path: root/docs/configuration/firewall/ipv4.rst
Diffstat (limited to 'docs/configuration/firewall/ipv4.rst')
-rw-r--r--docs/configuration/firewall/ipv4.rst1145
1 files changed, 1145 insertions, 0 deletions
diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst
new file mode 100644
index 00000000..3fd365e1
--- /dev/null
+++ b/docs/configuration/firewall/ipv4.rst
@@ -0,0 +1,1145 @@
+:lastproofread: 2023-11-08
+
+.. _firewall-ipv4-configuration:
+
+###########################
+IPv4 Firewall Configuration
+###########################
+
+********
+Overview
+********
+
+In this section there's useful information of all firewall configuration that
+can be done regarding IPv4, and appropiate op-mode commands.
+Configuration commands covered in this section:
+
+.. cfgcmd:: set firewall ipv4 ...
+
+From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>`
+in this section you can find detailed information only for the next part
+of the general structure:
+
+.. code-block:: none
+
+ - set firewall
+ * ipv4
+ - forward
+ + filter
+ - input
+ + filter
+ - output
+ + filter
+ - name
+ + custom_name
+
+For transit traffic, which is received by the router and forwarded, base chain
+is **forward**. A simplified packet flow diagram for transit traffic is shown
+next:
+
+.. figure:: /_static/images/firewall-fwd-packet-flow.png
+
+Where firewall base chain to configure firewall filtering rules for transit
+traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5,
+highlightened with red color.
+
+For traffic towards the router itself, base chain is **input**, while traffic
+originated by the router, base chain is **output**.
+A new simplified packet flow diagram is shown next, which shows the path
+for traffic destinated to the router itself, and traffic generated by the
+router (starting from circle number 6):
+
+.. figure:: /_static/images/firewall-input-packet-flow.png
+
+Base chain is for traffic toward the router is ``set firewall ipv4 input
+filter ...``
+
+And base chain for traffic generated by the router is ``set firewall ipv4
+output filter ...``
+
+.. note:: **Important note about default-actions:**
+ If default action for any base chain is not defined, then the default
+ action is set to **accept** for that chain. For custom chains, if default
+ action is not defined, then the default-action is set to **drop**
+
+Custom firewall chains can be created, with commands
+``set firewall ipv4 name <name> ...``. In order to use
+such custom chain, a rule with **action jump**, and the appropiate **target**
+should be defined in a base chain.
+
+*********************
+Firewall - IPv4 Rules
+*********************
+
+For firewall filtering, firewall rules needs to be created. Each rule is
+numbered, has an action to apply if the rule is matched, and the ability
+to specify multiple criteria matchers. Data packets go through the rules
+from 1 - 999999, so order is crucial. At the first match the action of the
+rule will be executed.
+
+Actions
+=======
+
+If a rule is defined, then an action must be defined for it. This tells the
+firewall what to do if all criteria matchers defined for such rule do match.
+
+The action can be :
+
+ * ``accept``: accept the packet.
+
+ * ``continue``: continue parsing next rule.
+
+ * ``drop``: drop the packet.
+
+ * ``reject``: reject the packet.
+
+ * ``jump``: jump to another custom chain.
+
+ * ``return``: Return from the current chain and continue at the next rule
+ of the last chain.
+
+ * ``queue``: Enqueue packet to userspace.
+
+ * ``synproxy``: synproxy the packet.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> action
+ [accept | continue | drop | jump | queue | reject | return | synproxy]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> action
+ [accept | continue | drop | jump | queue | reject | return | synproxy]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> action
+ [accept | continue | drop | jump | queue | reject | return]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action
+ [accept | continue | drop | jump | queue | reject | return]
+
+ This required setting defines the action of the current rule. If action is
+ set to jump, then jump-target is also needed.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ jump-target <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ jump-target <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ jump-target <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ jump-target <text>
+
+ To be used only when action is set to jump. Use this command to specify
+ jump target.
+
+Also, **default-action** is an action that takes place whenever a packet does
+not match any rule in it's chain. For base chains, possible options for
+**default-action** are **accept** or **drop**.
+
+.. cfgcmd:: set firewall ipv4 forward filter default-action
+ [accept | drop]
+.. cfgcmd:: set firewall ipv4 input filter default-action
+ [accept | drop]
+.. cfgcmd:: set firewall ipv4 output filter default-action
+ [accept | drop]
+.. cfgcmd:: set firewall ipv4 name <name> default-action
+ [accept | drop | jump | queue | reject | return]
+
+ This set the default action of the rule-set if no rule matched a packet
+ criteria. If defacult-action is set to ``jump``, then
+ ``default-jump-target`` is also needed. Note that for base chains, default
+ action can only be set to ``accept`` or ``drop``, while on custom chain,
+ more actions are available.
+
+.. cfgcmd:: set firewall ipv4 name <name> default-jump-target <text>
+
+ To be used only when ``defult-action`` is set to ``jump``. Use this
+ command to specify jump target for default rule.
+
+.. note:: **Important note about default-actions:**
+ If default action for any base chain is not defined, then the default
+ action is set to **accept** for that chain. For custom chains, if default
+ action is not defined, then the default-action is set to **drop**
+
+Firewall Logs
+=============
+
+Logging can be enable for every single firewall rule. If enabled, other
+log options can be defined.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log
+ [disable | enable]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> log
+ [disable | enable]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> log
+ [disable | enable]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log
+ [disable | enable]
+
+ Enable or disable logging for the matched packet.
+
+.. cfgcmd:: set firewall ipv4 forward filter enable-default-log
+.. cfgcmd:: set firewall ipv4 input filter enable-default-log
+.. cfgcmd:: set firewall ipv4 output filter enable-default-log
+.. cfgcmd:: set firewall ipv4 name <name> enable-default-log
+
+ Use this command to enable the logging of the default action on
+ the specified chain.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ log-options level [emerg | alert | crit | err | warn | notice
+ | info | debug]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ log-options level [emerg | alert | crit | err | warn | notice
+ | info | debug]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ log-options level [emerg | alert | crit | err | warn | notice
+ | info | debug]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ log-options level [emerg | alert | crit | err | warn | notice
+ | info | debug]
+
+ Define log-level. Only applicable if rule log is enable.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ log-options group <0-65535>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ log-options group <0-65535>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ log-options group <0-65535>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ log-options group <0-65535>
+
+ Define log group to send message to. Only applicable if rule log is enable.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ log-options snapshot-length <0-9000>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ log-options snapshot-length <0-9000>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ log-options snapshot-length <0-9000>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ log-options snapshot-length <0-9000>
+
+ Define length of packet payload to include in netlink message. Only
+ applicable if rule log is enable and log group is defined.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ log-options queue-threshold <0-65535>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ log-options queue-threshold <0-65535>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ log-options queue-threshold <0-65535>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ log-options queue-threshold <0-65535>
+
+ Define number of packets to queue inside the kernel before sending them to
+ userspace. Only applicable if rule log is enable and log group is defined.
+
+Firewall Description
+====================
+
+For reference, a description can be defined for every single rule, and for
+every defined custom chain.
+
+.. cfgcmd:: set firewall ipv4 name <name> description <text>
+
+ Provide a rule-set description to a custom firewall chain.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ description <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ description <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ description <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> description <text>
+
+ Provide a description for each rule.
+
+Rule Status
+===========
+
+When defining a rule, it is enable by default. In some cases, it is useful to
+just disable the rule, rather than removing it.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> disable
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> disable
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> disable
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> disable
+
+ Command for disabling a rule but keep it in the configuration.
+
+Matching criteria
+=================
+
+There are a lot of matching criteria against which the package can be tested.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ connection-status nat [destination | source]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ connection-status nat [destination | source]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ connection-status nat [destination | source]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ connection-status nat [destination | source]
+
+ Match criteria based on nat connection status.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ connection-mark <1-2147483647>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ connection-mark <1-2147483647>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ connection-mark <1-2147483647>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ connection-mark <1-2147483647>
+
+ Match criteria based on connection mark.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source address [address | addressrange | CIDR]
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination address [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination address [address | addressrange | CIDR]
+
+ Match criteria based on source and/or destination address. This is similar
+ to the network groups part, but here you are able to negate the matching
+ addresses.
+
+ .. code-block:: none
+
+ set firewall ipv4 name FOO rule 50 source address 192.0.2.10-192.0.2.11
+ # with a '!' the rule match everything except the specified subnet
+ set firewall ipv4 input filter FOO rule 51 source address !203.0.113.0/24
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source address-mask [address]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source address-mask [address]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source address-mask [address]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source address-mask [address]
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination address-mask [address]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination address-mask [address]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination address-mask [address]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination address-mask [address]
+
+ An arbitrary netmask can be applied to mask addresses to only match against
+ a specific portion.
+
+ This functions for both individual addresses and address groups.
+
+ .. code-block:: none
+
+ # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet
+ set firewall ipv4 name FOO rule 100 destination address 0.11.0.13
+ set firewall ipv4 name FOO rule 100 destination address-mask 0.255.0.255
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source fqdn <fqdn>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source fqdn <fqdn>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source fqdn <fqdn>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source fqdn <fqdn>
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination fqdn <fqdn>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination fqdn <fqdn>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination fqdn <fqdn>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination fqdn <fqdn>
+
+ Specify a Fully Qualified Domain Name as source/destination matcher. Ensure
+ router is able to resolve such dns query.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source geoip country-code <country>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source geoip country-code <country>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source geoip country-code <country>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source geoip country-code <country>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination geoip country-code <country>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination geoip country-code <country>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination geoip country-code <country>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination geoip country-code <country>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source geoip inverse-match
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source geoip inverse-match
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source geoip inverse-match
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source geoip inverse-match
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination geoip inverse-match
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination geoip inverse-match
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination geoip inverse-match
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination geoip inverse-match
+
+ Match IP addresses based on its geolocation. More info: `geoip matching
+ <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
+ Use inverse-match to match anything except the given country-codes.
+
+Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
+permits redistribution so we can include a database in images(~3MB
+compressed). Includes cron script (manually callable by op-mode update
+geoip) to keep database and rules updated.
+
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source mac-address <mac-address>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source mac-address <mac-address>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source mac-address <mac-address>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source mac-address <mac-address>
+
+ Only in the source criteria, you can specify a mac-address.
+
+ .. code-block:: none
+
+ set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33
+ set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34
+
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source port [1-65535 | portname | start-end]
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination port [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination port [1-65535 | portname | start-end]
+
+ A port can be set with a port number or a name which is here
+ defined: ``/etc/services``.
+
+ .. code-block:: none
+
+ set firewall ipv4 forward filter rule 10 source port '22'
+ set firewall ipv4 forward filter rule 11 source port '!http'
+ set firewall ipv4 forward filter rule 12 source port 'https'
+
+ Multiple source ports can be specified as a comma-separated list.
+ The whole list can also be "negated" using ``!``. For example:
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source group address-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source group address-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source group address-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source group address-group <name | !name>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination group address-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination group address-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination group address-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination group address-group <name | !name>
+
+ Use a specific address-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source group network-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source group network-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source group network-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source group network-group <name | !name>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination group network-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination group network-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination group network-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination group network-group <name | !name>
+
+ Use a specific network-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source group port-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source group port-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source group port-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source group port-group <name | !name>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination group port-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination group port-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination group port-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination group port-group <name | !name>
+
+ Use a specific port-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source group domain-group <name | !name>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination group domain-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination group domain-group <name | !name>
+
+ Use a specific domain-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ source group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ source group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ source group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ source group mac-group <name | !name>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ destination group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ destination group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ destination group mac-group <name | !name>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ destination group mac-group <name | !name>
+
+ Use a specific mac-group. Prepend character ``!`` for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ dscp [0-63 | start-end]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ dscp [0-63 | start-end]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ dscp [0-63 | start-end]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ dscp [0-63 | start-end]
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ dscp-exclude [0-63 | start-end]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ dscp-exclude [0-63 | start-end]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ dscp-exclude [0-63 | start-end]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ dscp-exclude [0-63 | start-end]
+
+ Match based on dscp value.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ fragment [match-frag | match-non-frag]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ fragment [match-frag | match-non-frag]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ fragment [match-frag | match-non-frag]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ fragment [match-frag | match-non-frag]
+
+ Match based on fragment criteria.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ icmp [code | type] <0-255>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ icmp [code | type] <0-255>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ icmp [code | type] <0-255>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ icmp [code | type] <0-255>
+
+ Match based on icmp code and type.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ icmp type-name <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ icmp type-name <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ icmp type-name <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ icmp type-name <text>
+
+ Match based on icmp type-name criteria. Use tab for information
+ about what **type-name** criteria are supported.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ inbound-interface name <iface>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ inbound-interface name <iface>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ inbound-interface name <iface>
+
+ Match based on inbound interface. Wilcard ``*`` can be used.
+ For example: ``eth2*``. Prepending character ``!`` for inverted matching
+ criteria is also supportd. For example ``!eth2``
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ inbound-interface group <iface_group>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ inbound-interface group <iface_group>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ inbound-interface group <iface_group>
+
+ Match based on inbound interface group. Prepending character ``!`` for
+ inverted matching criteria is also supportd. For example ``!IFACE_GROUP``
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ outbound-interface name <iface>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ outbound-interface name <iface>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ outbound-interface name <iface>
+
+ Match based on outbound interface. Wilcard ``*`` can be used.
+ For example: ``eth2*``. Prepending character ``!`` for inverted matching
+ criteria is also supportd. For example ``!eth2``
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ outbound-interface group <iface_group>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ outbound-interface group <iface_group>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ outbound-interface group <iface_group>
+
+ Match based on outbound interface group. Prepending character ``!`` for
+ inverted matching criteria is also supportd. For example ``!IFACE_GROUP``
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ ipsec [match-ipsec | match-none]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ ipsec [match-ipsec | match-none]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ ipsec [match-ipsec | match-none]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ ipsec [match-ipsec | match-none]
+
+ Match based on ipsec criteria.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ limit burst <0-4294967295>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ limit burst <0-4294967295>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ limit burst <0-4294967295>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ limit burst <0-4294967295>
+
+ Match based on the maximum number of packets to allow in excess of rate.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ limit rate <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ limit rate <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ limit rate <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ limit rate <text>
+
+ Match based on the maximum average rate, specified as **integer/unit**.
+ For example **5/minutes**
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ packet-length <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ packet-length <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ packet-length <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ packet-length <text>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ packet-length-exclude <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ packet-length-exclude <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ packet-length-exclude <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ packet-length-exclude <text>
+
+ Match based on packet length criteria. Multiple values from 1 to 65535
+ and ranges are supported.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ packet-type [broadcast | host | multicast | other]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ packet-type [broadcast | host | multicast | other]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ packet-type [broadcast | host | multicast | other]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ packet-type [broadcast | host | multicast | other]
+
+ Match based on packet type criteria.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ protocol [<text> | <0-255> | all | tcp_udp]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ protocol [<text> | <0-255> | all | tcp_udp]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ protocol [<text> | <0-255> | all | tcp_udp]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ protocol [<text> | <0-255> | all | tcp_udp]
+
+ Match a protocol criteria. A protocol number or a name which is here
+ defined: ``/etc/protocols``.
+ Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
+ based packets. The ``!`` negate the selected protocol.
+
+ .. code-block:: none
+
+ set firewall ipv4 forward fitler rule 10 protocol tcp_udp
+ set firewall ipv4 forward fitler rule 11 protocol !tcp_udp
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ recent count <1-255>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ recent time [second | minute | hour]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ recent time [second | minute | hour]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ recent time [second | minute | hour]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ recent time [second | minute | hour]
+
+ Match bases on recently seen sources.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ tcp flags [not] <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ tcp flags [not] <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ tcp flags [not] <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ tcp flags [not] <text>
+
+ Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``,
+ ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for
+ inverted selection use ``not``, as shown in the example.
+
+ .. code-block:: none
+
+ set firewall ipv4 input filter rule 10 tcp flags 'ack'
+ set firewall ipv4 input filter rule 12 tcp flags 'syn'
+ set firewall ipv4 input filter rule 13 tcp flags not 'fin'
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ state [established | invalid | new | related] [enable | disable]
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ state [established | invalid | new | related] [enable | disable]
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ state [established | invalid | new | related] [enable | disable]
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ state [established | invalid | new | related] [enable | disable]
+
+ Match against the state of a packet.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ time startdate <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ time startdate <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ time startdate <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ time startdate <text>
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ time starttime <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ time starttime <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ time starttime <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ time starttime <text>
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ time stopdate <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ time stopdate <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ time stopdate <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ time stopdate <text>
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ time stoptime <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ time stoptime <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ time stoptime <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ time stoptime <text>
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ time weekdays <text>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ time weekdays <text>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ time weekdays <text>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ time weekdays <text>
+
+ Time to match the defined rule.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ ttl <eq | gt | lt> <0-255>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ ttl <eq | gt | lt> <0-255>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ ttl <eq | gt | lt> <0-255>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ ttl <eq | gt | lt> <0-255>
+
+ Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for
+ 'greater than', and 'lt' stands for 'less than'.
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ recent count <1-255>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ recent count <1-255>
+
+.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
+ recent time <second | minute | hour>
+.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
+ recent time <second | minute | hour>
+.. cfgcmd:: set firewall ipv4 output filter rule <1-999999>
+ recent time <second | minute | hour>
+.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
+ recent time <second | minute | hour>
+
+ Match when 'count' amount of connections are seen within 'time'. These
+ matching criteria can be used to block brute-force attempts.
+
+********
+Synproxy
+********
+Synproxy connections
+
+.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> action synproxy
+.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> protocol tcp
+.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535>
+
+ Set TCP-MSS (maximum segment size) for the connection
+
+.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14>
+
+ Set the window scale factor for TCP window scaling
+
+Example synproxy
+================
+Requirements to enable synproxy:
+
+ * Traffic must be symmetric
+ * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled
+ * Disable conntrack loose track option
+
+.. code-block:: none
+
+ set system sysctl parameter net.ipv4.tcp_timestamps value '1'
+
+ set system conntrack tcp loose disable
+ set system conntrack ignore ipv4 rule 10 destination port '8080'
+ set system conntrack ignore ipv4 rule 10 protocol 'tcp'
+ set system conntrack ignore ipv4 rule 10 tcp flags syn
+
+ set firewall global-options syn-cookies 'enable'
+ set firewall ipv4 input filter rule 10 action 'synproxy'
+ set firewall ipv4 input filter rule 10 destination port '8080'
+ set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1'
+ set firewall ipv4 input filter rule 10 protocol 'tcp'
+ set firewall ipv4 input filter rule 10 synproxy tcp mss '1460'
+ set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
+ set firewall ipv4 input filter rule 1000 action 'drop'
+ set firewall ipv4 input filter rule 1000 state invalid 'enable'
+
+
+***********************
+Operation-mode Firewall
+***********************
+
+Rule-set overview
+=================
+
+.. opcmd:: show firewall
+
+ This will show you a basic firewall overview, for all ruleset, and not
+ only for ipv4
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall
+ Rulesets Information
+
+ ---------------------------------
+ ipv4 Firewall "forward filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- -----------------------------
+ 20 accept all 0 0 ip saddr @N_TRUSTEDv4 accept
+ 21 jump all 0 0 jump NAME_AUX
+ default accept all 0 0
+
+ ---------------------------------
+ ipv4 Firewall "input filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- -------------------------
+ 10 accept all 156 14377 iifname != @I_LAN accept
+ default accept all 0 0
+
+ ---------------------------------
+ ipv4 Firewall "name AUX"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------ -------- ---------- --------- ------- --------------------------------------------
+ 10 accept icmp 0 0 meta l4proto icmp accept
+ 20 accept udp 0 0 meta l4proto udp ip saddr @A_SERVERS accept
+ 30 drop all 0 0 ip saddr != @A_SERVERS iifname "eth2"
+
+ ---------------------------------
+ ipv4 Firewall "output filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- ----------------------------------------
+ 10 reject all 0 0 oifname @I_LAN
+ 20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept
+ default accept all 72 9258
+
+ ---------------------------------
+ ipv6 Firewall "input filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- -------------------------------
+ 10 accept all 0 0 ip6 saddr @N6_TRUSTEDv6 accept
+ default accept all 2 112
+
+ vyos@vyos:~$
+
+.. opcmd:: show firewall summary
+
+ This will show you a summary of rule-sets and groups
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall summary
+ Ruleset Summary
+
+ IPv6 Ruleset:
+
+ Ruleset Hook Ruleset Priority Description
+ -------------- -------------------- -------------------------
+ forward filter
+ input filter
+ ipv6_name IPV6-VyOS_MANAGEMENT
+ ipv6_name IPV6-WAN_IN PUBLIC_INTERNET
+
+ IPv4 Ruleset:
+
+ Ruleset Hook Ruleset Priority Description
+ -------------- ------------------ -------------------------
+ forward filter
+ input filter
+ name VyOS_MANAGEMENT
+ name WAN_IN PUBLIC_INTERNET
+
+ Firewall Groups
+
+ Name Type References Members
+ ----------------------- ------------------ ----------------------- ----------------
+ PBX address_group WAN_IN-100 198.51.100.77
+ SERVERS address_group WAN_IN-110 192.0.2.10
+ WAN_IN-111 192.0.2.11
+ WAN_IN-112 192.0.2.12
+ WAN_IN-120
+ WAN_IN-121
+ WAN_IN-122
+ SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2
+ WAN_IN-20
+ PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2
+ PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2
+ WAN_IN-171
+ PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1
+ SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2
+ IPV6-WAN_IN-111 2001:db8::3
+ IPV6-WAN_IN-112 2001:db8::4
+ IPV6-WAN_IN-120
+ IPV6-WAN_IN-121
+ IPV6-WAN_IN-122
+ SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5
+ IPV6-WAN_IN-20
+
+
+.. opcmd:: show firewall ipv4 [forward | input | output] filter
+
+.. opcmd:: show firewall ipv4 name <name>
+
+ This command will give an overview of a single rule-set.
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall ipv4 input filter
+ Ruleset Information
+
+ ---------------------------------
+ IPv4 Firewall "input filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- -----------------------------------------
+ 5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT
+ default accept all
+
+.. opcmd:: show firewall ipv4 [forward | input | output]
+ filter rule <1-999999>
+.. opcmd:: show firewall ipv4 name <name> rule <1-999999>
+
+ This command will give an overview of a rule in a single rule-set, plus
+ information for default action.
+
+.. code-block:: none
+
+ vyos@vyos:~$show firewall ipv4 output filter rule 20
+ Rule Information
+
+ ---------------------------------
+ ipv4 Firewall "output filter"
+
+ Rule Action Protocol Packets Bytes Conditions
+ ------- -------- ---------- --------- ------- ----------------------------------------
+ 20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept
+ default accept all 286 47614
+
+ vyos@vyos:~$
+
+
+.. opcmd:: show firewall statistics
+
+ This will show you a statistic of all rule-sets since the last boot.
+
+Show Firewall log
+=================
+
+.. opcmd:: show log firewall
+.. opcmd:: show log firewall ipv4
+.. opcmd:: show log firewall ipv4 [forward | input | output | name]
+.. opcmd:: show log firewall ipv4 [forward | input | output] filter
+.. opcmd:: show log firewall ipv4 name <name>
+.. opcmd:: show log firewall ipv4 [forward | input | output] filter rule <rule>
+.. opcmd:: show log firewall ipv4 name <name> rule <rule>
+
+ Show the logs of all firewall; show all ipv4 firewall logs; show all logs
+ for particular hook; show all logs for particular hook and priority; show all logs
+ for particular custom chain; show logs for specific Rule-Set.
+
+Example Partial Config
+======================
+
+.. code-block:: none
+
+ firewall {
+ group {
+ network-group BAD-NETWORKS {
+ network 198.51.100.0/24
+ network 203.0.113.0/24
+ }
+ network-group GOOD-NETWORKS {
+ network 192.0.2.0/24
+ }
+ port-group BAD-PORTS {
+ port 65535
+ }
+ }
+ ipv4 {
+ forward {
+ filter {
+ default-action accept
+ rule 5 {
+ action accept
+ source {
+ group {
+ network-group GOOD-NETWORKS
+ }
+ }
+ }
+ rule 10 {
+ action drop
+ description "Bad Networks"
+ protocol all
+ source {
+ group {
+ network-group BAD-NETWORKS
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+
+Update geoip database
+=====================
+
+.. opcmd:: update geoip
+
+ Command used to update GeoIP database and firewall sets.
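Review bot: the two protocol example commands in this hunk carry a typo that readers will copy verbatim, `set firewall ipv4 forward fitler rule 10 protocol tcp_udp` and `set firewall ipv4 forward fitler rule 11 protocol !tcp_udp`; both should read `forward filter`, otherwise the commands are rejected by the CLI. The `recent count <1-255>` and `recent time [second | minute | hour]` cfgcmd blocks are also defined twice in this file, once before `tcp flags` with only "Match bases on recently seen sources." and again after `ttl` with angle-bracket notation and the fuller "block brute-force attempts" description; keep a single copy (the later, better-described one) so the two variants cannot drift apart, and if the first is kept change "bases" to "based". In the op-mode section the code-block for `show firewall ipv4 output filter rule 20` is not indented under its opcmd directive like the surrounding examples, so it will render outside the directive body, and its prompt is missing a space (`vyos@vyos:~$show firewall ipv4 output filter rule 20`). Minor wording: "Allowed values fpr TCP flags" should be "for", "Match a protocol criteria" should be "criterion", and under the Synproxy title the bare line "Synproxy connections" needs a blank line after the underline and should either become a sentence or be dropped.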