Diffstat (limited to 'docs/_locale/de/configuration.pot')
-rw-r--r--docs/_locale/de/configuration.pot513
1 files changed, 329 insertions, 184 deletions
diff --git a/docs/_locale/de/configuration.pot b/docs/_locale/de/configuration.pot
index 02238ad3..1a96d419 100644
--- a/docs/_locale/de/configuration.pot
+++ b/docs/_locale/de/configuration.pot
@@ -177,6 +177,10 @@ msgstr "**External check**"
msgid "**Firewall mark**"
msgstr "**Firewall mark**"
+#: ../../configuration/firewall/index.rst:41
+msgid "**For more information** of Netfilter hooks and Linux networking packet flows can be found in `Netfilter-Hooks <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_"
+msgstr "**For more information** of Netfilter hooks and Linux networking packet flows can be found in `Netfilter-Hooks <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_"
+
#: ../../configuration/protocols/bgp.rst:94
msgid "**IGP cost check**"
msgstr "**IGP cost check**"
@@ -201,11 +205,11 @@ msgstr "**Important note:** This documentation is valid only for VyOS Sagitta pr
msgid "**Important note:** This documentation is valid only for VyOS Sagitta prior to 1.4-rolling-YYYYMMDDHHmm"
msgstr "**Wichtiger Hinweis: ** Diese Dokumentation ist nur für VyOS Sagitta vor 1.4-Rolling-YYYYMMDDHHMM gültig"
-#: ../../configuration/firewall/general.rst:79
+#: ../../configuration/firewall/general.rst:72
msgid "**Important note about default-actions:** If default action for any chain is not defined, then the default action is set to **accept** for that chain. Only for custom chains, the default action is set to **drop**."
msgstr "**Wichtiger Hinweis zu Standardaktionen: ** Wenn die Standardaktion für eine Kette nicht definiert ist, ist die Standardaktion für diese Kette auf ** accept** gesetzt. Nur für benutzerdefinierte Ketten ist die Standardaktion auf **drop** gesetzt."
-#: ../../configuration/firewall/general.rst:411
+#: ../../configuration/firewall/general.rst:404
msgid "**Important note about default-actions:** If default action for any chain is not defined, then the default action is set to **drop** for that chain."
msgstr "**Important note about default-actions:** If default action for any chain is not defined, then the default action is set to **drop** for that chain."
@@ -623,7 +627,7 @@ msgstr "**exporter**: aggregates packets into flows and exports flow records tow
msgid "**firewall all-ping** affects only to LOCAL and it always behaves in the most restrictive way"
msgstr "**firewall all-ping** affects only to LOCAL and it always behaves in the most restrictive way"
-#: ../../configuration/firewall/general.rst:106
+#: ../../configuration/firewall/general.rst:99
msgid "**firewall global-options all-ping** affects only to LOCAL and it always behaves in the most restrictive way"
msgstr "**firewall global-options all-ping** affects only to LOCAL and it always behaves in the most restrictive way"
@@ -1309,17 +1313,17 @@ msgstr "<x.x.x.x>: IP address to match."
msgid "ARP"
msgstr "ARP"
-#: ../../configuration/firewall/general.rst:309
+#: ../../configuration/firewall/general.rst:302
#: ../../configuration/firewall/general-legacy.rst:257
msgid "A **domain group** represents a collection of domains."
msgstr "A **domain group** represents a collection of domains."
-#: ../../configuration/firewall/general.rst:291
+#: ../../configuration/firewall/general.rst:284
#: ../../configuration/firewall/general-legacy.rst:242
msgid "A **mac group** represents a collection of mac addresses."
msgstr "A **mac group** represents a collection of mac addresses."
-#: ../../configuration/firewall/general.rst:266
+#: ../../configuration/firewall/general.rst:259
#: ../../configuration/firewall/general-legacy.rst:217
msgid "A **port group** represents only port numbers, not the protocol. Port groups can be referenced for either TCP or UDP. It is recommended that TCP and UDP groups are created separately to avoid accidentally filtering unnecessary ports. Ranges of ports can be specified by using `-`."
msgstr "A **port group** represents only port numbers, not the protocol. Port groups can be referenced for either TCP or UDP. It is recommended that TCP and UDP groups are created separately to avoid accidentally filtering unnecessary ports. Ranges of ports can be specified by using `-`."
@@ -1481,7 +1485,7 @@ msgstr "A physical interface is required to connect this MACsec instance to. Tra
msgid "A pool of addresses can be defined by using a hyphen between two IP addresses:"
msgstr "A pool of addresses can be defined by using a hyphen between two IP addresses:"
-#: ../../configuration/firewall/general.rst:768
+#: ../../configuration/firewall/general.rst:761
#: ../../configuration/firewall/general-legacy.rst:506
msgid "A port can be set with a port number or a name which is here defined: ``/etc/services``."
msgstr "A port can be set with a port number or a name which is here defined: ``/etc/services``."
@@ -1624,7 +1628,7 @@ msgstr "Action must be taken immediately - A condition that should be corrected
msgid "Action which will be run once the ctrl-alt-del keystroke is received."
msgstr "Action which will be run once the ctrl-alt-del keystroke is received."
-#: ../../configuration/firewall/general.rst:334
+#: ../../configuration/firewall/general.rst:327
#: ../../configuration/policy/route.rst:238
msgid "Actions"
msgstr "Actions"
@@ -1697,6 +1701,10 @@ msgstr "Add public key portion for the certificate named `name` to the VyOS CLI.
msgid "Add the CAs private key to the VyOS CLI. This should never leave the system, and is only required if you use VyOS as your certificate generator as mentioned above."
msgstr "Add the CAs private key to the VyOS CLI. This should never leave the system, and is only required if you use VyOS as your certificate generator as mentioned above."
+#: ../../configuration/vpn/remoteaccess_ipsec.rst:163
+msgid "Add the commands from Snippet in the Windows side via PowerShell. Also import the root CA cert to the Windows “Trusted Root Certification Authorities” and establish the connection."
+msgstr "Add the commands from Snippet in the Windows side via PowerShell. Also import the root CA cert to the Windows “Trusted Root Certification Authorities” and establish the connection."
+
#: ../../configuration/pki/index.rst:232
msgid "Add the private key portion of this certificate to the CLI. This should never leave the system as it is used to decrypt the data."
msgstr "Add the private key portion of this certificate to the CLI. This should never leave the system as it is used to decrypt the data."
@@ -1741,7 +1749,7 @@ msgstr "Address Conversion"
msgid "Address Families"
msgstr "Address Families"
-#: ../../configuration/firewall/general.rst:199
+#: ../../configuration/firewall/general.rst:192
#: ../../configuration/firewall/general-legacy.rst:168
msgid "Address Groups"
msgstr "Address Groups"
@@ -1790,6 +1798,10 @@ msgstr "After commit the plaintext passwords will be hashed and stored in your c
msgid "After committing the configuration we can verify all leaked routes are installed, and try to ICMP ping PC1 from PC3."
msgstr "After committing the configuration we can verify all leaked routes are installed, and try to ICMP ping PC1 from PC3."
+#: ../../configuration/vpn/remoteaccess_ipsec.rst:80
+msgid "After the PKI certs are all set up we can start configuring our IPSec/IKE proposals used for key-exchange end data encryption. The used encryption ciphers and integrity algorithms vary from operating system to operating system. The ones used in this example are validated to work on Windows 10."
+msgstr "After the PKI certs are all set up we can start configuring our IPSec/IKE proposals used for key-exchange end data encryption. The used encryption ciphers and integrity algorithms vary from operating system to operating system. The ones used in this example are validated to work on Windows 10."
+
#: ../../configuration/pki/index.rst:212
msgid "After we have imported the CA certificate(s) we can now import and add certificates used by services on this router."
msgstr "After we have imported the CA certificate(s) we can now import and add certificates used by services on this router."
