-rw-r--r--  docs/quick-start.rst  29
1 files changed, 16 insertions, 13 deletions
diff --git a/docs/quick-start.rst b/docs/quick-start.rst index 518e5d86..2aa3cbbb 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -60,7 +60,7 @@ Configure Source NAT for our "Inside" network. set nat source rule 100 source address '192.168.0.0/24' set nat source rule 100 translation address masquerade -Add a set of firewall policies for our "Outside" interface. +Add a set of firewall policies for our "Outside" interface. This configuration creates a proper stateful firewall that blocks all traffic: @@ -79,9 +79,11 @@ This configuration creates a proper stateful firewall that blocks all traffic: set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp' set firewall name OUTSIDE-LOCAL rule 20 state new 'enable' -If you wanted to enable SSH access to your firewall from the the Internet, you could create some additional rules to allow the traffic. +If you wanted to enable SSH access to your firewall from the Internet, you +could create some additional rules to allow the traffic. -These rules allow SSH traffic and rate limit it to 4 requests per minute. This blocks brute-forcing attempts: +These rules allow SSH traffic and rate limit it to 4 requests per minute. This +blocks brute-forcing attempts: .. code-block:: sh @@ -121,8 +123,8 @@ The traffic policy subsystem provides an interface to Linux traffic control (tc_). One common use of traffic policy is to limit bandwidth for an interface. In -the example below we limit bandwidth for our LAN connection to 200 Mbit download -and out WAN connection to 50 Mbit upload: +the example below we limit bandwidth for our LAN connection to 200 Mbit +download and out WAN connection to 50 Mbit upload: .. code-block:: sh 
@@ -176,7 +178,8 @@ See further information in the :ref:`qos` chapter. Security Hardening ^^^^^^^^^^^^^^^^^^ -Especially if you are allowing SSH access from the Internet, there are a few additional configuration steps that should be taken. +Especially if you are allowing SSH access from the Internet, there are a few +additional configuration steps that should be taken. Create a user to replace the default `vyos` user: @@ -185,18 +188,20 @@ Create a user to replace the default `vyos` user: set system login user myvyosuser level admin set system login user myvyosuser authentication plaintext-password mysecurepassword -Set up SSH key based authentication. For example, on Linux you'd want to run `ssh-keygen -t rsa`. Then the contents of `id_rsa.pub` would be used below: +Set up SSH key based authentication. For example, on Linux you'd want to run +``ssh-keygen -t rsa``. Then the contents of ``id_rsa.pub`` would be used below: .. code-block:: sh set system login user myvyosuser authentication public-keys myusername@mydesktop type ssh-rsa set system login user myvyosuser authentication public-keys myusername@mydesktop key contents_of_id_rsa.pub -Or you can use the `loadkey` command. Commit and save. +Or you can use the ``loadkey`` command. Commit and save. -Finally, try and ssh into the VyOS install as your new user. - -Once you have confirmed that your new user can access your server, without a password, delete the original `vyos` user and disable password authentication into SSH: +Finally, try and SSH into the VyOS install as your new user. Once you have +confirmed that your new user can access your server, without a password, delete +the original ``vyos`` user and probably disable password authentication for +SSH: .. code-block:: sh @@ -205,6 +210,4 @@ Once you have confirmed that your new user can access your server, without a pas Commit and save. - - .. _tc: http://en.wikipedia.org/wiki/Tc_(Linux) |
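Review bot: In the hunk at @@ -79,9 the reflowed sentence "These rules allow SSH traffic and rate limit it to 4 requests per minute. This blocks brute-forcing attempts:" overstates what a rate limit does; a limit of 4 new connections per minute slows a brute-force attempt down, it does not block it, and a reader hardening a firewall should not take it as sufficient on its own. Suggest "This slows down brute-forcing attempts:" since the paragraph is being touched anyway.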
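Review bot: In the hunk at @@ -121,8 the rewrapped line "download and out WAN connection to 50 Mbit upload:" carries over the existing typo "out"; it should read "our WAN connection" to match "our LAN connection" earlier in the same sentence. Worth fixing here since the line is being rewritten.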
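Review bot: In the hunk at @@ -185,18 the new wording "delete the original ``vyos`` user and probably disable password authentication for SSH:" hedges a hardening step that the code block which follows performs unconditionally; "probably" reads as optional in a section titled Security Hardening. Suggest dropping it: "delete the original ``vyos`` user and disable password authentication for SSH:". Separately, the same hunk keeps ``ssh-keygen -t rsa`` and ``type ssh-rsa`` as the worked example; if the key type is left as is, the surrounding text at least should not imply RSA is the only option VyOS accepts.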