author     whyrlpool <26317568+whyrlpool@users.noreply.github.com>  2024-07-03 17:32:28 +0100
committer  GitHub <noreply@github.com>  2024-07-03 17:32:28 +0100
commit     b88448bb7b006a92d601053b9def83e16fc28cac (patch)
tree       60459549f090c5a2cf6c1eabf66eaed2e60371d6 /docs/configuration/firewall
parent     63988391efed6c7f193c832abb649f996b8ea33a (diff)
parent     8214ffe4c61f6a14bddf2fed43bff915f2503c6f (diff)
Merge pull request #1 from whyrlpool:current
proofread and update firewall docs
Diffstat (limited to 'docs/configuration/firewall')
-rw-r--r--  docs/configuration/firewall/bridge.rst          48
-rw-r--r--  docs/configuration/firewall/flowtables.rst      26
-rw-r--r--  docs/configuration/firewall/global-options.rst  22
-rw-r--r--  docs/configuration/firewall/groups.rst          19
-rw-r--r--  docs/configuration/firewall/index.rst           26
-rw-r--r--  docs/configuration/firewall/ipv4.rst           165
-rw-r--r--  docs/configuration/firewall/ipv6.rst           167
-rw-r--r--  docs/configuration/firewall/zone.rst            18
8 files changed, 244 insertions, 247 deletions
diff --git a/docs/configuration/firewall/bridge.rst b/docs/configuration/firewall/bridge.rst
index f84fd456..2e3d3634 100644
--- a/docs/configuration/firewall/bridge.rst
+++ b/docs/configuration/firewall/bridge.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2023-11-08
+:lastproofread: 2024-07-03
.. _firewall-configuration:
@@ -12,13 +12,13 @@ Bridge Firewall Configuration
Overview
********
-In this section there's useful information of all firewall configuration that
-can be done regarding bridge, and appropriate op-mode commands.
+In this section there's useful information on all firewall configuration that
+can be done regarding bridges, and appropriate op-mode commands.
Configuration commands covered in this section:
.. cfgcmd:: set firewall bridge ...
-From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>`
+From the main structure defined in :doc:`Firewall Overview</configuration/firewall/index>`
in this section you can find detailed information only for the next part
of the general structure:
@@ -41,7 +41,7 @@ For traffic that needs to be forwarded internally by the bridge, base chain is
is **forward**, and it's base command for filtering is ``set firewall bridge
forward filter ...``, which happens in stage 4, highlighted with red color.
-Custom bridge firewall chains can be create with command ``set firewall bridge
+Custom bridge firewall chains can be created with the command ``set firewall bridge
name <name> ...``. In order to use such custom chain, a rule with action jump,
and the appropriate target should be defined in a base chain.
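Review bot: the added line `Custom bridge firewall chains can be created with the command ``set firewall bridge` runs past the 80-column wrap the rest of this file keeps; move `the command` or the opening backticks to the next line so the paragraph stays within the existing line length.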
@@ -55,9 +55,9 @@ and the appropriate target should be defined in a base chain.
Bridge Rules
************
-For firewall filtering, firewall rules needs to be created. Each rule is
+For firewall filtering, firewall rules need to be created. Each rule is
numbered, has an action to apply if the rule is matched, and the ability
-to specify multiple criteria matchers. Data packets go through the rules
+to specify multiple matching criteria. Data packets go through the rules
from 1 - 999999, so order is crucial. At the first match the action of the
rule will be executed.
@@ -65,7 +65,7 @@ Actions
=======
If a rule is defined, then an action must be defined for it. This tells the
-firewall what to do if all criteria matchers defined for such rule do match.
+firewall what to do if all matching criterea in the rule are met.
In firewall bridge rules, the action can be:
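Review bot: typo in the new line `firewall what to do if all matching criterea in the rule are met.`; "criterea" should be "criteria", so the proofread introduces a misspelling the original line did not have.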
@@ -101,7 +101,7 @@ In firewall bridge rules, the action can be:
queue <0-65535>
To be used only when action is set to ``queue``. Use this command to specify
- queue target to use. Queue range is also supported.
+ the queue target to use. Queue range is also supported.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
queue-options bypass
@@ -121,7 +121,7 @@ In firewall bridge rules, the action can be:
distribute packets between several queues.
Also, **default-action** is an action that takes place whenever a packet does
-not match any rule in it's chain. For base chains, possible options for
+not match any rule in its' chain. For base chains, possible options for
**default-action** are **accept** or **drop**.
.. cfgcmd:: set firewall bridge forward filter default-action
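Review bot: `not match any rule in its' chain.` replaces one error with another; the possessive is `its` with no apostrophe, so the line should read `not match any rule in its chain.` The same sentence is visible unchanged in the ipv4.rst hunk header (`not match any rule in it's chain`), so that file keeps the original mistake and could be fixed in the same pass.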
@@ -129,10 +129,10 @@ not match any rule in it's chain. For base chains, possible options for
.. cfgcmd:: set firewall bridge name <name> default-action
[accept | continue | drop | jump | queue | return]
- This set the default action of the rule-set if no rule matched a packet
- criteria. If default-action is set to ``jump``, then
+ This sets the default action of the rule-set if a packet does not match
+ any of the rules in that chain. If default-action is set to ``jump``, then
``default-jump-target`` is also needed. Note that for base chains, default
- action can only be set to ``accept`` or ``drop``, while on custom chain,
+ action can only be set to ``accept`` or ``drop``, while on custom chains
more actions are available.
.. cfgcmd:: set firewall bridge name <name> default-jump-target <text>
@@ -141,9 +141,9 @@ not match any rule in it's chain. For base chains, possible options for
command to specify jump target for default rule.
.. note:: **Important note about default-actions:**
- If default action for any base chain is not defined, then the default
- action is set to **accept** for that chain. For custom chains, if default
- action is not defined, then the default-action is set to **drop**.
+ If the default action for any base chain is not defined, then the default
+ action is set to **accept** for that chain. For custom chains, if the
+ default action is not defined, then the default-action is set to **drop**.
Firewall Logs
=============
@@ -155,7 +155,7 @@ log options can be defined.
.. cfgcmd:: set firewall bridge name <name> rule <1-999999> log
Enable logging for the matched packet. If this configuration command is not
- present, then log is not enabled.
+ present, then the log is not enabled.
.. cfgcmd:: set firewall bridge forward filter default-log
.. cfgcmd:: set firewall bridge name <name> default-log
@@ -170,14 +170,15 @@ log options can be defined.
log-options level [emerg | alert | crit | err | warn | notice
| info | debug]
- Define log-level. Only applicable if rule log is enable.
+ Define log-level. Only applicable if rule log is enabled.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
log-options group <0-65535>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
log-options group <0-65535>
- Define log group to send message to. Only applicable if rule log is enable.
+ Define the log group to send messages to. Only applicable if rule log is
+ enabled.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
log-options snapshot-length <0-9000>
@@ -185,15 +186,16 @@ log options can be defined.
log-options snapshot-length <0-9000>
Define length of packet payload to include in netlink message. Only
- applicable if rule log is enable and log group is defined.
+ applicable if rule log is enabled and the log group is defined.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999>
log-options queue-threshold <0-65535>
.. cfgcmd:: set firewall bridge name <name> rule <1-999999>
log-options queue-threshold <0-65535>
- Define number of packets to queue inside the kernel before sending them to
- userspace. Only applicable if rule log is enable and log group is defined.
+ Define the number of packets to queue inside the kernel before sending them
+ to userspace. Only applicable if rule log is enabled and the log group is
+ defined.
Firewall Description
====================
@@ -207,7 +209,7 @@ For reference, a description can be defined for every defined custom chain.
Rule Status
===========
-When defining a rule, it is enable by default. In some cases, it is useful to
+When defining a rule, it is enabled by default. In some cases, it is useful to
just disable the rule, rather than removing it.
.. cfgcmd:: set firewall bridge forward filter rule <1-999999> disable
diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst
index ae95a85f..915bf39d 100644
--- a/docs/configuration/firewall/flowtables.rst
+++ b/docs/configuration/firewall/flowtables.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2024-06-20
+:lastproofread: 2024-07-02
.. _firewall-flowtables-configuration:
@@ -12,12 +12,12 @@ Flowtables Firewall Configuration
Overview
********
-In this section there's useful information of all firewall configuration that
+In this section there's useful information on all firewall configuration that
can be done regarding flowtables.
.. cfgcmd:: set firewall flowtables ...
-From main structure defined in
+From the main structure defined in
:doc:`Firewall Overview</configuration/firewall/index>`
in this section you can find detailed information only for the next part
of the general structure:
@@ -30,7 +30,7 @@ of the general structure:
+ ...
-Flowtables allows you to define a fastpath through the flowtable datapath.
+Flowtables allow you to define a fastpath through the flowtable datapath.
The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP
and UDP protocols.
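Review bot: the unchanged context right below the edited line, `The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP and UDP protocols.`, has a stray "for" (`supports for the layer 3`); since this pass is a proofread of the paragraph, dropping that word here would be cheap.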
@@ -107,10 +107,10 @@ Things to be considered in this setup:
* Minimum firewall ruleset is provided, which includes some filtering rules,
and appropriate rules for using flowtable offload capabilities.
-As described, first packet will be evaluated by all the firewall path, so
+As described, the first packet will be evaluated by the firewall path, so a
desired connection should be explicitly accepted. Same thing should be taken
into account for traffic in reverse order. In most cases state policies are
-used in order to accept connection in reverse patch.
+used in order to accept a connection in the reverse path.
We will only accept traffic coming from interface eth0, protocol tcp and
destination port 1122. All other traffic trespassing the router should be
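Review bot: dropping "all" in `the first packet will be evaluated by the firewall path` loses the point the original made, namely that the first packet traverses the full ruleset while later packets are offloaded; suggest `the first packet will be evaluated by the full firewall path`.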
@@ -142,7 +142,7 @@ Explanation
Analysis on what happens for desired connection:
- 1. First packet is received on eth0, with destination address 192.0.2.100,
+ 1. Firstly, a packet is received on eth0, with destination address 192.0.2.100,
protocol tcp and destination port 1122. Assume such destination address is
reachable through interface eth1.
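Review bot: `1. Firstly, a packet is received on eth0` changes the meaning of the step. "First packet" referred to the first packet of the connection, which is what the later step `5. The second packet for this connection` in the same list builds on; "Firstly, a packet" reads as mere ordering. Suggest `1. The first packet is received on eth0, with destination address 192.0.2.100,` (which also brings the line back under the 80-column wrap used elsewhere in the file).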
@@ -151,22 +151,22 @@ Analysis on what happens for desired connection:
3. Rule 110 is hit, so connection is accepted.
- 4. Once answer from server 192.0.2.100 is seen in opposite direction,
+ 4. Once an answer from server 192.0.2.100 is seen in opposite direction,
connection state will be triggered to **established**, so this reply is
accepted in rule 20.
- 5. Second packet for this connection is received by the router. Since
+ 5. The second packet for this connection is received by the router. Since
connection state is **established**, then rule 10 is hit, and a new entry
in the flowtable FT01 is added for this connection.
- 6. All the following packets will skip traditional path, and will be offloaded
- and will use the **Fast Path**.
+ 6. All the following packets will skip the traditional path, will be
+ offloaded and use the **Fast Path**.
Checks
------
-It's time to check conntrack table, to see if any connection was accepted,
-and if was properly offloaded
+It's time to check the conntrack table, to see if any connections were accepted,
+and if it was properly offloaded
.. code-block:: none
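Review bot: number agreement is off across the two new lines, `to see if any connections were accepted, / and if it was properly offloaded`; plural "connections" followed by singular "it". Suggest `and if they were properly offloaded.` (the sentence is also still missing its full stop before the code block).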
diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst
index 7c52045e..87fb755d 100644
--- a/docs/configuration/firewall/global-options.rst
+++ b/docs/configuration/firewall/global-options.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2023-12-26
+:lastproofread: 2024-07-03
.. _firewall-global-options-configuration:
@@ -25,7 +25,7 @@ Configuration
.. cfgcmd:: set firewall global-options all-ping [enable | disable]
By default, when VyOS receives an ICMP echo request packet destined for
- itself, it will answer with an ICMP echo reply, unless you avoid it
+ itself, it will answer with an ICMP echo reply, unless you prevent it
through its firewall.
With the firewall you can set rules to accept, drop or reject ICMP in,
@@ -55,7 +55,7 @@ Configuration
.. cfgcmd:: set firewall global-options broadcast-ping [enable | disable]
- This setting enable or disable the response of icmp broadcast
+ This setting enables or disables the response to icmp broadcast
messages. The following system parameter will be altered:
* ``net.ipv4.icmp_echo_ignore_broadcasts``
@@ -63,8 +63,8 @@ Configuration
.. cfgcmd:: set firewall global-options ip-src-route [enable | disable]
.. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable]
- This setting handle if VyOS accept packets with a source route
- option. The following system parameter will be altered:
+ This setting handles if VyOS accepts packets with a source route
+ option. The following system parameters will be altered:
* ``net.ipv4.conf.all.accept_source_route``
* ``net.ipv6.conf.all.accept_source_route``
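Review bot: `This setting handles if VyOS accepts packets with a source route option.` is still awkward; "handles if" is not idiomatic. Suggest `This setting controls whether VyOS accepts packets with a source route option.`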
@@ -73,22 +73,22 @@ Configuration
.. cfgcmd:: set firewall global-options ipv6-receive-redirects
[enable | disable]
- enable or disable of ICMPv4 or ICMPv6 redirect messages accepted
- by VyOS. The following system parameter will be altered:
+ Enable or disable ICMPv4 or ICMPv6 redirect messages being accepted by
+ VyOS. The following system parameters will be altered:
* ``net.ipv4.conf.all.accept_redirects``
* ``net.ipv6.conf.all.accept_redirects``
.. cfgcmd:: set firewall global-options send-redirects [enable | disable]
- enable or disable ICMPv4 redirect messages send by VyOS
+ Enable or disable ICMPv4 redirect messages being sent by VyOS
The following system parameter will be altered:
* ``net.ipv4.conf.all.send_redirects``
.. cfgcmd:: set firewall global-options log-martians [enable | disable]
- enable or disable the logging of martian IPv4 packets.
+ Enable or disable the logging of martian IPv4 packets.
The following system parameter will be altered:
* ``net.ipv4.conf.all.log_martians``
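Review bot: the new line `Enable or disable ICMPv4 redirect messages being sent by VyOS` still ends without a full stop, unlike the neighbouring `Enable or disable the logging of martian IPv4 packets.` in the same hunk; add the period while the line is being touched.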
@@ -103,7 +103,7 @@ Configuration
.. cfgcmd:: set firewall global-options syn-cookies [enable | disable]
- Enable or Disable if VyOS use IPv4 TCP SYN Cookies.
+ Enable or disable if VyOS uses IPv4 TCP SYN Cookies.
The following system parameter will be altered:
* ``net.ipv4.tcp_syncookies``
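Review bot: `Enable or disable if VyOS uses IPv4 TCP SYN Cookies.` keeps the "disable if" construction that the rest of this file is being moved away from (compare `Enable or disable the logging of martian IPv4 packets.` above). Suggest `Enable or disable the use of IPv4 TCP SYN cookies by VyOS.`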
@@ -111,7 +111,7 @@ Configuration
.. cfgcmd:: set firewall global-options twa-hazards-protection
[enable | disable]
- Enable or Disable VyOS to be :rfc:`1337` conform.
+ Enable or Disable VyOS to be :rfc:`1337` conformant.
The following system parameter will be altered:
* ``net.ipv4.tcp_rfc1337``
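Review bot: `Enable or Disable VyOS to be :rfc:`1337` conformant.` keeps the capital "Disable" that the previous hunk in this file lowercases (`Enable or disable if VyOS uses`), and "Enable VyOS to be conformant" is still clumsy. Suggest `Enable or disable :rfc:`1337` conformant behaviour.`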
diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst
index 6111650a..fa32b98e 100644
--- a/docs/configuration/firewall/groups.rst
+++ b/docs/configuration/firewall/groups.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2023-11-08
+:lastproofread: 2024-07-03
.. _firewall-groups-configuration:
@@ -18,8 +18,7 @@ matcher, and/or as inbound/outbound in the case of interface group.
Address Groups
==============
-In an **address group** a single IP address or IP address ranges are
-defined.
+In an **address group** a single IP address or IP address range is defined.
.. cfgcmd:: set firewall group address-group <name> address [address |
address range]
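Review bot: the singular rewrite `In an **address group** a single IP address or IP address range is defined.` can be read as one entry per group, whereas the removed line (`IP address ranges are defined`) conveyed that a group holds several entries, which is how the command directly below is used. Suggest `In an **address group**, one or more IP addresses or IP address ranges are defined.`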
@@ -43,7 +42,7 @@ Network Groups
While **network groups** accept IP networks in CIDR notation, specific
IP addresses can be added as a 32-bit prefix. If you foresee the need
-to add a mix of addresses and networks, the network group is
+to add a mix of addresses and networks, then a network group is
recommended.
.. cfgcmd:: set firewall group network-group <name> network <CIDR>
@@ -197,9 +196,9 @@ Commands used for this task are:
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> add-address-to-group
source-address address-group <name>
-Also, specific timeout can be defined per rule. In case rule gets a hit,
-source or destinatination address will be added to the group, and this
-element will remain in the group until timeout expires. If no timeout
+Also, specific timeouts can be defined per rule. In case rule gets a hit,
+a source or destinatination address will be added to the group, and this
+element will remain in the group until the timeout expires. If no timeout
is defined, then the element will remain in the group until next reboot,
or until a new commit that changes firewall configuration is done.
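Review bot: the typo "destinatination" survives the proofread in `a source or destinatination address will be added to the group`; it should be "destination". In the same paragraph `In case rule gets a hit` is still missing its article, so suggest `If a rule gets a hit, the source or destination address will be added to the group, and this element will remain in the group until the timeout expires.`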
@@ -324,7 +323,7 @@ A 4 step port knocking example is shown next:
set firewall ipv4 input filter rule 99 protocol 'tcp'
set firewall ipv4 input filter rule 99 source group dynamic-address-group 'ALLOWED'
-Before testing, we can check members of firewall groups:
+Before testing, we can check the members of firewall groups:
.. code-block:: none
@@ -339,7 +338,7 @@ Before testing, we can check members of firewall groups:
[edit]
vyos@vyos#
-With this configuration, in order to get ssh access to the router, user
+With this configuration, in order to get ssh access to the router, the user
needs to:
1. Generate a new TCP connection with destination port 9990. As shown next,
@@ -390,7 +389,7 @@ a new entry was added to dynamic firewall group **ALLOWED**
[edit]
vyos@vyos#
-4. Now user can connect through ssh to the router (assuming ssh is configured).
+4. Now the user can connect through ssh to the router (assuming ssh is configured).
**************
Operation-mode
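Review bot: `4. Now the user can connect through ssh to the router (assuming ssh is configured).` is over the 80-column wrap used throughout this file; break the line before the parenthesis.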
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index daf5f116..58e3463b 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2023-11-23
+:lastproofread: 2024-07-03
########
Firewall
@@ -28,11 +28,11 @@ packet is processed at the **IP Layer**:
* **Prerouting**: All packets that are received by the router
are processed in this stage, regardless of the destination of the packet.
- Starting from vyos-1.5-rolling-202406120020, a new section was added to
- firewall configuration. There are several actions that can be done in this
- stage, and currently these actions are also defined in different parts in
- VyOS configuration. Order is important, and relevant configuration that
- acts in this stage are:
+ Starting from vyos-1.5-rolling-202406120020, a new section was added to
+ the firewall configuration. There are several actions that can be done in
+ this stage, and currently these actions are also defined in different
+ parts of the VyOS configuration. Order is important, and the relevant
+ configuration that acts in this stage are:
* **Firewall prerouting**: rules defined under ``set firewall [ipv4 |
ipv6] prerouting raw...``. All rules defined in this section are
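Review bot: subject and verb still disagree in the last new line, `Order is important, and the relevant configuration that acts in this stage are:`; "configuration ... acts" is singular, "are" is plural. Suggest `and the relevant configuration sections that act in this stage are:`, which also matches the bulleted list of sections that follows.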
@@ -50,9 +50,9 @@ packet is processed at the **IP Layer**:
* **Destination NAT**: rules defined under ``set [nat | nat66]
destination...``.
- * **Destination is the router?**: choose appropriate path based on
+ * **Destination is the router?**: choose an appropriate path based on
destination IP address. Transit forward continues to **forward**,
- while traffic that destination IP address is configured on the router
+ while traffic where the destination IP address is configured on the router
continues to **input**.
* **Input**: stage where traffic destined for the router itself can be
@@ -73,7 +73,7 @@ packet is processed at the **IP Layer**:
* **Output**: stage where traffic that originates from the router itself
can be filtered and controlled. Bear in mind that this traffic can be a
- new connection originated by a internal process running on VyOS router,
+ new connection originated by a internal process running on the VyOS router
such as NTP, or a response to traffic received externally through
**input** (for example response to an ssh login attempt to the router).
This includes ipv4 and ipv6 rules, and two different sections are present:
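Review bot: `new connection originated by a internal process running on the VyOS router` needs "an internal", and the trailing comma that separated `router` from `such as NTP, or a response to traffic received externally` was dropped, so the example now attaches to "router" rather than to the connection. Suggest `new connection originated by an internal process running on the VyOS router,`.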
@@ -181,10 +181,10 @@ Zone-based firewall
zone
With zone-based firewalls a new concept was implemented, in addition to the
-standard in and out traffic flows, a local flow was added. This local was for
-traffic originating and destined to the router itself. Which means additional
-rules were required to secure the firewall itself from the network, in
-addition to the existing inbound and outbound rules from the traditional
+standard in and out traffic flows, a local flow was added. This local flow was
+for traffic originating and destined to the router itself. Which means that
+additional rules were required to secure the firewall itself from the network,
+in addition to the existing inbound and outbound rules from the traditional
concept above.
To configure VyOS with the
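Review bot: `Which means that additional rules were required to secure the firewall itself from the network,` is still a sentence fragment after the rewrite. Either join it to the previous sentence (`... destined to the router itself, which means that additional rules ...`) or start it with `This means that`.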
diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst
index 39370c86..abae31a5 100644
--- a/docs/configuration/firewall/ipv4.rst
+++ b/docs/configuration/firewall/ipv4.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2023-11-08
+:lastproofread: 2024-07-03
.. _firewall-ipv4-configuration:
@@ -10,13 +10,13 @@ IPv4 Firewall Configuration
Overview
********
-In this section there's useful information of all firewall configuration that
+In this section there's useful information on all firewall configuration that
can be done regarding IPv4, and appropriate op-mode commands.
Configuration commands covered in this section:
.. cfgcmd:: set firewall ipv4 ...
-From main structure defined in
+From the main structure defined in
:doc:`Firewall Overview</configuration/firewall/index>`
in this section you can find detailed information only for the next part
of the general structure:
@@ -51,28 +51,28 @@ This stage includes:
* :doc:`Destination NAT</configuration/nat/nat44>`: commands found under
``set nat destination ...``
-For transit traffic, which is received by the router and forwarded, base chain
-is **forward**. A simplified packet flow diagram for transit traffic is shown
-next:
+For transit traffic, which is received by the router and forwarded, the base
+chain is **forward**. A simplified packet flow diagram for transit traffic is
+shown next:
.. figure:: /_static/images/firewall-fwd-packet-flow.png
-Firewall base chain to configure firewall filtering rules for transit traffic
+The base firewall chain to configure filtering rules for transit traffic
is ``set firewall ipv4 forward filter ...``, which happens in stage 5,
-highlighted with red color.
+highlighted in the color red.
-For traffic towards the router itself, base chain is **input**, while traffic
-originated by the router, base chain is **output**.
+For traffic towards the router itself, the base chain is **input**, while
+traffic originated by the router has the base chain **output**.
A new simplified packet flow diagram is shown next, which shows the path
for traffic destined to the router itself, and traffic generated by the
router (starting from circle number 6):
.. figure:: /_static/images/firewall-input-packet-flow.png
-Base chain for traffic towards the router is ``set firewall ipv4 input
+The base chain for traffic towards the router is ``set firewall ipv4 input
filter ...``
-And base chain for traffic generated by the router is ``set firewall ipv4
+And the base chain for traffic generated by the router is ``set firewall ipv4
output ...``, where two sub-chains are available: **filter** and **raw**:
* **Output Prerouting**: ``set firewall ipv4 output raw ...``.
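Review bot: `highlighted in the color red.` is wordier than the original; `highlighted in red.` is enough. In the same hunk `traffic originated by the router has the base chain **output**` reads oddly next to `the base chain is **input**`; suggest `while for traffic originated by the router the base chain is **output**.`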
@@ -82,9 +82,9 @@ output ...``, where two sub-chains are available: **filter** and **raw**:
in this section are processed after connection tracking subsystem.
.. note:: **Important note about default-actions:**
- If default action for any base chain is not defined, then the default
- action is set to **accept** for that chain. For custom chains, if default
- action is not defined, then the default-action is set to **drop**
+ If a default action for any base chain is not defined, then the default
+ action is set to **accept** for that chain. For custom chains, if the
+ default action is not defined, then the default-action is set to **drop**
Custom firewall chains can be created, with commands
``set firewall ipv4 name <name> ...``. In order to use
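Review bot: the rewritten note still ends without a full stop (`then the default-action is set to **drop**`), while the identical note in bridge.rst in this same PR and the second copy later in this file both end with one; add the period so the three copies match.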
@@ -95,9 +95,9 @@ should be defined in a base chain.
Firewall - IPv4 Rules
*********************
-For firewall filtering, firewall rules needs to be created. Each rule is
+For firewall filtering, firewall rules need to be created. Each rule is
numbered, has an action to apply if the rule is matched, and the ability
-to specify multiple criteria matchers. Data packets go through the rules
+to specify multiple matching criteria. Data packets go through the rules
from 1 - 999999, so order is crucial. At the first match the action of the
rule will be executed.
@@ -105,7 +105,7 @@ Actions
=======
If a rule is defined, then an action must be defined for it. This tells the
-firewall what to do if all criteria matchers defined for such rule do match.
+firewall what to do if all of the criteria defined for that rule match.
The action can be :
@@ -135,8 +135,8 @@ The action can be :
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action
[accept | continue | drop | jump | queue | reject | return]
- This required setting defines the action of the current rule. If action is
- set to jump, then jump-target is also needed.
+ This required setting defines the action of the current rule. If the action
+ is set to jump, then a jump-target is also needed.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
jump-target <text>
@@ -148,7 +148,7 @@ The action can be :
jump-target <text>
To be used only when action is set to ``jump``. Use this command to specify
- jump target.
+ the jump target.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
queue <0-65535>
@@ -160,7 +160,7 @@ The action can be :
queue <0-65535>
To be used only when action is set to ``queue``. Use this command to specify
- queue target to use. Queue range is also supported.
+ the queue target to use. Queue range is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
queue-options bypass
@@ -171,7 +171,7 @@ The action can be :
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
queue-options bypass
- To be used only when action is set to ``queue``. Use this command to let
+ To be used only when action is set to ``queue``. Use this command to let the
packet go through firewall when no userspace software is connected to the
queue.
@@ -200,21 +200,21 @@ not match any rule in it's chain. For base chains, possible options for
.. cfgcmd:: set firewall ipv4 name <name> default-action
[accept | drop | jump | queue | reject | return]
- This set the default action of the rule-set if no rule matched a packet
- criteria. If default-action is set to ``jump``, then
- ``default-jump-target`` is also needed. Note that for base chains, default
- action can only be set to ``accept`` or ``drop``, while on custom chain,
- more actions are available.
+ This sets the default action of the rule-set if a packet does not match the
+ criteria of any rule. If default-action is set to ``jump``, then
+ ``default-jump-target`` is also needed. Note that for base chains, the
+ default action can only be set to ``accept`` or ``drop``, while on custom
+ chains, more actions are available.
.. cfgcmd:: set firewall ipv4 name <name> default-jump-target <text>
To be used only when ``default-action`` is set to ``jump``. Use this
- command to specify jump target for default rule.
+ command to specify the jump target for the default rule.
.. note:: **Important note about default-actions:**
- If default action for any base chain is not defined, then the default
- action is set to **accept** for that chain. For custom chains, if default
- action is not defined, then the default-action is set to **drop**.
+ If the default action for any base chain is not defined, then the default
+ action is set to **accept** for that chain. For custom chains if a default
+ action is not defined then the default-action is set to **drop**.
Firewall Logs
=============
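Review bot: `For custom chains if a default action is not defined then the default-action is set to **drop**.` drops both commas that the bridge.rst version of this same note keeps (`For custom chains, if the default action is not defined, then`), and the first copy of the note earlier in this file says `if a default action` where this one says `If the default action` for base chains. Use one wording for all three notes, preferably the comma-separated bridge.rst form.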
@@ -228,7 +228,7 @@ log options can be defined.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log
Enable logging for the matched packet. If this configuration command is not
- present, then log is not enabled.
+ present, then the log is not enabled.
.. cfgcmd:: set firewall ipv4 forward filter default-log
.. cfgcmd:: set firewall ipv4 input filter default-log
@@ -251,7 +251,7 @@ log options can be defined.
log-options level [emerg | alert | crit | err | warn | notice
| info | debug]
- Define log-level. Only applicable if rule log is enable.
+ Define log-level. Only applicable if rule log is enabled.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
log-options group <0-65535>
@@ -262,7 +262,8 @@ log options can be defined.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
log-options group <0-65535>
- Define log group to send message to. Only applicable if rule log is enable.
+ Define the log group to send messages to. Only applicable if rule log is
+ enabled.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
log-options snapshot-length <0-9000>
@@ -273,8 +274,8 @@ log options can be defined.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
log-options snapshot-length <0-9000>
- Define length of packet payload to include in netlink message. Only
- applicable if rule log is enable and log group is defined.
+ Define the length of packet payload to include in a netlink message. Only
+ applicable if rule log is enabled and log group is defined.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
log-options queue-threshold <0-65535>
@@ -285,8 +286,8 @@ log options can be defined.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
log-options queue-threshold <0-65535>
- Define number of packets to queue inside the kernel before sending them to
- userspace. Only applicable if rule log is enable and log group is defined.
+ Define the number of packets to queue inside the kernel before sending them
+ to userspace. Only applicable if rule log is enabled and log group is defined.
Firewall Description
====================
@@ -311,7 +312,7 @@ every defined custom chain.
Rule Status
===========
-When defining a rule, it is enable by default. In some cases, it is useful to
+When defining a rule, it is enabled by default. In some cases, it is useful to
just disable the rule, rather than removing it.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> disable
@@ -335,7 +336,7 @@ There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
connection-status nat [destination | source]
- Match criteria based on nat connection status.
+ Match based on nat connection status.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
connection-mark <1-2147483647>
@@ -346,7 +347,7 @@ There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
connection-mark <1-2147483647>
- Match criteria based on connection mark.
+ Match based on connection mark.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
conntrack-helper <module>
@@ -445,8 +446,8 @@ There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination fqdn <fqdn>
- Specify a Fully Qualified Domain Name as source/destination matcher. Ensure
- router is able to resolve such dns query.
+ Specify a Fully Qualified Domain Name as source/destination to match. Ensure
+ that the router is able to resolve this dns query.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source geoip country-code <country>
@@ -503,14 +504,13 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
source mac-address <mac-address>
- Only in the source criteria, you can specify a mac-address.
+ You can only specify a source mac-address to match.
.. code-block:: none
set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33
set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34
-
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source port [1-65535 | portname | start-end]
.. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
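Review bot: The rewritten mac-address description changes the meaning rather than the grammar: "You can only specify a source mac-address to match" reads as if a mac-address were the only criterion allowed, whereas the original says a mac-address is available only as a source criterion. Suggest "A mac-address can only be specified in the source criteria." The ipv6.rst hunk for the same command makes the identical change and needs the same fix.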
@@ -529,8 +529,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination port [1-65535 | portname | start-end]
- A port can be set with a port number or a name which is here
- defined: ``/etc/services``.
+ A port can be set by number or name as defined in ``/etc/services``.
.. code-block:: none
@@ -559,8 +558,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group address-group <name | !name>
- Use a specific address-group. Prepend character ``!`` for inverted matching
- criteria.
+ Use a specific address-group. Prepending the character ``!`` to invert the
+ criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source group dynamic-address-group <name | !name>
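Review bot: "Prepending the character ``!`` to invert the criteria to match is also supported" is heavier than the sentence it replaces; "Prefix the name with ``!`` to invert the match" says the same in fewer words. The same replacement phrase is used in the following dynamic-address-group, network-group, port-group, domain-group, mac-group and interface hunks in both ipv4.rst and ipv6.rst, so whichever wording is chosen should be applied to all of them consistently.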
@@ -580,8 +579,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group dynamic-address-group <name | !name>
- Use a specific dynamic-address-group. Prepend character ``!`` for inverted
- matching criteria.
+ Use a specific dynamic-address-group. Prepending the character ``!`` to
+ invert the criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source group network-group <name | !name>
@@ -601,8 +600,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group network-group <name | !name>
- Use a specific network-group. Prepend character ``!`` for inverted matching
- criteria.
+ Use a specific network-group. Prepending the character ``!`` to invert the
+ criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source group port-group <name | !name>
@@ -622,8 +621,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group port-group <name | !name>
- Use a specific port-group. Prepend character ``!`` for inverted matching
- criteria.
+ Use a specific port-group. Prepending the character ``!`` to invert the
+ criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source group domain-group <name | !name>
@@ -643,8 +642,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group domain-group <name | !name>
- Use a specific domain-group. Prepend character ``!`` for inverted matching
- criteria.
+ Use a specific domain-group. Prepending the character ``!`` to invert the
+ criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
source group mac-group <name | !name>
@@ -664,8 +663,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
destination group mac-group <name | !name>
- Use a specific mac-group. Prepend character ``!`` for inverted matching
- criteria.
+ Use a specific mac-group. Prepending the character ``!`` to invert the
+ criteria to match is also supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
dscp [0-63 | start-end]
@@ -696,7 +695,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
fragment [match-frag | match-non-frag]
- Match based on fragment criteria.
+ Match based on fragmentation.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
icmp [code | type] <0-255>
@@ -718,7 +717,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
icmp type-name <text>
- Match based on icmp type-name criteria. Use tab for information
+ Match based on icmp type-name. Use tab for information
about what **type-name** criteria are supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
@@ -729,11 +728,11 @@ geoip) to keep database and rules updated.
inbound-interface name <iface>
Match based on inbound interface. Wildcard ``*`` can be used.
- For example: ``eth2*``. Prepending character ``!`` for inverted matching
- criteria is also supported. For example ``!eth2``
+ For example: ``eth2*``. Prepending the character ``!`` to invert the
+ criteria to match is also supported. For example ``!eth2``
.. note:: If an interface is attached to a non-default vrf, when using
- **inbound-interface**, vrf name must be used. For example ``set firewall
+ **inbound-interface**, the vrf name must be used. For example ``set firewall
ipv4 forward filter rule 10 inbound-interface name MGMT``
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
@@ -743,8 +742,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
inbound-interface group <iface_group>
- Match based on inbound interface group. Prepending character ``!`` for
- inverted matching criteria is also supported. For example ``!IFACE_GROUP``
+ Match based on the inbound interface group. Prepending the character ``!``
+ to invert the criteria to match is also supported. For example ``!IFACE_GROUP``
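Review bot: The added line "to invert the criteria to match is also supported. For example ``!IFACE_GROUP``" is 79 characters before indentation, so with the usual two-space indent it comes to 81 columns, one past the 80-column wrap the other rewrapped lines in this patch keep to; moving "to" up to the previous line (as the outbound-interface group hunk below does) fixes it. The ipv6.rst inbound-interface group hunk has the identical line.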
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
outbound-interface name <iface>
@@ -754,11 +753,11 @@ geoip) to keep database and rules updated.
outbound-interface name <iface>
Match based on outbound interface. Wildcard ``*`` can be used.
- For example: ``eth2*``. Prepending character ``!`` for inverted matching
- criteria is also supported. For example ``!eth2``
+ For example: ``eth2*``. Prepending the character ``!`` to invert the
+ criteria to match is also supported. For example ``!eth2``
.. note:: If an interface is attached to a non-default vrf, when using
- **outbound-interface**, real interface name must be used. For example
+ **outbound-interface**, the real interface name must be used. For example
``set firewall ipv4 forward filter rule 10 outbound-interface name eth0``
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
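Review bot: After this edit the two VRF notes differ only by an article yet state opposite requirements: inbound-interface must use the vrf name (``MGMT``), outbound-interface the real interface name (``eth0``). A reader will take one of them for a typo; add a sentence explaining that the two directions behave differently (or cross-reference the VRF chapter) so the asymmetry is clearly intentional. The same pair of notes appears in ipv6.rst.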
@@ -768,8 +767,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
outbound-interface group <iface_group>
- Match based on outbound interface group. Prepending character ``!`` for
- inverted matching criteria is also supported. For example ``!IFACE_GROUP``
+ Match based on outbound interface group. Prepending the character ``!`` to
+ invert the criteria to match is also supported. For example ``!IFACE_GROUP``
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
ipsec [match-ipsec | match-none]
@@ -780,7 +779,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
ipsec [match-ipsec | match-none]
- Match based on ipsec criteria.
+ Match based on ipsec.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
limit burst <0-4294967295>
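Review bot: "Match based on ipsec." is shorter than before but still does not say what is matched; since the command lists match-ipsec and match-none, the description should say which traffic each option selects (for example, whether or not the packet is subject to an IPsec policy). The ipv6.rst ipsec hunk has the same wording.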
@@ -823,7 +822,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
packet-length-exclude <text>
- Match based on packet length criteria. Multiple values from 1 to 65535
+ Match based on the packet length. Multiple values from 1 to 65535
and ranges are supported.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
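Review bot: "Match based on the packet length" describes a positive match, but this command is packet-length-exclude; the description should state that packets whose length falls in the listed values or ranges are excluded from the match (presumably the plain packet-length command covers the positive case). The ipv6.rst packet-length-exclude hunk uses the same wording.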
@@ -835,7 +834,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
packet-type [broadcast | host | multicast | other]
- Match based on packet type criteria.
+ Match based on the packet type.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
protocol [<text> | <0-255> | all | tcp_udp]
@@ -846,10 +845,9 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
protocol [<text> | <0-255> | all | tcp_udp]
- Match a protocol criteria. A protocol number or a name which is here
- defined: ``/etc/protocols``.
+ Match based on protocol number or name as defined in ``/etc/protocols``.
Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
- based packets. The ``!`` negate the selected protocol.
+ based packets. The ``!`` negates the selected protocol.
.. code-block:: none
@@ -874,7 +872,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
recent time [second | minute | hour]
- Match bases on recently seen sources.
+ Match based on recently seen sources.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
tcp flags [not] <text>
@@ -958,8 +956,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
ttl <eq | gt | lt> <0-255>
- Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for
- 'greater than', and 'lt' stands for 'less than'.
+ Match the time to live parameter, where 'eq' stands for 'equal'; 'gt' stands
+ for 'greater than', and 'lt' stands for 'less than'.
.. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
recent count <1-255>
@@ -994,7 +992,7 @@ Synproxy connections
.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999>
synproxy tcp mss <501-65535>
- Set TCP-MSS (maximum segment size) for the connection
+ Set the TCP-MSS (maximum segment size) for the connection
.. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999>
synproxy tcp window-scale <1-14>
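Review bot: The rewritten line "Set the TCP-MSS (maximum segment size) for the connection" still ends without a period, unlike the surrounding descriptions; worth adding while the line is being touched. Same in the ipv6.rst synproxy hunk.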
@@ -1028,7 +1026,6 @@ Requirements to enable synproxy:
set firewall ipv4 input filter rule 1000 action 'drop'
set firewall ipv4 input filter rule 1000 state invalid
-
***********************
Operation-mode Firewall
***********************
@@ -1038,7 +1035,7 @@ Rule-set overview
.. opcmd:: show firewall
- This will show you a basic firewall overview, for all ruleset, and not
+ This will show you a basic firewall overview, for all rule-sets, and not
only for ipv4
.. code-block:: none
diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst
index 511fd51f..5f526dac 100644
--- a/docs/configuration/firewall/ipv6.rst
+++ b/docs/configuration/firewall/ipv6.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2023-11-08
+:lastproofread: 2024-07-03
.. _firewall-ipv6-configuration:
@@ -10,13 +10,13 @@ IPv6 Firewall Configuration
Overview
********
-In this section there's useful information of all firewall configuration that
+In this section there's useful information on all firewall configuration that
can be done regarding IPv6, and appropriate op-mode commands.
Configuration commands covered in this section:
.. cfgcmd:: set firewall ipv6 ...
-From main structure defined in
+From the main structure defined in
:doc:`Firewall Overview</configuration/firewall/index>`
in this section you can find detailed information only for the next part
of the general structure:
@@ -51,29 +51,29 @@ This stage includes:
* :doc:`Destination NAT</configuration/nat/nat44>`: commands found under
``set nat66 destination ...``
-For transit traffic, which is received by the router and forwarded, base chain
-is **forward**. A simplified packet flow diagram for transit traffic is shown
-next:
+For transit traffic, which is received by the router and forwarded, the base
+chain is **forward**. A simplified packet flow diagram for transit traffic is
+shown next:
.. figure:: /_static/images/firewall-fwd-packet-flow.png
-Firewall base chain to configure firewall filtering rules for transit traffic
+The base firewall chain to configure filtering rules for transit traffic
is ``set firewall ipv6 forward filter ...``, which happens in stage 5,
-highlighted with red color.
+highlighted in the color red.
-For traffic towards the router itself, base chain is **input**, while traffic
-originated by the router, base chain is **output**.
+For traffic towards the router itself, the base chain is **input**, while
+traffic originated by the router has the base chain **output**.
A new simplified packet flow diagram is shown next, which shows the path
for traffic destined to the router itself, and traffic generated by the
router (starting from circle number 6):
.. figure:: /_static/images/firewall-input-packet-flow.png
-Base chain for traffic towards the router is ``set firewall ipv6 input
+The base chain for traffic towards the router is ``set firewall ipv6 input
filter ...``
-And base chain for traffic generated by the router is ``set firewall ipv6
-output filter ...``, where two sub-chains are available: **filter** and **raw**:
+And the base chain for traffic generated by the router is ``set firewall ipv6
+output ...``, where two sub-chains are available: **filter** and **raw**:
* **Output Prerouting**: ``set firewall ipv6 output raw ...``.
As described in **Prerouting**, rules defined in this section are
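Review bot: Unchanged context at the top of this hunk links Destination NAT to /configuration/nat/nat44 while the command beneath it is ``set nat66 destination ...``; in the IPv6 chapter this should point at the NAT66 page (presumably /configuration/nat/nat66). While here, "highlighted in the color red" is wordier than the original, "highlighted in red" reads better, and "traffic originated by the router has the base chain **output**" would be smoother as "for traffic originated by the router it is **output**".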
@@ -82,9 +82,9 @@ output filter ...``, where two sub-chains are available: **filter** and **raw**:
in this section are processed after connection tracking subsystem.
.. note:: **Important note about default-actions:**
- If default action for any base chain is not defined, then the default
- action is set to **accept** for that chain. For custom chains, if default
- action is not defined, then the default-action is set to **drop**
+ If a default action for any base chain is not defined, then the default
+ action is set to **accept** for that chain. For custom chains, if the
+ default action is not defined, then the default-action is set to **drop**
Custom firewall chains can be created, with commands
``set firewall ipv6 name <name> ...``. In order to use
@@ -95,9 +95,9 @@ should be defined in a base chain.
Firewall - IPv6 Rules
******************************
-For firewall filtering, firewall rules needs to be created. Each rule is
+For firewall filtering, firewall rules need to be created. Each rule is
numbered, has an action to apply if the rule is matched, and the ability
-to specify multiple criteria matchers. Data packets go through the rules
+to specify multiple matching criteria. Data packets go through the rules
from 1 - 999999, so order is crucial. At the first match the action of the
rule will be executed.
@@ -105,7 +105,7 @@ Actions
=======
If a rule is defined, then an action must be defined for it. This tells the
-firewall what to do if all criteria matchers defined for such rule do match.
+firewall what to do if all of the criteria defined for that rule match.
The action can be :
@@ -135,8 +135,8 @@ The action can be :
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> action
[accept | continue | drop | jump | queue | reject | return]
- This required setting defines the action of the current rule. If action is
- set to jump, then jump-target is also needed.
+ This required setting defines the action of the current rule. If the action
+ is set to jump, then a jump-target is also needed.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
jump-target <text>
@@ -148,7 +148,7 @@ The action can be :
jump-target <text>
To be used only when action is set to ``jump``. Use this command to specify
- jump target.
+ the jump target.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
queue <0-65535>
@@ -160,7 +160,7 @@ The action can be :
queue <0-65535>
To be used only when action is set to ``queue``. Use this command to specify
- queue target to use. Queue range is also supported.
+ the queue target to use. Queue range is also supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
queue-options bypass
@@ -171,7 +171,7 @@ The action can be :
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
queue-options bypass
- To be used only when action is set to ``queue``. Use this command to let
+ To be used only when action is set to ``queue``. Use this command to let the
packet go through firewall when no userspace software is connected to the
queue.
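Review bot: An article was added before "packet" but not before "firewall"; the sentence should read "let the packet go through the firewall when no userspace software is connected to the queue." The ipv4.rst counterpart of this hunk is not in this diff, so check that it does not now differ.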
@@ -200,21 +200,21 @@ not match any rule in it's chain. For base chains, possible options for
.. cfgcmd:: set firewall ipv6 name <name> default-action
[accept | drop | jump | queue | reject | return]
- This set the default action of the rule-set if no rule matched a packet
- criteria. If default-action is set to ``jump``, then
- ``default-jump-target`` is also needed. Note that for base chains, default
- action can only be set to ``accept`` or ``drop``, while on custom chain,
- more actions are available.
+ This sets the default action of the rule-set if a packet does not match the
+ criteria of any rule. If default-action is set to ``jump``, then
+ ``default-jump-target`` is also needed. Note that for base chains, the
+ default action can only be set to ``accept`` or ``drop``, while on custom
+ chains, more actions are available.
.. cfgcmd:: set firewall ipv6 name <name> default-jump-target <text>
To be used only when ``default-action`` is set to ``jump``. Use this
- command to specify jump target for default rule.
+ command to specify the jump target for the default rule.
.. note:: **Important note about default-actions:**
- If default action for any base chain is not defined, then the default
- action is set to **accept** for that chain. For custom chains, if default
- action is not defined, then the default-action is set to **drop**.
+ If the default action for any base chain is not defined, then the default
+ action is set to **accept** for that chain. For custom chains if a default
+ action is not defined then the default-action is set to **drop**.
Firewall Logs
=============
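Review bot: The two copies of the "Important note about default-actions" now disagree: this one drops the commas ("For custom chains if a default action is not defined then ...") that the copy in the Overview hunk above keeps, while that copy lacks the final period this one has. Keep the two notes identical, with the commas and the period.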
@@ -228,7 +228,7 @@ log options can be defined.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log
Enable logging for the matched packet. If this configuration command is not
- present, then log is not enabled.
+ present, then the log is not enabled.
.. cfgcmd:: set firewall ipv6 forward filter default-log
.. cfgcmd:: set firewall ipv6 input filter default-log
@@ -251,7 +251,7 @@ log options can be defined.
log-options level [emerg | alert | crit | err | warn | notice
| info | debug]
- Define log-level. Only applicable if rule log is enable.
+ Define log-level. Only applicable if rule log is enabled.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
log-options group <0-65535>
@@ -262,7 +262,8 @@ log options can be defined.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
log-options group <0-65535>
- Define log group to send message to. Only applicable if rule log is enable.
+ Define the log group to send messages to. Only applicable if rule log is
+ enabled.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
log-options snapshot-length <0-9000>
@@ -273,8 +274,8 @@ log options can be defined.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
log-options snapshot-length <0-9000>
- Define length of packet payload to include in netlink message. Only
- applicable if rule log is enable and log group is defined.
+ Define the length of packet payload to include in a netlink message. Only
+ applicable if rule log is enabled and log group is defined.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
log-options queue-threshold <0-65535>
@@ -285,8 +286,8 @@ log options can be defined.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
log-options queue-threshold <0-65535>
- Define number of packets to queue inside the kernel before sending them to
- userspace. Only applicable if rule log is enable and log group is defined.
+ Define the number of packets to queue inside the kernel before sending them
+ to userspace. Only applicable if rule log is enabled and log group is defined.
Firewall Description
====================
@@ -311,7 +312,7 @@ every defined custom chain.
Rule Status
===========
-When defining a rule, it is enable by default. In some cases, it is useful to
+When defining a rule, it is enabled by default. In some cases, it is useful to
just disable the rule, rather than removing it.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> disable
@@ -335,7 +336,7 @@ There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
connection-status nat [destination | source]
- Match criteria based on nat connection status.
+ Match based on nat connection status.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
connection-mark <1-2147483647>
@@ -346,7 +347,7 @@ There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
connection-mark <1-2147483647>
- Match criteria based on connection mark.
+ Match based on connection mark.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
source address [address | addressrange | CIDR]
@@ -366,9 +367,8 @@ There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination address [address | addressrange | CIDR]
- Match criteria based on source and/or destination address. This is similar
- to the network groups part, but here you are able to negate the matching
- addresses.
+ Match based on source and/or destination address. This is similar to the
+ network groups part, but here you are able to negate the matching addresses.
.. code-block:: none
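Review bot: The retained contrast "similar to the network groups part, but here you are able to negate the matching addresses" is contradicted later in this same patch, where destination group network-group <name | !name> documents ``!`` inversion for network groups. Either drop the "but here you are able to negate" clause or reword it to say what actually differs between an inline address match and a group match.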
@@ -433,8 +433,8 @@ There are a lot of matching criteria against which the packet can be tested.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination fqdn <fqdn>
- Specify a Fully Qualified Domain Name as source/destination matcher. Ensure
- router is able to resolve such dns query.
+ Specify a Fully Qualified Domain Name as source/destination to match. Ensure
+ that the router is able to resolve this dns query.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
source geoip country-code <country>
@@ -491,7 +491,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
source mac-address <mac-address>
- Only in the source criteria, you can specify a mac-address.
+ You can only specify a source mac-address to match.
.. code-block:: none
@@ -516,8 +516,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination port [1-65535 | portname | start-end]
- A port can be set with a port number or a name which is here
- defined: ``/etc/services``.
+ A port can be set by number or name as defined in ``/etc/services``.
.. code-block:: none
@@ -550,8 +549,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination group address-group <name | !name>
- Use a specific address-group. Prepend character ``!`` for inverted matching
- criteria.
+ Use a specific address-group. Prepending the character ``!`` to invert the
+ criteria to match is also supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
source group dynamic-address-group <name | !name>
@@ -571,8 +570,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination group dynamic-address-group <name | !name>
- Use a specific dynamic-address-group. Prepend character ``!`` for inverted
- matching criteria.
+ Use a specific dynamic-address-group. Prepending the character ``!`` to
+ invert the criteria to match is also supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
source group network-group <name | !name>
@@ -592,8 +591,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination group network-group <name | !name>
- Use a specific network-group. Prepend character ``!`` for inverted matching
- criteria.
+ Use a specific network-group. Prepending the character ``!`` to invert the
+ criteria to match is also supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
source group port-group <name | !name>
@@ -613,8 +612,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination group port-group <name | !name>
- Use a specific port-group. Prepend character ``!`` for inverted matching
- criteria.
+ Use a specific port-group. Prepending the character ``!`` to invert the
+ criteria to match is also supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
source group domain-group <name | !name>
@@ -634,8 +633,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination group domain-group <name | !name>
- Use a specific domain-group. Prepend character ``!`` for inverted matching
- criteria.
+ Use a specific domain-group. Prepending the character ``!`` to invert the
+ criteria to match is also supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
source group mac-group <name | !name>
@@ -655,8 +654,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
destination group mac-group <name | !name>
- Use a specific mac-group. Prepend character ``!`` for inverted matching
- criteria.
+ Use a specific mac-group. Prepending the character ``!`` to invert the
+ criteria to match is also supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
dscp [0-63 | start-end]
@@ -687,7 +686,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
fragment [match-frag | match-non-frag]
- Match based on fragment criteria.
+ Match based on fragmentation.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
icmpv6 [code | type] <0-255>
@@ -709,7 +708,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
icmpv6 type-name <text>
- Match based on icmpv6 type-name criteria. Use tab for information
+ Match based on icmpv6 type-name. Use tab for information
about what **type-name** criteria are supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
@@ -720,11 +719,11 @@ geoip) to keep database and rules updated.
inbound-interface name <iface>
Match based on inbound interface. Wildcard ``*`` can be used.
- For example: ``eth2*``. Prepending character ``!`` for inverted matching
- criteria is also supported. For example ``!eth2``
+ For example: ``eth2*``. Prepending the character ``!`` to invert the
+ criteria to match is also supported. For example ``!eth2``
.. note:: If an interface is attached to a non-default vrf, when using
- **inbound-interface**, vrf name must be used. For example ``set firewall
+ **inbound-interface**, the vrf name must be used. For example ``set firewall
ipv6 forward filter rule 10 inbound-interface name MGMT``
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
@@ -734,8 +733,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
inbound-interface group <iface_group>
- Match based on inbound interface group. Prepending character ``!`` for
- inverted matching criteria is also supported. For example ``!IFACE_GROUP``
+ Match based on the inbound interface group. Prepending the character ``!``
+ to invert the criteria to match is also supported. For example ``!IFACE_GROUP``
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
outbound-interface name <iface>
@@ -745,11 +744,11 @@ geoip) to keep database and rules updated.
outbound-interface name <iface>
Match based on outbound interface. Wildcard ``*`` can be used.
- For example: ``eth2*``. Prepending character ``!`` for inverted matching
- criteria is also supported. For example ``!eth2``
+ For example: ``eth2*``. Prepending the character ``!`` to invert the
+ criteria to match is also supported. For example ``!eth2``
.. note:: If an interface is attached to a non-default vrf, when using
- **outbound-interface**, real interface name must be used. For example
+ **outbound-interface**, the real interface name must be used. For example
``set firewall ipv6 forward filter rule 10 outbound-interface name eth0``
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
@@ -759,8 +758,8 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
outbound-interface group <iface_group>
- Match based on outbound interface group. Prepending character ``!`` for
- inverted matching criteria is also supported. For example ``!IFACE_GROUP``
+ Match based on outbound interface group. Prepending the character ``!`` to
+ invert the criteria to match is also supported. For example ``!IFACE_GROUP``
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
ipsec [match-ipsec | match-none]
@@ -771,7 +770,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
ipsec [match-ipsec | match-none]
- Match based on ipsec criteria.
+ Match based on ipsec.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
limit burst <0-4294967295>
@@ -814,7 +813,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
packet-length-exclude <text>
- Match based on packet length criteria. Multiple values from 1 to 65535
+ Match based on the packet length. Multiple values from 1 to 65535
and ranges are supported.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
@@ -826,7 +825,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
packet-type [broadcast | host | multicast | other]
- Match based on packet type criteria.
+ Match based on the packet type.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
protocol [<text> | <0-255> | all | tcp_udp]
@@ -837,10 +836,9 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
protocol [<text> | <0-255> | all | tcp_udp]
- Match a protocol criteria. A protocol number or a name which is here
- defined: ``/etc/protocols``.
+ Match based on protocol number or name as defined in ``/etc/protocols``.
Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
- based packets. The ``!`` negate the selected protocol.
+ based packets. The ``!`` negates the selected protocol.
.. code-block:: none
@@ -948,7 +946,7 @@ geoip) to keep database and rules updated.
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
hop-limit <eq | gt | lt> <0-255>
- Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
+ Match the hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
'greater than', and 'lt' stands for 'less than'.
.. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
@@ -984,7 +982,7 @@ Synproxy connections
.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999>
synproxy tcp mss <501-65535>
- Set TCP-MSS (maximum segment size) for the connection
+ Set the TCP-MSS (maximum segment size) for the connection
.. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999>
synproxy tcp window-scale <1-14>
@@ -1027,7 +1025,8 @@ Rule-set overview
.. opcmd:: show firewall
- This will show you a basic firewall overview
+ This will show you a basic firewall overview, for all rule-sets, and not
+ only for ipv6
.. code-block:: none
diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst
index f71ad8c1..73ce0a4d 100644
--- a/docs/configuration/firewall/zone.rst
+++ b/docs/configuration/firewall/zone.rst
@@ -1,4 +1,4 @@
-:lastproofread: 2023-11-01
+:lastproofread: 2024-07-03
.. _firewall-zone:
@@ -11,9 +11,9 @@ Overview
********
.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall
- structure can be found on all VyOS installations. Zone based firewall was
- removed in that version, but re introduced in VyOS 1.4 and 1.5. All
- versions built after 2023-10-22 has this feature.
+ structure can be found on all VyOS installations. The Zone based firewall
+ was removed in that version, but re introduced in VyOS 1.4 and 1.5. All
+ versions built after 2023-10-22 have this feature.
Documentation for most of the new firewall CLI can be
found in the `firewall
<https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_
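Review bot: "The Zone based firewall" in the rewritten note should be "The zone-based firewall", matching "the zone-based firewall" used in the next hunk of this file, and "re introduced", carried over from the original, should be "reintroduced".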
@@ -22,13 +22,13 @@ Overview
:doc:`legacy firewall configuration </configuration/firewall/general-legacy>`
chapter.
-In this section there's useful information of all firewall configuration that
-is needed for zone-based firewall.
+In this section there's useful information on all firewall configuration that
+is needed for the zone-based firewall.
Configuration commands covered in this section:
.. cfgcmd:: set firewall zone ...
-From main structure defined in
+From the main structure defined in
:doc:`Firewall Overview</configuration/firewall/index>`
in this section you can find detailed information only for the next part
of the general structure:
@@ -53,7 +53,7 @@ Key Points:
interface can be assigned to only a single zone.
* All traffic to and from an interface within a zone is permitted.
* All traffic between zones is affected by existing policies
-* Traffic cannot flow between zone member interface and any interface that is
+* Traffic cannot flow between a zone member interface and any interface that is
not a zone member.
* You need 2 separate firewalls to define traffic: one for each direction.
@@ -129,7 +129,7 @@ Operation-mode
.. opcmd:: show firewall zone-policy
- This will show you a basic summary of zones configuration.
+ This will show you a basic summary of the zone configuration.
.. code-block:: none