-rw-r--r--  docs/configuration-overview.rst  32
-rw-r--r--  docs/quick-start.rst             72
2 files changed, 85 insertions, 19 deletions
diff --git a/docs/configuration-overview.rst b/docs/configuration-overview.rst index bd1ab8d8..5bd80028 100644 --- a/docs/configuration-overview.rst +++ b/docs/configuration-overview.rst @@ -117,7 +117,7 @@ to enter configuration mode enter the command `configure` when in operational mo vyos@vyos$ configure [edit] - cyos@vyos# + vyos@vyos# .. note:: When going into configuration mode, prompt changes from *$* to *#*. To exit configuration mode, type `exit`. @@ -292,8 +292,8 @@ configuration revisions in configuration mode, use the compare command: [edit] vyos@vyos# -You can rollback configuration using the rollback command, however this -command will currently trigger a system reboot. +You can rollback configuration using the rollback command. This +command will apply the selected revision and trigger a system reboot. .. code-block:: sh @@ -328,8 +328,9 @@ or TFTP. Operational info from config mode --------------------------------- -When inside configuration mode you are not directly able to execute operational commands, -access to these commands are possible trough the use of the `run [command]` command. +When inside configuration mode you are not directly able to execute operational commands. + +Access to these commands are possible through the use of the `run [command]` command. From this command you will have access to everything accessible from operational mode. Command completion and syntax help with `?` and `[tab]` will also work. @@ -353,7 +354,8 @@ This feature was available in Vyatta Core since 6.3 Local archive and revisions --------------------------- -Revisions are stored on disk, you can view them, compare them, and rollback to previous revisions if anything goes wrong. +Revisions are stored on disk. You can view them, compare them, and rollback to previous revisions if anything goes wrong. + To view existing revisions, use `show system commit` operational mode command. .. code-block:: sh 
@@ -398,4 +400,22 @@ Remote archive VyOS can copy the config to a remote location after each commit. TFTP, FTP, and SFTP servers are supported. + +You can specify the location with: + +* `set system config-management commit-archive location URL` + +For example, `set system config-management commit-archive location tftp://10.0.0.1/vyos`. + You can specify the location with `set system config-management commit-archive location URL` command, e.g. `set system config-management commit-archive location tftp://10.0.0.1/vyos`. + +Wipe config and restore default +------------------------------- + +In the case you want to completely delete your configuration and restore the default one, you can enter the following command in configuration mode: + +.. code-block:: sh + + load /opt/vyatta/etc/config.boot.default + +.. note:: If you are remotely connected, you will lose your connection. You may want to copy first the config, edit it to ensure connectivity, and load the edited config. diff --git a/docs/quick-start.rst b/docs/quick-start.rst index 226c81d0..ebe4d402 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -28,15 +28,10 @@ Enable SSH for remote management: set service ssh port '22' -Configure Source NAT for our "Inside" network. - -.. code-block:: sh - set nat source rule 100 outbound-interface 'eth0' - set nat source rule 100 source address '192.168.0.0/24' - set nat source rule 100 translation address masquerade -Configure a DHCP Server: +Configure DHCP Server and DNS +^^^^^^^^^^^^^^^^^^^^^^^ .. code-block:: sh 
@@ -49,17 +44,27 @@ Configure a DHCP Server: And a DNS forwarder: -Please note that the `listen-on` statement is deprecated. Please use -`listen-address` instead! - .. code-block:: sh set service dns forwarding cache-size '0' - set service dns forwarding listen-on 'eth1' + set service dns forwarding listen-address '192.168.0.1' set service dns forwarding name-server '8.8.8.8' set service dns forwarding name-server '8.8.4.4' -Add a set of firewall policies for our "Outside" interface: +NAT and Firewall +^^^^^^^^^^^^^^^^ + +Configure Source NAT for our "Inside" network. + +.. code-block:: sh + + set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 source address '192.168.0.0/24' + set nat source rule 100 translation address masquerade + +Add a set of firewall policies for our "Outside" interface. + +This configuration creates a proper stateful firewall that blocks all traffic: .. code-block:: sh @@ -75,6 +80,13 @@ Add a set of firewall policies for our "Outside" interface: set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request' set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp' set firewall name OUTSIDE-LOCAL rule 20 state new 'enable' + +If you wanted to enable SSH access to your firewall from the the Internet, you could create some additional rules to allow the traffic. + +These rules allow SSH traffic and rate limit it to 4 requests per minute. This blocks brute-forcing attempts: + +.. code-block:: sh + set firewall name OUTSIDE-LOCAL rule 30 action 'drop' set firewall name OUTSIDE-LOCAL rule 30 destination port '22' set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp' @@ -105,7 +117,7 @@ Commit changes, save the configuration, and exit configuration mode: vyos@vyos$ Basic QoS ---------- +^^^^^^^^^ The traffic policy subsystem provides an interface to Linux traffic control (tc_). 
@@ -163,4 +175,38 @@ VyOS 1.2 (Crux) also supports HFSC (:code:`set traffic-policy shaper-hfsc`) See further information in the :ref:`qos` chapter. +Security Hardening +^^^^^^^^^^^^^^^^^^ + +Especially if you are allowing SSH access from the Internet, there are a few additional configuration steps that should be taken. + +Create a user to replace the default `vyos` user: + +.. code-block:: sh + + set system login user myvyosuser level admin + set system login user myvyosuser authentication plaintext-password mysecurepassword + +Set up SSH key based authentication. For example, on Linux you'd want to run `ssh-keygen -t rsa`. Then the contents of `id_rsa.pub` would be used below: + +.. code-block:: sh + + set system login user myvyosuser authentication public-keys myusername@mydesktop type ssh-rsa + set system login user myvyosuser authentication public-keys myusername@mydesktop key contents_of_id_rsa.pub + +Or you can use the `loadkey` command. Commit and save. + +Finally, try and ssh into the VyOS install as your new user. + +Once you have confirmed that your new user can access your server, without a password, delete the original `vyos` user and disable password authentication into SSH: + +.. code-block:: sh + + delete system login user vyos + set service ssh disable-password-authentication + +Commit and save. + + + .. _tc: http://en.wikipedia.org/wiki/Tc_(Linux) |
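Review bot: subject-verb agreement in the "Operational info from config mode" hunk of configuration-overview.rst: the new line `Access to these commands are possible through the use of the `run [command]` command.` should read `Access to these commands is possible ...`. Splitting the original sentence also leaves `When inside configuration mode you are not directly able to execute operational commands.` as a one-sentence paragraph; joining the two with a semicolon reads more naturally than the blank line.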
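Review bot: the "Remote archive" hunk documents the location command twice. The added bullet `set system config-management commit-archive location URL` and the added `For example, ... tftp://10.0.0.1/vyos` line sit directly above the unchanged original sentence `You can specify the location with `set system config-management commit-archive location URL` command, e.g. ...`, which was left as a context line. Either prefix the original sentence with `-` or drop the new bullet. Since the hunk lists SFTP among the supported targets, consider using an `sftp://` URL in the example, or adding a sentence noting that TFTP and FTP transfer the archived configuration without encryption or authentication. In the "Wipe config" note, `copy first the config` should be `copy the config first`.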
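Review bot: the underline added for the new `Configure DHCP Server and DNS` heading in quick-start.rst is shorter than the title (23 `^` characters under a 29-character title), which docutils reports as "Title underline too short"; extend it to at least the title width. In the same hunk, the three `set nat source rule 100 ...` lines appear without a `-` prefix while the `.. code-block:: sh` directive above them is removed; if they really stay as context they become an orphaned indented block (RST renders it as a block quote) and duplicate the NAT block added under "NAT and Firewall" in the next hunk, so confirm they are removed here.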
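Review bot: the added sentence `This configuration creates a proper stateful firewall that blocks all traffic:` overstates what the OUTSIDE-LOCAL rules below it do. The visible rule 20 accepts ICMP `echo-request` with `state new 'enable'`, so the ruleset blocks new inbound traffic to the router except what is explicitly allowed, and it applies only to traffic destined to the router itself (the `LOCAL` chain). Suggest: `This configuration creates a stateful firewall on the outside interface that drops all new inbound traffic to the router except the traffic explicitly allowed below:`.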
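Review bot: doubled article in the SSH rate-limit hunk: `from the the Internet` should be `from the Internet`. The claim `This blocks brute-forcing attempts` is too strong for a rate limit of 4 requests per minute; it slows guessing rather than preventing it, so `This slows down brute-force attempts` (with the key-based authentication described under "Security Hardening" as the actual control) would be accurate.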
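Review bot: in the new "Security Hardening" section, `key contents_of_id_rsa.pub` is likely to be misread as pasting the whole `id_rsa.pub` line; the `key` value takes only the base64 key material, not the `ssh-rsa` type prefix (already given by `type ssh-rsa`) or the trailing comment. State that explicitly. The literal `mysecurepassword` should be an obvious placeholder such as `<password>`, and the text should say the value is typed in cleartext on the command line. `ssh-keygen -t rsa` could specify `-b 4096` since the default key size depends on the client version. The sentence `Once you have confirmed that your new user can access your server, without a password, delete ...` should read `... can log in with the key and without being prompted for a password, delete ...`, and it is worth adding that the existing session should be kept open until the new one is confirmed, since `delete system login user vyos` plus `set service ssh disable-password-authentication` removes the fallback. The three blank lines added before `.. _tc:` are stray.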