@@ -1898,7 +1910,7 @@ msgstr "Allow host networking in a container. The network stack of the container
msgid "Allow this BFD peer to not be directly connected"
msgstr "Allow this BFD peer to not be directly connected"
-#: ../../configuration/firewall/general.rst:1144
+#: ../../configuration/firewall/general.rst:1137
#: ../../configuration/firewall/general-legacy.rst:694
msgid "Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``, ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma separated. The ``!`` negate the selected protocol."
msgstr "Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``, ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma separated. The ``!`` negate the selected protocol."
@@ -1923,7 +1935,7 @@ msgstr "Allows you to configure the next-hop interface for an interface-based IP
msgid "Already learned known_hosts files of clients need an update as the public key will change."
msgstr "Already learned known_hosts files of clients need an update as the public key will change."
-#: ../../configuration/firewall/general.rst:384
+#: ../../configuration/firewall/general.rst:377
msgid "Also, **default-action** is an action that takes place whenever a packet does not match any rule in it's chain. For base chains, possible options for **default-action** are **accept** or **drop**."
msgstr "Also, **default-action** is an action that takes place whenever a packet does not match any rule in it's chain. For base chains, possible options for **default-action** are **accept** or **drop**."
@@ -1955,7 +1967,7 @@ msgstr "Alternative to multicast, the remote IPv4 address of the VXLAN tunnel ca
msgid "Always exclude this address from any defined range. This address will never be assigned by the DHCP server."
msgstr "Always exclude this address from any defined range. This address will never be assigned by the DHCP server."
-#: ../../configuration/firewall/general.rst:248
+#: ../../configuration/firewall/general.rst:241
msgid "An **interface group** represents a collection of interfaces."
msgstr "An **interface group** represents a collection of interfaces."
@@ -2007,7 +2019,7 @@ msgstr "An arbitrary netmask can be applied to mask addresses to only match agai
msgid "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 and a zone-based firewall as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)."
msgstr "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 and a zone-based firewall as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)."
-#: ../../configuration/firewall/general.rst:626
+#: ../../configuration/firewall/general.rst:619
msgid "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)"
msgstr "An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)"
@@ -2213,6 +2225,14 @@ msgstr "As shown in the example above, one of the possibilities to match packets
msgid "As shown in the last command of the example above, the `queue-type` setting allows these combinations. You will be able to use it in many policies."
msgstr "As shown in the last command of the example above, the `queue-type` setting allows these combinations. You will be able to use it in many policies."
+#: ../../configuration/firewall/index.rst:81
+msgid "As the example image below shows, the device now needs rules to allow/block traffic to or from the services running on the device that have open connections on that interface."
+msgstr "As the example image below shows, the device now needs rules to allow/block traffic to or from the services running on the device that have open connections on that interface."
+
+#: ../../configuration/firewall/index.rst:60
+msgid "As the example image below shows, the device was configured with rules blocking inbound or outbound traffic on each interface."
+msgstr "As the example image below shows, the device was configured with rules blocking inbound or outbound traffic on each interface."
+
#: ../../configuration/interfaces/tunnel.rst:69
msgid "As the name implies, it's IPv4 encapsulated in IPv6, as simple as that."
msgstr "As the name implies, it's IPv4 encapsulated in IPv6, as simple as that."
@@ -2333,7 +2353,7 @@ msgstr "Assured Forwarding(AF) 43"
msgid "At every round, the deficit counter adds the quantum so that even large packets will have their opportunity to be dequeued."
msgstr "At every round, the deficit counter adds the quantum so that even large packets will have their opportunity to be dequeued."
-#: ../../configuration/firewall/general.rst:1496
+#: ../../configuration/firewall/general.rst:1489
#: ../../configuration/firewall/general-legacy.rst:972
msgid "At the moment it not possible to look at the whole firewall log with VyOS operational commands. All logs will save to ``/var/logs/messages``. For example: ``grep '10.10.0.10' /var/log/messages``"
msgstr "At the moment it not possible to look at the whole firewall log with VyOS operational commands. All logs will save to ``/var/logs/messages``. For example: ``grep '10.10.0.10' /var/log/messages``"
@@ -2764,7 +2784,7 @@ msgstr "By default, the BGP prefix is advertised even if it's not present in the
msgid "By default, this bridging is allowed."
msgstr "By default, this bridging is allowed."
-#: ../../configuration/firewall/general.rst:97
+#: ../../configuration/firewall/general.rst:90
#: ../../configuration/firewall/general-legacy.rst:42
msgid "By default, when VyOS receives an ICMP echo request packet destined for itself, it will answer with an ICMP echo reply, unless you avoid it through its firewall."
msgstr "By default, when VyOS receives an ICMP echo request packet destined for itself, it will answer with an ICMP echo reply, unless you avoid it through its firewall."
@@ -2935,6 +2955,10 @@ msgstr "Client Address Pools"
msgid "Client Authentication"
msgstr "Client Authentication"
+#: ../../configuration/vpn/remoteaccess_ipsec.rst:137
+msgid "Client Configuration"
+msgstr "Client Configuration"
+
#: ../../configuration/vpn/sstp.rst:278
msgid "Client IP addresses will be provided from pool `192.0.2.0/25`"
msgstr "Client IP addresses will be provided from pool `192.0.2.0/25`"
@@ -2975,7 +2999,7 @@ msgstr "Clock daemon"
msgid "Command completion can be used to list available time zones. The adjustment for daylight time will take place automatically based on the time of year."
msgstr "Command completion can be used to list available time zones. The adjustment for daylight time will take place automatically based on the time of year."
-#: ../../configuration/firewall/general.rst:537
+#: ../../configuration/firewall/general.rst:530
msgid "Command for disabling a rule but keep it in the configuration."
msgstr "Command for disabling a rule but keep it in the configuration."
@@ -2983,7 +3007,7 @@ msgstr "Command for disabling a rule but keep it in the configuration."
msgid "Command should probably be extended to list also the real interfaces assigned to this one VRF to get a better overview."
msgstr "Command should probably be extended to list also the real interfaces assigned to this one VRF to get a better overview."
-#: ../../configuration/firewall/general.rst:1551
+#: ../../configuration/firewall/general.rst:1544
#: ../../configuration/firewall/general-legacy.rst:1054
msgid "Command used to update GeoIP database and firewall sets."
msgstr "Command used to update GeoIP database and firewall sets."
@@ -3081,7 +3105,7 @@ msgstr "Confidentiality – Encryption of packets to prevent snooping by an unau
#: ../../configuration/system/flow-accounting.rst:43
#: ../../configuration/system/lcd.rst:17
#: ../../configuration/system/login.rst:241
-#: ../../configuration/system/login.rst:294
+#: ../../configuration/system/login.rst:310
#: ../../configuration/system/sflow.rst:12
#: ../../configuration/vpn/dmvpn.rst:38
#: ../../configuration/vpn/dmvpn.rst:182
@@ -3099,6 +3123,8 @@ msgstr "Configuration"
#: ../../configuration/protocols/pim6.rst:78
#: ../../configuration/protocols/rip.rst:239
#: ../../configuration/protocols/segment-routing.rst:187
+#: ../../configuration/system/login.rst:279
+#: ../../configuration/system/login.rst:348
msgid "Configuration Example"
msgstr "Configuration Example"
@@ -3211,11 +3237,11 @@ msgstr "Configure SNAT rule (40) to only NAT packets with a destination address
msgid "Configure :abbr:`MTU (Maximum Transmission Unit)` on given `<interface>`. It is the size (in bytes) of the largest ethernet frame sent on this link."
msgstr "Configure :abbr:`MTU (Maximum Transmission Unit)` on given `<interface>`. It is the size (in bytes) of the largest ethernet frame sent on this link."
-#: ../../configuration/system/login.rst:345
+#: ../../configuration/system/login.rst:373
msgid "Configure `<message>` which is shown after user has logged in to the system."
msgstr "Configure `<message>` which is shown after user has logged in to the system."
