author Nicolás Fort <95703796+nicolas-fort@users.noreply.github.com> 2024-08-17 05:23:09 -0300
committer GitHub <noreply@github.com> 2024-08-17 09:23:09 +0100
commit 1831fb6d973a4471e70038bb5efef901075b2caa
tree 3e94b22692dd46842dab29682a0c4e765e9c604a /docs/configuration
parent 5410ab6dcc6bcbd153ab324c44c3aba060698f10
Firewall: add warning message, saying that during boot, all interfaces are loaded before firewall. (#1524)
Diffstat (limited to 'docs/configuration')
-rw-r--r-- docs/configuration/firewall/index.rst 5
1 files changed, 5 insertions, 0 deletions
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index 9f21a772..a5b88839 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -4,6 +4,11 @@
Firewall
########
+.. warning:: Due to a race condition that can lead to a failure during boot
+ process, all interfaces are initialized before firewall is configured. This
+ leads to a situation where the system is open to all traffic, and can be
+ considered as a security risk.
+
As VyOS is based on Linux it leverages its firewall. The Netfilter project
created iptables and its successor nftables for the Linux kernel to
work directly on packet data flows. This now extends the concept of
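Review bot: The new warning at the top of the Firewall page says the system "is open to all traffic" but never says when that exposure ends or what an operator should do about it. As written, it can be read as a permanent condition rather than a window during boot. Suggest stating that the exposure lasts from interface initialization until the firewall configuration is applied, and adding a sentence on what the reader can do in the meantime, or a link to the tracking item if one exists. The cause and effect in the first sentence is also hard to follow: "Due to a race condition that can lead to a failure during boot process, all interfaces are initialized before firewall is configured" does not make clear whether the ordering is the workaround for the race or the race itself. Wording nits: "during the boot process", "before the firewall is configured", and "is a security risk" instead of "can be considered as a security risk".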