diff options
Diffstat (limited to 'docs/configuration/firewall')
| -rw-r--r-- | docs/configuration/firewall/bridge.rst | 401 | ||||
| -rw-r--r-- | docs/configuration/firewall/flowtables.rst | 188 | ||||
| -rw-r--r-- | docs/configuration/firewall/general.rst | 1047 | ||||
| -rw-r--r-- | docs/configuration/firewall/global-options.rst | 147 | ||||
| -rw-r--r-- | docs/configuration/firewall/groups.rst | 210 | ||||
| -rw-r--r-- | docs/configuration/firewall/index.rst | 171 | ||||
| -rw-r--r-- | docs/configuration/firewall/ipv4.rst | 1179 | ||||
| -rw-r--r-- | docs/configuration/firewall/ipv6.rst | 1195 | ||||
| -rw-r--r-- | docs/configuration/firewall/zone.rst | 40 |
9 files changed, 3527 insertions, 1051 deletions
diff --git a/docs/configuration/firewall/bridge.rst b/docs/configuration/firewall/bridge.rst new file mode 100644 index 00000000..9fb019c5 --- /dev/null +++ b/docs/configuration/firewall/bridge.rst @@ -0,0 +1,401 @@ +:lastproofread: 2023-11-08 + +.. _firewall-configuration: + +############################# +Bridge Firewall Configuration +############################# + +.. note:: **Documentation under development** + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding bridge, and appropiate op-mode commands. +Configuration commands covered in this section: + +.. cfgcmd:: set firewall bridge ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * bridge + - forward + + filter + - name + + custom_name + +Traffic which is received by the router on an interface which is member of a +bridge is processed on the **Bridge Layer**. A simplified packet flow diagram +for this layer is shown next: + +.. figure:: /_static/images/firewall-bridge-packet-flow.png + +For traffic that needs to be forwared internally by the bridge, base chain is +is **forward**, and it's base command for filtering is ``set firewall bridge +forward filter ...``, which happens in stage 4, highlightened with red color. + +Custom bridge firewall chains can be create with command ``set firewall bridge +name <name> ...``. In order to use such custom chain, a rule with action jump, +and the appropiate target should be defined in a base chain. + +.. note:: **Layer 3 bridge**: + When an IP address is assigned to the bridge interface, and if traffic + is sent to the router to this IP (for example using such IP as + default gateway), then rules defined for **bridge firewall** won't + match, and firewall analysis continues at **IP layer**. + +************ +Bridge Rules +************ + +For firewall filtering, firewall rules needs to be created. Each rule is +numbered, has an action to apply if the rule is matched, and the ability +to specify multiple criteria matchers. Data packets go through the rules +from 1 - 999999, so order is crucial. At the first match the action of the +rule will be executed. + +Actions +======= + +If a rule is defined, then an action must be defined for it. This tells the +firewall what to do if all criteria matchers defined for such rule do match. + +In firewall bridge rules, the action can be: + + * ``accept``: accept the packet. + + * ``continue``: continue parsing next rule. + + * ``drop``: drop the packet. + + * ``jump``: jump to another custom chain. + + * ``return``: Return from the current chain and continue at the next rule + of the last chain. + + * ``queue``: Enqueue packet to userspace. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> action + [accept | continue | drop | jump | queue | return] +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> action + [accept | continue | drop | jump | queue | return] + + This required setting defines the action of the current rule. If action is + set to jump, then jump-target is also needed. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + jump-target <text> + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + queue <0-65535> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + queue <0-65535> + + To be used only when action is set to ``queue``. Use this command to specify + queue target to use. Queue range is also supported. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + queue-options bypass +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + queue-options bypass + + To be used only when action is set to ``queue``. Use this command to let + packet go through firewall when no userspace software is connected to the + queue. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + queue-options fanout +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + queue-options fanout + + To be used only when action is set to ``queue``. Use this command to + distribute packets between several queues. + +Also, **default-action** is an action that takes place whenever a packet does +not match any rule in it's chain. For base chains, possible options for +**default-action** are **accept** or **drop**. + +.. cfgcmd:: set firewall bridge forward filter default-action + [accept | drop] +.. cfgcmd:: set firewall bridge name <name> default-action + [accept | continue | drop | jump | queue | return] + + This set the default action of the rule-set if no rule matched a packet + criteria. If default-action is set to ``jump``, then + ``default-jump-target`` is also needed. Note that for base chains, default + action can only be set to ``accept`` or ``drop``, while on custom chain, + more actions are available. + +.. cfgcmd:: set firewall bridge name <name> default-jump-target <text> + + To be used only when ``defult-action`` is set to ``jump``. Use this + command to specify jump target for default rule. + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop**. + +Firewall Logs +============= + +Logging can be enable for every single firewall rule. If enabled, other +log options can be defined. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> log +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> log + + Enable logging for the matched packet. If this configuration command is not + present, then log is not enabled. + +.. cfgcmd:: set firewall bridge forward filter enable-default-log +.. cfgcmd:: set firewall bridge name <name> enable-default-log + + Use this command to enable the logging of the default action on + the specified chain. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] + + Define log-level. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + log-options group <0-65535> + + Define log group to send message to. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + log-options snapshot-length <0-9000> + + Define length of packet payload to include in netlink message. Only + applicable if rule log is enable and log group is defined. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + log-options queue-threshold <0-65535> + + Define number of packets to queue inside the kernel before sending them to + userspace. Only applicable if rule log is enable and log group is defined. + +Firewall Description +==================== + +For reference, a description can be defined for every defined custom chain. + +.. cfgcmd:: set firewall bridge name <name> description <text> + + Provide a rule-set description to a custom firewall chain. + +Rule Status +=========== + +When defining a rule, it is enable by default. In some cases, it is useful to +just disable the rule, rather than removing it. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> disable +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> disable + + Command for disabling a rule but keep it in the configuration. + +Matching criteria +================= + +There are a lot of matching criteria against which the packet can be tested. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + destination mac-address <mac-address> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + destination mac-address <mac-address> +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + source mac-address <mac-address> + + Match criteria based on source and/or destination mac-address. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + inbound-interface name <iface> + + Match based on inbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + inbound-interface group <iface_group> + + Match based on inbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + outbound-interface name <iface> + + Match based on outbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + outbound-interface group <iface_group> + + Match based on outbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + vlan id <0-4096> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + vlan id <0-4096> + + Match based on vlan ID. Range is also supported. + +.. cfgcmd:: set firewall bridge forward filter rule <1-999999> + vlan priority <0-7> +.. cfgcmd:: set firewall bridge name <name> rule <1-999999> + vlan priority <0-7> + + Match based on vlan priority(pcp). Range is also supported. + +*********************** +Operation-mode Firewall +*********************** + +Rule-set overview +================= + +In this section you can find all useful firewall op-mode commands. + +General commands for firewall configuration, counter and statiscits: + +.. opcmd:: show firewall +.. opcmd:: show firewall summary +.. opcmd:: show firewall statistics + +And, to print only bridge firewall information: + +.. opcmd:: show firewall bridge +.. opcmd:: show firewall bridge forward filter +.. opcmd:: show firewall bridge forward filter rule <rule> +.. opcmd:: show firewall bridge name <name> +.. opcmd:: show firewall bridge name <name> rule <rule> + +Show Firewall log +================= + +.. opcmd:: show log firewall +.. opcmd:: show log firewall bridge +.. opcmd:: show log firewall bridge forward +.. opcmd:: show log firewall bridge forward filter +.. opcmd:: show log firewall bridge name <name> +.. opcmd:: show log firewall bridge forward filter rule <rule> +.. opcmd:: show log firewall bridge name <name> rule <rule> + + Show the logs of all firewall; show all bridge firewall logs; show all logs + for forward hook; show all logs for forward hook and priority filter; show + all logs for particular custom chain; show logs for specific Rule-Set. + +Example +======= + +Configuration example: + +.. code-block:: none + + set firewall bridge forward filter default-action 'drop' + set firewall bridge forward filter enable-default-log + set firewall bridge forward filter rule 10 action 'continue' + set firewall bridge forward filter rule 10 inbound-interface name 'eth2' + set firewall bridge forward filter rule 10 vlan id '22' + set firewall bridge forward filter rule 20 action 'drop' + set firewall bridge forward filter rule 20 inbound-interface group 'TRUNK-RIGHT' + set firewall bridge forward filter rule 20 vlan id '60' + set firewall bridge forward filter rule 30 action 'jump' + set firewall bridge forward filter rule 30 jump-target 'TEST' + set firewall bridge forward filter rule 30 outbound-interface name '!eth1' + set firewall bridge forward filter rule 35 action 'accept' + set firewall bridge forward filter rule 35 vlan id '11' + set firewall bridge forward filter rule 40 action 'continue' + set firewall bridge forward filter rule 40 destination mac-address '66:55:44:33:22:11' + set firewall bridge forward filter rule 40 source mac-address '11:22:33:44:55:66' + set firewall bridge name TEST default-action 'accept' + set firewall bridge name TEST enable-default-log + set firewall bridge name TEST rule 10 action 'continue' + set firewall bridge name TEST rule 10 log + set firewall bridge name TEST rule 10 vlan priority '0' + +And op-mode commands: + +.. code-block:: none + + vyos@BRI:~$ show firewall bridge + Rulesets bridge Information + + --------------------------------- + bridge Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- --------------------------------------------------------------------- + 10 continue all 0 0 iifname "eth2" vlan id 22 continue + 20 drop all 0 0 iifname @I_TRUNK-RIGHT vlan id 60 + 30 jump all 2130 170688 oifname != "eth1" jump NAME_TEST + 35 accept all 2080 168616 vlan id 11 accept + 40 continue all 0 0 ether daddr 66:55:44:33:22:11 ether saddr 11:22:33:44:55:66 continue + default drop all 0 0 + + --------------------------------- + bridge Firewall "name TEST" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- -------------------------------------------------- + 10 continue all 2130 170688 vlan pcp 0 prefix "[bri-NAM-TEST-10-C]" continue + default accept all 2130 170688 + + vyos@BRI:~$ + vyos@BRI:~$ show firewall bridge name TEST + Ruleset Information + + --------------------------------- + bridge Firewall "name TEST" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- -------------------------------------------------- + 10 continue all 2130 170688 vlan pcp 0 prefix "[bri-NAM-TEST-10-C]" continue + default accept all 2130 170688 + + vyos@BRI:~$ + +Inspect logs: + +.. code-block:: none + + vyos@BRI:~$ show log firewall bridge + Dec 05 14:37:47 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102 + Dec 05 14:37:48 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102 + Dec 05 14:37:49 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102 + ... + vyos@BRI:~$ show log firewall bridge forward filter + Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 + Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0 diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst new file mode 100644 index 00000000..bc7b9212 --- /dev/null +++ b/docs/configuration/firewall/flowtables.rst @@ -0,0 +1,188 @@ +:lastproofread: 2023-12-26 + +.. _firewall-flowtables-configuration: + +################################# +Flowtables Firewall Configuration +################################# + +.. note:: **Documentation under development** + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding flowtables. + +.. cfgcmd:: set firewall flowtables ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * flowtable + - custom_flow_table + + ... + + +Flowtables allows you to define a fastpath through the flowtable datapath. +The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP +and UDP protocols. + +.. figure:: /_static/images/firewall-flowtable-packet-flow.png + +Once the first packet of the flow successfully goes through the IP forwarding +path (black circles path), from the second packet on, you might decide to +offload the flow to the flowtable through your ruleset. The flowtable +infrastructure provides a rule action that allows you to specify when to add +a flow to the flowtable (On forward filtering, red circle number 6) + +A packet that finds a matching entry in the flowtable (flowtable hit) is +transmitted to the output netdevice, hence, packets bypass the classic IP +forwarding path and uses the **Fast Path** (orange circles path). The visible +effect is that you do not see these packets from any of the Netfilter +hooks coming after ingress. In case that there is no matching entry in the +flowtable (flowtable miss), the packet follows the classic IP forwarding path. + +.. note:: **Flowtable Reference:** + https://docs.kernel.org/networking/nf_flowtable.html + + +*********************** +Flowtable Configuration +*********************** + +In order to use flowtables, the minimal configuration needed includes: + + * Create flowtable: create flowtable, which includes the interfaces + that are going to be used by the flowtable. + + * Create firewall rule: create a firewall rule, setting action to + ``offload`` and using desired flowtable for ``offload-target``. + +Creating a flow table: + +.. cfgcmd:: set firewall flowtable <flow_table_name> interface <iface> + + Define interfaces to be used in the flowtable. + +.. cfgcmd:: set firewall flowtable <flow_table_name> description <text> + +Provide a description to the flow table. + +.. cfgcmd:: set firewall flowtable <flow_table_name> offload + <hardware | software> + + Define type of offload to be used by the flowtable: ``hardware`` or + ``software``. By default, ``software`` offload is used. + +.. note:: **Hardware offload:** should be supported by the NICs used. + +Creating rules for using flow tables: + +.. