IPv4 Firewall Configuration
Overview
This section provides information on IPv4 firewall configuration and appropriate operation-mode commands. This section covers the following configuration commands:
To learn about the general traffic flow in VyOS firewalls, see Firewall.
- set firewall
* ipv4
- forward
+ filter
- input
+ filter
- output
+ filter
+ raw
- prerouting
+ raw
- name
+ custom_name
First, the router receives all traffic and processes it in the prerouting stage.
This stage includes:
Firewall Prerouting: commands found under
set firewall ipv4 prerouting raw ...Conntrack Ignore:
set system conntrack ignore ipv4...Policy Route: commands found under
set policy route ...Destination NAT: commands found under
set nat destination ...
For transit traffic, which is received by the router and forwarded, the base chain is forward. The following is a simplified packet flow diagram for transit traffic:
The base firewall chain for configuring filtering rules for transit traffic is
set firewall ipv4 forward filter ..., which occurs in stage 5, highlighted
in red.
For traffic to the router itself, the base chain is input. For traffic the router originates, the base chain is output. A simplified packet flow diagram is shown next, which shows the path for traffic destined to the router itself and traffic the router generates (starting from circle number 6):
The base chain for traffic towards the router is
set firewall ipv4 input filter ...
The base chain for traffic the router generates is set firewall ipv4 output ..., where two sub-chains are available: filter and raw:
Output Prerouting:
set firewall ipv4 output raw .... As described in Prerouting, the system processes rules in this section before the connection tracking subsystem.Output Filter:
set firewall ipv4 output filter .... The system processes rules in this section after the connection tracking subsystem.
Note
Important note about default-actions: If you do not define a default action for a base chain, the system sets the default action to accept for that chain. For custom chains, if you do not define a default action, the system sets the default-action to drop.
You can create custom firewall chains using the following commands:
set firewall ipv4 name <name> .... To use a custom chain, you must define
a rule with the action jump and the appropriate target in a base
chain.
Firewall - IPv4 Rules
Each firewall rule has a number, an action to apply if the rule matches, and the ability to specify multiple matching criteria. Packets traverse rules numbered 1-999999, so order is crucial. The system executes the rule action at the first match.
Actions
If you define a rule, you must define an action for it. The action tells the firewall what to do if all the criteria you define for that rule are met.
The action can be:
accept: Accept the packet.continue: Continue parsing the next rule.drop: Drop the packet.reject: Reject the packet.jump: Jump to another custom chain.return: Return from the current chain and continue at the next rule of the last chain.queue: Enqueue packet to userspace.synproxy: Synproxy the packet.
This required setting defines the action of the current rule. If you set the action to jump, you must also specify a jump-target.
Use this command only when the action is set to jump. Specify the
jump target.
Use this command only when the action is set to queue. Specify the
queue target to use. Queue range is also supported.
Use this command only when the action is set to queue. Allow the packet
to pass through the firewall when no userspace software is connected to the
queue.
Use this command only when the action is set to queue. Distribute
packets between several queues.
Also, default-action is an action that applies when a packet does not match any rule in its chain. For base chains, possible options for default-action are accept or drop.
This command sets the default action of the rule-set if a packet does not
match the criteria of any rule. If you set the default-action to jump,
you must also specify default-jump-target. Note that for base chains,
you can set the default action only to accept or drop, while on
custom chains, more actions are available.
Use this command only when you set default-action to jump. Specify
the jump target for the default rule.
Note
Important note about default-actions: If you do not define a default action for a base chain, the system sets the default action to accept for that chain. For custom chains, if you do not define a default action, the system sets the default-action to drop.
Firewall Logs
You can enable logging for every single firewall rule. If you enable logging, you can define other log options.
Enable logging for the matched packet. If this command is not present, then logging is not enabled.
Use this command to enable logging of the default action on the specified chain.
Define the log level. Only applicable if you enable rule logging.
Define the log group to send messages to. Only applicable if you enable rule logging.
Define the length of packet payload to include in a netlink message. Only applicable if you enable rule logging and define the log group.
Firewall Description
You can add a description for reference for every single rule and for every defined custom chain.
Provide a rule-set description for a custom firewall chain.
Rule Status
When you define a rule, it is enabled by default. In some cases, it is useful to disable the rule rather than removing it.
Matching criteria
There are a lot of matching criteria against which the packet can be tested.
Match based on nat connection status.
Match based on connection mark.
Match based on connection tracking protocol helper module to secure use of that helper module. See below for possible completions <module>.
