VTYSH extensions. Zones and firewall


Preliminary version.

30.08.2023


Contents

Changelog

Debug / informational commands

Configuration commands

Zone based IPv4 firewall settings


Changelog

24.07.2023 - Added «log syslog» command to log all matched packets to the system log.

24.07.2023 - Removed the non-existent logging part from the «drop invalid» command.

02.08.2023 - Contents added.

30.08.2023 - Added «show <ip|ipv6> firewall rules» command.

Debug / informational commands

** show <ip|ipv6> firewall forward zone WORD **
Show the port forwarding rules of the IPv4 or IPv6 firewall for the named zone (e.g. Wan). Command exists in enable mode.

** show <ip|ipv6> firewall nat source zone WORD **
Show the IPv4 or IPv6 firewall Source NAT rules for the named zone (e.g. Wan). Command exists in enable mode.

** show <ip|ipv6> firewall rules zone WORD **
Show the IPv4 or IPv6 firewall incoming traffic processing rules for the named zone (e.g. Wan). Command exists in enable mode.

** show <ip|ipv6> firewall rules **
Display the currently installed firewall rule list. Requires the maximal privilege level.

Configuration commands

** start <ip|ipv6> firewall **
Start IPv4 or IPv6 Firewall.

** no start <ip|ipv6> firewall **
Stop IPv4 or IPv6 firewall.

** no <ip|ipv6> firewall **
Remove IPv4 or IPv6 firewall settings.

** <ip|ipv6> firewall **
Enter IPv4 or IPv6 firewall configuration mode. All commands below, up to the <exit|quit|end> command, exist in this mode.


The same command set is available for the IPv4 and the IPv6 firewall; just keep in mind the A.B.C.D notation for IPv4 addresses and X:X::X:X for IPv6.


** <input|output|forward> policy <permit|deny|reject> [log] **
Set the default policy for incoming, outgoing or forwarded traffic. The optional log keyword writes matches to syslog.

** no <input|output|forward> policy **
Reset the default policy to «permit».

** drop invalid **
Drop invalid packets.

** no drop invalid **
Do not drop invalid packets.

** log syslog **
Log all matched packets to the system log.

** no log syslog **
Do not log any matched packets to the system log.

** syn flood protect rate (1-65535) burst (1-65535) **
Enable SYN packet flood attack protection. Specify the normal and burst rates in packets per second. Packets over the limit are dropped.

** no syn flood protect **
Disable SYN-packets flood attack protection.

** send netflow from IFNAME to <A.B.C.D|X:X::X:X> port (1-65535) **
Collect NetFlow data on the interface (e.g. eth0) and send it to the collector specified by IPv4 or IPv6 address and port number.

** no send netflow **
Disable netflow collector.

** <exit|quit|end> **
exit: leave the current mode and go down to the previous mode. quit: leave the current mode and go down to the previous mode. end: leave the current mode and go down to the previous mode.

** no zone NAME **
Remove zone (interface-group) (e.g. Wan or Lan).

** zone NAME **
Create zone (interface-group) (e.g. Wan or Lan). Enter ZONE node.

** interface IFNAME **
Include the interface in the zone.

** no interface IFNAME **
Exclude interface from zone.

Zone based IPv4 firewall settings

** <ip|ipv6> firewall **
Enter IPv4 or IPv6 firewall configuration mode. All commands below, up to the <exit|quit|end> command, exist in this mode.

Per zone settings

** <input|output|forward> policy <permit|deny|reject> [log] **
Set the zone policy for incoming, outgoing or forwarded traffic. The optional log keyword writes matches to syslog.

** no <input|output|forward> policy **
Reset the previously configured zone policy to «permit».

** fix mss output to WORD **
Fix MSS for outgoing packets to the named zone (e.g. Wan).

** no fix mss output to WORD **
Stop fixing MSS for outgoing packets to the named zone (e.g. Wan).

** easy napt output to WORD **
Make Easy NAPT for outgoing packets to the named zone (e.g. Wan).

** no easy napt output to WORD **
Disable Easy NAPT for outgoing packets to the named zone (e.g. Wan).

Port forwarding

** forward <tcp|udp> outside A.B.C.D port range (1-65535) to (1-65535) inside A.B.C.D port range (1-65535) to (1-65535) [description WORD] **
Add port forwarding rule for port ranges and protocol TCP or UDP.

** forward <tcp|udp> outside port range (1-65535) to (1-65535) inside A.B.C.D port range (1-65535) to (1-65535) [description WORD] **
Add port forwarding rule for port ranges and protocol TCP or UDP.

** forward <tcp|udp> outside A.B.C.D port (1-65535) inside A.B.C.D port (1-65535) [description WORD] **
Add port forwarding rule for ports and protocol TCP or UDP.

** forward <tcp|udp> outside port (1-65535) inside A.B.C.D port (1-65535) [description WORD] **
Add port forwarding rule for ports and protocol TCP or UDP.

** forward <tcp|udp> outside A.B.C.D port range (1-65535) to (1-65535) inside A.B.C.D port range (1-65535) to (1-65535) log [description WORD] **
Add port forwarding rule for port ranges and protocol TCP or UDP, and log matches to syslog.

** forward <tcp|udp> outside port range (1-65535) to (1-65535) inside A.B.C.D port range (1-65535) to (1-65535) log [description WORD] **
Add port forwarding rule for port ranges and protocol TCP or UDP, and log matches to syslog.

** forward <tcp|udp> outside A.B.C.D port (1-65535) inside A.B.C.D port (1-65535) log [description WORD] **
Add port forwarding rule for ports and protocol TCP or UDP, and log matches to syslog.

** forward <tcp|udp> outside port (1-65535) inside A.B.C.D port (1-65535) log [description WORD] **
Add port forwarding rule for ports and protocol TCP or UDP, and log matches to syslog.

** no forward <tcp|udp> outside A.B.C.D port range (1-65535) to (1-65535) **
Undo port forwarding rule.

** no forward <tcp|udp> outside port range (1-65535) to (1-65535) **
Undo port forwarding rule.

** no forward <tcp|udp> outside A.B.C.D port (1-65535) **
Undo port forwarding rule.

** no forward <tcp|udp> outside port (1-65535) **
Undo port forwarding rule.

Source NAT

** nat <tcp|udp> source A.B.C.D port range (1-65535) to (1-65535) for A.B.C.D port range (1-65535) to (1-65535) log [description WORD] **
Create source NAT rule for protocol TCP or UDP and port ranges, and log matches to syslog.


** nat <tcp|udp> source A.B.C.D port (1-65535) for A.B.C.D port (1-65535) log [description WORD] **
Create source NAT rule for protocol TCP or UDP and ports, and log matches to syslog.

** nat <tcp|udp> source A.B.C.D port range (1-65535) to (1-65535) for A.B.C.D port range (1-65535) to (1-65535) [description WORD] **
Create source NAT rule for protocol TCP or UDP and port ranges.

** no nat <tcp|udp> source A.B.C.D port range (1-65535) to (1-65535) for A.B.C.D port range (1-65535) to (1-65535) **
Undo Source NAT rule.

** nat <tcp|udp> source A.B.C.D port (1-65535) for A.B.C.D port (1-65535) [description WORD] **
Create source NAT rule for protocol TCP or UDP and ports.

** no nat <tcp|udp> source A.B.C.D port (1-65535) for A.B.C.D port (1-65535) **
Undo Source NAT rule.

** nat <any|tcp|udp|icmp|gre> source A.B.C.D internal A.B.C.D mask (0-32) log [description WORD] **
Create source NAT rule for protocol any, TCP, UDP, ICMP or GRE that translates the internal network (address and mask) to the given source address, and log matches to syslog.

** nat <any|tcp|udp|icmp|gre> source A.B.C.D internal A.B.C.D mask (0-32) [description WORD] **
Create source NAT rule for protocol any, TCP, UDP, ICMP or GRE that translates the internal network (address and mask) to the given source address.

** no nat <any|tcp|udp|icmp|gre> source A.B.C.D internal A.B.C.D mask (0-32) **
Undo Source NAT rule.

Incoming traffic processing rules

** rule <permit|deny|reject> <tcp|udp> ipp2p WORD hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) log [description WORD] **
Configure rule to deny, permit or reject incoming traffic for some protocols and log matches to system log.

** rule <permit|deny|reject> <tcp|udp> ipp2p WORD hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) [description WORD] **
Configure rule to deny, permit or reject incoming traffic for some protocols.

** no rule <permit|deny|reject> <tcp|udp> ipp2p WORD hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) **
Remove the incoming-traffic processing rule with these selectors.

** rule <permit|deny|reject> <tcp|udp> ipp2p WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) log [description WORD] **
Configure rule to deny, permit or reject incoming traffic for some protocols and log matches to system log.

** rule <permit|deny|reject> <tcp|udp> ipp2p WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) [description WORD] **
Configure rule to deny, permit or reject incoming traffic for some protocols.

** no rule <permit|deny|reject> <tcp|udp> ipp2p WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) **
Remove the incoming-traffic processing rule with these selectors.

** rule <permit|deny|reject> <tcp|udp> l7 WORD hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) log [description WORD] **
Configure rule to deny, permit or reject incoming traffic for some protocols and log matches to system log.

** rule <permit|deny|reject> <tcp|udp> l7 WORD hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) [description WORD] **
Configure rule to deny, permit or reject incoming traffic for some protocols.

** no rule <permit|deny|reject> <tcp|udp> l7 WORD hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) **
Remove the incoming-traffic processing rule with these selectors.

** rule <permit|deny|reject> <tcp|udp> l7 WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) log [description WORD] **
Configure rule to deny, permit or reject incoming traffic for some protocols and log matches to system log.

** rule <permit|deny|reject> <tcp|udp> l7 WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) [description WORD] **
Configure rule to deny, permit or reject incoming traffic for some protocols.

** no rule <permit|deny|reject> <tcp|udp> l7 WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) **
Remove the incoming-traffic processing rule with these selectors.

** rule <permit|deny|reject> <tcp|udp> hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) port (1-65535) log [description WORD] **
Configure rule to deny, permit or reject incoming traffic for some protocols and ports, and log matches to the system log.

** rule <permit|deny|reject> <tcp|udp> hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) port (1-65535) [description WORD] **
Configure rule to deny, permit or reject incoming traffic for some protocols and ports.

** no rule <permit|deny|reject> <tcp|udp> hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) port (1-65535) **
Remove the incoming-traffic processing rule with these selectors.

** rule <permit|deny|reject> <tcp|udp> source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) port (1-65535) log [description WORD] **
Configure rule to deny, permit or reject incoming traffic for some protocols and ports and log matches to system log.

** rule <permit|deny|reject> <tcp|udp> source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) port (1-65535) [description WORD] **
Configure rule to deny, permit or reject incoming traffic for some protocols and ports.

** no rule <permit|deny|reject> <tcp|udp> source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) port (1-65535) **
Remove the incoming-traffic processing rule with these selectors.

** rule <permit|deny|reject> <any|tcp|udp|icmp|gre|esp|ah> hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) log [description WORD] **
Configure rule to deny, permit or reject incoming traffic for some protocols and log matches to system log.

** rule <permit|deny|reject> <any|tcp|udp|icmp|gre|esp|ah> hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) [description WORD] **
Configure rule to deny, permit or reject incoming traffic for some protocols.

** no rule <permit|deny|reject> <any|tcp|udp|icmp|gre|esp|ah> hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) **
Remove the incoming-traffic processing rule with these selectors.

** rule <permit|deny|reject> <any|tcp|udp|icmp|gre|esp|ah> source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) log [description WORD] **
Configure rule to deny, permit or reject incoming traffic for some protocols and log matches to system log.

** rule <permit|deny|reject> <any|tcp|udp|icmp|gre|esp|ah> source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) [description WORD] **
Configure rule to deny, permit or reject incoming traffic for some protocols.

** no rule <permit|deny|reject> <any|tcp|udp|icmp|gre|esp|ah> source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) **
Remove the incoming-traffic processing rule with these selectors.

** <exit|quit|end> **
exit: leave the current mode and go down to the previous mode. quit: leave the current mode and go down to the previous mode. end: leave the current mode and go down to the previous mode.
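Putting the commands above together, as an added example that is not part of this reference: a small Python script that emits a default-deny, two-zone IPv4 firewall configuration in the documented vtysh grammar, checking every port and mask against the documented ranges before it becomes a command. Interface names (eth0, eth1), addresses (203.0.113.10, 192.168.1.0/24) and the published service are assumptions.

```python
# Added example, not from the original reference: emit a zone-based IPv4 firewall
# configuration in the vtysh grammar documented above, checking each value against
# the documented ranges first. Interface names, addresses and rules are assumptions.
import ipaddress

def port(n: int) -> int:
    # Every port field in the grammar is (1-65535).
    if not 1 <= n <= 65535:
        raise ValueError(f"port {n} outside 1-65535")
    return n

def net(addr: str, mask: int) -> str:
    # 'A.B.C.D mask (0-32)' selector: a valid IPv4 address plus a prefix length.
    ipaddress.IPv4Address(addr)  # raises ValueError on malformed input
    if not 0 <= mask <= 32:
        raise ValueError(f"mask {mask} outside 0-32")
    return f"{addr} mask {mask}"

def forward_rule(proto, outside, oport, inside, iport, desc) -> str:
    # Single-port port forwarding with 'log', so every hit leaves a syslog trail.
    return (f"forward {proto} outside {outside} port {port(oport)} "
            f"inside {inside} port {port(iport)} log description {desc}")

def build_config(wan_if="eth0", lan_if="eth1", wan_addr="203.0.113.10",
                 web_host="192.168.1.10") -> list:
    # Assumed topology: zone Wan on eth0 (203.0.113.10), zone Lan on eth1
    # (192.168.1.0/24) with one web server published on TCP 443.
    return [
        "ip firewall",
        " input policy deny log",      # the router itself is closed by default
        " forward policy deny log",    # nothing crosses zones unless a zone allows it
        " drop invalid",
        " syn flood protect rate 100 burst 200",
        " zone Wan",
        f"  interface {wan_if}",
        # Only the published service is reachable from outside; log every hit.
        f"  rule permit tcp source {net('0.0.0.0', 0)} destination "
        f"{net(wan_addr, 32)} port {port(443)} log description https",
        "  " + forward_rule("tcp", wan_addr, 443, web_host, 8443, "https"),
        "  exit",
        " zone Lan",
        f"  interface {lan_if}",
        "  forward policy permit",     # traffic arriving from Lan may be forwarded
        "  easy napt output to Wan",   # hide the Lan network behind the Wan address
        "  fix mss output to Wan",     # avoid MTU trouble on the NAT path
        "  exit",
        " exit",
        "start ip firewall",
    ]
```

Printing the returned list one line per entry gives the configuration in the order it would be typed into vtysh.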