diff options
| -rw-r--r-- | README.md | 18 | ||||
| -rw-r--r-- | docs/configuration/firewall/ipv4.rst | 12 | ||||
| -rw-r--r-- | docs/configuration/firewall/ipv6.rst | 12 | ||||
| -rw-r--r-- | docs/configuration/nat/nat44.rst | 62 | ||||
| -rw-r--r-- | docs/configuration/vpn/sstp.rst | 5 |
5 files changed, 67 insertions, 42 deletions
@@ -90,12 +90,14 @@ If the `vyos/vyos-documentation` container could not be found locally it will be automatically fetched from Dockerhub. ```bash -$ docker run --rm -it -v "$(pwd)":/vyos -w /vyos/docs \ - -e GOSU_UID=$(id -u) -e GOSU_GID=$(id -g) vyos/vyos-documentation make html +$ git clone https://github.com/vyos/vyos-documentation.git -# sphinx autobuild -$ docker run --rm -it -p 8000:8000 -v "$(pwd)":/vyos -w /vyos/docs -e \ - GOSU_UID=$(id -u) -e GOSU_GID=$(id -g) vyos/vyos-documentation make livehtml +$ cd vyos-documentation + +$ docker run --rm -it -v "$(pwd)":/vyos -w /vyos/docs -e GOSU_UID=$(id -u) -e GOSU_GID=$(id -g) vyos/vyos-documentation make html + +# For sphinx autobuild +$ docker run --rm -it -p 8000:8000 -v "$(pwd)":/vyos -w /vyos/docs -e GOSU_UID=$(id -u) -e GOSU_GID=$(id -g) vyos/vyos-documentation make livehtml ``` ### Test the docs @@ -103,13 +105,11 @@ $ docker run --rm -it -p 8000:8000 -v "$(pwd)":/vyos -w /vyos/docs -e \ To test all files, run: ```bash -$ docker run --rm -it -v "$(pwd)":/vyos -w /vyos/docs \ - -e GOSU_UID=$(id -u) -e GOSU_GID=$(id -g) vyos/vyos-documentation vale . +$ docker run --rm -it -v "$(pwd)":/vyos -w /vyos/docs -e GOSU_UID=$(id -u) -e GOSU_GID=$(id -g) vyos/vyos-documentation vale . ``` to test a specific file (e.g. `quick-start.rst`) ```bash -$ docker run --rm -it -v "$(pwd)":/vyos -w /vyos/docs -e GOSU_UID=$(id -u) \ - -e GOSU_GID=$(id -g) vyos/vyos-documentation vale quick-start.rst +$ docker run --rm -it -v "$(pwd)":/vyos -w /vyos/docs -e GOSU_UID=$(id -u) -e GOSU_GID=$(id -g) vyos/vyos-documentation vale quick-start.rst ``` diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst index 7b80dc67..2fe877bb 100644 --- a/docs/configuration/firewall/ipv4.rst +++ b/docs/configuration/firewall/ipv4.rst @@ -841,13 +841,13 @@ geoip) to keep database and rules updated. set firewall ipv4 input filter rule 13 tcp flags not 'fin' .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] + state [established | invalid | new | related] .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] + state [established | invalid | new | related] .. cfgcmd:: set firewall ipv4 output filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] + state [established | invalid | new | related] .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> - state [established | invalid | new | related] [enable | disable] + state [established | invalid | new | related] Match against the state of a packet. @@ -986,12 +986,12 @@ Requirements to enable synproxy: set firewall global-options syn-cookies 'enable' set firewall ipv4 input filter rule 10 action 'synproxy' set firewall ipv4 input filter rule 10 destination port '8080' - set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' + set firewall ipv4 input filter rule 10 inbound-interface name 'eth1' set firewall ipv4 input filter rule 10 protocol 'tcp' set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7' set firewall ipv4 input filter rule 1000 action 'drop' - set firewall ipv4 input filter rule 1000 state invalid 'enable' + set firewall ipv4 input filter rule 1000 state invalid *********************** diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst index b0249124..29cbe097 100644 --- a/docs/configuration/firewall/ipv6.rst +++ b/docs/configuration/firewall/ipv6.rst @@ -850,13 +850,13 @@ geoip) to keep database and rules updated. set firewall ipv6 input filter rule 13 tcp flags not 'fin' .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] + state [established | invalid | new | related] .. cfgcmd:: set firewall ipv6 input filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] + state [established | invalid | new | related] .. cfgcmd:: set firewall ipv6 output filter rule <1-999999> - state [established | invalid | new | related] [enable | disable] + state [established | invalid | new | related] .