria. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - limit burst <0-4294967295> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - limit burst <0-4294967295> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - limit burst <0-4294967295> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - limit burst <0-4294967295> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - limit burst <0-4294967295> - - Match based on the maximum number of packets to allow in excess of rate. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - limit rate <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - limit rate <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - limit rate <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - limit rate <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - limit rate <text> - - Match based on the maximum average rate, specified as **integer/unit**. - For example **5/minutes** - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - packet-length <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - packet-length <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - packet-length <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - packet-length <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - packet-length <text> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - packet-length-exclude <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - packet-length-exclude <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - packet-length-exclude <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - packet-length-exclude <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - packet-length-exclude <text> - - Match based on packet length criteria. Multiple values from 1 to 65535 - and ranges are supported. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - packet-type [broadcast | host | multicast | other] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - packet-type [broadcast | host | multicast | other] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - packet-type [broadcast | host | multicast | other] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - packet-type [broadcast | host | multicast | other] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - packet-type [broadcast | host | multicast | other] - - Match based on packet type criteria. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - protocol [<text> | <0-255> | all | tcp_udp] - - Match a protocol criteria. A protocol number or a name which is here - defined: ``/etc/protocols``. - Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp - based packets. The ``!`` negate the selected protocol. - - .. code-block:: none - - set firewall ipv4 forward fitler rule 10 protocol tcp_udp - set firewall ipv4 forward fitler rule 11 protocol !tcp_udp - set firewall ipv6 input filter rule 10 protocol tcp - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - recent count <1-255> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - recent count <1-255> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - recent count <1-255> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - recent count <1-255> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - recent count <1-255> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - recent time [second | minute | hour] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - recent time [second | minute | hour] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - recent time [second | minute | hour] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - recent time [second | minute | hour] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - recent time [second | minute | hour] - - Match bases on recently seen sources. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - tcp flags <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - tcp flags <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - tcp flags <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - tcp flags <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - tcp flags <text> - - Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``, - ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma - separated. The ``!`` negate the selected protocol. - - .. code-block:: none - - set firewall ipv4 input filter rule 10 tcp flags 'ACK' - set firewall ipv4 input filter rule 12 tcp flags 'SYN' - set firewall ipv4 input filter rule 13 tcp flags 'SYN,!ACK,!FIN,!RST' - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - state [established | invalid | new | related] [enable | disable] -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - state [established | invalid | new | related] [enable | disable] - - Match against the state of a packet. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - time startdate <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - time startdate <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - time startdate <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - time startdate <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - time startdate <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - time starttime <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - time starttime <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - time starttime <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - time starttime <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - time starttime <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - time stopdate <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - time stopdate <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - time stopdate <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - time stopdate <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - time stopdate <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - time stoptime <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - time stoptime <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - time stoptime <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - time stoptime <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - time stoptime <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - time weekdays <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - time weekdays <text> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - time weekdays <text> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - time weekdays <text> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - time weekdays <text> - - Time to match the defined rule. - -.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - ttl <eq | gt | lt> <0-255> -.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - ttl <eq | gt | lt> <0-255> -.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - ttl <eq | gt | lt> <0-255> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - ttl <eq | gt | lt> <0-255> - - Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for - 'greater than', and 'lt' stands for 'less than'. - -.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - hop-limit <eq | gt | lt> <0-255> -.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - hop-limit <eq | gt | lt> <0-255> -.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - hop-limit <eq | gt | lt> <0-255> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - hop-limit <eq | gt | lt> <0-255> - - Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for - 'greater than', and 'lt' stands for 'less than'. - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - recent count <1-255> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - recent count <1-255> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - recent count <1-255> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - recent count <1-255> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - recent count <1-255> - -.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> - recent time <second | minute | hour> -.. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> - recent time <second | minute | hour> -.. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> - recent time <second | minute | hour> -.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - recent time <second | minute | hour> -.. cfgcmd:: set firewall ipv6 ipv6-name <name> rule <1-999999> - recent time <second | minute | hour> - - Match when 'count' amount of connections are seen within 'time'. These - matching criteria can be used to block brute-force attempts. - -******** -Synproxy -******** -Synproxy connections - -.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> action synproxy -.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> protocol tcp -.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> - - Set TCP-MSS (maximum segment size) for the connection - -.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> - - Set the window scale factor for TCP window scaling - -Example synproxy -================ -Requirements to enable synproxy: - - * Traffic must be symmetric - * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled - * Disable conntrack loose track option - -.. code-block:: none - - set system sysctl parameter net.ipv4.tcp_timestamps value '1' - - set system conntrack tcp loose disable - set system conntrack ignore ipv4 rule 10 destination port '8080' - set system conntrack ignore ipv4 rule 10 protocol 'tcp' - set system conntrack ignore ipv4 rule 10 tcp flags syn - - set firewall global-options syn-cookies 'enable' - set firewall ipv4 input filter rule 10 action 'synproxy' - set firewall ipv4 input filter rule 10 destination port '8080' - set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' - set firewall ipv4 input filter rule 10 protocol 'tcp' - set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' - set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7' - set firewall ipv4 input filter rule 1000 action 'drop' - set firewall ipv4 input filter rule 1000 state invalid 'enable' - - -*********************** -Operation-mode Firewall -*********************** - -Rule-set overview -================= - -.. opcmd:: show firewall - - This will show you a basic firewall overview - - .. code-block:: none - - vyos@vyos:~$ show firewall - Rulesets Information - - --------------------------------- - IPv4 Firewall "forward filter" - - Rule Action Protocol Packets Bytes Conditions - ------- -------- ---------- --------- ------- ----------------------------------------- - 5 jump all 0 0 iifname "eth1" jump NAME_VyOS_MANAGEMENT - 10 jump all 0 0 oifname "eth1" jump NAME_WAN_IN - 15 jump all 0 0 iifname "eth3" jump NAME_WAN_IN - default accept all - - --------------------------------- - IPv4 Firewall "name VyOS_MANAGEMENT" - - Rule Action Protocol Packets Bytes Conditions - ------- -------- ---------- --------- ------- -------------------------------- - 5 accept all 0 0 ct state established accept - 10 drop all 0 0 ct state invalid - 20 accept all 0 0 ip saddr @A_GOOD_GUYS accept - 30 accept all 0 0 ip saddr @N_ENTIRE_RANGE accept - 40 accept all 0 0 ip saddr @A_VyOS_SERVERS accept - 50 accept icmp 0 0 meta l4proto icmp accept - default drop all 0 0 - - --------------------------------- - IPv6 Firewall "forward filter" - - Rule Action Protocol - ------- -------- ---------- - 5 jump all - 10 jump all - 15 jump all - default accept all - - --------------------------------- - IPv6 Firewall "input filter" - - Rule Action Protocol - ------- -------- ---------- - 5 jump all - default accept all - - --------------------------------- - IPv6 Firewall "ipv6_name IPV6-VyOS_MANAGEMENT" - - Rule Action Protocol - ------- -------- ---------- - 5 accept all - 10 drop all - 20 accept all - 30 accept all - 40 accept all - 50 accept ipv6-icmp - default drop all - -.. opcmd:: show firewall summary - - This will show you a summary of rule-sets and groups - - .. code-block:: none - - vyos@vyos:~$ show firewall summary - Ruleset Summary - - IPv6 Ruleset: - - Ruleset Hook Ruleset Priority Description - -------------- -------------------- ------------------------- - forward filter - input filter - ipv6_name IPV6-VyOS_MANAGEMENT - ipv6_name IPV6-WAN_IN PUBLIC_INTERNET - - IPv4 Ruleset: - - Ruleset Hook Ruleset Priority Description - -------------- ------------------ ------------------------- - forward filter - input filter - name VyOS_MANAGEMENT - name WAN_IN PUBLIC_INTERNET - - Firewall Groups - - Name Type References Members - ----------------------- ------------------ ----------------------- ---------------- - PBX address_group WAN_IN-100 198.51.100.77 - SERVERS address_group WAN_IN-110 192.0.2.10 - WAN_IN-111 192.0.2.11 - WAN_IN-112 192.0.2.12 - WAN_IN-120 - WAN_IN-121 - WAN_IN-122 - SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2 - WAN_IN-20 - PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2 - PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2 - WAN_IN-171 - PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1 - SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2 - IPV6-WAN_IN-111 2001:db8::3 - IPV6-WAN_IN-112 2001:db8::4 - IPV6-WAN_IN-120 - IPV6-WAN_IN-121 - IPV6-WAN_IN-122 - SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5 - IPV6-WAN_IN-20 - - -.. opcmd:: show firewall [ipv4 | ipv6] [forward | input | output] filter - -.. opcmd:: show firewall ipv4 name <name> - -.. opcmd:: show firewall ipv6 ipv6-name <name> - - This command will give an overview of a single rule-set. - - .. code-block:: none - - vyos@vyos:~$ show firewall ipv4 input filter - Ruleset Information - - --------------------------------- - IPv4 Firewall "input filter" - - Rule Action Protocol Packets Bytes Conditions - ------- -------- ---------- --------- ------- ----------------------------------------- - 5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT - default accept all - -.. opcmd:: show firewall [ipv4 | ipv6] [forward | input | output] - filter rule <1-999999> - -.. opcmd:: show firewall ipv4 name <name> rule <1-999999> - -.. opcmd:: show firewall ipv6 ipv6-name <name> rule <1-999999> - - This command will give an overview of a rule in a single rule-set - -.. opcmd:: show firewall group <name> - - Overview of defined groups. You see the type, the members, and where the - group is used. - - .. code-block:: none - - vyos@vyos:~$ show firewall group LAN - Firewall Groups - - Name Type References Members - ------------ ------------------ ----------------------- ---------------- - LAN ipv6_network_group IPV6-VyOS_MANAGEMENT-30 2001:db8::0/64 - IPV6-WAN_IN-30 - LAN network_group VyOS_MANAGEMENT-30 192.168.200.0/24 - WAN_IN-30 - - -.. opcmd:: show firewall statistics - - This will show you a statistic of all rule-sets since the last boot. - -Show Firewall log -================= - -.. opcmd:: show log firewall [name | ipv6name] <name> - - Show the logs of a specific Rule-Set. - -.. note:: - At the moment it not possible to look at the whole firewall log with VyOS - operational commands. All logs will save to ``/var/logs/messages``. - For example: ``grep '10.10.0.10' /var/log/messages`` - - -Example Partial Config -====================== - -.. code-block:: none - - firewall { - group { - network-group BAD-NETWORKS { - network 198.51.100.0/24 - network 203.0.113.0/24 - } - network-group GOOD-NETWORKS { - network 192.0.2.0/24 - } - port-group BAD-PORTS { - port 65535 - } - } - ipv4 { - forward { - filter { - default-action accept - rule 5 { - action accept - source { - group { - network-group GOOD-NETWORKS - } - } - } - rule 10 { - action drop - description "Bad Networks" - protocol all - source { - group { - network-group BAD-NETWORKS - } - } - } - } - } - } - } - -Update geoip database -===================== - -.. opcmd:: update geoip - - Command used to update GeoIP database and firewall sets. diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst new file mode 100644 index 00000000..316e0802 --- /dev/null +++ b/docs/configuration/firewall/global-options.rst @@ -0,0 +1,117 @@ +:lastproofread: 2023-11-07 + +.. _firewall-global-options-configuration: + +##################################### +Global Options Firewall Configuration +##################################### + +******** +Overview +******** + +Some firewall settings are global and have an affect on the whole system. +In this section there's useful information about these global-options that can +be configured using vyos cli. + +Configuration commands covered in this section: + +.. cfgcmd:: set firewall global-options ... + +************* +Configuration +************* + +.. cfgcmd:: set firewall global-options all-ping [enable | disable] + + By default, when VyOS receives an ICMP echo request packet destined for + itself, it will answer with an ICMP echo reply, unless you avoid it + through its firewall. + + With the firewall you can set rules to accept, drop or reject ICMP in, + out or local traffic. You can also use the general **firewall all-ping** + command. This command affects only to LOCAL (packets destined for your + VyOS system), not to IN or OUT traffic. + + .. note:: **firewall global-options all-ping** affects only to LOCAL + and it always behaves in the most restrictive way + + .. code-block:: none + + set firewall global-options all-ping enable + + When the command above is set, VyOS will answer every ICMP echo request + addressed to itself, but that will only happen if no other rule is + applied dropping or rejecting local echo requests. In case of conflict, + VyOS will not answer ICMP echo requests. + + .. code-block:: none + + set firewall global-options all-ping disable + + When the command above is set, VyOS will answer no ICMP echo request + addressed to itself at all, no matter where it comes from or whether + more specific rules are being applied to accept them. + +.. cfgcmd:: set firewall global-options broadcast-ping [enable | disable] + + This setting enable or disable the response of icmp broadcast + messages. The following system parameter will be altered: + + * ``net.ipv4.icmp_echo_ignore_broadcasts`` + +.. cfgcmd:: set firewall global-options ip-src-route [enable | disable] +.. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable] + + This setting handle if VyOS accept packets with a source route + option. The following system parameter will be altered: + + * ``net.ipv4.conf.all.accept_source_route`` + * ``net.ipv6.conf.all.accept_source_route`` + +.. cfgcmd:: set firewall global-options receive-redirects [enable | disable] +.. cfgcmd:: set firewall global-options ipv6-receive-redirects + [enable | disable] + + enable or disable of ICMPv4 or ICMPv6 redirect messages accepted + by VyOS. The following system parameter will be altered: + + * ``net.ipv4.conf.all.accept_redirects`` + * ``net.ipv6.conf.all.accept_redirects`` + +.. cfgcmd:: set firewall global-options send-redirects [enable | disable] + + enable or disable ICMPv4 redirect messages send by VyOS + The following system parameter will be altered: + + * ``net.ipv4.conf.all.send_redirects`` + +.. cfgcmd:: set firewall global-options log-martians [enable | disable] + + enable or disable the logging of martian IPv4 packets. + The following system parameter will be altered: + + * ``net.ipv4.conf.all.log_martians`` + +.. cfgcmd:: set firewall global-options source-validation + [strict | loose | disable] + + Set the IPv4 source validation mode. + The following system parameter will be altered: + + * ``net.ipv4.conf.all.rp_filter`` + +.. cfgcmd:: set firewall global-options syn-cookies [enable | disable] + + Enable or Disable if VyOS use IPv4 TCP SYN Cookies. + The following system parameter will be altered: + + * ``net.ipv4.tcp_syncookies`` + +.. cfgcmd:: set firewall global-options twa-hazards-protection + [enable | disable] + + Enable or Disable VyOS to be :rfc:`1337` conform. + The following system parameter will be altered: + + * ``net.ipv4.tcp_rfc1337``
