summaryrefslogtreecommitdiff
path: root/docs/configuration/firewall
diff options
context:
space:
mode:
authorNicolas Fort <nicolasfort1988@gmail.com>2022-06-14 09:46:50 -0300
committerNicolas Fort <nicolasfort1988@gmail.com>2022-06-14 10:20:40 -0300
commit49008adbef48b10e404b307309fc330b241022cf (patch)
tree8a9b640101c98fac2c7feae3cbccc3a315e7f132 /docs/configuration/firewall
parent72be7f58b240a0b364b2bd4a54b5e73a6da7fda3 (diff)
downloadvyos-documentation-49008adbef48b10e404b307309fc330b241022cf.tar.gz
vyos-documentation-49008adbef48b10e404b307309fc330b241022cf.zip
Firewall: Add firewall documentation
Diffstat (limited to 'docs/configuration/firewall')
-rw-r--r--docs/configuration/firewall/index.rst54
1 files changed, 37 insertions, 17 deletions
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index 55881b1b..0cbc60c8 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -264,7 +264,7 @@ the action of the rule will be executed.
.. cfgcmd:: set firewall name <name> rule <1-999999> action [drop | reject |
accept]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [drop | 
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [drop |
reject | accept]
This required setting defines the action of the current rule.
@@ -275,11 +275,18 @@ the action of the rule will be executed.
Provide a description for each rule.
.. cfgcmd:: set firewall name <name> rule <1-999999> log [disable | enable]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable |
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable |
enable]
Enable or disable logging for the matched packet.
+.. cfgcmd:: set firewall name <name> rule <1-999999> log-level [emerg |
+ alert | crit | err | warn | notice | info | debug]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-level [emerg |
+ alert | crit | err | warn | notice | info | debug]
+
+ Define log-level. Only applicable if rule log is enable.
+
.. cfgcmd:: set firewall name <name> rule <1-999999> disable
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable
@@ -355,37 +362,40 @@ There are a lot of matching criteria against which the package can be tested.
set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338'
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- address-group <name>
+ address-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- address-group <name>
+ address-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- address-group <name>
+ address-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- address-group <name>
+ address-group <name | !name>
- Use a specific address-group
+ Use a specific address-group. Prepend character '!' for inverted matching
+ criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- network-group <name>
+ network-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- network-group <name>
+ network-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- network-group <name>
+ network-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- network-group <name>
+ network-group <name | !name>
- Use a specific network-group
+ Use a specific network-group. Prepend character '!' for inverted matching
+ criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- port-group <name>
+ port-group <name | !name>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- port-group <name>
+ port-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- port-group <name>
+ port-group <name | !name>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- port-group <name>
+ port-group <name | !name>
- Use a specific port-group
+ Use a specific port-group. Prepend character '!' for inverted matching
+ criteria.
.. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> |
<0-255> | all | tcp_udp]
@@ -423,6 +433,16 @@ There are a lot of matching criteria against which the package can be tested.
Match against the state of a packet.
+.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255>
+
+ Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for
+ 'greater than', and 'lt' stands for 'less than'.
+
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> hop-limit <eq | gt |
+ lt> <0-255>
+
+ Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
+ 'greater than', and 'lt' stands for 'less than'.
***********************************
Applying a Rule-Set to an Interface