| Field | Value | Date |
|---|---|---|
| author | Christian Breunig <christian@breunig.cc> | 2024-01-12 17:25:32 +0100 |
| committer | GitHub <noreply@github.com> | 2024-01-12 17:25:32 +0100 |
| commit | bbf1ecdef25c9ee12d89ed7a1644bfaa067b9034 (patch) | |
| tree | 52541968f9d8bd7f5d55a33d1509cba9cceb1463 /docs | |
| parent | 9ccf8010addb66b825463a58cc5547aad2ee6301 (diff) | |
| parent | 85ef13b14fa37b8780f6e6c8220bc54366c72741 (diff) | |
| download | vyos-documentation-bbf1ecdef25c9ee12d89ed7a1644bfaa067b9034.tar.gz vyos-documentation-bbf1ecdef25c9ee12d89ed7a1644bfaa067b9034.zip | |
Merge pull request #1238 from nicolas-fort/fwall-multiple-updates
Add opmode commands for firewall zones, and add global state-policies…
Diffstat (limited to 'docs')
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | docs/configuration/firewall/zone.rst | 38 |
| -rw-r--r-- | docs/quick-start.rst | 31 |
2 files changed, 61 insertions, 8 deletions
| diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index 1ab9c630..059b029d 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst @@ -123,3 +123,41 @@ written from the perspective of: *Source Zone*-to->*Destination Zone*        set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4        set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4 +************** +Operation-mode +************** + +.. opcmd:: show firewall zone-policy + +   This will show you a basic summary of zones configuration. + +   .. code-block:: none + +      vyos@vyos:~$ show firewall zone-policy +      Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6 +      ------  ------------  -----------  ---------------  --------------- +      LAN     eth1          WAN          WAN_to_LAN +              eth2 +      LOCAL   LOCAL         LAN          LAN_to_LOCAL +                            WAN          WAN_to_LOCAL     WAN_to_LOCAL_v6 +      WAN     eth3          LAN          LAN_to_WAN +              eth0          LOCAL        LOCAL_to_WAN +      vyos@vyos:~$ + +.. opcmd:: show firewall zone-policy zone <zone> + +   This will show you a basic summary of a particular zone. + +   .. code-block:: none + +      vyos@vyos:~$ show firewall zone-policy zone WAN +      Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6 +      ------  ------------  -----------  ---------------  --------------- +      WAN     eth3          LAN          LAN_to_WAN +              eth0          LOCAL        LOCAL_to_WAN +      vyos@vyos:~$ show firewall zone-policy zone LOCAL +      Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6 +      ------  ------------  -----------  ---------------  --------------- +      LOCAL   LOCAL         LAN          LAN_to_LOCAL +                            WAN          WAN_to_LOCAL     WAN_to_LOCAL_v6 +      vyos@vyos:~$ 
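Review bot: the description of `show firewall zone-policy` in the new zone.rst section has a grammar slip ("summary of zones configuration"); suggest `This will show you a basic summary of the zone configuration.` Both opcmd descriptions would also benefit from one sentence explaining the output columns, since the sample shows that `Firewall IPv4` and `Firewall IPv6` list the ruleset applied for each `From Zone` and that the IPv6 column stays empty where no IPv6 ruleset is attached (only `WAN` to `LOCAL` shows `WAN_to_LOCAL_v6` in the example), so a reader knows an empty cell means "no ruleset", not "all traffic allowed".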
diff --git a/docs/quick-start.rst b/docs/quick-start.rst index 05e278ad..cf930bdd 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -142,7 +142,7 @@ networks, addresses, ports, and domains that describe different parts of  our network. We can then use them for filtering within our firewall rulesets,  allowing for more concise and readable configuration. -In this case, we will create two interface groups—a ``WAN`` group for our +In this case, we will create two interface groups — a ``WAN`` group for our  interfaces connected to the public internet and a ``LAN`` group for the  interfaces connected to our internal network. Additionally, we will create a  network group, ``NET-INSIDE-v4``, that contains our internal subnet. 
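Review bot: the only change in this hunk is adding spaces around the em dash in `interface groups — a ``WAN`` group`, which is unrelated to the opmode commands and global state policies named in the commit message; either drop this whitespace change from the PR or call it out in the description so reviewers do not have to guess whether it is intentional.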
@@ -157,10 +157,26 @@ Configure Stateful Packet Filtering  -----------------------------------  With the new firewall structure, we have have a lot of flexibility in how we -group and order our rules, as shown by the two alternative approaches below. +group and order our rules, as shown by the three alternative approaches below. -Option 1: Common Chain -^^^^^^^^^^^^^^^^^^^^^^ +Option 1: Global State Policies +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Using options defined in ``set firewall global-options state-policy``, state +policy rules that applies for both IPv4 and IPv6 are created. These global +state policies also applies for all traffic that passes through the router +(transit) and for traffic originated/destinated to/from the router itself, and +will be avaluated before any other rule defined in the firewall. + +Most installations would choose this option, and will contain: + +.. code-block:: none + +  set firewall global-options state-policy established action accept +  set firewall global-options state-policy related action accept +  set firewall global-options state-policy invalid action drop + +Option 2: Common/Custom Chain +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^  We can create a common chain for stateful connection filtering of multiple  interfaces (or multiple netfilter hooks on one interface). Those individual @@ -197,12 +213,11 @@ hooks as the first filtering rule in the respective chains:    set firewall ipv4 input filter rule 10 action 'jump'    set firewall ipv4 input filter rule 10 jump-target CONN_FILTER -Option 2: Per-Hook Chain +Option 3: Per-Hook Chain  ^^^^^^^^^^^^^^^^^^^^^^^^ -Alternatively, instead of configuring the ``CONN_FILTER`` chain described above, -you can take the more traditional stateful connection filtering approach by -creating rules on each hook's chain: +Alternatively, you can take the more traditional stateful connection +filtering approach by creating rules on each base hook's chain:  .. code-block:: none | 
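Review bot: the new "Option 1: Global State Policies" paragraph in the `@@ -157,10 +157,26 @@` hunk has several grammar and spelling errors that should be fixed before merge: "state policy rules that applies" should be "apply", "These global state policies also applies" should be "apply", "originated/destinated to/from the router itself" reads better as "originating from or destined to the router itself", and "avaluated" should be "evaluated". The lead-in "Most installations would choose this option, and will contain:" is also awkward; suggest "Most installations would choose this option, with a configuration such as:". Since this hunk already touches the surrounding lines, the pre-existing duplicated word in the context line "we have have a lot of flexibility" could be fixed in the same change.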
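Review bot: in the `@@ -197,12 +213,11 @@` hunk, the rewritten intro for "Option 3: Per-Hook Chain" drops the old wording "instead of configuring the ``CONN_FILTER`` chain described above" and now just says "Alternatively", which no longer makes clear that this option replaces Options 1 and 2 rather than supplementing them. Since the new Option 1 text states that global state policies are evaluated before any other firewall rule, per-hook established/related/invalid rules configured alongside them would never be reached; suggest "Alternatively, instead of Option 1 or 2, you can take the more traditional stateful connection filtering approach by creating rules on each base hook's chain:" so readers do not configure both.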
