1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
|
:lastproofread: 2021-06-29
.. _firewall:
########
Firewall
########
********
Overview
********
VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet
filtering.
The firewall supports the creation of groups for ports, addresses, and
networks (implemented using netfilter ipset) and the option of interface
or zone based firewall policy.
.. note:: **Important note on usage of terms:**
The firewall makes use of the terms `in`, `out`, and `local`
for firewall policy. Users experienced with netfilter often confuse
`in` to be a reference to the `INPUT` chain, and `out` the `OUTPUT`
chain from netfilter. This is not the case. These instead indicate
the use of the `FORWARD` chain and either the input or output
interface. The `INPUT` chain, which is used for local traffic to the
OS, is a reference to as `local` with respect to its input interface.
***************
Global settings
***************
Some firewall settings are global and have an affect on the whole system.
.. cfgcmd:: set firewall all-ping [enable | disable]
By default, when VyOS receives an ICMP echo request packet destined for
itself, it will answer with an ICMP echo reply, unless you avoid it
through its firewall.
With the firewall you can set rules to accept, drop or reject ICMP in,
out or local traffic. You can also use the general **firewall all-ping**
command. This command affects only to LOCAL (packets destined for your
VyOS system), not to IN or OUT traffic.
.. note:: **firewall all-ping** affects only to LOCAL and it always
behaves in the most restrictive way
.. code-block:: none
set firewall all-ping enable
When the command above is set, VyOS will answer every ICMP echo request
addressed to itself, but that will only happen if no other rule is
applied dropping or rejecting local echo requests. In case of conflict,
VyOS will not answer ICMP echo requests.
.. code-block:: none
set firewall all-ping disable
When the command above is set, VyOS will answer no ICMP echo request
addressed to itself at all, no matter where it comes from or whether
more specific rules are being applied to accept them.
.. cfgcmd:: set firewall broadcast-ping [enable | disable]
This setting enable or disable the response of icmp broadcast
messages. The following system parameter will be altered:
* ``net.ipv4.icmp_echo_ignore_broadcasts``
.. cfgcmd:: set firewall ip-src-route [enable | disable]
.. cfgcmd:: set firewall ipv6-src-route [enable | disable]
This setting handle if VyOS accept packets with a source route
option. The following system parameter will be altered:
* ``net.ipv4.conf.all.accept_source_route``
* ``net.ipv6.conf.all.accept_source_route``
.. cfgcmd:: set firewall receive-redirects [enable | disable]
.. cfgcmd:: set firewall ipv6-receive-redirects [enable | disable]
enable or disable of ICMPv4 or ICMPv6 redirect messages accepted
by VyOS. The following system parameter will be altered:
* ``net.ipv4.conf.all.accept_redirects``
* ``net.ipv6.conf.all.accept_redirects``
.. cfgcmd:: set firewall send-redirects [enable | disable]
enable or disable ICMPv4 redirect messages send by VyOS
The following system parameter will be altered:
* ``net.ipv4.conf.all.send_redirects``
.. cfgcmd:: set firewall log-martians [enable | disable]
enable or disable the logging of martian IPv4 packets.
The following system parameter will be altered:
* ``net.ipv4.conf.all.log_martians``
.. cfgcmd:: set firewall source-validation [strict | loose | disable]
Set the IPv4 source validation mode.
The following system parameter will be altered:
* ``net.ipv4.conf.all.rp_filter``
.. cfgcmd:: set firewall syn-cookies [enable | disable]
Enable or Disable if VyOS use IPv4 TCP SYN Cookies.
The following system parameter will be altered:
* ``net.ipv4.tcp_syncookies``
.. cfgcmd:: set firewall twa-hazards-protection [enable | disable]
Enable or Disable VyOS to be :rfc:`1337` conform.
The following system parameter will be altered:
* ``net.ipv4.tcp_rfc1337``
.. cfgcmd:: set firewall state-policy established action [accept | drop |
reject]
.. cfgcmd:: set firewall state-policy established log enable
Set the global setting for an established connection.
.. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject]
.. cfgcmd:: set firewall state-policy invalid log enable
Set the global setting for invalid packets.
.. cfgcmd:: set firewall state-policy related action [accept | drop | reject]
.. cfgcmd:: set firewall state-policy related log enable
Set the global setting for related connections.
******
Groups
******
Firewall groups represent collections of IP addresses, networks, ports,
mac addresses or domains. Once created, a group can be referenced by
firewall, nat and policy route rules as either a source or destination
matcher. Members can be added or removed from a group without changes to,
or the need to reload, individual firewall rules.
Groups need to have unique names. Even though some contain IPv4
addresses and others contain IPv6 addresses, they still need to have
unique names, so you may want to append "-v4" or "-v6" to your group
names.
Address Groups
==============
In an **address group** a single IP address or IP address ranges are
defined.
.. cfgcmd:: set firewall group address-group <name> address [address |
address range]
.. cfgcmd:: set firewall group ipv6-address-group <name> address <address>
Define a IPv4 or a IPv6 address group
.. code-block:: none
set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1
set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8
set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1
.. cfgcmd:: set firewall group address-group <name> description <text>
.. cfgcmd:: set firewall group ipv6-address-group <name> description <text>
Provide a IPv4 or IPv6 address group description
Network Groups
==============
While **network groups** accept IP networks in CIDR notation, specific
IP addresses can be added as a 32-bit prefix. If you foresee the need
to add a mix of addresses and networks, the network group is
recommended.
.. cfgcmd:: set firewall group network-group <name> network <CIDR>
.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR>
Define a IPv4 or IPv6 Network group.
.. code-block:: none
set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24
set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24
set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64
.. cfgcmd:: set firewall group network-group <name> description <text>
.. cfgcmd:: set firewall group ipv6-network-group <name> description <text>
Provide a IPv4 or IPv6 network group description.
Port Groups
===========
A **port group** represents only port numbers, not the protocol. Port
groups can be referenced for either TCP or UDP. It is recommended that
TCP and UDP groups are created separately to avoid accidentally
filtering unnecessary ports. Ranges of ports can be specified by using
`-`.
.. cfgcmd:: set firewall group port-group <name> port
[portname | portnumber | startport-endport]
Define a port group. A port name can be any name defined in
/etc/services. e.g.: http
.. code-block:: none
set firewall group port-group PORT-TCP-SERVER1 port http
set firewall group port-group PORT-TCP-SERVER1 port 443
set firewall group port-group PORT-TCP-SERVER1 port 5000-5010
.. cfgcmd:: set firewall group port-group <name> description <text>
Provide a port group description.
MAC Groups
==========
A **mac group** represents a collection of mac addresses.
.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address>
Define a mac group.
.. code-block:: none
set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f
set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81
Domain Groups
=============
A **domain group** represents a collection of domains.
.. cfgcmd:: set firewall group domain-group <name> address <domain>
Define a domain group.
.. code-block:: none
set firewall group domain-group DOM address example.com
*********
Rule-Sets
*********
A rule-set is a named collection of firewall rules that can be applied
to an interface or a zone. Each rule is numbered, has an action to apply
if the rule is matched, and the ability to specify the criteria to
match. Data packets go through the rules from 1 - 999999, at the first match
the action of the rule will be executed.
.. cfgcmd:: set firewall name <name> description <text>
.. cfgcmd:: set firewall ipv6-name <name> description <text>
Provide a rule-set description.
.. cfgcmd:: set firewall name <name> default-action [accept | drop | jump |
reject | return]
.. cfgcmd:: set firewall ipv6-name <name> default-action [accept | drop |
jump | reject | return]
This set the default action of the rule-set if no rule matched a packet
criteria. If defacult-action is set to ``jump``, then
``default-jump-target`` is also needed.
