Bridge Firewall Configuration
Overview
In this section there’s useful information on all firewall configuration that can be done regarding bridges, and appropriate op-mode commands. Configuration commands covered in this section:
From the main structure defined in Firewall Overview in this section you can find detailed information only for the next part of the general structure:
- set firewall
* bridge
- forward
+ filter
- input
+ filter
- output
+ filter
- prerouting
+ filter
- name
+ custom_name
Traffic which is received by the router on an interface which is member of a bridge is processed on the Bridge Layer. Before the bridge decision is made, all packets are analyzed at Prerouting. First filters can be applied here, and also rules for ignoring connection tracking system can be configured. The relevant configuration that acts in prerouting is:
set firewall bridge prerouting filter ...
.
For traffic that needs to be switched internally by the bridge, base chain is
forward, and it’s base command for filtering is set firewall bridge
forward filter ...
, which happens in stage 4, highlighted with red color.

For traffic destined to the router itself, or that needs to be routed (assuming
a layer3 bridge is configured), the base chain is input, the base command
is set firewall bridge input filter ...
and the path is:

If it’s not dropped, then the packet is sent to IP Layer, and will be processed by the IP Layer firewall: IPv4 or IPv6 ruleset. Check once again the general packet flow diagram if needed.
And for traffic that originates from the bridge itself, the base chain is
output, base command is set firewall bridge output filter ...
, and
the path is:

Custom bridge firewall chains can be created with the command set firewall bridge
name <name> ...
. In order to use such custom chain, a rule with action jump,
and the appropriate target should be defined in a base chain.
Bridge Rules
For firewall filtering, firewall rules need to be created. Each rule is numbered, has an action to apply if the rule is matched, and the ability to specify multiple matching criteria. Data packets go through the rules from 1 - 999999, so order is crucial. At the first match the action of the rule will be executed.
Actions
If a rule is defined, then an action must be defined for it. This tells the firewall what to do if all matching criterea in the rule are met.
In firewall bridge rules, the action can be:
accept
: accept the packet.
continue
: continue parsing next rule.
drop
: drop the packet.
jump
: jump to another custom chain.
return
: Return from the current chain and continue at the next rule of the last chain.
queue
: Enqueue packet to userspace.
notrack
: ignore connection tracking system. This action is only available in prerouting chain.
This required setting defines the action of the current rule. If action is set to jump, then jump-target is also needed.
If action is set to queue
, use next command to specify the queue
target. Range is also supported:
Also, if action is set to queue
, use next command to specify the queue
options. Possible options are bypass
and fanout
:
Also, default-action is an action that takes place whenever a packet does not match any rule in its’ chain. For base chains, possible options for default-action are accept or drop.
This sets the default action of the rule-set if a packet does not match
any of the rules in that chain. If default-action is set to jump
, then
default-jump-target
is also needed. Note that for base chains, default
action can only be set to accept
or drop
, while on custom chains
more actions are available.
To be used only when default-action
is set to jump
. Use this
command to specify jump target for default rule.
Note
Important note about default-actions: If the default action for any base chain is not defined, then the default action is set to accept for that chain. For custom chains, if the default action is not defined, then the default-action is set to drop.
Firewall Logs
Logging can be enable for every single firewall rule. If enabled, other log options can be defined.
Enable logging for the matched packet. If this configuration command is not present, then the log is not enabled.
Use this command to enable the logging of the default action on the specified chain.
Define log-level. Only applicable if rule log is enabled.
Define the log group to send messages to. Only applicable if rule log is enabled.
Define length of packet payload to include in netlink message. Only applicable if rule log is enabled and the log group is defined.
Firewall Description
For reference, a description can be defined for every defined custom chain.
Provide a rule-set description to a custom firewall chain.
Rule Status
When defining a rule, it is enabled by default. In some cases, it is useful to just disable the rule, rather than removing it.
Matching criteria
There are a lot of matching criteria against which the packet can be tested. Please refer to IPv4 and IPv6 matching criteria for more details.
Since bridges operats at layer 2, both matchers for IPv4 and IPv6 are supported in bridge firewall configuration. Same applies to firewall groups.
Same specific matching criteria that can be used in bridge firewall are described in this section:
Match based on the Ethernet type of the packet.
Match based on the Ethernet type of the packet when it is VLAN tagged.
Match based on VLAN identifier. Range is also supported.
Packet Modifications
Starting from VyOS-1.5-rolling-202410060007, the firewall can modify packets before they are sent out. This feaure provides more flexibility in packet handling.
Set a specific value of Differentiated Services Codepoint (DSCP).
Set a specific packet mark value.
Set the TCP-MSS (TCP maximum segment size) for the connection.
Set the TTL (Time to Live) value.
Set hop limit value.
Use IP firewall
By default, for switched traffic, only the rules defined under set firewall
bridge
are applied. There are two global-options that can be configured in
order to force deeper analysis of the packet on the IP layer. These options
are:
This command enables the IPv4 firewall for bridged traffic. If this
options is used, then packet will also be parsed by rules defined in set
firewall ipv4 ...
Operation-mode Firewall
Rule-set overview
In this section you can find all useful firewall op-mode commands.
General commands for firewall configuration, counter and statistics:
And, to print only bridge firewall information:
Show Firewall log
Example
Configuration example:
set firewall bridge forward filter default-action 'drop'
set firewall bridge forward filter default-log
set firewall bridge forward filter rule 10 action 'continue'
set firewall bridge forward filter rule 10 inbound-interface name 'eth2'
set firewall bridge forward filter rule 10 vlan id '22'
set firewall bridge forward filter rule 20 action 'drop'
set firewall bridge forward filter rule 20 inbound-interface group 'TRUNK-RIGHT'
set firewall bridge forward filter rule 20 vlan id '60'
set firewall bridge forward filter rule 30 action 'jump'
set firewall bridge forward filter rule 30 jump-target 'TEST'
set firewall bridge forward filter rule 30 outbound-interface name '!eth1'
set firewall bridge forward filter rule 35 action 'accept'
set firewall bridge forward filter rule 35 vlan id '11'
set firewall bridge forward filter rule 40 action 'continue'
set firewall bridge forward filter rule 40 destination mac-address '66:55:44:33:22:11'
set firewall bridge forward filter rule 40 source mac-address '11:22:33:44:55:66'
set firewall bridge name TEST default-action 'accept'
set firewall bridge name TEST default-log
set firewall bridge name TEST rule 10 action 'continue'
set firewall bridge name TEST rule 10 log
set firewall bridge name TEST rule 10 vlan priority '0'
And op-mode commands:
vyos@BRI:~$ show firewall bridge
Rulesets bridge Information
---------------------------------
bridge Firewall "forward filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- ---------------------------------------------------------------------
10 continue all 0 0 iifname "eth2" vlan id 22 continue
20 drop all 0 0 iifname @I_TRUNK-RIGHT vlan id 60
30 jump all 2130 170688 oifname != "eth1" jump NAME_TEST
35 accept all 2080 168616 vlan id 11 accept
40 continue all 0 0 ether daddr 66:55:44:33:22:11 ether saddr 11:22:33:44:55:66 continue
default drop all 0 0
---------------------------------
bridge Firewall "name TEST"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- --------------------------------------------------
10 continue all 2130 170688 vlan pcp 0 prefix "[bri-NAM-TEST-10-C]" continue
default accept all 2130 170688
vyos@BRI:~$
vyos@BRI:~$ show firewall bridge name TEST
Ruleset Information
---------------------------------
bridge Firewall "name TEST"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- --------------------------------------------------
10 continue all 2130 170688 vlan pcp 0 prefix "[bri-NAM-TEST-10-C]" continue
default accept all 2130 170688
vyos@BRI:~$
Inspect logs:
vyos@BRI:~$ show log firewall bridge
Dec 05 14:37:47 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102
Dec 05 14:37:48 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102
Dec 05 14:37:49 kernel: [bri-NAM-TEST-10-C]IN=eth1 OUT=eth2 ARP HTYPE=1 PTYPE=0x0800 OPCODE=1 MACSRC=50:00:00:04:00:00 IPSRC=10.11.11.101 MACDST=00:00:00:00:00:00 IPDST=10.11.11.102
...
vyos@BRI:~$ show log firewall bridge forward filter
Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0
Dec 05 14:42:22 kernel: [bri-FWD-filter-default-D]IN=eth2 OUT=eth1 MAC=33:33:00:00:00:16:50:00:00:06:00:00:86:dd SRC=0000:0000:0000:0000:0000:0000:0000:0000 DST=ff02:0000:0000:0000:0000:0000:0000:0016 LEN=96 TC=0 HOPLIMIT=1 FLOWLBL=0 PROTO=ICMPv6 TYPE=143 CODE=0