diff options
| author | Christian Breunig <christian@breunig.cc> | 2024-08-04 16:18:11 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-08-04 16:18:11 +0200 |
| commit | 828caaac110b2171071057d8c8039568f5394523 (patch) | |
| tree | 9ccff7e425fbc0471db399a90c4a27e681dfd008 /docs/configuration/firewall/index.rst | |
| parent | 6b2069ebb2ebaa97abe86ad22a4fbbddbb36723b (diff) | |
| parent | 014e88d74f21ec2a6e9ec591c94d56d084f0e3ec (diff) | |
| download | vyos-documentation-828caaac110b2171071057d8c8039568f5394523.tar.gz vyos-documentation-828caaac110b2171071057d8c8039568f5394523.zip | |
Merge pull request #1512 from nicolas-fort/T4072-fwall-bri-docs
Extend firewall bridge documentation
Diffstat (limited to 'docs/configuration/firewall/index.rst')
| -rw-r--r-- | docs/configuration/firewall/index.rst | 30 |
1 files changed, 28 insertions, 2 deletions
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 58e3463b..3d1d1c08 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -92,14 +92,32 @@ packet is processed at the **IP Layer**: destination...``. If the interface where the packet was received is part of a bridge, then -the packet is processed at the **Bridge Layer**, which contains a basic setup for -bridge filtering: +the packet is processed at the **Bridge Layer**: + + * **Prerouting (Bridge)**: all packets that are received by the bridge are + processed in this stage, regardless of the destination of the packet. + First filters can be applied here, and/or also configure rules for + ignoring connection tracking system, and also apply policy routing using + ``set`` option while defining the rule. The relevant configuration that + acts in: + + * ``set firewall bridge prerouting filter ...``. * **Forward (Bridge)**: stage where traffic that is trespassing through the bridge is filtered and controlled: * ``set firewall bridge forward filter ...``. + * **Input (Bridge)**: stage where traffic destined for the bridge itself can + be filtered and controlled: + + * ``set firewall bridge input filter ...``. + + * **Output (Bridge)**: stage where traffic that originates from the bridge + itself can be filtered and controlled: + + * ``set firewall bridge output filter ...``. + The main structure of the VyOS firewall CLI is shown next: .. code-block:: none @@ -108,6 +126,14 @@ The main structure of the VyOS firewall CLI is shown next: * bridge - forward + filter + - input + + filter + - output + + filter + - prerouting + + filter + - name + + custom_name * flowtable - custom_flow_table + ... |