author: Christian Poessinger <christian@poessinger.com> 2019-09-17 05:39:01 +0200
committer: GitHub <noreply@github.com> 2019-09-17 05:39:01 +0200
commit: 6ae968116ca045551133b1623788f917ce20b1b2 (patch)
tree: a87010c1baf88603834693cbc5067a83e01c71a1
parent: 5468ffd289770021b3f57cfac4cea8ed8085de29 (diff)
parent: 8a9b0b66cce423835674674daf44f2d00f4abe00 (diff)
Merge pull request #105 from currite/openvpn_reneg
Openvpn reneg
-rw-r--r-- docs/firewall.rst 23
-rw-r--r-- docs/vpn/openvpn.rst 4
2 files changed, 26 insertions, 1 deletion
diff --git a/docs/firewall.rst b/docs/firewall.rst
index f41bbcbb..f875ad12 100644
--- a/docs/firewall.rst
+++ b/docs/firewall.rst
@@ -102,6 +102,27 @@ first be created):
set zone-policy zone INSIDE from OUTSIDE firewall name INSIDE-OUT
+How VyOS replies when being pinged
+----------------------------------
+
+By default, when VyOS receives an ICMP echo request packet destined for itself, it will answer with an ICMP echo reply, unless you avoid it through its firewall.
+
+With the firewall you can set rules to accept, drop or reject ICMP in, out or local traffic. You can also use the general **firewall all-ping** command. This command affects only to LOCAL (packets destined for your VyOS system), not to IN or OUT traffic.
+
+.. note:: **firewall all-ping** affects only to LOCAL and it always behaves in the most restrictive way
+
+.. code-block:: sh
+
+ set firewall all-ping enable
+
+When the command above is set, VyOS will answer every ICMP echo request addressed to itself, but that will only happen if no other rule is applied droping or rejecting local echo requests. In case of conflict, VyOS will not answer ICMP echo requests.
+
+.. code-block:: sh
+
+ set firewall all-ping disable
+
+When the comand above is set, VyOS will answer no ICMP echo request addressed to itself at all, no matter where it comes from or whether more specific rules are being applied to accept them.
+
Example Partial Config
----------------------
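Review bot: Several wording and spelling slips in the new section should be fixed before merge: "affects only to LOCAL" (in the paragraph and again in the note) should read "applies only to LOCAL", "droping" should be "dropping", and "comand" should be "command"; the note line is also missing a terminating period. The opening paragraph says VyOS answers echo requests by default and the `enable` paragraph describes that same behaviour, so if `enable` is the stock setting, say so explicitly next to `set firewall all-ping enable`, so readers know `disable` is the only value that changes default behaviour. Consider rendering `firewall all-ping` as literal text rather than bold, since it is a CLI keyword and not emphasis.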
@@ -170,4 +191,4 @@ Example Partial Config
}
}
}
- } \ No newline at end of file
+ }
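Review bot: Whitespace-only change that adds the missing newline at end of file; nothing to fix here, though it would be cleaner in its own commit than bundled with the new ICMP section.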
diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst
index 84dfec6d..e252d016 100644
--- a/docs/vpn/openvpn.rst
+++ b/docs/vpn/openvpn.rst
@@ -175,6 +175,10 @@ First we need to specify the basic settings. 1194/UDP is the default. The
`persistent-tunnel` option is recommended, it prevents the TUN/TAP device from
closing on connection resets or daemon reloads.
+
+.. note:: Using **openvpn-option -reneg-sec** can be tricky. This option is used to renegotiate data channel after n seconds. When used at both server and client, the lower value will trigger the renegotiation. If you set it to 0 on one side of the connection (to disable it), the chosen value on the other side will determine when the renegotiation will occur.
+
+
.. code-block:: sh
set interfaces openvpn vtun10 mode server
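Review bot: The option is written as `-reneg-sec` with a single leading dash; OpenVPN's option is `--reneg-sec`, so spell it out as the full string a user would pass through `openvpn-option` (`--reneg-sec <seconds>`) to avoid confusion. The sentence "renegotiate data channel after n seconds" should say it renegotiates the data channel key after n seconds, and the note should also cover the case the hunk implies but does not state: since 0 disables the timer on that side and the other side's value then governs, setting 0 on both peers means no periodic renegotiation at all, which is the configuration readers most need to be warned about. On placement, the note is inserted between the paragraph "First we need to specify the basic settings" and the code block it introduces, and the two added blank lines after it are one more than needed; moving the note below the `set interfaces openvpn vtun10 ...` block keeps the explanation next to its example.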