path: root/doc/fw-addr-lists.md
author: Christian Hesse <mail@eworm.de> 2024-02-29 14:22:07 +0100
committer: Christian Hesse <mail@eworm.de> 2024-02-29 14:22:07 +0100
commit: 20d1ad17d75497250c0ec155b354b9180457ad44 (patch)
tree: 1ae2b6c625665a994df1f906296247e502fcd4e7 /doc/fw-addr-lists.md
parent: b9e0ffac1d5bed0d8243e9ee1467336517f8957a (diff)
parent: 62790ae091e167a1aea4c5a5fec128ee5c41ca4c (diff)
Merge branch 'fw-addr-lists' into next
Diffstat (limited to 'doc/fw-addr-lists.md')
-rw-r--r-- doc/fw-addr-lists.md 35
1 files changed, 33 insertions, 2 deletions
diff --git a/doc/fw-addr-lists.md b/doc/fw-addr-lists.md
index 5805905..6dc6b66 100644
--- a/doc/fw-addr-lists.md
+++ b/doc/fw-addr-lists.md
@@ -56,8 +56,12 @@ available in my repository and downloaded automatically. Import it manually
(menu `/certificate/`) if missing.
Create firewall rules to process the packets that are related to addresses
-from address-lists. This rejects the packets from and to ip addresses listed
-in address-list `block`.
+from address-lists.
+
+### IPv4 rules
+
+This rejects the packets from and to IPv4 addresses listed in
+address-list `block`.
/ip/firewall/filter/add chain=input src-address-list=block action=reject reject-with=icmp-admin-prohibited;
/ip/firewall/filter/add chain=forward src-address-list=block action=reject reject-with=icmp-admin-prohibited;
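Review bot: The intro sentence left above the new `### IPv4 rules` heading ("Create firewall rules to process the packets that are related to addresses from address-lists.") does not say that the rules now come as two per-protocol sets. Mention both there, for example "Create firewall rules for IPv4 and IPv6 to process the packets ...", so a reader who stops after the `/ip/firewall/filter/add` block knows the `block` list is not yet enforced for IPv6 traffic.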
@@ -85,6 +89,33 @@ Alternatively handle the packets in firewall's raw section if you prefer:
> ⚠️ **Warning**: Just again... The order of firewall rules is important. Make
> sure they actually take effect as expected!
+### IPv6 rules
+
+These are the same rules, but for IPv6.
+
+Reject packets in address-list `block`:
+
+ /ipv6/firewall/filter/add chain=input src-address-list=block action=reject reject-with=icmp-admin-prohibited;
+ /ipv6/firewall/filter/add chain=forward src-address-list=block action=reject reject-with=icmp-admin-prohibited;
+ /ipv6/firewall/filter/add chain=forward dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
+ /ipv6/firewall/filter/add chain=output dst-address-list=block action=reject reject-with=icmp-admin-prohibited;
+
+Allow packets in address-list `allow`:
+
+ /ipv6/firewall/filter/add chain=input src-address-list=allow action=accept;
+ /ipv6/firewall/filter/add chain=forward src-address-list=allow action=accept;
+ /ipv6/firewall/filter/add chain=forward dst-address-list=allow action=accept;
+ /ipv6/firewall/filter/add chain=output dst-address-list=allow action=accept;
+
+Drop packets in firewall's raw section:
+
+ /ipv6/firewall/raw/add chain=prerouting src-address-list=block action=drop;
+ /ipv6/firewall/raw/add chain=prerouting dst-address-list=block action=drop;
+ /ipv6/firewall/raw/add chain=output dst-address-list=block action=drop;
+
+> ⚠️ **Warning**: Just again... The order of firewall rules is important. Make
+> sure they actually take effect as expected!
+
---
[⬅️ Go back to main README](../README.md)
[⬆️ Go back to top](#top)
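Review bot: In the new IPv6 section, "Drop packets in firewall's raw section:" reads as one more step after the filter rules, while the IPv4 text just above this hunk presents raw as a choice ("Alternatively handle the packets in firewall's raw section if you prefer:"). Use the same "Alternatively ..." wording so readers do not install both the filter reject rules and the raw drop rules. The section also lists the `allow` accept rules after the `block` reject rules, and `add` appends, so pasting the snippets in document order puts the accepts behind the rejects. A sentence stating that the `allow` rules must sit above the `block` rules, and that a raw `drop` on `block` is evaluated before any filter `accept`, would make the repeated ordering warning concrete.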