author | Robert Göhler <github@ghlr.de> | 2023-09-13 20:46:17 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-09-13 20:46:17 +0200 |
commit | 9688bca70d092043ec1b0406a9ba804912136174 (patch) | |
tree | f6cb7b642939ef15ad1b7363164da1c00d6fe006 /docs/configuration | |
parent | ed13fc46249cad21c3119b0124bf6651463f222f (diff) | |
parent | 9d5d575d712b53a741c368bea2d311897014efb3 (diff) | |
download | vyos-documentation-9688bca70d092043ec1b0406a9ba804912136174.tar.gz vyos-documentation-9688bca70d092043ec1b0406a9ba804912136174.zip |
Merge pull request #1063 from NickAnderegg/overview-nftables-translation
quick-start: update firewall tutorials to reflect nftables-based firewall commands
Diffstat (limited to 'docs/configuration')
-rw-r--r-- | docs/configuration/firewall/general-legacy.rst | 11 |
1 files changed, 7 insertions, 4 deletions
diff --git a/docs/configuration/firewall/general-legacy.rst b/docs/configuration/firewall/general-legacy.rst index 2e6b0061..041dd8aa 100644 --- a/docs/configuration/firewall/general-legacy.rst +++ b/docs/configuration/firewall/general-legacy.rst @@ -424,11 +424,13 @@ There are a lot of matching criteria against which the package can be tested. An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 and a zone-based firewall as rules will remain valid if the IPv6 prefix changes and the host - portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses - <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) - + portion of systems IPv6 address is static (for example, with SLAAC or + `tokenised IPv6 addresses + <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_). + This functions for both individual addresses and address groups. + .. stop_vyoslinter .. code-block:: none # Match any IPv6 address with the suffix ::0000:0000:0000:beef @@ -442,6 +444,7 @@ There are a lot of matching criteria against which the package can be tested. set firewall group ipv6-address-group WEBSERVERS address ::2000 set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff + .. start_vyoslinter .. cfgcmd:: set firewall name <name> rule <1-999999> source fqdn <fqdn> .. cfgcmd:: set firewall name <name> rule <1-999999> destination fqdn <fqdn> @@ -1048,4 +1051,4 @@ Update geoip database .. opcmd:: update geoip - Command used to update GeoIP database and firewall sets.
\ No newline at end of file + Command used to update GeoIP database and firewall sets. |
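Review bot: the re-wrapped `+` line in the first hunk (`@@ -424,11 +424,13 @@`) still reads "portion of systems IPv6 address". Since that line is being touched anyway, change it to "portion of a system's IPv6 address" so the sentence parses. The added closing period after the tokenised-address link is a good fix and should stay.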
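Review bot: the example that the second hunk (`@@ -442,6 +444,7 @@`) closes with `.. start_vyoslinter` is missing a caveat on what the mask leaves unchecked. With `source address-mask ::ffff:ffff:ffff:ffff` only the low 64 bits are compared, so rule 200 in `WAN-LAN-v6` matches a source in any prefix whose host portion equals `::2000`. Suggest one sentence after the code block saying that the prefix is not evaluated by this match and that the rule should be relied on only where the zone or interface already constrains which networks can appear as the source. A short RST comment next to the `stop_vyoslinter` / `start_vyoslinter` pair saying why linting is disabled for this block would also keep a later cleanup from removing the markers.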