-#: ../../configuration/system/login.rst:340
+#: ../../configuration/system/login.rst:368
msgid "Configure `<message>` which is shown during SSH connect and before a user is logged in."
msgstr "Configure `<message>` which is shown during SSH connect and before a user is logged in."
@@ -3441,7 +3467,7 @@ msgstr "Configure service `<name>` mode TCP or HTTP"
msgid "Configure service `<name>` to use the backend <name>"
msgstr "Configure service `<name>` to use the backend <name>"
-#: ../../configuration/system/login.rst:364
+#: ../../configuration/system/login.rst:392
msgid "Configure session timeout after which the user will be logged out."
msgstr "Configure session timeout after which the user will be logged out."
@@ -3465,7 +3491,7 @@ msgstr "Configure the connection tracking protocol helper modules. All modules a
msgid "Configure the discrete port under which the RADIUS server can be reached."
msgstr "Configure the discrete port under which the RADIUS server can be reached."
-#: ../../configuration/system/login.rst:305
+#: ../../configuration/system/login.rst:321
msgid "Configure the discrete port under which the TACACS server can be reached."
msgstr "Configure the discrete port under which the TACACS server can be reached."
@@ -3744,7 +3770,7 @@ msgstr "Currently dynamic routing is supported for the following protocols:"
msgid "Custom File"
msgstr "Custom File"
-#: ../../configuration/firewall/general.rst:84
+#: ../../configuration/firewall/general.rst:77
msgid "Custom firewall chains can be created, with commands ``set firewall [ipv4 | ipv6] [name | ipv6-name] <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropiate **target** should be defined in a base chain."
msgstr "Custom firewall chains can be created, with commands ``set firewall [ipv4 | ipv6] [name | ipv6-name] <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropiate **target** should be defined in a base chain."
@@ -3875,7 +3901,7 @@ msgstr "DSCP values as per :rfc:`2474` and :rfc:`4595`:"
msgid "DSSS/CCK Mode in 40 MHz, this sets ``[DSSS_CCK-40]``"
msgstr "DSSS/CCK Mode in 40 MHz, this sets ``[DSSS_CCK-40]``"
-#: ../../configuration/firewall/general.rst:721
+#: ../../configuration/firewall/general.rst:714
#: ../../configuration/firewall/general-legacy.rst:480
msgid "Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, permits redistribution so we can include a database in images(~3MB compressed). Includes cron script (manually callable by op-mode update geoip) to keep database and rules updated."
msgstr "Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, permits redistribution so we can include a database in images(~3MB compressed). Includes cron script (manually callable by op-mode update geoip) to keep database and rules updated."
@@ -3994,12 +4020,12 @@ msgstr "Define Conection Timeouts"
msgid "Define IPv4/IPv6 management address transmitted via LLDP. Multiple addresses can be defined. Only addresses connected to the system will be transmitted."
msgstr "Define IPv4/IPv6 management address transmitted via LLDP. Multiple addresses can be defined. Only addresses connected to the system will be transmitted."
-#: ../../configuration/firewall/general.rst:232
+#: ../../configuration/firewall/general.rst:225
#: ../../configuration/firewall/general-legacy.rst:201
msgid "Define a IPv4 or IPv6 Network group."
msgstr "Define a IPv4 or IPv6 Network group."
-#: ../../configuration/firewall/general.rst:208
+#: ../../configuration/firewall/general.rst:201
#: ../../configuration/firewall/general-legacy.rst:177
msgid "Define a IPv4 or a IPv6 address group"
msgstr "Define a IPv4 or a IPv6 address group"
@@ -4012,17 +4038,17 @@ msgstr "Define a Zone"
msgid "Define a discrete source IP address of 100.64.0.1 for SNAT rule 20"
msgstr "Define a discrete source IP address of 100.64.0.1 for SNAT rule 20"
-#: ../../configuration/firewall/general.rst:313
+#: ../../configuration/firewall/general.rst:306
#: ../../configuration/firewall/general-legacy.rst:261
msgid "Define a domain group."
msgstr "Define a domain group."
-#: ../../configuration/firewall/general.rst:295
+#: ../../configuration/firewall/general.rst:288
#: ../../configuration/firewall/general-legacy.rst:246
msgid "Define a mac group."
msgstr "Define a mac group."
-#: ../../configuration/firewall/general.rst:275
+#: ../../configuration/firewall/general.rst:268
#: ../../configuration/firewall/general-legacy.rst:226
msgid "Define a port group. A port name can be any name defined in /etc/services. e.g.: http"
msgstr "Define a port group. A port name can be any name defined in /etc/services. e.g.: http"
@@ -4031,7 +4057,7 @@ msgstr "Define a port group. A port name can be any name defined in /etc/service
msgid "Define allowed ciphers used for the SSH connection. A number of allowed ciphers can be specified, use multiple occurrences to allow multiple ciphers."
msgstr "Define allowed ciphers used for the SSH connection. A number of allowed ciphers can be specified, use multiple occurrences to allow multiple ciphers."
-#: ../../configuration/firewall/general.rst:252
+#: ../../configuration/firewall/general.rst:245
msgid "Define an interface group. Wildcard are accepted too."
msgstr "Define an interface group. Wildcard are accepted too."
@@ -4127,22 +4153,22 @@ msgstr "Define different modes for sending replies in response to received ARP r
msgid "Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface."
msgstr "Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface."
-#: ../../configuration/firewall/general.rst:483
+#: ../../configuration/firewall/general.rst:476
#: ../../configuration/firewall/general-legacy.rst:361
msgid "Define length of packet payload to include in netlink message. Only applicable if rule log is enable and log group is defined."
msgstr "Define length of packet payload to include in netlink message. Only applicable if rule log is enable and log group is defined."
-#: ../../configuration/firewall/general.rst:457
+#: ../../configuration/firewall/general.rst:450
#: ../../configuration/firewall/general-legacy.rst:347
msgid "Define log-level. Only applicable if rule log is enable."
msgstr "Define log-level. Only applicable if rule log is enable."
-#: ../../configuration/firewall/general.rst:470
+#: ../../configuration/firewall/general.rst:463
#: ../../configuration/firewall/general-legacy.rst:354
msgid "Define log group to send message to. Only applicable if rule log is enable."
msgstr "Define log group to send message to. Only applicable if rule log is enable."
-#: ../../configuration/firewall/general.rst:497
+#: ../../configuration/firewall/general.rst:490
#: ../../configuration/firewall/general-legacy.rst:369
msgid "Define number of packets to queue inside the kernel before sending them to userspace. Only applicable if rule log is enable and log group is defined."
msgstr "Define number of packets to queue inside the kernel before sending them to userspace. Only applicable if rule log is enable and log group is defined."
@@ -4300,7 +4326,7 @@ msgstr "Disable a BFD peer"
msgid "Disable a container."
msgstr "Disable a container."
-#: ../../configuration/firewall/general.rst:1290
+#: ../../configuration/firewall/general.rst:1283
msgid "Disable conntrack loose track option"
msgstr "Disable conntrack loose track option"
@@ -4541,7 +4567,7 @@ msgstr "Does not need to be used together with proxy_arp."
msgid "Domain"
msgstr "Domain"
-#: ../../configuration/firewall/general.rst:307
+#: ../../configuration/firewall/general.rst:300
#: ../../configuration/firewall/general-legacy.rst:255
msgid "Domain Groups"
msgstr "Domain Groups"
@@ -4866,17 +4892,17 @@ msgstr "Enable given legacy protocol on this LLDP instance. Legacy protocols inc
msgid "Enable layer 7 HTTP health check"
msgstr "Enable layer 7 HTTP health check"
-#: ../../configuration/firewall/general.rst:184
+#: ../../configuration/firewall/general.rst:177
#: ../../configuration/firewall/general-legacy.rst:126
msgid "Enable or Disable VyOS to be :rfc:`1337` conform. The following system parameter will be altered:"
msgstr "Enable or Disable VyOS to be :rfc:`1337` conform. The following system parameter will be altered:"
-#: ../../configuration/firewall/general.rst:176
+#: ../../configuration/firewall/general.rst:169
#: ../../configuration/firewall/general-legacy.rst:119
msgid "Enable or Disable if VyOS use IPv4 TCP SYN Cookies. The following system parameter will be altered:"
msgstr "Enable or Disable if VyOS use IPv4 TCP SYN Cookies. The following system parameter will be altered:"
-#: ../../configuration/firewall/general.rst:433
+#: ../../configuration/firewall/general.rst:426
#: ../../configuration/firewall/general-legacy.rst:340
msgid "Enable or disable logging for the matched packet."
msgstr "Enable or disable logging for the matched packet."