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999> + action offload + + Create firewall rule in forward chain, and set action to ``offload``. + +.. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999> + offload-target <flowtable> + + Create firewall rule in forward chain, and define which flowtbale + should be used. Only applicable if action is ``offload``. + +********************* +Configuration Example +********************* + +Things to be considred in this setup: + + * Two interfaces are going to be used in the flowtables: eth0 and eth1 + + * Minumum firewall ruleset is provided, which includes some filtering rules, + and appropiate rules for using flowtable offload capabilities. + +As described, first packet will be evaluated by all the firewall path, so +desired connection should be explicitely accepted. Same thing should be taken +into account for traffic in reverse order. In most cases state policies are +used in order to accept connection in reverse patch. + +We will only accept traffic comming from interface eth0, protocol tcp and +destination port 1122. All other traffic traspassing the router should be +blocked. + +Commands +-------- + +.. code-block:: none + + set firewall flowtable FT01 interface 'eth0' + set firewall flowtable FT01 interface 'eth1' + set firewall ipv4 forward filter default-action 'drop' + set firewall ipv4 forward filter rule 10 action 'offload' + set firewall ipv4 forward filter rule 10 offload-target 'FT01' + set firewall ipv4 forward filter rule 10 state 'established' + set firewall ipv4 forward filter rule 10 state 'related' + set firewall ipv4 forward filter rule 20 action 'accept' + set firewall ipv4 forward filter rule 20 state 'established' + set firewall ipv4 forward filter rule 20 state 'related' + set firewall ipv4 forward filter rule 110 action 'accept' + set firewall ipv4 forward filter rule 110 destination address '192.0.2.100' + set firewall ipv4 forward filter rule 110 destination port '1122' + set firewall ipv4 forward filter rule 110 inbound-interface name 'eth0' + set firewall ipv4 forward filter rule 110 protocol 'tcp' + +Explanation +----------- + +Analysis on what happens for desired connection: + + 1. First packet is received on eht0, with destination address 192.0.2.100, + protocol tcp and destination port 1122. Assume such destination address is + reachable through interface eth1. + + 2. Since this is the first packet, connection status of this connection, + so far is **new**. So neither rule 10 nor 20 are valid. + + 3. Rule 110 is hit, so connection is accepted. + + 4. Once answer from server 192.0.2.100 is seen in opposite direction, + connection state will be triggered to **established**, so this reply is + accepted in rule 10. + + 5. Second packet for this connection is received by the router. Since + connection state is **established**, then rule 10 is hit, and a new entry + in the flowtable FT01 is added for this connection. + + 6. All subsecuent packets will skip traditional path, and will be offloaded + and will use the **Fast Path**. + +Checks +------ + +It's time to check conntrack table, to see if any connection was accepted, +and if was properly offloaded + +.. code-block:: none + + vyos@FlowTables:~$ show firewall ipv4 forward filter + Ruleset Information + + --------------------------------- + ipv4 Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------------------------------- + 10 offload all 8 468 ct state { established, related } flow add @VYOS_FLOWTABLE_FT01 + 20 accept all 8 468 ct state { established, related } accept + 110 accept tcp 2 120 ip daddr 192.0.2.100 tcp dport 1122 iifname "eth0" accept + default drop all 7 420 + + vyos@FlowTables:~$ sudo conntrack -L | grep tcp + conntrack v1.4.6 (conntrack-tools): 5 flow entries have been shown. + tcp 6 src=198.51.100.100 dst=192.0.2.100 sport=41676 dport=1122 src=192.0.2.100 dst=198.51.100.100 sport=1122 dport=41676 [OFFLOAD] mark=0 use=2 + vyos@FlowTables:~$ diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst deleted file mode 100644 index c217ba6c..00000000 --- a/docs/configuration/firewall/general.rst +++ /dev/null @@ -1,1047 +0,0 @@ -:lastproofread: 2021-06-29 - -.. _firewall: - -######## -Firewall -######## - -******** -Overview -******** - -VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet -filtering. - -The firewall supports the creation of groups for ports, addresses, and -networks (implemented using netfilter ipset) and the option of interface -or zone based firewall policy. - -.. note:: **Important note on usage of terms:** - The firewall makes use of the terms `in`, `out`, and `local` - for firewall policy. Users experienced with netfilter often confuse - `in` to be a reference to the `INPUT` chain, and `out` the `OUTPUT` - chain from netfilter. This is not the case. These instead indicate - the use of the `FORWARD` chain and either the input or output - interface. The `INPUT` chain, which is used for local traffic to the - OS, is a reference to as `local` with respect to its input interface. - - -*************** -Global settings -*************** - -Some firewall settings are global and have an affect on the whole system. - -.. cfgcmd:: set firewall all-ping [enable | disable] - - By default, when VyOS receives an ICMP echo request packet destined for - itself, it will answer with an ICMP echo reply, unless you avoid it - through its firewall. - - With the firewall you can set rules to accept, drop or reject ICMP in, - out or local traffic. You can also use the general **firewall all-ping** - command. This command affects only to LOCAL (packets destined for your - VyOS system), not to IN or OUT traffic. - - .. note:: **firewall all-ping** affects only to LOCAL and it always - behaves in the most restrictive way - - .. code-block:: none - - set firewall all-ping enable - - When the command above is set, VyOS will answer every ICMP echo request - addressed to itself, but that will only happen if no other rule is - applied dropping or rejecting local echo requests. In case of conflict, - VyOS will not answer ICMP echo requests. - - .. code-block:: none - - set firewall all-ping disable - - When the command above is set, VyOS will answer no ICMP echo request - addressed to itself at all, no matter where it comes from or whether - more specific rules are being applied to accept them. - -.. cfgcmd:: set firewall broadcast-ping [enable | disable] - - This setting enable or disable the response of icmp broadcast - messages. The following system parameter will be altered: - - * ``net.ipv4.icmp_echo_ignore_broadcasts`` - -.. cfgcmd:: set firewall ip-src-route [enable | disable] -.. cfgcmd:: set firewall ipv6-src-route [enable | disable] - - This setting handle if VyOS accept packets with a source route - option. The following system parameter will be altered: - - * ``net.ipv4.conf.all.accept_source_route`` - * ``net.ipv6.conf.all.accept_source_route`` - -.. cfgcmd:: set firewall receive-redirects [enable | disable] -.. cfgcmd:: set firewall ipv6-receive-redirects [enable | disable] - - enable or disable of ICMPv4 or ICMPv6 redirect messages accepted - by VyOS. The following system parameter will be altered: - - * ``net.ipv4.conf.all.accept_redirects`` - * ``net.ipv6.conf.all.accept_redirects`` - -.. cfgcmd:: set firewall send-redirects [enable | disable] - - enable or disable ICMPv4 redirect messages send by VyOS - The following system parameter will be altered: - - * ``net.ipv4.conf.all.send_redirects`` - -.. cfgcmd:: set firewall log-martians [enable | disable] - - enable or disable the logging of martian IPv4 packets. - The following system parameter will be altered: - - * ``net.ipv4.conf.all.log_martians`` - -.. cfgcmd:: set firewall source-validation [strict | loose | disable] - - Set the IPv4 source validation mode. - The following system parameter will be altered: - - * ``net.ipv4.conf.all.rp_filter`` - -.. cfgcmd:: set firewall syn-cookies [enable | disable] - - Enable or Disable if VyOS use IPv4 TCP SYN Cookies. - The following system parameter will be altered: - - * ``net.ipv4.tcp_syncookies`` - -.. cfgcmd:: set firewall twa-hazards-protection [enable | disable] - - Enable or Disable VyOS to be :rfc:`1337` conform. - The following system parameter will be altered: - - * ``net.ipv4.tcp_rfc1337`` - -.. cfgcmd:: set firewall state-policy established action [accept | drop | - reject] - -.. cfgcmd:: set firewall state-policy established log enable - - Set the global setting for an established connection. - -.. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject] - -.. cfgcmd:: set firewall state-policy invalid log enable - - Set the global setting for invalid packets. - -.. cfgcmd:: set firewall state-policy related action [accept | drop | reject] - -.. cfgcmd:: set firewall state-policy related log enable - - Set the global setting for related connections. - - -****** -Groups -****** - -Firewall groups represent collections of IP addresses, networks, ports, -mac addresses or domains. Once created, a group can be referenced by -firewall, nat and policy route rules as either a source or destination -matcher. Members can be added or removed from a group without changes to, -or the need to reload, individual firewall rules. - -Groups need to have unique names. Even though some contain IPv4 -addresses and others contain IPv6 addresses, they still need to have -unique names, so you may want to append "-v4" or "-v6" to your group -names. - - -Address Groups -============== - -In an **address group** a single IP address or IP address ranges are -defined. - -.. cfgcmd:: set firewall group address-group <name> address [address | - address range] -.. cfgcmd:: set firewall group ipv6-address-group <name> address <address> - - Define a IPv4 or a IPv6 address group - - .. code-block:: none - - set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1 - set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8 - set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1 - -.. cfgcmd:: set firewall group address-group <name> description <text> -.. cfgcmd:: set firewall group ipv6-address-group <name> description <text> - - Provide a IPv4 or IPv6 address group description - -Network Groups -============== - -While **network groups** accept IP networks in CIDR notation, specific -IP addresses can be added as a 32-bit prefix. If you foresee the need -to add a mix of addresses and networks, the network group is -recommended. - -.. cfgcmd:: set firewall group network-group <name> network <CIDR> -.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR> - - Define a IPv4 or IPv6 Network group. - - .. code-block:: none - - set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24 - set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24 - set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64 - -.. cfgcmd:: set firewall group network-group <name> description <text> -.. cfgcmd:: set firewall group ipv6-network-group <name> description <text> - - Provide a IPv4 or IPv6 network group description. - -Port Groups -=========== - -A **port group** represents only port numbers, not the protocol. Port -groups can be referenced for either TCP or UDP. It is recommended that -TCP and UDP groups are created separately to avoid accidentally -filtering unnecessary ports. Ranges of ports can be specified by using -`-`. - -.. cfgcmd:: set firewall group port-group <name> port - [portname | portnumber | startport-endport] - - Define a port group. A port name can be any name defined in - /etc/services. e.g.: http - - .. code-block:: none - - set firewall group port-group PORT-TCP-SERVER1 port http - set firewall group port-group PORT-TCP-SERVER1 port 443 - set firewall group port-group PORT-TCP-SERVER1 port 5000-5010 - -.. cfgcmd:: set firewall group port-group <name> description <text> - - Provide a port group description. - -MAC Groups -========== - -A **mac group** represents a collection of mac addresses. - -.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address> - - Define a mac group. - -.. code-block:: none - - set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f - set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81 - - -Domain Groups -============= - -A **domain group** represents a collection of domains. - -.. cfgcmd:: set firewall group domain-group <name> address <domain> - - Define a domain group. - -.. code-block:: none - - set firewall group domain-group DOM address example.com - - -********* -Rule-Sets -********* - -A rule-set is a named collection of firewall rules that can be applied -to an interface or a zone. Each rule is numbered, has an action to apply -if the rule is matched, and the ability to specify the criteria to -match. Data packets go through the rules from 1 - 999999, at the first match -the action of the rule will be executed. - -.. cfgcmd:: set firewall name <name> description <text> -.. cfgcmd:: set firewall ipv6-name <name> description <text> - - Provide a rule-set description. - -.. cfgcmd:: set firewall name <name> default-action [accept |Â drop | jump | - reject | return] -.. cfgcmd:: set firewall ipv6-name <name> default-action [accept |Â drop | - jump | reject | return] - - This set the default action of the rule-set if no rule matched a packet - criteria. If defacult-action is set to ``jump``, then - ``default-jump-target`` is also needed. - -.. cfgcmd:: set firewall name <name> default-jump-target <text> -.. cfgcmd:: set firewall ipv6-name <name> default-jump-target <text> - - To be used only when ``defult-action`` is set to ``jump``. Use this - command to specify jump target for default rule. - -.. cfgcmd:: set firewall name <name> enable-default-log -.. cfgcmd:: set firewall ipv6-name <name> enable-default-log - - Use this command to enable the logging of the default action. - -.. cfgcmd:: set firewall name <name> rule <1-999999> action [accept |Â drop | - jump | queue | reject | return] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [accept | - drop | jump | queue | reject | return] - - This required setting defines the action of the current rule. If action - is set to ``jump``, then ``jump-target`` is also needed. - -.. cfgcmd:: set firewall name <name> rule <1-999999> jump-target <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> jump-target <text> - - To be used only when ``action`` is set to ``jump``. Use this - command to specify jump target. - -.. cfgcmd:: set firewall name <name> rule <1-999999> queue <0-65535> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> queue <0-65535> - - Use this command to set the target to use. Action queue must be defined - to use this setting - -.. cfgcmd:: set firewall name <name> rule <1-999999> queue-options - <bypass-fanout> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> queue-options - <bypass-fanout> - - Options used for queue target. Action queue must be defined to use this - setting - -.. cfgcmd:: set firewall name <name> rule <1-999999> description <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> description <text> - - Provide a description for each rule. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log [disable | enable] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable | - enable] - - Enable or disable logging for the matched packet. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log-options level - [emerg | alert | crit | err | warn | notice | info | debug] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options level - [emerg | alert | crit | err | warn | notice | info | debug] - - Define log-level. Only applicable if rule log is enable. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log-options group - <0-65535> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options group - <0-65535> - - Define log group to send message to. Only applicable if rule log is enable. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log-options snaplen - <0-9000> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options snaplen - <0-9000> - - Define length of packet payload to include in netlink message. Only - applicable if rule log is enable and log group is defined. - -.. cfgcmd:: set firewall name <name> rule <1-999999> log-options - queue-threshold <0-65535> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-options - queue-threshold <0-65535> - - Define number of packets to queue inside the kernel before sending them to - userspace. Only applicable if rule log is enable and log group is defined. - -.. cfgcmd:: set firewall name <name> rule <1-999999> disable -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable - - If you want to disable a rule but let it in the configuration. - -Matching criteria -================= - -There are a lot of matching criteria against which the package can be tested. - -.. cfgcmd:: set firewall name <name> rule <1-999999> connection-status nat - [destination | source] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-status - nat [destination | source] - - Match criteria based on nat connection status. - -.. cfgcmd:: set firewall name <name> rule <1-999999> connection-mark - <1-2147483647> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-mark - <1-2147483647> - - Match criteria based on connection mark. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source address - [address | addressrange | CIDR] -.. cfgcmd:: set firewall name <name> rule <1-999999> destination address - [address | addressrange | CIDR] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address - [address | addressrange | CIDR] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination address - [address | addressrange | CIDR] - - This is similar to the network groups part, but here you are able to negate - the matching addresses. - - .. code-block:: none - - set firewall name WAN-IN-v4 rule 100 source address 192.0.2.10-192.0.2.11 - # with a '!' the rule match everything except the specified subnet - set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24 - set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202 - -.. cfgcmd:: set firewall name <name> rule <1-999999> source address-mask - [address] -.. cfgcmd:: set firewall name <name> rule <1-999999> destination address-mask - [address] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address-mask - [address] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination - address-mask [address] - - An arbitrary netmask can be applied to mask addresses to only match against - a specific portion. This is particularly useful with IPv6 and a zone-based - firewall as rules will remain valid if the IPv6 prefix changes and the host - portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses - <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) - - This functions for both individual addresses and address groups. - - .. code-block:: none - - # Match any IPv6 address with the suffix ::0000:0000:0000:beef - set firewall ipv6-name WAN-LAN-v6 rule 100 destination address ::beef - set firewall ipv6-name WAN-LAN-v6 rule 100 destination address-mask ::ffff:ffff:ffff:ffff - # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet - set firewall name WAN-LAN-v4 rule 100 destination address 0.11.0.13 - set firewall name WAN-LAN-v4 rule 100 destination address-mask 0.255.0.255 - # Address groups - set firewall group ipv6-address-group WEBSERVERS address ::1000 - set firewall group ipv6-address-group WEBSERVERS address ::2000 - set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS - set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff - -.. cfgcmd:: set firewall name <name> rule <1-999999> source fqdn <fqdn> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination fqdn <fqdn> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source fqdn <fqdn> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination fqdn - <fqdn> - - Specify a Fully Qualified Domain Name as source/destination matcher. Ensure - router is able to resolve such dns query. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code - <country> -.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip - country-code <country> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip - inverse-match -.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip - country-code <country> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip - inverse-match -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip - country-code <country> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip - inverse-match - -Match IP addresses based on its geolocation. -More info: `geoip matching -<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. - -Use inverse-match to match anything except the given country-codes. - -Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, -permits redistribution so we can include a database in images(~3MB -compressed). Includes cron script (manually callable by op-mode update -geoip) to keep database and rules updated. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address - <mac-address> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source mac-address - <mac-address> - - Only in the source criteria, you can specify a mac-address. - - .. code-block:: none - - set firewall name LAN-IN-v4 rule 100 source mac-address 00:53:00:11:22:33 - set firewall name LAN-IN-v4 rule 101 source mac-address !00:53:00:aa:12:34 - -.. cfgcmd:: set firewall name <name> rule <1-999999> source port - [1-65535 | portname | start-end] -.. cfgcmd:: set firewall name <name> rule <1-999999> destination port - [1-65535 | portname | start-end] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source port - [1-65535 | portname | start-end] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination port - [1-65535 | portname | start-end] - - A port can be set with a port number or a name which is here - defined: ``/etc/services``. - - .. code-block:: none - - set firewall name WAN-IN-v4 rule 10 source port '22' - set firewall name WAN-IN-v4 rule 11 source port '!http' - set firewall name WAN-IN-v4 rule 12 source port 'https' - - Multiple source ports can be specified as a comma-separated list. - The whole list can also be "negated" using ``!``. For example: - - .. code-block:: none - - set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338' - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - address-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - address-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - address-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - address-group <name | !name> - - Use a specific address-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - network-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - network-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - network-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - network-group <name | !name> - - Use a specific network-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - port-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - port-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - port-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - port-group <name | !name> - - Use a specific port-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - domain-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - domain-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - domain-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - domain-group <name | !name> - - Use a specific domain-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> source group - mac-group <name | !name> -.. cfgcmd:: set firewall name <name> rule <1-999999> destination group - mac-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group - mac-group <name | !name> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group - mac-group <name | !name> - - Use a specific mac-group. Prepend character ``!`` for inverted matching - criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> dscp [0-63 | start-end] -.. cfgcmd:: set firewall name <name> rule <1-999999> dscp-exclude [0-63 | - start-end] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp [0-63 | - start-end] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> dscp-exclude [0-63 | - start-end] - - Match based on dscp value. - -.. cfgcmd:: set firewall name <name> rule <1-999999> fragment [match-frag | - match-non-frag] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> fragment [match-frag - | match-non-frag] - - Match based on fragment criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> icmp [code | type] - <0-255> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 [code | type] - <0-255> - - Match based on icmp|icmpv6 code and type. - -.. cfgcmd:: set firewall name <name> rule <1-999999> icmp type-name <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 type-name - <text> - - Match based on icmp|icmpv6 type-name criteria. Use tab for information - about what **type-name** criteria are supported. - -.. cfgcmd:: set firewall name <name> rule <1-999999> inbound-interface - <iface> -.. cfgcmd:: set firewall name <name> rule <1-999999> outbound-interface - <iface> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> inbound-interface - <iface> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> outbound-interface - <iface> - - Match based on inbound/outbound interface. Wilcard ``*`` can be used. - For example: ``eth2*`` - -.. cfgcmd:: set firewall name <name> rule <1-999999> ipsec [match-ipsec - | match-none] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> ipsec [match-ipsec - | match-none] - - Match based on ipsec criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> limit burst - <0-4294967295> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit burst - <0-4294967295> - - Match based on the maximum number of packets to allow in excess of rate. - -.. cfgcmd:: set firewall name <name> rule <1-999999> limit rate - <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit rate - <text> - - Match based on the maximum average rate, specified as **integer/unit**. - For example **5/minutes** - -.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length - <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length - <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length-exclude - <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length-exclude - <text> - - Match based on packet length criteria. Multiple values from 1 to 65535 - and ranges are supported. - -.. cfgcmd:: set firewall name <name> rule <1-999999> packet-type - [broadcast | host | multicast | other] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-type - [broadcast | host | multicast | other] - - Match based on packet type criteria. - -.. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> | - <0-255> | all | tcp_udp] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> protocol [<text> | - <0-255> | all | tcp_udp] - - Match a protocol criteria. A protocol number or a name which is here - defined: ``/etc/protocols``. - Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp - based packets. The ``!`` negate the selected protocol. - - .. code-block:: none - - set firewall name WAN-IN-v4 rule 10 protocol tcp_udp - set firewall name WAN-IN-v4 rule 11 protocol !tcp_udp - set firewall ipv6-name WAN-IN-v6 rule 10 protocol tcp - -.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255> -.. cfgcmd:: set firewall name <name> rule <1-999999> recent time - [second | minute | hour] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time - [second | minute | hour] - - Match bases on recently seen sources. - -.. cfgcmd:: set firewall name <name> rule <1-999999> tcp flags <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> tcp flags <text> - - Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``, - ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma - separated. The ``!`` negate the selected protocol. - - .. code-block:: none - - set firewall name WAN-IN-v4 rule 10 tcp flags 'ACK' - set firewall name WAN-IN-v4 rule 12 tcp flags 'SYN' - set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST' - -.. cfgcmd:: set firewall name <name> rule <1-999999> state [established | - invalid | new | related] [enable | disable] -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> state [established | - invalid | new | related] [enable | disable] - - Match against the state of a packet. - -.. cfgcmd:: set firewall name <name> rule <1-999999> time startdate <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time startdate <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> time starttime <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time starttime <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> time stopdate <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stopdate <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> time stoptime <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stoptime <text> -.. cfgcmd:: set firewall name <name> rule <1-999999> time weekdays <text> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time weekdays <text> - - Time to match the defined rule. - -.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255> - - Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for - 'greater than', and 'lt' stands for 'less than'. - -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> hop-limit <eq | gt | - lt> <0-255> - - Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for - 'greater than', and 'lt' stands for 'less than'. - -.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255> -.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second | - minute | hour> -.