.. cfgcmd:: set firewall name <name> default-jump-target <text>
.. cfgcmd:: set firewall ipv6-name <name> default-jump-target <text>
To be used only when ``defult-action`` is set to ``jump``. Use this
command to specify jump target for default rule.
.. cfgcmd:: set firewall name <name> enable-default-log
.. cfgcmd:: set firewall ipv6-name <name> enable-default-log
Use this command to enable the logging of the default action.
.. cfgcmd:: set firewall name <name> rule <1-999999> action [accept | drop |
jump | reject | return]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [accept |
drop | jump | reject | return]
This required setting defines the action of the current rule. If action
is set to ``jump``, then ``jump-target`` is also needed.
.. cfgcmd:: set firewall name <name> rule <1-999999> jump-target <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> jump-target <text>
To be used only when ``action`` is set to ``jump``. Use this
command to specify jump target.
.. cfgcmd:: set firewall name <name> rule <1-999999> description <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> description <text>
Provide a description for each rule.
.. cfgcmd:: set firewall name <name> rule <1-999999> log [disable | enable]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable |
enable]
Enable or disable logging for the matched packet.
.. cfgcmd:: set firewall name <name> rule <1-999999> log-level [emerg |
alert | crit | err | warn | notice | info | debug]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-level [emerg |
alert | crit | err | warn | notice | info | debug]
Define log-level. Only applicable if rule log is enable.
.. cfgcmd:: set firewall name <name> rule <1-999999> disable
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable
If you want to disable a rule but let it in the configuration.
Matching criteria
=================
There are a lot of matching criteria against which the package can be tested.
.. cfgcmd:: set firewall name <name> rule <1-999999> connection-status nat
[destination | source]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-status
nat [destination | source]
Match criteria based on nat connection status.
.. cfgcmd:: set firewall name <name> rule <1-999999> source address
[address | addressrange | CIDR]
.. cfgcmd:: set firewall name <name> rule <1-999999> destination address
[address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address
[address | addressrange | CIDR]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination address
[address | addressrange | CIDR]
This is similar to the network groups part, but here you are able to negate
the matching addresses.
.. code-block:: none
set firewall name WAN-IN-v4 rule 100 source address 192.0.2.10-192.0.2.11
# with a '!' the rule match everything except the specified subnet
set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24
set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202
.. cfgcmd:: set firewall name <name> rule <1-999999> source address-mask
[address]
.. cfgcmd:: set firewall name <name> rule <1-999999> destination address-mask
[address]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address-mask
[address]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination
address-mask [address]
An arbitrary netmask can be applied to mask addresses to only match against
a specific portion. This is particularly useful with IPv6 and a zone-based
firewall as rules will remain valid if the IPv6 prefix changes and the host
portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses
<https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)
This functions for both individual addresses and address groups.
.. code-block:: none
# Match any IPv6 address with the suffix ::0000:0000:0000:beef
set firewall ipv6-name WAN-LAN-v6 rule 100 destination address ::beef
set firewall ipv6-name WAN-LAN-v6 rule 100 destination address-mask ::ffff:ffff:ffff:ffff
# Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet
set firewall name WAN-LAN-v4 rule 100 destination address 0.11.0.13
set firewall name WAN-LAN-v4 rule 100 destination address-mask 0.255.0.255
# Address groups
set firewall group ipv6-address-group WEBSERVERS address ::1000
set firewall group ipv6-address-group WEBSERVERS address ::2000
set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS
set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff
.. cfgcmd:: set firewall name <name> rule <1-999999> source fqdn <fqdn>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination fqdn <fqdn>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source fqdn <fqdn>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination fqdn
<fqdn>
Specify a Fully Qualified Domain Name as source/destination matcher. Ensure
router is able to resolve such dns query.
.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code
<country>
.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
country-code <country>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
inverse-match
.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
country-code <country>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
inverse-match
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
country-code <country>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
inverse-match
Match IP addresses based on its geolocation.
More info: `geoip matching
<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
Use inverse-match to match anything except the given country-codes.
Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
permits redistribution so we can include a database in images(~3MB
compressed). Includes cron script (manually callable by op-mode update
geoip) to keep database and rules updated.
.. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address
<mac-address>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source mac-address
<mac-address>
Only in the source criteria, you can specify a mac-address.
.. code-block:: none
set firewall name LAN-IN-v4 rule 100 source mac-address 00:53:00:11:22:33
set firewall name LAN-IN-v4 rule 101 source mac-address !00:53:00:aa:12:34
.. cfgcmd:: set firewall name <name> rule <1-999999> source port
[1-65535 | portname | start-end]
.. cfgcmd:: set firewall name <name> rule <1-999999> destination port
[1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source port
[1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination port
[1-65535 | portname | start-end]
A port can be set with a port number or a name which is here
defined: ``/etc/services``.
.. code-block:: none
set firewall name WAN-IN-v4 rule 10 source port '22'
set firewall name WAN-IN-v4 rule 11 source port '!http'
set firewall name WAN-IN-v4 rule 12 source port 'https'
Multiple source ports can be specified as a comma-separated list.
The whole list can also be "negated" using ``!``. For example:
.. code-block:: none
set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338'
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
address-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
address-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
address-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
address-group <name | !name>
Use a specific address-group. Prepend character ``!`` for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
network-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
network-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
network-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
network-group <name | !name>
Use a specific network-group. Prepend character ``!`` for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
port-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
port-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
port-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
port-group <name | !name>
Use a specific port-group. Prepend character ``!`` for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
domain-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
domain-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
domain-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
domain-group <name | !name>
Use a specific domain-group. Prepend character ``!`` for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
mac-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
mac-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
mac-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
mac-group <name | !name>
Use a specific mac-group. Prepend character ``!`` for inverted matching
criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> dscp [0-63 | start-end]
.. cfgcmd:: set firewall name <name> rule <1-999999> dscp-exclude [0-63 |
start-end]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp [0-63 |
start-end]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp-exclude [0-63 |
start-end]
Match based on dscp value.
.. cfgcmd:: set firewall name <name> rule <1-999999> fragment [match-frag |
match-non-frag]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> fragment [match-frag
| match-non-frag]
Match based on fragment criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> icmp [code | type]
<0-255>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 [code | type]
<0-255>
Match based on icmp|icmpv6 code and type.
.. cfgcmd:: set firewall name <name> rule <1-999999> icmp type-name <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 type-name
<text>
Match based on icmp|icmpv6 type-name criteria. Use tab for information
about what **type-name** criteria are supported.
.. cfgcmd:: set firewall name <name> rule <1-999999> inbound-interface
<iface>
.. cfgcmd:: set firewall name <name> rule <1-999999> outbound-interface
<iface>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> inbound-interface
<iface>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> outbound-interface
<iface>
Match based on inbound/outbound interface. Wilcard ``*`` can be used.
For example: ``eth2*``
.. cfgcmd:: set firewall name <name> rule <1-999999> ipsec [match-ipsec
| match-none]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> ipsec [match-ipsec
| match-none]
Match based on ipsec criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> limit burst
<0-4294967295>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit burst
<0-4294967295>
Match based on the maximum number of packets to allow in excess of rate.
.. cfgcmd:: set firewall name <name> rule <1-999999> limit rate
<text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit rate
<text>
Match based on the maximum average rate, specified as **integer/unit**.
For example **5/minutes**
.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length
<text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length
<text>
.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length-exclude
<text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length-exclude
<text>
Match based on packet length criteria. Multiple values from 1 to 65535
and ranges are supported.
.. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> |
<0-255> | all | tcp_udp]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> protocol [<text> |
<0-255> | all | tcp_udp]
Match a protocol criteria. A protocol number or a name which is here
defined: ``/etc/protocols``.
Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
based packets. The ``!`` negate the selected protocol.
