Ubiquiti – EdgeRouter – Create a Firewall Rule

To create a firewall rule, use the set or edit commands (both methods are described below). In addition, use the compare, discard, up, top, copy, and rename commands. Create a firewall rule using the full syntax:

ubnt@ubnt:~$ configure
[edit]
ubnt@ubnt# set firewall name TEST default-action drop
[edit]
ubnt@ubnt# set firewall name TEST enable-default-log
[edit]
ubnt@ubnt# set firewall name TEST rule 10 description "allow icmp"
[edit]
ubnt@ubnt# set firewall name TEST rule 10 action accept
[edit]
ubnt@ubnt# set firewall name TEST rule 10 protocol icmp
[edit]

To display uncommitted changes, use the compare command:

ubnt@ubnt# compare
[edit firewall]
+name TEST {
+ default-action drop
+ enable-default-log
+ rule 10 {
+  action accept
+  description "allow icmp"
+  protocol icmp
+ }
+}
[edit]

To undo uncommitted changes, use the discard command:

ubnt@ubnt# discard
Changes have been discarded
[edit]
ubnt@ubnt# compare
No changes between working and active configurations
[edit]

To create the same firewall rule while reducing the amount of repetition in the full syntax, use the edit command:

ubnt@ubnt# edit firewall name TEST
[edit firewall name TEST]
ubnt@ubnt# set default-action drop
[edit firewall name TEST]
ubnt@ubnt# set enable-default-log
[edit firewall name TEST]
ubnt@ubnt# edit rule 10
[edit firewall name TEST rule 10]

Press the ? or tab key to display options for the specified edit level.

ubnt@ubnt# set
action       disable      ipsec        p2p          source       time
description  fragment     limit        protocol     state
destination  icmp         log          recent       tcp
[edit firewall name TEST rule 10]
ubnt@ubnt# set description "allow icmp"
[edit firewall name TEST rule 10]
ubnt@ubnt# set action accept
[edit firewall name TEST rule 10]
ubnt@ubnt# set protocol icmp
[edit firewall name TEST rule 10]

To show changes within the edit level, use the compare command:

ubnt@ubnt# compare
[edit firewall name TEST rule 10]
+action accept
+description "allow icmp"
+protocol icmp
[edit firewall name TEST rule 10]

To move up an edit level, use the up command:

ubnt@ubnt# up
[edit firewall name TEST]
ubnt@ubnt# compare
[edit firewall name TEST]
+default-action drop
+enable-default-log
+rule 10 {
+ action accept
+ description "allow icmp"
+ protocol icmp
+}
[edit firewall name TEST]
ubnt@ubnt# up
[edit firewall]
ubnt@ubnt# compare
[edit firewall]
+name TEST {
+ default-action drop
+ enable-default-log
+ rule 10 {
+  action accept
+  description "allow icmp"
+  protocol icmp
+ }
+}
[edit firewall]

To return to the top edit level, use the top command:

ubnt@ubnt# top
[edit]
ubnt@ubnt# compare
[edit firewall]
+name TEST {
+ default-action drop
+ enable-default-log
+ rule 10 {
+  action accept
+  description "allow icmp"
+  protocol icmp
+ }
+}
[edit]

To display the existing firewall rule, use the show firewall command:

ubnt@ubnt# show firewall
name WAN1_LOCAL {
 default-action drop
 rule 10 {
  action accept
  state {
   established enable
   related enable
  }
 }
 rule 20 {
  action drop
  state {
   invalid enable
  }
 }
 rule 30 {
  action accept
  destination {
   port 22
  }
  protocol tcp
 }
}
[edit]

To create a new firewall rule from an existing firewall rule, use the copy command:

ubnt@ubnt# edit firewall
[edit firewall]
ubnt@ubnt# copy name WAN1_LOCAL to name WAN2_LOCAL
[edit firewall]
ubnt@ubnt# commit
[edit firewall]
ubnt@ubnt# top
[edit]
ubnt@ubnt# show firewall
name WAN1_LOCAL {
 default-action drop
 rule 10 {
  action accept
  state {
   established enable
   related enable
  }
 }
 rule 20 {
  action drop
  state {
   invalid enable
  }
 }
 rule 30 {
  action accept
  destination {
   port 22
  }
  protocol tcp
 }
}
name WAN2_LOCAL {
 default-action drop
 rule 10 {
  action accept
  state {
   established enable
   related enable
  }
 }
 rule 20 {
  action drop
  state {
   invalid enable
  }
 }
 rule 30 {
  action accept
  destination {
   port 22
  }
  protocol tcp
 }
}
[edit]

To change the name of the new firewall rule, use the rename command:

ubnt@ubnt# edit firewall
[edit firewall]
ubnt@ubnt# rename name W[TAB]
WAN1_LOCAL WAN2_LOCAL
[edit firewall]
ubnt@ubnt# rename name WAN2_LOCAL to name WAN2_IN
[edit firewall]
ubnt@ubnt# commit
[edit firewall]
ubnt@ubnt# top
[edit]
ubnt@ubnt# show firewall name
name WAN1_LOCAL {
 default-action drop
 rule 10 {
  action accept
  state {
   established enable
   related enable
  }
 }
 rule 20 {
  action drop
  state {
   invalid enable
  }
 }
 rule 30 {
  action accept
  destination {
   port 22
  }
  protocol tcp
 }
}
name WAN2_IN {
 default-action drop
 rule 10 {
  action accept
  state {
   established enable
   related enable
  }
 }
 rule 20 {
  action drop
  state {
   invalid enable
  }
 }
 rule 30 {
  action accept
  destination {
   port 22
  }
  protocol tcp
 }
}
[edit]
ubnt@ubnt#
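The brace-delimited text that show firewall prints is usually all an auditor gets to work from. The following Python is an added example, not part of the Ubiquiti article or of EdgeOS: it parses that format into nested dicts and reports the settings the steps above call for (default-action drop, enable-default-log) together with accept rules that, like rule 30's tcp/22 in WAN1_LOCAL, are bounded by neither a state match nor a source. The SAMPLE text is constructed from the article's WAN1_LOCAL ruleset, and the audit checks are this example's own, not an EdgeOS feature.

```python
SAMPLE = """name WAN1_LOCAL {
 default-action drop
 rule 10 {
  action accept
  state {
   established enable
  }
 }
 rule 30 {
  action accept
  destination {
   port 22
  }
  protocol tcp
 }
}
"""  # constructed sample for this added example (article's WAN1_LOCAL, rule 20 omitted)

def parse_config(text):
    stack = [{}]  # open blocks; "key LABEL {" nests under cfg[key][LABEL], "key {" under cfg[key]
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            words, block = line[:-1].split(), {}
            if len(words) == 2:                      # "name WAN1_LOCAL {" / "rule 10 {"
                stack[-1].setdefault(words[0], {})[words[1]] = block
            else:                                    # "state {"
                stack[-1][words[0]] = block
            stack.append(block)
        else:                                        # "default-action drop"; bare keyword -> True
            key, _, value = line.partition(" ")
            stack[-1][key] = value or True
    return stack[0]

def audit_ruleset(name, rs):
    findings = []
    if rs.get("default-action") != "drop":
        findings.append(f"{name}: default-action is not drop")
    if "enable-default-log" not in rs:
        findings.append(f"{name}: missing enable-default-log, dropped packets go unlogged")
    for num, rule in sorted(rs.get("rule", {}).items(), key=lambda kv: int(kv[0])):
        # an accept with no state match and no source filter admits new connections from anywhere
        if rule.get("action") == "accept" and "state" not in rule and "source" not in rule:
            port = rule.get("destination", {}).get("port", "any")
            findings.append(f"{name} rule {num}: accepts {rule.get('protocol', 'any')}/{port} from any source")
    return findings

def audit(text):
    return [f for n, rs in parse_config(text).get("name", {}).items() for f in audit_ruleset(n, rs)]
```

Paste the output of show firewall into the text argument of audit() to check every ruleset on the router at once.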