@@ -5108,6 +5134,10 @@ msgstr "Every Virtual Ethernet interfaces behaves like a real Ethernet interface
msgid "Every WWAN connection requires an :abbr:`APN (Access Point Name)` which is used by the client to dial into the ISPs network. This is a mandatory parameter. Contact your Service Provider for correct APN."
msgstr "Every WWAN connection requires an :abbr:`APN (Access Point Name)` which is used by the client to dial into the ISPs network. This is a mandatory parameter. Contact your Service Provider for correct APN."
+#: ../../configuration/vpn/remoteaccess_ipsec.rst:98
+msgid "Every connection/remote-access pool we configure also needs a pool where we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. Authorized clients will receive an IPv4 address from the configured IPv4 prefix and an IPv6 address from the IPv6 prefix. We can also send some DNS nameservers down to our clients used on their connection."
+msgstr "Every connection/remote-access pool we configure also needs a pool where we can draw our client IP addresses from. We provide one IPv4 and IPv6 pool. Authorized clients will receive an IPv4 address from the configured IPv4 prefix and an IPv6 address from the IPv6 prefix. We can also send some DNS nameservers down to our clients used on their connection."
+
#: ../../configuration/highavailability/index.rst:397
#: ../../configuration/interfaces/bonding.rst:291
#: ../../configuration/interfaces/l2tpv3.rst:86
@@ -5134,7 +5164,7 @@ msgstr "Every WWAN connection requires an :abbr:`APN (Access Point Name)` which
#: ../../configuration/service/snmp.rst:145
#: ../../configuration/service/tftp-server.rst:47
#: ../../configuration/system/acceleration.rst:58
-#: ../../configuration/system/login.rst:367
+#: ../../configuration/system/login.rst:395
#: ../../configuration/system/name-server.rst:28
#: ../../configuration/system/name-server.rst:63
#: ../../configuration/system/sflow.rst:49
@@ -5723,7 +5753,7 @@ msgstr "Example IPv6 only:"
msgid "Example Network"
msgstr "Example Network"
-#: ../../configuration/firewall/general.rst:1502
+#: ../../configuration/firewall/general.rst:1495
#: ../../configuration/firewall/general-legacy.rst:979
msgid "Example Partial Config"
msgstr "Example Partial Config"
@@ -5744,7 +5774,7 @@ msgstr "Example for configuring a simple L2TP over IPsec VPN for remote access (
msgid "Example of redirection:"
msgstr "Example of redirection:"
-#: ../../configuration/firewall/general.rst:1285
+#: ../../configuration/firewall/general.rst:1278
msgid "Example synproxy"
msgstr "Example synproxy"
@@ -5920,8 +5950,7 @@ msgstr "Filtering is used for both input and output of the routing information.
msgid "Finally, to apply the policy route to ingress traffic on our LAN interface, we use:"
msgstr "Finally, to apply the policy route to ingress traffic on our LAN interface, we use:"
-#: ../../configuration/firewall/general.rst:7
-#: ../../configuration/firewall/index.rst:3
+#: ../../configuration/firewall/index.rst:5
msgid "Firewall"
msgstr "Firewall"
@@ -5929,7 +5958,15 @@ msgstr "Firewall"
msgid "Firewall-Legacy"
msgstr "Firewall-Legacy"
-#: ../../configuration/firewall/general.rst:502
+#: ../../configuration/firewall/general.rst:7
+msgid "Firewall Configuration"
+msgstr "Firewall Configuration"
+
+#: ../../configuration/firewall/general-legacy.rst:7
+msgid "Firewall Configuration (Deprecated)"
+msgstr "Firewall Configuration (Deprecated)"
+
+#: ../../configuration/firewall/general.rst:495
msgid "Firewall Description"
msgstr "Firewall Description"
@@ -5938,15 +5975,15 @@ msgstr "Firewall Description"
msgid "Firewall Exceptions"
msgstr "Firewall Exceptions"
-#: ../../configuration/firewall/general.rst:417
+#: ../../configuration/firewall/general.rst:410
msgid "Firewall Logs"
msgstr "Firewall Logs"
-#: ../../configuration/firewall/general.rst:325
+#: ../../configuration/firewall/general.rst:318
msgid "Firewall Rules"
msgstr "Firewall Rules"
-#: ../../configuration/firewall/general.rst:193
+#: ../../configuration/firewall/general.rst:186
msgid "Firewall groups represent collections of IP addresses, networks, ports, mac addresses, domains or interfaces. Once created, a group can be referenced by firewall, nat and policy route rules as either a source or destination matcher, and as inbpund/outbound in the case of interface group."
msgstr "Firewall groups represent collections of IP addresses, networks, ports, mac addresses, domains or interfaces. Once created, a group can be referenced by firewall, nat and policy route rules as either a source or destination matcher, and as inbpund/outbound in the case of interface group."
@@ -5990,6 +6027,10 @@ msgstr "First, you need to generate a key by running ``run generate pki openvpn
msgid "First hop interface of a route to match."
msgstr "First hop interface of a route to match."
+#: ../../configuration/vpn/remoteaccess_ipsec.rst:20
+msgid "First of all, we need to create a CA root certificate and server certificate on the server side."
+msgstr "First of all, we need to create a CA root certificate and server certificate on the server side."
+
#: ../../configuration/protocols/bgp.rst:171
msgid "First of all you must configure BGP router with the :abbr:`ASN (Autonomous System Number)`. The AS number is an identifier for the autonomous system. The BGP protocol uses the AS number for detecting whether the BGP connection is internal or external. VyOS does not have a special command to start the BGP process. The BGP process starts when the first neighbor is configured."
msgstr "First of all you must configure BGP router with the :abbr:`ASN (Autonomous System Number)`. The AS number is an identifier for the autonomous system. The BGP protocol uses the AS number for detecting whether the BGP connection is internal or external. VyOS does not have a special command to start the BGP process. The BGP process starts when the first neighbor is configured."
@@ -6118,11 +6159,11 @@ msgstr "For example, if problems with poor time synchronization are experienced,
msgid "For example:"
msgstr "For example:"
-#: ../../configuration/firewall/general.rst:66
+#: ../../configuration/firewall/general.rst:59
msgid "For firewall filtering, configuration should be done in ``set firewall [ipv4 | ipv6] ...``"
msgstr "For firewall filtering, configuration should be done in ``set firewall [ipv4 | ipv6] ...``"
-#: ../../configuration/firewall/general.rst:327
+#: ../../configuration/firewall/general.rst:320
msgid "For firewall filtering, firewall rules needs to be created. Each rule is numbered, has an action to apply if the rule is matched, and the ability to specify multiple criteria matchers. Data packets go through the rules from 1 - 999999, so order is crucial. At the first match the action of the rule will be executed."
msgstr "For firewall filtering, firewall rules needs to be created. Each rule is numbered, has an action to apply if the rule is matched, and the ability to specify multiple criteria matchers. Data packets go through the rules from 1 - 999999, so order is crucial. At the first match the action of the rule will be executed."