.. code-block:: none
set firewall name WAN-IN-v4 rule 10 protocol tcp_udp
set firewall name WAN-IN-v4 rule 11 protocol !tcp_udp
set firewall ipv6-name WAN-IN-v6 rule 10 protocol tcp
.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
.. cfgcmd:: set firewall name <name> rule <1-999999> recent time
[second | minute | hour]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time
[second | minute | hour]
Match bases on recently seen sources.
.. cfgcmd:: set firewall name <name> rule <1-999999> tcp flags <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> tcp flags <text>
Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``,
``PSH``, ``ALL`` When specifying more than one flag, flags should be comma
separated. The ``!`` negate the selected protocol.
.. code-block:: none
set firewall name WAN-IN-v4 rule 10 tcp flags 'ACK'
set firewall name WAN-IN-v4 rule 12 tcp flags 'SYN'
set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST'
.. cfgcmd:: set firewall name <name> rule <1-999999> state [established |
invalid | new | related] [enable | disable]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> state [established |
invalid | new | related] [enable | disable]
Match against the state of a packet.
.. cfgcmd:: set firewall name <name> rule <1-999999> time startdate <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time startdate <text>
.. cfgcmd:: set firewall name <name> rule <1-999999> time starttime <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time starttime <text>
.. cfgcmd:: set firewall name <name> rule <1-999999> time stopdate <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stopdate <text>
.. cfgcmd:: set firewall name <name> rule <1-999999> time stoptime <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stoptime <text>
.. cfgcmd:: set firewall name <name> rule <1-999999> time weekdays <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time weekdays <text>
Time to match the defined rule.
.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255>
Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for
'greater than', and 'lt' stands for 'less than'.
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> hop-limit <eq | gt |
lt> <0-255>
Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
'greater than', and 'lt' stands for 'less than'.
.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second |
minute | hour>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second |
minute | hour>
Match when 'count' amount of connections are seen within 'time'. These
matching criteria can be used to block brute-force attempts.
***********************************
Applying a Rule-Set to an Interface
***********************************
A Rule-Set can be applied to every interface:
* ``in``: Ruleset for forwarded packets on an inbound interface
* ``out``: Ruleset for forwarded packets on an outbound interface
* ``local``: Ruleset for packets destined for this router
.. cfgcmd:: set firewall interface <interface> [in | out | local] [name |
ipv6-name] <rule-set>
Here are some examples for applying a rule-set to an interface
.. code-block:: none
set firewall interface eth1.100 in name LANv4-IN
set firewall interface eth1.100 out name LANv4-OUT
set firewall interface bond0 in name LANv4-IN
set firewall interface vtun1 in name LANv4-IN
set firewall interface eth2* in name LANv4-IN
.. note::
As you can see in the example here, you can assign the same rule-set to
several interfaces. An interface can only have one rule-set per chain.
.. note::
You can use wildcard ``*`` to match a group of interfaces.
***********************
Operation-mode Firewall
***********************
Rule-set overview
=================
.. opcmd:: show firewall
This will show you a basic firewall overview
.. code-block:: none
vyos@vyos:~$ show firewall
------------------------
Firewall Global Settings
------------------------
Firewall state-policy for all IPv4 and Ipv6 traffic
state action log
----- ------ ---
invalid accept disabled
established accept disabled
related accept disabled
-----------------------------
Rulesets Information
-----------------------------
--------------------------------------------------------------------------
IPv4 Firewall "DMZv4-1-IN":
Active on (eth0,IN)
rule action proto packets bytes
---- ------ ----- ------- -----
10 accept icmp 0 0
condition - saddr 10.1.0.0/24 daddr 0.0.0.0/0 LOG enabled
10000 drop all 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled
--------------------------------------------------------------------------
IPv4 Firewall "DMZv4-1-OUT":
Active on (eth0,OUT)
rule action proto packets bytes
---- ------ ----- ------- -----
10 accept tcp_udp 1 60
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-DST-PORT-GROUP DMZ-Ports /*
DMZv4-1-OUT-10 */LOG enabled
11 accept icmp 1 84
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* DMZv4-1-OUT-11 */LOG enabled
10000 drop all 6 360
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled
--------------------------------------------------------------------------
IPv4 Firewall "LANv4-IN":
Inactive - Not applied to any interfaces or zones.
