summaryrefslogtreecommitdiff
path: root/docs/configuration/firewall/groups.rst
diff options
context:
space:
mode:
authorwhyrlpool <26317568+whyrlpool@users.noreply.github.com>2024-07-03 17:26:08 +0100
committerGitHub <noreply@github.com>2024-07-03 17:26:08 +0100
commit8214ffe4c61f6a14bddf2fed43bff915f2503c6f (patch)
tree60459549f090c5a2cf6c1eabf66eaed2e60371d6 /docs/configuration/firewall/groups.rst
parent63ee8dfafac3f9aef13d9e25b21216443d02c258 (diff)
downloadvyos-documentation-8214ffe4c61f6a14bddf2fed43bff915f2503c6f.tar.gz
vyos-documentation-8214ffe4c61f6a14bddf2fed43bff915f2503c6f.zip
proofread and update firewall docs
Diffstat (limited to 'docs/configuration/firewall/groups.rst')
-rw-r--r--docs/configuration/firewall/groups.rst19
1 files changed, 9 insertions, 10 deletions
diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst
index 6111650a..fa32b98e 100644
--- a/docs/configuration/firewall/groups.rst
+++ b/docs/configuration/firewall/groups.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2023-11-08
+:lastproofread: 2024-07-03
.. _firewall-groups-configuration:
@@ -18,8 +18,7 @@ matcher, and/or as inbound/outbound in the case of interface group.
Address Groups
==============
-In an **address group** a single IP address or IP address ranges are
-defined.
+In an **address group** a single IP address or IP address range is defined.
.. cfgcmd:: set firewall group address-group <name> address [address |
address range]
@@ -43,7 +42,7 @@ Network Groups
While **network groups** accept IP networks in CIDR notation, specific
IP addresses can be added as a 32-bit prefix. If you foresee the need
-to add a mix of addresses and networks, the network group is
+to add a mix of addresses and networks, then a network group is
recommended.
.. cfgcmd:: set firewall group network-group <name> network <CIDR>
@@ -197,9 +196,9 @@ Commands used for this task are:
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> add-address-to-group
source-address address-group <name>
-Also, specific timeout can be defined per rule. In case rule gets a hit,
-source or destinatination address will be added to the group, and this
-element will remain in the group until timeout expires. If no timeout
+Also, specific timeouts can be defined per rule. In case rule gets a hit,
+a source or destinatination address will be added to the group, and this
+element will remain in the group until the timeout expires. If no timeout
is defined, then the element will remain in the group until next reboot,
or until a new commit that changes firewall configuration is done.
@@ -324,7 +323,7 @@ A 4 step port knocking example is shown next:
set firewall ipv4 input filter rule 99 protocol 'tcp'
set firewall ipv4 input filter rule 99 source group dynamic-address-group 'ALLOWED'
-Before testing, we can check members of firewall groups:
+Before testing, we can check the members of firewall groups:
.. code-block:: none
@@ -339,7 +338,7 @@ Before testing, we can check members of firewall groups:
[edit]
vyos@vyos#
-With this configuration, in order to get ssh access to the router, user
+With this configuration, in order to get ssh access to the router, the user
needs to:
1. Generate a new TCP connection with destination port 9990. As shown next,
@@ -390,7 +389,7 @@ a new entry was added to dynamic firewall group **ALLOWED**
[edit]
vyos@vyos#
-4. Now user can connect through ssh to the router (assuming ssh is configured).
+4. Now the user can connect through ssh to the router (assuming ssh is configured).
**************
Operation-mode