Possible completions:
ftp Related traffic from FTP helper
h323 Related traffic from H.323 helper
pptp Related traffic from PPTP helper
nfs Related traffic from NFS helper
sip Related traffic from SIP helper
tftp Related traffic from TFTP helper
sqlnet Related traffic from SQLNet helper
Match criteria based on source and/or destination address. This is similar to the network groups part, but here you are able to negate the matching addresses.
set firewall ipv4 name FOO rule 50 source address 192.0.2.10-192.0.2.11
# with a '!' the rule match everything except the specified subnet
set firewall ipv4 name FOO rule 51 source address !203.0.113.0/24
An arbitrary netmask can be applied to mask addresses to only match against a specific portion.
This functions for both individual addresses and address groups.
# Match any IPv4 address with `11` as the 2nd octet and `13` as the forth octet
set firewall ipv4 name FOO rule 100 destination address 0.11.0.13
set firewall ipv4 name FOO rule 100 destination address-mask 0.255.0.255
Specify a Fully Qualified Domain Name as source/destination to match. Ensure that the router is able to resolve this dns query.
Match IP addresses based on its geolocation. More info: geoip matching. Use inverse-match to match anything except the given country-codes.
Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, permits redistribution so we can include a database in images(~3MB compressed). Includes cron script (manually callable by op-mode update geoip) to keep database and rules updated.
You can only specify a source mac-address to match.
set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33
set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34
A port can be set by number or name as defined in /etc/services.
set firewall ipv4 forward filter rule 10 source port '22'
set firewall ipv4 forward filter rule 11 source port '!http'
set firewall ipv4 forward filter rule 12 source port 'https'
Multiple source ports can be specified as a comma-separated list.
The whole list can also be “negated” using !. For example:
Use a specific address-group. Prepending the character ! to invert the
criteria to match is also supported.
Use a specific dynamic-address-group. Prepending the character ! to
invert the criteria to match is also supported.
Use a specific network-group. Prepending the character ! to invert the
criteria to match is also supported.
Use a specific port-group. Prepending the character ! to invert the
criteria to match is also supported.
Use a specific domain-group. Prepending the character ! to invert the
criteria to match is also supported.
Use a specific mac-group. Prepending the character ! to invert the
criteria to match is also supported.
Match based on dscp value.
Match based on fragmentation.
Match based on icmp code and type.
Match based on icmp type-name. Use tab for information about what type-name criteria are supported.
Match based on inbound interface. Wildcard * is supported. For example:
eth2*. Prepend the character ! to invert the criteria. For example:
!eth2
Note
If an interface is attached to a non-default vrf, when using
inbound-interface, the vrf name must be used. For example set firewall ipv4 forward filter rule 10 inbound-interface name MGMT
Match based on the inbound interface group. Prepend the character ! to
invert the criteria. For example, !IFACE_GROUP
Match based on outbound interface. Wildcard * is supported. For example:
eth2*. Prepend the character ! to invert the criteria. For example:
!eth2
Note
If an interface is attached to a non-default vrf, when using
outbound-interface, the real interface name must be used. For example
set firewall ipv4 forward filter rule 10 outbound-interface name eth0
Match based on outbound interface group. Prepend the character ! to
invert the criteria. For example: !IFACE_GROUP
Match based on ipsec.
Match based on the maximum number of packets to allow in excess of rate.
Specify the maximum average rate as integer/unit. For example: 5/minutes
Match based on packet length. Specify multiple values from 1 to 65535 and ranges.
Match based on the packet type.
Match based on protocol number or name as defined in /etc/protocols.
Special names are all for all protocols and tcp_udp for TCP and UDP
based packets. The ! character negates the selected protocol.
set firewall ipv4 forward filter rule 10 protocol tcp_udp
set firewall ipv4 forward filter rule 11 protocol !tcp_udp
Match based on recently seen sources.
Specify TCP flags. Allowed values are ack, cwr, ecn, fin,
psh, rst, syn, and urg. Specify multiple values, and use
not for inverted selection, as shown in the example.
set firewall ipv4 input filter rule 10 tcp flags 'ack'
set firewall ipv4 input filter rule 12 tcp flags 'syn'
set firewall ipv4 input filter rule 13 tcp flags not 'fin'
Packet Modifications
Starting from VyOS-1.5-rolling-202410060007, the firewall can modify packets before sending them out. This feature provides more flexibility in packet handling.
Set a specific value of Differentiated Services Codepoint (DSCP).
Set a specific packet mark value.
Set the TCP-MSS (TCP maximum segment size) for the connection.
Set the TTL (Time to Live) value.
Synproxy
Synproxy connections
Set the TCP-MSS (maximum segment size) for the connection
Set the window scale factor for TCP window scaling
Example synproxy
Requirements to enable synproxy:
Traffic must be symmetric.
Synproxy relies on syncookies and TCP timestamps, ensure these are enabled.
