-rw-r--r-- | docs/404.rst | 3
m--------- | docs/_include/vyos-1x | 0
-rw-r--r-- | docs/_templates/layout.html | 2
-rw-r--r-- | docs/automation/command-scripting.rst | 2
-rw-r--r-- | docs/changelog/1.3.rst | 19
-rw-r--r-- | docs/changelog/1.4.rst | 72
-rw-r--r-- | docs/changelog/1.5.rst | 70
-rw-r--r-- | docs/cli.rst | 29
-rw-r--r-- | docs/configexamples/autotest/Wireguard/Wireguard.rst | 2
-rw-r--r-- | docs/configexamples/ha.rst | 2
-rw-r--r-- | docs/configexamples/policy-based-ipsec-and-firewall.rst | 4
-rw-r--r-- | docs/configuration/highavailability/index.rst | 2
-rw-r--r-- | docs/configuration/nat/nat44.rst | 2
-rw-r--r-- | docs/configuration/pki/index.rst | 4
-rw-r--r-- | docs/configuration/service/https.rst | 13
-rw-r--r-- | docs/configuration/vpn/l2tp.rst | 2
-rw-r--r-- | docs/configuration/vpn/site2site_ipsec.rst | 4
-rw-r--r-- | docs/configuration/vrf/index.rst | 4
-rw-r--r-- | docs/quick-start.rst | 34
19 files changed, 211 insertions, 59 deletions
diff --git a/docs/404.rst b/docs/404.rst index 5073773a..2ae79f2e 100644 --- a/docs/404.rst +++ b/docs/404.rst @@ -8,4 +8,5 @@ Try using the search box or go to the release homepage: * `1.2.x (crux) <https://docs.vyos.io/en/crux/>`_ * `1.3.x (equuleus) <https://docs.vyos.io/en/equuleus/>`_ - * `rolling release (sagitta) <https://docs.vyos.io/en/latest/>`_ + * `1.4.x (sagitta) <https://docs.vyos.io/en/sagitta/>`_ + * `rolling release (circinus) <https://docs.vyos.io/en/latest/>`_ diff --git a/docs/_include/vyos-1x b/docs/_include/vyos-1x -Subproject fd9e2c24e739fd327f860c45fa00241fd1acca7 +Subproject cd19b9d6b0c21a5d07a9f5a98e5e90d09d8d4cc diff --git a/docs/_templates/layout.html b/docs/_templates/layout.html index e7ede58c..6cb68508 100644 --- a/docs/_templates/layout.html +++ b/docs/_templates/layout.html @@ -1,5 +1,5 @@ {% extends "!layout.html" %} -{%- set current_version = "1.4.x sagitta" %} +{%- set current_version = "1.5.x circinus" %} {% block extrahead %} <link href="{{ pathto("_static/css/custom.css", True) }}" rel="stylesheet" type="text/css"> <link href="{{ pathto("_static/css/datatables.css", True) }}" rel="stylesheet" type="text/css"> diff --git a/docs/automation/command-scripting.rst b/docs/automation/command-scripting.rst index 64564e5a..c8a72a36 100644 --- a/docs/automation/command-scripting.rst +++ b/docs/automation/command-scripting.rst @@ -94,7 +94,7 @@ Here is a simple example: #!/bin/vbash source /opt/vyatta/etc/functions/script-template configure - source < /config/scripts/setfirewallgroup.py + source <(/config/scripts/setfirewallgroup.py) commit diff --git a/docs/changelog/1.3.rst b/docs/changelog/1.3.rst index c5192eab..5ce9f5cf 100644 --- a/docs/changelog/1.3.rst +++ b/docs/changelog/1.3.rst 
@@ -8,6 +8,25 @@ _ext/releasenotes.py +2023-11-15 +========== + +* :vytask:`T5661` ``(enhancment): Add show show ssh dynamic-protection attacker and show log ssh dynamic-protection`` +* :vytask:`T1276` ``(bug): dhcp relay + VLAN fails`` + + +2023-11-07 +========== + +* :vytask:`T5586` ``(feature): Disable by default SNMP for Keepalived VRRP`` + + +2023-11-06 +========== + +* :vytask:`T4269` ``(feature): node.def generator should automatically add default values`` + + 2023-10-26 ========== diff --git a/docs/changelog/1.4.rst b/docs/changelog/1.4.rst index 86b201df..96bdae15 100644 --- a/docs/changelog/1.4.rst +++ b/docs/changelog/1.4.rst 
@@ -8,6 +8,78 @@ _ext/releasenotes.py +2023-11-18 +========== + +* :vytask:`T1354` ``(feature): Add support for VLAN-Aware bridges`` + + +2023-11-16 +========== + +* :vytask:`T5726` ``(bug): HTTPS API image cannot be updated`` +* :vytask:`T5738` ``(feature): Extend XML building blocks`` +* :vytask:`T5736` ``(feature): igmp: migrate "protocols igmp" to "protocols pim"`` +* :vytask:`T5733` ``(feature): pim(6): rewrite FRR PIM daemon configuration to get_config_dict() and add missing IGMP features`` +* :vytask:`T5689` ``(default): FRR 9.0.1 in VyOS current segfaults on show rpki prefix $prefix`` +* :vytask:`T5595` ``(feature): Multicast - PIM bfd feature enable`` +* :vytask:`T3638` ``(bug): Passwords With Dollar Sign Set Incorrectly`` + + +2023-11-15 +========== + +* :vytask:`T5695` ``(feature): Build FRR with LUA scripts --enable-scripting option`` +* :vytask:`T5665` ``(bug): radius user not working`` +* :vytask:`T5728` ``(bug): Improve compatibility between OpenVPN on VyOS 1.5 and OpenVPN Connect Client`` +* :vytask:`T5732` ``(bug): generate firewall rule-resequence drops geoip country-code from output`` +* :vytask:`T5661` ``(enhancment): Add show show ssh dynamic-protection attacker and show log ssh dynamic-protection`` +* :vytask:`T1276` ``(bug): dhcp relay + VLAN fails`` + + +2023-11-13 +========== + +* :vytask:`T5698` ``(feature): EVPN ESI Multihoming`` +* :vytask:`T5563` ``(bug): container: Container environment variable cannot be set`` +* :vytask:`T5706` ``(bug): Systemd-udevd high CPU utilization for multiple dynamic ppp/l2tp/ipoe interfaces`` + + +2023-11-10 +========== + +* :vytask:`T5727` ``(bug): validator: Use native URL validator instead of regex-based validator`` + + +2023-11-08 +========== + +* :vytask:`T5720` ``(bug): PPPoE-server adding new interface does not work`` +* :vytask:`T5716` ``(bug): PPPoE-server shaper template bug down-limiter option does not rely on fwmark`` +* :vytask:`T5702` ``(feature): Add ability to set include_ifmib_iface_prefix 
and ifmib_max_num_ifaces for SNMP`` +* :vytask:`T5648` ``(bug): ldpd neighbour template errors`` +* :vytask:`T5564` ``(bug): Both show firewall group and show firewall summary fails`` +* :vytask:`T5559` ``(feature): Selective proxy-arp/proxy-ndp when doing SNAT/DNAT`` +* :vytask:`T5541` ``(bug): Zone-Based Firewalling in VyOS Sagitta 1.4`` +* :vytask:`T5513` ``(bug): Anomalies in show firewall command after refactoring`` +* :vytask:`T4864` ``(bug): `show firewall` command errors`` + + +2023-11-07 +========== + +* :vytask:`T5586` ``(feature): Disable by default SNMP for Keepalived VRRP`` + + +2023-11-06 +========== + +* :vytask:`T5705` ``(bug): rsyslog - Not working when using facility=all`` +* :vytask:`T5704` ``(feature): PPPoE-server add max-starting option`` +* :vytask:`T5707` ``(bug): Wireguard peer public key update leaves redundant peers and breaks connectivity`` +* :vytask:`T4269` ``(feature): node.def generator should automatically add default values`` + + 2023-11-05 ========== diff --git a/docs/changelog/1.5.rst b/docs/changelog/1.5.rst index 3cb54a85..145cf648 100644 --- a/docs/changelog/1.5.rst +++ b/docs/changelog/1.5.rst 
@@ -8,6 +8,74 @@ _ext/releasenotes.py +2023-11-18 +========== + +* :vytask:`T1354` ``(feature): Add support for VLAN-Aware bridges`` + + +2023-11-16 +========== + +* :vytask:`T5726` ``(bug): HTTPS API image cannot be updated`` +* :vytask:`T5738` ``(feature): Extend XML building blocks`` +* :vytask:`T5736` ``(feature): igmp: migrate "protocols igmp" to "protocols pim"`` +* :vytask:`T5733` ``(feature): pim(6): rewrite FRR PIM daemon configuration to get_config_dict() and add missing IGMP features`` +* :vytask:`T5689` ``(default): FRR 9.0.1 in VyOS current segfaults on show rpki prefix $prefix`` +* :vytask:`T5595` ``(feature): Multicast - PIM bfd feature enable`` + + +2023-11-15 +========== + +* :vytask:`T5695` ``(feature): Build FRR with LUA scripts --enable-scripting option`` +* :vytask:`T5677` ``(bug): show lldp neighbors generates TypeError when neighbor has no `descr``` +* :vytask:`T5728` ``(bug): Improve compatibility between OpenVPN on VyOS 1.5 and OpenVPN Connect Client`` +* :vytask:`T5732` ``(bug): generate firewall rule-resequence drops geoip country-code from output`` +* :vytask:`T5661` ``(enhancment): Add show show ssh dynamic-protection attacker and show log ssh dynamic-protection`` + + +2023-11-13 +========== + +* :vytask:`T5698` ``(feature): EVPN ESI Multihoming`` +* :vytask:`T5563` ``(bug): container: Container environment variable cannot be set`` +* :vytask:`T5706` ``(bug): Systemd-udevd high CPU utilization for multiple dynamic ppp/l2tp/ipoe interfaces`` + + +2023-11-10 +========== + +* :vytask:`T5727` ``(bug): validator: Use native URL validator instead of regex-based validator`` + + +2023-11-08 +========== + +* :vytask:`T5720` ``(bug): PPPoE-server adding new interface does not work`` +* :vytask:`T5716` ``(bug): PPPoE-server shaper template bug down-limiter option does not rely on fwmark`` +* :vytask:`T5702` ``(feature): Add ability to set include_ifmib_iface_prefix and ifmib_max_num_ifaces for SNMP`` +* :vytask:`T5693` ``(feature): Adding variable 
vyos_persistence_dir (and improve variable vyos_rootfs_dir)`` +* :vytask:`T5648` ``(bug): ldpd neighbour template errors`` +* :vytask:`T5564` ``(bug): Both show firewall group and show firewall summary fails`` +* :vytask:`T5559` ``(feature): Selective proxy-arp/proxy-ndp when doing SNAT/DNAT`` +* :vytask:`T5541` ``(bug): Zone-Based Firewalling in VyOS Sagitta 1.4`` + + +2023-11-07 +========== + +* :vytask:`T5586` ``(feature): Disable by default SNMP for Keepalived VRRP`` + + +2023-11-06 +========== + +* :vytask:`T5705` ``(bug): rsyslog - Not working when using facility=all`` +* :vytask:`T5704` ``(feature): PPPoE-server add max-starting option`` +* :vytask:`T5707` ``(bug): Wireguard peer public key update leaves redundant peers and breaks connectivity`` + + 2023-11-03 ========== @@ -58,7 +126,6 @@ 2023-10-23 ========== -* :vytask:`T5637` ``(bug): Firewall default-action log`` * :vytask:`T5299` ``(bug): QoS shaper ceiling does not work`` * :vytask:`T5667` ``(feature): BGP label-unicast - enable ecmp`` @@ -194,7 +261,6 @@ * :vytask:`T5588` ``(bug): Add kernel conntrack_bridge module`` * :vytask:`T5241` ``(feature): Support veth interfaces to working with netns`` * :vytask:`T5592` ``(feature): salt: upgrade minion to 3005.2`` -* :vytask:`T5590` ``(default): Firewall "log enable" logs every packet`` 2023-09-19 diff --git a/docs/cli.rst b/docs/cli.rst index 2e5d55fc..ee9c49ed 100644 --- a/docs/cli.rst +++ b/docs/cli.rst 
@@ -858,24 +858,27 @@ be ``config.boot-hostname.YYYYMMDD_HHMMSS``. .. cfgcmd:: set system config-management commit-archive location <URI> - Specify remote location of commit archive as any of the below - :abbr:`URI (Uniform Resource Identifier)` + Specify remote location of commit archive as any of the below + :abbr:`URI (Uniform Resource Identifier)` - * ``scp://<user>:<passwd>@<host>:/<dir>`` - * ``sftp://<user>:<passwd>@<host>/<dir>`` - * ``ftp://<user>:<passwd>@<host>/<dir>`` - * ``tftp://<host>/<dir>`` + * ``http://<user>:<passwd>@<host>:/<dir>`` + * ``https://<user>:<passwd>@<host>:/<dir>`` + * ``ftp://<user>:<passwd>@<host>/<dir>`` + * ``sftp://<user>:<passwd>@<host>/<dir>`` + * ``scp://<user>:<passwd>@<host>:/<dir>`` + * ``tftp://<host>/<dir>`` + * ``git+https://<user>:<passwd>@<host>/<path>`` -.. note:: The number of revisions don't affect the commit-archive. + .. note:: The number of revisions don't affect the commit-archive. -.. note:: You may find VyOS not allowing the secure connection because - it cannot verify the legitimacy of the remote server. You can use - the workaround below to quickly add the remote host's SSH - fingerprint to your ``~/.ssh/known_hosts`` file: + .. note:: You may find VyOS not allowing the secure connection because + it cannot verify the legitimacy of the remote server. You can use + the workaround below to quickly add the remote host's SSH + fingerprint to your ``~/.ssh/known_hosts`` file: - .. code-block:: none + .. code-block:: none - vyos@vyos# ssh-keyscan <host> >> ~/.ssh/known_hosts + vyos@vyos# ssh-keyscan <host> >> ~/.ssh/known_hosts Saving and loading manually --------------------------- diff --git a/docs/configexamples/autotest/Wireguard/Wireguard.rst b/docs/configexamples/autotest/Wireguard/Wireguard.rst index 93092afe..7e287bcf 100644 --- a/docs/configexamples/autotest/Wireguard/Wireguard.rst +++ b/docs/configexamples/autotest/Wireguard/Wireguard.rst 
@@ -44,7 +44,7 @@ After this, the public key can be displayed, to save for later. .. code-block:: none - vyos@central:~$ generate pki wireguard + vyos@central:~$ generate pki wireguard key-pair Private key: cMNGHtb5dW92ORG3HS8JJlvQF8pmVGt2Ydny8hTBLnY= Public key: WyfLCTXi31gL+YbYOwoAHCl2RgS+y56cYHEK6pQsTQ8= diff --git a/docs/configexamples/ha.rst b/docs/configexamples/ha.rst index 1ceda8e9..1badf231 100644 --- a/docs/configexamples/ha.rst +++ b/docs/configexamples/ha.rst @@ -303,7 +303,7 @@ public interface. .. code-block:: none set nat source rule 10 destination address '!192.0.2.0/24' - set nat source rule 10 outbound-interface 'eth0.50' + set nat source rule 10 outbound-interface name 'eth0.50' set nat source rule 10 source address '10.200.201.0/24' set nat source rule 10 translation address '203.0.113.1' diff --git a/docs/configexamples/policy-based-ipsec-and-firewall.rst b/docs/configexamples/policy-based-ipsec-and-firewall.rst index 1f969453..9b7ba73a 100644 --- a/docs/configexamples/policy-based-ipsec-and-firewall.rst +++ b/docs/configexamples/policy-based-ipsec-and-firewall.rst @@ -194,9 +194,9 @@ And NAT Configuration: set nat source rule 10 destination group network-group 'REMOTE-NETS' set nat source rule 10 exclude - set nat source rule 10 outbound-interface 'eth0' + set nat source rule 10 outbound-interface name 'eth0' set nat source rule 10 source group network-group 'LOCAL-NETS' - set nat source rule 20 outbound-interface 'eth0' + set nat source rule 20 outbound-interface name 'eth0' set nat source rule 20 source group network-group 'LOCAL-NETS' set nat source rule 20 translation address 'masquerade' diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst index 2f20e783..7f06faa8 100644 --- a/docs/configuration/highavailability/index.rst +++ b/docs/configuration/highavailability/index.rst 
@@ -450,7 +450,7 @@ Port "0" is required if multiple ports are used. set high-availability virtual-server vyos real-server 192.0.2.12 health-check script '/config/scripts/check-real-server-second.sh' set high-availability virtual-server vyos real-server 192.0.2.12 port '0' - set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 outbound-interface name 'eth0' set nat source rule 100 source address '192.0.2.0/24' set nat source rule 100 translation address 'masquerade' diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst index b42c6cfe..98b230a9 100644 --- a/docs/configuration/nat/nat44.rst +++ b/docs/configuration/nat/nat44.rst @@ -663,7 +663,7 @@ We will use source and destination address for hash generation. .. code-block:: none - set nat destination rule 10 inbound-interface inbound-interface eth0 + set nat destination rule 10 inbound-interface name eth0 set nat destination rule 10 protocol tcp set nat destination rule 10 destination port 80 set nat destination rule 10 load-balance hash source-address diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst index e83272f5..66ad84a3 100644 --- a/docs/configuration/pki/index.rst +++ b/docs/configuration/pki/index.rst @@ -148,11 +148,11 @@ WireGuard ``interface`` is used for the VyOS CLI command to identify the WireGuard interface where this private key is to be used. -.. opcmd:: generate pki wireguard pre-shared-key +.. opcmd:: generate pki wireguard preshared-key Generate a WireGuard pre-shared secret used for peers to communicate. -.. opcmd:: generate pki wireguard pre-shared-key install <peer> +.. opcmd:: generate pki wireguard preshared-key install <peer> Generate a WireGuard pre-shared secret used for peers to communicate. diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst index 08b16575..b767cb77 100644 --- a/docs/configuration/service/https.rst +++ b/docs/configuration/service/https.rst 
@@ -20,23 +20,14 @@ Configuration .. cfgcmd:: set service https api debug - To enable debug messages. Available via :opcmd:`show log` or + To enable debug messages. Available via :opcmd:`show log` or :opcmd:`monitor log` -.. cfgcmd:: set service https api port - - Set the listen port of the local API, this has no effect on the - webserver. The default is port 8080 - -.. cfgcmd:: set service https api socket - - Use local socket for API - .. cfgcmd:: set service https api strict Enforce strict path checking -.. cfgcmd:: set service https virtual-host <vhost> listen-address +.. cfgcmd:: set service https virtual-host <vhost> listen-address <ipv4 or ipv6 address> Address to listen for HTTPS requests diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst index 6ea1cc7d..26de47b3 100644 --- a/docs/configuration/vpn/l2tp.rst +++ b/docs/configuration/vpn/l2tp.rst @@ -60,7 +60,7 @@ To allow VPN-clients access via your external address, a NAT rule is required: .. code-block:: none - set nat source rule 110 outbound-interface 'eth0' + set nat source rule 110 outbound-interface name 'eth0' set nat source rule 110 source address '192.168.255.0/24' set nat source rule 110 translation address masquerade diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst index 2b3403f5..8c0af774 100644 --- a/docs/configuration/vpn/site2site_ipsec.rst +++ b/docs/configuration/vpn/site2site_ipsec.rst 
@@ -245,13 +245,13 @@ If there is SNAT rules on eth1, need to add exclude rule # server side set nat source rule 10 destination address '10.0.0.0/24' set nat source rule 10 'exclude' - set nat source rule 10 outbound-interface 'eth1' + set nat source rule 10 outbound-interface name 'eth1' set nat source rule 10 source address '192.168.0.0/24' # remote office side set nat source rule 10 destination address '192.168.0.0/24' set nat source rule 10 'exclude' - set nat source rule 10 outbound-interface 'eth1' + set nat source rule 10 outbound-interface name 'eth1' set nat source rule 10 source address '10.0.0.0/24' To allow traffic to pass through to clients, you need to add the following diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst index dea53321..7a50bfb2 100644 --- a/docs/configuration/vrf/index.rst +++ b/docs/configuration/vrf/index.rst @@ -295,11 +295,11 @@ Configuration set nat destination rule 110 description 'NAT ssh- INSIDE' set nat destination rule 110 destination port '2022' - set nat destination rule 110 inbound-interface 'eth0' + set nat destination rule 110 inbound-interface name 'eth0' set nat destination rule 110 protocol 'tcp' set nat destination rule 110 translation address '192.168.130.40' - set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 outbound-interface name 'eth0' set nat source rule 100 protocol 'all' set nat source rule 100 source address '192.168.130.0/24' set nat source rule 100 translation address 'masquerade' diff --git a/docs/quick-start.rst b/docs/quick-start.rst index a3927560..d20a39f9 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -114,7 +114,7 @@ network via IP masquerade. .. code-block:: none - set nat source rule 100 outbound-interface 'eth0' + set nat source rule 100 outbound-interface name 'eth0' set nat source rule 100 source address '192.168.0.0/24' set nat source rule 100 translation address masquerade 
@@ -185,11 +185,11 @@ The chain we will create is called ``CONN_FILTER`` and has three rules: set firewall ipv4 name CONN_FILTER default-action 'return' set firewall ipv4 name CONN_FILTER rule 10 action 'accept' - set firewall ipv4 name CONN_FILTER rule 10 state established 'enable' - set firewall ipv4 name CONN_FILTER rule 10 state related 'enable' + set firewall ipv4 name CONN_FILTER rule 10 state established + set firewall ipv4 name CONN_FILTER rule 10 state related set firewall ipv4 name CONN_FILTER rule 20 action 'drop' - set firewall ipv4 name CONN_FILTER rule 20 state invalid 'enable' + set firewall ipv4 name CONN_FILTER rule 20 state invalid Then, we can jump to the common chain from both the ``forward`` and ``input`` hooks as the first filtering rule in the respective chains: @@ -212,16 +212,16 @@ creating rules on each hook's chain: .. code-block:: none set firewall ipv4 forward filter rule 5 action 'accept' - set firewall ipv4 forward filter rule 5 state established 'enable' - set firewall ipv4 forward filter rule 5 state related 'enable' + set firewall ipv4 forward filter rule 5 state established + set firewall ipv4 forward filter rule 5 state related set firewall ipv4 forward filter rule 10 action 'drop' - set firewall ipv4 forward filter rule 10 state invalid 'enable' + set firewall ipv4 forward filter rule 10 state invalid set firewall ipv4 input filter rule 5 action 'accept' - set firewall ipv4 input filter rule 5 state established 'enable' - set firewall ipv4 input filter rule 5 state related 'enable' + set firewall ipv4 input filter rule 5 state established + set firewall ipv4 input filter rule 5 state related set firewall ipv4 input filter rule 10 action 'drop' - set firewall ipv4 input filter rule 10 state invalid 'enable' + set firewall ipv4 input filter rule 10 state invalid Block Incoming Traffic ---------------------- 
@@ -241,7 +241,7 @@ group and is addressed to our local network. set firewall ipv4 forward filter rule 100 action jump set firewall ipv4 forward filter rule 100 jump-target OUTSIDE-IN - set firewall ipv4 forward filter rule 100 inbound-interface interface-group WAN + set firewall ipv4 forward filter rule 100 inbound-interface group WAN set firewall ipv4 forward filter rule 100 destination group network-group NET-INSIDE-v4 We should also block all traffic destinated to the router itself that isn't @@ -285,17 +285,17 @@ interface group to 4 per minute: .. code-block:: none set firewall ipv4 name VyOS_MANAGEMENT rule 15 action 'accept' - set firewall ipv4 name VyOS_MANAGEMENT rule 15 inbound-interface interface-group 'LAN' + set firewall ipv4 name VyOS_MANAGEMENT rule 15 inbound-interface group 'LAN' set firewall ipv4 name VyOS_MANAGEMENT rule 20 action 'drop' set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent count 4 set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent time minute - set firewall ipv4 name VyOS_MANAGEMENT rule 20 state new enable - set firewall ipv4 name VyOS_MANAGEMENT rule 20 inbound-interface interface-group 'WAN' + set firewall ipv4 name VyOS_MANAGEMENT rule 20 state new + set firewall ipv4 name VyOS_MANAGEMENT rule 20 inbound-interface group 'WAN' set firewall ipv4 name VyOS_MANAGEMENT rule 21 action 'accept' - set firewall ipv4 name VyOS_MANAGEMENT rule 21 state new enable - set firewall ipv4 name VyOS_MANAGEMENT rule 21 inbound-interface interface-group 'WAN' + set firewall ipv4 name VyOS_MANAGEMENT rule 21 state new + set firewall ipv4 name VyOS_MANAGEMENT rule 21 inbound-interface group 'WAN' Allow Access to Services ------------------------ 
@@ -309,7 +309,7 @@ all hosts on the ``NET-INSIDE-v4`` network: set firewall ipv4 input filter rule 30 action 'accept' set firewall ipv4 input filter rule 30 icmp type-name 'echo-request' set firewall ipv4 input filter rule 30 protocol 'icmp' - set firewall ipv4 input filter rule 30 state new 'enable' + set firewall ipv4 input filter rule 30 state new set firewall ipv4 input filter rule 40 action 'accept' set firewall ipv4 input filter rule 40 destination port '53' |
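Review bot: in docs/automation/command-scripting.rst, the corrected line `source <(/config/scripts/setfirewallgroup.py)` runs the script and sources whatever it writes to stdout, so the example only works when the file is executable and starts with an interpreter line, and every line it prints is applied as a configuration command before `commit`. Suggest stating that next to the example (set the execute bit, print only `set`/`delete` commands, send diagnostics to stderr) if the surrounding text does not already say it.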
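Review bot: in docs/changelog/1.3.rst, the added T5661 entry reads `(enhancment): Add show show ssh dynamic-protection attacker ...`, with a misspelled category and a doubled "show", and the same line is added again in the 1.4.rst and 1.5.rst hunks. The hunk context names `_ext/releasenotes.py`, so if these files are generated, the fix belongs in the task title and category rather than in the three .rst files; otherwise correct it to `(enhancement): Add show ssh dynamic-protection attacker ...` in all three.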
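Review bot: in docs/changelog/1.5.rst, the two later hunks (`@@ -58,7 +126,6 @@` and `@@ -194,7 +261,6 @@`) delete the existing entries for T5637 `(bug): Firewall default-action log` and T5590 `(default): Firewall "log enable" logs every packet` with nothing in the visible change explaining why. Both concern firewall logging behaviour that operators may look up later, so please confirm the removal is intended (for example because the tasks were reassigned to another release) or restore the two lines.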
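Review bot: in docs/cli.rst, the new `http://<user>:<passwd>@<host>:/<dir>` and `https://<user>:<passwd>@<host>:/<dir>` entries keep the `:/` separator of the scp form; in an HTTP(S) URL a colon after the host introduces a port, so these should read `<host>/<dir>` like the ftp and sftp entries. The list also now offers `http://` alongside `ftp://` and `tftp://` for shipping the commit archive, all of which send the password and the archived configuration unencrypted, and the URI with its embedded password becomes part of the saved configuration; a short note recommending `https`, `sftp`, `scp` or `git+https` would help. Separately, the re-indented `ssh-keyscan <host> >> ~/.ssh/known_hosts` workaround trusts whatever key the host returns at that moment, so the note should tell the reader to compare the fingerprint with one obtained from the server out of band before relying on it.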
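Review bot: in docs/configuration/pki/index.rst, after the rename both `generate pki wireguard preshared-key` and `generate pki wireguard preshared-key install <peer>` still carry the identical description "Generate a WireGuard pre-shared secret used for peers to communicate.", so the reader cannot tell what `install <peer>` does differently. Suggest giving the second entry its own sentence describing what `install` does with the generated key and what `<peer>` refers to, in the same way the context line above the hunk explains the `interface` argument.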
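Review bot: in docs/configuration/service/https.rst, the `set service https api port` and `set service https api socket` entries are deleted without any replacement text, so a reader who has the API on the previously documented port 8080 or on a local socket gets no indication of where the API listens now or how to restrict it. Suggest adding a sentence stating how the API is reached after this change, or a pointer to the changelog task that removed the options. The new `listen-address <ipv4 or ipv6 address>` signature is clearer, but its description "Address to listen for HTTPS requests" could also say what the service binds to when the option is unset.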