@@ -6170,7 +6211,7 @@ msgstr "For optimal scalability, Multicast shouldn't be used at all, but instead
msgid "For outbound updates the order of preference is:"
msgstr "For outbound updates the order of preference is:"
-#: ../../configuration/firewall/general.rst:504
+#: ../../configuration/firewall/general.rst:497
msgid "For reference, a description can be defined for every single rule, and for every defined custom chain."
msgstr "For reference, a description can be defined for every single rule, and for every defined custom chain."
@@ -6210,15 +6251,15 @@ msgstr "For the ingress traffic of an interface, there is only one policy you ca
msgid "For the sake of demonstration, `example #1 in the official documentation <https://www.zabbix.com/documentation/current/manual/installation/containers>`_ to the declarative VyOS CLI syntax."
msgstr "For the sake of demonstration, `example #1 in the official documentation <https://www.zabbix.com/documentation/current/manual/installation/containers>`_ to the declarative VyOS CLI syntax."
-#: ../../configuration/firewall/general.rst:73
+#: ../../configuration/firewall/general.rst:66
msgid "For traffic originated by the router, base chain is **output filter**: ``set firewall [ipv4 | ipv6] output filter ...``"
msgstr "For traffic originated by the router, base chain is **output filter**: ``set firewall [ipv4 | ipv6] output filter ...``"
-#: ../../configuration/firewall/general.rst:76
+#: ../../configuration/firewall/general.rst:69
msgid "For traffic towards the router itself, base chain is **input filter**: ``set firewall [ipv4 | ipv6] input filter ...``"
msgstr "For traffic towards the router itself, base chain is **input filter**: ``set firewall [ipv4 | ipv6] input filter ...``"
-#: ../../configuration/firewall/general.rst:69
+#: ../../configuration/firewall/general.rst:62
msgid "For transit traffic, which is received by the router and forwarded, base chain is **forward filter**: ``set firewall [ipv4 | ipv6] forward filter ...``"
msgstr "For transit traffic, which is received by the router and forwarded, base chain is **forward filter**: ``set firewall [ipv4 | ipv6] forward filter ...``"
@@ -6375,7 +6416,7 @@ msgstr "Given the following example we have one VyOS router acting as OpenVPN se
msgid "Gloabal"
msgstr "Gloabal"
-#: ../../configuration/firewall/general.rst:91
+#: ../../configuration/firewall/general.rst:84
msgid "Global Options"
msgstr "Global Options"
@@ -6400,7 +6441,7 @@ msgstr "Graceful Restart"
msgid "Gratuitous ARP"
msgstr "Gratuitous ARP"
-#: ../../configuration/firewall/general.rst:191
+#: ../../configuration/firewall/general.rst:184
#: ../../configuration/firewall/general-legacy.rst:153
msgid "Groups"
msgstr "Groups"
@@ -6682,6 +6723,10 @@ msgstr "IPSec IKE and ESP"
msgid "IPSec IKE and ESP Groups;"
msgstr "IPSec IKE and ESP Groups;"
+#: ../../configuration/vpn/remoteaccess_ipsec.rst:4
+msgid "IPSec IKEv2 Remote Access VPN"
+msgstr "IPSec IKEv2 Remote Access VPN"
+
#: ../../configuration/vpn/site2site_ipsec.rst:281
msgid "IPSec IKEv2 site2site VPN"
msgstr "IPSec IKEv2 site2site VPN"
@@ -7003,7 +7048,7 @@ msgstr "If a response is heard, the lease is abandoned, and the server does not
msgid "If a route has an ORIGINATOR_ID attribute because it has been reflected, that ORIGINATOR_ID will be used. Otherwise, the router-ID of the peer the route was received from will be used."
msgstr "If a route has an ORIGINATOR_ID attribute because it has been reflected, that ORIGINATOR_ID will be used. Otherwise, the router-ID of the peer the route was received from will be used."
-#: ../../configuration/firewall/general.rst:336
+#: ../../configuration/firewall/general.rst:329
msgid "If a rule is defined, then an action must be defined for it. This tells the firewall what to do if all criteria matchers defined for such rule do match."
msgstr "If a rule is defined, then an action must be defined for it. This tells the firewall what to do if all criteria matchers defined for such rule do match."
@@ -7349,7 +7394,7 @@ msgstr "If this parameter is not set or 0, an on-demand link will not be taken d
msgid "If unset, incoming connections to the RADIUS server will use the nearest interface address pointing towards the server - making it error prone on e.g. OSPF networks when a link fails and a backup route is taken."
msgstr "If unset, incoming connections to the RADIUS server will use the nearest interface address pointing towards the server - making it error prone on e.g. OSPF networks when a link fails and a backup route is taken."
-#: ../../configuration/system/login.rst:323
+#: ../../configuration/system/login.rst:339
msgid "If unset, incoming connections to the TACACS server will use the nearest interface address pointing towards the server - making it error prone on e.g. OSPF networks when a link fails and a backup route is taken."
msgstr "If unset, incoming connections to the TACACS server will use the nearest interface address pointing towards the server - making it error prone on e.g. OSPF networks when a link fails and a backup route is taken."
@@ -7448,7 +7493,7 @@ msgstr "If you want to change the maximum number of flows, which are tracking si
msgid "If you want to disable a rule but let it in the configuration."
msgstr "If you want to disable a rule but let it in the configuration."
-#: ../../configuration/system/login.rst:278
+#: ../../configuration/system/login.rst:294
msgid "If you want to have admin users to authenticate via RADIUS it is essential to sent the ``Cisco-AV-Pair shell:priv-lvl=15`` attribute. Without the attribute you will only get regular, non privilegued, system users."
msgstr "If you want to have admin users to authenticate via RADIUS it is essential to sent the ``Cisco-AV-Pair shell:priv-lvl=15`` attribute. Without the attribute you will only get regular, non privilegued, system users."
@@ -7555,7 +7600,7 @@ msgstr "In a nutshell, the current implementation provides the following feature
msgid "In addition, you can specify many other parameters to get BGP information:"
msgstr "In addition, you can specify many other parameters to get BGP information:"
-#: ../../configuration/system/login.rst:285
+#: ../../configuration/system/login.rst:301
msgid "In addition to :abbr:`RADIUS (Remote Authentication Dial-In User Service)`, :abbr:`TACACS (Terminal Access Controller Access Control System)` can also be found in large deployments."
msgstr "In addition to :abbr:`RADIUS (Remote Authentication Dial-In User Service)`, :abbr:`TACACS (Terminal Access Controller Access Control System)` can also be found in large deployments."
@@ -7583,7 +7628,7 @@ msgstr "In addition you can also disable the whole service without the need to r
msgid "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
msgstr "In addition you will specifiy the IP address or FQDN for the client where it will connect to. The address parameter can be used up to two times and is used to assign the clients specific IPv4 (/32) or IPv6 (/128) address."
-#: ../../configuration/firewall/general.rst:201
+#: ../../configuration/firewall/general.rst:194
#: ../../configuration/firewall/general-legacy.rst:170
msgid "In an **address group** a single IP address or IP address ranges are defined."
msgstr "In an **address group** a single IP address or IP address ranges are defined."
@@ -7747,7 +7792,7 @@ msgstr "In the example above, the first 499 sessions connect without delay. PADO
msgid "In the example used for the Quick Start configuration above, we demonstrate the following configuration:"
msgstr "In the example used for the Quick Start configuration above, we demonstrate the following configuration:"
-#: ../../configuration/system/login.rst:369
+#: ../../configuration/system/login.rst:397
msgid "In the following example, both `User1` and `User2` will be able to SSH into VyOS as user ``vyos`` using their very own keys. `User1` is restricted to only be able to connect from a single IP address. In addition if password base login is wanted for the ``vyos`` user a 2FA/MFA keycode is required in addition to the password."
msgstr "In the following example, both `User1` and `User2` will be able to SSH into VyOS as user ``vyos`` using their very own keys. `User1` is restricted to only be able to connect from a single IP address. In addition if password base login is wanted for the ``vyos`` user a 2FA/MFA keycode is required in addition to the password."
