:lastproofread: 2024-07-03

.. _firewall-configuration:

#############################
Bridge Firewall Configuration
#############################

********
Overview
********

This section covers all firewall configuration that applies to bridges,
together with the relevant op-mode commands.
Configuration commands covered in this section:

.. cfgcmd:: set firewall bridge ...

Of the overall structure defined in :doc:`Firewall Overview</configuration/firewall/index>`,
this section describes in detail only the following part:

.. code-block:: none

   - set firewall
       * bridge
            - forward
               + filter
            - input
               + filter
            - output
               + filter
            - prerouting
               + filter
            - name
               + custom_name

Traffic that the router receives on an interface that is a member of a
bridge is processed on the **Bridge Layer**. Before the bridge decision is
made, all packets are analyzed at **Prerouting**. The first filters can be
applied here, and rules that bypass the connection tracking system
(``notrack``) can also be configured. The relevant configuration that acts
in **prerouting** is:

  * ``set firewall bridge prerouting filter ...``.

For traffic that needs to be switched internally by the bridge, the base chain
is **forward**, and its base command for filtering is ``set firewall bridge
forward filter ...``, which happens in stage 4, highlighted in red.

.. figure:: /_static/images/firewall-bridge-forward.png

For traffic destined to the router itself, or that needs to be routed (assuming
a layer 3 bridge is configured), the base chain is **input**, the base command
is ``set firewall bridge input filter ...`` and the path is:

.. figure:: /_static/images/firewall-bridge-input.png

If it is not dropped, the packet is then sent to the **IP Layer**, where it is
processed by the **IP Layer** firewall: the IPv4 or IPv6 ruleset. Check the
:doc:`general packet flow diagram</configuration/firewall/index>` again if
needed.

For traffic that originates from the bridge itself, the base chain is
**output**, the base command is ``set firewall bridge output filter ...``, and
the path is:

.. figure:: /_static/images/firewall-bridge-output.png

Custom bridge firewall chains can be created with the command ``set firewall bridge
name <name> ...``. To use such a custom chain, a rule with action ``jump`` and
the appropriate ``jump-target`` must be defined in a base chain.

************
Bridge Rules
************

For firewall filtering, firewall rules need to be created. Each rule is
numbered, has an action to apply if the rule is matched, and can specify
multiple matching criteria. Data packets go through the rules in order
from 1 to 999999, so order is crucial. At the first match, the action of the
rule is executed.

Actions
=======

If a rule is defined, then an action must be defined for it. This tells the
firewall what to do if all matching criteria in the rule are met.

In firewall bridge rules, the action can be:

   * ``accept``: accept the packet.

   * ``continue``: continue parsing next rule.

   * ``drop``: drop the packet.

   * ``jump``: jump to another custom chain.

   * ``return``: Return from the current chain and continue at the next rule
     of the last chain.

   * ``queue``: Enqueue packet to userspace.

   * ``notrack``: bypass the connection tracking system. This action is only
     available in the prerouting chain.

.. cfgcmd:: set firewall bridge forward filter rule <1-999999> action
   [accept | continue | drop | jump | queue | return]
.. cfgcmd:: set firewall bridge input filter rule <1-999999> action
   [accept | continue | drop | jump | queue | return]
.. cfgcmd:: set firewall bridge output filter rule <1-999999> action
   [accept | continue | drop | jump | queue | return]
.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> action
   [accept | continue | drop | jump | notrack | queue | return]
.. cfgcmd:: set firewall bridge name <name> rule <1-999999> action
   [accept | continue | drop | jump | queue | return]

   This required setting defines the action of the current rule. If the action
   is set to ``jump``, then ``jump-target`` is also needed.

.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
   jump-target <text>
.. cfgcmd:: set firewall bridge input filter rule <1-999999>
   jump-target <text>
.. cfgcmd:: set firewall bridge output filter rule <1-999999>
   jump-target <text>
.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999>
   jump-target <text>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
   jump-target <text>

   If the action is set to ``queue``, use the following command to specify the
   queue target. A range is also supported:

.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
   queue <0-65535>
.. cfgcmd:: set firewall bridge input filter rule <1-999999>
   queue <0-65535>
.. cfgcmd:: set firewall bridge output filter rule <1-999999>
   queue <0-65535>
.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999>
   queue <0-65535>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
   queue <0-65535>

   Also, if the action is set to ``queue``, use the following command to specify
   the queue options. Possible options are ``bypass`` and ``fanout``:

.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
   queue-options bypass
.. cfgcmd:: set firewall bridge input filter rule <1-999999>
   queue-options bypass
.. cfgcmd:: set firewall bridge output filter rule <1-999999>
   queue-options bypass
.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999>
   queue-options bypass
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
   queue-options bypass

.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
   queue-options fanout
.. cfgcmd:: set firewall bridge input filter rule <1-999999>
   queue-options fanout
.. cfgcmd:: set firewall bridge output filter rule <1-999999>
   queue-options fanout
.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999>
   queue-options fanout
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
   queue-options fanout

Also, **default-action** is the action that takes place whenever a packet does
not match any rule in its chain. For base chains, the possible options for
**default-action** are **accept** or **drop**.

.. cfgcmd:: set firewall bridge forward filter default-action
   [accept | drop]
.. cfgcmd:: set firewall bridge input filter default-action
   [accept | drop]
.. cfgcmd:: set firewall bridge output filter default-action
   [accept | drop]
.. cfgcmd:: set firewall bridge prerouting filter default-action
   [accept | drop]
.. cfgcmd:: set firewall bridge name <name> default-action
   [accept | continue | drop | jump | reject | return]

   This sets the default action of the rule-set if a packet does not match
   any of the rules in that chain. If default-action is set to ``jump``, then
   ``default-jump-target`` is also needed. Note that for base chains, the
   default action can only be set to ``accept`` or ``drop``, while on custom
   chains more actions are available.

.. cfgcmd:: set firewall bridge name <name> default-jump-target <text>

   To be used only when ``default-action`` is set to ``jump``. Use this
   command to specify jump target for default rule.

.. note:: **Important note about default-actions:**
   If the default action for a base chain is not defined, the default action
   of that chain is **accept**. For custom chains, if the default action is
   not defined, the default action is **drop**.

Firewall Logs
=============

Logging can be enabled for every single firewall rule. If enabled, further
log options can be defined.

.. cfgcmd:: set firewall bridge forward filter rule <1-999999> log
.. cfgcmd:: set firewall bridge input filter rule <1-999999> log
.. cfgcmd:: set firewall bridge output filter rule <1-999999> log
.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> log
.. cfgcmd:: set firewall bridge name <name> rule <1-999999> log

   Enable logging for the matched packet. If this configuration command is not
   present, then the log is not enabled.

.. cfgcmd:: set firewall bridge forward filter default-log
.. cfgcmd:: set firewall bridge input filter default-log
.. cfgcmd:: set firewall bridge output filter default-log
.. cfgcmd:: set firewall bridge prerouting filter default-log
.. cfgcmd:: set firewall bridge name <name> default-log

   Use this command to enable the logging of the default action on
   the specified chain.

.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
   log-options level [emerg | alert | crit | err | warn | notice
   | info | debug]
.. cfgcmd:: set firewall bridge input filter rule <1-999999>
   log-options level [emerg | alert | crit | err | warn | notice
   | info | debug]
.. cfgcmd:: set firewall bridge output filter rule <1-999999>
   log-options level [emerg | alert | crit | err | warn | notice
   | info | debug]
.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999>
   log-options level [emerg | alert | crit | err | warn | notice
   | info | debug]
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
   log-options level [emerg | alert | crit | err | warn | notice
   | info | debug]

   Define the log level. Only applicable if rule log is enabled.

.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
   log-options group <0-65535>
.. cfgcmd:: set firewall bridge input filter rule <1-999999>
   log-options group <0-65535>
.. cfgcmd:: set firewall bridge output filter rule <1-999999>
   log-options group <0-65535>
.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999>
   log-options group <0-65535>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
   log-options group <0-65535>

   Define the log group to send messages to. Only applicable if rule log is
   enabled.

.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
   log-options snapshot-length <0-9000>
.. cfgcmd:: set firewall bridge input filter rule <1-999999>
   log-options snapshot-length <0-9000>
.. cfgcmd:: set firewall bridge output filter rule <1-999999>
   log-options snapshot-length <0-9000>
.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999>
   log-options snapshot-length <0-9000>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
   log-options snapshot-length <0-9000>

   Define length of packet payload to include in netlink message. Only
   applicable if rule log is enabled and the log group is defined.

.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
   log-options queue-threshold <0-65535>
.. cfgcmd:: set firewall bridge input filter rule <1-999999>
   log-options queue-threshold <0-65535>
.. cfgcmd:: set firewall bridge output filter rule <1-999999>
   log-options queue-threshold <0-65535>
.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999>
   log-options queue-threshold <0-65535>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
   log-options queue-threshold <0-65535>

   Define the number of packets to queue inside the kernel before sending them
   to userspace. Only applicable if rule log is enabled and the log group is
   defined.

Firewall Description
====================

For reference, a description can be defined for every defined custom chain.

.. cfgcmd:: set firewall bridge name <name> description <text>

   Provide a rule-set description to a custom firewall chain.

.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
   description <text>
.. cfgcmd:: set firewall bridge input filter rule <1-999999>
   description <text>
.. cfgcmd:: set firewall bridge output filter rule <1-999999>
   description <text>
.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999>
   description <text>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
   description <text>

   Provide a description for each rule.

Rule Status
===========

When defining a rule, it is enabled by default. In some cases, it is useful to
just disable the rule, rather than removing it.

.. cfgcmd:: set firewall bridge forward filter rule <1-999999> disable
.. cfgcmd:: set firewall bridge input filter rule <1-999999> disable
.. cfgcmd:: set firewall bridge output filter rule <1-999999> disable
.. cfgcmd:: set firewall bridge prerouting filter rule <1-999999> disable
.. cfgcmd:: set firewall bridge name <name> rule <1-999999> disable

   Disable the rule while keeping it in the configuration.

Matching criteria
=================

There are many matching criteria against which a packet can be tested.
Please refer to :doc:`IPv4</configuration/firewall/ipv4>` and
:doc:`IPv6</configuration/firewall/ipv6>` matching criteria for more details.

Since a bridge operates at layer 2 and forwards both IPv4 and IPv6 frames,
the IPv4 and IPv6 matchers are both supported in the bridge firewall
configuration. The same applies to firewall groups.

Use IP firewall
===============

By default, for switched traffic, only the rules defined under ``set firewall
bridge`` are applied. Two global options can be configured to force deeper
analysis of the packet on the IP layer. These options are:

.. cfgcmd:: set firewall global-options apply-to-bridged-traffic ipv4

   This command enables the IPv4 firewall for bridged traffic. If this option
   is used, the packet will also be evaluated against the rules defined in
   ``set firewall ipv4 ...``.

.. cfgcmd:: set firewall global-options apply-to-bridged-traffic ipv6

   This command enables the IPv6 firewall for bridged traffic. If this option
   is used, the packet will also be evaluated against the rules defined in
   ``set firewall ipv6 ...``.

***********************
Operation-mode Firewall
***********************

Rule-set overview
=================

This section lists the useful firewall op-mode commands.

General commands for firewall configuration, counters and statistics:

.. opcmd:: show firewall
.. opcmd:: show firewall summary
.. opcmd:: show firewall statistics

And, to print only bridge firewall information:

.. opcmd:: show firewall bridge
.. opcmd:: show firewall bridge forward filter
.. opcmd:: show firewall bridge forward filter rule <rule>
.. opcmd:: show firewall bridge name <name>
.. opcmd:: show firewall bridge name <name> rule <rule>

Show Firewall log
=================

.. opcmd:: show log firewall
.. opcmd:: show log firewall bridge
.. opcmd:: show log firewall bridge forward
.. opcmd:: show log firewall bridge forward filter
.. opcmd:: show log firewall bridge name <name>
.. opcmd:: show log firewall bridge forward filter rule <rule>
.. opcmd:: show log firewall bridge name <name> rule <rule>

   Show the logs of the whole firewall; show all bridge firewall logs; show all
   logs for the forward hook; show all logs for the forward hook and priority
   filter; show all logs for a particular custom chain; show the logs for a
   specific rule of a base or custom chain.

Example
=======

Configuration example:

.. code-block:: none

   set firewall bridge forward filter default-action 'drop'
   set firewall bridge forward filter default-log
   set firewall bridge forward filter rule 10 action 'continue'
   set firewall bridge forward filter rule 10 inbound-interface name 'eth2'
   set firewall bridge forward filter rule 10 vlan id '22'
   set firewall bridge forward filter rule 20 action 'drop'
   set firewall bridge forward filter rule 20 inbound-interface group 'TRUNK-RIGHT'
   set firewall bridge forward filter rule 20 vlan id '60'
   set firewall bridge forward filter rule 30 action 'jump'
   set firewall bridge forward filter rule 30 jump-target 'TEST'
   set firewall bridge forward filter rule 30 outbound-interface name '!eth1'
   set firewall bridge forward filter rule 35 action 'accept'
   set firewall bridge forward filter rule 35 vlan id '11'
   set firewall bridge forward filter rule 40 action 'continue'
   set firewall bridge forward filter rule 40 destination mac-address '66:55:44:33:22:11'
   set firewall bridge forward filter rule 40 source mac-address '11:22:33:44:55:66'
   set firewall bridge name TEST default-action 'accept'
   set firewall bridge name TEST default-log
   set firewall bridge name TEST rule 10 action 'continue'
   set firewall bridge name TEST rule 10 log
   set firewall bridge name TEST rule 10 vlan priority '0'
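The rule walk described under *Bridge Rules* (first match, ``continue``, ``jump`` into a custom chain, ``return`` to the caller, and the default-action fallback of ``accept`` for base chains and ``drop`` for custom chains) can be exercised offline with the following toy model. It is an added example and not VyOS code: the ``Packet`` fields, the ``GROUPS`` membership for ``TRUNK-RIGHT`` and the lambda matchers are constructed stand-ins for the real matchers, and ``build_example`` transcribes the configuration example above so its counters can be reasoned about (a packet that reaches rule 30 with an outbound interface other than ``eth1`` jumps to ``TEST``, continues past its rule 10 and is accepted by that chain's default, which is exactly what the ``show firewall bridge`` counters below reflect). The handling of ``return`` inside a base chain (fall through to the chain's default) is an assumption of the model.

```python
"""Toy model of how a VyOS bridge firewall chain is walked.

Added example, not VyOS code.  Rules are tried in ascending number order;
accept/drop/reject end evaluation; continue moves on; jump enters a custom
chain and resumes at the next rule when that chain returns or falls
through; an undefined default-action is 'accept' on a base chain and
'drop' on a custom chain.  Packets, groups and matchers are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

TERMINAL = {"accept", "drop", "reject"}   # verdicts that end evaluation


@dataclass
class Packet:
    iif: str                          # inbound interface
    oif: str                          # outbound interface
    vlan_id: Optional[int] = None
    vlan_pcp: Optional[int] = None    # 802.1Q priority
    src_mac: str = ""
    dst_mac: str = ""


@dataclass
class Rule:
    number: int
    action: str                       # accept|drop|continue|jump|return|reject
    match: Callable[[Packet], bool]
    jump_target: Optional[str] = None
    disabled: bool = False            # 'set ... rule N disable'


@dataclass
class Chain:
    name: str
    base: bool                        # forward/input/output/prerouting are base
    rules: List[Rule] = field(default_factory=list)
    default_action: Optional[str] = None
    default_jump_target: Optional[str] = None

    def effective_default(self) -> str:
        """Default-action as the page describes it when none is configured."""
        if self.default_action:
            return self.default_action
        return "accept" if self.base else "drop"


# Constructed interface-group membership (the page only names the group).
GROUPS: Dict[str, Set[str]] = {"TRUNK-RIGHT": {"eth3", "eth4"}}


def evaluate(chains: Dict[str, Chain], chain_name: str, pkt: Packet,
             trace: List[str]) -> str:
    """Walk one chain, appending each decision to trace.  Returns a terminal
    verdict, or 'return' when a custom chain hands control back to its caller."""
    chain = chains[chain_name]
    for rule in sorted(chain.rules, key=lambda r: r.number):
        if rule.disabled or not rule.match(pkt):
            continue
        trace.append(f"{chain_name}:{rule.number}:{rule.action}")
        if rule.action in TERMINAL:
            return rule.action
        if rule.action == "continue":
            continue
        if rule.action == "return":
            if chain.base:
                break        # assumption: return in a base chain falls to its default
            return "return"
        if rule.action == "jump":
            verdict = evaluate(chains, rule.jump_target, pkt, trace)
            if verdict in TERMINAL:
                return verdict
            continue         # target returned or fell through: resume at next rule
    default = chain.effective_default()
    trace.append(f"{chain_name}:default:{default}")
    if default in TERMINAL:
        return default
    if default == "jump":
        verdict = evaluate(chains, chain.default_jump_target, pkt, trace)
        return verdict if verdict in TERMINAL else "return"
    return "return"          # default-action return/continue on a custom chain


def build_example() -> Dict[str, Chain]:
    """The configuration example from this page, expressed in the toy model."""
    forward = Chain("forward", base=True, default_action="drop", rules=[
        Rule(10, "continue", lambda p: p.iif == "eth2" and p.vlan_id == 22),
        Rule(20, "drop", lambda p: p.iif in GROUPS["TRUNK-RIGHT"] and p.vlan_id == 60),
        Rule(30, "jump", lambda p: p.oif != "eth1", jump_target="TEST"),
        Rule(35, "accept", lambda p: p.vlan_id == 11),
        Rule(40, "continue", lambda p: p.dst_mac == "66:55:44:33:22:11"
             and p.src_mac == "11:22:33:44:55:66"),
    ])
    test = Chain("TEST", base=False, default_action="accept", rules=[
        Rule(10, "continue", lambda p: p.vlan_pcp == 0),
    ])
    return {"forward": forward, "TEST": test}


def verdict_for(pkt: Packet, chains: Optional[Dict[str, Chain]] = None,
                entry: str = "forward") -> Tuple[str, List[str]]:
    """Evaluate a packet entering the given base chain; return (verdict, trace)."""
    trace: List[str] = []
    chains = chains if chains is not None else build_example()
    return evaluate(chains, entry, pkt, trace), trace


if __name__ == "__main__":
    for p in (Packet("eth1", "eth2", vlan_id=22, vlan_pcp=0),  # jump to TEST, its default accepts
              Packet("eth3", "eth1", vlan_id=60),              # rule 20 drops
              Packet("eth2", "eth1", vlan_id=22)):             # rule 10 continues, default drops
        print(p, *verdict_for(p))
```

The trace returned by ``verdict_for`` is the useful part when auditing a ruleset: it shows which rule produced a verdict and, in particular, how often traffic ends up in a chain's default action, which is where an unintended ``accept`` (the implicit default of every base chain) is easiest to overlook.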

And op-mode commands:

.. code-block:: none

      vyos@BRI:~$ show firewall bridge
      Rulesets bridge Information

      ---------------------------------
      bridge Firewall "forward filter"

      Rule     Action    Protocol      Packets    Bytes  Conditions
      -------  --------  ----------  ---------  -------  ---------------------------------------------------------------------
      10       continue  all                 0        0  iifname "eth2" vlan id 22  continue
      20       drop      all                 0        0  iifname @I_TRUNK-RIGHT vlan id 60
      30       jump      all              2130   170688  oifname != "eth1"  jump NAME_TEST
      35       accept    all              2080   168616  vlan id 11  accept
      40       continue  all                 0        0  ether daddr 66:55:44:33:22:11 ether saddr 11:22:33:44:55:66  continue
      default  drop      all                 0        0

      ---------------------------------
      bridge Firewall "name TEST"

      Rule     Action    Protocol      Packets    Bytes  Conditions
      -------  --------  ----------  ---------  -------  --------------------------------------------------
      10       continue  all              2130   170688  vlan pcp 0  prefix "[bri-NAM-TEST-10-C]"  continue
      default  accept    all              2130   170688

      vyos@BRI:~$
      vyos@BRI:~$ show firewall bridge name TEST
      Ruleset Information

      ---------------------------------
      bridge Firewall "name TEST"

      Rule     Action    Protocol      Packets    Bytes  Conditions
      -------  --------  ----------  ---------  -------  --------------------------------------------------
      10       continue  all              2130   170688  vlan pcp 0  prefix "[bri-NAM-TEST-10-C]"  continue
      default  accept    all              2130   170688

      vyos@BRI:~$

Inspect logs:

.. code-block:: none

      vyos@BRI:~$ show log firewall bridge
      Dec 05 14:37:47 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102
      Dec 05 14:37:48 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102
      Dec 05 14:37:49 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102
      ...
      vyos@BRI:~$ show log firewall bridge forward filter
      Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
      Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
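The kernel log lines above carry a bracketed prefix of the form ``[bri-<hook>-<chain>-<rule>-<action letter>]`` followed by ``KEY=value`` fields, which is what makes them usable for detection rather than only for debugging. The parser below is an added example and not VyOS code: it turns such lines into structured records and counts hits per rule, separating traffic that reached a chain's default-drop (frames no explicit rule accounts for) from ordinary rule hits. The sample input reuses the five lines shown above plus one constructed non-firewall line; the only prefix values confirmed by this page are ``FWD``, ``NAM``, ``C`` (continue) and ``D`` (drop), so the remaining entries of the ``HOOKS`` and ``ACTIONS`` tables are assumptions.

```python
"""Parser for the bridge firewall log lines shown on this page.

Added example, not VyOS code.  Prefix shape observed on the page:
[bri-<HOOK>-<chain>-<rule>-<A>] with C = continue and D = drop.  Other
hook abbreviations and action letters below are assumptions.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) kernel: "
    r"\[(?P<prefix>[^\]]+)\](?P<rest>.*)$"
)

# Observed on this page: FWD and NAM.  The rest are assumed abbreviations.
HOOKS = {"FWD": "forward", "INP": "input", "OUT": "output",
         "PRE": "prerouting", "NAM": "name"}

# Observed on this page: C and D.  The rest assume the action's initial
# letter, which makes 'R' ambiguous between reject and return.
ACTIONS = {"A": "accept", "C": "continue", "D": "drop", "J": "jump",
           "Q": "queue", "R": "reject-or-return"}

# Sample input: five lines copied from this page's op-mode output, plus
# one constructed line that is not a firewall log at all.
SAMPLE_LOG = [
    "Dec 05 14:37:47 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102",
    "Dec 05 14:37:48 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102",
    "Dec 05 14:37:49 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102",
    "Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0",
    "Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0",
    "Dec 05 14:42:30 kernel: eth2: link is up",   # constructed, not a firewall line
]


def parse_prefix(prefix: str) -> Dict[str, str]:
    """Split 'bri-NAM-TEST-10-C' into family/hook/chain/rule/action.
    Chain names may contain '-', so the chain is everything between hook and rule."""
    parts = prefix.split("-")
    if len(parts) < 5:
        raise ValueError(f"unexpected log prefix: {prefix!r}")
    return {
        "family": parts[0],
        "hook": HOOKS.get(parts[1], parts[1]),
        "chain": "-".join(parts[2:-2]),
        "rule": parts[-2],                       # a rule number or 'default'
        "action": ACTIONS.get(parts[-1], "unknown-" + parts[-1]),
    }


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a structured record, or None for lines that are not firewall logs."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        rec: Dict[str, object] = dict(parse_prefix(m.group("prefix")))
    except ValueError:
        return None                              # some other bracketed kernel prefix
    fields: Dict[str, str] = {}
    flags: List[str] = []
    for tok in m.group("rest").split():
        if "=" in tok:
            k, v = tok.split("=", 1)
            fields[k] = v
        else:
            flags.append(tok)                    # bare tokens such as 'ARP'
    rec["ts"] = m.group("ts")
    rec["fields"] = fields
    rec["flags"] = flags
    return rec


def hits_per_rule(lines: List[str]) -> Counter:
    """Count log lines per (hook, chain, rule, action)."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["hook"], rec["chain"], rec["rule"], rec["action"])] += 1
    return counts


def default_drops(lines: List[str]) -> List[Dict[str, object]]:
    """Records dropped by a chain's default action: traffic no explicit rule covers."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["rule"] == "default" and rec["action"] == "drop":
            out.append(rec)
    return out


if __name__ == "__main__":
    for key, n in sorted(hits_per_rule(SAMPLE_LOG).items()):
        print(n, *key)
    for rec in default_drops(SAMPLE_LOG):
        f = rec["fields"]
        print("default drop:", rec["ts"], f.get("PROTO"), f.get("SRC"), "->", f.get("DST"))
```

Feeding ``show log firewall bridge`` output through ``hits_per_rule`` gives the same per-rule view as the ``show firewall bridge`` counters, but with timestamps and addresses attached; a steadily growing ``default-drop`` count for a base chain is the usual sign that a legitimate flow is missing an explicit rule, while a custom chain whose ``default-log`` never fires may simply never be reached.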