| Parameter |
Choices/Defaults |
Comments |
|
config
list
/ elements=dictionary
|
|
A dictionary of Firewall rule-set options.
|
|
afi
string
/ required
|
|
Specifies the type of rule-set.
|
|
rule_sets
list
/ elements=dictionary
|
|
The Firewall rule-set list.
|
|
|
default_action
string
|
Choices:
- drop
- reject
- accept
- jump
|
Default action for rule-set.
drop (Drop if no prior rules are hit (default))
reject (Drop and notify source if no prior rules are hit)
accept (Accept if no prior rules are hit)
jump (Jump to another rule-set, 1.4+)
|
|
|
default_jump_target
string
|
|
Default jump target if the default action is jump.
Only valid in 1.4 and later.
Only valid when default_action = jump.
|
|
|
description
string
|
|
Rule set description.
|
|
|
enable_default_log
boolean
|
|
Option to log packets hitting default-action.
|
|
|
filter
string
|
Choices:
- input
- output
- forward
|
Filter type (exclusive to "name").
Supported in 1.4 and later.
|
|
|
name
string
|
|
Firewall rule set name.
Required for 1.3- and optional for 1.4+.
|
|
|
rules
list
/ elements=dictionary
|
|
A dictionary that specifies the rule-set configurations.
|
|
|
|
action
string
|
Choices:
- drop
- reject
- accept
- inspect
- continue
- return
- jump
+ - offload
- queue
- synproxy
|
Specifying the action.
inspect is available < 1.4
continue, return, jump, queue, synproxy are available >= 1.4
|
|
|
|
description
string
|
|
Description of this rule.
|
|
|
|
destination
dictionary
|
|
Specifying the destination parameters.
|
|
|
|
|
address
string
|
|
Destination ip address subnet or range.
IPv4/6 address, subnet or range to match.
Match everything except the specified address, subnet or range.
Destination ip address subnet or range.
|
|
|
|
|
group
dictionary
|
|
Destination group.
|
|
|
|
|
|
address_group
string
|
|
Group of addresses.
|
|
|
|
|
|
network_group
string
|
|
Group of networks.
|
|
|
|
|
|
port_group
string
|
|
Group of ports.
|
|
|
|
|
port
string
|
|
Multiple destination ports can be specified as a comma-separated list.
The whole list can also be "negated" using '!'.
For example:'!22,telnet,http,123,1001-1005'.
|
|
|
|
disable
boolean
|
|
Option to disable firewall rule.
aliased to disabled
aliases: disabled
|
|
|
|
fragment
string
|
Choices:
- match-frag
- match-non-frag
|
IP fragment match.
|
|
|
|
icmp
dictionary
|
|
ICMP type and code information.
|
|
|
|
|
code
integer
|
|
ICMP code.
|
|
|
|
|
type
integer
|
|
ICMP type.
|
|
|
|
|
type_name
string
|
Choices:
- any
- echo-reply
- destination-unreachable
- network-unreachable
- host-unreachable
- protocol-unreachable
- port-unreachable
- fragmentation-needed
- source-route-failed
- network-unknown
- host-unknown
- network-prohibited
- host-prohibited
- TOS-network-unreachable
- TOS-host-unreachable
- communication-prohibited
- host-precedence-violation
- precedence-cutoff
- source-quench
- redirect
- network-redirect
- host-redirect
- TOS-network-redirect
- TOS-host-redirect
- echo-request
- router-advertisement
- router-solicitation
- time-exceeded
- ttl-zero-during-transit
- ttl-zero-during-reassembly
- parameter-problem
- ip-header-bad
- required-option-missing
- timestamp-request
- timestamp-reply
- address-mask-request
- address-mask-reply
- ping
- pong
- ttl-exceeded
|
ICMP type-name.
|
|
|
|
inbound_interface
dictionary
|
|
Inbound interface.
Only valid in 1.4 and later.
|
|
|
|
|
group
string
|
|
Interface group.
|
|
|
|
|
name
string
|
|
Interface name.
Can have wildcards
|
|
|
|
ipsec
string
|
Choices:
- match-ipsec
- match-none
- match-ipsec-in
- match-ipsec-out
- match-none-in
- match-none-out
|
Inbound ip sec packets.
VyOS 1.4 and older match-ipsec/match-none
VyOS 1.5 and later require -in/-out suffixes
|
|
|
|
jump_target
string
|
|
Jump target if the action is jump.
Only valid in 1.4 and later.
Only valid when action = jump.
|
|
|
|
limit
dictionary
|
|
Rate limit using a token bucket filter.
|
|
|
|
|
burst
integer
|
|
Maximum number of packets to allow in excess of rate.
|
|
|
|
|
rate
dictionary
|
|
format for rate (integer/time unit).
any one of second, minute, hour or day may be used to specify time unit.
eg. 1/second implies rule to be matched at an average of once per second.
|
|
|
|
|
|
number
integer
|
|
This is the integer value.
|
|
|
|
|
|
unit
string
|
|
This is the time unit.
|
|
|
|
log
string
|
|
Option to log packets matching rule.
|
|
|
|
number
integer
/ required
|
|
Rule number.
|
+
+ |
+ |
+ |
+
+
+ offload_target
+
+
+ string
+
+ |
+
+ |
+
+ Match flowtable object.