\ No newline at end of file diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst new file mode 100644 index 00000000..aee68793 --- /dev/null +++ b/docs/configuration/firewall/groups.rst @@ -0,0 +1,210 @@ +:lastproofread: 2023-11-08 + +.. _firewall-groups-configuration: + +############### +Firewall groups +############### + +************* +Configuration +************* + +Firewall groups represent collections of IP addresses, networks, ports, +mac addresses, domains or interfaces. Once created, a group can be referenced +by firewall, nat and policy route rules as either a source or destination +matcher, and/or as inbound/outbound in the case of interface group. + +Address Groups +============== + +In an **address group** a single IP address or IP address ranges are +defined. + +.. cfgcmd:: set firewall group address-group <name> address [address | + address range] +.. cfgcmd:: set firewall group ipv6-address-group <name> address <address> + + Define a IPv4 or a IPv6 address group + + .. code-block:: none + + set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1 + set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8 + set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1 + +.. cfgcmd:: set firewall group address-group <name> description <text> +.. cfgcmd:: set firewall group ipv6-address-group <name> description <text> + + Provide a IPv4 or IPv6 address group description + +Network Groups +============== + +While **network groups** accept IP networks in CIDR notation, specific +IP addresses can be added as a 32-bit prefix. If you foresee the need +to add a mix of addresses and networks, the network group is +recommended. + +.. cfgcmd:: set firewall group network-group <name> network <CIDR> +.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR> + + Define a IPv4 or IPv6 Network group. + + .. code-block:: none + + set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24 + set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24 + set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64 + +.. cfgcmd:: set firewall group network-group <name> description <text> +.. cfgcmd:: set firewall group ipv6-network-group <name> description <text> + + Provide an IPv4 or IPv6 network group description. + +Interface Groups +================ + +An **interface group** represents a collection of interfaces. + +.. cfgcmd:: set firewall group interface-group <name> interface <text> + + Define an interface group. Wildcard are accepted too. + +.. code-block:: none + + set firewall group interface-group LAN interface bond1001 + set firewall group interface-group LAN interface eth3* + +.. cfgcmd:: set firewall group interface-group <name> description <text> + + Provide an interface group description + +Port Groups +=========== + +A **port group** represents only port numbers, not the protocol. Port +groups can be referenced for either TCP or UDP. It is recommended that +TCP and UDP groups are created separately to avoid accidentally +filtering unnecessary ports. Ranges of ports can be specified by using +`-`. + +.. cfgcmd:: set firewall group port-group <name> port + [portname | portnumber | startport-endport] + + Define a port group. A port name can be any name defined in + /etc/services. e.g.: http + + .. code-block:: none + + set firewall group port-group PORT-TCP-SERVER1 port http + set firewall group port-group PORT-TCP-SERVER1 port 443 + set firewall group port-group PORT-TCP-SERVER1 port 5000-5010 + +.. cfgcmd:: set firewall group port-group <name> description <text> + + Provide a port group description. + +MAC Groups +========== + +A **mac group** represents a collection of mac addresses. + +.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address> + + Define a mac group. + +.. code-block:: none + + set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f + set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81 + +.. cfgcmd:: set firewall group mac-group <name> description <text> + + Provide a mac group description. + +Domain Groups +============= + +A **domain group** represents a collection of domains. + +.. cfgcmd:: set firewall group domain-group <name> address <domain> + + Define a domain group. + +.. code-block:: none + + set firewall group domain-group DOM address example.com + +.. cfgcmd:: set firewall group domain-group <name> description <text> + + Provide a domain group description. + +******** +Examples +******** + +As said before, once firewall groups are created, they can be referenced +either in firewall, nat, nat66 and/or policy-route rules. + +Here is an example were multiple groups are created: + + .. code-block:: none + + set firewall group address-group SERVERS address 198.51.100.101 + set firewall group address-group SERVERS address 198.51.100.102 + set firewall group network-group TRUSTEDv4 network 192.0.2.0/30 + set firewall group network-group TRUSTEDv4 network 203.0.113.128/25 + set firewall group ipv6-network-group TRUSTEDv6 network 2001:db8::/64 + set firewall group interface-group LAN interface eth2.2001 + set firewall group interface-group LAN interface bon0 + set firewall group port-group PORT-SERVERS port http + set firewall group port-group PORT-SERVERS port 443 + set firewall group port-group PORT-SERVERS port 5000-5010 + +And next, some configuration example where groups are used: + + .. code-block:: none + + set firewall ipv4 input filter rule 10 action accept + set firewall ipv4 input filter rule 10 inbound-interface group !LAN + set firewall ipv4 forward filter rule 20 action accept + set firewall ipv4 forward filter rule 20 source group network-group TRUSTEDv4 + set firewall ipv6 input filter rule 10 action accept + set firewall ipv6 input filter rule 10 source-group network-group TRUSTEDv6 + set nat destination rule 101 inbound-interface group LAN + set nat destination rule 101 destination group address-group SERVERS + set nat destination rule 101 protocol tcp + set nat destination rule 101 destination group port-group PORT-SERVERS + set nat destination rule 101 translation address 203.0.113.250 + set policy route PBR rule 201 destination group port-group PORT-SERVERS + set policy route PBR rule 201 protocol tcp + set policy route PBR rule 201 set table 15 + +************** +Operation-mode +************** + +.. opcmd:: show firewall group <name> + + Overview of defined groups. You see the type, the members, and where the + group is used. + + .. code-block:: none + + vyos@ZBF-15-CLean:~$ show firewall group + Firewall Groups + + Name Type References Members + ------------ ------------------ ---------------------- ---------------- + SERVERS address_group nat-destination-101 198.51.100.101 + 198.51.100.102 + LAN interface_group ipv4-input-filter-10 bon0 + nat-destination-101 eth2.2001 + TRUSTEDv6 ipv6_network_group ipv6-input-filter-10 2001:db8::/64 + TRUSTEDv4 network_group ipv4-forward-filter-20 192.0.2.0/30 + 203.0.113.128/25 + PORT-SERVERS port_group route-PBR-201 443 + nat-destination-101 5000-5010 + http + vyos@ZBF-15-CLean:~$ diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 4b923143..3887e26a 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -1,66 +1,158 @@ -:lastproofread: 2023-09-17 +:lastproofread: 2023-11-23 ######## Firewall ######## -.. attention:: - Starting from VyOS 1.4-rolling-202308040557, a new firewall structure - can be found on all vyos installations. +With VyOS being based on top of Linux and its kernel, the Netfilter project +created the iptables and now the successor nftables for the Linux kernel to +work directly on the data flows. This now extends the concept of zone-based +security to allow for manipulating the data at multiple stages once accepted +by the network interface and the driver before being handed off to the +destination (e.g. a web server OR another device). -.. note:: - The legacy and zone-based firewall configuration options is not longer - supported. They are here for reference purposes only. +A simplified traffic flow, based on Netfilter packet flow, is shown next, in +order to have a full view and understanding of how packets are processed, and +what possible paths can take. + +.. figure:: /_static/images/firewall-gral-packet-flow.png + +Main notes regarding this packet flow and terminology used in VyOS firewall: + + * **Bridge Port?**: choose appropiate path based on if interface were the + packet was received is part of a bridge, or not. + +If interface were the packet was received isn't part of a bridge, then packet +is processed at the **IP Layer**: + + * **Prerouting**: several actions can be done in this stage, and currently + these actions are defined in different parts in vyos configuration. Order + is important, and all these actions are performed before any actions + define under ``firewall`` section. Relevant configuration that acts in + this stage are: + + * **Conntrack Ignore**: rules defined under ``set system conntrack ignore + [ipv4 | ipv6] ...``. + + * **Policy Route**: rules defined under ``set policy [route | route6] + ...``. + + * **Destination NAT**: rules defined under ``set [nat | nat66] + destination...``. + + * **Destination is the router?**: choose appropiate path based on + destination IP address. Transit forward continunes to **forward**, + while traffic that destination IP address is configured on the router + continues to **input**. + + * **Input**: stage where traffic destinated to the router itself can be + filtered and controlled. This is where all rules for securing the router + should take place. This includes ipv4 and ipv6 filtering rules, defined + in: + + * ``set firewall ipv4 input filter ...``. + + * ``set firewall ipv6 input filter ...``. + + * **Forward**: stage where transit traffic can be filtered and controlled. + This includes ipv4 and ipv6 filtering rules, defined in: + + * ``set firewall ipv4 forward filter ...``. + + * ``set firewall ipv6 forward filter ...``. + + * **Output**: stage where traffic that is originated by the router itself + can be filtered and controlled. Bare in mind that this traffic can be a + new connection originted by a internal process running on VyOS router, + such as NTP, or can be a response to traffic received externaly through + **inputt** (for example response to an ssh login attempt to the router). + This includes ipv4 and ipv6 filtering rules, defined in: + + * ``set firewall ipv4 input filter ...``. + + * ``set firewall ipv6 output filter ...``. + + * **Postrouting**: as in **Prerouting**, several actions defined in + different parts of VyOS configuration are performed in this + stage. This includes: + + * **Source NAT**: rules defined under ``set [nat | nat66] + destination...``. + +If interface were the packet was received is part of a bridge, then packet +is processed at the **Bridge Layer**, which contains a ver basic setup where +for bridge filtering: + + * **Forward (Bridge)**: stage where traffic that is trasspasing through the + bridge is filtered and controlled: + + * ``set firewall bridge forward filter ...``. + +Main structure VyOS firewall cli is shown next: + +.. code-block:: none + + - set firewall + * bridge + - forward + + filter + * flowtable + - custom_flow_table + + ... + * global-options + + all-ping + + broadcast-ping + + ... + * group + - address-group + - ipv6-address-group + - network-group + - ipv6-network-group + - interface-group + - mac-group + - port-group + - domain-group + * ipv4 + - forward + + filter + - input + + filter + - output + + filter + - name + + custom_name + * ipv6 + - forward + + filter + - input + + filter + - output + + filter + - ipv6-name + + custom_name + * zone + - custom_zone_name + + ... + +Please, refer to appropiate section for more information about firewall +configuration: -Netfilter based -^^^^^^^^^^^^^^^ .. toctree:: :maxdepth: 1 :includehidden: - general - -With VyOS being based on top of Linux and its kernel, the Netfilter project created -the iptables and now the successor nftables for the Linux kernel to work directly -on the data flows. This now extends the concept of zone-based security to allow -for manipulating the data at multiple stages once accepted by the network interface -and the driver before being handed off to the destination (e.g. a web server OR -another device). - -To configure VyOS with the new :doc:`firewall configuration </configuration/firewall/general>` - -The only stages VyOS will process as part of the firewall configuration is the -`forward` (F4 stage), `input` (L4 stage), and `output` (L5 stage). All the other -stages and steps are for reference and cant be manipulated through VyOS. - -In this example image, a simplifed traffic flow is shown to help provide context -to the terms of `forward`, `input`, and `output` for the new firewall CLI format. - -.. figure:: /_static/images/firewall-netfilter.png + global-options + groups + bridge + ipv4 + ipv6 + flowtables .. note:: **For more information** of Netfilter hooks and Linux networking packet flows can be found in `Netfilter-Hooks <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_ -Legacy Firewall -^^^^^^^^^^^^^^^ -.. toctree:: - :maxdepth: 1 - :includehidden: - - general-legacy - -Traditionally firewalls weere configured with the concept of data going in and -out of an interface. The router just listened to the data flowing through and -responding as required if it was directed at the router itself. - -To configure VyOS with the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>` - -As the example image below shows, the device was configured with rules blocking -inbound or outbound traffic on each interface. - -.. figure:: /_static/images/firewall-traditional.png Zone-based firewall ^^^^^^^^^^^^^^^^^^^ @@ -70,16 +162,18 @@ Zone-based firewall zone -With zone-based firewalls a new concept was implemented, in addtion to the standard -in and out traffic flows, a local flow was added. This local was for traffic -originating and destined to the router itself. Which means additional rules were -required to secure the firewall itself from the network, in addition to the existing -inbound and outbound rules from the traditional concept above. +With zone-based firewalls a new concept was implemented, in addtion to the +standard in and out traffic flows, a local flow was added. This local was for +traffic originating and destined to the router itself. Which means additional +rules were required to secure the firewall itself from the network, in +addition to the existing inbound and outbound rules from the traditional +concept above. -To configure VyOS with the :doc:`zone-based firewall configuration </configuration/firewall/zone>` +To configure VyOS with the +:doc:`zone-based firewall configuration </configuration/firewall/zone>` -As the example image below shows, the device now needs rules to allow/block traffic -to or from the services running on the device that have open connections on that -interface. +As the example image below shows, the device now needs rules to allow/block +traffic to or from the services running on the device that have open +connections on that interface. .. figure:: /_static/images/firewall-zonebased.png diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst new file mode 100644 index 00000000..3fd365e1 --- /dev/null +++ b/docs/configuration/firewall/ipv4.rst @@ -0,0 +1,1145 @@ +:lastproofread: 2023-11-08 + +.. _firewall-ipv4-configuration: + +########################### +IPv4 Firewall Configuration +########################### + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding IPv4, and appropiate op-mode commands. +Configuration commands covered in this section: + +.. cfgcmd:: set firewall ipv4 ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * ipv4 + - forward + + filter + - input + + filter + - output + + filter + - name + + custom_name + +For transit traffic, which is received by the router and forwarded, base chain +is **forward**. A simplified packet flow diagram for transit traffic is shown +next: + +.. figure:: /_static/images/firewall-fwd-packet-flow.png + +Where firewall base chain to configure firewall filtering rules for transit +traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, +highlightened with red color. + +For traffic towards the router itself, base chain is **input**, while traffic +originated by the router, base chain is **output**. +A new simplified packet flow diagram is shown next, which shows the path +for traffic destinated to the router itself, and traffic generated by the +router (starting from circle number 6): + +.. figure:: /_static/images/firewall-input-packet-flow.png + +Base chain is for traffic toward the router is ``set firewall ipv4 input +filter ...`` + +And base chain for traffic generated by the router is ``set firewall ipv4 +output filter ...`` + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop** + +Custom firewall chains can be created, with commands +``set firewall ipv4 name <name> ...``. In order to use +such custom chain, a rule with **action jump**, and the appropiate **target** +should be defined in a base chain. + +********************* +Firewall - IPv4 Rules +********************* + +For firewall filtering, firewall rules needs to be created. Each rule is +numbered, has an action to apply if the rule is matched, and the ability +to specify multiple criteria matchers. Data packets go through the rules +from 1 - 999999, so order is crucial. At the first match the action of the +rule will be executed. + +Actions +======= + +If a rule is defined, then an action must be defined for it. This tells the +firewall what to do if all criteria matchers defined for such rule do match. + +The action can be : + + * ``accept``: accept the packet. + + * ``continue``: continue parsing next rule. + + * ``drop``: drop the packet. + + * ``reject``: reject the packet. + + * ``jump``: jump to another custom chain. + + * ``return``: Return from the current chain and continue at the next rule + of the last chain. + + * ``queue``: Enqueue packet to userspace. + + * ``synproxy``: synproxy the packet. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] + + This required setting defines the action of the current rule. If action is + set to jump, then jump-target is also needed. