| Field | Value | Date |
|---|---|---|
| author | Nicolás Fort <95703796+nicolas-fort@users.noreply.github.com> | 2022-11-29 17:33:13 -0300 |
| committer | GitHub <noreply@github.com> | 2022-11-29 21:33:13 +0100 |
| commit | 683ef473f9a5f3a2d5c56abe36f46b8787d3f0c0 (patch) | |
| tree | 1f1ebc38ca881340e7f4b36d87eb83989f8a7ee3 /docs/configuration | |
| parent | 60686d7ee085e3c570434d9a0e020e1b335598ac (diff) | |
| download | vyos-documentation-683ef473f9a5f3a2d5c56abe36f46b8787d3f0c0.tar.gz vyos-documentation-683ef473f9a5f3a2d5c56abe36f46b8787d3f0c0.zip | |
Fwall doc: update actions and matching criteria (#900)
* Update firewall docs: jump action added, dscp and interface matchers, source/destination fqdn
* Firewall: add dhcp and interface matchers. Add jump actions and fix special-character notation
Diffstat (limited to 'docs/configuration')
| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | docs/configuration/firewall/general.rst | 92 |
1 files changed, 69 insertions, 23 deletions
| diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst index a8d5c9c2..dc087018 100644 --- a/docs/configuration/firewall/general.rst +++ b/docs/configuration/firewall/general.rst 
@@ -276,24 +276,39 @@ the action of the rule will be executed.     Provide a rule-set description. -.. cfgcmd:: set firewall name <name> default-action [drop | reject | accept] -.. cfgcmd:: set firewall ipv6-name <name> default-action [drop | reject | -   accept] +.. cfgcmd:: set firewall name <name> default-action [accept | drop | jump | +   reject | return] +.. cfgcmd:: set firewall ipv6-name <name> default-action [accept | drop | +   jump | reject | return]     This set the default action of the rule-set if no rule matched a packet -   criteria. +   criteria. If defacult-action is set to ``jump``, then +   ``default-jump-target`` is also needed. + +.. cfgcmd:: set firewall name <name> default-jump-target <text> +.. cfgcmd:: set firewall ipv6-name <name> default-jump-target <text> + +   To be used only when ``defult-action`` is set to ``jump``. Use this +   command to specify jump target for default rule.  .. cfgcmd:: set firewall name <name> enable-default-log  .. cfgcmd:: set firewall ipv6-name <name> enable-default-log     Use this command to enable the logging of the default action. -.. cfgcmd:: set firewall name <name> rule <1-999999> action [drop | reject | -   accept] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [drop | -   reject | accept] +.. cfgcmd:: set firewall name <name> rule <1-999999> action [accept | drop | +   jump | reject | return] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [accept | +   drop | jump | reject | return] -   This required setting defines the action of the current rule. +   This required setting defines the action of the current rule. If action +   is set to ``jump``, then ``jump-target`` is also needed. + +.. cfgcmd:: set firewall name <name> rule <1-999999> jump-target <text> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> jump-target <text> + +   To be used only when ``action`` is set to ``jump``. Use this +   command to specify jump target.  .. 
cfgcmd:: set firewall name <name> rule <1-999999> description <text>  .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> description <text> @@ -324,9 +339,9 @@ Matching criteria  There are a lot of matching criteria against which the package can be tested.  .. cfgcmd:: set firewall name <name> rule <1-999999> connection-status nat -   [destination | source] +   [destination | source]  .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-status -   nat [destination | source] +   nat [destination | source]     Match criteria based on nat connection status. @@ -380,6 +395,15 @@ There are a lot of matching criteria against which the package can be tested.        set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS        set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff +.. cfgcmd:: set firewall name <name> rule <1-999999> source fqdn <fqdn> +.. cfgcmd:: set firewall name <name> rule <1-999999> destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination fqdn +   <fqdn> + +   Specify a Fully Qualified Domain Name as source/destination matcher. Ensure +   router is able to resolve such dns query. +  .. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code     <country>  .. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match @@ -438,7 +462,7 @@ geoip) to keep database and rules updated.        set firewall name WAN-IN-v4 rule 12 source port 'https'     Multiple source ports can be specified as a comma-separated list. -   The whole list can also be "negated" using '!'. For example: +   The whole list can also be "negated" using ``!``. For example:     .. code-block:: none 
@@ -453,7 +477,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group     address-group <name | !name> -   Use a specific address-group. Prepend character '!' for inverted matching +   Use a specific address-group. Prepend character ``!`` for inverted matching     criteria.  .. cfgcmd:: set firewall name <name> rule <1-999999> source group @@ -465,7 +489,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group     network-group <name | !name> -   Use a specific network-group. Prepend character '!' for inverted matching +   Use a specific network-group. Prepend character ``!`` for inverted matching     criteria.  .. cfgcmd:: set firewall name <name> rule <1-999999> source group @@ -477,7 +501,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group     port-group <name | !name> -   Use a specific port-group. Prepend character '!' for inverted matching +   Use a specific port-group. Prepend character ``!`` for inverted matching     criteria.  .. cfgcmd:: set firewall name <name> rule <1-999999> source group @@ -489,7 +513,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group     domain-group <name | !name> -   Use a specific domain-group. Prepend character '!' for inverted matching +   Use a specific domain-group. Prepend character ``!`` for inverted matching     criteria.  .. cfgcmd:: set firewall name <name> rule <1-999999> source group 
@@ -501,9 +525,19 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group     mac-group <name | !name> -   Use a specific mac-group. Prepend character '!' for inverted matching +   Use a specific mac-group. Prepend character ``!`` for inverted matching     criteria. +.. cfgcmd:: set firewall name <name> rule <1-999999> dscp [0-63 | start-end] +.. cfgcmd:: set firewall name <name> rule <1-999999> dscp-exclude [0-63 | +   start-end] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp [0-63 | +   start-end] +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp-exclude [0-63 | +   start-end] + +   Match based on dscp value. +  .. cfgcmd:: set firewall name <name> rule <1-999999> fragment [match-frag |     match-non-frag]  .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> fragment [match-frag @@ -525,6 +559,18 @@ geoip) to keep database and rules updated.     Match based on icmp|icmpv6 type-name criteria. Use tab for information     about what **type-name** criteria are supported. +.. cfgcmd:: set firewall name <name> rule <1-999999> inbound-interface +   <iface> +.. cfgcmd:: set firewall name <name> rule <1-999999> outbound-interface +   <iface> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> inbound-interface +   <iface> +.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> outbound-interface +   <iface> + +   Match based on inbound/outbound interface. Wilcard ``*`` can be used. +   For example: ``eth2*`` +  .. cfgcmd:: set firewall name <name> rule <1-999999> ipsec [match-ipsec     | match-none]  .. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> ipsec [match-ipsec 
@@ -795,7 +841,7 @@ Rule-set overview     This will show you a statistic of all rule-sets since the last boot. -.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999> +.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>     This command will give an overview of a rule in a single rule-set @@ -823,15 +869,15 @@ Rule-set overview        Members    :                    10.10.0.0/16 -.. opcmd:: show firewall [name | ipv6name] <name> +.. opcmd:: show firewall [name | ipv6name] <name>     This command will give an overview of a single rule-set. -.. opcmd:: show firewall [name | ipv6name] <name> statistics +.. opcmd:: show firewall [name | ipv6name] <name> statistics     This will show you a rule-set statistic since the last boot. -.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999> +.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>     This command will give an overview of a rule in a single rule-set. @@ -860,7 +906,7 @@ Zone-Policy Overview  Show Firewall log  ================= -.. opcmd:: show log firewall [name | ipv6name] <name> +.. opcmd:: show log firewall [name | ipv6name] <name>     Show the logs of a specific Rule-Set. @@ -947,4 +993,4 @@ Update geoip database  .. opcmd:: update geoip -   Command used to update GeoIP database and firewall sets. +   Command used to update GeoIP database and firewall sets.
\ No newline at end of file | 
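Review bot: two typos in the new default-action text of the @@ -276,24 +276,39 @@ hunk: "If defacult-action is set to ``jump``" and "To be used only when ``defult-action`` is set to ``jump``" should both read ``default-action``. The same hunk adds ``return`` to both action lists but never says what it does; add one sentence on its effect (and on what happens when it is used in a rule-set that was not entered via ``jump``). It should also state what ``jump-target`` and ``default-jump-target`` must refer to, since ``<text>`` gives no hint that the value is an existing rule-set name rather than free text, nor whether a ``name`` rule-set may jump to an ``ipv6-name`` one; using the ``<name>`` placeholder already used elsewhere in the file would make that clearer.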
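Review bot: the fqdn matcher text in the @@ -380,6 +395,15 @@ hunk ("Ensure router is able to resolve such dns query.") needs a grammar fix and, more importantly, the operational detail a reader will need: it does not say when the name is resolved (at commit, on a refresh interval) or what the rule matches when the lookup fails or returns several addresses. That matters for policy: an accept or drop rule keyed on a name that silently stops matching changes the effective rule-set without any configuration change, so the failure behaviour should be stated explicitly. Suggested opening: "Match on the addresses a Fully Qualified Domain Name resolves to. The router must be able to resolve the name; ..." followed by the refresh and failure semantics.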
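Review bot: "Match based on dscp value." in the @@ -501,9 +525,19 @@ hunk does not explain the ``start-end`` range form or what ``dscp-exclude`` does, which is the point of adding four commands. Suggest: "Match on the packet's DSCP value, either a single value ``0-63`` or an inclusive range ``start-end``. ``dscp-exclude`` matches packets whose DSCP value is *not* the given value or range." A short ``.. code-block:: none`` example with one ``dscp`` and one ``dscp-exclude`` rule, as the ports and address-group entries already have, would also help.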
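Review bot: "Wilcard" in the @@ -525,6 +559,18 @@ hunk should be "Wildcard", and the description should say what ``*`` expands to: ``eth2*`` reads as a prefix match, but the reader cannot tell whether it also covers ``eth20`` or VLAN sub-interfaces such as ``eth2.100``, or whether ``*`` is allowed anywhere other than at the end. Interface matchers are typically used as trust boundaries, so an unexpectedly broad match is a policy bug; spell out the matching rule next to the example.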
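Review bot: the final @@ -947,4 +993,4 @@ hunk only strips trailing whitespace from the last line but also drops the file's terminating newline (``\ No newline at end of file``); restore the trailing newline so the next edit to this file does not produce a spurious diff on that line.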