+ |
+
|
|
|
outbound_interface
dictionary
|
|
Match outbound interface.
Only valid in 1.4 and later.
|
|
|
|
|
group
string
|
|
Interface group.
|
|
|
|
|
name
string
|
|
Interface name.
Can have wildcards
|
|
|
|
packet_length
list
/ elements=dictionary
|
|
Packet length match.
Only valid in 1.4 and later.
Multiple values from 1 to 65535 and ranges are supported
|
|
|
|
|
length
string
|
|
Packet length or range.
|
|
|
|
packet_length_exclude
list
/ elements=dictionary
|
|
Packet length match.
Only valid in 1.4 and later.
Multiple values from 1 to 65535 and ranges are supported
|
|
|
|
|
length
string
|
|
Packet length or range.
|
|
|
|
packet_type
string
|
Choices:
- broadcast
- multicast
- host
- other
|
Packet type match.
|
|
|
|
protocol
string
|
|
Protocol to match (protocol name in /etc/protocols or protocol number or all).
<text> IP protocol name from /etc/protocols (e.g. "tcp" or "udp").
<0-255> IP protocol number.
tcp_udp Both TCP and UDP.
all All IP protocols.
(!)All IP protocols except for the specified name or number.
|
|
|
|
queue
string
|
|
Queue options.
Only valid in 1.4 and later.
Only valid when action = queue.
Can be a queue number or range.
|
|
|
|
queue_options
string
|
|
Queue options.
Only valid in 1.4 and later.
Only valid when action = queue.
|
|
|
|
recent
dictionary
|
|
Parameters for matching recently seen sources.
|
|
|
|
|
count
integer
|
|
Source addresses seen more than N times.
|
|
|
|
|
time
string
|
|
Source addresses seen in the last N seconds.
Since 1.4, this is a string of second/minute/hour
|
|
|
|
source
dictionary
|
|
Source parameters.
|
|
|
|
|
address
string
|
|
Source ip address subnet or range.
IPv4/6 address, subnet or range to match.
Match everything except the specified address, subnet or range.
Source ip address subnet or range.
|
|
|
|
|
fqdn
string
|
|
Fully qualified domain name.
Available in 1.4 and later.
|
|
|
|
|
group
dictionary
|
|
Source group.
|
|
|
|
|
|
address_group
string
|
|
Group of addresses.
|
|
|
|
|
|
network_group
string
|
|
Group of networks.
|
|
|
|
|
|
port_group
string
|
|
Group of ports.
|
|
|
|
|
mac_address
string
|
|
<MAC address> MAC address to match.
<!MAC address> Match everything except the specified MAC address.
|
|
|
|
|
port
string
|
|
Multiple source ports can be specified as a comma-separated list.
The whole list can also be "negated" using '!'.
For example:'!22,telnet,http,123,1001-1005'.
|
|
|
|
state
dictionary
|
|
Session state.
|
|
|
|
|
established
boolean
|
|
Established state.
|
|
|
|
|
invalid
boolean
|
|
Invalid state.
|
|
|
|
|
new
boolean
|
|
New state.
|
|
|
|
|
related
boolean
|
|
Related state.
|
|
|
|
synproxy
dictionary
|
|
SYN proxy options.
Only valid in 1.4 and later.
Only valid when action = synproxy.
|
|
|
|
|
mss
integer
|
|
Adjust MSS (501-65535)
|
|
|
|
|
window_scale
integer
|
|
Window scale (1-14).
|
|
|
|
tcp
dictionary
|
|
TCP flags to match.
|
|
|
|
|
flags
list
/ elements=dictionary
|
|
list of tcp flags to be matched
5.0 breaking change to support 1.4+ and 1.3-
|
|
|
|
|
|
flag
string
|
Choices:
- ack
- cwr
- ecn
- fin
- psh
- rst
- syn
- urg
- all
|
TCP flag to be matched.
syn, ack, fin, rst, urg, psh, all (1.3-)
syn, ack, fin, rst, urg, psh, cwr, ecn (1.4+)
|
|
|
|
|
|
invert
boolean
|
|
Invert the match.
|
|
|
|
time
dictionary
|
|
Time to match rule.
|
|
|
|
|
monthdays
string
|
|
Monthdays to match rule on.
|
|
|
|
|
startdate
string
|
|
Date to start matching rule.
|
|
|
|
|
starttime
string
|
|
Time of day to start matching rule.
|
|
|
|
|
stopdate
string
|
|
Date to stop matching rule.
|
|
|
|
|
stoptime
string
|
|
Time of day to stop matching rule.
|
|
|
|
|
utc
boolean
|
|
Interpret times for startdate, stopdate, starttime and stoptime to be UTC.
|
|
|
|
|
weekdays
string
|
|
Weekdays to match rule on.
|
|
running_config
string
|
|
This option is used only with state parsed.
The value of this option should be the output received from the VyOS device by executing the command show configuration commands | grep firewall.
The state parsed reads the configuration from running_config option and transforms it into Ansible structured data as per the resource module's argspec and the value is then returned in the parsed key within the result.
|
|
state
string
|
Choices:
merged ← - replaced
- overridden
- deleted
- gathered
- rendered
- parsed
|
The state the configuration should be left in
|