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second | - minute | hour> - - Match when 'count' amount of connections are seen within 'time'. These - matching criteria can be used to block brute-force attempts. - -*********************************** -Applying a Rule-Set to an Interface -*********************************** - -A Rule-Set can be applied to every interface: - -* ``in``: Ruleset for forwarded packets on an inbound interface -* ``out``: Ruleset for forwarded packets on an outbound interface -* ``local``: Ruleset for packets destined for this router - -.. cfgcmd:: set firewall interface <interface> [in | out | local] [name | - ipv6-name] <rule-set> - - - Here are some examples for applying a rule-set to an interface - - .. code-block:: none - - set firewall interface eth1.100 in name LANv4-IN - set firewall interface eth1.100 out name LANv4-OUT - set firewall interface bond0 in name LANv4-IN - set firewall interface vtun1 in name LANv4-IN - set firewall interface eth2* in name LANv4-IN - - .. note:: - As you can see in the example here, you can assign the same rule-set to - several interfaces. An interface can only have one rule-set per chain. - - .. note:: - You can use wildcard ``*`` to match a group of interfaces. - -*********************** -Operation-mode Firewall -*********************** - -Rule-set overview -================= - -.. opcmd:: show firewall - - This will show you a basic firewall overview - - .. code-block:: none - - vyos@vyos:~$ show firewall - - ------------------------ - Firewall Global Settings - ------------------------ - - Firewall state-policy for all IPv4 and Ipv6 traffic - - state action log - ----- ------ --- - invalid accept disabled - established accept disabled - related accept disabled - - ----------------------------- - Rulesets Information - ----------------------------- - -------------------------------------------------------------------------- - IPv4 Firewall "DMZv4-1-IN": - - Active on (eth0,IN) - - rule action proto packets bytes - ---- ------ ----- ------- ----- - 10 accept icmp 0 0 - condition - saddr 10.1.0.0/24 daddr 0.0.0.0/0 LOG enabled - - 10000 drop all 0 0 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled - - -------------------------------------------------------------------------- - IPv4 Firewall "DMZv4-1-OUT": - - Active on (eth0,OUT) - - rule action proto packets bytes - ---- ------ ----- ------- ----- - 10 accept tcp_udp 1 60 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-DST-PORT-GROUP DMZ-Ports /* - DMZv4-1-OUT-10 */LOG enabled - - 11 accept icmp 1 84 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* DMZv4-1-OUT-11 */LOG enabled - - 10000 drop all 6 360 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled - - -------------------------------------------------------------------------- - IPv4 Firewall "LANv4-IN": - - Inactive - Not applied to any interfaces or zones. - - rule action proto packets bytes - ---- ------ ----- ------- ----- - 10 accept all 0 0 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* LANv4-IN-10 */ - - 10000 drop all 0 0 - condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 - -.. opcmd:: show firewall summary - - This will show you a summary of rule-sets and groups - - .. code-block:: none - - vyos@vyos:~$ show firewall summary - - ------------------------ - Firewall Global Settings - ------------------------ - - Firewall state-policy for all IPv4 and Ipv6 traffic - - state action log - ----- ------ --- - invalid accept disabled - related accept disabled - established accept disabled - - ------------------------ - Firewall Rulesets - ------------------------ - - IPv4 name: - - Rule-set name Description References - ------------- ----------- ---------- - DMZv4-1-OUT (eth0,OUT) - DMZv4-1-IN (eth0,IN) - - ------------------------ - Firewall Groups - ------------------------ - - Port Groups: - - Group name Description References - ---------- ----------- ---------- - DMZ-Ports DMZv4-1-OUT-10-destination - - Network Groups: - - Group name Description References - ---------- ----------- ---------- - LANv4 LANv4-IN-10-source, - DMZv4-1-OUT-10-source, - DMZv4-1-OUT-11-source - -.. opcmd:: show firewall statistics - - This will show you a statistic of all rule-sets since the last boot. - -.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999> - - This command will give an overview of a rule in a single rule-set - -.. opcmd:: show firewall group <name> - - Overview of defined groups. You see the type, the members, and where the - group is used. - - .. code-block:: none - - vyos@vyos:~$ show firewall group DMZ-Ports - Name : DMZ-Ports - Type : port - References : none - Members : - 80 - 443 - 8080 - 8443 - - vyos@vyos:~$ show firewall group LANv4 - Name : LANv4 - Type : network - References : LANv4-IN-10-source - Members : - 10.10.0.0/16 - -.. opcmd:: show firewall [name | ipv6name] <name> - - This command will give an overview of a single rule-set. - -.. opcmd:: show firewall [name | ipv6name] <name> statistics - - This will show you a rule-set statistic since the last boot. - -.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999> - - This command will give an overview of a rule in a single rule-set. - - -Zone-Policy Overview -==================== - -.. opcmd:: show zone-policy zone <name> - - Use this command to get an overview of a zone. - - .. code-block:: none - - vyos@vyos:~$ show zone-policy zone DMZ - ------------------- - Name: DMZ - - Interfaces: eth0 eth1 - - From Zone: - name firewall - ---- -------- - LAN DMZv4-1-OUT - - -Show Firewall log -================= - -.. opcmd:: show log firewall [name | ipv6name] <name> - - Show the logs of a specific Rule-Set. - -.. note:: - At the moment it not possible to look at the whole firewall log with VyOS - operational commands. All logs will save to ``/var/logs/messages``. - For example: ``grep '10.10.0.10' /var/log/messages`` - - - -Example Partial Config -====================== - -.. code-block:: none - - firewall { - interface eth0 { - in { - name FROM-INTERNET - } - } - all-ping enable - broadcast-ping disable - config-trap disable - group { - network-group BAD-NETWORKS { - network 198.51.100.0/24 - network 203.0.113.0/24 - } - network-group GOOD-NETWORKS { - network 192.0.2.0/24 - } - port-group BAD-PORTS { - port 65535 - } - } - name FROM-INTERNET { - default-action accept - description "From the Internet" - rule 10 { - action accept - description "Authorized Networks" - protocol all - source { - group { - network-group GOOD-NETWORKS - } - } - } - rule 11 { - action drop - description "Bad Networks" - protocol all - source { - group { - network-group BAD-NETWORKS - } - } - } - rule 30 { - action drop - description "BAD PORTS" - destination { - group { - port-group BAD-PORTS - } - } - log enable - protocol all - } - } - } - interfaces { - ethernet eth1 { - address dhcp - description OUTSIDE - duplex auto - } - } - - -Update geoip database -===================== - -.. opcmd:: update geoip - - Command used to update GeoIP database and firewall sets.
\ No newline at end of file diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst new file mode 100644 index 00000000..455e530b --- /dev/null +++ b/docs/configuration/firewall/global-options.rst @@ -0,0 +1,147 @@ +:lastproofread: 2023-12-026 + +.. _firewall-global-options-configuration: + +##################################### +Global Options Firewall Configuration +##################################### + +******** +Overview +******** + +Some firewall settings are global and have an affect on the whole system. +In this section there's useful information about these global-options that can +be configured using vyos cli. + +Configuration commands covered in this section: + +.. cfgcmd:: set firewall global-options ... + +************* +Configuration +************* + +.. cfgcmd:: set firewall global-options all-ping [enable | disable] + + By default, when VyOS receives an ICMP echo request packet destined for + itself, it will answer with an ICMP echo reply, unless you avoid it + through its firewall. + + With the firewall you can set rules to accept, drop or reject ICMP in, + out or local traffic. You can also use the general **firewall all-ping** + command. This command affects only to LOCAL (packets destined for your + VyOS system), not to IN or OUT traffic. + + .. note:: **firewall global-options all-ping** affects only to LOCAL + and it always behaves in the most restrictive way + + .. code-block:: none + + set firewall global-options all-ping enable + + When the command above is set, VyOS will answer every ICMP echo request + addressed to itself, but that will only happen if no other rule is + applied dropping or rejecting local echo requests. In case of conflict, + VyOS will not answer ICMP echo requests. + + .. code-block:: none + + set firewall global-options all-ping disable + + When the command above is set, VyOS will answer no ICMP echo request + addressed to itself at all, no matter where it comes from or whether + more specific rules are being applied to accept them. + +.. cfgcmd:: set firewall global-options broadcast-ping [enable | disable] + + This setting enable or disable the response of icmp broadcast + messages. The following system parameter will be altered: + + * ``net.ipv4.icmp_echo_ignore_broadcasts`` + +.. cfgcmd:: set firewall global-options ip-src-route [enable | disable] +.. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable] + + This setting handle if VyOS accept packets with a source route + option. The following system parameter will be altered: + + * ``net.ipv4.conf.all.accept_source_route`` + * ``net.ipv6.conf.all.accept_source_route`` + +.. cfgcmd:: set firewall global-options receive-redirects [enable | disable] +.. cfgcmd:: set firewall global-options ipv6-receive-redirects + [enable | disable] + + enable or disable of ICMPv4 or ICMPv6 redirect messages accepted + by VyOS. The following system parameter will be altered: + + * ``net.ipv4.conf.all.accept_redirects`` + * ``net.ipv6.conf.all.accept_redirects`` + +.. cfgcmd:: set firewall global-options send-redirects [enable | disable] + + enable or disable ICMPv4 redirect messages send by VyOS + The following system parameter will be altered: + + * ``net.ipv4.conf.all.send_redirects`` + +.. cfgcmd:: set firewall global-options log-martians [enable | disable] + + enable or disable the logging of martian IPv4 packets. + The following system parameter will be altered: + + * ``net.ipv4.conf.all.log_martians`` + +.. cfgcmd:: set firewall global-options source-validation + [strict | loose | disable] + + Set the IPv4 source validation mode. + The following system parameter will be altered: + + * ``net.ipv4.conf.all.rp_filter`` + +.. cfgcmd:: set firewall global-options syn-cookies [enable | disable] + + Enable or Disable if VyOS use IPv4 TCP SYN Cookies. + The following system parameter will be altered: + + * ``net.ipv4.tcp_syncookies`` + +.. cfgcmd:: set firewall global-options twa-hazards-protection + [enable | disable] + + Enable or Disable VyOS to be :rfc:`1337` conform. + The following system parameter will be altered: + + * ``net.ipv4.tcp_rfc1337`` + +.. cfgcmd:: set firewall global-options state-policy established action + [accept | drop | reject] + +.. cfgcmd:: set firewall global-options state-policy established log + +.. cfgcmd:: set firewall global-options state-policy established log-level + [emerg | alert | crit | err | warn | notice | info | debug] + + Set the global setting for an established connection. + +.. cfgcmd:: set firewall global-options state-policy invalid action + [accept | drop | reject] + +.. cfgcmd:: set firewall global-options state-policy invalid log + +.. cfgcmd:: set firewall global-options state-policy invalid log-level + [emerg | alert | crit | err | warn | notice | info | debug] + + Set the global setting for invalid packets. + +.. cfgcmd:: set firewall global-options state-policy related action + [accept | drop | reject] + +.. cfgcmd:: set firewall global-options state-policy related log + +.. cfgcmd:: set firewall global-options state-policy related log-level + [emerg | alert | crit | err | warn | notice | info | debug] + + Set the global setting for related connections. diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst new file mode 100644 index 00000000..aee68793 --- /dev/null +++ b/docs/configuration/firewall/groups.rst @@ -0,0 +1,210 @@ +:lastproofread: 2023-11-08 + +.. _firewall-groups-configuration: + +############### +Firewall groups +############### + +************* +Configuration +************* + +Firewall groups represent collections of IP addresses, networks, ports, +mac addresses, domains or interfaces. Once created, a group can be referenced +by firewall, nat and policy route rules as either a source or destination +matcher, and/or as inbound/outbound in the case of interface group. + +Address Groups +============== + +In an **address group** a single IP address or IP address ranges are +defined. + +.. cfgcmd:: set firewall group address-group <name> address [address | + address range] +.. cfgcmd:: set firewall group ipv6-address-group <name> address <address> + + Define a IPv4 or a IPv6 address group + + .. code-block:: none + + set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1 + set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8 + set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1 + +.. cfgcmd:: set firewall group address-group <name> description <text> +.. cfgcmd:: set firewall group ipv6-address-group <name> description <text> + + Provide a IPv4 or IPv6 address group description + +Network Groups +============== + +While **network groups** accept IP networks in CIDR notation, specific +IP addresses can be added as a 32-bit prefix. If you foresee the need +to add a mix of addresses and networks, the network group is +recommended. + +.. cfgcmd:: set firewall group network-group <name> network <CIDR> +.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR> + + Define a IPv4 or IPv6 Network group. + + .. code-block:: none + + set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24 + set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24 + set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64 + +.. cfgcmd:: set firewall group network-group <name> description <text> +.. cfgcmd:: set firewall group ipv6-network-group <name> description <text> + + Provide an IPv4 or IPv6 network group description. + +Interface Groups +================ + +An **interface group** represents a collection of interfaces. + +.. cfgcmd:: set firewall group interface-group <name> interface <text> + + Define an interface group. Wildcard are accepted too. + +.. code-block:: none + + set firewall group interface-group LAN interface bond1001 + set firewall group interface-group LAN interface eth3* + +.. cfgcmd:: set firewall group interface-group <name> description <text> + + Provide an interface group description + +Port Groups +=========== + +A **port group** represents only port numbers, not the protocol. Port +groups can be referenced for either TCP or UDP. It is recommended that +TCP and UDP groups are created separately to avoid accidentally +filtering unnecessary ports. Ranges of ports can be specified by using +`-`. + +.. cfgcmd:: set firewall group port-group <name> port + [portname | portnumber | startport-endport] + + Define a port group. A port name can be any name defined in + /etc/services. e.g.: http + + .. code-block:: none + + set firewall group port-group PORT-TCP-SERVER1 port http + set firewall group port-group PORT-TCP-SERVER1 port 443 + set firewall group port-group PORT-TCP-SERVER1 port 5000-5010 + +.. cfgcmd:: set firewall group port-group <name> description <text> + + Provide a port group description. + +MAC Groups +========== + +A **mac group** represents a collection of mac addresses. + +.