From 8118c93687b89e267111069c475e02f8e89f648c Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Wed, 12 Jun 2024 09:13:08 -0300 Subject: Firewall: Add prerouting information --- docs/_static/images/firewall-fwd-packet-flow.png | Bin 39628 -> 30593 bytes docs/_static/images/firewall-input-packet-flow.png | Bin 56752 -> 43944 bytes docs/configuration/firewall/global-options.rst | 32 +++++++++++++++++ docs/configuration/firewall/index.rst | 35 +++++++++++++----- docs/configuration/firewall/ipv4.rst | 31 +++++++++++++--- docs/configuration/firewall/ipv6.rst | 31 +++++++++++++--- docs/configuration/system/conntrack.rst | 39 ++++----------------- 7 files changed, 118 insertions(+), 50 deletions(-) (limited to 'docs') diff --git a/docs/_static/images/firewall-fwd-packet-flow.png b/docs/_static/images/firewall-fwd-packet-flow.png index e4bc2adc..1ca213e8 100644 Binary files a/docs/_static/images/firewall-fwd-packet-flow.png and b/docs/_static/images/firewall-fwd-packet-flow.png differ diff --git a/docs/_static/images/firewall-input-packet-flow.png b/docs/_static/images/firewall-input-packet-flow.png index 1c53c34a..20d356bd 100644 Binary files a/docs/_static/images/firewall-input-packet-flow.png and b/docs/_static/images/firewall-input-packet-flow.png differ diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst index b3f311aa..7c52045e 100644 --- a/docs/configuration/firewall/global-options.rst +++ b/docs/configuration/firewall/global-options.rst @@ -145,3 +145,35 @@ Configuration [emerg | alert | crit | err | warn | notice | info | debug] Set the global setting for related connections. + +VyOS supports setting timeouts for connections according to the +connection type. You can set timeout values for generic connections, for ICMP +connections, UDP connections, or for TCP connections in a number of different +states. + +.. cfgcmd:: set firewall global-options timeout icmp <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout other <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp close <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp close-wait <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp established <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp fin-wait <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp last-ack <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp syn-recv <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp syn-sent <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp time-wait <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout udp other <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout udp stream <1-21474836> + :defaultvalue: + + Set the timeout in seconds for a protocol or state. \ No newline at end of file diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 1d904901..daf5f116 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -26,14 +26,23 @@ firewall are covered below: If the interface where the packet was received isn't part of a bridge, then packet is processed at the **IP Layer**: - * **Prerouting**: several actions can be done in this stage, and currently - these actions are defined in different parts in VyOS configuration. Order - is important, and all these actions are performed before any actions - defined under ``firewall`` section. Relevant configuration that acts in - this stage are: + * **Prerouting**: All packets that are received by the router + are processed in this stage, regardless of the destination of the packet. + Starting from vyos-1.5-rolling-202406120020, a new section was added to + firewall configuration. There are several actions that can be done in this + stage, and currently these actions are also defined in different parts in + VyOS configuration. Order is important, and relevant configuration that + acts in this stage are: + + * **Firewall prerouting**: rules defined under ``set firewall [ipv4 | + ipv6] prerouting raw...``. All rules defined in this section are + processed before connection tracking subsystem. * **Conntrack Ignore**: rules defined under ``set system conntrack ignore - [ipv4 | ipv6] ...``. + [ipv4 | ipv6] ...``. Starting from vyos-1.5-rolling-202406120020, + configuration done in this section can be done in ``firewall [ipv4 | + ipv6] prerouting ...``. For compatibility reasons, this feature is + still present, but it will be removed in the future. * **Policy Route**: rules defined under ``set policy [route | route6] ...``. @@ -67,11 +76,13 @@ packet is processed at the **IP Layer**: new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externally through **input** (for example response to an ssh login attempt to the router). - This includes ipv4 and ipv6 filtering rules, defined in: + This includes ipv4 and ipv6 rules, and two different sections are present: - * ``set firewall ipv4 output filter ...``. + * **Output Prerouting**: ``set firewall [ipv4 | ipv6] output filter ...``. + As described in **Prerouting**, rules defined in this section are + processed before connection tracking subsystem. - * ``set firewall ipv6 output filter ...``. + * **Output Filter**: ``set firewall [ipv4 | ipv6] output filter ...``. * **Postrouting**: as in **Prerouting**, several actions defined in different parts of VyOS configuration are performed in this @@ -120,6 +131,9 @@ The main structure of the VyOS firewall CLI is shown next: + filter - output + filter + + raw + - prerouting + + raw - name + custom_name * ipv6 @@ -129,6 +143,9 @@ The main structure of the VyOS firewall CLI is shown next: + filter - output + filter + + raw + - prerouting + + raw - ipv6-name + custom_name * zone diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst index f7f98dc7..e53f2480 100644 --- a/docs/configuration/firewall/ipv4.rst +++ b/docs/configuration/firewall/ipv4.rst @@ -31,17 +31,34 @@ of the general structure: + filter - output + filter + + raw + - prerouting + + raw - name + custom_name +First, all traffic is received by the router, and it is processed in the +**prerouting** section. + +This stage includes: + + * **Firewall Prerouting**: commands found under ``set firewall ipv4 + prerouting raw ...`` + * :doc:`Conntrack Ignore`: ``set system + conntrack ignore ipv4...