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + jump-target <text> + + To be used only when action is set to jump. Use this command to specify + jump target. + +Also, **default-action** is an action that takes place whenever a packet does +not match any rule in it's chain. For base chains, possible options for +**default-action** are **accept** or **drop**. + +.. cfgcmd:: set firewall ipv4 forward filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv4 input filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv4 output filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv4 name <name> default-action + [accept | drop | jump | queue | reject | return] + + This set the default action of the rule-set if no rule matched a packet + criteria. If defacult-action is set to ``jump``, then + ``default-jump-target`` is also needed. Note that for base chains, default + action can only be set to ``accept`` or ``drop``, while on custom chain, + more actions are available. + +.. cfgcmd:: set firewall ipv4 name <name> default-jump-target <text> + + To be used only when ``defult-action`` is set to ``jump``. Use this + command to specify jump target for default rule. + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop** + +Firewall Logs +============= + +Logging can be enable for every single firewall rule. If enabled, other +log options can be defined. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log + [disable | enable] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> log + [disable | enable] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> log + [disable | enable] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log + [disable | enable] + + Enable or disable logging for the matched packet. + +.. cfgcmd:: set firewall ipv4 forward filter enable-default-log +.. cfgcmd:: set firewall ipv4 input filter enable-default-log +.. cfgcmd:: set firewall ipv4 output filter enable-default-log +.. cfgcmd:: set firewall ipv4 name <name> enable-default-log + + Use this command to enable the logging of the default action on + the specified chain. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] + + Define log-level. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options group <0-65535> + + Define log group to send message to. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options snapshot-length <0-9000> + + Define length of packet payload to include in netlink message. Only + applicable if rule log is enable and log group is defined. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options queue-threshold <0-65535> + + Define number of packets to queue inside the kernel before sending them to + userspace. Only applicable if rule log is enable and log group is defined. + +Firewall Description +==================== + +For reference, a description can be defined for every single rule, and for +every defined custom chain. + +.. cfgcmd:: set firewall ipv4 name <name> description <text> + + Provide a rule-set description to a custom firewall chain. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> description <text> + + Provide a description for each rule. + +Rule Status +=========== + +When defining a rule, it is enable by default. In some cases, it is useful to +just disable the rule, rather than removing it. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> disable + + Command for disabling a rule but keep it in the configuration. + +Matching criteria +================= + +There are a lot of matching criteria against which the package can be tested. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + connection-status nat [destination | source] + + Match criteria based on nat connection status. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + connection-mark <1-2147483647> + + Match criteria based on connection mark. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source address [address | addressrange | CIDR] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination address [address | addressrange | CIDR] + + Match criteria based on source and/or destination address. This is similar + to the network groups part, but here you are able to negate the matching + addresses. + + .. code-block:: none + + set firewall ipv4 name FOO rule 50 source address 192.0.2.10-192.0.2.11 + # with a '!' the rule match everything except the specified subnet + set firewall ipv4 input filter FOO rule 51 source address !203.0.113.0/24 + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source address-mask [address] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination address-mask [address] + + An arbitrary netmask can be applied to mask addresses to only match against + a specific portion. + + This functions for both individual addresses and address groups. + + .. code-block:: none + + # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet + set firewall ipv4 name FOO rule 100 destination address 0.11.0.13 + set firewall ipv4 name FOO rule 100 destination address-mask 0.255.0.255 + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination fqdn <fqdn> + + Specify a Fully Qualified Domain Name as source/destination matcher. Ensure + router is able to resolve such dns query. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source geoip country-code <country> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination geoip country-code <country> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source geoip inverse-match + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination geoip inverse-match + + Match IP addresses based on its geolocation. More info: `geoip matching + <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. + Use inverse-match to match anything except the given country-codes. + +Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, +permits redistribution so we can include a database in images(~3MB +compressed). Includes cron script (manually callable by op-mode update +geoip) to keep database and rules updated. + + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source mac-address <mac-address> + + Only in the source criteria, you can specify a mac-address. + + .. code-block:: none + + set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33 + set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34 + + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source port [1-65535 | portname | start-end] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination port [1-65535 | portname | start-end] + + A port can be set with a port number or a name which is here + defined: ``/etc/services``. + + .. code-block:: none + + set firewall ipv4 forward filter rule 10 source port '22' + set firewall ipv4 forward filter rule 11 source port '!http' + set firewall ipv4 forward filter rule 12 source port 'https' + + Multiple source ports can be specified as a comma-separated list. + The whole list can also be "negated" using ``!``. For example: + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group address-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group address-group <name | !name> + + Use a specific address-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group network-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group network-group <name | !name> + + Use a specific network-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group port-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group port-group <name | !name> + + Use a specific port-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group domain-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group domain-group <name | !name> + + Use a specific domain-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group mac-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group mac-group <name | !name> + + Use a specific mac-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + dscp [0-63 | start-end] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + dscp-exclude [0-63 | start-end] + + Match based on dscp value. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + fragment [match-frag | match-non-frag] + + Match based on fragment criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + icmp [code | type] <0-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + icmp [code | type] <0-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + icmp [code | type] <0-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + icmp [code | type] <0-255> + + Match based on icmp code and type. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + icmp type-name <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + icmp type-name <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + icmp type-name <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + icmp type-name <text> + + Match based on icmp type-name criteria. Use tab for information + about what **type-name** criteria are supported. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + inbound-interface name <iface> + + Match based on inbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + inbound-interface group <iface_group> + + Match based on inbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + outbound-interface name <iface> + + Match based on outbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + outbound-interface group <iface_group> + + Match based on outbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + ipsec [match-ipsec | match-none] + + Match based on ipsec criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + limit burst <0-4294967295> + + Match based on the maximum number of packets to allow in excess of rate. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + limit rate <text> + + Match based on the maximum average rate, specified as **integer/unit**. + For example **5/minutes** + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + packet-length <text> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + packet-length-exclude <text> + + Match based on packet length criteria. Multiple values from 1 to 65535 + and ranges are supported. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + packet-type [broadcast | host | multicast | other] + + Match based on packet type criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] + + Match a protocol criteria. A protocol number or a name which is here + defined: ``/etc/protocols``. + Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp + based packets. The ``!`` negate the selected protocol. + + .. code-block:: none + + set firewall ipv4 forward fitler rule 10 protocol tcp_udp + set firewall ipv4 forward fitler rule 11 protocol !tcp_udp + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent time [second | minute | hour] + + Match bases on recently seen sources. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + tcp flags [not] <text> + + Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, + ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for + inverted selection use ``not``, as shown in the example. + + .. code-block:: none + + set firewall ipv4 input filter rule 10 tcp flags 'ack' + set firewall ipv4 input filter rule 12 tcp flags 'syn' + set firewall ipv4 input filter rule 13 tcp flags not 'fin' + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + state [established | invalid | new | related] [enable | disable] + + Match against the state of a packet. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time weekdays <text> + + Time to match the defined rule. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + ttl <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + ttl <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + ttl <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + ttl <eq | gt | lt> <0-255> + + Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for + 'greater than', and 'lt' stands for 'less than'. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent time <second | minute | hour> + + Match when 'count' amount of connections are seen within 'time'. These + matching criteria can be used to block brute-force attempts. + +******** +Synproxy +******** +Synproxy connections + +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> action synproxy +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> protocol tcp +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> + + Set TCP-MSS (maximum segment size) for the connection + +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> + + Set the window scale factor for TCP window scaling + +Example synproxy +================ +Requirements to enable synproxy: + + * Traffic must be symmetric + * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled + * Disable conntrack loose track option + +.. code-block:: none + + set system sysctl parameter net.ipv4.tcp_timestamps value '1' + + set system conntrack tcp loose disable + set system conntrack ignore ipv4 rule 10 destination port '8080' + set system conntrack ignore ipv4 rule 10 protocol 'tcp' + set system conntrack ignore ipv4 rule 10 tcp flags syn + + set firewall global-options syn-cookies 'enable' + set firewall ipv4 input filter rule 10 action 'synproxy' + set firewall ipv4 input filter rule 10 destination port '8080' + set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' + set firewall ipv4 input filter rule 10 protocol 'tcp' + set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' + set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7' + set firewall ipv4 input filter rule 1000 action 'drop' + set firewall ipv4 input filter rule 1000 state invalid 'enable' + + +*********************** +Operation-mode Firewall +*********************** + +Rule-set overview +================= + +.. opcmd:: show firewall + + This will show you a basic firewall overview, for all ruleset, and not + only for ipv4 + + .. code-block:: none + + vyos@vyos:~$ show firewall + Rulesets Information + + --------------------------------- + ipv4 Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------- + 20 accept all 0 0 ip saddr @N_TRUSTEDv4 accept + 21 jump all 0 0 jump NAME_AUX + default accept all 0 0 + + --------------------------------- + ipv4 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ------------------------- + 10 accept all 156 14377 iifname != @I_LAN accept + default accept all 0 0 + + --------------------------------- + ipv4 Firewall "name AUX" + + Rule Action Protocol Packets Bytes Conditions + ------ -------- ---------- --------- ------- -------------------------------------------- + 10 accept icmp 0 0 meta l4proto icmp accept + 20 accept udp 0 0 meta l4proto udp ip saddr @A_SERVERS accept + 30 drop all 0 0 ip saddr != @A_SERVERS iifname "eth2" + + --------------------------------- + ipv4 Firewall "output filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------- + 10 reject all 0 0 oifname @I_LAN + 20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept + default accept all 72 9258 + + --------------------------------- + ipv6 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ------------------------------- + 10 accept all 0 0 ip6 saddr @N6_TRUSTEDv6 accept + default accept all 2 112 + + vyos@vyos:~$ + +.. opcmd:: show firewall summary + + This will show you a summary of rule-sets and groups + + .. code-block:: none + + vyos@vyos:~$ show firewall summary + Ruleset Summary + + IPv6 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- -------------------- ------------------------- + forward filter + input filter + ipv6_name IPV6-VyOS_MANAGEMENT + ipv6_name IPV6-WAN_IN PUBLIC_INTERNET + + IPv4 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- ------------------ ------------------------- + forward filter + input filter + name VyOS_MANAGEMENT + name WAN_IN PUBLIC_INTERNET + + Firewall Groups + + Name Type References Members + ----------------------- ------------------ ----------------------- ---------------- + PBX address_group WAN_IN-100 198.51.100.77 + SERVERS address_group WAN_IN-110 192.0.2.10 + WAN_IN-111 192.0.2.11 + WAN_IN-112 192.0.2.12 + WAN_IN-120 + WAN_IN-121 + WAN_IN-122 + SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2 + WAN_IN-20 + PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2 + PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2 + WAN_IN-171 + PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1 + SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2 + IPV6-WAN_IN-111 2001:db8::3 + IPV6-WAN_IN-112 2001:db8::4 + IPV6-WAN_IN-120 + IPV6-WAN_IN-121 + IPV6-WAN_IN-122 + SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5 + IPV6-WAN_IN-20 + + +.. opcmd:: show firewall ipv4 [forward | input | output] filter + +.. opcmd:: show firewall ipv4 name <name> + + This command will give an overview of a single rule-set. + + .. code-block:: none + + vyos@vyos:~$ show firewall ipv4 input filter + Ruleset Information + + --------------------------------- + IPv4 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------------------- + 5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT + default accept all + +.. opcmd:: show firewall ipv4 [forward | input | output] + filter rule <1-999999> +.. opcmd:: show firewall ipv4 name <name> rule <1-999999> + + This command will give an overview of a rule in a single rule-set, plus + information for default action. + +.. code-block:: none + + vyos@vyos:~$show firewall ipv4 output filter rule 20 + Rule Information + + --------------------------------- + ipv4 Firewall "output filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------- + 20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept + default accept all 286 47614 + + vyos@vyos:~$ + + +.. opcmd:: show firewall statistics + + This will show you a statistic of all rule-sets since the last boot. + +Show Firewall log +================= + +.. opcmd:: show log firewall +.. opcmd:: show log firewall ipv4 +.. opcmd:: show log firewall ipv4 [forward | input | output | name] +.. opcmd:: show log firewall ipv4 [forward | input | output] filter +.. opcmd:: show log firewall ipv4 name <name> +.. opcmd:: show log firewall ipv4 [forward | input | output] filter rule <rule> +.. opcmd:: show log firewall ipv4 name <name> rule <rule> + + Show the logs of all firewall; show all ipv4 firewall logs; show all logs + for particular hook; show all logs for particular hook and priority; show all logs + for particular custom chain; show logs for specific Rule-Set. + +Example Partial Config +====================== + +.. code-block:: none + + firewall { + group { + network-group BAD-NETWORKS { + network 198.51.100.0/24 + network 203.0.113.0/24 + } + network-group GOOD-NETWORKS { + network 192.0.2.0/24 + } + port-group BAD-PORTS { + port 65535 + } + } + ipv4 { + forward { + filter { + default-action accept + rule 5 { + action accept + source { + group { + network-group GOOD-NETWORKS + } + } + } + rule 10 { + action drop + description "Bad Networks" + protocol all + source { + group { + network-group BAD-NETWORKS + } + } + } + } + } + } + } + +Update geoip database +===================== + +.. opcmd:: update geoip + + Command used to update GeoIP database and firewall sets. diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst new file mode 100644 index 00000000..83a5f694 --- /dev/null +++ b/docs/configuration/firewall/ipv6.rst @@ -0,0 +1,1167 @@ +:lastproofread: 2023-11-08 + +.. _firewall-ipv6-configuration: + +########################### +IPv6 Firewall Configuration +########################### + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding IPv6, and appropiate op-mode commands. +Configuration commands covered in this section: + +.. cfgcmd:: set firewall ipv6 ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * ipv6 + - forward + + filter + - input + + filter + - output + + filter + - name + + custom_name + +For transit traffic, which is received by the router and forwarded, base chain +is **forward**. A simplified packet flow diagram for transit traffic is shown +next: + +.. figure:: /_static/images/firewall-fwd-packet-flow.png + +Where firewall base chain to configure firewall filtering rules for transit +traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, +highlightened with red color. + +For traffic towards the router itself, base chain is **input**, while traffic +originated by the router, base chain is **output**. +A new simplified packet flow diagram is shown next, which shows the path +for traffic destinated to the router itself, and traffic generated by the +router (starting from circle number 6): + +.. figure:: /_static/images/firewall-input-packet-flow.png + +Base chain is for traffic toward the router is ``set firewall ipv6 input +filter ...