@@ -7795,6 +7840,10 @@ msgstr "In this example, we will be using the example Quick Start configuration
msgid "In this example all traffic destined to ports \"80, 2222, 8888\" protocol TCP marks to fwmark \"111\" and balanced between 2 real servers. Port \"0\" is required if multiple ports are used."
msgstr "In this example all traffic destined to ports \"80, 2222, 8888\" protocol TCP marks to fwmark \"111\" and balanced between 2 real servers. Port \"0\" is required if multiple ports are used."
+#: ../../configuration/firewall/index.rst:36
+msgid "In this example image, a simplifed traffic flow is shown to help provide context to the terms of `forward`, `input`, and `output` for the new firewall CLI format."
+msgstr "In this example image, a simplifed traffic flow is shown to help provide context to the terms of `forward`, `input`, and `output` for the new firewall CLI format."
+
#: ../../configuration/interfaces/openvpn.rst:334
msgid "In this example we will use the most complicated case: a setup where each client is a router that has its own subnet (think HQ and branch offices), since simpler setups are subsets of it."
msgstr "In this example we will use the most complicated case: a setup where each client is a router that has its own subnet (think HQ and branch offices), since simpler setups are subsets of it."
@@ -7958,7 +8007,7 @@ msgstr "Interconnect the global VRF with vrf \"red\" using the veth10 <-> veth 1
msgid "Interface Configuration"
msgstr "Interface Configuration"
-#: ../../configuration/firewall/general.rst:246
+#: ../../configuration/firewall/general.rst:239
msgid "Interface Groups"
msgstr "Interface Groups"
@@ -8020,6 +8069,10 @@ msgstr "Interfaces whose DHCP client nameservers to forward requests to."
msgid "Internally, in flow-accounting processes exist a buffer for data exchanging between core process and plugins (each export target is a separated plugin). If you have high traffic levels or noted some problems with missed records or stopping exporting, you may try to increase a default buffer size (10 MiB) with the next command:"
msgstr "Internally, in flow-accounting processes exist a buffer for data exchanging between core process and plugins (each export target is a separated plugin). If you have high traffic levels or noted some problems with missed records or stopping exporting, you may try to increase a default buffer size (10 MiB) with the next command:"
+#: ../../configuration/vpn/remoteaccess_ipsec.rst:6
+msgid "Internet Key Exchange version 2 (IKEv2) is a tunneling protocol, based on IPsec, that establishes a secure VPN communication between VPN devices, and defines negotiation and authentication processes for IPsec security associations (SAs). It is often known as IKEv2/IPSec or IPSec IKEv2 remote-access — or road-warriors as others call it."
+msgstr "Internet Key Exchange version 2 (IKEv2) is a tunneling protocol, based on IPsec, that establishes a secure VPN communication between VPN devices, and defines negotiation and authentication processes for IPsec security associations (SAs). It is often known as IKEv2/IPSec or IPSec IKEv2 remote-access — or road-warriors as others call it."
+
#: ../../configuration/trafficpolicy/index.rst:791
msgid "Internetwork Control"
msgstr "Internetwork Control"
@@ -8185,6 +8238,10 @@ msgstr "Key Parameters:"
msgid "Key Points:"
msgstr "Key Points:"
+#: ../../configuration/vpn/remoteaccess_ipsec.rst:12
+msgid "Key exchange and payload encryption is done using IKE and ESP proposals as known from IKEv1 but the connections are faster to establish, more reliable, and also support roaming from IP to IP (called MOBIKE which makes sure your connection does not drop when changing networks from e.g. WIFI to LTE and back). Authentication can be achieved with X.509 certificates."
+msgstr "Key exchange and payload encryption is done using IKE and ESP proposals as known from IKEv1 but the connections are faster to establish, more reliable, and also support roaming from IP to IP (called MOBIKE which makes sure your connection does not drop when changing networks from e.g. WIFI to LTE and back). Authentication can be achieved with X.509 certificates."
+
#: ../../configuration/pki/index.rst:167
msgid "Key usage (CLI)"
msgstr "Key usage (CLI)"
@@ -8283,6 +8340,10 @@ msgstr "Lease time will be left at the default value which is 24 hours"
msgid "Lease timeout in seconds (default: 86400)"
msgstr "Lease timeout in seconds (default: 86400)"
+#: ../../configuration/firewall/index.rst:47
+msgid "Legacy Firewall"
+msgstr "Legacy Firewall"
+
#: ../../configuration/interfaces/vxlan.rst:112
msgid "Let's assume PC4 on Leaf2 wants to ping PC5 on Leaf3. Instead of setting Leaf3 as our remote end manually, Leaf2 encapsulates the packet into a UDP-packet and sends it to its designated multicast-address via Spine1. When Spine1 receives this packet it forwards it to all other leaves who has joined the same multicast-group, in this case Leaf3. When Leaf3 receives the packet it forwards it, while at the same time learning that PC4 is reachable behind Leaf2, because the encapsulated packet had Leaf2's IP address set as source IP."
msgstr "Let's assume PC4 on Leaf2 wants to ping PC5 on Leaf3. Instead of setting Leaf3 as our remote end manually, Leaf2 encapsulates the packet into a UDP-packet and sends it to its designated multicast-address via Spine1. When Spine1 receives this packet it forwards it to all other leaves who has joined the same multicast-group, in this case Leaf3. When Leaf3 receives the packet it forwards it, while at the same time learning that PC4 is reachable behind Leaf2, because the encapsulated packet had Leaf2's IP address set as source IP."
@@ -8347,7 +8408,7 @@ msgstr "Limiter"
msgid "Limiter is one of those policies that uses classes_ (Ingress qdisc is actually a classless policy but filters do work in it)."
msgstr "Limiter is one of those policies that uses classes_ (Ingress qdisc is actually a classless policy but filters do work in it)."
-#: ../../configuration/system/login.rst:351
+#: ../../configuration/system/login.rst:379
msgid "Limits"
msgstr "Limits"
@@ -8423,7 +8484,7 @@ msgstr "Load Balance"
msgid "Load Balancing"
msgstr "Load Balancing"
-#: ../../configuration/system/login.rst:392
+#: ../../configuration/system/login.rst:420
msgid "Load the container image in op-mode."
msgstr "Load the container image in op-mode."
@@ -8528,7 +8589,7 @@ msgstr "Log the connection tracking events per protocol."
msgid "Logging"
msgstr "Logging"
-#: ../../configuration/firewall/general.rst:419
+#: ../../configuration/firewall/general.rst:412
msgid "Logging can be enable for every single firewall rule. If enabled, other log options can be defined."
msgstr "Logging can be enable for every single firewall rule. If enabled, other log options can be defined."
@@ -8540,11 +8601,11 @@ msgstr "Logging to a remote host leaves the local logging configuration intact,
msgid "Login/User Management"
msgstr "Login/User Management"
-#: ../../configuration/system/login.rst:333
+#: ../../configuration/system/login.rst:361
msgid "Login Banner"
msgstr "Login Banner"
-#: ../../configuration/system/login.rst:353
+#: ../../configuration/system/login.rst:381
msgid "Login limits"
msgstr "Login limits"
@@ -8571,7 +8632,7 @@ msgstr "MAC/PHY information"
msgid "MACVLAN - Pseudo Ethernet"
msgstr "MACVLAN - Pseudo Ethernet"
-#: ../../configuration/firewall/general.rst:289
+#: ../../configuration/firewall/general.rst:282
#: ../../configuration/firewall/general-legacy.rst:240
msgid "MAC Groups"
msgstr "MAC Groups"
@@ -8669,7 +8730,7 @@ msgstr "MTU"
msgid "Mail system"
msgstr "Mail system"
-#: ../../configuration/firewall/general.rst:27
+#: ../../configuration/firewall/general.rst:20
msgid "Main structure is shown next:"
msgstr "Main structure is shown next:"
@@ -8721,7 +8782,7 @@ msgstr "Match BGP large communities."
msgid "Match IP addresses based on its geolocation. More info: `geoip matching <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_."
msgstr "Match IP addresses based on its geolocation. More info: `geoip matching <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_."