`` + * :doc:`Policy Route`: commands found under + ``set policy route ...`` + * :doc:`Destination NAT`: commands found under + ``set nat destination ...`` + For transit traffic, which is received by the router and forwarded, base chain is **forward**. A simplified packet flow diagram for transit traffic is shown next: .. figure:: /_static/images/firewall-fwd-packet-flow.png -Where firewall base chain to configure firewall filtering rules for transit -traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, +Firewall base chain to configure firewall filtering rules for transit traffic +is ``set firewall ipv4 forward filter ...``, which happens in stage 5, highlighted with red color. For traffic towards the router itself, base chain is **input**, while traffic @@ -52,11 +69,17 @@ router (starting from circle number 6): .. figure:: /_static/images/firewall-input-packet-flow.png -Base chain is for traffic toward the router is ``set firewall ipv4 input +Base chain for traffic towards the router is ``set firewall ipv4 input filter ...`` And base chain for traffic generated by the router is ``set firewall ipv4 -output filter ...`` +output ...``, where two sub-chains are available: **filter** and **raw**: + +* **Output Prerouting**: ``set firewall ipv4 output raw ...``. + As described in **Prerouting**, rules defined in this section are + processed before connection tracking subsystem. +* **Output Filter**: ``set firewall ipv4 output filter ...``. Rules defined + in this section are processed after connection tracking subsystem. .. note:: **Important note about default-actions:** If default action for any base chain is not defined, then the default diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst index cbf18a7d..423f3e09 100644 --- a/docs/configuration/firewall/ipv6.rst +++ b/docs/configuration/firewall/ipv6.rst @@ -31,17 +31,34 @@ of the general structure: + filter - output + filter + + raw + - prerouting + + raw - name + custom_name +First, all traffic is received by the router, and it is processed in the +**prerouting** section. + +This stage includes: + + * **Firewall Prerouting**: commands found under ``set firewall ipv6 + prerouting raw ...`` + * :doc:`Conntrack Ignore`: ``set system + conntrack ignore ipv6...`` + * :doc:`Policy Route`: commands found under + ``set policy route6 ...`` + * :doc:`Destination NAT`: commands found under + ``set nat66 destination ...`` + For transit traffic, which is received by the router and forwarded, base chain is **forward**. A simplified packet flow diagram for transit traffic is shown next: .. figure:: /_static/images/firewall-fwd-packet-flow.png -Where firewall base chain to configure firewall filtering rules for transit -traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, +Firewall base chain to configure firewall filtering rules for transit traffic +is ``set firewall ipv6 forward filter ...``, which happens in stage 5, highlighted with red color. For traffic towards the router itself, base chain is **input**, while traffic @@ -52,11 +69,17 @@ router (starting from circle number 6): .. figure:: /_static/images/firewall-input-packet-flow.png -Base chain is for traffic toward the router is ``set firewall ipv6 input +Base chain for traffic towards the router is ``set firewall ipv6 input filter ...`` And base chain for traffic generated by the router is ``set firewall ipv6 -output filter ...`` +output filter ...``, where two sub-chains are available: **filter** and **raw**: + +* **Output Prerouting**: ``set firewall ipv6 output raw ...``. + As described in **Prerouting**, rules defined in this section are + processed before connection tracking subsystem. +* **Output Filter**: ``set firewall ipv6 output filter ...``. Rules defined + in this section are processed after connection tracking subsystem. .. note:: **Important note about default-actions:** If default action for any base chain is not defined, then the default diff --git a/docs/configuration/system/conntrack.rst b/docs/configuration/system/conntrack.rst index 1401e02e..6d551575 100644 --- a/docs/configuration/system/conntrack.rst +++ b/docs/configuration/system/conntrack.rst @@ -64,39 +64,7 @@ Configure Contrack Timeouts ================= -VyOS supports setting timeouts for connections according to the -connection type. You can set timeout values for generic connections, for ICMP -connections, UDP connections, or for TCP connections in a number of different -states. - -.. cfgcmd:: set system conntrack timeout icmp <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout other <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout tcp close <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout tcp close-wait <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout tcp established <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout tcp fin-wait <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout tcp last-ack <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout tcp syn-recv <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout tcp syn-sent <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout tcp time-wait <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout udp other <1-21474836> - :defaultvalue: -.. cfgcmd:: set system conntrack timeout udp stream <1-21474836> - :defaultvalue: - - Set the timeout in seconds for a protocol or state. - -You can also define custom timeout values to apply to a specific subset of +You can define custom timeout values to apply to a specific subset of connections, based on a packet and flow selector. To do this, you need to create a rule defining the packet and flow selector. @@ -177,6 +145,11 @@ create a rule defining the packet and flow selector. Conntrack ignore rules ====================== +.. note:: **Important note about conntrack ignore rules:** + Starting from vyos-1.5-rolling-202406120020, ignore rules can be defined in + ``set firewall [ipv4 | ipv6] prerouting raw ...``. It's expected that in + the future the conntrack ignore rules will be removed. + Customized ignore rules, based on a packet and flow selector. .. cfgcmd:: set system conntrack ignore [ipv4 | ipv6] rule <1-999999> -- cgit v1.2.3