Disable conntrack loose track option.
set system sysctl parameter net.ipv4.tcp_timestamps value '1'
set system conntrack tcp loose disable
set system conntrack ignore ipv4 rule 10 destination port '8080'
set system conntrack ignore ipv4 rule 10 protocol 'tcp'
set system conntrack ignore ipv4 rule 10 tcp flags syn
set firewall global-options syn-cookies 'enable'
set firewall ipv4 input filter rule 10 action 'synproxy'
set firewall ipv4 input filter rule 10 destination port '8080'
set firewall ipv4 input filter rule 10 inbound-interface name 'eth1'
set firewall ipv4 input filter rule 10 protocol 'tcp'
set firewall ipv4 input filter rule 10 synproxy tcp mss '1460'
set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7'
set firewall ipv4 input filter rule 1000 action 'drop'
set firewall ipv4 input filter rule 1000 state invalid
Operation-mode Firewall
Rule-set overview
This will show you a basic firewall overview, for all rule-sets, not only for IPv4.
vyos@vyos:~$ show firewall
Rulesets Information
---------------------------------
ipv4 Firewall "forward filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- -----------------------------
20 accept all 0 0 ip saddr @N_TRUSTEDv4 accept
21 jump all 0 0 jump NAME_AUX
default accept all 0 0
---------------------------------
ipv4 Firewall "input filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- -------------------------
10 accept all 156 14377 iifname != @I_LAN accept
default accept all 0 0
---------------------------------
ipv4 Firewall "name AUX"
Rule Action Protocol Packets Bytes Conditions
------ -------- ---------- --------- ------- --------------------------------------------
10 accept icmp 0 0 meta l4proto icmp accept
20 accept udp 0 0 meta l4proto udp ip saddr @A_SERVERS accept
30 drop all 0 0 ip saddr != @A_SERVERS iifname "eth2"
---------------------------------
ipv4 Firewall "output filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- ----------------------------------------
10 reject all 0 0 oifname @I_LAN
20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept
default accept all 72 9258
---------------------------------
ipv6 Firewall "input filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- -------------------------------
10 accept all 0 0 ip6 saddr @N6_TRUSTEDv6 accept
default accept all 2 112
vyos@vyos:~$
This shows you a summary of rule-sets and groups.
vyos@vyos:~$ show firewall summary
Ruleset Summary
IPv6 Ruleset:
Ruleset Hook Ruleset Priority Description
-------------- -------------------- -------------------------
forward filter
input filter
ipv6_name IPV6-VyOS_MANAGEMENT
ipv6_name IPV6-WAN_IN PUBLIC_INTERNET
IPv4 Ruleset:
Ruleset Hook Ruleset Priority Description
-------------- ------------------ -------------------------
forward filter
input filter
name VyOS_MANAGEMENT
name WAN_IN PUBLIC_INTERNET
Firewall Groups
Name Type References Members
----------------------- ------------------ ----------------------- ----------------
PBX address_group WAN_IN-100 198.51.100.77
SERVERS address_group WAN_IN-110 192.0.2.10
WAN_IN-111 192.0.2.11
WAN_IN-112 192.0.2.12
WAN_IN-120
WAN_IN-121
WAN_IN-122
SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2
WAN_IN-20
PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2
PINGABLE_ADDRESSES address_group WAN_IN-170 192.168.5.2
WAN_IN-171
PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1
SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2
IPV6-WAN_IN-111 2001:db8::3
IPV6-WAN_IN-112 2001:db8::4
IPV6-WAN_IN-120
IPV6-WAN_IN-121
IPV6-WAN_IN-122
SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5
IPV6-WAN_IN-20
This command will give an overview of a single rule-set.
vyos@vyos:~$ show firewall ipv4 input filter
Ruleset Information
---------------------------------
IPv4 Firewall "input filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- -----------------------------------------
5 jump all 0 0 iifname "eth2" jump NAME_VyOS_MANAGEMENT
default accept all
This command gives an overview of a rule in a single rule-set, plus information for default action.
vyos@vyos:~$show firewall ipv4 output filter rule 20
Rule Information
---------------------------------
ipv4 Firewall "output filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- ----------------------------------------
20 accept icmp 2 168 meta l4proto icmp oifname "eth0" accept
default accept all 286 47614
vyos@vyos:~$
Show Firewall log
Example Partial Config
firewall {
group {
network-group BAD-NETWORKS {
network 198.51.100.0/24
network 203.0.113.0/24
}
network-group GOOD-NETWORKS {
network 192.0.2.0/24
}
port-group BAD-PORTS {
port 65535
}
}
ipv4 {
forward {
filter {
default-action accept
rule 5 {
action accept
source {
group {
network-group GOOD-NETWORKS
}
}
}
rule 10 {
action drop
description "Bad Networks"
protocol all
source {
group {
network-group BAD-NETWORKS
}
}
}
}
}
}
}