IPv6 Firewall Configuration
Overview
This section covers useful information about IPv6 firewall configuration and appropriate operation-mode commands.
To learn about the general traffic flow in VyOS firewalls, see Firewall.
This section describes the following configuration commands:
- set firewall
  * ipv6
    - forward
      + filter
    - input
      + filter
    - output
      + filter
      + raw
    - prerouting
      + raw
    - name
      + custom_name
The router first receives all traffic and processes it in the prerouting section. This stage includes:
- Firewall Prerouting: commands found under set firewall ipv6 prerouting raw ...
- Conntrack Ignore: commands found under set system conntrack ignore ipv6 ...
- Policy Route: commands found under set policy route6 ...
- Destination NAT: commands found under set nat66 destination ...
For transit traffic that the router receives and forwards, the base chain is forward. The following diagram shows a simplified packet flow for transit traffic:
Use set firewall ipv6 forward filter ... to configure filtering rules for
transit traffic. This command corresponds to stage 5 and is highlighted in red
in the diagram.
For traffic destined to the router, use the input chain. For traffic the router generates, use the output chain. The following diagram shows the packet flow for traffic destined to the router and traffic generated by the router (starting from circle number 6):
Use set firewall ipv6 input filter ... to configure traffic destined to
the router.
Use set firewall ipv6 output ... to configure traffic the router generates.
Two sub-chains are available: filter and raw:
- Output Prerouting: set firewall ipv6 output raw ... As described in Prerouting, the firewall processes rules in this section before the connection tracking subsystem.
- Output Filter: set firewall ipv6 output filter ... The firewall processes rules in this section after the connection tracking subsystem.
Note
Important note about default-actions: If you do not define a default action for a base chain, the system sets the default action to accept for that chain. For custom chains, if you do not define a default action, the system sets the default-action to drop.
Create custom firewall chains using the commands
set firewall ipv6 name <name> .... To use the custom chain, define a
rule with action jump and the appropriate target in a base chain.
Firewall - IPv6 Rules
Create firewall rules for filtering. Each rule is numbered and has an action to apply when the rule is matched. You can specify multiple matching criteria. Packets go through rules 1 to 999999 in order, so the order is crucial: the firewall executes the action of the first matching rule.
Actions
If you define a rule, you must define an action for it. The action tells the firewall what to do when all criteria for that rule are met.
The action can be one of:
- accept: accept the packet.
- continue: continue parsing the next rule.
- drop: drop the packet.
- reject: reject the packet.
- jump: jump to another custom chain.
- return: return from the current chain and continue at the next rule of the chain that jumped to it.
- queue: enqueue the packet to userspace.
- synproxy: synproxy the packet.
This required setting defines the action of the current rule. If you set the action to jump, you must also define a jump-target.
Use this command only when action is set to jump. Specify the jump
target.
Use this command only when action is set to queue. Specify the queue
target. Queue ranges are also supported.
Use this command only when action is set to queue. This command allows
the packet to go through the firewall when no userspace software is connected
to the queue.
Use this command only when action is set to queue. This command
distributes packets among multiple queues.
A default-action is the action applied whenever a packet matches no rule in its chain. For base chains, the possible default actions are accept and drop.
Set the default action of the rule-set if a packet does not match any rule
criteria. If you set default-action to jump, you must also define
default-jump-target. For base chains, you can only set the default
action to accept or drop. For custom chains, more actions are
available.
To be used only when default-action is set to jump. Use this
command to specify the jump target for the default rule.
Note
Important note about default-actions: If you do not define the default action for a base chain, the system sets the default action to accept for that chain. For custom chains, if you do not define a default action, the system sets the default-action to drop.
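The evaluation model described in this section (first match wins, jump and return between chains, and the different implicit default actions of base and custom chains), as an added illustration that is not VyOS code. The chain layout mirrors the partial config at the end of this page; the packet is a constructed dict of match fields.

```python
# Added illustration of the rule-evaluation model above; not VyOS code. A packet is a
# dict of match fields; a base chain (forward/input/output/prerouting) is entered first.
BASE_CHAINS = {"forward", "input", "output", "prerouting"}

def chain_default(name, chains):
    # explicit default-action if set, else accept for base chains and drop for custom ones
    cfg = chains[name]
    if "default-action" in cfg:
        return cfg["default-action"], cfg.get("default-jump-target")
    return ("accept" if name in BASE_CHAINS else "drop"), None

def matches(rule, packet):
    # every criterion must hold; tcp_udp stands for tcp or udp
    for key, want in rule["match"].items():
        have = packet.get(key)
        if key == "protocol" and want == "tcp_udp":
            if have not in ("tcp", "udp"):
                return False
        elif have != want:
            return False
    return True

def evaluate(chain, packet, chains, depth=0):
    # rules are walked in numeric order and the first matching rule's action decides
    cfg = chains[chain]
    for number in sorted(cfg.get("rules", {})):
        rule = cfg["rules"][number]
        if not matches(rule, packet):
            continue
        action = rule["action"]
        if action == "continue":      # matched, but keep parsing the next rule
            continue
        if action == "jump":          # decided inside the target chain, unless it returns
            verdict = evaluate(rule["jump-target"], packet, chains, depth + 1)
            if verdict == "return":   # resume at the next rule of this chain
                continue
            return verdict
        return action                 # accept, drop, reject, return, queue, synproxy
    default, target = chain_default(chain, chains)   # no rule matched
    return evaluate(target, packet, chains, depth + 1) if default == "jump" else default

def verdict_for(base_chain, packet, chains):
    # entry point: a 'return' that reaches the base chain falls back to its default
    verdict = evaluate(base_chain, packet, chains)
    return chain_default(base_chain, chains)[0] if verdict == "return" else verdict

# Constructed config mirroring the page's partial config: input filter plus custom chain INP-ETH1
EXAMPLE = {"input": {"rules": {
    10: {"match": {"inbound-interface": "eth1"}, "action": "jump", "jump-target": "INP-ETH1"},
    20: {"match": {"inbound-interface": "eth0", "protocol": "ipv6-icmp"}, "action": "accept"}}},
    "INP-ETH1": {"default-action": "drop", "rules": {10: {"match": {"protocol": "tcp_udp"}, "action": "accept"}}}}
```

Note that a TCP packet arriving on eth0 is accepted only because the base chain has no explicit default-action; the custom chain without one would have dropped it.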
Firewall Logs
You can enable logging for each firewall rule. When enabled, you can also define other log options.
Enable logging for matched packets. If this configuration command is not present, logging is disabled.
Use this command to enable the logging of the default action on the specified chain.
Define log-level. Only applicable if rule log is enabled.
Define the log group to send messages to. Only applicable if rule log is enabled.
Define the length of packet payload to include in a netlink message. Only applicable when rule logging is enabled and log group is defined.
Firewall Description
For reference, you can define descriptions on every rule and custom chain.
Provide a rule-set description to a custom firewall chain.
Rule Status
New rules are enabled by default. In some cases, you may want to disable a rule rather than remove it.
Matching criteria
Many matching criteria are available against which a packet can be tested.
Match packets based on NAT connection status.
Match packets based on connection mark.
Match based on source or destination address. This is similar to network groups, but you can negate the matching addresses here.
set firewall ipv6 name FOO rule 100 source address 2001:db8::202
Apply an arbitrary netmask to mask addresses and match only a specific portion. This is useful for IPv6 because rules remain valid when the IPv6 prefix changes, provided the host portion of the system's IPv6 address is static. Examples include SLAAC and tokenised IPv6 addresses.
This function works for both individual addresses and address groups.
# Match any IPv6 address with the suffix ::0000:0000:0000:beef
set firewall ipv6 forward filter rule 100 destination address ::beef
set firewall ipv6 forward filter rule 100 destination address-mask ::ffff:ffff:ffff:ffff
# Address groups
set firewall group ipv6-address-group WEBSERVERS address ::1000
set firewall group ipv6-address-group WEBSERVERS address ::2000
set firewall ipv6 forward filter rule 200 source group address-group WEBSERVERS
set firewall ipv6 forward filter rule 200 source address-mask ::ffff:ffff:ffff:ffff
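The masked comparison behind address-mask, as an added example that is not VyOS code: a rule address and a candidate match when they agree on every bit set in the mask, so a host-part-only rule keeps matching after the prefix is renumbered. The WEBSERVERS members are taken from the commands above; the candidate addresses are constructed.

```python
import ipaddress

# Added example (not VyOS code): nftables-style masked address comparison.
def masked_match(rule_address, mask, candidate):
    """True when candidate & mask == rule_address & mask."""
    a = int(ipaddress.IPv6Address(rule_address))
    m = int(ipaddress.IPv6Address(mask))
    c = int(ipaddress.IPv6Address(candidate))
    return (a & m) == (c & m)

def group_masked_match(members, mask, candidate):
    """Same check applied to an ipv6-address-group: any member may match."""
    return any(masked_match(member, mask, candidate) for member in members)

def host_mask(host_bits):
    """Mask covering the low host_bits bits, e.g. 64 -> ::ffff:ffff:ffff:ffff."""
    return str(ipaddress.IPv6Address((1 << host_bits) - 1))

def host_token(address, host_bits):
    """The host part of an address as the rule would state it, e.g. ::beef."""
    a = int(ipaddress.IPv6Address(address))
    return str(ipaddress.IPv6Address(a & ((1 << host_bits) - 1)))

WEBSERVERS = ["::1000", "::2000"]   # the address group from the commands above
```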
Specify a Fully Qualified Domain Name as source or destination to match. Ensure that the router can resolve the DNS query.
Match IP addresses based on their geolocation. For more information, see GeoIP matching. Use inverse-match to match anything except the specified country codes.
DB-IP.com provides data under CC-BY-4.0 license. Attribution is required and redistribution is permitted, allowing VyOS to include a database in images (approximately 3 MB compressed). The package includes a cron script that you can manually call through op-mode update geoip to keep the database and rules updated.
You can specify only a source MAC address to match.
set firewall ipv6 input filter rule 100 source mac-address 00:53:00:11:22:33
set firewall ipv6 input filter rule 101 source mac-address !00:53:00:aa:12:34
Specify a port by number or by name as defined in /etc/services.
set firewall ipv6 forward filter rule 10 source port '22'
set firewall ipv6 forward filter rule 11 source port '!http'
set firewall ipv6 forward filter rule 12 source port 'https'
Multiple source ports can be specified as a comma-separated list.
The whole list can also be “negated” using !. For example:
set firewall ipv6 forward filter rule 10 source port '!22,https,3333-3338'
Specify an address group. You can prepend the character ! to invert the
matching criteria.
Specify a dynamic address group. You can prepend the character ! to
invert the matching criteria.
Specify a network group. You can prepend the character ! to invert the
matching criteria.
Specify a port group. You can prepend the character ! to invert the
matching criteria.
Specify a domain group. You can prepend the character ! to invert the
matching criteria.
Specify a MAC group. You can prepend the character ! to invert the
matching criteria.
Match based on dscp value.
Match packets based on fragmentation.
Match packets based on ICMP or ICMPv6 code and type.
Match based on ICMPv6 type-name. Press Tab for information about supported type-name criteria.
Match based on inbound interface. You can use the wildcard *. For
example: eth2*. You can prepend the character ! to invert the
matching criteria. For example !eth2
Note
If an interface is attached to a non-default VRF, when using
inbound-interface, use the VRF name. For example:
set firewall ipv6 forward filter rule 10 inbound-interface name MGMT
Match based on the inbound interface group. You can prepend the character
! to invert the matching criteria. For example !IFACE_GROUP
Match based on outbound interface. You can use the wildcard *. For
example: eth2*. You can prepend the character ! to invert the
matching criteria. For example !eth2
Note
If an interface is attached to a non-default VRF, when using
outbound-interface, use the physical interface name. For example:
set firewall ipv6 forward filter rule 10 outbound-interface name eth0
Match based on outbound interface group. You can prepend the character !
to invert the matching criteria. For example !IFACE_GROUP
Match packets based on IPsec.
Match based on the maximum number of packets allowed to exceed the rate limit.
Match based on the maximum average rate, specified as integer/unit.
For example, specify 5/minutes.
Match based on packet length. You can specify multiple values from 1 to 65535 and ranges.
Match based on packet type.
Match based on protocol number or name as defined in /etc/protocols.
Specify all for all protocols and tcp_udp for TCP and UDP packets.
Prepend ! to negate the protocol selection.
set firewall ipv6 input filter rule 10 protocol tcp
Match packets based on recently seen sources.
Allowed values for TCP flags: ack, cwr, ecn, fin, psh,
rst, syn, and urg. You can specify multiple values. To invert
the selection, use not, as shown in the following example.
set firewall ipv6 input filter rule 10 tcp flags 'ack'
set firewall ipv6 input filter rule 12 tcp flags 'syn'
set firewall ipv6 input filter rule 13 tcp flags not 'fin'
Match packets based on time criteria.
Match the hop-limit parameter. Use eq for equal, gt for greater than,
and lt for less than.
Packet Modifications
The firewall can modify packets before sending them. This feature provides more flexibility for packet handling.
Set a specific value of Differentiated Services Codepoint (DSCP).
Set a specific packet mark value.
Set the TCP-MSS (TCP maximum segment size) for the connection.
Synproxy
Synproxy connections
Set the TCP MSS (maximum segment size) for the connection.
Set the window scale factor for TCP window scaling.
Example synproxy
Requirements to enable synproxy:
- Traffic must be symmetric.
- Synproxy relies on SYN cookies and TCP timestamps; ensure both are enabled.
- Disable the conntrack loose-tracking option.
set system sysctl parameter net.ipv4.tcp_timestamps value '1'
set system conntrack tcp loose disable
set system conntrack ignore ipv6 rule 10 destination port '8080'
set system conntrack ignore ipv6 rule 10 protocol 'tcp'
set system conntrack ignore ipv6 rule 10 tcp flags syn
set firewall global-options syn-cookies 'enable'
set firewall ipv6 input filter rule 10 action 'synproxy'
set firewall ipv6 input filter rule 10 destination port '8080'
set firewall ipv6 input filter rule 10 inbound-interface name 'eth1'
set firewall ipv6 input filter rule 10 protocol 'tcp'
set firewall ipv6 input filter rule 10 synproxy tcp mss '1460'
set firewall ipv6 input filter rule 10 synproxy tcp window-scale '7'
set firewall ipv6 input filter rule 1000 action 'drop'
set firewall ipv6 input filter rule 1000 state invalid
Operation-mode Firewall
Rule-set overview
Show a basic firewall overview for all rule-sets, not only for IPv6:
vyos@vyos:~$ show firewall
Rulesets Information
---------------------------------
IPv4 Firewall "forward filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- -----------------------------------------
5 jump all 0 0 iifname "eth1" jump NAME_VyOS_MANAGEMENT
10 jump all 0 0 oifname "eth1" jump NAME_WAN_IN
15 jump all 0 0 iifname "eth3" jump NAME_WAN_IN
default accept all
---------------------------------
IPv4 Firewall "name VyOS_MANAGEMENT"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- --------------------------------
5 accept all 0 0 ct state established accept
10 drop all 0 0 ct state invalid
20 accept all 0 0 ip saddr @A_GOOD_GUYS accept
30 accept all 0 0 ip saddr @N_ENTIRE_RANGE accept
40 accept all 0 0 ip saddr @A_VyOS_SERVERS accept
50 accept icmp 0 0 meta l4proto icmp accept
default drop all 0 0
---------------------------------
IPv6 Firewall "forward filter"
Rule Action Protocol
------- -------- ----------
5 jump all
10 jump all
15 jump all
default accept all
---------------------------------
IPv6 Firewall "input filter"
Rule Action Protocol
------- -------- ----------
5 jump all
default accept all
---------------------------------
IPv6 Firewall "ipv6_name IPV6-VyOS_MANAGEMENT"
Rule Action Protocol
------- -------- ----------
5 accept all
10 drop all
20 accept all
30 accept all
40 accept all
50 accept ipv6-icmp
default drop all
This will show you a summary of rule-sets and groups.
vyos@vyos:~$ show firewall summary
Ruleset Summary
IPv6 Ruleset:
Ruleset Hook Ruleset Priority Description
-------------- -------------------- -------------------------
forward filter
input filter
ipv6_name IPV6-VyOS_MANAGEMENT
ipv6_name IPV6-WAN_IN PUBLIC_INTERNET
IPv4 Ruleset:
Ruleset Hook Ruleset Priority Description
-------------- ------------------ -------------------------
forward filter
input filter
name VyOS_MANAGEMENT
name WAN_IN PUBLIC_INTERNET
Firewall Groups
Name Type References Members
----------------------- ------------------ ----------------------- ----------------
PBX address_group WAN_IN-100 198.51.100.77
SERVERS address_group WAN_IN-110 192.0.2.10
WAN_IN-111 192.0.2.11
WAN_IN-112 192.0.2.12
WAN_IN-120
WAN_IN-121
WAN_IN-122
SUPPORT address_group VyOS_MANAGEMENT-20 192.168.1.2
WAN_IN-20
PHONE_VPN_SERVERS address_group WAN_IN-160 10.6.32.2
PINGABLE_ADDRESSES address_group WAN_IN-170 192.168.5.2
WAN_IN-171
PBX ipv6_address_group IPV6-WAN_IN-100 2001:db8::1
SERVERS ipv6_address_group IPV6-WAN_IN-110 2001:db8::2
IPV6-WAN_IN-111 2001:db8::3
IPV6-WAN_IN-112 2001:db8::4
IPV6-WAN_IN-120
IPV6-WAN_IN-121
IPV6-WAN_IN-122
SUPPORT ipv6_address_group IPV6-VyOS_MANAGEMENT-20 2001:db8::5
IPV6-WAN_IN-20
This command will give an overview of a single rule-set.
vyos@vyos:~$ show firewall ipv6 input filter
Ruleset Information
---------------------------------
ipv6 Firewall "input filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- ------------------------------------------------------------------------------
10 jump all 13 1456 iifname "eth1" jump NAME6_INP-ETH1
20 accept ipv6-icmp 10 1112 meta l4proto ipv6-icmp iifname "eth0" prefix "[ipv6-INP-filter-20-A]" accept
default accept all 14 1584
vyos@vyos:~$
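The output above shows the log prefix "[ipv6-INP-filter-20-A]" that input filter rule 20 (action accept, logging enabled) attaches to its kernel log lines. The following added example, not VyOS code, maps such lines back to the matching rule and tallies hits per rule; the sample log lines are constructed in the standard netfilter key=value layout, and the hook and action letters other than INP and A are assumptions not documented on this page.

```python
import re
from collections import Counter

# Added example, not VyOS code. Prefix layout taken from the page's own output,
# "[ipv6-INP-filter-20-A]" = family, hook, chain, rule number, action initial.
PREFIX_RE = re.compile(r"\[(?P<family>ipv[46])-(?P<hook>[A-Z]+)-(?P<chain>[^\]]+)-(?P<rule>\d+)-(?P<action>[A-Z])\]")
HOOKS = {"INP": "input", "FWD": "forward", "OUT": "output", "PRE": "prerouting"}  # only INP is shown on the page
ACTIONS = {"A": "accept", "D": "drop", "R": "reject"}                             # only A is shown on the page

def parse_firewall_log(line):
    """Return the rule reference and the main netfilter fields, or None for other lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    # the netfilter log body is KEY=VALUE pairs; an empty OUT= means local delivery
    fields = dict(kv.split("=", 1) for kv in line[m.end():].split() if "=" in kv)
    return {
        "family": m["family"],
        "hook": HOOKS.get(m["hook"], m["hook"]),
        "chain": m["chain"],
        "rule": int(m["rule"]),
        "action": ACTIONS.get(m["action"], m["action"]),
        "in": fields.get("IN", ""),
        "src": fields.get("SRC", ""),
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
    }

def hits_per_rule(lines):
    """Tally matched log lines per (hook, chain, rule, action) for a quick review."""
    counts = Counter()
    for line in lines:
        rec = parse_firewall_log(line)
        if rec:
            counts[(rec["hook"], rec["chain"], rec["rule"], rec["action"])] += 1
    return counts

# Constructed sample lines; addresses use the 2001:db8::/32 documentation prefix.
SAMPLE_LOG = [
    "Jan  1 00:00:01 vyos kernel: [ipv6-INP-filter-20-A]IN=eth0 OUT= MAC=00:53:00:11:22:33:00:53:00:aa:12:34:86:dd "
    "SRC=2001:0db8:0000:0000:0000:0000:0000:0005 DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=104 TC=0 "
    "HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0",
    "Jan  1 00:00:02 vyos kernel: [ipv6-INP-filter-20-A]IN=eth0 OUT= SRC=2001:0db8:0000:0000:0000:0000:0000:0006 "
    "DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0",
    "Jan  1 00:00:03 vyos sshd[1234]: Accepted publickey for vyos from 2001:db8::5 port 50000 ssh2",
]
```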
This command will give an overview of a rule in a single rule-set.
Show an overview of defined groups, including the type, members, and where the group is used.
vyos@vyos:~$ show firewall group LAN
Firewall Groups
Name Type References Members
------------ ------------------ ----------------------- ----------------
LAN ipv6_network_group IPV6-VyOS_MANAGEMENT-30 2001:db8::0/64
IPV6-WAN_IN-30
LAN network_group VyOS_MANAGEMENT-30 192.168.200.0/24
WAN_IN-30
Show Firewall log
Example Partial Config
firewall {
    ipv6 {
        input {
            filter {
                rule 10 {
                    action jump
                    inbound-interface {
                        name eth1
                    }
                    jump-target INP-ETH1
                }
                rule 20 {
                    action accept
                    inbound-interface {
                        name eth0
                    }
                    log
                    protocol ipv6-icmp
                }
            }
        }
        name INP-ETH1 {
            default-action drop
            default-log
            rule 10 {
                action accept
                protocol tcp_udp
            }
        }
    }
}