path: root/docs/configuration/firewall/flowtables.rst
author    whyrlpool <26317568+whyrlpool@users.noreply.github.com>  2024-07-03 17:26:08 +0100
committer GitHub <noreply@github.com>  2024-07-03 17:26:08 +0100
commit    8214ffe4c61f6a14bddf2fed43bff915f2503c6f (patch)
tree      60459549f090c5a2cf6c1eabf66eaed2e60371d6 /docs/configuration/firewall/flowtables.rst
parent    63ee8dfafac3f9aef13d9e25b21216443d02c258 (diff)
proofread and update firewall docs
Diffstat (limited to 'docs/configuration/firewall/flowtables.rst')
-rw-r--r--  docs/configuration/firewall/flowtables.rst  26
1 files changed, 13 insertions, 13 deletions
diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst
index ae95a85f..915bf39d 100644
--- a/docs/configuration/firewall/flowtables.rst
+++ b/docs/configuration/firewall/flowtables.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2024-06-20
+:lastproofread: 2024-07-02
.. _firewall-flowtables-configuration:
@@ -12,12 +12,12 @@ Flowtables Firewall Configuration
Overview
********
-In this section there's useful information of all firewall configuration that
+In this section there's useful information on all firewall configuration that
can be done regarding flowtables.
.. cfgcmd:: set firewall flowtables ...
-From main structure defined in
+From the main structure defined in
:doc:`Firewall Overview</configuration/firewall/index>`
in this section you can find detailed information only for the next part
of the general structure:
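Review bot: the trailing context of this hunk still carries an awkward phrase that a proofread pass should catch: "detailed information only for the next part of the general structure". Suggest "detailed information only for the following part of the general structure", which reads naturally ahead of the tree fragment that follows.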
@@ -30,7 +30,7 @@ of the general structure:
+ ...
-Flowtables allows you to define a fastpath through the flowtable datapath.
+Flowtables allow you to define a fastpath through the flowtable datapath.
The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP
and UDP protocols.
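Review bot: the "Flowtables allow" fix leaves the ungrammatical sentence in the unchanged context untouched: "The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP and UDP protocols." Suggest "The flowtable supports the layer 3 protocols IPv4 and IPv6 and the layer 4 protocols TCP and UDP."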
@@ -107,10 +107,10 @@ Things to be considered in this setup:
* Minimum firewall ruleset is provided, which includes some filtering rules,
and appropriate rules for using flowtable offload capabilities.
-As described, first packet will be evaluated by all the firewall path, so
+As described, the first packet will be evaluated by the firewall path, so a
desired connection should be explicitly accepted. Same thing should be taken
into account for traffic in reverse order. In most cases state policies are
-used in order to accept connection in reverse patch.
+used in order to accept a connection in the reverse path.
We will only accept traffic coming from interface eth0, protocol tcp and
destination port 1122. All other traffic trespassing the router should be
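Review bot: dropping "all" from "evaluated by all the firewall path" loses the point the sentence makes, namely that the first packet of a flow traverses the full (traditional) firewall path and only later packets are offloaded. Suggest "the first packet will be evaluated by the full firewall path, so a desired connection must be explicitly accepted." In the same hunk, "traffic in reverse order" is unclear; "traffic in the reverse direction" matches the "reverse path" wording introduced two lines below.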
@@ -142,7 +142,7 @@ Explanation
Analysis on what happens for desired connection:
- 1. First packet is received on eth0, with destination address 192.0.2.100,
+ 1. Firstly, a packet is received on eth0, with destination address 192.0.2.100,
protocol tcp and destination port 1122. Assume such destination address is
reachable through interface eth1.
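Review bot: replacing "First packet is received" with "Firstly, a packet is received" changes the meaning rather than the grammar. Step 1 describes the first packet of the connection, the one with no conntrack entry that therefore goes through the whole ruleset; "Firstly" only restates the list position, and the later steps still refer to "the second packet for this connection". Suggest "The first packet of the connection is received on eth0, with destination address 192.0.2.100, ...".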
@@ -151,22 +151,22 @@ Analysis on what happens for desired connection:
3. Rule 110 is hit, so connection is accepted.
- 4. Once answer from server 192.0.2.100 is seen in opposite direction,
+ 4. Once an answer from server 192.0.2.100 is seen in opposite direction,
connection state will be triggered to **established**, so this reply is
accepted in rule 20.
- 5. Second packet for this connection is received by the router. Since
+ 5. The second packet for this connection is received by the router. Since
connection state is **established**, then rule 10 is hit, and a new entry
in the flowtable FT01 is added for this connection.
- 6. All the following packets will skip traditional path, and will be offloaded
- and will use the **Fast Path**.
+ 6. All the following packets will skip the traditional path, will be
+ offloaded and use the **Fast Path**.
Checks
------
-It's time to check conntrack table, to see if any connection was accepted,
-and if was properly offloaded
+It's time to check the conntrack table, to see if any connections were accepted,
+and if it was properly offloaded
.. code-block:: none
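Review bot: the new wording in the Checks paragraph mixes number: "to see if any connections were accepted, and if it was properly offloaded". Suggest "to see whether any connection was accepted, and whether it was properly offloaded". The step 4 to 6 changes earlier in the hunk read fine.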