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> - state [established | invalid | new | related] [enable | disable] + state [established | invalid | new | related] Match against the state of a packet. @@ -971,12 +971,12 @@ Requirements to enable synproxy: set firewall global-options syn-cookies 'enable' set firewall ipv6 input filter rule 10 action 'synproxy' set firewall ipv6 input filter rule 10 destination port '8080' - set firewall ipv6 input filter rule 10 inbound-interface interface-name 'eth1' + set firewall ipv6 input filter rule 10 inbound-interface name 'eth1' set firewall ipv6 input filter rule 10 protocol 'tcp' set firewall ipv6 input filter rule 10 synproxy tcp mss '1460' set firewall ipv6 input filter rule 10 synproxy tcp window-scale '7' set firewall ipv6 input filter rule 1000 action 'drop' - set firewall ipv6 input filter rule 1000 state invalid 'enable' + set firewall ipv6 input filter rule 1000 state invalid *********************** Operation-mode Firewall diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst index c660f8f4..2ec0c9b8 100644 --- a/docs/configuration/nat/nat44.rst +++ b/docs/configuration/nat/nat44.rst @@ -148,23 +148,35 @@ rule. * **outbound-interface** - applicable only to :ref:`source-nat`. It configures the interface which is used for the outside traffic that - this translation rule applies to. + this translation rule applies to. Interface groups, inverted + selection and wildcard, are also supported. - Example: + Examples: .. code-block:: none - set nat source rule 20 outbound-interface eth0 + set nat source rule 20 outbound-interface name eth0 + set nat source rule 30 outbound-interface name bond1* + set nat source rule 20 outbound-interface name !vtun2 + set nat source rule 20 outbound-interface group GROUP1 + set nat source rule 20 outbound-interface group !GROUP2 + * **inbound-interface** - applicable only to :ref:`destination-nat`. It configures the interface which is used for the inside traffic the - translation rule applies to. + translation rule applies to. Interface groups, inverted + selection and wildcard, are also supported. Example: .. code-block:: none - set nat destination rule 20 inbound-interface eth1 + set nat destination rule 20 inbound-interface name eth0 + set nat destination rule 30 inbound-interface name bond1* + set nat destination rule 20 inbound-interface name !vtun2 + set nat destination rule 20 inbound-interface group GROUP1 + set nat destination rule 20 inbound-interface group !GROUP2 + * **protocol** - specify which types of protocols this translation rule applies to. Only packets matching the specified protocol are NATed. @@ -323,7 +335,7 @@ demonstrate the following configuration: .. code-block:: none - set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 outbound-interface name 'eth0' set nat source rule 100 source address '192.168.0.0/24' set nat source rule 100 translation address 'masquerade' @@ -332,7 +344,9 @@ Which generates the following configuration: .. code-block:: none rule 100 { - outbound-interface eth0 + outbound-interface { + name eth0 + } source { address 192.168.0.0/24 } @@ -424,19 +438,19 @@ Example: set nat destination rule 100 description 'Regular destination NAT from external' set nat destination rule 100 destination port '3389' - set nat destination rule 100 inbound-interface 'pppoe0' + set nat destination rule 100 inbound-interface name 'pppoe0' set nat destination rule 100 protocol 'tcp' set nat destination rule 100 translation address '192.0.2.40' set nat destination rule 110 description 'NAT Reflection: INSIDE' set nat destination rule 110 destination port '3389' - set nat destination rule 110 inbound-interface 'eth0.10' + set nat destination rule 110 inbound-interface name 'eth0.10' set nat destination rule 110 protocol 'tcp' set nat destination rule 110 translation address '192.0.2.40' set nat source rule 110 description 'NAT Reflection: INSIDE' set nat source rule 110 destination