summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorRobert Göhler <github@ghlr.de>2022-10-09 21:01:08 +0200
committerGitHub <noreply@github.com>2022-10-09 21:01:08 +0200
commit4ba654fa4f6aab148775c3af270387d91aa2c796 (patch)
tree2baf67421cf16e633d99db75e1ef981cdcae1d17 /docs
parentd5bb462db1bd0e51b3e8d13a459c6980f7beed82 (diff)
parent7118b6119f8be5a31b4adbd052ec8ff9cfd01ffb (diff)
downloadvyos-documentation-4ba654fa4f6aab148775c3af270387d91aa2c796.tar.gz
vyos-documentation-4ba654fa4f6aab148775c3af270387d91aa2c796.zip
Merge pull request #870 from ganawaj/feature/correct-firewall-application
firewall: correct rule-set interface assignments
Diffstat (limited to 'docs')
-rw-r--r--docs/configuration/firewall/general.rst23
1 files changed, 12 insertions, 11 deletions
diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst
index cfd7a8ce..0cf8bcec 100644
--- a/docs/configuration/firewall/general.rst
+++ b/docs/configuration/firewall/general.rst
@@ -591,17 +591,18 @@ A Rule-Set can be applied to every interface:
* ``out``: Ruleset for forwarded packets on an outbound interface
* ``local``: Ruleset for packets destined for this router
-.. cfgcmd:: set interface ethernet <ethN> firewall [in | out | local]
- [name | ipv6-name] <rule-set>
+.. cfgcmd:: set firewall interface <interface> [in | out | local] [name |
+ ipv6-name] <rule-set>
+
Here are some examples for applying a rule-set to an interface
.. code-block:: none
- set interface ethernet eth1 vif 100 firewall in name LANv4-IN
- set interface ethernet eth1 vif 100 firewall out name LANv4-OUT
- set interface bonding bond0 firewall in name LANv4-IN
- set interfaces openvpn vtun1 firewall in name Lanv4-IN
+ set firewall interface eth1.100 in name LANv4-IN
+ set firewall interface eth1.100 out name LANv4-OUT
+ set firewall interface bond0 in name LANv4-IN
+ set firewall interface vtun1 in name LANv4-IN
.. note::
As you can see in the example here, you can assign the same rule-set to
@@ -815,6 +816,11 @@ Example Partial Config
.. code-block:: none
firewall {
+ interface eth0 {
+ in {
+ name FROM-INTERNET
+ }
+ }
all-ping enable
broadcast-ping disable
config-trap disable
@@ -871,11 +877,6 @@ Example Partial Config
address dhcp
description OUTSIDE
duplex auto
- firewall {
- in {
- name FROM-INTERNET
- }
- }
}
}