-#: ../../configuration/firewall/general.rst:717
+#: ../../configuration/firewall/general.rst:710
msgid "Match IP addresses based on its geolocation. More info: `geoip matching <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. Use inverse-match to match anything except the given country-codes."
msgstr "Match IP addresses based on its geolocation. More info: `geoip matching <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. Use inverse-match to match anything except the given country-codes."
@@ -8733,17 +8794,17 @@ msgstr "Match RPKI validation result."
msgid "Match a protocol criteria. A protocol number or a name which is defined in: ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp based packets. The ``!`` negates the selected protocol."
msgstr "Match a protocol criteria. A protocol number or a name which is defined in: ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp based packets. The ``!`` negates the selected protocol."
-#: ../../configuration/firewall/general.rst:1098
+#: ../../configuration/firewall/general.rst:1091
#: ../../configuration/firewall/general-legacy.rst:671
msgid "Match a protocol criteria. A protocol number or a name which is here defined: ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp based packets. The ``!`` negate the selected protocol."
msgstr "Match a protocol criteria. A protocol number or a name which is here defined: ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp based packets. The ``!`` negate the selected protocol."
-#: ../../configuration/firewall/general.rst:1165
+#: ../../configuration/firewall/general.rst:1158
#: ../../configuration/firewall/general-legacy.rst:709
msgid "Match against the state of a packet."
msgstr "Match against the state of a packet."
-#: ../../configuration/firewall/general.rst:931
+#: ../../configuration/firewall/general.rst:924
#: ../../configuration/firewall/general-legacy.rst:590
msgid "Match based on dscp value."
msgstr "Match based on dscp value."
@@ -8752,18 +8813,18 @@ msgstr "Match based on dscp value."
msgid "Match based on dscp value criteria. Multiple values from 0 to 63 and ranges are supported."
msgstr "Match based on dscp value criteria. Multiple values from 0 to 63 and ranges are supported."
-#: ../../configuration/firewall/general.rst:944
+#: ../../configuration/firewall/general.rst:937
#: ../../configuration/firewall/general-legacy.rst:597
msgid "Match based on fragment criteria."
msgstr "Match based on fragment criteria."
-#: ../../configuration/firewall/general.rst:963
+#: ../../configuration/firewall/general.rst:956
#: ../../configuration/firewall/general-legacy.rst:604
#: ../../configuration/policy/route.rst:131
msgid "Match based on icmp|icmpv6 code and type."
msgstr "Match based on icmp|icmpv6 code and type."
-#: ../../configuration/firewall/general.rst:982
+#: ../../configuration/firewall/general.rst:975
#: ../../configuration/firewall/general-legacy.rst:610
msgid "Match based on icmp|icmpv6 type-name criteria. Use tab for information about what **type-name** criteria are supported."
msgstr "Match based on icmp|icmpv6 type-name criteria. Use tab for information about what **type-name** criteria are supported."
@@ -8776,57 +8837,57 @@ msgstr "Match based on icmp|icmpv6 type-name criteria. Use tab for information a
msgid "Match based on inbound/outbound interface. Wilcard ``*`` can be used. For example: ``eth2*``"
msgstr "Match based on inbound/outbound interface. Wilcard ``*`` can be used. For example: ``eth2*``"
-#: ../../configuration/firewall/general.rst:994
+#: ../../configuration/firewall/general.rst:987
msgid "Match based on inbound interface. Wilcard ``*`` can be used. For example: ``eth2*``"
msgstr "Match based on inbound interface. Wilcard ``*`` can be used. For example: ``eth2*``"
-#: ../../configuration/firewall/general.rst:1020
+#: ../../configuration/firewall/general.rst:1013
#: ../../configuration/firewall/general-legacy.rst:630
msgid "Match based on ipsec criteria."
msgstr "Match based on ipsec criteria."
-#: ../../configuration/firewall/general.rst:1006
+#: ../../configuration/firewall/general.rst:999
msgid "Match based on outbound interface. Wilcard ``*`` can be used. For example: ``eth2*``"
msgstr "Match based on outbound interface. Wilcard ``*`` can be used. For example: ``eth2*``"
-#: ../../configuration/firewall/general.rst:1071
+#: ../../configuration/firewall/general.rst:1064
#: ../../configuration/firewall/general-legacy.rst:656
#: ../../configuration/policy/route.rst:176
msgid "Match based on packet length criteria. Multiple values from 1 to 65535 and ranges are supported."
msgstr "Match based on packet length criteria. Multiple values from 1 to 65535 and ranges are supported."
-#: ../../configuration/firewall/general.rst:1085
+#: ../../configuration/firewall/general.rst:1078
#: ../../configuration/firewall/general-legacy.rst:664
#: ../../configuration/policy/route.rst:184
msgid "Match based on packet type criteria."
msgstr "Match based on packet type criteria."
-#: ../../configuration/firewall/general.rst:1046
+#: ../../configuration/firewall/general.rst:1039
#: ../../configuration/firewall/general-legacy.rst:644
msgid "Match based on the maximum average rate, specified as **integer/unit**. For example **5/minutes**"
msgstr "Match based on the maximum average rate, specified as **integer/unit**. For example **5/minutes**"
-#: ../../configuration/firewall/general.rst:1033
+#: ../../configuration/firewall/general.rst:1026
#: ../../configuration/firewall/general-legacy.rst:637
msgid "Match based on the maximum number of packets to allow in excess of rate."
msgstr "Match based on the maximum number of packets to allow in excess of rate."
-#: ../../configuration/firewall/general.rst:1131
+#: ../../configuration/firewall/general.rst:1124
#: ../../configuration/firewall/general-legacy.rst:689
msgid "Match bases on recently seen sources."
msgstr "Match bases on recently seen sources."
-#: ../../configuration/firewall/general.rst:569
+#: ../../configuration/firewall/general.rst:562
#: ../../configuration/firewall/general-legacy.rst:394
msgid "Match criteria based on connection mark."
msgstr "Match criteria based on connection mark."
-#: ../../configuration/firewall/general.rst:556
+#: ../../configuration/firewall/general.rst:549
#: ../../configuration/firewall/general-legacy.rst:387
msgid "Match criteria based on nat connection status."
msgstr "Match criteria based on nat connection status."
-#: ../../configuration/firewall/general.rst:593
+#: ../../configuration/firewall/general.rst:586
msgid "Match criteria based on source and/or destination address. This is similar to the network groups part, but here you are able to negate the matching addresses."
msgstr "Match criteria based on source and/or destination address. This is similar to the network groups part, but here you are able to negate the matching addresses."
@@ -8834,7 +8895,7 @@ msgstr "Match criteria based on source and/or destination address. This is simil
msgid "Match domain name"
msgstr "Match domain name"
-#: ../../configuration/firewall/general.rst:1241
+#: ../../configuration/firewall/general.rst:1234
#: ../../configuration/firewall/general-legacy.rst:732
#: ../../configuration/policy/route.rst:234
msgid "Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'."
@@ -8848,18 +8909,18 @@ msgstr "Match local preference."
msgid "Match route metric."
msgstr "Match route metric."
-#: ../../configuration/firewall/general.rst:1229
+#: ../../configuration/firewall/general.rst:1222
#: ../../configuration/firewall/general-legacy.rst:726
#: ../../configuration/policy/route.rst:229
msgid "Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'."
msgstr "Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'."