`` + +And base chain for traffic generated by the router is ``set firewall ipv6 +output filter ...`` + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop** + +Custom firewall chains can be created, with commands +``set firewall ipv6 name <name> ...``. In order to use +such custom chain, a rule with **action jump**, and the appropiate **target** +should be defined in a base chain. + +****************************** +Firewall - IPv6 Rules +****************************** + +For firewall filtering, firewall rules needs to be created. Each rule is +numbered, has an action to apply if the rule is matched, and the ability +to specify multiple criteria matchers. Data packets go through the rules +from 1 - 999999, so order is crucial. At the first match the action of the +rule will be executed. + +Actions +======= + +If a rule is defined, then an action must be defined for it. This tells the +firewall what to do if all criteria matchers defined for such rule do match. + +The action can be : + + * ``accept``: accept the packet. + + * ``continue``: continue parsing next rule. + + * ``drop``: drop the packet. + + * ``reject``: reject the packet. + + * ``jump``: jump to another custom chain. + + * ``return``: Return from the current chain and continue at the next rule + of the last chain. + + * ``queue``: Enqueue packet to userspace. + + * ``synproxy``: synproxy the packet. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] + + This required setting defines the action of the current rule. If action is + set to jump, then jump-target is also needed. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + jump-target <text> + + To be used only when action is set to jump. Use this command to specify + jump target. + +Also, **default-action** is an action that takes place whenever a packet does +not match any rule in it's chain. For base chains, possible options for +**default-action** are **accept** or **drop**. + +.. cfgcmd:: set firewall ipv6 forward filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv6 input filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv6 output filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv6 name <name> default-action + [accept | drop | jump | queue | reject | return] + + This set the default action of the rule-set if no rule matched a packet + criteria. If defacult-action is set to ``jump``, then + ``default-jump-target`` is also needed. Note that for base chains, default + action can only be set to ``accept`` or ``drop``, while on custom chain, + more actions are available. + +.. cfgcmd:: set firewall ipv6 name <name> default-jump-target <text> + + To be used only when ``defult-action`` is set to ``jump``. Use this + command to specify jump target for default rule. + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop** + +Firewall Logs +============= + +Logging can be enable for every single firewall rule. If enabled, other +log options can be defined. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log + [disable | enable] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> log + [disable | enable] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> log + [disable | enable] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log + [disable | enable] + + Enable or disable logging for the matched packet. + +.. cfgcmd:: set firewall ipv6 forward filter enable-default-log +.. cfgcmd:: set firewall ipv6 input filter enable-default-log +.. cfgcmd:: set firewall ipv6 output filter enable-default-log +.. cfgcmd:: set firewall ipv6 name <name> enable-default-log + + Use this command to enable the logging of the default action on + the specified chain. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] + + Define log-level. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + log-options group <0-65535> + + Define log group to send message to. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + log-options snapshot-length <0-9000> + + Define length of packet payload to include in netlink message. Only + applicable if rule log is enable and log group is defined. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + log-options queue-threshold <0-65535> + + Define number of packets to queue inside the kernel before sending them to + userspace. Only applicable if rule log is enable and log group is defined. + +Firewall Description +==================== + +For reference, a description can be defined for every single rule, and for +every defined custom chain. + +.. cfgcmd:: set firewall ipv6 name <name> description <text> + + Provide a rule-set description to a custom firewall chain. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> description <text> + + Provide a description for each rule. + +Rule Status +=========== + +When defining a rule, it is enable by default. In some cases, it is useful to +just disable the rule, rather than removing it. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> disable + + Command for disabling a rule but keep it in the configuration. + +Matching criteria +================= + +There are a lot of matching criteria against which the package can be tested. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + connection-status nat [destination | source] + + Match criteria based on nat connection status. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + connection-mark <1-2147483647> + + Match criteria based on connection mark. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source address [address | addressrange | CIDR] + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination address [address | addressrange | CIDR] + + Match criteria based on source and/or destination address. This is similar + to the network groups part, but here you are able to negate the matching + addresses. + + .. code-block:: none + + set firewall ipv6 name FOO rule 100 source address 2001:db8::202 + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source address-mask [address] + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination address-mask [address] + + An arbitrary netmask can be applied to mask addresses to only match against + a specific portion. This is particularly useful with IPv6 as rules will + remain valid if the IPv6 prefix changes and the host + portion of systems IPv6 address is static (for example, with SLAAC or + `tokenised IPv6 addresses + <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) + + This functions for both individual addresses and address groups. + + .. code-block:: none + + # Match any IPv6 address with the suffix ::0000:0000:0000:beef + set firewall ipv6 forward filter rule 100 destination address ::beef + set firewall ipv6 forward filter rule 100 destination address-mask ::ffff:ffff:ffff:ffff + # Address groups + set firewall group ipv6-address-group WEBSERVERS address ::1000 + set firewall group ipv6-address-group WEBSERVERS address ::2000 + set firewall ipv6 forward filter rule 200 source group address-group WEBSERVERS + set firewall ipv6 forward filter rule 200 source address-mask ::ffff:ffff:ffff:ffff + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination fqdn <fqdn> + + Specify a Fully Qualified Domain Name as source/destination matcher. Ensure + router is able to resolve such dns query. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source geoip country-code <country> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination geoip country-code <country> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source geoip inverse-match + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination geoip inverse-match + + Match IP addresses based on its geolocation. More info: `geoip matching + <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. + Use inverse-match to match anything except the given country-codes. + +Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, +permits redistribution so we can include a database in images(~3MB +compressed). Includes cron script (manually callable by op-mode update +geoip) to keep database and rules updated. + + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source mac-address <mac-address> + + Only in the source criteria, you can specify a mac-address. + + .. code-block:: none + + set firewall ipv6 input filter rule 100 source mac-address 00:53:00:11:22:33 + set firewall ipv6 input filter rule 101 source mac-address !00:53:00:aa:12:34 + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source port [1-65535 | portname | start-end] + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination port [1-65535 | portname | start-end] + + A port can be set with a port number or a name which is here + defined: ``/etc/services``. + + .. code-block:: none + + set firewall ipv6 forward filter rule 10 source port '22' + set firewall ipv6 forward filter rule 11 source port '!http' + set firewall ipv6 forward filter rule 12 source port 'https' + + Multiple source ports can be specified as a comma-separated list. + The whole list can also be "negated" using ``!``. For example: + + .. code-block:: none + + set firewall ipv6 forward filter rule 10 source port '!22,https,3333-3338' + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group address-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group address-group <name | !name> + + Use a specific address-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group network-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group network-group <name | !name> + + Use a specific network-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group port-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group port-group <name | !name> + + Use a specific port-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group domain-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group domain-group <name | !name> + + Use a specific domain-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group mac-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group mac-group <name | !name> + + Use a specific mac-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + dscp [0-63 | start-end] + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + dscp-exclude [0-63 | start-end] + + Match based on dscp value. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + fragment [match-frag | match-non-frag] + + Match based on fragment criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + icmpv6 [code | type] <0-255> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + icmpv6 [code | type] <0-255> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + icmpv6 [code | type] <0-255> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + icmpv6 [code | type] <0-255> + + Match based on icmp|icmpv6 code and type. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + icmpv6 type-name <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + icmpv6 type-name <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + icmpv6 type-name <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + icmpv6 type-name <text> + + Match based on icmpv6 type-name criteria. Use tab for information + about what **type-name** criteria are supported. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + inbound-interface name <iface> + + Match based on inbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + inbound-interface group <iface_group> + + Match based on inbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + outbound-interface name <iface> + + Match based on outbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + outbound-interface group <iface_group> + + Match based on outbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + ipsec [match-ipsec | match-none] + + Match based on ipsec criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + limit burst <0-4294967295> + + Match based on the maximum number of packets to allow in excess of rate. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + limit rate <text> + + Match based on the maximum average rate, specified as **integer/unit**. + For example **5/minutes** + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + packet-length <text> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + packet-length-exclude <text> + + Match based on packet length criteria. Multiple values from 1 to 65535 + and ranges are supported. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + packet-type [broadcast | host | multicast | other] + + Match based on packet type criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] + + Match a protocol criteria. A protocol number or a name which is here + defined: ``/etc/protocols``. + Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp + based packets. The ``!`` negate the selected protocol. + + .. code-block:: none + + set firewall ipv6 input filter rule 10 protocol tcp + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + recent time [second | minute | hour] + + Match bases on recently seen sources. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + tcp flags [not] <text> + + Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, + ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for + inverted selection use ``not``, as shown in the example. + + .. code-block:: none + + set firewall ipv6 input filter rule 10 tcp flags 'ack' + set firewall ipv6 input filter rule 12 tcp flags 'syn' + set firewall ipv6 input filter rule 13 tcp flags not 'fin' + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + state [established | invalid | new | related] [enable | disable] + + Match against the state of a packet. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time weekdays <text> + + Time to match the defined rule. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + hop-limit <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + hop-limit <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + hop-limit <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + hop-limit <eq | gt | lt> <0-255> + + Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for + 'greater than', and 'lt' stands for 'less than'. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + recent time <second | minute | hour> + + Match when 'count' amount of connections are seen within 'time'. These + matching criteria can be used to block brute-force attempts. + +******** +Synproxy +******** +Synproxy connections + +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> action synproxy +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> protocol tcp +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> + + Set TCP-MSS (maximum segment size) for the connection + +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> + + Set the window scale factor for TCP window scaling + +Example synproxy +================ +Requirements to enable synproxy: + + * Traffic must be symmetric + * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled + * Disable conntrack loose track option + +.. code-block:: none + + set system sysctl parameter net.ipv4.tcp_timestamps value '1' + + set system conntrack tcp loose disable + set system conntrack ignore ipv6 rule 10 destination port '8080' + set system conntrack ignore ipv6 rule 10 protocol 'tcp' + set system conntrack ignore ipv6 rule 10 tcp flags syn + + set firewall global-options syn-cookies 'enable' + set firewall ipv6 input filter rule 10 action 'synproxy' + set firewall ipv6 input filter rule 10 destination port '8080' + set firewall ipv6 input filter rule 10 inbound-interface interface-name 'eth1' + set firewall ipv6 input filter rule 10 protocol 'tcp' + set firewall ipv6 input filter rule 10 synproxy tcp mss '1460' + set firewall ipv6 input filter rule 10 synproxy tcp window-scale '7' + set firewall ipv6 input filter rule 1000 action 'drop' + set firewall ipv6 input filter rule 1000 state invalid 'enable' + +*********************** +Operation-mode Firewall +*********************** + +Rule-set overview +================= + +.. opcmd:: show firewall + + This will show you a basic firewall overview + + .. code-block:: none + + vyos@vyos:~$ show firewall + Rulesets Information + + --------------------------------- + IPv4 Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------------------- + 5 jump all 0 0 iifname "eth1" jump NAME_VyOS_MANAGEMENT + 10 jump all 0 0 oifname "eth1" jump NAME_WAN_IN + 15 jump all 0 0 iifname "eth3" jump NAME_WAN_IN + default accept all + + --------------------------------- + IPv4 Firewall "name VyOS_MANAGEMENT" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- -------------------------------- + 5 accept all 0 0 ct state established accept + 10 drop all 0 0 ct state invalid + 20 accept all 0 0 ip saddr @A_GOOD_GUYS accept + 30 accept all 0 0 ip saddr @N_ENTIRE_RANGE accept + 40 accept all 0 0 ip saddr @A_VyOS_SERVERS accept + 50 accept icmp 0 0 meta l4proto icmp accept + default drop all 0 0 + + --------------------------------- + IPv6 Firewall "forward filter" + + Rule Action Protocol + ------- -------- ---------- + 5 jump all + 10 jump all + 15 jump all + default accept all + + --------------------------------- + IPv6 Firewall "input filter" + + Rule Action Protocol + ------- -------- ---------- + 5 jump all + default accept all + + --------------------------------- + IPv6 Firewall "ipv6_name IPV6-VyOS_MANAGEMENT" + + Rule Action Protocol + ------- -------- ---------- + 5 accept all + 10 drop all + 20 accept all + 30 accept all + 40 accept all + 50 accept ipv6-icmp + default drop all + +.. opcmd:: show firewall summary + + This will show you a summary of rule-sets and groups + + .. code-block:: none + + vyos@vyos:~$ show firewall summary + Ruleset Summary + + IPv6 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- -------------------- ------------------------- + forward filter + input filter + ipv6_name IPV6-VyOS_MANAGEMENT + ipv6_name IPV6-WAN_IN PUBLIC_INTERNET + + IPv4 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- ------------------ ------------------------- + forward filter + input filter + name VyOS_MANAGEMENT + name WAN_IN PUBLIC_INTERNET + + Firewall Groups + + Name Type References Members + ----------------------- ------------------ ----------------------- ---------------- + PBX address_group WAN_IN-100 198.51.100.77 + SERVERS address_group WAN_IN-110 192.0.2.10 + WAN_IN-111 192.0.2.11 + WAN_IN-112 192.0.2.12 + WAN_IN-120 + WAN_IN-121 + WAN_IN-122 + SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2 + WAN_IN-20 + PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2 + PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2 + WAN_IN-171 + PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1 + SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2 + IPV6-WAN_IN-111 2001:db8::3 + IPV6-WAN_IN-112 2001:db8::4 + IPV6-WAN_IN-120 + IPV6-WAN_IN-121 + IPV6-WAN_IN-122 + SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5 + IPV6-WAN_IN-20 + + +.. opcmd:: show firewall ipv6 [forward | input | output] filter + +.. opcmd:: show firewall ipv4 name <name> + +.. opcmd:: show firewall ipv6 ipv6-name <name> + + This command will give an overview of a single rule-set. + + .. code-block:: none + + vyos@vyos:~$ show firewall ipv4 input filter + Ruleset Information + + --------------------------------- + IPv4 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------------------- + 5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT + default accept all + +.. opcmd:: show firewall ipv6 [forward | input | output] + filter rule <1-999999> + +.. opcmd:: show firewall ipv4 name <name> rule <1-999999> + +.. opcmd:: show firewall ipv6 ipv6-name <name> rule <1-999999> + + This command will give an overview of a rule in a single rule-set + +.. opcmd:: show firewall group <name> + + Overview of defined groups. You see the type, the members, and where the + group is used. + + .. code-block:: none + + vyos@vyos:~$ show firewall group LAN + Firewall Groups + + Name Type References Members + ------------ ------------------ ----------------------- ---------------- + LAN ipv6_network_group IPV6-VyOS_MANAGEMENT-30 2001:db8::0/64 + IPV6-WAN_IN-30 + LAN network_group VyOS_MANAGEMENT-30 192.168.200.0/24 + WAN_IN-30 + + +.. opcmd:: show firewall statistics + + This will show you a statistic of all rule-sets since the last boot. + +Show Firewall log +================= + +.. opcmd:: show log firewall +.. opcmd:: show log firewall ipv6 +.. opcmd:: show log firewall ipv6 [forward | input | output | name] +.. opcmd:: show log firewall ipv6 [forward | input | output] filter +.. opcmd:: show log firewall ipv6 name <name> +.. opcmd:: show log firewall ipv6 [forward | input | output] filter rule <rule> +.. opcmd:: show log firewall ipv6 name <name> rule <rule> + + Show the logs of all firewall; show all ipv6 firewall logs; show all logs + for particular hook; show all logs for particular hook and priority; show all logs + for particular custom chain; show logs for specific Rule-Set. + +Example Partial Config +====================== + +.. code-block:: none + + firewall { + group { + network-group BAD-NETWORKS { + network 198.51.100.0/24 + network 203.0.113.0/24 + } + network-group GOOD-NETWORKS { + network 192.0.2.0/24 + } + port-group BAD-PORTS { + port 65535 + } + } + ipv4 { + forward { + filter { + default-action accept + rule 5 { + action accept + source { + group { + network-group GOOD-NETWORKS + } + } + } + rule 10 { + action drop + description "Bad Networks" + protocol all + source { + group { + network-group BAD-NETWORKS + } + } + } + } + } + } + } + +Update geoip database +===================== + +.. opcmd:: update geoip + + Command used to update GeoIP database and firewall sets. diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index 38869c32..1ab9c630 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst @@ -1,25 +1,44 @@ -:lastproofread: 2022-09-14 +:lastproofread: 2023-11-01 .. _firewall-zone: -################################ -Zone Based Firewall (Deprecated) -################################ +################### +Zone Based Firewall +################### + +******** +Overview +******** .. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall - structure can be found on all vyos instalations, and zone based firewall is - no longer supported. Documentation for most of the new firewall CLI can be + structure can be found on all vyos instalations. Zone based firewall was + removed in that version, but re introduced in VyOS 1.4 and 1.5. All + versions built after 2023-10-22 has this feature. + Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before - 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` - chapter. The examples in this section use the legacy firewall configuration - commands, since this feature has been removed in earlier releases. - -.. note:: For latest releases, refer the `firewall (interface-groups) - <https://docs.vyos.io/en/latest/configuration/firewall/general.html#interface-groups>`_ - main page to configure zone based rules. New syntax was introduced here - :vytask:`T5160` + 1.4-rolling-202308040557 and can be found in the + :doc:`legacy firewall configuration </configuration/firewall/general-legacy>` + chapter. + +In this section there's useful information of all firewall configuration that +is needed for zone-based firewall. +Configuration commands covered in this section: + +.. cfgcmd:: set firewall zone ... + +From main structure defined in +:doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * zone + - custom_zone_name + + ... In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst index 2f20e783..7f06faa8 100644 --- a/docs/configuration/highavailability/index.rst +++ b/docs/configuration/highavailability/index.rst @@ -450,7 +450,7 @@ Port "0" is required if multiple ports are used. set high-availability virtual-server vyos real-server 192.0.2.12 health-check script '/config/scripts/check-real-server-second.sh' set high-availability virtual-server vyos real-server 192.0.2.12 port '0' - set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 outbound-interface name 'eth0' set nat source rule 100 source address '192.0.2.0/24' set nat source rule 100 translation address 'masquerade' diff --git a/docs/configuration/interfaces/openvpn.rst b/docs/configuration/interfaces/openvpn.rst index 70161e1e..d92ac080 100644 --- a/docs/configuration/interfaces/openvpn.rst +++ b/docs/configuration/interfaces/openvpn.rst @@ -71,7 +71,7 @@ In both cases, we will use the following settings: dynamic IP for our remote router. Setting up certificates ------------------------ +======================= Setting up a full-blown PKI with a CA certificate would arguably defeat the purpose of site-to-site OpenVPN, since its main goal is supposed to be configuration simplicity, @@ -129,7 +129,7 @@ Note: certificate names don't matter, we use 'openvpn-local' and 'openvpn-remote Repeat the procedure on the other router. Setting up OpenVPN ------------------- +================== Local Configuration: @@ -166,7 +166,7 @@ Remote Configuration: on the local router Pre-shared keys ---------------- +=============== Until VyOS 1.4, the only option for site-to-site OpenVPN without PKI was to use pre-shared keys. That option is still available but it is deprecated and will be removed in the future. diff --git a/docs/configuration/interfaces/vxlan.rst b/docs/configuration/interfaces/vxlan.rst index 2cb0b2f1..af00fdec 100644 --- a/docs/configuration/interfaces/vxlan.rst +++ b/docs/configuration/interfaces/vxlan.rst @@ -67,15 +67,36 @@ VXLAN specific options Source IP address used for VXLAN underlay. This is mandatory when using VXLAN via L2VPN/EVPN. -.. cfgcmd:: set interfaces vxlan <interface> external +.. cfgcmd:: set interfaces vxlan <interface> gpe + + Enables the Generic Protocol extension (VXLAN-GPE). Currently, this is only + supported together with the external keyword. + +.. cfgcmd:: set interfaces vxlan <interface> parameters external Specifies whether an external control plane (e.g. BGP L2VPN/EVPN) or the internal FDB should be used. -.. cfgcmd:: set interfaces vxlan <interface> gpe +.. cfgcmd:: set interfaces vxlan <interface> parameters neighbor-suppress - Eenables the Generic Protocol extension (VXLAN-GPE). Currently, this is only - supported together with the external keyword. + In order to minimize the flooding of ARP and ND messages in the VXLAN network, + EVPN includes provisions :rfc:`7432#section-10` that allow participating VTEPs + to suppress such messages in case they know the MAC-IP binding and can reply + on behalf of the remote host. + +.. cfgcmd:: set interfaces vxlan <interface> parameters nolearning + + Specifies if unknown source link layer addresses and IP addresses are entered + into the VXLAN device forwarding database. + +.. cfgcmd:: set interfaces vxlan <interface> parameters vni-filter + + Specifies whether the VXLAN device is capable of vni filtering. + + Only works with a VXLAN device with external flag set. + + .. note:: The device can only receive packets with VNIs configured in + the VNI filtering table. Unicast ^^^^^^^ @@ -155,7 +176,7 @@ interface is no longer required for each VNI. .. code-block:: none set interfaces bridge br0 member interface vxlan0 - set interfaces vxlan vxlan0 external + set interfaces vxlan vxlan0 parameters external set interfaces vxlan vxlan0 source-interface 'dum0' set interfaces vxlan vxlan0 vlan-to-vni 10 vni '10010' set interfaces vxlan vxlan0 vlan-to-vni 11 vni '10011' diff --git a/docs/configuration/interfaces/wireguard.rst b/docs/configuration/interfaces/wireguard.rst index 8b829b64..885720e1 100644 --- a/docs/configuration/interfaces/wireguard.rst +++ b/docs/configuration/interfaces/wireguard.rst @@ -222,7 +222,7 @@ firewall exception. set firewall ipv4 name OUTSIDE_LOCAL rule 20 protocol udp set firewall ipv4 name OUTSIDE_LOCAL rule 20 source -You should also ensure that the OUTISDE_LOCAL firewall group is applied to the +You should also ensure that the OUTSIDE_LOCAL firewall group is applied to the WAN interface and a direction (local). .. code-block:: none @@ -413,7 +413,7 @@ the VyOS CLI. into the VyOS CLI if needed. The supplied ``<name>`` on the CLI will become the peer name in the snippet. - In addition you will specifiy the IP address or FQDN for the client where it + In addition you will specify the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address. diff --git a/docs/configuration/interfaces/wireless.rst b/docs/configuration/interfaces/wireless.rst index e853a1ec..df153763 100644 --- a/docs/configuration/interfaces/wireless.rst +++ b/docs/configuration/interfaces/wireless.rst @@ -562,6 +562,7 @@ The WAP in this example has the following characteristics: set interfaces wireless wlan0 security wpa mode wpa2 set interfaces wireless wlan0 security wpa cipher CCMP set interfaces wireless wlan0 security wpa passphrase '12345678' + set interfaces wireless wlan0 country-code de Resulting in @@ -572,6 +573,7 @@ Resulting in wireless wlan0 { address 192.168.2.1/24 channel 1 + country-code de mode n security { wpa { diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst index c660f8f4..98b230a9 100644 --- a/docs/configuration/nat/nat44.rst +++ b/docs/configuration/nat/nat44.rst @@ -148,23 +148,35 @@ rule. * **outbound-interface** - applicable only to :ref:`source-nat`. It configures the interface which is used for the outside traffic that - this translation rule applies to. + this translation rule applies to. Interface groups, inverted + selection and wildcard, are also supported. - Example: + Examples: .. code-block:: none - set nat source rule 20 outbound-interface eth0 + set nat source rule 20 outbound-interface name eth0 + set nat source rule 30 outbound-interface name bond1* + set nat source rule 20 outbound-interface name !vtun2 + set nat source rule 20 outbound-interface group GROUP1 + set nat source rule 20 outbound-interface group !GROUP2 + * **inbound-interface** - applicable only to :ref:`destination-nat`. It configures the interface which is used for the inside traffic the - translation rule applies to. + translation rule applies to. Interface groups, inverted + selection and wildcard, are also supported. Example: .. code-block:: none - set nat destination rule 20 inbound-interface eth1 + set nat destination rule 20 inbound-interface name eth0 + set nat destination rule 30 inbound-interface name bond1* + set nat destination rule 20 inbound-interface name !vtun2 + set nat destination rule 20 inbound-interface group GROUP1 + set nat destination rule 20 inbound-interface group !GROUP2 + * **protocol** - specify which types of protocols this translation rule applies to. Only packets matching the specified protocol are NATed. @@ -323,7 +335,7 @@ demonstrate the following configuration: .. code-block:: none - set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 outbound-interface name 'eth0' set nat source rule 100 source address '192.168.0.0/24' set nat source rule 100 translation address 'masquerade' @@ -332,7 +344,9 @@ Which generates the following configuration: .. code-block:: none rule 100 { - outbound-interface eth0 + outbound-interface { + name eth0 + } source { address 192.168.0.0/24 } @@ -424,19 +438,19 @@ Example: set nat destination rule 100 description 'Regular destination NAT from external' set nat destination rule 100 destination port '3389' - set nat destination rule 100 inbound-interface 'pppoe0' + set nat destination rule 100 inbound-interface name 'pppoe0' set nat destination rule 100 protocol 'tcp' set nat destination rule 100 translation address '192.0.2.40' set nat destination rule 110 description 'NAT Reflection: INSIDE' set nat destination rule 110 destination port '3389' - set nat destination rule 110 inbound-interface 'eth0.10' + set nat destination rule 110 inbound-interface name 'eth0.10' set nat destination rule 110 protocol 'tcp' set nat destination rule 110 translation address '192.0.2.40' set nat source rule 110 description 'NAT Reflection: INSIDE' set nat source rule 110 destination address '192.0.2.0/24' - set nat source rule 110 outbound-interface 'eth0.10' + set nat source rule 110 outbound-interface name 'eth0.10' set nat source rule 110 protocol 'tcp' set nat source rule 110 source address '192.0.2.0/24' set nat source rule 110 translation address 'masquerade' @@ -452,7 +466,9 @@ Which results in a configuration of: destination { port 3389 } - inbound-interface pppoe0 + inbound-interface { + name pppoe0 + } protocol tcp translation { address 192.0.2.40 @@ -463,7 +479,9 @@ Which results in a configuration of: destination { port 3389 } - inbound-interface eth0.10 + inbound-interface { + name eth0.10 + } protocol tcp translation { address 192.0.2.40 @@ -476,7 +494,9 @@ Which results in a configuration of: destination { address 192.0.2.0/24 } - outbound-interface eth0.10 + outbound-interface { + name eth0.10 + } protocol tcp source { address 192.0.2.0/24 @@ -515,7 +535,7 @@ Our configuration commands would be: set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100' set nat destination rule 10 destination port '80' - set nat destination rule 10 inbound-interface 'eth0' + set nat destination rule 10 inbound-interface name 'eth0' set nat destination rule 10 protocol 'tcp' set nat destination rule 10 translation address '192.168.0.100' @@ -530,7 +550,9 @@ Which would generate the following NAT destination configuration: destination { port 80 } - inbound-interface eth0 + inbound-interface { + name eth0 + } protocol tcp translation { address 192.168.0.100 @@ -546,43 +568,45 @@ Which would generate the following NAT destination configuration: This establishes our Port Forward rule, but if we created a firewall policy it will likely block the traffic. -It is important to note that when creating firewall rules that the DNAT +Firewall rules for Destination NAT +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +It is important to note that when creating firewall rules, the DNAT translation occurs **before** traffic traverses the firewall. In other words, the destination address has already been translated to 192.168.0.100. -So in our firewall policy, we want to allow traffic coming in on the -outside interface, destined for TCP port 80 and the IP address of -192.168.0.100. +So in our firewall ruleset, we want to allow traffic which previously matched +a destination nat rule. In order to avoid creating many rules, one for each +destination nat rule, we can accept all **'dnat'** connections with one simple +rule, using ``connection-status`` matcher: .. code-block:: none - set firewall name OUTSIDE-IN rule 20 action 'accept' - set firewall name OUTSIDE-IN rule 20 destination address '192.168.0.100' - set firewall name OUTSIDE-IN rule 20 destination port '80' - set firewall name OUTSIDE-IN rule 20 protocol 'tcp' - set firewall name OUTSIDE-IN rule 20 state new 'enable' + set firewall ipv4 forward filter rule 10 action accept + set firewall ipv4 forward filter rule 10 connection-status nat destination + set firewall ipv4 forward filter rule 10 state new enable This would generate the following configuration: .. code-block:: none - rule 20 { - action accept - destination { - address 192.168.0.100 - port 80 - } - protocol tcp - state { - new enable + ipv4 { + forward { + filter { + rule 10 { + action accept + connection-status { + nat destination + } + state { + new enable + } + } + } } } -.. note:: - - If you have configured the `INSIDE-OUT` policy, you will need to add - additional rules to permit inbound NAT traffic. 