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address> + + Define a mac group. + +.. code-block:: none + + set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f + set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81 + +.. cfgcmd:: set firewall group mac-group <name> description <text> + + Provide a mac group description. + +Domain Groups +============= + +A **domain group** represents a collection of domains. + +.. cfgcmd:: set firewall group domain-group <name> address <domain> + + Define a domain group. + +.. code-block:: none + + set firewall group domain-group DOM address example.com + +.. cfgcmd:: set firewall group domain-group <name> description <text> + + Provide a domain group description. + +******** +Examples +******** + +As said before, once firewall groups are created, they can be referenced +either in firewall, nat, nat66 and/or policy-route rules. + +Here is an example were multiple groups are created: + + .. code-block:: none + + set firewall group address-group SERVERS address 198.51.100.101 + set firewall group address-group SERVERS address 198.51.100.102 + set firewall group network-group TRUSTEDv4 network 192.0.2.0/30 + set firewall group network-group TRUSTEDv4 network 203.0.113.128/25 + set firewall group ipv6-network-group TRUSTEDv6 network 2001:db8::/64 + set firewall group interface-group LAN interface eth2.2001 + set firewall group interface-group LAN interface bon0 + set firewall group port-group PORT-SERVERS port http + set firewall group port-group PORT-SERVERS port 443 + set firewall group port-group PORT-SERVERS port 5000-5010 + +And next, some configuration example where groups are used: + + .. code-block:: none + + set firewall ipv4 input filter rule 10 action accept + set firewall ipv4 input filter rule 10 inbound-interface group !LAN + set firewall ipv4 forward filter rule 20 action accept + set firewall ipv4 forward filter rule 20 source group network-group TRUSTEDv4 + set firewall ipv6 input filter rule 10 action accept + set firewall ipv6 input filter rule 10 source-group network-group TRUSTEDv6 + set nat destination rule 101 inbound-interface group LAN + set nat destination rule 101 destination group address-group SERVERS + set nat destination rule 101 protocol tcp + set nat destination rule 101 destination group port-group PORT-SERVERS + set nat destination rule 101 translation address 203.0.113.250 + set policy route PBR rule 201 destination group port-group PORT-SERVERS + set policy route PBR rule 201 protocol tcp + set policy route PBR rule 201 set table 15 + +************** +Operation-mode +************** + +.. opcmd:: show firewall group <name> + + Overview of defined groups. You see the type, the members, and where the + group is used. + + .. code-block:: none + + vyos@ZBF-15-CLean:~$ show firewall group + Firewall Groups + + Name Type References Members + ------------ ------------------ ---------------------- ---------------- + SERVERS address_group nat-destination-101 198.51.100.101 + 198.51.100.102 + LAN interface_group ipv4-input-filter-10 bon0 + nat-destination-101 eth2.2001 + TRUSTEDv6 ipv6_network_group ipv6-input-filter-10 2001:db8::/64 + TRUSTEDv4 network_group ipv4-forward-filter-20 192.0.2.0/30 + 203.0.113.128/25 + PORT-SERVERS port_group route-PBR-201 443 + nat-destination-101 5000-5010 + http + vyos@ZBF-15-CLean:~$ diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index dfafa606..3887e26a 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -1,10 +1,179 @@ +:lastproofread: 2023-11-23 + ######## Firewall ######## +With VyOS being based on top of Linux and its kernel, the Netfilter project +created the iptables and now the successor nftables for the Linux kernel to +work directly on the data flows. This now extends the concept of zone-based +security to allow for manipulating the data at multiple stages once accepted +by the network interface and the driver before being handed off to the +destination (e.g. a web server OR another device). + +A simplified traffic flow, based on Netfilter packet flow, is shown next, in +order to have a full view and understanding of how packets are processed, and +what possible paths can take. + +.. figure:: /_static/images/firewall-gral-packet-flow.png + +Main notes regarding this packet flow and terminology used in VyOS firewall: + + * **Bridge Port?**: choose appropiate path based on if interface were the + packet was received is part of a bridge, or not. + +If interface were the packet was received isn't part of a bridge, then packet +is processed at the **IP Layer**: + + * **Prerouting**: several actions can be done in this stage, and currently + these actions are defined in different parts in vyos configuration. Order + is important, and all these actions are performed before any actions + define under ``firewall`` section. Relevant configuration that acts in + this stage are: + + * **Conntrack Ignore**: rules defined under ``set system conntrack ignore + [ipv4 | ipv6] ...``. + + * **Policy Route**: rules defined under ``set policy [route | route6] + ...``. + + * **Destination NAT**: rules defined under ``set [nat | nat66] + destination...``. + + * **Destination is the router?**: choose appropiate path based on + destination IP address. Transit forward continunes to **forward**, + while traffic that destination IP address is configured on the router + continues to **input**. + + * **Input**: stage where traffic destinated to the router itself can be + filtered and controlled. This is where all rules for securing the router + should take place. This includes ipv4 and ipv6 filtering rules, defined + in: + + * ``set firewall ipv4 input filter ...``. + + * ``set firewall ipv6 input filter ...``. + + * **Forward**: stage where transit traffic can be filtered and controlled. + This includes ipv4 and ipv6 filtering rules, defined in: + + * ``set firewall ipv4 forward filter ...``. + + * ``set firewall ipv6 forward filter ...``. + + * **Output**: stage where traffic that is originated by the router itself + can be filtered and controlled. Bare in mind that this traffic can be a + new connection originted by a internal process running on VyOS router, + such as NTP, or can be a response to traffic received externaly through + **inputt** (for example response to an ssh login attempt to the router). + This includes ipv4 and ipv6 filtering rules, defined in: + + * ``set firewall ipv4 input filter ...``. + + * ``set firewall ipv6 output filter ...``. + + * **Postrouting**: as in **Prerouting**, several actions defined in + different parts of VyOS configuration are performed in this + stage. This includes: + + * **Source NAT**: rules defined under ``set [nat | nat66] + destination...``. + +If interface were the packet was received is part of a bridge, then packet +is processed at the **Bridge Layer**, which contains a ver basic setup where +for bridge filtering: + + * **Forward (Bridge)**: stage where traffic that is trasspasing through the + bridge is filtered and controlled: + + * ``set firewall bridge forward filter ...``. + +Main structure VyOS firewall cli is shown next: + +.. code-block:: none + + - set firewall + * bridge + - forward + + filter + * flowtable + - custom_flow_table + + ... + * global-options + + all-ping + + broadcast-ping + + ... + * group + - address-group + - ipv6-address-group + - network-group + - ipv6-network-group + - interface-group + - mac-group + - port-group + - domain-group + * ipv4 + - forward + + filter + - input + + filter + - output + + filter + - name + + custom_name + * ipv6 + - forward + + filter + - input + + filter + - output + + filter + - ipv6-name + + custom_name + * zone + - custom_zone_name + + ... + +Please, refer to appropiate section for more information about firewall +configuration: + +.. toctree:: + :maxdepth: 1 + :includehidden: + + global-options + groups + bridge + ipv4 + ipv6 + flowtables + +.. note:: **For more information** + of Netfilter hooks and Linux networking packet flows can be + found in `Netfilter-Hooks + <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_ + + +Zone-based firewall +^^^^^^^^^^^^^^^^^^^ .. toctree:: :maxdepth: 1 :includehidden: - general zone + +With zone-based firewalls a new concept was implemented, in addtion to the +standard in and out traffic flows, a local flow was added. This local was for +traffic originating and destined to the router itself. Which means additional +rules were required to secure the firewall itself from the network, in +addition to the existing inbound and outbound rules from the traditional +concept above. + +To configure VyOS with the +:doc:`zone-based firewall configuration </configuration/firewall/zone>` + +As the example image below shows, the device now needs rules to allow/block +traffic to or from the services running on the device that have open +connections on that interface. + +.. figure:: /_static/images/firewall-zonebased.png diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst new file mode 100644 index 00000000..9a683d22 --- /dev/null +++ b/docs/configuration/firewall/ipv4.rst @@ -0,0 +1,1179 @@ +:lastproofread: 2023-11-08 + +.. _firewall-ipv4-configuration: + +########################### +IPv4 Firewall Configuration +########################### + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding IPv4, and appropiate op-mode commands. +Configuration commands covered in this section: + +.. cfgcmd:: set firewall ipv4 ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * ipv4 + - forward + + filter + - input + + filter + - output + + filter + - name + + custom_name + +For transit traffic, which is received by the router and forwarded, base chain +is **forward**. A simplified packet flow diagram for transit traffic is shown +next: + +.. figure:: /_static/images/firewall-fwd-packet-flow.png + +Where firewall base chain to configure firewall filtering rules for transit +traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, +highlightened with red color. + +For traffic towards the router itself, base chain is **input**, while traffic +originated by the router, base chain is **output**. +A new simplified packet flow diagram is shown next, which shows the path +for traffic destinated to the router itself, and traffic generated by the +router (starting from circle number 6): + +.. figure:: /_static/images/firewall-input-packet-flow.png + +Base chain is for traffic toward the router is ``set firewall ipv4 input +filter ...`` + +And base chain for traffic generated by the router is ``set firewall ipv4 +output filter ...`` + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop** + +Custom firewall chains can be created, with commands +``set firewall ipv4 name <name> ...``. In order to use +such custom chain, a rule with **action jump**, and the appropiate **target** +should be defined in a base chain. + +********************* +Firewall - IPv4 Rules +********************* + +For firewall filtering, firewall rules needs to be created. Each rule is +numbered, has an action to apply if the rule is matched, and the ability +to specify multiple criteria matchers. Data packets go through the rules +from 1 - 999999, so order is crucial. At the first match the action of the +rule will be executed. + +Actions +======= + +If a rule is defined, then an action must be defined for it. This tells the +firewall what to do if all criteria matchers defined for such rule do match. + +The action can be : + + * ``accept``: accept the packet. + + * ``continue``: continue parsing next rule. + + * ``drop``: drop the packet. + + * ``reject``: reject the packet. + + * ``jump``: jump to another custom chain. + + * ``return``: Return from the current chain and continue at the next rule + of the last chain. + + * ``queue``: Enqueue packet to userspace. + + * ``synproxy``: synproxy the packet. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] + + This required setting defines the action of the current rule. If action is + set to jump, then jump-target is also needed. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + jump-target <text> + + To be used only when action is set to ``jump``. Use this command to specify + jump target. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + queue <0-65535> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + queue <0-65535> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + queue <0-65535> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + queue <0-65535> + + To be used only when action is set to ``queue``. Use this command to specify + queue target to use. Queue range is also supported. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + queue-options bypass +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + queue-options bypass +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + queue-options bypass +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + queue-options bypass + + To be used only when action is set to ``queue``. Use this command to let + packet go through firewall when no userspace software is connected to the + queue. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + queue-options fanout +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + queue-options fanout +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + queue-options fanout +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + queue-options fanout + + To be used only when action is set to ``queue``. Use this command to + distribute packets between several queues. + +Also, **default-action** is an action that takes place whenever a packet does +not match any rule in it's chain. For base chains, possible options for +**default-action** are **accept** or **drop**. + +.. cfgcmd:: set firewall ipv4 forward filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv4 input filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv4 output filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv4 name <name> default-action + [accept | drop | jump | queue | reject | return] + + This set the default action of the rule-set if no rule matched a packet + criteria. If default-action is set to ``jump``, then + ``default-jump-target`` is also needed. Note that for base chains, default + action can only be set to ``accept`` or ``drop``, while on custom chain, + more actions are available. + +.. cfgcmd:: set firewall ipv4 name <name> default-jump-target <text> + + To be used only when ``defult-action`` is set to ``jump``. Use this + command to specify jump target for default rule. + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop**. + +Firewall Logs +============= + +Logging can be enable for every single firewall rule. If enabled, other +log options can be defined. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> log +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> log +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log + + Enable logging for the matched packet. If this configuration command is not + present, then log is not enabled. + +.. cfgcmd:: set firewall ipv4 forward filter enable-default-log +.. cfgcmd:: set firewall ipv4 input filter enable-default-log +.. cfgcmd:: set firewall ipv4 output filter enable-default-log +.. cfgcmd:: set firewall ipv4 name <name> enable-default-log + + Use this command to enable the logging of the default action on + the specified chain. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] + + Define log-level. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options group <0-65535> + + Define log group to send message to. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options snapshot-length <0-9000> + + Define length of packet payload to include in netlink message. Only + applicable if rule log is enable and log group is defined. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + log-options queue-threshold <0-65535> + + Define number of packets to queue inside the kernel before sending them to + userspace. Only applicable if rule log is enable and log group is defined. + +Firewall Description +==================== + +For reference, a description can be defined for every single rule, and for +every defined custom chain. + +.. cfgcmd:: set firewall ipv4 name <name> description <text> + + Provide a rule-set description to a custom firewall chain. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> description <text> + + Provide a description for each rule. + +Rule Status +=========== + +When defining a rule, it is enable by default. In some cases, it is useful to +just disable the rule, rather than removing it. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> disable + + Command for disabling a rule but keep it in the configuration. + +Matching criteria +================= + +There are a lot of matching criteria against which the packet can be tested. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + connection-status nat [destination | source] + + Match criteria based on nat connection status. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + connection-mark <1-2147483647> + + Match criteria based on connection mark. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source address [address | addressrange | CIDR] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination address [address | addressrange | CIDR] + + Match criteria based on source and/or destination address. This is similar + to the network groups part, but here you are able to negate the matching + addresses. + + .. code-block:: none + + set firewall ipv4 name FOO rule 50 source address 192.0.2.10-192.0.2.11 + # with a '!' the rule match everything except the specified subnet + set firewall ipv4 input filter FOO rule 51 source address !203.0.113.0/24 + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source address-mask [address] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination address-mask [address] + + An arbitrary netmask can be applied to mask addresses to only match against + a specific portion. + + This functions for both individual addresses and address groups. + + .. code-block:: none + + # Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet + set firewall ipv4 name FOO rule 100 destination address 0.11.0.13 + set firewall ipv4 name FOO rule 100 destination address-mask 0.255.0.255 + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination fqdn <fqdn> + + Specify a Fully Qualified Domain Name as source/destination matcher. Ensure + router is able to resolve such dns query. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source geoip country-code <country> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination geoip country-code <country> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source geoip inverse-match + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination geoip inverse-match + + Match IP addresses based on its geolocation. More info: `geoip matching + <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. + Use inverse-match to match anything except the given country-codes. + +Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, +permits redistribution so we can include a database in images(~3MB +compressed). Includes cron script (manually callable by op-mode update +geoip) to keep database and rules updated. + + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source mac-address <mac-address> + + Only in the source criteria, you can specify a mac-address. + + .. code-block:: none + + set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33 + set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34 + + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source port [1-65535 | portname | start-end] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination port [1-65535 | portname | start-end] + + A port can be set with a port number or a name which is here + defined: ``/etc/services``. + + .. code-block:: none + + set firewall ipv4 forward filter rule 10 source port '22' + set firewall ipv4 forward filter rule 11 source port '!http' + set firewall ipv4 forward filter rule 12 source port 'https' + + Multiple source ports can be specified as a comma-separated list. + The whole list can also be "negated" using ``!``. For example: + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group address-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group address-group <name | !name> + + Use a specific address-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group network-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group network-group <name | !name> + + Use a specific network-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group port-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group port-group <name | !name> + + Use a specific port-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group domain-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group domain-group <name | !name> + + Use a specific domain-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + source group mac-group <name | !name> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + destination group mac-group <name | !name> + + Use a specific mac-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + dscp [0-63 | start-end] + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + dscp-exclude [0-63 | start-end] + + Match based on dscp value. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + fragment [match-frag | match-non-frag] + + Match based on fragment criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + icmp [code | type] <0-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + icmp [code | type] <0-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + icmp [code | type] <0-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + icmp [code | type] <0-255> + + Match based on icmp code and type. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + icmp type-name <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + icmp type-name <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + icmp type-name <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + icmp type-name <text> + + Match based on icmp type-name criteria. Use tab for information + about what **type-name** criteria are supported. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + inbound-interface name <iface> + + Match based on inbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + inbound-interface group <iface_group> + + Match based on inbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + outbound-interface name <iface> + + Match based on outbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + outbound-interface group <iface_group> + + Match based on outbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + ipsec [match-ipsec | match-none] + + Match based on ipsec criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + limit burst <0-4294967295> + + Match based on the maximum number of packets to allow in excess of rate. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + limit rate <text> + + Match based on the maximum average rate, specified as **integer/unit**. + For example **5/minutes** + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + packet-length <text> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + packet-length-exclude <text> + + Match based on packet length criteria. Multiple values from 1 to 65535 + and ranges are supported. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + packet-type [broadcast | host | multicast | other] + + Match based on packet type criteria. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] + + Match a protocol criteria. A protocol number or a name which is here + defined: ``/etc/protocols``. + Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp + based packets. The ``!`` negate the selected protocol. + + .. code-block:: none + + set firewall ipv4 forward fitler rule 10 protocol tcp_udp + set firewall ipv4 forward fitler rule 11 protocol !tcp_udp + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent time [second | minute | hour] + + Match bases on recently seen sources. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + tcp flags [not] <text> + + Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, + ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for + inverted selection use ``not``, as shown in the example. + + .. code-block:: none + + set firewall ipv4 input filter rule 10 tcp flags 'ack' + set firewall ipv4 input filter rule 12 tcp flags 'syn' + set firewall ipv4 input filter rule 13 tcp flags not 'fin' + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + state [established | invalid | new | related] [enable | disable] + + Match against the state of a packet. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + time weekdays <text> + + Time to match the defined rule. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + ttl <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + ttl <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + ttl <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + ttl <eq | gt | lt> <0-255> + + Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for + 'greater than', and 'lt' stands for 'less than'. + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv4 input filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv4 output filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> + recent time <second | minute | hour> + + Match when 'count' amount of connections are seen within 'time'. These + matching criteria can be used to block brute-force attempts. + +******** +Synproxy +******** +Synproxy connections + +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> action synproxy +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> protocol tcp +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> + + Set TCP-MSS (maximum segment size) for the connection + +.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> + + Set the window scale factor for TCP window scaling + +Example synproxy +================ +Requirements to enable synproxy: + + * Traffic must be symmetric + * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled + * Disable conntrack loose track option + +.. code-block:: none + + set system sysctl parameter net.ipv4.tcp_timestamps value '1' + + set system conntrack tcp loose disable + set system conntrack ignore ipv4 rule 10 destination port '8080' + set system conntrack ignore ipv4 rule 10 protocol 'tcp' + set system conntrack ignore ipv4 rule 10 tcp flags syn + + set firewall global-options syn-cookies 'enable' + set firewall ipv4 input filter rule 10 action 'synproxy' + set firewall ipv4 input filter rule 10 destination port '8080' + set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' + set firewall ipv4 input filter rule 10 protocol 'tcp' + set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' + set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7' + set firewall ipv4 input filter rule 1000 action 'drop' + set firewall ipv4 input filter rule 1000 state invalid 'enable' + + +*********************** +Operation-mode Firewall +*********************** + +Rule-set overview +================= + +.. opcmd:: show firewall + + This will show you a basic firewall overview, for all ruleset, and not + only for ipv4 + + .. code-block:: none + + vyos@vyos:~$ show firewall + Rulesets Information + + --------------------------------- + ipv4 Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------- + 20 accept all 0 0 ip saddr @N_TRUSTEDv4 accept + 21 jump all 0 0 jump NAME_AUX + default accept all 0 0 + + --------------------------------- + ipv4 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ------------------------- + 10 accept all 156 14377 iifname != @I_LAN accept + default accept all 0 0 + + --------------------------------- + ipv4 Firewall "name AUX" + + Rule Action Protocol Packets Bytes Conditions + ------ -------- ---------- --------- ------- -------------------------------------------- + 10 accept icmp 0 0 meta l4proto icmp accept + 20 accept udp 0 0 meta l4proto udp ip saddr @A_SERVERS accept + 30 drop all 0 0 ip saddr != @A_SERVERS iifname "eth2" + + --------------------------------- + ipv4 Firewall "output filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------- + 10 reject all 0 0 oifname @I_LAN + 20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept + default accept all 72 9258 + + --------------------------------- + ipv6 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ------------------------------- + 10 accept all 0 0 ip6 saddr @N6_TRUSTEDv6 accept + default accept all 2 112 + + vyos@vyos:~$ + +.. opcmd:: show firewall summary + + This will show you a summary of rule-sets and groups + + .. code-block:: none + + vyos@vyos:~$ show firewall summary + Ruleset Summary + + IPv6 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- -------------------- ------------------------- + forward filter + input filter + ipv6_name IPV6-VyOS_MANAGEMENT + ipv6_name IPV6-WAN_IN PUBLIC_INTERNET + + IPv4 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- ------------------ ------------------------- + forward filter + input filter + name VyOS_MANAGEMENT + name WAN_IN PUBLIC_INTERNET + + Firewall Groups + + Name Type References Members + ----------------------- ------------------ ----------------------- ---------------- + PBX address_group WAN_IN-100 198.51.100.77 + SERVERS address_group WAN_IN-110 192.0.2.10 + WAN_IN-111 192.0.2.11 + WAN_IN-112 192.0.2.12 + WAN_IN-120 + WAN_IN-121 + WAN_IN-122 + SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2 + WAN_IN-20 + PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2 + PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2 + WAN_IN-171 + PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1 + SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2 + IPV6-WAN_IN-111 2001:db8::3 + IPV6-WAN_IN-112 2001:db8::4 + IPV6-WAN_IN-120 + IPV6-WAN_IN-121 + IPV6-WAN_IN-122 + SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5 + IPV6-WAN_IN-20 + + +.. opcmd:: show firewall ipv4 [forward | input | output] filter + +.. opcmd:: show firewall ipv4 name <name> + + This command will give an overview of a single rule-set. + + .. code-block:: none + + vyos@vyos:~$ show firewall ipv4 input filter + Ruleset Information + + --------------------------------- + IPv4 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------------------- + 5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT + default accept all + +.. opcmd:: show firewall ipv4 [forward | input | output] + filter rule <1-999999> +.. opcmd:: show firewall ipv4 name <name> rule <1-999999> + + This command will give an overview of a rule in a single rule-set, plus + information for default action. + +.. code-block:: none + + vyos@vyos:~$show firewall ipv4 output filter rule 20 + Rule Information + + --------------------------------- + ipv4 Firewall "output filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------- + 20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept + default accept all 286 47614 + + vyos@vyos:~$ + + +.. opcmd:: show firewall statistics + + This will show you a statistic of all rule-sets since the last boot. + +Show Firewall log +================= + +.. opcmd:: show log firewall +.. opcmd:: show log firewall ipv4 +.. opcmd:: show log firewall ipv4 [forward | input | output | name] +.. opcmd:: show log firewall ipv4 [forward | input | output] filter +.. opcmd:: show log firewall ipv4 name <name> +.. opcmd:: show log firewall ipv4 [forward | input | output] filter rule <rule> +.. opcmd:: show log firewall ipv4 name <name> rule <rule> + + Show the logs of all firewall; show all ipv4 firewall logs; show all logs + for particular hook; show all logs for particular hook and priority; show all logs + for particular custom chain; show logs for specific Rule-Set. + +Example Partial Config +====================== + +.. code-block:: none + + firewall { + group { + network-group BAD-NETWORKS { + network 198.51.100.0/24 + network 203.0.113.0/24 + } + network-group GOOD-NETWORKS { + network 192.0.2.0/24 + } + port-group BAD-PORTS { + port 65535 + } + } + ipv4 { + forward { + filter { + default-action accept + rule 5 { + action accept + source { + group { + network-group GOOD-NETWORKS + } + } + } + rule 10 { + action drop + description "Bad Networks" + protocol all + source { + group { + network-group BAD-NETWORKS + } + } + } + } + } + } + } + +Update geoip database +===================== + +.. opcmd:: update geoip + + Command used to update GeoIP database and firewall sets. diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst new file mode 100644 index 00000000..0aa8a137 --- /dev/null +++ b/docs/configuration/firewall/ipv6.rst @@ -0,0 +1,1195 @@ +:lastproofread: 2023-11-08 + +.. _firewall-ipv6-configuration: + +########################### +IPv6 Firewall Configuration +########################### + +******** +Overview +******** + +In this section there's useful information of all firewall configuration that +can be done regarding IPv6, and appropiate op-mode commands. +Configuration commands covered in this section: + +.. cfgcmd:: set firewall ipv6 ... + +From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * ipv6 + - forward + + filter + - input + + filter + - output + + filter + - name + + custom_name + +For transit traffic, which is received by the router and forwarded, base chain +is **forward**. A simplified packet flow diagram for transit traffic is shown +next: + +.. figure:: /_static/images/firewall-fwd-packet-flow.png + +Where firewall base chain to configure firewall filtering rules for transit +traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, +highlightened with red color. + +For traffic towards the router itself, base chain is **input**, while traffic +originated by the router, base chain is **output**. +A new simplified packet flow diagram is shown next, which shows the path +for traffic destinated to the router itself, and traffic generated by the +router (starting from circle number 6): + +.. figure:: /_static/images/firewall-input-packet-flow.png + +Base chain is for traffic toward the router is ``set firewall ipv6 input +filter ...