| Parameter |
Choices/Defaults |
Comments |
|
config
list
/ elements=dictionary
|
|
A dictionary of Firewall rule-set options.
|
|
afi
string
/ required
|
|
Specifies the type of rule-set.
|
|
rule_sets
list
/ elements=dictionary
|
|
The Firewall rule-set list.
|
|
|
default_action
string
|
Choices:
- drop
- reject
- accept
+ - jump
|
Default action for rule-set.
drop (Drop if no prior rules are hit (default))
reject (Drop and notify source if no prior rules are hit)
- accept (Accept if no prior rules are hit)
+ accept (Accept if no prior rules are hit) - jump (Jump to another rule-set, 1.4+)
+ |
+
+
+ |
+ |
+
+
+ default_jump_target
+
+
+ string
+
+ |
+
+ |
+
+ Default jump target if the default action is jump.
+ Only valid in 1.4 and later.
+ Only valid when default_action = jump.
|
|
|
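Review bot: in the default_action description the added line `accept (Accept if no prior rules are hit) - jump (Jump to another rule-set, 1.4+)` collapses two entries onto one line; the removed line had `accept (...)` on its own, so keep `accept (...)` and `jump (...)` as separate lines like `drop` and `reject` above. The new `default_jump_target` option is described as "Only valid when default_action = jump" but not as required in that case; if a target is needed whenever the default action is jump, say so in the description and consider a `required_if` entry in the argspec so a missing target fails in the module rather than at commit time.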
description
string
|
|
Rule set description.
|
|
|
enable_default_log
boolean
|
|
Option to log packets hitting default-action.
|
+
+ |
+ |
+
+
+ filter
+
+
+ string
+
+ |
+
+ Choices:
+ - input
+ - output
+ - forward
+
+ |
+
+ Filter type (exclusive to "name").
+ Supported in 1.4 and later.
+ |
+
|
|
name
string
|
|
Firewall rule set name.
+ Required for 1.3- and optional for 1.4+.
|
|
|
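Review bot: the constraint between `filter` and `name` is split across two places and stated differently: `filter` says "exclusive to "name"" while `name` says "Required for 1.3- and optional for 1.4+". State the combined rule in both descriptions (which of the two identifies a rule-set on 1.4+, whether exactly one of them is required there, and that only `name` applies on 1.3 and earlier) and back the exclusivity with a `mutually_exclusive` entry in the argspec, since the argspec cannot express the version-dependent required-ness on its own. Also "Filter type (exclusive to "name")." nests double quotes inside double quotes; use code formatting or single quotes for `name`.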
rules
list
/ elements=dictionary
|
|
A dictionary that specifies the rule-set configurations.
|
|
|
|
action
string
|
Choices:
- drop
- reject
- accept
- inspect
+ - continue
+ - return
+ - jump
+ - queue
+ - synproxy
|
Specifying the action.
+ inspect is available < 1.4
+ continue, return, jump, queue, synproxy are available >= 1.4
|
|
|
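Review bot: the two version lines added to the `action` description ("inspect is available < 1.4" and "continue, return, jump, queue, synproxy are available >= 1.4") lack terminal punctuation and use a different convention from the other 1.4 additions in this patch, which say "Only valid in 1.4 and later."; align the wording. Because the choices list is static, the argspec will accept `inspect` on 1.4+ and `synproxy` on 1.3 alike, so say whether the module rejects such combinations or leaves that to the device. It would also help to point `jump`, `queue` and `synproxy` at their companion options (`jump_target`, `queue`/`queue_options`, `synproxy`), which this patch adds further down.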
|
description
string
|
|
Description of this rule.
|
|
|
|
destination
dictionary
|
|
Specifying the destination parameters.
|
|
|
|
|
address
string
|
|
Destination ip address subnet or range.
IPv4/6 address, subnet or range to match.
Match everything except the specified address, subnet or range.
Destination ip address subnet or range.
|
|
|
|
|
group
dictionary
|
|
Destination group.
|
|
|
|
|
|
address_group
string
|
|
Group of addresses.
|
|
|
|
|
|
network_group
string
|
|
Group of networks.
|
|
|
|
|
|
port_group
string
|
|
Group of ports.
|
|
|
|
|
port
string
|
|
Multiple destination ports can be specified as a comma-separated list.
The whole list can also be "negated" using '!'.
For example:'!22,telnet,http,123,1001-1005'.
|
|
|
|
disable
boolean
|
|
Option to disable firewall rule.
+ aliased to disabled
aliases: disabled
|
|
|
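Review bot: the added line "aliased to disabled" under `disable` duplicates the `aliases: disabled` line that the documentation renderer already emits from the argspec; drop the sentence and keep only the aliases entry so the two cannot drift apart.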
|
fragment
string
|
Choices:
- match-frag
- match-non-frag
|
IP fragment match.
|
|
|
|
icmp
dictionary
|
|
ICMP type and code information.
|
|
|
|
|
code
integer
|
|
ICMP code.
|
|
|
|
|
type
integer
|
|
ICMP type.
|
|
|
|
|
type_name
string
|
Choices:
- any
- echo-reply
- destination-unreachable
- network-unreachable
- host-unreachable
- protocol-unreachable
- port-unreachable
- fragmentation-needed
- source-route-failed
- network-unknown
- host-unknown
- network-prohibited
- host-prohibited
- TOS-network-unreachable
- TOS-host-unreachable
- communication-prohibited
- host-precedence-violation
- precedence-cutoff
- source-quench
- redirect
- network-redirect
- host-redirect
- TOS-network-redirect
- TOS-host-redirect
- echo-request
- router-advertisement
- router-solicitation
- time-exceeded
- ttl-zero-during-transit
- ttl-zero-during-reassembly
- parameter-problem
- ip-header-bad
- required-option-missing
- timestamp-request
- timestamp-reply
- address-mask-request
- address-mask-reply
- ping
- pong
- ttl-exceeded
|
ICMP type-name.
|
+
+ |
+ |
+ |
+
+
+ inbound_interface
+
+
+ dictionary
+
+ |
+
+ |
+
+ Inbound interface.
+ Only valid in 1.4 and later.
+ |
+
+
+ |
+ |
+ |
+ |
+
+
+ group
+
+
+ string
+
+ |
+
+ |
+
+ Interface group.
+ |
+
+
+ |
+ |
+ |
+ |
+
+
+ name
+
+
+ string
+
+ |
+
+ |
+
+ Interface name.
+ Can have wildcards
+ |
+
+
|
|
|
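Review bot: "Can have wildcards" under `inbound_interface.name` has no terminal period and does not say what wildcard syntax is accepted or whether the module or the device expands it; give one example form in the description. The parent description "Inbound interface." should also say whether `group` and `name` may be given together or are mutually exclusive, since the argspec as shown does not prevent both.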
ipsec
string
|
Choices:
- VyOS 1.4 & older:
- match-ipsec
- match-none
- VyOS 1.5+ :
- match-ipsec-in
- match-ipsec-out
- match-none-in
- match-none-out
|
Inbound ip sec packets.
|
+
+ |
+ |
+ |
+
+
+ jump_target
+
+
+ string
+
+ |
+
+ |
+
+ Jump target if the action is jump.
+ Only valid in 1.4 and later.
+ Only valid when action = jump.
+ |
+
|
|
|
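Review bot: `jump_target` says "Only valid when action = jump." but not what happens in the other direction, a rule with `action: jump` and no `jump_target`; document whether the module validates the pair (a `required_if` on `action`) or the device rejects it at commit, and use the same wording as `default_jump_target` at rule-set level so the two read as the same constraint.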
limit
dictionary
|
|
Rate limit using a token bucket filter.
|
|
|
|
|
burst
integer
|
|
Maximum number of packets to allow in excess of rate.
|
|
|
|
|
rate
dictionary
|
|
format for rate (integer/time unit).
any one of second, minute, hour or day may be used to specify time unit.
eg. 1/second implies rule to be matched at an average of once per second.
|
|
|
|
|
|
number
integer
|
|
This is the integer value.
|
|
|
|
|
|
unit
string
|
|
This is the time unit.
|
|
|
|
log
string
|
|
- Option to log packets matching rule
+ Log matching packets.
|
|
|
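Review bot: the new `log` description "Log matching packets." reads like a boolean, but the option is typed `string`; list the accepted values in the description so users know what to pass (the removed wording "Option to log packets matching rule" did not say either).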
|
number
integer
/ required
|
|
Rule number.
|
+
+ |
+ |
+ |
+
+
+ outbound_interface
+
+
+ dictionary
+
+ |
+
+ |
+
+ Match outbound interface.
+ Only valid in 1.4 and later.
+ |
+
+
+ |
+ |
+ |
+ |
+
+
+ group
+
+
+ string
+
+ |
+
+ |
+
+ Interface group.
+ |
+
+
+ |
+ |
+ |
+ |
+
+
+ name
+
+
+ string
+
+ |
+
+ |
+
+ Interface name.
+ Can have wildcards
+ |
+
+
|
|
|
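Review bot: `outbound_interface` is described as "Match outbound interface." while `inbound_interface` says "Inbound interface."; use the same form for both, and keep the `group` and `name` sub-option text identical between the two blocks (both currently end "Can have wildcards" without a period and without naming the wildcard syntax).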
p2p
list
/ elements=dictionary
|
|
P2P application packets.
|
|
|
|
|
application
string
|
Choices:
- all
- applejuice
- bittorrent
- directconnect
- edonkey
- gnutella
- kazaa
|
Name of the application.
|
+
+ |
+ |
+ |
+
+
+ packet_length
+
+
+ list
+ / elements=dictionary
+
+ |
+
+ |
+
+ Packet length match.
+ Only valid in 1.4 and later.
+ Multiple values from 1 to 65535 and ranges are supported
+ |
+
+
+ |
+ |
+ |
+ |
+
+
+ length
+
+
+ string
+
+ |
+
+ |
+
+ Packet length or range.
+ |
+
+
+
+ |
+ |
+ |
+
+
+ packet_length_exclude
+
+
+ list
+ / elements=dictionary
+
+ |
+
+ |
+
+ Packet length match.
+ Only valid in 1.4 and later.
+ Multiple values from 1 to 65535 and ranges are supported
+ |
+
+
+ |
+ |
+ |
+ |
+
+
+ length
+
+
+ string
+
+ |
+
+ |
+
+ Packet length or range.
+ |
+
+
+
+ |
+ |
+ |
+
+
+ packet_type
+
+
+ string
+
+ |
+
+ Choices:
+ - broadcast
+ - multicast
+ - host
+ - other
+
+ |
+
+ Packet type match.
+ |
+
|
|
|
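Review bot: `packet_length_exclude` carries the same description as `packet_length` ("Packet length match. ... Multiple values from 1 to 65535 and ranges are supported"), so the reader cannot tell how they differ; the exclude variant should say it matches packets whose length is not in the listed values or ranges. Both "Multiple values ... are supported" lines need a terminal period. `packet_type` is added in the same hunk without the "Only valid in 1.4 and later." line its siblings carry; add it if it is 1.4-only too.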
protocol
string
|
|
Protocol to match (protocol name in /etc/protocols or protocol number or all).
<text> IP protocol name from /etc/protocols (e.g. "tcp" or "udp").
<0-255> IP protocol number.
tcp_udp Both TCP and UDP.
all All IP protocols.
(!)All IP protocols except for the specified name or number.
|
+
+ |
+ |
+ |
+
+
+ queue
+
+
+ string
+
+ |
+
+ |
+
+ Queue options.
+ Only valid in 1.4 and later.
+ Only valid when action = queue.
+ Can be a queue number or range.
+ |
+
+
+ |
+ |
+ |
+
+
+ queue_options
+
+
+ string
+
+ |
+
+ Choices:
+ - bypass
+ - fanout
+
+ |
+
+ Queue options.
+ Only valid in 1.4 and later.
+ Only valid when action = queue.
+ |
+
|
|
|
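Review bot: `queue` reuses the `queue_options` description "Queue options." although its own text then says "Can be a queue number or range."; lead with the queue number/range sentence and drop "Queue options." there. "Only valid when action = queue." appears on both without saying whether the module enforces it; a `required_if` for `queue` when `action` is `queue` would make a missing queue fail in the module rather than at commit.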
recent
dictionary
|
|
Parameters for matching recently seen sources.
|
|
|
|
|
count
integer
|
|
Source addresses seen more than N times.
|
|
|
|
|
time
- integer
+ string
|
|
Source addresses seen in the last N seconds.
+ Since 1.4, this is a string of second/minute/hour
|
|
|
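Review bot: changing `recent.time` from `integer` to `string` is a user-visible type change and deserves a changelog fragment alongside the doc; the added sentence "Since 1.4, this is a string of second/minute/hour" lacks a period and should show the two forms side by side (the number of seconds that the existing "seen in the last N seconds" wording describes for 1.3 and earlier, and one example of the 1.4 string form) so playbooks for either version know what to pass.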
|
source
dictionary
|
|
Source parameters.
|
|
|
|
|
address
string
|
|
Source ip address subnet or range.
IPv4/6 address, subnet or range to match.
Match everything except the specified address, subnet or range.
Source ip address subnet or range.
|
+
+ |
+ |
+ |
+ |
+
+
+ fqdn
+
+
+ string
+
+ |
+
+ |
+
+ Fully qualified domain name.
+ Available in 1.4 and later.
+ |
+
|
|
|
|
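Review bot: `fqdn` is added under `source` only; `destination` in this diff has no matching option, so either add it there or note in the description that FQDN matching is source-only in this module. The description should also mention that the addresses actually matched are whatever the device resolves the name to, so the rule's effect changes when the DNS answer does; that is worth a sentence for anyone using it in an accept rule.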
group
dictionary
|
|
Source group.
|
|
|
|
|
|
address_group
string
|
|
Group of addresses.
|
|
|
|
|
|
network_group
string
|
|
Group of networks.
|
|
|
|
|
|
port_group
string
|
|
Group of ports.
|
|
|
|
|
mac_address
string
|
|
<MAC address> MAC address to match.
<!MAC address> Match everything except the specified MAC address.
|
|
|
|
|
port
string
|
|
Multiple source ports can be specified as a comma-separated list.
The whole list can also be "negated" using '!'.
For example:'!22,telnet,http,123,1001-1005'.
|
|
|
|
state
dictionary
|
|
Session state.
|
|
|
|
|
established
boolean
|
|
Established state.
|
|
|
|
|
invalid
boolean
|
|
Invalid state.
|
|
|
|
|
new
boolean
|
|
New state.
|
|
|
|
|
related
boolean
|
|
Related state.
|
+
+ |
+ |
+ |
+
+
+ synproxy
+
+
+ dictionary
+
+ |
+
+ |
+
+ SYN proxy options.
+ Only valid in 1.4 and later.
+ Only valid when action = synproxy.
+ |
+
+
+ |
+ |
+ |
+ |
+
+
+ mss
+
+
+ integer
+
+ |
+
+ |
+
+ Adjust MSS (501-65535)
+ |
+
+
+ |
+ |
+ |
+ |
+
+
+ window_scale
+
+
+ integer
+
+ |
+
+ |
+
+ Window scale (1-14).
+ |
+
+
|
|
|
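Review bot: "Adjust MSS (501-65535)" under `synproxy.mss` has no terminal period, unlike "Window scale (1-14)."; also, Ansible argspecs cannot express numeric ranges, so these bounds are documentation only. Either add a range check in the module's validation or say that out-of-range values are rejected by the device at commit.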
tcp
dictionary
|
|
TCP flags to match.
|
|
|
|
|
flags
+
+ list
+ / elements=dictionary
+
+ |
+
+ |
+
+ list of tcp flags to be matched
+ 5.0 breaking change to support 1.4+ and 1.3-
+ |
+
+
+ |
+ |
+ |
+ |
+ |
+
+
+ flag
+
string
|
+ Choices:
+ - ack
+ - cwr
+ - ecn
+ - fin
+ - psh
+ - rst
+ - syn
+ - urg
+ - all
+
|
- TCP flags to be matched.
+ TCP flag to be matched.
+ syn, ack, fin, rst, urg, psh, all (1.3-)
+ syn, ack, fin, rst, urg, psh, cwr, ecn (1.4+)
+ |
+
+
+ |
+ |
+ |
+ |
+ |
+
+
+ invert
+
+
+ boolean
+
+ |
+
+
+ |
+
+ Invert the match.
|
+
|
|
|
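Review bot: the `flags` description "5.0 breaking change to support 1.4+ and 1.3-" is terse for a change of shape from a string to a list of `flag`/`invert` dictionaries; say what breaks (a plain string as the old `flags` value no longer validates against `elements=dictionary`) and record it in a changelog fragment with a version note. The per-version lines "syn, ack, fin, rst, urg, psh, all (1.3-)" and "syn, ack, fin, rst, urg, psh, cwr, ecn (1.4+)" cannot be enforced by the static choices list, so state whether the module checks them or the device does. "Invert the match." could say what it negates (the single flag in this entry), since `invert` sits inside each flag entry rather than on the list.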
time
dictionary
|
|
Time to match rule.
|
|
|
|
|
monthdays
string
|
|
Monthdays to match rule on.
|
|
|
|
|
startdate
string
|
|
Date to start matching rule.
|
|
|
|
|
starttime
string
|
|
Time of day to start matching rule.
|
|
|
|
|
stopdate
string
|
|
Date to stop matching rule.
|
|
|
|
|
stoptime
string
|
|
Time of day to stop matching rule.
|
|
|
|
|
utc
boolean
|
|
Interpret times for startdate, stopdate, starttime and stoptime to be UTC.
|
|
|
|
|
weekdays
string
|
|
Weekdays to match rule on.
|
|
running_config
string
|
|
This option is used only with state parsed.
The value of this option should be the output received from the VyOS device by executing the command show configuration commands | grep firewall.
The state parsed reads the configuration from running_config option and transforms it into Ansible structured data as per the resource module's argspec and the value is then returned in the parsed key within the result.
|
|
state
string
|
Choices:
merged ←
- replaced
- overridden
- deleted
- gathered
- rendered
- parsed
|
The state the configuration should be left in
|