1-to-1 NAT ---------- @@ -610,10 +634,10 @@ and one external interface: set interfaces ethernet eth1 description 'Outside interface' set nat destination rule 2000 description '1-to-1 NAT example' set nat destination rule 2000 destination address '192.0.2.30' - set nat destination rule 2000 inbound-interface 'eth1' + set nat destination rule 2000 inbound-interface name 'eth1' set nat destination rule 2000 translation address '192.168.1.10' set nat source rule 2000 description '1-to-1 NAT example' - set nat source rule 2000 outbound-interface 'eth1' + set nat source rule 2000 outbound-interface name 'eth1' set nat source rule 2000 source address '192.168.1.10' set nat source rule 2000 translation address '192.0.2.30' @@ -639,7 +663,7 @@ We will use source and destination address for hash generation. .. code-block:: none - set nat destination rule 10 inbound-interface eth0 + set nat destination rule 10 inbound-interface name eth0 set nat destination rule 10 protocol tcp set nat destination rule 10 destination port 80 set nat destination rule 10 load-balance hash source-address @@ -655,7 +679,7 @@ We will generate the hash randomly. .. code-block:: none - set nat source rule 10 outbound-interface eth0 + set nat source rule 10 outbound-interface name eth0 set nat source rule 10 source address 10.0.0.0/8 set nat source rule 10 load-balance hash random set nat source rule 10 load-balance backend 192.0.2.251 weight 33 @@ -709,12 +733,10 @@ NAT Configuration set nat source rule 110 description 'Internal to ASP' set nat source rule 110 destination address '172.27.1.0/24' - set nat source rule 110 outbound-interface 'any' set nat source rule 110 source address '192.168.43.0/24' set nat source rule 110 translation address '172.29.41.89' set nat source rule 120 description 'Internal to ASP' set nat source rule 120 destination address '10.125.0.0/16' - set nat source rule 120 outbound-interface 'any' set nat source rule 120 source address '192.168.43.0/24' set nat source rule 120 translation address '172.29.41.89' diff --git a/docs/configuration/nat/nat66.rst b/docs/configuration/nat/nat66.rst index 93dd3353..66cceb0a 100644 --- a/docs/configuration/nat/nat66.rst +++ b/docs/configuration/nat/nat66.rst @@ -82,7 +82,7 @@ Example: .. code-block:: none - set nat66 source rule 1 outbound-interface 'eth0' + set nat66 source rule 1 outbound-interface name 'eth0' set nat66 source rule 1 source prefix 'fc01::/64' set nat66 source rule 1 translation address 'fc00::/64' @@ -101,7 +101,7 @@ Example: .. code-block:: none - set nat66 destination rule 1 inbound-interface 'eth0' + set nat66 destination rule 1 inbound-interface name 'eth0' set nat66 destination rule 1 destination address 'fc00::/64' set nat66 destination rule 1 translation address 'fc01::/64' @@ -122,9 +122,9 @@ R1: set interfaces ethernet eth0 ipv6 address autoconf set interfaces ethernet eth1 address 'fc01::1/64' set nat66 destination rule 1 destination address 'fc00:470:f1cd:101::/64' - set nat66 destination rule 1 inbound-interface 'eth0' + set nat66 destination rule 1 inbound-interface name 'eth0' set nat66 destination rule 1 translation address 'fc01::/64' - set nat66 source rule 1 outbound-interface 'eth0' + set nat66 source rule 1 outbound-interface name 'eth0' set nat66 source rule 1 source prefix 'fc01::/64' set nat66 source rule 1 translation address 'fc00:470:f1cd:101::/64' diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst index e83272f5..66ad84a3 100644 --- a/docs/configuration/pki/index.rst +++ b/docs/configuration/pki/index.rst @@ -148,11 +148,11 @@ WireGuard ``interface`` is used for the VyOS CLI command to identify the WireGuard interface where this private key is to be used. -.. opcmd:: generate pki wireguard pre-shared-key +.. opcmd:: generate pki wireguard preshared-key Generate a WireGuard pre-shared secret used for peers to communicate. -.. opcmd:: generate pki wireguard pre-shared-key install <peer> +.. opcmd:: generate pki wireguard preshared-key install <peer> Generate a WireGuard pre-shared secret used for peers to communicate. diff --git a/docs/configuration/policy/route-map.rst b/docs/configuration/policy/route-map.rst index 9fe1eef7..07cfcf02 100644 --- a/docs/configuration/policy/route-map.rst +++ b/docs/configuration/policy/route-map.rst @@ -318,10 +318,12 @@ Route Map Set BGP local preference attribute. .. cfgcmd:: set policy route-map <text> rule <1-65535> set metric - <+/-metric|0-4294967295> + <+/-metric|0-4294967295|rtt|+rtt|-rtt> - Set destination routing protocol metric. Add or subtract metric, or set - metric value. + Set the route metric. When used with BGP, set the BGP attribute MED + to a specific value. Use ``+/-`` to add or subtract the specified value + to/from the existing/MED. Use ``rtt`` to set the MED to the round trip + time or ``+rtt/-rtt`` to add/subtract the round trip time to/from the MED. .. cfgcmd:: set policy route-map <text> rule <1-65535> set metric-type <type-1|type-2> diff --git a/docs/configuration/protocols/igmp-proxy.rst b/docs/configuration/protocols/igmp-proxy.rst new file mode 100644 index 00000000..f62a289e --- /dev/null +++ b/docs/configuration/protocols/igmp-proxy.rst @@ -0,0 +1,77 @@ +:lastproofread: 2023-11-13 + +.. _igmp_proxy: + +########## +IGMP Proxy +########## + +:abbr:`IGMP (Internet Group Management Protocol)` proxy sends IGMP host messages +on behalf of a connected client. The configuration must define one, and only one +upstream interface, and one or more downstream interfaces. + +Configuration +============= + +.. cfgcmd:: set protocols igmp-proxy interface <interface> role + <upstream | downstream> + + * **upstream:** The upstream network interface is the outgoing interface + which is responsible for communicating to available multicast data sources. + There can only be one upstream interface. + + * **downstream:** Downstream network interfaces are the distribution + interfaces to the destination networks, where multicast clients can join + groups and receive multicast data. One or more downstream interfaces must + be configured. + +.. cfgcmd:: set protocols igmp-proxy interface <interface> alt-subnet <network> + + Defines alternate sources for multicasting and IGMP data. The network address + must be on the following format 'a.b.c.d/n'. By default, the router will + accept data from sources on the same network as configured on an interface. + If the multicast source lies on a remote network, one must define from where + traffic should be accepted. + + This is especially useful for the upstream interface, since the source for + multicast traffic is often from a remote location. + + This option can be supplied multiple times. + +.. cfgcmd:: set protocols igmp-proxy disable-quickleave + + Disables quickleave mode. In this mode the daemon will not send a Leave IGMP + message upstream as soon as it receives a Leave message for any downstream + interface. The daemon will not ask for Membership reports on the downstream + interfaces, and if a report is received the group is not joined again the + upstream. + + If it's vital that the daemon should act exactly like a real multicast client + on the upstream interface, this function should be enabled. + + Enabling this function increases the risk of bandwidth saturation. + +.. cfgcmd:: set protocols igmp-proxy disable + + Disable this service. + +.. _igmp:proxy_example: + +Example +------- + +Interface `eth1` LAN is behind NAT. In order to subscribe `10.0.0.0/23` subnet +multicast which is in `eth0` WAN we need to configure igmp-proxy. + +.. code-block:: none + + set protocols igmp-proxy interface eth0 role upstream + set protocols igmp-proxy interface eth0 alt-subnet 10.0.0.0/23 + set protocols igmp-proxy interface eth1 role downstream + +Operation +========= + +.. opcmd:: restart igmp-proxy + + Restart the IGMP proxy process. diff --git a/docs/configuration/protocols/igmp.rst b/docs/configuration/protocols/igmp.rst deleted file mode 100644 index d3492632..00000000 --- a/docs/configuration/protocols/igmp.rst +++ /dev/null @@ -1,249 +0,0 @@ -:lastproofread: 2023-01-27 - -.. _multicast: - -######### -Multicast -######### - -VyOS facilitates IP Multicast by supporting **PIM Sparse Mode**, -**IGMP** and **IGMP-Proxy**. - -************ -PIM and IGMP -************ - -PIM (Protocol Independent Multicast) must be configured in every -interface of every participating router. Every router must also have the -location of the Rendevouz Point manually configured. Then, -unidirectional shared trees rooted at the Rendevouz Point will -automatically be built for multicast distribution. - -Traffic from multicast sources will go to the Rendezvous Point, and -receivers will pull it from a shared tree using IGMP (Internet Group -Management Protocol). - -Multicast receivers will talk IGMP to their local router, so, besides -having PIM configured in every router, IGMP must also be configured in -any router where there could be a multicast receiver locally connected. - -VyOS supports both IGMP version 2 and version 3 (which allows -source-specific multicast). - - -Example -======= - -In the following example we can see a basic multicast setup: - -.. image:: /_static/images/multicast-basic.png - :width: 90% - :align: center - :alt: Network Topology Diagram - - - -**Router 1** - -.. code-block:: none - - set interfaces ethernet eth2 address '172.16.0.2/24' - set interfaces ethernet eth1 address '100.64.0.1/24' - set protocols ospf area 0 network '172.16.0.0/24' - set protocols ospf area 0 network '100.64.0.0/24' - set protocols igmp interface eth1 - set protocols pim interface eth1 - set protocols pim interface eth2 - set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' - -**Router 3** - -.. code-block:: none - - set interfaces dummy dum0 address '172.16.255.1/24' - set interfaces ethernet eth0 address '172.16.0.1/24' - set interfaces ethernet eth1 address '172.16.1.1/24' - set protocols ospf area 0 network '172.16.0.0/24' - set protocols ospf area 0 network '172.16.255.0/24' - set protocols ospf area 0 network '172.16.1.0/24' - set protocols pim interface dum0 - set protocols pim interface eth0 - set protocols pim interface eth1 - set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' - -**Router 2** - -.. code-block:: none - - set interfaces ethernet eth1 address '10.0.0.1/24' - set interfaces ethernet eth2 address '172.16.1.2/24' - set protocols ospf area 0 network '10.0.0.0/24' - set protocols ospf area 0 network '172.16.1.0/24' - set protocols pim interface eth1 - set protocols pim interface eth2 - set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' - - - - - -Basic commands -============== - -These are the commands for a basic setup. - -.. cfgcmd:: set protocols pim interface <interface-name> - - Use this command to enable PIM in the selected interface so that it - can communicate with PIM neighbors. - - -.. cfgcmd:: set protocols pim rp address <address> group - <multicast-address/mask-bits> - - Use this command to manually configure a Rendezvous Point for PIM so - that join messages can be sent there. Set the Rendevouz Point address - and the matching prefix of group ranges covered. These values must - be shared with every router participating in the PIM network. - - -.. cfgcmd:: set protocols igmp interface eth1 - - Use this command to configure an interface with IGMP so that PIM can - receive IGMP reports and query on the selected interface. By default - IGMP version 3 will be used. - - - -Tuning commands -=============== - -You can also tune multicast with the following commands. - -.. cfgcmd:: set protocols pim interface <interface> dr-priority <value> - - Use this PIM command in the selected interface to set the priority - (1-4294967295) you want to influence in the election of a node to - become the Designated Router for a LAN segment. The default priority - is 1, set a higher value to give the router more preference in the - DR election process. - - -.. cfgcmd:: set protocols pim int <interface> hello <seconds> - - Use this command to configure the PIM hello interval in seconds - (1-180) for the selected interface. - - -.. cfgcmd:: set protocols pim rp keep-alive-timer <seconds> - - Use this PIM command to modify the time out value (31-60000 - seconds) for an `(S,G) <https://tools.ietf.org/html/rfc7761#section-4.1>`_ - flow. 31 seconds is chosen for a lower bound as some hardware - platforms cannot see data flowing in better than 30 seconds chunks. - - -.. cfgcmd:: set protocols igmp interface <interface> join <multicast-address> - source <IP-address> - - Use this command to allow the selected interface to join a multicast - group defining the multicast address you want to join and the source - IP address too. - - -.. cfgcmd:: set protocols igmp interface <interface> query-interval <seconds> - - Use this command to configure in the selected interface the IGMP - host query interval (1-1800) in seconds that PIM will use. - - -.. cfgcmd:: set protocols igmp interface <interface> query-max-response-time - <deciseconds> - - Use this command to configure in the selected interface the IGMP - query response timeout value (10-250) in deciseconds. If a report is - not returned in the specified time, it will be assumed the `(S,G) or - (*,G) state <https://tools.ietf.org/html/rfc7761#section-4.1>`_ has - timed out. - - -.. cfgcmd:: set protocols igmp interface <interface> version <version-number> - - Use this command to define in the selected interface whether you - choose IGMP version 2 or 3. The default value is 3. - - - -********** -IGMP Proxy -********** - -:abbr:`IGMP (Internet Group Management Protocol)` proxy sends IGMP host messages -on behalf of a connected client. The configuration must define one, and only one -upstream interface, and one or more downstream interfaces. - -Configuration -============= - -.. cfgcmd:: set protocols igmp-proxy interface <interface> role - <upstream | downstream> - - * **upstream:** The upstream network interface is the outgoing interface - which is responsible for communicating to available multicast data sources. - There can only be one upstream interface. - - * **downstream:** Downstream network interfaces are the distribution - interfaces to the destination networks, where multicast clients can join - groups and receive multicast data. One or more downstream interfaces must - be configured. - -.. cfgcmd:: set protocols igmp-proxy interface <interface> alt-subnet <network> - - Defines alternate sources for multicasting and IGMP data. The network address - must be on the following format 'a.b.c.d/n'. By default, the router will - accept data from sources on the same network as configured on an interface. - If the multicast source lies on a remote network, one must define from where - traffic should be accepted. - - This is especially useful for the upstream interface, since the source for - multicast traffic is often from a remote location. - - This option can be supplied multiple times. - -.. cfgcmd:: set protocols igmp-proxy disable-quickleave - - Disables quickleave mode. In this mode the daemon will not send a Leave IGMP - message upstream as soon as it receives a Leave message for any downstream - interface. The daemon will not ask for Membership reports on the downstream - interfaces, and if a report is received the group is not joined again the - upstream. - - If it's vital that the daemon should act exactly like a real multicast client - on the upstream interface, this function should be enabled. - - Enabling this function increases the risk of bandwidth saturation. - -.. cfgcmd:: set protocols igmp-proxy disable - - Disable this service. - -.. _igmp:proxy_example: - -Example -------- - -Interface `eth1` LAN is behind NAT. In order to subscribe `10.0.0.0/23` subnet -multicast which is in `eth0` WAN we need to configure igmp-proxy. - -.. code-block:: none - - set protocols igmp-proxy interface eth0 role upstream - set protocols igmp-proxy interface eth0 alt-subnet 10.0.0.0/23 - set protocols igmp-proxy interface eth1 role downstream - -Operation -========= - -.. opcmd:: restart igmp-proxy - - Restart the IGMP proxy process. diff --git a/docs/configuration/protocols/index.rst b/docs/configuration/protocols/index.rst index 237608a1..ea217d3c 100644 --- a/docs/configuration/protocols/index.rst +++ b/docs/configuration/protocols/index.rst @@ -2,7 +2,6 @@ Protocols ######### - .. toctree:: :maxdepth: 1 :includehidden: @@ -11,11 +10,12 @@ Protocols bfd bgp failover - igmp + igmp-proxy isis mpls segment-routing ospf + pim pim6 rip rpki diff --git a/docs/configuration/protocols/isis.rst b/docs/configuration/protocols/isis.rst index 18a7c166..1f779d0a 100644 --- a/docs/configuration/protocols/isis.rst +++ b/docs/configuration/protocols/isis.rst @@ -302,6 +302,34 @@ Timers control the timing of the execution of SPF calculations in response to IGP events. The process described in :rfc:`8405`. +Loop Free Alternate (LFA) +------------------------- + +.. cfgcmd:: set protocols isis fast-reroute lfa remote prefix-list <name> + <level-1|level-2> + + This command enables IP fast re-routing that is part of :rfc:`5286`. + Specifically this is a prefix list which references a prefix in which + will select eligible PQ nodes for remote LFA backups. + +.. cfgcmd:: set protocols isis fast-reroute lfa local load-sharing disable + <level-1|level-2> + + This command disables the load sharing across multiple LFA backups. + +.. cfgcmd:: set protocols isis fast-reroute lfa local tiebreaker + <downstream|lowest-backup-metric|node-protecting> index <number> + <level-1|level-2> + + This command will configure a tie-breaker for multiple local LFA backups. + The lower index numbers will be processed first. + +.. cfgcmd:: set protocols isis fast-reroute lfa local priority-limit + <medium|high|critical> <level-1|level-2> + + This command will limit LFA backup computation up to the specified + prefix priority. + ******** Examples diff --git a/docs/configuration/protocols/ospf.rst b/docs/configuration/protocols/ospf.rst index e360d86a..9891c77d 100644 --- a/docs/configuration/protocols/ospf.rst +++ b/docs/configuration/protocols/ospf.rst @@ -1204,7 +1204,7 @@ Interface Configuration synchronizing process of the router's database with all neighbors. The default value is 1 seconds. The interval range is 3 to 65535. -.. _ospf:v3_redistribution_config: +.. _ospf:v3_graceful_restart: Graceful Restart ---------------- @@ -1245,6 +1245,8 @@ Graceful Restart By default, it supports both planned and unplanned outages. +.. _ospf:v3_redistribution_config: + Redistribution Configuration ---------------------------- diff --git a/docs/configuration/protocols/pim.disable b/docs/configuration/protocols/pim.disable deleted file mode 100644 index 1dd373d8..00000000 --- a/docs/configuration/protocols/pim.disable +++ /dev/null @@ -1,2 +0,0 @@ -PIM -###
\ No newline at end of file diff --git a/docs/configuration/protocols/pim.rst b/docs/configuration/protocols/pim.rst new file mode 100644 index 00000000..2e881943 --- /dev/null +++ b/docs/configuration/protocols/pim.rst @@ -0,0 +1,266 @@ +:lastproofread: 2023-11-13 + +.. _pim: + +#################################### +PIM – Protocol Independent Multicast +#################################### + +VyOS supports :abbr:`PIM-SM (PIM Sparse Mode)` as well as +:abbr:`IGMP (Internet Group Management Protocol)` v2 and v3 + +:abbr:`PIM (Protocol Independent Multicast)` must be configured in every +interface of every participating router. Every router must also have the +location of the Rendevouz Point manually configured. Then, unidirectional +shared trees rooted at the Rendevouz Point will automatically be built +for multicast distribution. + +Traffic from multicast sources will go to the Rendezvous Point, and +receivers will pull it from a shared tree using :abbr:`IGMP (Internet +Group Management Protocol)`. + +Multicast receivers will talk IGMP to their local router, so, besides +having PIM configured in every router, IGMP must also be configured in +any router where there could be a multicast receiver locally connected. + +VyOS supports both IGMP version 2 and version 3 (which allows +source-specific multicast). + +************************ +PIM-SM - PIM Sparse Mode +************************ + +.. cfgcmd:: set protocols pim ecmp + + If PIM has the a choice of ECMP nexthops for a particular + :abbr:`RPF (Reverse Path Forwarding)`, PIM will cause S,G flows to be + spread out amongst the nexthops. If this command is not specified then + the first nexthop found will be used. + +.. cfgcmd:: set protocols pim ecmp rebalance + + If PIM is using ECMP and an interface goes down, cause PIM to rebalance all + S,G flows across the remaining nexthops. If this command is not configured + PIM only modifies those S,G flows that were using the interface that went + down. + +.. cfgcmd:: set protocols pim join-prune-interval <n> + + Modify the join/prune interval that PIM uses to the new value. Time is + specified in seconds. + + The default time is 60 seconds. + + If you enter a value smaller than 60 seconds be aware that this can and + will affect convergence at scale. + +.. cfgcmd:: set protocols pim keep-alive-timer <n> + + Modify the time out value for a S,G flow from 1-65535 seconds. If choosing + a value below 31 seconds be aware that some hardware platforms cannot see + data flowing in better than 30 second chunks. + +.. cfgcmd:: set protocols pim packets <n> + + When processing packets from a neighbor process the number of packets + incoming at one time before moving on to the next task. + + The default value is 3 packets. + + This command is only useful at scale when you can possibly have a large + number of PIM control packets flowing. + +.. cfgcmd:: set protocols pim register-accept-list <prefix-list> + + When PIM receives a register packet the source of the packet will be