path: root/docs/configuration/firewall/groups.rst
:lastproofread: 2023-11-08

.. _firewall-groups-configuration:

###############
Firewall groups
###############

*************
Configuration
*************

Firewall groups represent collections of IP addresses, networks, ports,
MAC addresses, domains or interfaces. Once created, a group can be referenced
by firewall, nat and policy route rules as either a source or destination
matcher and, in the case of an interface group, as an inbound or outbound
interface matcher.

Address Groups
==============

An **address group** holds single IP addresses and/or IP address ranges.

.. cfgcmd::  set firewall group address-group <name> address [address |
   address range]
.. cfgcmd::  set firewall group ipv6-address-group <name> address <address>

   Define an IPv4 or an IPv6 address group.

   .. code-block:: none

      set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1
      set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8
      set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1

.. cfgcmd::  set firewall group address-group <name> description <text>
.. cfgcmd::  set firewall group ipv6-address-group <name> description <text>

   Provide an IPv4 or IPv6 address group description.

Network Groups
==============

While **network groups** accept IP networks in CIDR notation, specific
IP addresses can be added as a 32-bit prefix. If you foresee the need
to add a mix of addresses and networks, the network group is
recommended.

.. cfgcmd::  set firewall group network-group <name> network <CIDR>
.. cfgcmd::  set firewall group ipv6-network-group <name> network <CIDR>

   Define an IPv4 or IPv6 network group.

   .. code-block:: none

      set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24
      set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24
      set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64

.. cfgcmd::  set firewall group network-group <name> description <text>
.. cfgcmd::  set firewall group ipv6-network-group <name> description <text>

   Provide an IPv4 or IPv6 network group description.

Interface Groups
================

An **interface group** represents a collection of interfaces.

.. cfgcmd::  set firewall group interface-group <name> interface <text>

   Define an interface group. Wildcards are accepted too.

   .. code-block:: none

      set firewall group interface-group LAN interface bond1001
      set firewall group interface-group LAN interface eth3*

.. cfgcmd::  set firewall group interface-group <name> description <text>

   Provide an interface group description

Port Groups
===========

A **port group** represents only port numbers, not the protocol. Port
groups can be referenced for either TCP or UDP. It is recommended that
TCP and UDP groups are created separately to avoid accidentally
filtering unnecessary ports. Ranges of ports can be specified by using
``-``.

.. cfgcmd:: set firewall group port-group <name> port
   [portname | portnumber | startport-endport]

   Define a port group. A port name can be any name defined in
   ``/etc/services``, e.g. ``http``.

   .. code-block:: none

      set firewall group port-group PORT-TCP-SERVER1 port http
      set firewall group port-group PORT-TCP-SERVER1 port 443
      set firewall group port-group PORT-TCP-SERVER1 port 5000-5010

.. cfgcmd:: set firewall group port-group <name> description <text>

   Provide a port group description.

MAC Groups
==========

A **mac group** represents a collection of MAC addresses.

.. cfgcmd::  set firewall group mac-group <name> mac-address <mac-address>

   Define a mac group.

   .. code-block:: none

      set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f
      set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81

.. cfgcmd:: set firewall group mac-group <name> description <text>

   Provide a mac group description.

Domain Groups
=============

A **domain group** represents a collection of domains.

.. cfgcmd::  set firewall group domain-group <name> address <domain>

   Define a domain group.

   .. code-block:: none

      set firewall group domain-group DOM address example.com

.. cfgcmd:: set firewall group domain-group <name> description <text>

   Provide a domain group description.

********
Examples
********

As noted above, once firewall groups are created they can be referenced
in firewall, nat, nat66 and/or policy-route rules.

Here is an example where multiple groups are created:

.. code-block:: none

   set firewall group address-group SERVERS address 198.51.100.101
   set firewall group address-group SERVERS address 198.51.100.102
   set firewall group network-group TRUSTEDv4 network 192.0.2.0/30
   set firewall group network-group TRUSTEDv4 network 203.0.113.128/25
   set firewall group ipv6-network-group TRUSTEDv6 network 2001:db8::/64
   set firewall group interface-group LAN interface eth2.2001
   set firewall group interface-group LAN interface bon0
   set firewall group port-group PORT-SERVERS port http
   set firewall group port-group PORT-SERVERS port 443
   set firewall group port-group PORT-SERVERS port 5000-5010

And next, some configuration examples where these groups are used:

.. code-block:: none

   set firewall ipv4 input filter rule 10 action accept
   set firewall ipv4 input filter rule 10 inbound-interface group !LAN
   set firewall ipv4 forward filter rule 20 action accept
   set firewall ipv4 forward filter rule 20 source group network-group TRUSTEDv4
   set firewall ipv6 input filter rule 10 action accept
   set firewall ipv6 input filter rule 10 source group network-group TRUSTEDv6
   set nat destination rule 101 inbound-interface group LAN
   set nat destination rule 101 destination group address-group SERVERS
   set nat destination rule 101 protocol tcp
   set nat destination rule 101 destination group port-group PORT-SERVERS
   set nat destination rule 101 translation address 203.0.113.250
   set policy route PBR rule 201 destination group port-group PORT-SERVERS
   set policy route PBR rule 201 protocol tcp
   set policy route PBR rule 201 set table 15
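As an added illustration, not part of the VyOS documentation or CLI, the following Python snippet parses ``set`` commands like the ones above into the same name/type/members/references table that ``show firewall group`` prints, and reports two mistakes that are easy to make before committing: a rule referencing a group that was never defined, and a port-group member that is not a port name, port number or ascending startport-endport range. The sample configuration is constructed from this page's examples; the group names MGMT and PORT-BAD are invented for the checks.

```python
import re
# Constructed sample: this page's Examples plus an undefined group (MGMT) and an inverted range (PORT-BAD).
CONFIG = """
set firewall group address-group SERVERS address 198.51.100.101
set firewall group network-group TRUSTEDv4 network 192.0.2.0/30
set firewall group interface-group LAN interface eth2.2001
set firewall group port-group PORT-SERVERS port http
set firewall group port-group PORT-SERVERS port 5000-5010
set firewall group port-group PORT-BAD port 8080-80
set firewall ipv4 input filter rule 10 inbound-interface group !LAN
set firewall ipv4 forward filter rule 20 source group network-group TRUSTEDv4
set nat destination rule 101 destination group address-group SERVERS
set nat destination rule 101 destination group port-group PORT-SERVERS
set nat destination rule 101 destination group address-group MGMT
set policy route PBR rule 201 destination group port-group PORT-SERVERS
"""
GROUP_DEF = re.compile(r"^set firewall group (\S+-group) (\S+) (?!description)\S+ (\S+)$")  # type, name, member
REF_TYPED = re.compile(r"(?:source|destination) group (\S+-group) (\S+)")  # source/destination group reference
REF_IFACE = re.compile(r"(?:in|out)bound-interface group !?(\S+)")  # interface-group reference, '!' negation dropped
RULE = re.compile(r"^set (?:firewall (ipv4|ipv6) (\w+) (\w+)|(nat) (\w+)|policy (route) (\S+)) rule (\d+)")

def valid_port(member):
    """Port group member: a port number, an ascending startport-endport range, or a service name."""
    if m := re.fullmatch(r"(\d+)(?:-(\d+))?", member):
        lo, hi = int(m[1]), m[2] and int(m[2])
        return 1 <= lo <= 65535 and (hi is None or lo < hi <= 65535)
    return re.fullmatch(r"[a-z][a-z0-9-]*", member) is not None  # a name as listed in /etc/services

def audit(config):
    """Return ({name: {type, members, refs}}, problems) for a block of VyOS 'set' commands."""
    groups, problems = {}, []
    for line in config.strip().splitlines():
        if m := GROUP_DEF.match(line):
            gtype, name, value = m.groups()
            g = groups.setdefault(name, {"type": gtype.replace("-", "_"), "members": [], "refs": []})
            g["members"].append(value)
            continue
        if not (m := RULE.match(line)):
            continue
        label = "-".join(x for x in m.groups() if x)  # e.g. ipv4-input-filter-10, nat-destination-101
        refs = REF_TYPED.findall(line) + [("interface-group", n) for n in REF_IFACE.findall(line)]
        for gtype, name in refs:
            if name not in groups:
                problems.append(f"{label}: references undefined {gtype} {name}")
            elif label not in groups[name]["refs"]:
                groups[name]["refs"].append(label)
    for name, g in groups.items():
        if g["type"] == "port_group":
            problems += [f"{name}: invalid port {p}" for p in g["members"] if not valid_port(p)]
    return groups, problems
```

Running ``audit(CONFIG)`` lists PORT-SERVERS as referenced by ``nat-destination-101`` and ``route-PBR-201``, exactly as the References column of ``show firewall group`` does, and reports the undefined MGMT group and the ``8080-80`` range.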

**************
Operation-mode
**************

.. opcmd:: show firewall group <name>

   Overview of defined groups. You see the type, the members, and where the
   group is used.

   .. code-block:: none

      vyos@ZBF-15-CLean:~$ show firewall group 
      Firewall Groups

      Name          Type                References              Members
      ------------  ------------------  ----------------------  ----------------
      SERVERS       address_group       nat-destination-101     198.51.100.101
                                                                198.51.100.102
      LAN           interface_group     ipv4-input-filter-10    bon0
                                        nat-destination-101     eth2.2001
      TRUSTEDv6     ipv6_network_group  ipv6-input-filter-10    2001:db8::/64
      TRUSTEDv4     network_group       ipv4-forward-filter-20  192.0.2.0/30
                                                                203.0.113.128/25
      PORT-SERVERS  port_group          route-PBR-201           443
                                        nat-destination-101     5000-5010
                                                                http
      vyos@ZBF-15-CLean:~$