Global Options Firewall Configuration

Overview

Some firewall settings are global and affect the entire system. This section provides information about these global options that you can configure using the VyOS CLI.

Configuration commands covered in this section:

set firewall global-options …

Configuration

set firewall global-options all-ping [enable | disable]

By default, when VyOS receives an ICMP echo request packet destined for itself, it answers with an ICMP echo reply, unless your firewall prevents it.

You can set firewall rules to accept, drop, or reject ICMP in, out, or local traffic. You can also use the firewall global-options all-ping command. This command affects only LOCAL traffic (packets destined for your VyOS system), not IN or OUT traffic.

Note

firewall global-options all-ping affects only LOCAL traffic and always behaves in the most restrictive way

set firewall global-options all-ping enable

When you set this command, VyOS answers every ICMP echo request addressed to itself, but that response occurs only if no other rule drops or rejects local echo requests. In case of conflict, VyOS does not answer ICMP echo requests.

set firewall global-options all-ping disable

When you set this command, VyOS answers no ICMP echo requests addressed to itself, regardless of where they come from or what specific rules accept them.

set firewall global-options apply-to-bridged-traffic [ipv4 | ipv6]

Apply IPv4 or IPv6 firewall rules to bridged traffic.

set firewall global-options broadcast-ping [enable | disable]

Enable or disable the response to ICMP broadcast messages. The system alters the following parameter:

  • net.ipv4.icmp_echo_ignore_broadcasts

set firewall global-options ip-src-route [enable | disable]
set firewall global-options ipv6-src-route [enable | disable]

Set whether VyOS accepts packets with a source route option. The following sysctl parameters will be changed:

  • net.ipv4.conf.all.accept_source_route

  • net.ipv6.conf.all.accept_source_route

set firewall global-options receive-redirects [enable | disable]
set firewall global-options ipv6-receive-redirects [enable | disable]

Allow VyOS to accept ICMPv4 and ICMPv6 redirect messages. The following sysctl parameters will be changed:

  • net.ipv4.conf.all.accept_redirects

  • net.ipv6.conf.all.accept_redirects

set firewall global-options send-redirects [enable | disable]

Allow VyOS to send ICMPv4 redirect messages. The following sysctl parameter will be changed:

  • net.ipv4.conf.all.send_redirects

set firewall global-options log-martians [enable | disable]

Allow VyOS to log martian IPv4 packets. The following sysctl parameter will be changed:

  • net.ipv4.conf.all.log_martians

set firewall global-options source-validation [strict | loose | disable]

Set the IPv4 source validation mode. The following sysctl parameter will be changed:

  • net.ipv4.conf.all.rp_filter

set firewall global-options syn-cookies [enable | disable]

Allow VyOS to use IPv4 TCP SYN Cookies. The following sysctl parameter will be changed:

  • net.ipv4.tcp_syncookies

set firewall global-options twa-hazards-protection [enable | disable]

Enable or disable VyOS RFC 1337 conformance. The following sysctl parameter will be changed:

  • net.ipv4.tcp_rfc1337

set firewall global-options state-policy established action [accept | drop | reject]
set firewall global-options state-policy established log
set firewall global-options state-policy established log-level [emerg | alert | crit | err | warn | notice | info | debug]

Set the global setting for an established connection.

set firewall global-options state-policy invalid action [accept | drop | reject]
set firewall global-options state-policy invalid log
set firewall global-options state-policy invalid log-level [emerg | alert | crit | err | warn | notice | info | debug]

Set the global setting for invalid packets.

set firewall global-options state-policy related action [accept | drop | reject]
set firewall global-options state-policy related log
set firewall global-options state-policy related log-level [emerg | alert | crit | err | warn | notice | info | debug]

Set the global setting for related connections.

VyOS supports setting timeouts for connections by connection type. You can set timeout values for generic connections, ICMP connections, UDP connections, or TCP connections in various states.

set firewall global-options timeout icmp <1-21474836>
set firewall global-options timeout other <1-21474836>
set firewall global-options timeout tcp close <1-21474836>
set firewall global-options timeout tcp close-wait <1-21474836>
set firewall global-options timeout tcp established <1-21474836>
set firewall global-options timeout tcp fin-wait <1-21474836>
set firewall global-options timeout tcp last-ack <1-21474836>
set firewall global-options timeout tcp syn-recv <1-21474836>
set firewall global-options timeout tcp syn-sent <1-21474836>
set firewall global-options timeout tcp time-wait <1-21474836>
set firewall global-options timeout udp other <1-21474836>
set firewall global-options timeout udp stream <1-21474836>

Set the timeout in seconds for a protocol or state.