diff options
author | Christian Breunig <christian@breunig.cc> | 2024-02-15 07:18:56 +0100 |
---|---|---|
committer | Christian Breunig <christian@breunig.cc> | 2024-02-15 07:18:56 +0100 |
commit | 1c0997cab9fe6eecb24ec686a0aae65a98150c5b (patch) | |
tree | f3c1a8269ddbcdabb8da1826f9a6391a89a73847 /docs | |
parent | 7103937ac538a50771a90aa3dc9e80b487a4d82e (diff) | |
download | vyos-documentation-1c0997cab9fe6eecb24ec686a0aae65a98150c5b.tar.gz vyos-documentation-1c0997cab9fe6eecb24ec686a0aae65a98150c5b.zip |
quick-start: fix fix merge-conflicts
Diffstat (limited to 'docs')
-rw-r--r-- | docs/quick-start.rst | 29 |
1 files changed, 12 insertions, 17 deletions
diff --git a/docs/quick-start.rst b/docs/quick-start.rst index f0a3c828..f10a66e9 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -158,10 +158,6 @@ Configure Stateful Packet Filtering With the new firewall structure, we have have a lot of flexibility in how we group and order our rules, as shown by the two alternative approaches below. -<<<<<<< HEAD -Option 1: Common Chain -^^^^^^^^^^^^^^^^^^^^^^ -======= Option 1: Global State Policies ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Using options defined in ``set firewall global-options state-policy``, state @@ -180,7 +176,6 @@ Most installations would choose this option, and will contain: Option 2: Common/Custom Chain ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ->>>>>>> 32460e70 (Fix typos in quick-start) We can create a common chain for stateful connection filtering of multiple interfaces (or multiple netfilter hooks on one interface). Those individual @@ -200,11 +195,11 @@ The chain we will create is called ``CONN_FILTER`` and has three rules: set firewall ipv4 name CONN_FILTER default-action 'return' set firewall ipv4 name CONN_FILTER rule 10 action 'accept' - set firewall ipv4 name CONN_FILTER rule 10 state established - set firewall ipv4 name CONN_FILTER rule 10 state related + set firewall ipv4 name CONN_FILTER rule 10 state established + set firewall ipv4 name CONN_FILTER rule 10 state related set firewall ipv4 name CONN_FILTER rule 20 action 'drop' - set firewall ipv4 name CONN_FILTER rule 20 state invalid + set firewall ipv4 name CONN_FILTER rule 20 state invalid Then, we can jump to the common chain from both the ``forward`` and ``input`` hooks as the first filtering rule in the respective chains: @@ -227,16 +222,16 @@ creating rules on each hook's chain: .. code-block:: none set firewall ipv4 forward filter rule 5 action 'accept' - set firewall ipv4 forward filter rule 5 state established - set firewall ipv4 forward filter rule 5 state related + set firewall ipv4 forward filter rule 5 state established + set firewall ipv4 forward filter rule 5 state related set firewall ipv4 forward filter rule 10 action 'drop' - set firewall ipv4 forward filter rule 10 state invalid + set firewall ipv4 forward filter rule 10 state invalid set firewall ipv4 input filter rule 5 action 'accept' - set firewall ipv4 input filter rule 5 state established - set firewall ipv4 input filter rule 5 state related + set firewall ipv4 input filter rule 5 state established + set firewall ipv4 input filter rule 5 state related set firewall ipv4 input filter rule 10 action 'drop' - set firewall ipv4 input filter rule 10 state invalid + set firewall ipv4 input filter rule 10 state invalid Block Incoming Traffic ---------------------- @@ -305,11 +300,11 @@ interface group to 4 per minute: set firewall ipv4 name VyOS_MANAGEMENT rule 20 action 'drop' set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent count 4 set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent time minute - set firewall ipv4 name VyOS_MANAGEMENT rule 20 state new + set firewall ipv4 name VyOS_MANAGEMENT rule 20 state new set firewall ipv4 name VyOS_MANAGEMENT rule 20 inbound-interface group 'WAN' set firewall ipv4 name VyOS_MANAGEMENT rule 21 action 'accept' - set firewall ipv4 name VyOS_MANAGEMENT rule 21 state new + set firewall ipv4 name VyOS_MANAGEMENT rule 21 state new set firewall ipv4 name VyOS_MANAGEMENT rule 21 inbound-interface group 'WAN' Allow Access to Services @@ -324,7 +319,7 @@ all hosts on the ``NET-INSIDE-v4`` network: set firewall ipv4 input filter rule 30 action 'accept' set firewall ipv4 input filter rule 30 icmp type-name 'echo-request' set firewall ipv4 input filter rule 30 protocol 'icmp' - set firewall ipv4 input filter rule 30 state new + set firewall ipv4 input filter rule 30 state new set firewall ipv4 input filter rule 40 action 'accept' set firewall ipv4 input filter rule 40 destination port '53' |