Previous Employee
Posts: 10,504
Registered: 06-09-2011
Kudos: 3125
Solutions: 945
Contributions: 16

EdgeOS CLI Primer (part 2)

This post is a continuation of part 1: EdgeOS CLI Primer (part 1)

- Using edit, up, top, discard, copy, rename
First we'll create a firewall rule using the full syntax and then we'll create the same rule using edit levels to cut down the amount of repetition in the full syntax.
ubnt@ubnt# set firewall name TEST default-action drop
ubnt@ubnt# set firewall name TEST enable-default-log
ubnt@ubnt# set firewall name TEST rule 10 description "allow icmp"
ubnt@ubnt# set firewall name TEST rule 10 action accept
ubnt@ubnt# set firewall name TEST rule 10 protocol icmp
We can view our uncommitted change with compare:
ubnt@ubnt# compare
+name TEST {
+    default-action drop
+    enable-default-log
+    rule 10 {
+        action accept
+        description "allow icmp"
+        protocol icmp
+    }
+}
Now let's use discard to undo the uncommitted changes and this time create the same firewall rule using edit.
ubnt@ubnt# discard
Changes have been discarded

ubnt@ubnt# compare
No changes between working and active configurations
You'll notice while in config mode that each line begins with to indicate that you're at the top level of edit. Now let's change the edit level to create the same firewall rule as above:
ubnt@ubnt# edit firewall name TEST

ubnt@ubnt# set default-action drop

ubnt@ubnt# set enable-default-log
Now edit rule 10
ubnt@ubnt# edit rule 10
Using the "?" or tab completion will just show options for the given edit level
ubnt@ubnt# set ?
action        disable       ipsec         p2p           source        time
description   fragment      limit         protocol      state
destination   icmp          log           recent        tcp

ubnt@ubnt# set description "allow icmp"

ubnt@ubnt# set action accept

ubnt@ubnt# set protocol icmp
The compare command will now only show changes within the edit level:
ubnt@ubnt# compare

+action accept
+description "allow icmp"
+protocol icmp
We can use the up command to move up an edit level:
ubnt@ubnt# up

ubnt@ubnt# compare

+default-action drop
+enable-default-log
+rule 10 {
+    action accept
+    description "allow icmp"
+    protocol icmp
+}

ubnt@ubnt# up

ubnt@ubnt# compare

+name TEST {
+    default-action drop
+    enable-default-log
+    rule 10 {
+        action accept
+        description "allow icmp"
+        protocol icmp
+    }
+}
From any edit level we can use the top command to return to the top edit level:
ubnt@ubnt# top

ubnt@ubnt# compare

+name TEST {
+    default-action drop
+    enable-default-log
+    rule 10 {
+        action accept
+        description "allow icmp"
+        protocol icmp
+    }
+}
One of the most useful uses of edit is the copy and rename commands. Say we have the following firewall rule and want to copy it and make some changes to the copy:
ubnt@ubnt# show firewall
name WAN1_LOCAL {
    default-action drop
    rule 10 {
        action accept
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        state {
            invalid enable
        }
    }
    rule 30 {
        action accept
        destination {
            port 22
        }
        protocol tcp
    }
}

ubnt@ubnt# edit firewall
ubnt@ubnt# copy name WAN1_LOCAL to name WAN2_LOCAL
ubnt@ubnt# commit
ubnt@ubnt# top
ubnt@ubnt# show firewall
name WAN1_LOCAL {
    default-action drop
    rule 10 {
        action accept
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        state {
            invalid enable
        }
    }
    rule 30 {
        action accept
        destination {
            port 22
        }
        protocol tcp
    }
}
name WAN2_LOCAL {
    default-action drop
    rule 10 {
        action accept
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        state {
            invalid enable
        }
    }
    rule 30 {
        action accept
        destination {
            port 22
        }
        protocol tcp
    }
}
The rename command works the same way with edit:

ubnt@ubnt# edit firewall
ubnt@ubnt# rename name W
WAN1_LOCAL WAN2_LOCAL
ubnt@ubnt# rename name WAN2_LOCAL to name WAN2_IN
ubnt@ubnt# commit
ubnt@ubnt# top
ubnt@ubnt# show firewall name
name WAN1_LOCAL {
    default-action drop
    rule 10 {
        action accept
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        state {
            invalid enable
        }
    }
    rule 30 {
        action accept
        destination {
            port 22
        }
        protocol tcp
    }
}
name WAN2_IN {
    default-action drop
    rule 10 {
        action accept
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        state {
            invalid enable
        }
    }
    rule 30 {
        action accept
        destination {
            port 22
        }
        protocol tcp
    }
}
ubnt@ubnt#

Link to CLI Primer (part #3)
EdgeMAX Router Software Development
Established Member
Posts: 1,211
Registered: 06-14-2012
Kudos: 1008
Solutions: 80
Contributions: 9

Re: EdgeOS CLI Primer (part 2)

Another great command for mass-producing firewall entries is show configuration commands from OP mode. If in EDIT mode, you can use run to execute an OP mode command.

run show configuration commands


It will, as I recently discovered, respect the edit level you are at in EDIT mode.


ubnt@mrjester# edit firewall name mgmt-local

ubnt@mrjester# run show configuration commands
set 'default-action' 'drop'
set 'enable-default-log'
set 'rule' '1' 'action' 'accept'
set 'rule' '1' 'description' 'STATE-EST'
set 'rule' '1' 'state' 'established' 'enable'
set 'rule' '1' 'state' 'related' 'enable'
set 'rule' '2' 'action' 'drop'
set 'rule' '2' 'description' 'STATE-INV'
set 'rule' '2' 'log' 'enable'
set 'rule' '2' 'state' 'invalid' 'enable'
set 'rule' '10' 'action' 'accept'
set 'rule' '10' 'description' 'ICMP'
set 'rule' '10' 'limit' 'burst' '1'
set 'rule' '10' 'limit' 'rate' '10/second'
set 'rule' '10' 'log' 'enable'
set 'rule' '10' 'protocol' 'icmp'
set 'rule' '20' 'action' 'accept'
set 'rule' '20' 'description' 'Allow for mgmt'
set 'rule' '20' 'action' 'accept'
set 'rule' '20' 'description' 'http'
set 'rule' '20' 'destination' 'address' '10.0.1.1'
set 'rule' '20' 'destination' 'port' '80'
set 'rule' '20' 'log' 'enable'
set 'rule' '20' 'protocol' 'tcp'
set 'rule' '20' 'source' 'address' '10.1.0.1'
set 'rule' '20' 'source' 'port' '5000'

ubnt@mrjester#
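The two posts above show the same ruleset in two shapes: the brace-style tree that show firewall prints, and the flat set commands that run show configuration commands prints relative to the current edit level. The script below is an added example written for this page, not code from either poster or from EdgeOS: it converts a brace-style block into flat set commands and then uses that flat form to produce a reviewable, pasteable copy of a ruleset under a new name, which is the text equivalent of the copy name WAN1_LOCAL to name WAN2_LOCAL step in the primer. The input is a constructed sample modelled on the WAN1_LOCAL ruleset shown above, and the function names brace_to_set and copy_ruleset are this example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): turn the brace-style config that
# "show firewall" prints into the flat "set ..." commands that
# "run show configuration commands" prints, then use that flat form to
# generate a copy of a ruleset under a new name for review before commit.
set -eu

# Constructed sample modelled on the WAN1_LOCAL ruleset shown in the post.
SAMPLE_CONFIG='name WAN1_LOCAL {
    default-action drop
    rule 10 {
        action accept
        state {
            established enable
            related enable
        }
    }
    rule 20 {
        action drop
        state {
            invalid enable
        }
    }
    rule 30 {
        action accept
        destination {
            port 22
        }
        protocol tcp
    }
}'

# brace_to_set PREFIX
#   Reads brace-format config on stdin; prints one "set PREFIX <path> <leaf>"
#   line per leaf statement. PREFIX is the edit level the block was shown from:
#   "firewall" for "show firewall" run at the top level, "" for a block shown
#   from inside "edit firewall name X" (the same way "run show configuration
#   commands" respects the current edit level).
brace_to_set() {
  awk -v prefix="$1" '
    # Join the prefix and the current node path into one space-separated string.
    function path_str(n,    i, s) {
      s = prefix
      for (i = 1; i <= n; i++) s = (s == "" ? path[i] : s " " path[i])
      return s
    }
    {
      sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")   # strip indentation
      if ($0 == "") next
      if ($0 == "}") { depth--; next }         # closing brace: pop one node
      if ($0 ~ /[{]$/) {                       # "rule 10 {" -> push "rule 10"
        sub(/[ \t]*[{]$/, "")
        path[++depth] = $0
        next
      }
      p = path_str(depth)
      print "set " (p == "" ? "" : p " ") $0   # leaf: emit the full set command
    }'
}

# copy_ruleset OLD NEW
#   Reads brace-format firewall config (as shown from the top level) on stdin and
#   prints the set commands that recreate ruleset OLD under the name NEW. This is
#   the text form of "edit firewall; copy name OLD to name NEW": the output can be
#   diffed against the original or edited (e.g. a port changed) before it is
#   pasted into configure mode. Note: awk field splitting collapses runs of
#   spaces inside quoted values such as description strings.
copy_ruleset() {
  brace_to_set firewall |
    awk -v oldname="$1" -v newname="$2" \
      '$3 == "name" && $4 == oldname { $4 = newname; print }'
}

# Stand-alone demo.
printf '%s\n' "$SAMPLE_CONFIG" | brace_to_set firewall
echo '--- set commands for a WAN2_LOCAL copy ---'
printf '%s\n' "$SAMPLE_CONFIG" | copy_ruleset WAN1_LOCAL WAN2_LOCAL
```

Because the flat form is one statement per line, the output of copy_ruleset can be diffed against a second ruleset to confirm that a copy really is identical, or that a deliberate change (a different destination port, an added log enable) is the only difference before you commit.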