compared + to the prefix-list specified, and if a permit is received normal processing + continues. If a deny is returned for the source address of the register packet + a register stop message is sent to the source. + +.. cfgcmd:: set protocols pim register-suppress-time <n> + + Modify the time that pim will register suppress a FHR will send register + notifications to the kernel. + +.. cfgcmd:: set protocols pim rp <address> group <group> + + In order to use PIM, it is necessary to configure a :abbr:`RP (Rendezvous Point)` + for join messages to be sent to. Currently the only methodology to do this is + via static rendezvous point commands. + + All routers in the PIM network must agree on these values. + + The first ip address is the RP's address and the second value is the matching + prefix of group ranges covered. + +.. cfgcmd:: set protocols pim rp keep-alive-timer <n> + + Modify the time out value for a S,G flow from 1-65535 seconds at + :abbr:`RP (Rendezvous Point)`. The normal keepalive period for the KAT(S,G) + defaults to 210 seconds. However, at the :abbr:`RP (Rendezvous Point)`, the + keepalive period must be at least the Register_Suppression_Time, or the RP + may time out the (S,G) state before the next Null-Register arrives. + Thus, the KAT(S,G) is set to max(Keepalive_Period, RP_Keepalive_Period) + when a Register-Stop is sent. + + If choosing a value below 31 seconds be aware that some hardware platforms + cannot see data flowing in better than 30 second chunks. + + See :rfc:`7761#section-4.1` for details. + +.. cfgcmd:: set protocols pim no-v6-secondary + + When sending PIM hello packets tell PIM to not send any v6 secondary + addresses on the interface. This information is used to allow PIM to use v6 + nexthops in it's decision for :abbr:`RPF (Reverse Path Forwarding)` lookup + if this option is not set (default). + +.. cfgcmd:: set protocols pim spt-switchover infinity-and-beyond [prefix-list <list>] + + On the last hop router if it is desired to not switch over to the SPT tree + configure this command. + + Optional parameter prefix-list can be use to control which groups to switch or + not switch. If a group is PERMIT as per the prefix-list, then the SPT switchover + does not happen for it and if it is DENY, then the SPT switchover happens. + +.. cfgcmd:: set protocols pim ssm prefix-list <list> + + Specify a range of group addresses via a prefix-list that forces PIM to never + do :abbr:`SSM (Source-Specific Multicast)` over. + +Interface specific commands +=========================== + +.. cfgcmd:: set protocols pim interface <interface> bfd [profile <name>] + + Automatically create BFD session for each RIP peer discovered in this + interface. When the BFD session monitor signalize that the link is down + the RIP peer is removed and all the learned routes associated with that + peer are removed. + + If optional profile parameter is used, select a BFD profile for the BFD + sessions created via this interface. + +.. cfgcmd:: set protocols pim interface <interface> dr-priority <n> + + Set the :abbr:`DR (Designated Router)` Priority for the interface. + This command is useful to allow the user to influence what node becomes + the DR for a LAN segment. + +.. cfgcmd:: set protocols pim interface <interface> hello <n> + + Set the PIM hello and hold interval for a interface. + +.. cfgcmd:: set protocols pim interface <interface> no-bsm + + Tell PIM that we would not like to use this interface to process + bootstrap messages. + +.. cfgcmd:: set protocols pim interface <interface> no-unicast-bsm + + Tell PIM that we would not like to use this interface to process + unicast bootstrap messages. + +.. cfgcmd:: set protocols pim interface <interface> passive + + Disable sending and receiving PIM control packets on the interface. + + .. cfgcmd:: set protocols pim interface <interface> source-address <ip-address> + + If you have multiple addresses configured on a particular interface and would + like PIM to use a specific source address associated with that interface. + +****************************************** +IGMP - Internet Group Management Protocol) +****************************************** + +.. cfgcmd:: set protocols pim igmp watermark-warning <n> + + Configure watermark warning generation for an IGMP group limit. Generates + warning once the configured group limit is reached while adding new groups. + +.. _pim:igmp_interface_commands: + +Interface specific commands +=========================== + +.. cfgcmd:: set protocols pim interface <interface> igmp + join <multicast-address> source-address <IP-address> + + Use this command to allow the selected interface to join a multicast + group defining the multicast address you want to join and the source + IP address too. + +.. cfgcmd:: set protocols pim interface <interface> igmp + query-interval <seconds> + + Use this command to configure in the selected interface the IGMP + host query interval (1-1800) in seconds that PIM will use. + +.. cfgcmd:: set protocols pim interface <interface> igmp + query-max-response-time <n> + + Use this command to configure in the selected interface the IGMP + query response timeout value (10-250) in deciseconds. If a report is + not returned in the specified time, it will be assumed the (S,G) or + (\*,G) state :rfc:`7761#section-4.1` has timed out. + +.. cfgcmd:: set protocols pim interface <interface> igmp version <version-number> + + Use this command to define in the selected interface whether you + choose IGMP version 2 or 3. + + The default value is 3. + +Example +------- + +In the following example we can see a basic multicast setup: + +.. image:: /_static/images/multicast-basic.png + :width: 90% + :align: center + :alt: Network Topology Diagram + + + +**Router 1** + +.. code-block:: none + + set interfaces ethernet eth2 address '172.16.0.2/24' + set interfaces ethernet eth1 address '100.64.0.1/24' + set protocols ospf area 0 network '172.16.0.0/24' + set protocols ospf area 0 network '100.64.0.0/24' + set protocols igmp interface eth1 + set protocols pim interface eth1 + set protocols pim interface eth2 + set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' + +**Router 3** + +.. code-block:: none + + set interfaces dummy dum0 address '172.16.255.1/24' + set interfaces ethernet eth0 address '172.16.0.1/24' + set interfaces ethernet eth1 address '172.16.1.1/24' + set protocols ospf area 0 network '172.16.0.0/24' + set protocols ospf area 0 network '172.16.255.0/24' + set protocols ospf area 0 network '172.16.1.0/24' + set protocols pim interface dum0 + set protocols pim interface eth0 + set protocols pim interface eth1 + set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' + +**Router 2** + +.. code-block:: none + + set interfaces ethernet eth1 address '10.0.0.1/24' + set interfaces ethernet eth2 address '172.16.1.2/24' + set protocols ospf area 0 network '10.0.0.0/24' + set protocols ospf area 0 network '172.16.1.0/24' + set protocols pim interface eth1 + set protocols pim interface eth2 + set protocols pim rp address 172.16.255.1 group '224.0.0.0/4' diff --git a/docs/configuration/protocols/pim6.rst b/docs/configuration/protocols/pim6.rst index 1d316cfb..2b2276a7 100644 --- a/docs/configuration/protocols/pim6.rst +++ b/docs/configuration/protocols/pim6.rst @@ -1,8 +1,8 @@ .. _pim6: -############## -IPv6 Multicast -############## +############################################## +PIM6 - Protocol Independent Multicast for IPv6 +############################################## VyOS facilitates IPv6 Multicast by supporting **PIMv6** and **MLD**. diff --git a/docs/configuration/service/dhcp-relay.rst b/docs/configuration/service/dhcp-relay.rst index e1fbe1d2..dc45d071 100644 --- a/docs/configuration/service/dhcp-relay.rst +++ b/docs/configuration/service/dhcp-relay.rst @@ -154,6 +154,8 @@ Configuration Disable dhcpv6-relay service. +.. _dhcp_relay:v6_options: + Options ------- diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst index 08b16575..eb2e30eb 100644 --- a/docs/configuration/service/https.rst +++ b/docs/configuration/service/https.rst @@ -20,28 +20,19 @@ Configuration .. cfgcmd:: set service https api debug - To enable debug messages. Available via :opcmd:`show log` or + To enable debug messages. Available via :opcmd:`show log` or :opcmd:`monitor log` -.. cfgcmd:: set service https api port - - Set the listen port of the local API, this has no effect on the - webserver. The default is port 8080 - -.. cfgcmd:: set service https api socket - - Use local socket for API - .. cfgcmd:: set service https api strict Enforce strict path checking -.. cfgcmd:: set service https virtual-host <vhost> listen-address +.. cfgcmd:: set service https virtual-host <vhost> listen-address <ipv4 or ipv6 address> Address to listen for HTTPS requests -.. cfgcmd:: set service https virtual-host <vhost> listen-port <1-65535> +.. cfgcmd:: set service https virtual-host <vhost> port <1-65535> Port to listen for HTTPS requests; default 443 @@ -91,6 +82,6 @@ To use this full configuration we asume a public accessible hostname. set service https certificates certbot domain-name rtr01.example.com set service https certificates certbot email mail@example.com set service https virtual-host rtr01 listen-address 198.51.100.2 - set service https virtual-host rtr01 listen-port 11443 + set service https virtual-host rtr01 port 11443 set service https virtual-host rtr01 server-name rtr01.example.com set service https api-restrict virtual-host rtr01 diff --git a/docs/configuration/service/mdns.rst b/docs/configuration/service/mdns.rst index 9d6a292a..51fbf1a1 100644 --- a/docs/configuration/service/mdns.rst +++ b/docs/configuration/service/mdns.rst @@ -5,28 +5,44 @@ Starting with VyOS 1.2 a :abbr:`mDNS (Multicast DNS)` repeater functionality is provided. Additional information can be obtained from https://en.wikipedia.org/wiki/Multicast_DNS. -Multicast DNS uses the 224.0.0.251 address, which is "administratively scoped" -and does not leave the subnet. It retransmits mDNS packets from one interface -to other interfaces. This enables support for e.g. Apple Airplay devices across -multiple VLANs. +Multicast DNS uses the reserved address ``224.0.0.251``, which is +`"administratively scoped"` and does not leave the subnet. mDNS repeater +retransmits mDNS packets from one interface to other interfaces. This enables +support for devices using mDNS discovery (like network printers, Apple Airplay, +Chromecast, various IP based home-automation devices etc) across multiple VLANs. -Since the mDNS protocol sends the AA records in the packet itself, the repeater -does not need to forge the source address. Instead, the source address is of -the interface that repeats the packet. +Since the mDNS protocol sends the :abbr:`AA(Authoritative Answer)` records in +the packet itself, the repeater does not need to forge the source address. +Instead, the source address is of the interface that repeats the packet. Configuration ============= .. cfgcmd:: set service mdns repeater interface <interface> - To enable mDNS repeater you need to configure at least two interfaces. To - re-broadcast all incoming mDNS packets from any interface configured here to - any other interface configured under this section. + To enable mDNS repeater you need to configure at least two interfaces so that + all incoming mDNS packets from one interface configured here can be + re-broadcasted to any other interface(s) configured under this section. .. cfgcmd:: set service mdns repeater disable mDNS repeater can be temporarily disabled without deleting the service using +.. cfgcmd:: set service mdns repeater ip-version <ipv4 | ipv6 | both> + + mDNS repeater can be enabled either on IPv4 socket or on IPv6 socket or both + to re-broadcast. By default, mDNS repeater will listen on both IPv4 and IPv6. + +.. cfgcmd:: set service mdns repeater allow-service <service> + + mDNS repeater can be configured to re-broadcast only specific services. By + default, all services are re-broadcasted. + +.. cfgcmd:: set service mdns repeater browse-domain <domain> + + Allow listing additional custom domains to be browsed (in addition to the + default ``local``) so that they can be reflected. + .. note:: You can not run this in a VRRP setup, if multiple mDNS repeaters are launched in a subnet you will experience the mDNS packet storm death! @@ -41,4 +57,35 @@ received on `eth0` to `eth1` (and vice-versa) use the following commands: set service mdns repeater interface 'eth0' set service mdns repeater interface 'eth1' +To allow only specific services, for example ``_airplay._tcp`` or ``_ipp._tcp``, +(instead of all services) to be re-broadcasted, use the following command: + +.. code-block:: none + + set service mdns repeater allow-service '_airplay._tcp' + set service mdns repeater allow-service '_ipp._tcp' + +To allow listing additional custom domain, for example +``openthread.thread.home.arpa``, so that it can reflected in addition to the +default ``local``, use the following command: + +.. code-block:: none + + set service mdns repeater browse-domain 'openthread.thread.home.arpa' + .. _`Multicast DNS`: https://en.wikipedia.org/wiki/Multicast_DNS + +Operation +========= + +.. opcmd:: restart mdns repeater + + Restart mDNS repeater service. + +.. opcmd:: show log mdns repeater + + Show logs for mDNS repeater service. + +.. opcmd:: monitor log mdns repeater + + Follow the logs for mDNS repeater service. diff --git a/docs/configuration/service/ssh.rst b/docs/configuration/service/ssh.rst index 15c2390c..efdbc651 100644 --- a/docs/configuration/service/ssh.rst +++ b/docs/configuration/service/ssh.rst @@ -218,3 +218,31 @@ Operation commit save exit + +.. opcmd:: show log ssh + + Show SSH server log. + +.. opcmd:: monitor log ssh + + Follow the SSH server log. + +.. opcmd:: show log ssh dynamic-protection + + Show SSH dynamic-protection log. + +.. opcmd:: monitor log ssh dynamic-protection + + Follow the SSH dynamic-protection log. + +.. opcmd:: show ssh dynamic-protection + + Show list of IPs currently blocked by SSH dynamic-protection. + +.. opcmd:: show ssh fingerprints + + Show SSH server public key fingerprints. + +.. opcmd:: show ssh fingerprints ascii + + Show SSH server public key fingerprints, including a visual ASCII art representation. diff --git a/docs/configuration/system/login.rst b/docs/configuration/system/login.rst index 0cbcecde..98e05cdd 100644 --- a/docs/configuration/system/login.rst +++ b/docs/configuration/system/login.rst @@ -344,6 +344,8 @@ Configuration Source all connections to the TACACS servers from given VRF `<name>`. +.. _login:tacacs_example: + Configuration Example --------------------- diff --git a/docs/configuration/vpn/dmvpn.rst b/docs/configuration/vpn/dmvpn.rst index a85e03b4..7a4b81f7 100644 --- a/docs/configuration/vpn/dmvpn.rst +++ b/docs/configuration/vpn/dmvpn.rst @@ -190,7 +190,7 @@ Hub set interfaces tunnel tun100 address '172.16.253.134/29' set interfaces tunnel tun100 encapsulation 'gre' - set interfaces tunnel tun100 local-ip '192.0.2.1' + set interfaces tunnel tun100 source-address '192.0.2.1' set interfaces tunnel tun100 enable-multicast set interfaces tunnel tun100 parameters ip key '1' @@ -294,7 +294,7 @@ VyOS can also run in DMVPN spoke mode. set interfaces ethernet eth0 address 'dhcp' set interfaces tunnel tun100 address '172.16.253.133/29' - set interfaces tunnel tun100 local-ip 0.0.0.0 + set interfaces tunnel tun100 source-address 0.0.0.0 set interfaces tunnel tun100 encapsulation 'gre' set interfaces tunnel tun100 enable-multicast set interfaces tunnel tun100 parameters ip key '1' diff --git a/docs/configuration/vpn/ipsec.rst b/docs/configuration/vpn/ipsec.rst index ece06fa2..b6ee86af 100644 --- a/docs/configuration/vpn/ipsec.rst +++ b/docs/configuration/vpn/ipsec.rst @@ -221,8 +221,8 @@ On the LEFT: On the RIGHT, setup by analogy and swap local and remote addresses. -Source tunnel from loopbacks -^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Source tunnel from dummy interface +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ The scheme above doesn't work when one of the routers has a dynamic external address though. The classic workaround for this is to setup an address on a @@ -240,7 +240,7 @@ On the LEFT: .. code-block:: none - set interfaces loopback lo address 192.168.99.1/32 + set interfaces dummy dum0 address 192.168.99.1/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 address 10.10.10.1/30 @@ -251,7 +251,7 @@ On the RIGHT: .. code-block:: none - set interfaces loopback lo address 192.168.99.2/32 + set interfaces dummy dum0 address 192.168.99.2/32 set interfaces tunnel tun0 encapsulation gre set interfaces tunnel tun0 address 10.10.10.2/30 diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst index 6ea1cc7d..26de47b3 100644 --- a/docs/configuration/vpn/l2tp.rst +++ b/docs/configuration/vpn/l2tp.rst @@ -60,7 +60,7 @@ To allow VPN-clients access via your external address, a NAT rule is required: .. code-block:: none - set nat source rule 110 outbound-interface 'eth0' + set nat source rule 110 outbound-interface name 'eth0' set nat source rule 110 source address '192.168.255.0/24' set nat source rule 110 translation address masquerade diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 5f8e5263..23df1b76 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst @@ -10,8 +10,8 @@ connected/routed networks. To configure site-to-site connection you need to add peers with the ``set vpn ipsec site-to-site peer <name>`` command. -The peer name must be an alphanumeric and can have hypen or underscore as -special characters. It is purely informational. +The peer name must be an alphanumeric and can have hypen or underscore as +special characters. It is purely informational. Each site-to-site peer has the next options: @@ -20,11 +20,11 @@ Each site-to-site peer has the next options: * ``psk`` - Preshared secret key name: - * ``dhcp-interface`` - ID for authentication generated from DHCP address + * ``dhcp-interface`` - ID for authentication generated from DHCP address dynamically; - * ``id`` - static ID's for authentication. In general local and remote + * ``id`` - static ID's for authentication. In general local and remote address ``<x.x.x.x>``, ``<h:h:h:h:h:h:h:h>`` or ``%any``; - * ``secret`` - predefined shared secret. Used if configured mode + * ``secret`` - predefined shared secret. Used if configured mode ``pre-shared-secret``; @@ -110,7 +110,7 @@ Each site-to-site peer has the next options: * ``remote-address`` - remote IP address or hostname for IPSec connection. IPv4 or IPv6 address is used when a peer has a public static IP address. - Hostname is a DNS name which could be used when a peer has a public IP + Hostname is a DNS name which could be used when a peer has a public IP address and DNS name, but an IP address could be changed from time to time. * ``tunnel`` - define criteria for traffic to be matched for encrypting and send @@ -149,9 +149,9 @@ Each site-to-site peer has the next options: * ``esp-group`` - define ESP group for encrypt traffic, passed this VTI interface. -* ``virtual-address`` - Defines a virtual IP address which is requested by the - initiator and one or several IPv4 and/or IPv6 addresses are assigned from - multiple pools by the responder. +* ``virtual-address`` - Defines