VTYSH extensions. Zones and firewall


Preliminary version.

30.08.2023


Contents

Changelog
Debug / informational commands
Configuration commands
Zone based IPv4 firewall settings


Changelog

24.07.2023 - Added the „log syslog“ command to log all matched packets to the system log.

24.07.2023 - Removed the non-existent logging part from the „drop invalid“ command.

02.08.2023 - Table of contents added.

30.08.2023 - Added the „show <ip|ipv6> firewall rules“ command.

Debug / informational commands

** show <ip|ipv6> firewall forward zone WORD **

Show port forwarding rules of the IPv4 or IPv6 firewall for the zone named WORD (e.g. Wan). Command exists in enable mode.

** show <ip|ipv6> firewall nat source zone WORD **

Show the IPv4 or IPv6 firewall source NAT rules for the zone named WORD (e.g. Wan). Command exists in enable mode.

** show <ip|ipv6> firewall rules zone WORD **

Show the IPv4 or IPv6 firewall incoming traffic processing rules for the zone named WORD (e.g. Wan). Command exists in enable mode.

** show <ip|ipv6> firewall rules **

Display the currently installed firewall rule list. Requires the maximal privilege level.

Configuration commands

** start <ip|ipv6> firewall **

Start the IPv4 or IPv6 firewall.

** no start <ip|ipv6> firewall **

Stop the IPv4 or IPv6 firewall.

** no <ip|ipv6> firewall **

Remove the IPv4 or IPv6 firewall settings.

** <ip|ipv6> firewall **

Enter IPv4 or IPv6 firewall configuration mode. All commands below, up to the <exit|end|quit> command, exist in this mode.

The same command set is used for both the IPv4 and the IPv6 firewall. Keep in mind the A.B.C.D notation for IPv4 addresses and X:X::X:X for IPv6.

** <input|output|forward> policy <permit|deny|reject> [log] **

Set the default policy for processing incoming, outgoing or forwarding traffic. Optionally log matches to syslog.

** no <input|output|forward> policy **

Reset the policy to «permit».

** drop invalid **

Drop invalid packets (packets that fail connection-tracking validation). This command has no logging option; use ** log syslog ** to log matches.

** no drop invalid **

Do not drop invalid packets.

** log syslog **

Log all matched packets to the system log.

** no log syslog **

Do not log any matched packets to the system log.

** syn flood protect rate (1-65535) burst (1-65535) **

Enable SYN flood attack protection. Specify the normal and burst rates in packets per second (PPS). Packets over the limit are dropped.

** no syn flood protect **

Disable SYN flood attack protection.

** send netflow from IFNAME to <A.B.C.D|X:X::X:X> port (1-65535) **

Collect NetFlow data from interface IFNAME (e.g. eth0) and send it to the collector at the given IPv4 or IPv6 address and port number.

** no send netflow **

Disable sending NetFlow data to the collector.

** <exit|quit|end> **

Exit, quit or end the current mode and return to the previous mode.

** no zone NAME **

Remove a zone (interface group), e.g. Wan or Lan.

** zone NAME **

Create a zone (interface group), e.g. Wan or Lan, and enter the ZONE node.

** interface IFNAME **

Include the interface in the zone.

** no interface IFNAME **

Exclude the interface from the zone.

Zone based IPv4 firewall settings

** <ip|ipv6> firewall **

Enter IPv4 or IPv6 firewall configuration mode. All commands below, up to the <exit|end|quit> command, exist in this mode.

Per zone settings

** <input|output|forward> policy <permit|deny|reject> [log] **

Set the zone policy for incoming, outgoing or forwarding traffic. Optionally log matches to syslog.

** no <input|output|forward> policy **

Reset the previously configured zone policy to «permit».

** fix mss output to WORD **

Fix (clamp) the TCP MSS of outgoing packets to the zone named WORD (e.g. Wan).

** no fix mss output to WORD **

Stop fixing the TCP MSS of outgoing packets to the zone named WORD (e.g. Wan).

** easy napt output to WORD **

Enable easy NAPT for outgoing packets to the zone named WORD (e.g. Wan).

** no easy napt output to WORD **

Disable easy NAPT for outgoing packets to the zone named WORD (e.g. Wan).

Port forwarding

** forward <tcp|udp> outside A.B.C.D port range (1-65535) to (1-65535) inside A.B.C.D port range (1-65535) to (1-65535) [description WORD] **

Add a port forwarding rule for port ranges and protocol TCP or UDP.

** forward <tcp|udp> outside port range (1-65535) to (1-65535) inside A.B.C.D port range (1-65535) to (1-65535) [description WORD] **

Add a port forwarding rule for port ranges and protocol TCP or UDP (any outside address).

** forward <tcp|udp> outside A.B.C.D port (1-65535) inside A.B.C.D port (1-65535) [description WORD] **

Add a port forwarding rule for single ports and protocol TCP or UDP.

** forward <tcp|udp> outside port (1-65535) inside A.B.C.D port (1-65535) [description WORD] **

Add a port forwarding rule for single ports and protocol TCP or UDP (any outside address).

** forward <tcp|udp> outside A.B.C.D port range (1-65535) to (1-65535) inside A.B.C.D port range (1-65535) to (1-65535) log [description WORD] **

Add a port forwarding rule for port ranges and protocol TCP or UDP, and log matches to syslog.

** forward <tcp|udp> outside port range (1-65535) to (1-65535) inside A.B.C.D port range (1-65535) to (1-65535) log [description WORD] **

Add a port forwarding rule for port ranges and protocol TCP or UDP (any outside address), and log matches to syslog.

** forward <tcp|udp> outside A.B.C.D port (1-65535) inside A.B.C.D port (1-65535) log [description WORD] **

Add a port forwarding rule for single ports and protocol TCP or UDP, and log matches to syslog.

** forward <tcp|udp> outside port (1-65535) inside A.B.C.D port (1-65535) log [description WORD] **

Add a port forwarding rule for single ports and protocol TCP or UDP (any outside address), and log matches to syslog.

** no forward <tcp|udp> outside A.B.C.D port range (1-65535) to (1-65535) **

Remove the port forwarding rule for this outside address and port range.

** no forward <tcp|udp> outside port range (1-65535) to (1-65535) **

Remove the port forwarding rule for this outside port range.

** no forward <tcp|udp> outside A.B.C.D port (1-65535) **

Remove the port forwarding rule for this outside address and port.

** no forward <tcp|udp> outside port (1-65535) **

Remove the port forwarding rule for this outside port.
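As an added example (not part of the VTYSH extension or its documentation), a small offline linter that checks a ** forward ** line against the eight variants above before it is typed into the router, catching out-of-range or reversed ports and malformed A.B.C.D addresses. The regex encoding of the grammar and the equal-width check for ranges are assumptions of this example, not behaviour documented by the extension.

```python
import ipaddress
import re

# The eight documented 'forward' variants collapse into one grammar: optional
# outside A.B.C.D, 'port N' or 'port range N to M' on each side, optional
# 'log', optional 'description WORD'. This regex is our own (assumed) encoding.
_FORWARD_RE = re.compile(
    r"^forward\s+(?P<proto>tcp|udp)\s+outside\s+(?:(?P<oaddr>[\d.]+)\s+)?"
    r"(?:port\s+range\s+(?P<ofrom>\d+)\s+to\s+(?P<oto>\d+)|port\s+(?P<oport>\d+))"
    r"\s+inside\s+(?P<iaddr>[\d.]+)\s+"
    r"(?:port\s+range\s+(?P<ifrom>\d+)\s+to\s+(?P<ito>\d+)|port\s+(?P<iport>\d+))"
    r"(?:\s+(?P<log>log))?(?:\s+description\s+(?P<desc>\S+))?\s*$"
)

def lint_forward(line):
    """Return the problems found in one 'forward' line; an empty list means valid."""
    m = _FORWARD_RE.match(line.strip())
    if not m:
        return ["does not match any documented 'forward' variant"]
    f = m.groupdict()
    problems = []
    for side in ("oaddr", "iaddr"):  # outside address is optional, inside is not
        if f[side] is not None:
            try:
                ipaddress.IPv4Address(f[side])
            except ValueError:
                problems.append(f"{side}: {f[side]} is not a valid A.B.C.D address")
    spans = {}
    for side, (frm, to, single) in (("outside", ("ofrom", "oto", "oport")),
                                    ("inside", ("ifrom", "ito", "iport"))):
        lo, hi = (f[single], f[single]) if f[single] is not None else (f[frm], f[to])
        lo, hi = int(lo), int(hi)
        spans[side] = (lo, hi)
        for p in sorted({lo, hi}):  # report each distinct out-of-range port once
            if not 1 <= p <= 65535:
                problems.append(f"{side} port {p} is outside 1-65535")
        if lo > hi:
            problems.append(f"{side} port range {lo} to {hi} is reversed")
    # Assumed local convention: a forwarded range maps 1:1 onto a range of equal width.
    (olo, ohi), (ilo, ihi) = spans["outside"], spans["inside"]
    if ohi - olo != ihi - ilo:
        problems.append("outside and inside port ranges differ in width")
    return problems

def lint_config(text):
    """Lint every 'forward' line of a constructed config dump; returns {line: problems}."""
    return {ln.strip(): lint_forward(ln) for ln in text.splitlines()
            if ln.strip().startswith("forward ")}
```

Run `lint_config` over a saved configuration dump to find rules that the CLI would reject or that forward more than intended.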

Source NAT

** nat <tcp|udp> source A.B.C.D port range (1-65535) to (1-65535) for A.B.C.D port range (1-65535) to (1-65535) log [description WORD] **

Create a source NAT rule for protocol TCP or UDP and port ranges, and log matches to syslog.

** nat <tcp|udp> source A.B.C.D port (1-65535) for A.B.C.D port (1-65535) log [description WORD] **

Create a source NAT rule for protocol TCP or UDP and single ports, and log matches to syslog.

** nat <tcp|udp> source A.B.C.D port range (1-65535) to (1-65535) for A.B.C.D port range (1-65535) to (1-65535) [description WORD] **

Create a source NAT rule for protocol TCP or UDP and port ranges.

** no nat <tcp|udp> source A.B.C.D port range (1-65535) to (1-65535) for A.B.C.D port range (1-65535) to (1-65535) **

Remove the source NAT rule for protocol TCP or UDP and port ranges.

** nat <tcp|udp> source A.B.C.D port (1-65535) for A.B.C.D port (1-65535) [description WORD] **

Create a source NAT rule for protocol TCP or UDP and single ports.

** no nat <tcp|udp> source A.B.C.D port (1-65535) for A.B.C.D port (1-65535) **

Remove the source NAT rule for protocol TCP or UDP and single ports.

** nat <any|tcp|udp|icmp|gre> source A.B.C.D internal A.B.C.D mask (0-32) log [description WORD] **

Create a source NAT rule for protocol any, TCP, UDP, ICMP or GRE and the internal network A.B.C.D with mask (0-32), and log matches to syslog.

** nat <any|tcp|udp|icmp|gre> source A.B.C.D internal A.B.C.D mask (0-32) [description WORD] **

Create a source NAT rule for protocol any, TCP, UDP, ICMP or GRE and the internal network A.B.C.D with mask (0-32).

** no nat <any|tcp|udp|icmp|gre> source A.B.C.D internal A.B.C.D mask (0-32) **

Remove the source NAT rule for the given protocol and internal network.

Incoming traffic processing rules

** rule <permit|deny|reject> <tcp|udp> ipp2p WORD hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) log [description WORD] **

Configure a rule to permit, deny or reject incoming traffic selected by ipp2p protocol, hardware address, source and destination network, and log matches to the system log.

** rule <permit|deny|reject> <tcp|udp> ipp2p WORD hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) [description WORD] **

Configure a rule to permit, deny or reject incoming traffic selected by ipp2p protocol, hardware address, source and destination network.

** no rule <permit|deny|reject> <tcp|udp> ipp2p WORD hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) **

Remove the incoming traffic processing rule with these selectors.

** rule <permit|deny|reject> <tcp|udp> ipp2p WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) log [description WORD] **

Configure a rule to permit, deny or reject incoming traffic selected by ipp2p protocol, source and destination network, and log matches to the system log.

** rule <permit|deny|reject> <tcp|udp> ipp2p WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) [description WORD] **

Configure a rule to permit, deny or reject incoming traffic selected by ipp2p protocol, source and destination network.

** no rule <permit|deny|reject> <tcp|udp> ipp2p WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) **

Remove the incoming traffic processing rule with these selectors.

** rule <permit|deny|reject> <tcp|udp> l7 WORD hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) log [description WORD] **

Configure a rule to permit, deny or reject incoming traffic selected by layer 7 (l7) protocol, hardware address, source and destination network, and log matches to the system log.

** rule <permit|deny|reject> <tcp|udp> l7 WORD hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) [description WORD] **

Configure a rule to permit, deny or reject incoming traffic selected by layer 7 (l7) protocol, hardware address, source and destination network.

** no rule <permit|deny|reject> <tcp|udp> l7 WORD hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) **

Remove the incoming traffic processing rule with these selectors.

** rule <permit|deny|reject> <tcp|udp> l7 WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) log [description WORD] **

Configure a rule to permit, deny or reject incoming traffic selected by layer 7 (l7) protocol, source and destination network, and log matches to the system log.

** rule <permit|deny|reject> <tcp|udp> l7 WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) [description WORD] **

Configure a rule to permit, deny or reject incoming traffic selected by layer 7 (l7) protocol, source and destination network.

** no rule <permit|deny|reject> <tcp|udp> l7 WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) **

Remove the incoming traffic processing rule with these selectors.

** rule <permit|deny|reject> <tcp|udp> hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) port (1-65535) log [description WORD] **

Configure a rule to permit, deny or reject incoming TCP or UDP traffic selected by hardware address, source and destination network and port, and log matches to the system log.

** rule <permit|deny|reject> <tcp|udp> hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) port (1-65535) [description WORD] **

Configure a rule to permit, deny or reject incoming TCP or UDP traffic selected by hardware address, source and destination network and port.

** no rule <permit|deny|reject> <tcp|udp> hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) port (1-65535) **

Remove the incoming traffic processing rule with these selectors.

** rule <permit|deny|reject> <tcp|udp> source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) port (1-65535) log [description WORD] **

Configure a rule to permit, deny or reject incoming TCP or UDP traffic selected by source and destination network and port, and log matches to the system log.

** rule <permit|deny|reject> <tcp|udp> source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) port (1-65535) [description WORD] **

Configure a rule to permit, deny or reject incoming TCP or UDP traffic selected by source and destination network and port.

** no rule <permit|deny|reject> <tcp|udp> source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) port (1-65535) **

Remove the incoming traffic processing rule with these selectors.

** rule <permit|deny|reject> <any|tcp|udp|icmp|gre|esp|ah> hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) log [description WORD] **

Configure a rule to permit, deny or reject incoming traffic of the given protocol selected by hardware address, source and destination network, and log matches to the system log.

** rule <permit|deny|reject> <any|tcp|udp|icmp|gre|esp|ah> hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) [description WORD] **

Configure a rule to permit, deny or reject incoming traffic of the given protocol selected by hardware address, source and destination network.

** no rule <permit|deny|reject> <any|tcp|udp|icmp|gre|esp|ah> hw-address WORD source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) **

Remove the incoming traffic processing rule with these selectors.

** rule <permit|deny|reject> <any|tcp|udp|icmp|gre|esp|ah> source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) log [description WORD] **

Configure a rule to permit, deny or reject incoming traffic of the given protocol selected by source and destination network, and log matches to the system log.

** rule <permit|deny|reject> <any|tcp|udp|icmp|gre|esp|ah> source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) [description WORD] **

Configure a rule to permit, deny or reject incoming traffic of the given protocol selected by source and destination network.

** no rule <permit|deny|reject> <any|tcp|udp|icmp|gre|esp|ah> source A.B.C.D mask (0-32) destination A.B.C.D mask (0-32) **

Remove the incoming traffic processing rule with these selectors.

** <exit|quit|end> **

Exit, quit or end the current mode and return to the previous mode.