path: root/docs/configuration/firewall/ipv6.rst
Diffstat (limited to 'docs/configuration/firewall/ipv6.rst')
-rw-r--r--  docs/configuration/firewall/ipv6.rst  90
1 files changed, 60 insertions, 30 deletions
diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst
index 0aa8a137..cbf18a7d 100644
--- a/docs/configuration/firewall/ipv6.rst
+++ b/docs/configuration/firewall/ipv6.rst
@@ -11,12 +11,13 @@ Overview
********
In this section there's useful information of all firewall configuration that
-can be done regarding IPv6, and appropiate op-mode commands.
+can be done regarding IPv6, and appropriate op-mode commands.
Configuration commands covered in this section:
.. cfgcmd:: set firewall ipv6 ...
-From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>`
+From main structure defined in
+:doc:`Firewall Overview</configuration/firewall/index>`
in this section you can find detailed information only for the next part
of the general structure:
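Review bot: the context line "In this section there's useful information of all firewall configuration that can be done regarding IPv6" is still awkward after the spelling fix; since this hunk already rewraps the paragraph, consider "This section covers the firewall configuration available for IPv6 and the corresponding op-mode commands."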
@@ -41,12 +42,12 @@ next:
Where firewall base chain to configure firewall filtering rules for transit
traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5,
-highlightened with red color.
+highlighted with red color.
For traffic towards the router itself, base chain is **input**, while traffic
originated by the router, base chain is **output**.
A new simplified packet flow diagram is shown next, which shows the path
-for traffic destinated to the router itself, and traffic generated by the
+for traffic destined to the router itself, and traffic generated by the
router (starting from circle number 6):
.. figure:: /_static/images/firewall-input-packet-flow.png
@@ -64,7 +65,7 @@ output filter ...``
Custom firewall chains can be created, with commands
``set firewall ipv6 name <name> ...``. In order to use
-such custom chain, a rule with **action jump**, and the appropiate **target**
+such custom chain, a rule with **action jump**, and the appropriate **target**
should be defined in a base chain.
******************************
@@ -184,7 +185,7 @@ not match any rule in it's chain. For base chains, possible options for
.. cfgcmd:: set firewall ipv6 name <name> default-jump-target <text>
- To be used only when ``defult-action`` is set to ``jump``. Use this
+ To be used only when ``default-action`` is set to ``jump``. Use this
command to specify jump target for default rule.
.. note:: **Important note about default-actions:**
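Review bot: the hunk header's context line, "not match any rule in it's chain", still has "it's" where "its" is meant; as this commit is a spelling sweep, fold that fix into the same change.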
@@ -206,10 +207,10 @@ log options can be defined.
Enable logging for the matched packet. If this configuration command is not
present, then log is not enabled.
-.. cfgcmd:: set firewall ipv6 forward filter enable-default-log
-.. cfgcmd:: set firewall ipv6 input filter enable-default-log
-.. cfgcmd:: set firewall ipv6 output filter enable-default-log
-.. cfgcmd:: set firewall ipv6 name <name> enable-default-log
+.. cfgcmd:: set firewall ipv6 forward filter default-log
+.. cfgcmd:: set firewall ipv6 input filter default-log
+.. cfgcmd:: set firewall ipv6 output filter default-log
+.. cfgcmd:: set firewall ipv6 name <name> default-log
Use this command to enable the logging of the default action on
the specified chain.
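Review bot: the rename of `enable-default-log` to `default-log` on four chains needs a version note, because the description under these cfgcmd entries gives a reader on an older image no hint that `enable-default-log` is the name their CLI still accepts. A one-line `.. versionchanged::` (or a short note) stating the release that introduced `default-log` would close that gap; the Example Partial Config at the end of this patch is already updated to the new name.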
@@ -373,10 +374,12 @@ There are a lot of matching criteria against which the packet can be tested.
remain valid if the IPv6 prefix changes and the host
portion of systems IPv6 address is static (for example, with SLAAC or
`tokenised IPv6 addresses
- <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)
+ <https://datatracker.ietf.org
+ /doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)
This functions for both individual addresses and address groups.
+ .. stop_vyoslinter
.. code-block:: none
# Match any IPv6 address with the suffix ::0000:0000:0000:beef
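Review bot: breaking the URL across two lines inside the embedded hyperlink target (`<https://datatracker.ietf.org` / `/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`) renders correctly because docutils strips whitespace from an embedded URI, but it hides the link from anyone grepping the source for the draft name. A named target placed after the paragraph (`.. _tokenised IPv6 addresses: https://...`) keeps the URL on one line while still satisfying the line-length lint. Note also that `.. stop_vyoslinter` is opened here and only closed in the following hunk, so the two hunks must always land together.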
@@ -388,6 +391,8 @@ There are a lot of matching criteria against which the packet can be tested.
set firewall ipv6 forward filter rule 200 source group address-group WEBSERVERS
set firewall ipv6 forward filter rule 200 source address-mask ::ffff:ffff:ffff:ffff
+ .. start_vyoslinter
+
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
source fqdn <fqdn>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
@@ -526,6 +531,27 @@ geoip) to keep database and rules updated.
criteria.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ source group dynamic-address-group <name | !name>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ source group dynamic-address-group <name | !name>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ source group dynamic-address-group <name | !name>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ source group dynamic-address-group <name | !name>
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
+ destination group dynamic-address-group <name | !name>
+.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
+ destination group dynamic-address-group <name | !name>
+.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
+ destination group dynamic-address-group <name | !name>
+.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
+ destination group dynamic-address-group <name | !name>
+
+ Use a specific dynamic-address-group. Prepend character ``!`` for inverted
+ matching criteria.
+
+.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
source group network-group <name | !name>
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
source group network-group <name | !name>
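Review bot: the description "Use a specific dynamic-address-group. Prepend character ``!`` for inverted matching criteria." does not say what a dynamic address group is or how members get into it, unlike the static groups documented around it; add a cross-reference to the section that defines dynamic address groups so a reader knows how the group is populated before matching on it. The eight new entries otherwise follow the `<name | !name>` form of the network-group block below, which is consistent.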
@@ -670,9 +696,9 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
inbound-interface name <iface>
- Match based on inbound interface. Wilcard ``*`` can be used.
+ Match based on inbound interface. Wildcard ``*`` can be used.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
- criteria is also supportd. For example ``!eth2``
+ criteria is also supported. For example ``!eth2``
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
inbound-interface group <iface_group>
@@ -682,7 +708,7 @@ geoip) to keep database and rules updated.
inbound-interface group <iface_group>
Match based on inbound interface group. Prepending character ``!`` for
- inverted matching criteria is also supportd. For example ``!IFACE_GROUP``
+ inverted matching criteria is also supported. For example ``!IFACE_GROUP``
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
outbound-interface name <iface>
@@ -691,9 +717,9 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
outbound-interface name <iface>
- Match based on outbound interface. Wilcard ``*`` can be used.
+ Match based on outbound interface. Wildcard ``*`` can be used.
For example: ``eth2*``. Prepending character ``!`` for inverted matching
- criteria is also supportd. For example ``!eth2``
+ criteria is also supported. For example ``!eth2``
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
outbound-interface group <iface_group>
@@ -703,7 +729,7 @@ geoip) to keep database and rules updated.
outbound-interface group <iface_group>
Match based on outbound interface group. Prepending character ``!`` for
- inverted matching criteria is also supportd. For example ``!IFACE_GROUP``
+ inverted matching criteria is also supported. For example ``!IFACE_GROUP``
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
ipsec [match-ipsec | match-none]
@@ -829,13 +855,13 @@ geoip) to keep database and rules updated.
set firewall ipv6 input filter rule 13 tcp flags not 'fin'
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
- state [established | invalid | new | related] [enable | disable]
+ state [established | invalid | new | related]
.. cfgcmd:: set firewall ipv6 input filter rule <1-999999>
- state [established | invalid | new | related] [enable | disable]
+ state [established | invalid | new | related]
.. cfgcmd:: set firewall ipv6 output filter rule <1-999999>
- state [established | invalid | new | related] [enable | disable]
+ state [established | invalid | new | related]
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
- state [established | invalid | new | related] [enable | disable]
+ state [established | invalid | new | related]
Match against the state of a packet.
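Review bot: dropping `[enable | disable]` turns the state match into a valueless node, yet the description "Match against the state of a packet." is unchanged and says nothing about migration. The synproxy example later in this patch shows the new form (`state invalid` instead of `state invalid 'enable'`), but the hunk does not say what replaces the old `disable` value; if the answer is simply deleting the node, and several states may be listed on one rule, one sentence under these four cfgcmd entries should say so.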
@@ -920,13 +946,17 @@ Synproxy
********
Synproxy connections
-.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> action synproxy
-.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> protocol tcp
-.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535>
+.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999>
+ action synproxy
+.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999>
+ protocol tcp
+.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999>
+ synproxy tcp mss <501-65535>
Set TCP-MSS (maximum segment size) for the connection
-.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14>
+.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999>
+ synproxy tcp window-scale <1-14>
Set the window scale factor for TCP window scaling
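Review bot: after the wrap, the description "Set TCP-MSS (maximum segment size) for the connection" visually attaches to all three preceding cfgcmd entries (`action synproxy`, `protocol tcp`, `synproxy tcp mss`) although it only explains the last one. Give `action synproxy` and `protocol tcp` their own sentence (the example later in this patch sets `protocol 'tcp'` on the same rule as `action 'synproxy'`, which is worth stating as the expected pairing), end both descriptions with a period, and turn the fragment "Synproxy connections" into an introductory sentence.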
@@ -950,12 +980,12 @@ Requirements to enable synproxy:
set firewall global-options syn-cookies 'enable'
set firewall ipv6 input filter rule 10 action 'synproxy'
set firewall ipv6 input filter rule 10 destination port '8080'
- set firewall ipv6 input filter rule 10 inbound-interface interface-name 'eth1'
+ set firewall ipv6 input filter rule 10 inbound-interface name 'eth1'
set firewall ipv6 input filter rule 10 protocol 'tcp'
set firewall ipv6 input filter rule 10 synproxy tcp mss '1460'
set firewall ipv6 input filter rule 10 synproxy tcp window-scale '7'
set firewall ipv6 input filter rule 1000 action 'drop'
- set firewall ipv6 input filter rule 1000 state invalid 'enable'
+ set firewall ipv6 input filter rule 1000 state invalid
***********************
Operation-mode Firewall
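Review bot: please confirm that no other example on the page still uses `inbound-interface interface-name` or `state ... 'enable'`; only this one example is updated here while the syntax documented in the earlier hunks (`inbound-interface name <iface>`, `state [established | invalid | new | related]` without a value) has changed, and leaving one stale example would have the page document two syntaxes.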
@@ -1146,8 +1176,8 @@ Show Firewall log
.. opcmd:: show log firewall ipv6 name <name> rule <rule>
Show the logs of all firewall; show all ipv6 firewall logs; show all logs
- for particular hook; show all logs for particular hook and priority; show all logs
- for particular custom chain; show logs for specific Rule-Set.
+ for particular hook; show all logs for particular hook and priority;
+ show all logs for particular custom chain; show logs for specific Rule-Set.
Example Partial Config
======================
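Review bot: the context line "Show the logs of all firewall;" is ungrammatical ("all firewalls" or "the whole firewall"), and the description remains one semicolon-separated run-on covering six opcmd entries; since this hunk already rewraps those lines, consider a short description per command, or at least fixing the number agreement.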
@@ -1177,7 +1207,7 @@ Example Partial Config
}
name INP-ETH1 {
default-action drop
- enable-default-log
+ default-log
rule 10 {
action accept
protocol tcp_udp