a virtual IP address which is requested by the + initiator and one or several IPv4 and/or IPv6 addresses are assigned from + multiple pools by the responder. Examples: ------------------ @@ -245,13 +245,13 @@ If there is SNAT rules on eth1, need to add exclude rule # server side set nat source rule 10 destination address '10.0.0.0/24' set nat source rule 10 'exclude' - set nat source rule 10 outbound-interface 'eth1' + set nat source rule 10 outbound-interface name 'eth1' set nat source rule 10 source address '192.168.0.0/24' # remote office side set nat source rule 10 destination address '192.168.0.0/24' set nat source rule 10 'exclude' - set nat source rule 10 outbound-interface 'eth1' + set nat source rule 10 outbound-interface name 'eth1' set nat source rule 10 source address '10.0.0.0/24' To allow traffic to pass through to clients, you need to add the following @@ -284,118 +284,144 @@ Imagine the following topology IPSec IKEv2 site2site VPN (source ./draw.io/vpn_s2s_ikev2.drawio) +**LEFT:** +* WAN interface on `eth0.201` +* `eth0.201` interface IP: `172.18.201.10/24` +* `vti10` interface IP: `10.0.0.2/31` +* `dum0` interface IP: `10.0.11.1/24` (for testing purposes) + +**RIGHT:** +* WAN interface on `eth0.202` +* `eth0.201` interface IP: `172.18.202.10/24` +* `vti10` interface IP: `10.0.0.3/31` +* `dum0` interface IP: `10.0.12.1/24` (for testing purposes) .. note:: Don't get confused about the used /31 tunnel subnet. :rfc:`3021` gives you additional information for using /31 subnets on point-to-point links. -**left** +**LEFT** .. code-block:: none + set interfaces ethernet eth0 vif 201 address '172.18.201.10/24' + set interfaces dummy dum0 address '10.0.11.1/24' set interfaces vti vti10 address '10.0.0.2/31' - set vpn ipsec authentication psk OFFICE-B id '172.18.201.10' - set vpn ipsec authentication psk OFFICE-B id '172.18.202.10' - set vpn ipsec authentication psk OFFICE-B secret 'secretkey' + set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.201.10' + set vpn ipsec authentication psk peer_172-18-202-10 id '172.18.202.10' + set vpn ipsec authentication psk peer_172-18-202-10 secret 'secretkey' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' + set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' + set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' set vpn ipsec interface 'eth0.201' - set vpn ipsec site-to-site peer OFFICE-B authentication local-id '172.18.201.10' - set vpn ipsec site-to-site peer OFFICE-B authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-B authentication remote-id '172.18.202.10' - set vpn ipsec site-to-site peer OFFICE-B connection-type 'respond' - set vpn ipsec site-to-site peer OFFICE-B ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer OFFICE-B local-address '192.168.0.10' - set vpn ipsec site-to-site peer OFFICE-B remote-address '172.18.202.10' - set vpn ipsec site-to-site peer OFFICE-B vti bind 'vti10' - set vpn ipsec site-to-site peer OFFICE-B vti esp-group 'ESP_DEFAULT' + set vpn ipsec site-to-site peer peer_172-18-202-10 authentication local-id '172.18.201.10' + set vpn ipsec site-to-site peer peer_172-18-202-10 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer peer_172-18-202-10 authentication remote-id '172.18.202.10' + set vpn ipsec site-to-site peer peer_172-18-202-10 connection-type 'initiate' + set vpn ipsec site-to-site peer peer_172-18-202-10 ike-group 'IKEv2_DEFAULT' + set vpn ipsec site-to-site peer peer_172-18-202-10 ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer peer_172-18-202-10 local-address '172.18.201.10' + set vpn ipsec site-to-site peer peer_172-18-202-10 remote-address '172.18.202.10' + set vpn ipsec site-to-site peer peer_172-18-202-10 vti bind 'vti10' + set vpn ipsec site-to-site peer peer_172-18-202-10 vti esp-group 'ESP_DEFAULT' + + set protocols static interface-route 10.0.12.0/24 next-hop-interface vti10 -**right** +**RIGHT** .. code-block:: none + set interfaces ethernet eth0 vif 202 address '172.18.202.10/24' + set interfaces dummy dum0 address '10.0.12.1/24' set interfaces vti vti10 address '10.0.0.3/31' - set vpn ipsec authentication psk OFFICE-A id '172.18.201.10' - set vpn ipsec authentication psk OFFICE-A id '172.18.202.10' - set vpn ipsec authentication psk OFFICE-A secret 'secretkey' + set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.202.10' + set vpn ipsec authentication psk peer_172-18-201-10 id '172.18.201.10' + set vpn ipsec authentication psk peer_172-18-201-10 secret 'secretkey' set vpn ipsec esp-group ESP_DEFAULT lifetime '3600' set vpn ipsec esp-group ESP_DEFAULT mode 'tunnel' set vpn ipsec esp-group ESP_DEFAULT pfs 'dh-group19' set vpn ipsec esp-group ESP_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec esp-group ESP_DEFAULT proposal 10 hash 'sha256' - set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'restart' + set vpn ipsec ike-group IKEv2_DEFAULT close-action 'none' + set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection action 'hold' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection interval '30' set vpn ipsec ike-group IKEv2_DEFAULT dead-peer-detection timeout '120' + set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT key-exchange 'ikev2' set vpn ipsec ike-group IKEv2_DEFAULT lifetime '10800' - set vpn ipsec ike-group IKEv2_DEFAULT disable-mobike set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 dh-group '19' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 encryption 'aes256gcm128' set vpn ipsec ike-group IKEv2_DEFAULT proposal 10 hash 'sha256' set vpn ipsec interface 'eth0.202' - set vpn ipsec site-to-site peer OFFICE-A authentication local-id '172.18.202.10' - set vpn ipsec site-to-site peer OFFICE-A authentication mode 'pre-shared-secret' - set vpn ipsec site-to-site peer OFFICE-A authentication remote-id '172.18.201.10' - set vpn ipsec site-to-site peer OFFICE-A connection-type 'initiate' - set vpn ipsec site-to-site peer OFFICE-A ike-group 'IKEv2_DEFAULT' - set vpn ipsec site-to-site peer OFFICE-A local-address '172.18.202.10' - set vpn ipsec site-to-site peer OFFICE-A remote-address '172.18.201.10' - set vpn ipsec site-to-site peer OFFICE-A vti bind 'vti10' - set vpn ipsec site-to-site peer OFFICE-A vti esp-group 'ESP_DEFAULT' + set vpn ipsec site-to-site peer peer_172-18-201-10 authentication local-id '172.18.202.10' + set vpn ipsec site-to-site peer peer_172-18-201-10 authentication mode 'pre-shared-secret' + set vpn ipsec site-to-site peer peer_172-18-201-10 authentication remote-id '172.18.201.10' + set vpn ipsec site-to-site peer peer_172-18-201-10 connection-type 'initiate' + set vpn ipsec site-to-site peer peer_172-18-201-10 ike-group 'IKEv2_DEFAULT' + set vpn ipsec site-to-site peer peer_172-18-201-10 ikev2-reauth 'inherit' + set vpn ipsec site-to-site peer peer_172-18-201-10 local-address '172.18.202.10' + set vpn ipsec site-to-site peer peer_172-18-201-10 remote-address '172.18.201.10' + set vpn ipsec site-to-site peer peer_172-18-201-10 vti bind 'vti10' + set vpn ipsec site-to-site peer peer_172-18-201-10 vti esp-group 'ESP_DEFAULT' + + set protocols static interface-route 10.0.11.0/24 next-hop-interface vti10 Key Parameters: * ``authentication local-id/remote-id`` - IKE identification is used for validation of VPN peer devices during IKE negotiation. If you do not configure - local/remote-identity, the device uses the IPv4 or IPv6 address that + local/remote-identity, the device uses the IPv4 or IPv6 address that corresponds to the local/remote peer by default. - In certain network setups (like ipsec interface with dynamic address, or - behind the NAT ), the IKE ID received from the peer does not match the IKE - gateway configured on the device. This can lead to a Phase 1 validation + In certain network setups (like ipsec interface with dynamic address, or + behind the NAT ), the IKE ID received from the peer does not match the IKE + gateway configured on the device. This can lead to a Phase 1 validation failure. - So, make sure to configure the local/remote id explicitly and ensure that the + So, make sure to configure the local/remote id explicitly and ensure that the IKE ID is the same as the remote-identity configured on the peer device. * ``disable-route-autoinstall`` - This option when configured disables the routes installed in the default table 220 for site-to-site ipsec. It is mostly used with VTI configuration. -* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE - notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) - are periodically sent in order to check the liveliness of the IPsec peer. The - values clear, hold, and restart all activate DPD and determine the action to +* ``dead-peer-detection action = clear | hold | restart`` - R_U_THERE + notification messages(IKEv1) or empty INFORMATIONAL messages (IKEv2) + are periodically sent in order to check the liveliness of the IPsec peer. The + values clear, hold, and restart all activate DPD and determine the action to perform on a timeout. - With ``clear`` the connection is closed with no further actions taken. - ``hold`` installs a trap policy, which will catch matching traffic and tries - to re-negotiate the connection on demand. - ``restart`` will immediately trigger an attempt to re-negotiate the + With ``clear`` the connection is closed with no further actions taken. + ``hold`` installs a trap policy, which will catch matching traffic and tries + to re-negotiate the connection on demand. + ``restart`` will immediately trigger an attempt to re-negotiate the connection. -* ``close-action = none | clear | hold | restart`` - defines the action to take - if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of +* ``close-action = none | clear | hold | restart`` - defines the action to take + if the remote peer unexpectedly closes a CHILD_SA (see above for meaning of values). A closeaction should not be used if the peer uses reauthentication or uniqueids. - - When the close-action option is set on the peers, the connection-type + + When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set - on both peers, then both would attempt to initiate and hold open multiple - copies of each child SA. This might lead to instability of the device or - cpu/memory utilization. - - Below flow-chart could be a quick reference for the close-action - combination depending on how the peer is configured. + on both peers, then both would attempt to initiate and hold open multiple + copies of each child SA. This might lead to instability of the device or + cpu/memory utilization. + + Below flow-chart could be a quick reference for the close-action + combination depending on how the peer is configured. .. figure:: /_static/images/IPSec_close_action_settings.jpg - + Similar combinations are applicable for the dead-peer-detection. diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst index dea53321..bd482cd9 100644 --- a/docs/configuration/vrf/index.rst +++ b/docs/configuration/vrf/index.rst @@ -282,6 +282,8 @@ Configuration VRF and NAT ----------- +.. _vrf:nat_configuration: + Configuration ^^^^^^^^^^^^^ @@ -295,11 +297,11 @@ Configuration set nat destination rule 110 description 'NAT ssh- INSIDE' set nat destination rule 110 destination port '2022' - set nat destination rule 110 inbound-interface 'eth0' + set nat destination rule 110 inbound-interface name 'eth0' set nat destination rule 110 protocol 'tcp' set nat destination rule 110 translation address '192.168.130.40' - set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 outbound-interface name 'eth0' set nat source rule 100 protocol 'all' set nat source rule 100 source address '192.168.130.0/24' set nat source rule 100 translation address 'masquerade' diff --git a/docs/contributing/build-vyos.rst b/docs/contributing/build-vyos.rst index 80f800c2..bb212e2f 100644 --- a/docs/contributing/build-vyos.rst +++ b/docs/contributing/build-vyos.rst @@ -92,8 +92,8 @@ The container can also be built directly from source: $ git clone -b crux --single-branch https://github.com/vyos/vyos-build # For VyOS 1.3 (equuleus) $ git clone -b equuleus --single-branch https://github.com/vyos/vyos-build - # For VyOS 1.4 (sagitta, current) - $ git clone -b current --single-branch https://github.com/vyos/vyos-build + # For VyOS 1.4 (sagitta) + $ git clone -b sagitta --single-branch https://github.com/vyos/vyos-build $ cd vyos-build $ docker build -t vyos/vyos-build:crux docker # For VyOS 1.2 @@ -151,7 +151,7 @@ following Debian versions installed: - Debian Jessie for VyOS 1.2 (crux) - Debian Buster for VyOS 1.3 (equuleus) -- Debian Bullseye for VyOS 1.4 (sagitta, current) - aka the rolling release +- Debian Bullseye for VyOS 1.4 (sagitta) To start, clone the repository to your local machine: @@ -163,8 +163,8 @@ To start, clone the repository to your local machine: # For VyOS 1.3 (equuleus) $ git clone -b equuleus --single-branch https://github.com/vyos/vyos-build - # For VyOS 1.4 (sagitta, current) - $ git clone -b current --single-branch https://github.com/vyos/vyos-build + # For VyOS 1.4 (sagitta) + $ git clone -b sagitta --single-branch https://github.com/vyos/vyos-build For the packages required, you can refer to the ``docker/Dockerfile`` file @@ -193,8 +193,8 @@ Please note as this will differ for both `current` and `crux`. # For VyOS 1.3 (equuleus) $ git clone -b equuleus --single-branch https://github.com/vyos/vyos-build - # For VyOS 1.4 (sagitta, current) - $ git clone -b current --single-branch https://github.com/vyos/vyos-build + # For VyOS 1.4 (sagitta) + $ git clone -b sagitta --single-branch https://github.com/vyos/vyos-build Now a fresh build of the VyOS ISO can begin. Change directory to the ``vyos-build`` directory and run: @@ -208,8 +208,8 @@ Now a fresh build of the VyOS ISO can begin. Change directory to the # For VyOS 1.3 (equuleus) $ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:equuleus bash - # For VyOS 1.4 (sagitta, current) - $ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:current bash + # For VyOS 1.4 (sagitta) + $ docker run --rm -it --privileged -v $(pwd):/vyos -w /vyos vyos/vyos-build:sagitta bash .. code-block:: none diff --git a/docs/quick-start.rst b/docs/quick-start.rst index a3927560..c8bb3f04 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -114,7 +114,7 @@ network via IP masquerade. .. code-block:: none - set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 outbound-interface name 'eth0' set nat source rule 100 source address '192.168.0.0/24' set nat source rule 100 translation address masquerade @@ -128,12 +128,6 @@ interlinked chains for each `Netfilter hook <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_ and allows for more granular control over the packet filtering process. -.. note:: Documentation for most of the new firewall CLI can be found in - the :ref:`firewall` chapter.The legacy firewall is still available - for versions before ``1.4-rolling-202308040557`` and can be found in the - :ref:`firewall-legacy` chapter. The examples in this section use the - new configuration. - The firewall begins with the base ``filter`` tables you define for each of the ``forward``, ``input``, and ``output`` Netfiter hooks. Each of these tables is populated with rules that are processed in order and can jump to other chains @@ -185,11 +179,11 @@ The chain we will create is called ``CONN_FILTER`` and has three rules: set firewall ipv4 name CONN_FILTER default-action 'return' set firewall ipv4 name CONN_FILTER rule 10 action 'accept' - set firewall ipv4 name CONN_FILTER rule 10 state established 'enable' - set firewall ipv4 name CONN_FILTER rule 10 state related 'enable' + set firewall ipv4 name CONN_FILTER rule 10 state established + set firewall ipv4 name CONN_FILTER rule 10 state related set firewall ipv4 name CONN_FILTER rule 20 action 'drop' - set firewall ipv4 name CONN_FILTER rule 20 state invalid 'enable' + set firewall ipv4 name CONN_FILTER rule 20 state invalid Then, we can jump to the common chain from both the ``forward`` and ``input`` hooks as the first filtering rule in the respective chains: @@ -212,16 +206,16 @@ creating rules on each hook's chain: .. code-block:: none set firewall ipv4 forward filter rule 5 action 'accept' - set firewall ipv4 forward filter rule 5 state established 'enable' - set firewall ipv4 forward filter rule 5 state related 'enable' + set firewall ipv4 forward filter rule 5 state established + set firewall ipv4 forward filter rule 5 state related set firewall ipv4 forward filter rule 10 action 'drop' - set firewall ipv4 forward filter rule 10 state invalid 'enable' + set firewall ipv4 forward filter rule 10 state invalid set firewall ipv4 input filter rule 5 action 'accept' - set firewall ipv4 input filter rule 5 state established 'enable' - set firewall ipv4 input filter rule 5 state related 'enable' + set firewall ipv4 input filter rule 5 state established + set firewall ipv4 input filter rule 5 state related set firewall ipv4 input filter rule 10 action 'drop' - set firewall ipv4 input filter rule 10 state invalid 'enable' + set firewall ipv4 input filter rule 10 state invalid Block Incoming Traffic ---------------------- @@ -241,7 +235,7 @@ group and is addressed to our local network. set firewall ipv4 forward filter rule 100 action jump set firewall ipv4 forward filter rule 100 jump-target OUTSIDE-IN - set firewall ipv4 forward filter rule 100 inbound-interface interface-group WAN + set firewall ipv4 forward filter rule 100 inbound-interface group WAN set firewall ipv4 forward filter rule 100 destination group network-group NET-INSIDE-v4 We should also block all traffic destinated to the router itself that isn't @@ -285,17 +279,17 @@ interface group to 4 per minute: .. code-block:: none set firewall ipv4 name VyOS_MANAGEMENT rule 15 action 'accept' - set firewall ipv4 name VyOS_MANAGEMENT rule 15 inbound-interface interface-group 'LAN' + set firewall ipv4 name VyOS_MANAGEMENT rule 15 inbound-interface group 'LAN' set firewall ipv4 name VyOS_MANAGEMENT rule 20 action 'drop' set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent count 4 set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent time minute - set firewall ipv4 name VyOS_MANAGEMENT rule 20 state new enable - set firewall ipv4 name VyOS_MANAGEMENT rule 20 inbound-interface interface-group 'WAN' + set firewall ipv4 name VyOS_MANAGEMENT rule 20 state new + set firewall ipv4 name VyOS_MANAGEMENT rule 20 inbound-interface group 'WAN' set firewall ipv4 name VyOS_MANAGEMENT rule 21 action 'accept' - set firewall ipv4 name VyOS_MANAGEMENT rule 21 state new enable - set firewall ipv4 name VyOS_MANAGEMENT rule 21 inbound-interface interface-group 'WAN' + set firewall ipv4 name VyOS_MANAGEMENT rule 21 state new + set firewall ipv4 name VyOS_MANAGEMENT rule 21 inbound-interface group 'WAN' Allow Access to Services ------------------------ @@ -309,7 +303,7 @@ all hosts on the ``NET-INSIDE-v4`` network: set firewall ipv4 input filter rule 30 action 'accept' set firewall ipv4 input filter rule 30 icmp type-name 'echo-request' set firewall ipv4 input filter rule 30 protocol 'icmp' - set firewall ipv4 input filter rule 30 state new 'enable' + set firewall ipv4 input filter rule 30 state new set firewall ipv4 input filter rule 40 action 'accept' set firewall ipv4 input filter rule 40 destination port '53' |