diff options
author | Christian Hesse <mail@eworm.de> | 2024-02-29 14:22:07 +0100 |
---|---|---|
committer | Christian Hesse <mail@eworm.de> | 2024-02-29 14:22:07 +0100 |
commit | 20d1ad17d75497250c0ec155b354b9180457ad44 (patch) | |
tree | 1ae2b6c625665a994df1f906296247e502fcd4e7 /doc/fw-addr-lists.md | |
parent | b9e0ffac1d5bed0d8243e9ee1467336517f8957a (diff) | |
parent | 62790ae091e167a1aea4c5a5fec128ee5c41ca4c (diff) |
Merge branch 'fw-addr-lists' into next
Diffstat (limited to 'doc/fw-addr-lists.md')
-rw-r--r-- | doc/fw-addr-lists.md | 35 |
1 files changed, 33 insertions, 2 deletions
diff --git a/doc/fw-addr-lists.md b/doc/fw-addr-lists.md index 5805905..6dc6b66 100644 --- a/doc/fw-addr-lists.md +++ b/doc/fw-addr-lists.md @@ -56,8 +56,12 @@ available in my repository and downloaded automatically. Import it manually (menu `/certificate/`) if missing. Create firewall rules to process the packets that are related to addresses -from address-lists. This rejects the packets from and to ip addresses listed -in address-list `block`. +from address-lists. + +### IPv4 rules + +This rejects the packets from and to IPv4 addresses listed in +address-list `block`. /ip/firewall/filter/add chain=input src-address-list=block action=reject reject-with=icmp-admin-prohibited; /ip/firewall/filter/add chain=forward src-address-list=block action=reject reject-with=icmp-admin-prohibited; @@ -85,6 +89,33 @@ Alternatively handle the packets in firewall's raw section if you prefer: > ⚠️ **Warning**: Just again... The order of firewall rules is important. Make > sure they actually take effect as expected! +### IPv6 rules + +These are the same rules, but for IPv6. + +Reject packets in address-list `block`: + + /ipv6/firewall/filter/add chain=input src-address-list=block action=reject reject-with=icmp-admin-prohibited; + /ipv6/firewall/filter/add chain=forward src-address-list=block action=reject reject-with=icmp-admin-prohibited; + /ipv6/firewall/filter/add chain=forward dst-address-list=block action=reject reject-with=icmp-admin-prohibited; + /ipv6/firewall/filter/add chain=output dst-address-list=block action=reject reject-with=icmp-admin-prohibited; + +Allow packets in address-list `allow`: + + /ipv6/firewall/filter/add chain=input src-address-list=allow action=accept; + /ipv6/firewall/filter/add chain=forward src-address-list=allow action=accept; + /ipv6/firewall/filter/add chain=forward dst-address-list=allow action=accept; + /ipv6/firewall/filter/add chain=output dst-address-list=allow action=accept; + +Drop packets in firewall's raw section: + + /ipv6/firewall/raw/add chain=prerouting src-address-list=block action=drop; + /ipv6/firewall/raw/add chain=prerouting dst-address-list=block action=drop; + /ipv6/firewall/raw/add chain=output dst-address-list=block action=drop; + +> ⚠️ **Warning**: Just again... The order of firewall rules is important. Make +> sure they actually take effect as expected! + --- [⬅️ Go back to main README](../README.md) [⬆️ Go back to top](#top) |