summaryrefslogtreecommitdiff
path: root/docs
diff options
context:
space:
mode:
authorChristian Breunig <christian@breunig.cc>2024-02-15 07:18:56 +0100
committerChristian Breunig <christian@breunig.cc>2024-02-15 07:18:56 +0100
commit1c0997cab9fe6eecb24ec686a0aae65a98150c5b (patch)
treef3c1a8269ddbcdabb8da1826f9a6391a89a73847 /docs
parent7103937ac538a50771a90aa3dc9e80b487a4d82e (diff)
downloadvyos-documentation-1c0997cab9fe6eecb24ec686a0aae65a98150c5b.tar.gz
vyos-documentation-1c0997cab9fe6eecb24ec686a0aae65a98150c5b.zip
quick-start: fix fix merge-conflicts
Diffstat (limited to 'docs')
-rw-r--r--docs/quick-start.rst29
1 files changed, 12 insertions, 17 deletions
diff --git a/docs/quick-start.rst b/docs/quick-start.rst
index f0a3c828..f10a66e9 100644
--- a/docs/quick-start.rst
+++ b/docs/quick-start.rst
@@ -158,10 +158,6 @@ Configure Stateful Packet Filtering
With the new firewall structure, we have have a lot of flexibility in how we
group and order our rules, as shown by the two alternative approaches below.
-<<<<<<< HEAD
-Option 1: Common Chain
-^^^^^^^^^^^^^^^^^^^^^^
-=======
Option 1: Global State Policies
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Using options defined in ``set firewall global-options state-policy``, state
@@ -180,7 +176,6 @@ Most installations would choose this option, and will contain:
Option 2: Common/Custom Chain
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
->>>>>>> 32460e70 (Fix typos in quick-start)
We can create a common chain for stateful connection filtering of multiple
interfaces (or multiple netfilter hooks on one interface). Those individual
@@ -200,11 +195,11 @@ The chain we will create is called ``CONN_FILTER`` and has three rules:
set firewall ipv4 name CONN_FILTER default-action 'return'
set firewall ipv4 name CONN_FILTER rule 10 action 'accept'
- set firewall ipv4 name CONN_FILTER rule 10 state established
- set firewall ipv4 name CONN_FILTER rule 10 state related
+ set firewall ipv4 name CONN_FILTER rule 10 state established
+ set firewall ipv4 name CONN_FILTER rule 10 state related
set firewall ipv4 name CONN_FILTER rule 20 action 'drop'
- set firewall ipv4 name CONN_FILTER rule 20 state invalid
+ set firewall ipv4 name CONN_FILTER rule 20 state invalid
Then, we can jump to the common chain from both the ``forward`` and ``input``
hooks as the first filtering rule in the respective chains:
@@ -227,16 +222,16 @@ creating rules on each hook's chain:
.. code-block:: none
set firewall ipv4 forward filter rule 5 action 'accept'
- set firewall ipv4 forward filter rule 5 state established
- set firewall ipv4 forward filter rule 5 state related
+ set firewall ipv4 forward filter rule 5 state established
+ set firewall ipv4 forward filter rule 5 state related
set firewall ipv4 forward filter rule 10 action 'drop'
- set firewall ipv4 forward filter rule 10 state invalid
+ set firewall ipv4 forward filter rule 10 state invalid
set firewall ipv4 input filter rule 5 action 'accept'
- set firewall ipv4 input filter rule 5 state established
- set firewall ipv4 input filter rule 5 state related
+ set firewall ipv4 input filter rule 5 state established
+ set firewall ipv4 input filter rule 5 state related
set firewall ipv4 input filter rule 10 action 'drop'
- set firewall ipv4 input filter rule 10 state invalid
+ set firewall ipv4 input filter rule 10 state invalid
Block Incoming Traffic
----------------------
@@ -305,11 +300,11 @@ interface group to 4 per minute:
set firewall ipv4 name VyOS_MANAGEMENT rule 20 action 'drop'
set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent count 4
set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent time minute
- set firewall ipv4 name VyOS_MANAGEMENT rule 20 state new
+ set firewall ipv4 name VyOS_MANAGEMENT rule 20 state new
set firewall ipv4 name VyOS_MANAGEMENT rule 20 inbound-interface group 'WAN'
set firewall ipv4 name VyOS_MANAGEMENT rule 21 action 'accept'
- set firewall ipv4 name VyOS_MANAGEMENT rule 21 state new
+ set firewall ipv4 name VyOS_MANAGEMENT rule 21 state new
set firewall ipv4 name VyOS_MANAGEMENT rule 21 inbound-interface group 'WAN'
Allow Access to Services
@@ -324,7 +319,7 @@ all hosts on the ``NET-INSIDE-v4`` network:
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 icmp type-name 'echo-request'
set firewall ipv4 input filter rule 30 protocol 'icmp'
- set firewall ipv4 input filter rule 30 state new
+ set firewall ipv4 input filter rule 30 state new
set firewall ipv4 input filter rule 40 action 'accept'
set firewall ipv4 input filter rule 40 destination port '53'