author | Nicolás Fort <95703796+nicolas-fort@users.noreply.github.com> | 2022-11-29 17:33:13 -0300
committer | GitHub <noreply@github.com> | 2022-11-29 21:33:13 +0100
commit | 683ef473f9a5f3a2d5c56abe36f46b8787d3f0c0 (patch)
tree | 1f1ebc38ca881340e7f4b36d87eb83989f8a7ee3 /docs/configuration/firewall
parent | 60686d7ee085e3c570434d9a0e020e1b335598ac (diff)
download | vyos-documentation-683ef473f9a5f3a2d5c56abe36f46b8787d3f0c0.tar.gz vyos-documentation-683ef473f9a5f3a2d5c56abe36f46b8787d3f0c0.zip
Fwall doc: update actions and matching criteria (#900)
* Update firewall docs: jump action added, dscp and interface matchers, source/destination fqdn
* Firewall: add dhcp and interface matchers. Add jump actions and fix special characters notation
Diffstat (limited to 'docs/configuration/firewall')
-rw-r--r-- | docs/configuration/firewall/general.rst | 92
1 files changed, 69 insertions, 23 deletions
diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst index a8d5c9c2..dc087018 100644 --- a/docs/configuration/firewall/general.rst +++ b/docs/configuration/firewall/general.rst 
@@ -276,24 +276,39 @@ the action of the rule will be executed. Provide a rule-set description. -.. cfgcmd:: set firewall name <name> default-action [drop | reject | accept] -.. cfgcmd:: set firewall ipv6-name <name> default-action [drop | reject | - accept] +.. cfgcmd:: set firewall name <name> default-action [accept | drop | jump | + reject | return] +.. cfgcmd:: set firewall ipv6-name <name> default-action [accept | drop | + jump | reject | return] This set the default action of the rule-set if no rule matched a packet - criteria. + criteria. If defacult-action is set to ``jump``, then + ``default-jump-target`` is also needed. + +.. cfgcmd:: set firewall name <name> default-jump-target <text> +.. cfgcmd:: set firewall ipv6-name <name> default-jump-target <text> + + To be used only when ``defult-action`` is set to ``jump``. Use this + command to specify jump target for default rule. .. cfgcmd:: set firewall name <name> enable-default-log .. cfgcmd:: set firewall ipv6-name <name> enable-default-log Use this command to enable the logging of the default action. -.. cfgcmd:: set firewall name <name> rule <1-999999> action [drop | reject | - accept] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [drop | - reject | accept] +.. cfgcmd:: set firewall name <name> rule <1-999999> action [accept | drop | + jump | reject | return] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [accept | + drop | jump | reject | return] - This required setting defines the action of the current rule. + This required setting defines the action of the current rule. If action + is set to ``jump``, then ``jump-target`` is also needed. + +.. cfgcmd:: set firewall name <name> rule <1-999999> jump-target <text> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> jump-target <text> + + To be used only when ``action`` is set to ``jump``. Use this + command to specify jump target. .. cfgcmd:: set firewall name <name> rule <1-999999> description <text> .. 
cfgcmd:: set firewall ipv6-name <name> rule <1-999999> description <text> @@ -324,9 +339,9 @@ Matching criteria There are a lot of matching criteria against which the package can be tested. .. cfgcmd:: set firewall name <name> rule <1-999999> connection-status nat - [destination | source] + [destination | source] .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-status - nat [destination | source] + nat [destination | source] Match criteria based on nat connection status. @@ -380,6 +395,15 @@ There are a lot of matching criteria against which the package can be tested. set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff +.. cfgcmd:: set firewall name <name> rule <1-999999> source fqdn <fqdn> +.. cfgcmd:: set firewall name <name> rule <1-999999> destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination fqdn + <fqdn> + + Specify a Fully Qualified Domain Name as source/destination matcher. Ensure + router is able to resolve such dns query. + .. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code <country> .. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match @@ -438,7 +462,7 @@ geoip) to keep database and rules updated. set firewall name WAN-IN-v4 rule 12 source port 'https' Multiple source ports can be specified as a comma-separated list. - The whole list can also be "negated" using '!'. For example: + The whole list can also be "negated" using ``!``. For example: .. code-block:: none 
@@ -453,7 +477,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group address-group <name | !name> - Use a specific address-group. Prepend character '!' for inverted matching + Use a specific address-group. Prepend character ``!`` for inverted matching criteria. .. cfgcmd:: set firewall name <name> rule <1-999999> source group @@ -465,7 +489,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group network-group <name | !name> - Use a specific network-group. Prepend character '!' for inverted matching + Use a specific network-group. Prepend character ``!`` for inverted matching criteria. .. cfgcmd:: set firewall name <name> rule <1-999999> source group @@ -477,7 +501,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group port-group <name | !name> - Use a specific port-group. Prepend character '!' for inverted matching + Use a specific port-group. Prepend character ``!`` for inverted matching criteria. .. cfgcmd:: set firewall name <name> rule <1-999999> source group @@ -489,7 +513,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group domain-group <name | !name> - Use a specific domain-group. Prepend character '!' for inverted matching + Use a specific domain-group. Prepend character ``!`` for inverted matching criteria. .. cfgcmd:: set firewall name <name> rule <1-999999> source group 
@@ -501,9 +525,19 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group mac-group <name | !name> - Use a specific mac-group. Prepend character '!' for inverted matching + Use a specific mac-group. Prepend character ``!`` for inverted matching criteria. +.. cfgcmd:: set firewall name <name> rule <1-999999> dscp [0-63 | start-end] +.. cfgcmd:: set firewall name <name> rule <1-999999> dscp-exclude [0-63 | + start-end] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp [0-63 | + start-end] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp-exclude [0-63 | + start-end] + + Match based on dscp value. + .. cfgcmd:: set firewall name <name> rule <1-999999> fragment [match-frag | match-non-frag] .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> fragment [match-frag @@ -525,6 +559,18 @@ geoip) to keep database and rules updated. Match based on icmp|icmpv6 type-name criteria. Use tab for information about what **type-name** criteria are supported. +.. cfgcmd:: set firewall name <name> rule <1-999999> inbound-interface + <iface> +.. cfgcmd:: set firewall name <name> rule <1-999999> outbound-interface + <iface> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> inbound-interface + <iface> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> outbound-interface + <iface> + + Match based on inbound/outbound interface. Wilcard ``*`` can be used. + For example: ``eth2*`` + .. cfgcmd:: set firewall name <name> rule <1-999999> ipsec [match-ipsec | match-none] .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> ipsec [match-ipsec @@ -795,7 +841,7 @@ Rule-set overview This will show you a statistic of all rule-sets since the last boot. -.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999> +.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999> This command will give an overview of a rule in a single rule-set 
@@ -823,15 +869,15 @@ Rule-set overview Members : 10.10.0.0/16 -.. opcmd:: show firewall [name | ipv6name] <name> +.. opcmd:: show firewall [name | ipv6name] <name> This command will give an overview of a single rule-set. -.. opcmd:: show firewall [name | ipv6name] <name> statistics +.. opcmd:: show firewall [name | ipv6name] <name> statistics This will show you a rule-set statistic since the last boot. -.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999> +.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999> This command will give an overview of a rule in a single rule-set. @@ -860,7 +906,7 @@ Zone-Policy Overview Show Firewall log ================= -.. opcmd:: show log firewall [name | ipv6name] <name> +.. opcmd:: show log firewall [name | ipv6name] <name> Show the logs of a specific Rule-Set. @@ -947,4 +993,4 @@ Update geoip database .. opcmd:: update geoip - Command used to update GeoIP database and firewall sets. + Command used to update GeoIP database and firewall sets.
\ No newline at end of file |
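Review bot: in the `@@ -276,24 +276,39 @@` hunk the added description text misspells the option name twice, `If defacult-action is set to` and `To be used only when ``defult-action`` is set`; both should read ``default-action`` so they match the cfgcmd line directly above. The same hunk adds `return` to both the `default-action` and the rule `action` lists but never says what `return` does; add one sentence describing it next to the `jump` / `jump-target` explanation, since a reader cannot tell from the option list alone whether `return` is a terminating verdict or hands control back to the rule-set that performed the `jump`. While touching this block, `This set the default action of the rule-set` should read `This sets the default action of the rule-set`.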
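Review bot: in the `@@ -380,6 +395,15 @@` hunk the new `source fqdn` / `destination fqdn` description says only `Ensure router is able to resolve such dns query`, which leaves the security-relevant part undocumented: when the name is resolved, how often it is re-resolved, and what the rule matches if resolution fails. State that explicitly, because a rule keyed on a name is only as reliable as the resolver the router uses and as fresh as its last lookup, and an operator reading this page needs to know whether a changed DNS record is picked up automatically. Also reword the sentence to `Ensure the router is able to resolve the name via DNS.`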
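Review bot: in the `@@ -501,9 +525,19 @@` hunk `Match based on dscp value.` does not define the `start-end` form or `dscp-exclude`; say that `start-end` is a range of DSCP values (and whether both ends are inclusive) and that `dscp-exclude` matches every value except the given one or range, and write DSCP in capitals as elsewhere on the page. Note also that the commit message line `Firewall: add dhcp and interface matchers` says `dhcp` while this hunk adds the `dscp` matcher; the message should be corrected before merge so the history is searchable.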
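Review bot: in the `@@ -525,6 +559,18 @@` hunk `Wilcard ``*`` can be used.` should read `Wildcard ``*`` can be used.`, and the single example `eth2*` leaves open whether `*` is allowed only as a trailing suffix or anywhere in the name; state the allowed form, since an interface pattern that matches more interfaces than intended silently widens the rule's scope.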
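Review bot: the `@@ -324,9 +339,9 @@`, `@@ -795,7 +841,7 @@`, `@@ -823,15 +869,15 @@`, `@@ -860,7 +906,7 @@` and `@@ -947,4 +993,4 @@` hunks change only indentation, trailing whitespace and the missing newline at end of file, with no visible content difference between the `-` and `+` lines. Folding these in is fine, but the commit message should mention the whitespace cleanup so a reviewer does not search those lines for a documentation change that is not there.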