Vyatta documentation

security firewall name <name> rule <rule-number> destination <destination>

Defines the destination address, MAC address, or destination port for a firewall rule.

set security firewall name name rule rule-number destination { address address | mac-address address | port port }
delete security firewall name name rule rule-number destination [ address | mac-address | port ]
show security firewall name name rule rule-number destination
name
The name of a firewall rule set.
rule-number
The numeric identifier of a rule. The identifier ranges from 1 through 9999.
address address
Specifies a destination address to match. Address formats are as follows:

ip-address: An IPv4 address.

ip-address/prefix: An IPv4 network address, where 0.0.0.0/0 matches any network.

ip-address-ip-address: A range of contiguous IP addresses; for example, 192.168.1.1-192.168.1.150.

!ip-address: All IPv4 addresses except the one specified.

!ip-address/prefix: All IPv4 network addresses except the one specified.

ipv6-address: An IPv6 address; for example, fe80::20c:29fe:fe47:f89.

ipv6-address/prefix: An IPv6 network address, where ::/0 matches any network; for example, fe80::20c:29fe:fe47:f88/64.

!ipv6-address: All IPv6 addresses except the one specified.

!ipv6-address/prefix: All IPv6 network addresses except the one specified.

!ip-address-ip-address: All IP addresses except those in the specified range.

address-group: The name of an address group containing a list of addresses to match.

When both an address and a port are specified, the packet is considered a match only if both the address and the port match.

mac-address address
Matches the media access control (MAC) address in the destination address. The address format is six 8-bit numbers, separated by colons, in hexadecimal; for example, 00:0a:59:9a:f2:ba.
port port
Specifies a destination port to match. Port formats are as follows:

port-name: The name of an IP service; for example, http. You can specify any service name in the /etc/services file.

port-number: A port number. The number ranges from 1 through 65535.

start-end: A range of ports; for example, 1001-1005.

port-group: The name of a port group containing a list of ports to match.

When both an address and a port are specified, the packet is considered a match only if both the address and the port match.
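As an added illustration that is not part of the Vyatta documentation, the following Python evaluator implements the destination address and port formats described above (host, ip/prefix, ip-ip range, leading "!" negation, service name, port number, start-end range) together with the both-must-match rule. It assumes a constructed stand-in for the /etc/services lookup and leaves out address-group and port-group, which would need the group definitions; treating the other address family as never matching is likewise an assumption.

```python
import ipaddress

# Constructed stand-in for the /etc/services lookup the documentation refers to.
SERVICES = {"http": 80, "https": 443, "ssh": 22}

def _parse_address_spec(text):
    """Parse host, network (ip/prefix) or range (ip-ip) into a tagged tuple."""
    if "-" in text:  # range lo-hi; IPv6 uses ':' so '-' is unambiguous here
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {text}")
        return ("range", lo, hi)
    if "/" in text:  # network, e.g. 0.0.0.0/0 or ::/0 matches any address
        return ("net", ipaddress.ip_network(text, strict=False))
    return ("host", ipaddress.ip_address(text))

def address_matches(spec, dst):
    """True if destination address `dst` matches `spec`; a leading '!' negates."""
    negate = spec.startswith("!")
    kind, *parts = _parse_address_spec(spec.lstrip("!"))
    addr = ipaddress.ip_address(dst)
    if addr.version != parts[0].version:  # assumption: other family never matches
        return False
    if kind == "range":
        hit = parts[0] <= addr <= parts[1]
    elif kind == "net":
        hit = addr in parts[0]
    else:
        hit = addr == parts[0]
    return hit != negate

def port_matches(spec, dst_port):
    """True if `dst_port` matches a service name, a single port or a start-end range."""
    if spec in SERVICES:
        return dst_port == SERVICES[spec]
    lo, hi = (int(p) for p in spec.split("-", 1)) if "-" in spec else (int(spec),) * 2
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec: {spec}")
    return lo <= dst_port <= hi

def destination_matches(rule, dst_ip, dst_port):
    """Rule dict with optional 'address'/'port' keys; both must match when both are set."""
    if "address" in rule and not address_matches(rule["address"], dst_ip):
        return False
    if "port" in rule and not port_matches(rule["port"], dst_port):
        return False
    return True
```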

Configuration mode

security {
    firewall {
        name name {
            rule rule-number {
                destination {
                    address address
                    mac-address address
                    port port
                }
            }
        }
    }
}

Use the set form of this command to define a destination address, MAC address, or destination port within a firewall rule.

Use the delete form of this command to delete a destination address, MAC address, or destination port from a firewall rule.

Use the show form of this command to display the destination address, MAC address, or destination port configured within a firewall rule.