address '192.0.2.0/24' - set nat source rule 110 outbound-interface 'eth0.10' + set nat source rule 110 outbound-interface name 'eth0.10' set nat source rule 110 protocol 'tcp' set nat source rule 110 source address '192.0.2.0/24' set nat source rule 110 translation address 'masquerade' @@ -452,7 +466,9 @@ Which results in a configuration of: destination { port 3389 } - inbound-interface pppoe0 + inbound-interface { + name pppoe0 + } protocol tcp translation { address 192.0.2.40 @@ -463,7 +479,9 @@ Which results in a configuration of: destination { port 3389 } - inbound-interface eth0.10 + inbound-interface { + name eth0.10 + } protocol tcp translation { address 192.0.2.40 @@ -476,7 +494,9 @@ Which results in a configuration of: destination { address 192.0.2.0/24 } - outbound-interface eth0.10 + outbound-interface { + name eth0.10 + } protocol tcp source { address 192.0.2.0/24 @@ -515,7 +535,7 @@ Our configuration commands would be: set nat destination rule 10 description 'Port Forward: HTTP to 192.168.0.100' set nat destination rule 10 destination port '80' - set nat destination rule 10 inbound-interface 'eth0' + set nat destination rule 10 inbound-interface name 'eth0' set nat destination rule 10 protocol 'tcp' set nat destination rule 10 translation address '192.168.0.100' @@ -530,7 +550,9 @@ Which would generate the following NAT destination configuration: destination { port 80 } - inbound-interface eth0 + inbound-interface { + name eth0 + } protocol tcp translation { address 192.168.0.100 @@ -610,10 +632,10 @@ and one external interface: set interfaces ethernet eth1 description 'Outside interface' set nat destination rule 2000 description '1-to-1 NAT example' set nat destination rule 2000 destination address '192.0.2.30' - set nat destination rule 2000 inbound-interface 'eth1' + set nat destination rule 2000 inbound-interface name 'eth1' set nat destination rule 2000 translation address '192.168.1.10' set nat source rule 2000 description '1-to-1 NAT example' - set nat source rule 2000 outbound-interface 'eth1' + set nat source rule 2000 outbound-interface name 'eth1' set nat source rule 2000 source address '192.168.1.10' set nat source rule 2000 translation address '192.0.2.30' @@ -639,7 +661,7 @@ We will use source and destination address for hash generation. .. code-block:: none - set nat destination rule 10 inbound-interface eth0 + set nat destination rule 10 inbound-interface name eth0 set nat destination rule 10 protocol tcp set nat destination rule 10 destination port 80 set nat destination rule 10 load-balance hash source-address @@ -655,7 +677,7 @@ We will generate the hash randomly. .. code-block:: none - set nat source rule 10 outbound-interface eth0 + set nat source rule 10 outbound-interface name eth0 set nat source rule 10 source address 10.0.0.0/8 set nat source rule 10 load-balance hash random set nat source rule 10 load-balance backend 192.0.2.251 weight 33 @@ -709,12 +731,10 @@ NAT Configuration set nat source rule 110 description 'Internal to ASP' set nat source rule 110 destination address '172.27.1.0/24' - set nat source rule 110 outbound-interface 'any' set nat source rule 110 source address '192.168.43.0/24' set nat source rule 110 translation address '172.29.41.89' set nat source rule 120 description 'Internal to ASP' set nat source rule 120 destination address '10.125.0.0/16' - set nat source rule 120 outbound-interface 'any' set nat source rule 120 source address '192.168.43.0/24' set nat source rule 120 translation address '172.29.41.89' diff --git a/docs/configuration/vpn/sstp.rst b/docs/configuration/vpn/sstp.rst index cc942ee5..cd064162 100644 --- a/docs/configuration/vpn/sstp.rst +++ b/docs/configuration/vpn/sstp.rst @@ -471,6 +471,11 @@ Global Advanced options Windows Internet Name Service (WINS) servers propagated to client +.. cfgcmd:: set vpn sstp host-name <hostname> + + If this option is given, only SSTP connections to the specified host + and with the same TLS SNI will be allowed. + *********************** Configuring SSTP client *********************** |