diff options
| author | Robert Göhler <github@ghlr.de> | 2022-11-27 21:44:33 +0100 | 
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-11-27 21:44:33 +0100 | 
| commit | c7c838ffa51e958acb31f3c38b504ff301a7c9ba (patch) | |
| tree | 826f9bbc33099e2c6277564be91aa8c463e00405 | |
| parent | a669e2d29353fba82c07d866ae5918f3bd5f6af5 (diff) | |
| parent | 7b7ea78ee2bb7205be1f2a8f817cd29974d73b72 (diff) | |
| download | vyos-documentation-c7c838ffa51e958acb31f3c38b504ff301a7c9ba.tar.gz vyos-documentation-c7c838ffa51e958acb31f3c38b504ff301a7c9ba.zip | |
Merge pull request #895 from nicolas-fort/fwall_update
Firewall update: add groups and note to firewall interface section
| -rw-r--r-- | docs/configuration/firewall/general.rst | 44 | 
1 files changed, 37 insertions, 7 deletions
| diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst index 42387864..a8d5c9c2 100644 --- a/docs/configuration/firewall/general.rst +++ b/docs/configuration/firewall/general.rst @@ -148,11 +148,11 @@ Some firewall settings are global and have an affect on the whole system.  Groups  ****** -Firewall groups represent collections of IP addresses, networks, or -ports. Once created, a group can be referenced by firewall rules as -either a source or destination. Members can be added or removed from a -group without changes to, or the need to reload, individual firewall -rules. +Firewall groups represent collections of IP addresses, networks, ports, +mac addresses or domains. Once created, a group can be referenced by  +firewall, nat and policy route rules as either a source or destination +matcher. Members can be added or removed from a group without changes to, +or the need to reload, individual firewall rules.  Groups need to have unique names. Even though some contain IPv4  addresses and others contain IPv6 addresses, they still need to have @@ -183,7 +183,6 @@ defined.     Provide a IPv4 or IPv6 address group description -  Network Groups  ============== @@ -208,7 +207,6 @@ recommended.     Provide a IPv4 or IPv6 network group description. -  Port Groups  =========== 
@@ -234,6 +232,34 @@ filtering unnecessary ports. Ranges of ports can be specified by using     Provide a port group description. +MAC Groups +========== + +A **mac group** represents a collection of mac addresses. + +.. cfgcmd::  set firewall group mac-group <name> mac-address <mac-address> + +   Define a mac group. + +.. code-block:: none + +      set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f +      set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81 + + +Domain Groups +============= + +A **domain group** represents a collection of domains. + +.. cfgcmd::  set firewall group domain-group <name> address <domain> + +   Define a domain group. + +.. code-block:: none + +      set firewall group domain-group DOM address example.com +  *********  Rule-Sets @@ -634,11 +660,15 @@ A Rule-Set can be applied to every interface:        set firewall interface eth1.100 out name LANv4-OUT        set firewall interface bond0 in name LANv4-IN        set firewall interface vtun1 in name LANv4-IN +      set firewall interface eth2* in name LANv4-IN     .. note::        As you can see in the example here, you can assign the same rule-set to        several interfaces. An interface can only have one rule-set per chain. +   .. note:: +      You can use wildcard ``*`` to match a group of interfaces. +  ***********************  Operation-mode Firewall  *********************** | 
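Review bot: in the @@ -148 hunk the rewritten Groups paragraph should capitalise "mac addresses" as "MAC addresses" and "nat" as "NAT", and the line ending "can be referenced by" carries trailing whitespace that should be stripped. The closing sentence also still says "individual firewall rules" even though the paragraph now states that groups are referenced by firewall, NAT and policy route rules; "individual rules" would cover all three. While here, the unchanged context line "have an affect on the whole system" should read "an effect".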
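Review bot: the new MAC Groups and Domain Groups sections in the @@ -234 hunk omit the description subcommand that the address, network and port group sections document ("Provide a port group description."); if mac-group and domain-group accept a description, add the matching cfgcmd entry, otherwise note the difference. The Domain Groups section should also state how the names are resolved, i.e. when DNS lookups happen and what the rule matches if resolution fails or the record changes, because that decides which traffic a rule referencing the group actually matches. Minor points: "mac group" and "mac addresses" should be "MAC", and both ".. cfgcmd::" directives have a double space after the "::".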
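Review bot: in the @@ -634 hunk the new wildcard example "set firewall interface eth2* in name LANv4-IN" sits next to the existing note "An interface can only have one rule-set per chain" without saying which wins when an interface matches both an explicit entry (for example "eth2") and a wildcard entry ("eth2*") on the same chain; the docs should state the precedence, and whether "*" also matches VLAN sub-interfaces such as "eth2.100". The added note "You can use wildcard ``*``" reads better as "You can use the wildcard ``*``".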