`` + +And base chain for traffic generated by the router is ``set firewall ipv6 +output filter ...`` + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop** + +Custom firewall chains can be created, with commands +``set firewall ipv6 name <name> ...``. In order to use +such custom chain, a rule with **action jump**, and the appropiate **target** +should be defined in a base chain. + +****************************** +Firewall - IPv6 Rules +****************************** + +For firewall filtering, firewall rules needs to be created. Each rule is +numbered, has an action to apply if the rule is matched, and the ability +to specify multiple criteria matchers. Data packets go through the rules +from 1 - 999999, so order is crucial. At the first match the action of the +rule will be executed. + +Actions +======= + +If a rule is defined, then an action must be defined for it. This tells the +firewall what to do if all criteria matchers defined for such rule do match. + +The action can be : + + * ``accept``: accept the packet. + + * ``continue``: continue parsing next rule. + + * ``drop``: drop the packet. + + * ``reject``: reject the packet. + + * ``jump``: jump to another custom chain. + + * ``return``: Return from the current chain and continue at the next rule + of the last chain. + + * ``queue``: Enqueue packet to userspace. + + * ``synproxy``: synproxy the packet. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return | synproxy] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> action + [accept | continue | drop | jump | queue | reject | return] + + This required setting defines the action of the current rule. If action is + set to jump, then jump-target is also needed. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + jump-target <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + jump-target <text> + + To be used only when action is set to ``jump``. Use this command to specify + jump target. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + queue <0-65535> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + queue <0-65535> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + queue <0-65535> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + queue <0-65535> + + To be used only when action is set to ``queue``. Use this command to specify + queue target to use. Queue range is also supported. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + queue-options bypass +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + queue-options bypass +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + queue-options bypass +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + queue-options bypass + + To be used only when action is set to ``queue``. Use this command to let + packet go through firewall when no userspace software is connected to the + queue. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + queue-options fanout +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + queue-options fanout +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + queue-options fanout +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + queue-options fanout + + To be used only when action is set to ``queue``. Use this command to + distribute packets between several queues. + +Also, **default-action** is an action that takes place whenever a packet does +not match any rule in it's chain. For base chains, possible options for +**default-action** are **accept** or **drop**. + +.. cfgcmd:: set firewall ipv6 forward filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv6 input filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv6 output filter default-action + [accept | drop] +.. cfgcmd:: set firewall ipv6 name <name> default-action + [accept | drop | jump | queue | reject | return] + + This set the default action of the rule-set if no rule matched a packet + criteria. If default-action is set to ``jump``, then + ``default-jump-target`` is also needed. Note that for base chains, default + action can only be set to ``accept`` or ``drop``, while on custom chain, + more actions are available. + +.. cfgcmd:: set firewall ipv6 name <name> default-jump-target <text> + + To be used only when ``defult-action`` is set to ``jump``. Use this + command to specify jump target for default rule. + +.. note:: **Important note about default-actions:** + If default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if default + action is not defined, then the default-action is set to **drop**. + +Firewall Logs +============= + +Logging can be enable for every single firewall rule. If enabled, other +log options can be defined. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> log +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> log +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log + + Enable logging for the matched packet. If this configuration command is not + present, then log is not enabled. + +.. cfgcmd:: set firewall ipv6 forward filter enable-default-log +.. cfgcmd:: set firewall ipv6 input filter enable-default-log +.. cfgcmd:: set firewall ipv6 output filter enable-default-log +.. cfgcmd:: set firewall ipv6 name <name> enable-default-log + + Use this command to enable the logging of the default action on + the specified chain. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + log-options level [emerg | alert | crit | err | warn | notice + | info | debug] + + Define log-level. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + log-options group <0-65535> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + log-options group <0-65535> + + Define log group to send message to. Only applicable if rule log is enable. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + log-options snapshot-length <0-9000> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + log-options snapshot-length <0-9000> + + Define length of packet payload to include in netlink message. Only + applicable if rule log is enable and log group is defined. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + log-options queue-threshold <0-65535> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + log-options queue-threshold <0-65535> + + Define number of packets to queue inside the kernel before sending them to + userspace. Only applicable if rule log is enable and log group is defined. + +Firewall Description +==================== + +For reference, a description can be defined for every single rule, and for +every defined custom chain. + +.. cfgcmd:: set firewall ipv6 name <name> description <text> + + Provide a rule-set description to a custom firewall chain. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + description <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> description <text> + + Provide a description for each rule. + +Rule Status +=========== + +When defining a rule, it is enable by default. In some cases, it is useful to +just disable the rule, rather than removing it. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> disable +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> disable + + Command for disabling a rule but keep it in the configuration. + +Matching criteria +================= + +There are a lot of matching criteria against which the packet can be tested. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + connection-status nat [destination | source] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + connection-status nat [destination | source] + + Match criteria based on nat connection status. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + connection-mark <1-2147483647> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + connection-mark <1-2147483647> + + Match criteria based on connection mark. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source address [address | addressrange | CIDR] + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination address [address | addressrange | CIDR] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination address [address | addressrange | CIDR] + + Match criteria based on source and/or destination address. This is similar + to the network groups part, but here you are able to negate the matching + addresses. + + .. code-block:: none + + set firewall ipv6 name FOO rule 100 source address 2001:db8::202 + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source address-mask [address] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source address-mask [address] + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination address-mask [address] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination address-mask [address] + + An arbitrary netmask can be applied to mask addresses to only match against + a specific portion. This is particularly useful with IPv6 as rules will + remain valid if the IPv6 prefix changes and the host + portion of systems IPv6 address is static (for example, with SLAAC or + `tokenised IPv6 addresses + <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) + + This functions for both individual addresses and address groups. + + .. code-block:: none + + # Match any IPv6 address with the suffix ::0000:0000:0000:beef + set firewall ipv6 forward filter rule 100 destination address ::beef + set firewall ipv6 forward filter rule 100 destination address-mask ::ffff:ffff:ffff:ffff + # Address groups + set firewall group ipv6-address-group WEBSERVERS address ::1000 + set firewall group ipv6-address-group WEBSERVERS address ::2000 + set firewall ipv6 forward filter rule 200 source group address-group WEBSERVERS + set firewall ipv6 forward filter rule 200 source address-mask ::ffff:ffff:ffff:ffff + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination fqdn <fqdn> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination fqdn <fqdn> + + Specify a Fully Qualified Domain Name as source/destination matcher. Ensure + router is able to resolve such dns query. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source geoip country-code <country> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source geoip country-code <country> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination geoip country-code <country> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination geoip country-code <country> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source geoip inverse-match +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source geoip inverse-match + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination geoip inverse-match +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination geoip inverse-match + + Match IP addresses based on its geolocation. More info: `geoip matching + <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. + Use inverse-match to match anything except the given country-codes. + +Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, +permits redistribution so we can include a database in images(~3MB +compressed). Includes cron script (manually callable by op-mode update +geoip) to keep database and rules updated. + + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source mac-address <mac-address> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source mac-address <mac-address> + + Only in the source criteria, you can specify a mac-address. + + .. code-block:: none + + set firewall ipv6 input filter rule 100 source mac-address 00:53:00:11:22:33 + set firewall ipv6 input filter rule 101 source mac-address !00:53:00:aa:12:34 + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source port [1-65535 | portname | start-end] + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination port [1-65535 | portname | start-end] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination port [1-65535 | portname | start-end] + + A port can be set with a port number or a name which is here + defined: ``/etc/services``. + + .. code-block:: none + + set firewall ipv6 forward filter rule 10 source port '22' + set firewall ipv6 forward filter rule 11 source port '!http' + set firewall ipv6 forward filter rule 12 source port 'https' + + Multiple source ports can be specified as a comma-separated list. + The whole list can also be "negated" using ``!``. For example: + + .. code-block:: none + + set firewall ipv6 forward filter rule 10 source port '!22,https,3333-3338' + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group address-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group address-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group address-group <name | !name> + + Use a specific address-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group network-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group network-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group network-group <name | !name> + + Use a specific network-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group port-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group port-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group port-group <name | !name> + + Use a specific port-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group domain-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group domain-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group domain-group <name | !name> + + Use a specific domain-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + source group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + source group mac-group <name | !name> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + destination group mac-group <name | !name> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + destination group mac-group <name | !name> + + Use a specific mac-group. Prepend character ``!`` for inverted matching + criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + dscp [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + dscp [0-63 | start-end] + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + dscp-exclude [0-63 | start-end] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + dscp-exclude [0-63 | start-end] + + Match based on dscp value. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + fragment [match-frag | match-non-frag] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + fragment [match-frag | match-non-frag] + + Match based on fragment criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + icmpv6 [code | type] <0-255> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + icmpv6 [code | type] <0-255> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + icmpv6 [code | type] <0-255> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + icmpv6 [code | type] <0-255> + + Match based on icmp|icmpv6 code and type. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + icmpv6 type-name <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + icmpv6 type-name <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + icmpv6 type-name <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + icmpv6 type-name <text> + + Match based on icmpv6 type-name criteria. Use tab for information + about what **type-name** criteria are supported. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + inbound-interface name <iface> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + inbound-interface name <iface> + + Match based on inbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + inbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + inbound-interface group <iface_group> + + Match based on inbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + outbound-interface name <iface> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + outbound-interface name <iface> + + Match based on outbound interface. Wilcard ``*`` can be used. + For example: ``eth2*``. Prepending character ``!`` for inverted matching + criteria is also supportd. For example ``!eth2`` + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + outbound-interface group <iface_group> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + outbound-interface group <iface_group> + + Match based on outbound interface group. Prepending character ``!`` for + inverted matching criteria is also supportd. For example ``!IFACE_GROUP`` + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + ipsec [match-ipsec | match-none] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + ipsec [match-ipsec | match-none] + + Match based on ipsec criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + limit burst <0-4294967295> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + limit burst <0-4294967295> + + Match based on the maximum number of packets to allow in excess of rate. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + limit rate <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + limit rate <text> + + Match based on the maximum average rate, specified as **integer/unit**. + For example **5/minutes** + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + packet-length <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + packet-length <text> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + packet-length-exclude <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + packet-length-exclude <text> + + Match based on packet length criteria. Multiple values from 1 to 65535 + and ranges are supported. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + packet-type [broadcast | host | multicast | other] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + packet-type [broadcast | host | multicast | other] + + Match based on packet type criteria. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + protocol [<text> | <0-255> | all | tcp_udp] + + Match a protocol criteria. A protocol number or a name which is here + defined: ``/etc/protocols``. + Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp + based packets. The ``!`` negate the selected protocol. + + .. code-block:: none + + set firewall ipv6 input filter rule 10 protocol tcp + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + recent time [second | minute | hour] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + recent time [second | minute | hour] + + Match bases on recently seen sources. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + tcp flags [not] <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + tcp flags [not] <text> + + Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, + ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for + inverted selection use ``not``, as shown in the example. + + .. code-block:: none + + set firewall ipv6 input filter rule 10 tcp flags 'ack' + set firewall ipv6 input filter rule 12 tcp flags 'syn' + set firewall ipv6 input filter rule 13 tcp flags not 'fin' + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + state [established | invalid | new | related] [enable | disable] +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + state [established | invalid | new | related] [enable | disable] + + Match against the state of a packet. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time startdate <text> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time starttime <text> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time stopdate <text> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time stoptime <text> +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + time weekdays <text> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + time weekdays <text> + + Time to match the defined rule. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + hop-limit <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + hop-limit <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + hop-limit <eq | gt | lt> <0-255> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + hop-limit <eq | gt | lt> <0-255> + + Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for + 'greater than', and 'lt' stands for 'less than'. + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + recent count <1-255> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + recent count <1-255> + +.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv6 input filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv6 output filter rule <1-999999> + recent time <second | minute | hour> +.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> + recent time <second | minute | hour> + + Match when 'count' amount of connections are seen within 'time'. These + matching criteria can be used to block brute-force attempts. + +******** +Synproxy +******** +Synproxy connections + +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> action synproxy +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> protocol tcp +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> + + Set TCP-MSS (maximum segment size) for the connection + +.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> + + Set the window scale factor for TCP window scaling + +Example synproxy +================ +Requirements to enable synproxy: + + * Traffic must be symmetric + * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled + * Disable conntrack loose track option + +.. code-block:: none + + set system sysctl parameter net.ipv4.tcp_timestamps value '1' + + set system conntrack tcp loose disable + set system conntrack ignore ipv6 rule 10 destination port '8080' + set system conntrack ignore ipv6 rule 10 protocol 'tcp' + set system conntrack ignore ipv6 rule 10 tcp flags syn + + set firewall global-options syn-cookies 'enable' + set firewall ipv6 input filter rule 10 action 'synproxy' + set firewall ipv6 input filter rule 10 destination port '8080' + set firewall ipv6 input filter rule 10 inbound-interface interface-name 'eth1' + set firewall ipv6 input filter rule 10 protocol 'tcp' + set firewall ipv6 input filter rule 10 synproxy tcp mss '1460' + set firewall ipv6 input filter rule 10 synproxy tcp window-scale '7' + set firewall ipv6 input filter rule 1000 action 'drop' + set firewall ipv6 input filter rule 1000 state invalid 'enable' + +*********************** +Operation-mode Firewall +*********************** + +Rule-set overview +================= + +.. opcmd:: show firewall + + This will show you a basic firewall overview + + .. code-block:: none + + vyos@vyos:~$ show firewall + Rulesets Information + + --------------------------------- + IPv4 Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------------------- + 5 jump all 0 0 iifname "eth1" jump NAME_VyOS_MANAGEMENT + 10 jump all 0 0 oifname "eth1" jump NAME_WAN_IN + 15 jump all 0 0 iifname "eth3" jump NAME_WAN_IN + default accept all + + --------------------------------- + IPv4 Firewall "name VyOS_MANAGEMENT" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- -------------------------------- + 5 accept all 0 0 ct state established accept + 10 drop all 0 0 ct state invalid + 20 accept all 0 0 ip saddr @A_GOOD_GUYS accept + 30 accept all 0 0 ip saddr @N_ENTIRE_RANGE accept + 40 accept all 0 0 ip saddr @A_VyOS_SERVERS accept + 50 accept icmp 0 0 meta l4proto icmp accept + default drop all 0 0 + + --------------------------------- + IPv6 Firewall "forward filter" + + Rule Action Protocol + ------- -------- ---------- + 5 jump all + 10 jump all + 15 jump all + default accept all + + --------------------------------- + IPv6 Firewall "input filter" + + Rule Action Protocol + ------- -------- ---------- + 5 jump all + default accept all + + --------------------------------- + IPv6 Firewall "ipv6_name IPV6-VyOS_MANAGEMENT" + + Rule Action Protocol + ------- -------- ---------- + 5 accept all + 10 drop all + 20 accept all + 30 accept all + 40 accept all + 50 accept ipv6-icmp + default drop all + +.. opcmd:: show firewall summary + + This will show you a summary of rule-sets and groups + + .. code-block:: none + + vyos@vyos:~$ show firewall summary + Ruleset Summary + + IPv6 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- -------------------- ------------------------- + forward filter + input filter + ipv6_name IPV6-VyOS_MANAGEMENT + ipv6_name IPV6-WAN_IN PUBLIC_INTERNET + + IPv4 Ruleset: + + Ruleset Hook Ruleset Priority Description + -------------- ------------------ ------------------------- + forward filter + input filter + name VyOS_MANAGEMENT + name WAN_IN PUBLIC_INTERNET + + Firewall Groups + + Name Type References Members + ----------------------- ------------------ ----------------------- ---------------- + PBX address_group WAN_IN-100 198.51.100.77 + SERVERS address_group WAN_IN-110 192.0.2.10 + WAN_IN-111 192.0.2.11 + WAN_IN-112 192.0.2.12 + WAN_IN-120 + WAN_IN-121 + WAN_IN-122 + SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2 + WAN_IN-20 + PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2 + PINGABLE_ADRESSES address_group WAN_IN-170 192.168.5.2 + WAN_IN-171 + PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1 + SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2 + IPV6-WAN_IN-111 2001:db8::3 + IPV6-WAN_IN-112 2001:db8::4 + IPV6-WAN_IN-120 + IPV6-WAN_IN-121 + IPV6-WAN_IN-122 + SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5 + IPV6-WAN_IN-20 + + +.. opcmd:: show firewall ipv6 [forward | input | output] filter + +.. opcmd:: show firewall ipv6 ipv6-name <name> + + This command will give an overview of a single rule-set. + + .. code-block:: none + + vyos@vyos:~$ show firewall ipv6 input filter + Ruleset Information + + --------------------------------- + ipv6 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ------------------------------------------------------------------------------ + 10 jump all 13 1456 iifname "eth1" jump NAME6_INP-ETH1 + 20 accept ipv6-icmp 10 1112 meta l4proto ipv6-icmp iifname "eth0" prefix "[ipv6-INP-filter-20-A]" accept + default accept all 14 1584 + + vyos@vyos:~$ + +.. opcmd:: show firewall ipv6 [forward | input | output] + filter rule <1-999999> + +.. opcmd:: show firewall ipv6 name <name> rule <1-999999> + +.. opcmd:: show firewall ipv6 ipv6-name <name> rule <1-999999> + + This command will give an overview of a rule in a single rule-set + +.. opcmd:: show firewall group <name> + + Overview of defined groups. You see the type, the members, and where the + group is used. + + .. code-block:: none + + vyos@vyos:~$ show firewall group LAN + Firewall Groups + + Name Type References Members + ------------ ------------------ ----------------------- ---------------- + LAN ipv6_network_group IPV6-VyOS_MANAGEMENT-30 2001:db8::0/64 + IPV6-WAN_IN-30 + LAN network_group VyOS_MANAGEMENT-30 192.168.200.0/24 + WAN_IN-30 + + +.. opcmd:: show firewall statistics + + This will show you a statistic of all rule-sets since the last boot. + +Show Firewall log +================= + +.. opcmd:: show log firewall +.. opcmd:: show log firewall ipv6 +.. opcmd:: show log firewall ipv6 [forward | input | output | name] +.. opcmd:: show log firewall ipv6 [forward | input | output] filter +.. opcmd:: show log firewall ipv6 name <name> +.. opcmd:: show log firewall ipv6 [forward | input | output] filter rule <rule> +.. opcmd:: show log firewall ipv6 name <name> rule <rule> + + Show the logs of all firewall; show all ipv6 firewall logs; show all logs + for particular hook; show all logs for particular hook and priority; show all logs + for particular custom chain; show logs for specific Rule-Set. + +Example Partial Config +====================== + +.. code-block:: none + + firewall { + ipv6 { + input { + filter { + rule 10 { + action jump + inbound-interface { + name eth1 + } + jump-target INP-ETH1 + } + rule 20 { + action accept + inbound-interface { + name eth0 + } + log + protocol ipv6-icmp + } + } + } + name INP-ETH1 { + default-action drop + enable-default-log + rule 10 { + action accept + protocol tcp_udp + } + } + } + } + + +Update geoip database +===================== + +.. opcmd:: update geoip + + Command used to update GeoIP database and firewall sets. diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index b27e02b9..1ab9c630 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst @@ -1,4 +1,4 @@ -:lastproofread: 2022-09-14 +:lastproofread: 2023-11-01 .. _firewall-zone: @@ -6,9 +6,43 @@ Zone Based Firewall ################### +******** +Overview +******** + +.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall + structure can be found on all vyos instalations. Zone based firewall was + removed in that version, but re introduced in VyOS 1.4 and 1.5. All + versions built after 2023-10-22 has this feature. + Documentation for most of the new firewall CLI can be + found in the `firewall + <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ + chapter. The legacy firewall is still available for versions before + 1.4-rolling-202308040557 and can be found in the + :doc:`legacy firewall configuration </configuration/firewall/general-legacy>` + chapter. + +In this section there's useful information of all firewall configuration that +is needed for zone-based firewall. +Configuration commands covered in this section: + +.. cfgcmd:: set firewall zone ... + +From main structure defined in +:doc:`Firewall Overview</configuration/firewall/index>` +in this section you can find detailed information only for the next part +of the general structure: + +.. code-block:: none + + - set firewall + * zone + - custom_zone_name + + ... + In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to -firewall rules. A Zone is a group of interfaces that have similar functions or +firewall rules. A zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network. @@ -36,7 +70,7 @@ firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of applying rule-sets to interfaces, they are applied to source zone-destination zone pairs. -An basic introduction to zone-based firewalls can be found `here +A basic introduction to zone-based firewalls can be found `here <https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_, and an example at :ref:`examples-zone-policy`. |