rule action proto packets bytes
---- ------ ----- ------- -----
10 accept all 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* LANv4-IN-10 */
10000 drop all 0 0
condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
.. opcmd:: show firewall summary
This will show you a summary of rule-sets and groups
.. code-block:: none
vyos@vyos:~$ show firewall summary
------------------------
Firewall Global Settings
------------------------
Firewall state-policy for all IPv4 and Ipv6 traffic
state action log
----- ------ ---
invalid accept disabled
related accept disabled
established accept disabled
------------------------
Firewall Rulesets
------------------------
IPv4 name:
Rule-set name Description References
------------- ----------- ----------
DMZv4-1-OUT (eth0,OUT)
DMZv4-1-IN (eth0,IN)
------------------------
Firewall Groups
------------------------
Port Groups:
Group name Description References
---------- ----------- ----------
DMZ-Ports DMZv4-1-OUT-10-destination
Network Groups:
Group name Description References
---------- ----------- ----------
LANv4 LANv4-IN-10-source,
DMZv4-1-OUT-10-source,
DMZv4-1-OUT-11-source
.. opcmd:: show firewall statistics
This will show you a statistic of all rule-sets since the last boot.
.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>
This command will give an overview of a rule in a single rule-set
.. opcmd:: show firewall group <name>
Overview of defined groups. You see the type, the members, and where the
group is used.
.. code-block:: none
vyos@vyos:~$ show firewall group DMZ-Ports
Name : DMZ-Ports
Type : port
References : none
Members :
80
443
8080
8443
vyos@vyos:~$ show firewall group LANv4
Name : LANv4
Type : network
References : LANv4-IN-10-source
Members :
10.10.0.0/16
.. opcmd:: show firewall [name | ipv6name] <name>
This command will give an overview of a single rule-set.
.. opcmd:: show firewall [name | ipv6name] <name> statistics
This will show you a rule-set statistic since the last boot.
.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>
This command will give an overview of a rule in a single rule-set.
Zone-Policy Overview
====================
.. opcmd:: show zone-policy zone <name>
Use this command to get an overview of a zone.
.. code-block:: none
vyos@vyos:~$ show zone-policy zone DMZ
-------------------
Name: DMZ
Interfaces: eth0 eth1
From Zone:
name firewall
---- --------
LAN DMZv4-1-OUT
Show Firewall log
=================
.. opcmd:: show log firewall [name | ipv6name] <name>
Show the logs of a specific Rule-Set.
.. note::
At the moment it not possible to look at the whole firewall log with VyOS
operational commands. All logs will save to ``/var/logs/messages``.
For example: ``grep '10.10.0.10' /var/log/messages``
Example Partial Config
======================
.. code-block:: none
firewall {
interface eth0 {
in {
name FROM-INTERNET
}
}
all-ping enable
broadcast-ping disable
config-trap disable
group {
network-group BAD-NETWORKS {
network 198.51.100.0/24
network 203.0.113.0/24
}
network-group GOOD-NETWORKS {
network 192.0.2.0/24
}
port-group BAD-PORTS {
port 65535
}
}
name FROM-INTERNET {
default-action accept
description "From the Internet"
rule 10 {
action accept
description "Authorized Networks"
protocol all
source {
group {
network-group GOOD-NETWORKS
}
}
}
rule 11 {
action drop
description "Bad Networks"
protocol all
source {
group {
network-group BAD-NETWORKS
}
}
}
rule 30 {
action drop
description "BAD PORTS"
destination {
group {
port-group BAD-PORTS
}
}
log enable
protocol all
}
}
}
interfaces {
ethernet eth1 {
address dhcp
description OUTSIDE
duplex auto
}
}
Update geoip database
=====================
.. opcmd:: update geoip
Command used to update GeoIP database and firewall sets.
|