From 49008adbef48b10e404b307309fc330b241022cf Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Tue, 14 Jun 2022 09:46:50 -0300 Subject: Firewall: Add firewall documentation --- docs/configuration/firewall/index.rst | 54 ++++++++++++++++++++++++----------- 1 file changed, 37 insertions(+), 17 deletions(-) (limited to 'docs/configuration/firewall') diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 55881b1b..0cbc60c8 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -264,7 +264,7 @@ the action of the rule will be executed. .. cfgcmd:: set firewall name rule <1-999999> action [drop | reject | accept] -.. cfgcmd:: set firewall ipv6-name rule <1-999999> action [drop |  +.. cfgcmd:: set firewall ipv6-name rule <1-999999> action [drop | reject | accept] This required setting defines the action of the current rule. @@ -275,11 +275,18 @@ the action of the rule will be executed. Provide a description for each rule. .. cfgcmd:: set firewall name rule <1-999999> log [disable | enable] -.. cfgcmd:: set firewall ipv6-name rule <1-999999> log [disable | +.. cfgcmd:: set firewall ipv6-name rule <1-999999> log [disable | enable] Enable or disable logging for the matched packet. +.. cfgcmd:: set firewall name rule <1-999999> log-level [emerg | + alert | crit | err | warn | notice | info | debug] +.. cfgcmd:: set firewall ipv6-name rule <1-999999> log-level [emerg | + alert | crit | err | warn | notice | info | debug] + + Define log-level. Only applicable if rule log is enable. + .. cfgcmd:: set firewall name rule <1-999999> disable .. cfgcmd:: set firewall ipv6-name rule <1-999999> disable 
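Review bot: In the `@@ -275,11 +275,18 @@` hunk the new log-level description reads "Only applicable if rule log is enable"; it should be "enabled". The directive offers eight levels but says nothing about which level applies when `log enable` is set without `log-level`; state the default so an operator tuning syslog filters knows what a plain `log enable` rule emits.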
@@ -355,37 +362,40 @@ There are a lot of matching criteria against which the package can be tested. set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338' .. cfgcmd:: set firewall name rule <1-999999> source group - address-group + address-group .. cfgcmd:: set firewall name rule <1-999999> destination group - address-group + address-group .. cfgcmd:: set firewall ipv6-name rule <1-999999> source group - address-group + address-group .. cfgcmd:: set firewall ipv6-name rule <1-999999> destination group - address-group + address-group - Use a specific address-group + Use a specific address-group. Prepend character '!' for inverted matching + criteria. .. cfgcmd:: set firewall name rule <1-999999> source group - network-group + network-group .. cfgcmd:: set firewall name rule <1-999999> destination group - network-group + network-group .. cfgcmd:: set firewall ipv6-name rule <1-999999> source group - network-group + network-group .. cfgcmd:: set firewall ipv6-name rule <1-999999> destination group - network-group + network-group - Use a specific network-group + Use a specific network-group. Prepend character '!' for inverted matching + criteria. .. cfgcmd:: set firewall name rule <1-999999> source group - port-group + port-group .. cfgcmd:: set firewall name rule <1-999999> destination group - port-group + port-group .. cfgcmd:: set firewall ipv6-name rule <1-999999> source group - port-group + port-group .. cfgcmd:: set firewall ipv6-name rule <1-999999> destination group - port-group + port-group - Use a specific port-group + Use a specific port-group. Prepend character '!' for inverted matching + criteria. .. cfgcmd:: set firewall name rule <1-999999> protocol [ | <0-255> | all | tcp_udp] 
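Review bot: In the `@@ -355,37 +362,40 @@` hunk the sentence "Prepend character '!' for inverted matching criteria." added to the address-group, network-group and port-group descriptions explains the negation but, unlike the `source address` and `source port` criteria just above (`set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338'`), gives no example. One example per group type in the same style, showing where the `!` goes relative to the group name and whether quoting is needed, would remove the ambiguity; it is also worth stating plainly that an inverted group match succeeds when the address or port is not a member of the group.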
@@ -423,6 +433,16 @@ There are a lot of matching criteria against which the package can be tested. Match against the state of a packet. +.. cfgcmd:: set firewall name rule <1-999999> ttl <0-255> + + Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for + 'greater than', and 'lt' stands for 'less than'. + +.. cfgcmd:: set firewall ipv6-name rule <1-999999> hop-limit <0-255> + + Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for + 'greater than', and 'lt' stands for 'less than'. *********************************** Applying a Rule-Set to an Interface -- cgit v1.2.3 From bd66e4fb6f683f47935c02dfca6a899afeca69b2 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Tue, 28 Jun 2022 11:31:07 -0300 Subject: Firewall: T4299: add geoip matching criteria --- docs/configuration/firewall/index.rst | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) (limited to 'docs/configuration/firewall') diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 0cbc60c8..5081ce2f 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst 
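Review bot: In the `@@ -423,6 +433,16 @@` hunk the two new directives are listed as `ttl <0-255>` and `hop-limit <0-255>`, yet their descriptions explain the keywords 'eq', 'gt' and 'lt'; either the comparison operator belongs in the directive signature or the description should not mention operators the syntax does not show. Make the two agree. Also check that a blank line separates the indented hop-limit description from the `***********************************` overline of the "Applying a Rule-Set to an Interface" heading that follows it; without one Sphinx reports "Explicit markup ends without a blank line" and the heading may not render as a section title.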
@@ -323,6 +323,22 @@ There are a lot of matching criteria against which the package can be tested. set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24 set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202 +.. cfgcmd:: set firewall name rule <1-999999> source geoip country-code + +.. cfgcmd:: set firewall ipv6-name rule <1-999999> source geoip + country-code +.. cfgcmd:: set firewall name rule <1-999999> destination geoip + country-code +.. cfgcmd:: set firewall ipv6-name rule <1-999999> destination geoip + country-code + +Match IP addresses based on its geolocation. More info: `geoip matching +`_ + +Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, +permits redistribution so we can include a database in images(~3MB +compressed). Includes cron script (manually callable by op-mode update +geoip) to keep database and rules updated. .. cfgcmd:: set firewall name rule <1-999999> source mac-address @@ -806,3 +822,11 @@ Example Partial Config } } } + + +Update geoip database +===================== + +.. opcmd:: update geoip + + Command used to update GeoIP database and firewall sets. \ No newline at end of file -- cgit v1.2.3 From 54196d2ca6179685b511b1c5de139bb7d778bf1d Mon Sep 17 00:00:00 2001 From: Remi van Dijk | Link-it Date: Wed, 6 Jul 2022 11:43:33 +0200 Subject: Firewall: T4299: Add inverse-match to geoip --- docs/configuration/firewall/index.rst | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) (limited to 'docs/configuration/firewall') diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 5081ce2f..a83ea2ae 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst 
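Review bot: In the `@@ -323,6 +323,22 @@` hunk the geoip description is not indented under its `.. cfgcmd::` directives (the added lines begin `+Match IP addresses` rather than `+    Match ...` as every other criterion does), so it renders as body text after the directive instead of as its description; indent it like the neighbouring entries. "based on its geolocation" should be "based on their geolocation" and "images(~3MB" needs a space. The paragraph on DB-IP.com, CC-BY-4.0, image size and the cron script reads like an implementation note; keep the user-facing facts (the database is shipped in the image, attribution to DB-IP.com is required, it is refreshed by a cron job or manually with `update geoip`) and drop the rest. A sentence on whether an address that is absent from the database matches or not would also help, since that decides what an allow or drop rule does for unmapped sources.

Review bot: The `@@ -806,3 +822,11 @@` hunk adds the "Update geoip database" section without a trailing newline (`\ No newline at end of file`); add it. The description "Command used to update GeoIP database and firewall sets." should say where the data is fetched from and what happens to the running rule set while the sets are rebuilt, so operators know the command has network access and rule-set side effects before running it on a production firewall.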
@@ -325,15 +325,25 @@ There are a lot of matching criteria against which the package can be tested. .. cfgcmd:: set firewall name rule <1-999999> source geoip country-code +.. cfgcmd:: set firewall name rule <1-999999> source geoip inverse-match .. cfgcmd:: set firewall ipv6-name rule <1-999999> source geoip country-code +.. cfgcmd:: set firewall ipv6-name rule <1-999999> source geoip + inverse-match .. cfgcmd:: set firewall name rule <1-999999> destination geoip country-code +.. cfgcmd:: set firewall name rule <1-999999> destination geoip + inverse-match .. cfgcmd:: set firewall ipv6-name rule <1-999999> destination geoip country-code +.. cfgcmd:: set firewall ipv6-name rule <1-999999> destination geoip + inverse-match + +Match IP addresses based on its geolocation. +More info: `geoip matching +`_. -Match IP addresses based on its geolocation. More info: `geoip matching -`_ +Use inverse-match to match anything except the given country-codes. Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, permits redistribution so we can include a database in images(~3MB @@ -531,10 +541,10 @@ Applying a Rule-Set to a Zone Before you are able to apply a rule-set to a zone you have to create the zones first. -It helps to think of the syntax as: (see below). The 'rule-set' should be +It helps to think of the syntax as: (see below). The 'rule-set' should be written from the perspective of: *Source Zone*-to->*Destination Zone* -.. cfgcmd:: set zone-policy zone from +.. cfgcmd:: set zone-policy zone from firewall name .. cfgcmd:: set zone-policy zone from firewall name @@ -829,4 +839,4 @@ Update geoip database .. opcmd:: update geoip - Command used to update GeoIP database and firewall sets. \ No newline at end of file + Command used to update GeoIP database and firewall sets. -- cgit v1.2.3 From 52d4e27612f0f4ad36b4635984d1ca7ac26d7689 Mon Sep 17 00:00:00 2001 
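Review bot: In the `@@ -325,15 +325,25 @@` hunk `inverse-match` is documented only by "Use inverse-match to match anything except the given country-codes."; it should be stated that the option is a flag on the same `source`/`destination geoip` node and only has effect together with `country-code`. The geoip criteria still lack the example block that the address and port criteria have; one rule with `country-code` and the same rule with `inverse-match` added would show the difference at a glance. The retained sentence "Match IP addresses based on its geolocation" still needs "their" for "its".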
From: Remi Date: Sat, 9 Jul 2022 17:24:52 +0200 Subject: Firewall: add 'recent' matching criteria --- docs/configuration/firewall/index.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'docs/configuration/firewall') diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index a83ea2ae..a36877b7 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -469,6 +469,16 @@ geoip) to keep database and rules updated. Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'. + +.. cfgcmd:: set firewall name rule <1-999999> recent count <1-255> +.. cfgcmd:: set firewall ipv6-name rule <1-999999> recent count <1-255> +.. cfgcmd:: set firewall name rule <1-999999> recent time +.. cfgcmd:: set firewall ipv6-name rule <1-999999> recent time + + Match when 'count' amount of connections are seen within 'time'. These + matching criteria can be used to block brute-force attempts. *********************************** Applying a Rule-Set to an Interface -- cgit v1.2.3
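Review bot: In the `@@ -469,6 +469,16 @@` hunk, "Match when 'count' amount of connections are seen within 'time'" should read "when 'count' connections are seen within 'time'", and the description must give the unit of `time` and say what the counter is keyed on (per source address, per destination, or global); a brute-force mitigation that counts globally would lock out every client once the threshold is reached. Since the hunk presents the feature for blocking brute-force attempts, add a short example in the style of the other criteria that pairs `recent count` and `recent time` with the rule's `action` and with the `state` criterion documented above, so that only new connections are counted and established sessions are not dropped.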