author:    Robert Göhler <github@ghlr.de> 2024-03-06 21:07:05 +0100
committer: GitHub <noreply@github.com> 2024-03-06 21:07:05 +0100
commit:    b6a9c6f94d41ad5a6ea59986af417f053bcd64b9 (patch)
tree:      64c9182f72209fe8f9e5213aad197914bece1295
parent:    7385cfe0d42ac7c0f84bfa82ef2281cf56cccacc (diff)
parent:    be722bf1bd9b49666b1a632e07fc156f28ec225b (diff)
download:  vyos-documentation-b6a9c6f94d41ad5a6ea59986af417f053bcd64b9.tar.gz, vyos-documentation-b6a9c6f94d41ad5a6ea59986af417f053bcd64b9.zip
Merge pull request #1311 from nicolas-fort/quickstart-fwall-backport
Quickstart: manual backport to sagitta for firewall configuration in quickstart.
 docs/quick-start.rst | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/docs/quick-start.rst b/docs/quick-start.rst
index d3291070..6935e951 100644
--- a/docs/quick-start.rst
+++ b/docs/quick-start.rst
@@ -141,7 +141,7 @@ networks, addresses, ports, and domains that describe different parts of
our network. We can then use them for filtering within our firewall rulesets,
allowing for more concise and readable configuration.
-In this case, we will create two interface groups—a ``WAN`` group for our
+In this case, we will create two interface groups — a ``WAN`` group for our
interfaces connected to the public internet and a ``LAN`` group for the
interfaces connected to our internal network. Additionally, we will create a
network group, ``NET-INSIDE-v4``, that contains our internal subnet.
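Review bot: style only: the replaced line swaps the unspaced em-dash in "two interface groups—a ``WAN`` group" for a spaced one, "two interface groups — a ``WAN`` group". Whichever form the rest of quick-start.rst already uses should win here; if the file mixes both, pick one and apply it consistently rather than changing a single occurrence.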
@@ -156,7 +156,7 @@ Configure Stateful Packet Filtering
-----------------------------------
With the new firewall structure, we have have a lot of flexibility in how we
-group and order our rules, as shown by the two alternative approaches below.
+group and order our rules, as shown by the three alternative approaches below.
Option 1: Global State Policies
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
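Review bot: the unchanged context line "With the new firewall structure, we have have a lot of flexibility in how we" carries a doubled "have"; since the very next line is being edited, drop the extra word in this hunk. The change from "two" to "three" alternative approaches also needs an "Option 2" section to exist in the file, which this patch does not add (see the renaming in the next hunk), so confirm the sagitta copy already contains it.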
@@ -212,12 +212,11 @@ hooks as the first filtering rule in the respective chains:
set firewall ipv4 input filter rule 10 action 'jump'
set firewall ipv4 input filter rule 10 jump-target CONN_FILTER
-Option 2: Per-Hook Chain
+Option 3: Per-Hook Chain
^^^^^^^^^^^^^^^^^^^^^^^^
-Alternatively, instead of configuring the ``CONN_FILTER`` chain described above,
-you can take the more traditional stateful connection filtering approach by
-creating rules on each hook's chain:
+Alternatively, you can take the more traditional stateful connection
+filtering approach by creating rules on each base hook's chain:
.. code-block:: none
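Review bot: the heading is renumbered from "Option 2: Per-Hook Chain" to "Option 3: Per-Hook Chain", but nothing in this patch (5 insertions, 6 deletions, all in docs/quick-start.rst) adds an Option 2; unless the sagitta quick-start.rst already has one between Option 1 and this section, the numbering skips from 1 to 3 and the "three alternative approaches" wording in the earlier hunk is wrong. The removed sentence was also the only place telling readers that this option is used instead of the ``CONN_FILTER`` chain described above; consider keeping a short clause to that effect in the new wording ("Alternatively, instead of the ``CONN_FILTER`` chain, you can take ...") so nobody ends up configuring both the common chain and the per-hook rules.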