-#: ../../configuration/firewall/general.rst:1266
+#: ../../configuration/firewall/general.rst:1259
#: ../../configuration/firewall/general-legacy.rst:742
msgid "Match when 'count' amount of connections are seen within 'time'. These matching criteria can be used to block brute-force attempts."
msgstr "Match when 'count' amount of connections are seen within 'time'. These matching criteria can be used to block brute-force attempts."
-#: ../../configuration/firewall/general.rst:541
+#: ../../configuration/firewall/general.rst:534
#: ../../configuration/firewall/general-legacy.rst:378
#: ../../configuration/policy/route.rst:38
msgid "Matching criteria"
@@ -8937,6 +8998,10 @@ msgstr "Monitoring functionality with ``telegraf`` and ``InfluxDB 2`` is provide
msgid "More details about the IPsec and VTI issue and option disable-route-autoinstall https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july"
msgstr "More details about the IPsec and VTI issue and option disable-route-autoinstall https://blog.vyos.io/vyos-1-dot-2-0-development-news-in-july"
+#: ../../configuration/vpn/remoteaccess_ipsec.rst:139
+msgid "Most operating systems include native client support for IPsec IKEv2 VPN connections, and others typically have an app or add-on package which adds the capability. This section covers IPsec IKEv2 client configuration for Windows 10."
+msgstr "Most operating systems include native client support for IPsec IKEv2 VPN connections, and others typically have an app or add-on package which adds the capability. This section covers IPsec IKEv2 client configuration for Windows 10."
+
#: ../../configuration/container/index.rst:85
msgid "Mount a volume into the container"
msgstr "Mount a volume into the container"
@@ -9028,7 +9093,7 @@ msgid "Multiple networks/client IP addresses can be configured."
msgstr "Multiple networks/client IP addresses can be configured."
#: ../../configuration/system/login.rst:248
-#: ../../configuration/system/login.rst:301
+#: ../../configuration/system/login.rst:317
msgid "Multiple servers can be specified."
msgstr "Multiple servers can be specified."
@@ -9036,7 +9101,7 @@ msgstr "Multiple servers can be specified."
msgid "Multiple services can be used per interface. Just specify as many services per interface as you like!"
msgstr "Multiple services can be used per interface. Just specify as many services per interface as you like!"
-#: ../../configuration/firewall/general.rst:777
+#: ../../configuration/firewall/general.rst:770
#: ../../configuration/firewall/general-legacy.rst:515
msgid "Multiple source ports can be specified as a comma-separated list. The whole list can also be \"negated\" using ``!``. For example:"
msgstr "Multiple source ports can be specified as a comma-separated list. The whole list can also be \"negated\" using ``!``. For example:"
@@ -9183,6 +9248,10 @@ msgstr "NetFlow is usually enabled on a per-interface basis to limit load on the
msgid "NetFlow v5 example:"
msgstr "NetFlow v5 example:"
+#: ../../configuration/firewall/index.rst:16
+msgid "Netfilter based"
+msgstr "Netfilter based"
+
#: ../../configuration/policy/prefix-list.rst:43
#: ../../configuration/policy/prefix-list.rst:76
msgid "Netmask greater than length."
@@ -9205,7 +9274,7 @@ msgstr "Network Control"
msgid "Network Emulator"
msgstr "Network Emulator"
-#: ../../configuration/firewall/general.rst:222
+#: ../../configuration/firewall/general.rst:215
#: ../../configuration/firewall/general-legacy.rst:191
msgid "Network Groups"
msgstr "Network Groups"
@@ -9505,6 +9574,10 @@ msgstr "Once created in the system, Pseudo-Ethernet interfaces can be referenced
msgid "Once flow accounting is configured on an interfaces it provides the ability to display captured network traffic information for all configured interfaces."
msgstr "Once flow accounting is configured on an interfaces it provides the ability to display captured network traffic information for all configured interfaces."
+#: ../../configuration/vpn/remoteaccess_ipsec.rst:73
+msgid "Once the command is completed, it will add the certificate to the configuration session, to the pki subtree. You can then review the proposed changes and commit them."
+msgstr "Once the command is completed, it will add the certificate to the configuration session, to the pki subtree. You can then review the proposed changes and commit them."
+
#: ../../configuration/service/pppoe-server.rst:63
msgid "Once the local tunnel endpoint ``set service pppoe-server gateway-address '10.1.1.2'`` has been defined, the client IP pool can be either defined as a range or as subnet using CIDR notation. If the CIDR notation is used, multiple subnets can be setup which are used sequentially."
msgstr "Once the local tunnel endpoint ``set service pppoe-server gateway-address '10.1.1.2'`` has been defined, the client IP pool can be either defined as a range or as subnet using CIDR notation. If the CIDR notation is used, multiple subnets can be setup which are used sequentially."
@@ -9562,7 +9635,7 @@ msgstr "Only 802.1Q-tagged packets are accepted on Ethernet vifs."
msgid "Only VRRP is supported. Required option."
msgstr "Only VRRP is supported. Required option."
-#: ../../configuration/firewall/general.rst:738
+#: ../../configuration/firewall/general.rst:731
#: ../../configuration/firewall/general-legacy.rst:490
msgid "Only in the source criteria, you can specify a mac-address."
msgstr "Only in the source criteria, you can specify a mac-address."
@@ -9696,7 +9769,7 @@ msgstr "Operating Modes"
msgid "Operation"
msgstr "Operation"
-#: ../../configuration/firewall/general.rst:1314
+#: ../../configuration/firewall/general.rst:1307
#: ../../configuration/firewall/general-legacy.rst:778
msgid "Operation-mode Firewall"
msgstr "Operation-mode Firewall"
@@ -9872,7 +9945,7 @@ msgstr "Overview"
msgid "Overview and basic concepts"
msgstr "Overview and basic concepts"
-#: ../../configuration/firewall/general.rst:1468
+#: ../../configuration/firewall/general.rst:1461
#: ../../configuration/firewall/general-legacy.rst:908
msgid "Overview of defined groups. You see the type, the members, and where the group is used."
msgstr "Overview of defined groups. You see the type, the members, and where the group is used."
@@ -10133,7 +10206,7 @@ msgstr "Policy for checking targets"
msgid "Policy to track previously established connections."
msgstr "Policy to track previously established connections."
-#: ../../configuration/firewall/general.rst:264
+#: ../../configuration/firewall/general.rst:257
#: ../../configuration/firewall/general-legacy.rst:215
msgid "Port Groups"
msgstr "Port Groups"
@@ -10354,7 +10427,7 @@ msgstr "Protocols are: tcp, sctp, dccp, udp, icmp and ipv6-icmp."
msgid "Provide TFTP server listening on both IPv4 and IPv6 addresses ``192.0.2.1`` and ``2001:db8::1`` serving the content from ``/config/tftpboot``. Uploading via TFTP to this server is disabled."
msgstr "Provide TFTP server listening on both IPv4 and IPv6 addresses ``192.0.2.1`` and ``2001:db8::1`` serving the content from ``/config/tftpboot``. Uploading via TFTP to this server is disabled."
-#: ../../configuration/firewall/general.rst:219
+#: ../../configuration/firewall/general.rst:212
#: ../../configuration/firewall/general-legacy.rst:188
msgid "Provide a IPv4 or IPv6 address group description"
msgstr "Provide a IPv4 or IPv6 address group description"
@@ -10363,21 +10436,21 @@ msgstr "Provide a IPv4 or IPv6 address group description"
msgid "Provide a IPv4 or IPv6 network group description."
msgstr "Provide a IPv4 or IPv6 network group description."
-#: ../../configuration/firewall/general.rst:522
+#: ../../configuration/firewall/general.rst:515
#: ../../configuration/firewall/general-legacy.rst:334
#: ../../configuration/policy/route.rst:30
msgid "Provide a description for each rule."
msgstr "Provide a description for each rule."
-#: ../../configuration/firewall/general.rst:321
+#: ../../configuration/firewall/general.rst:314
msgid "Provide a domain group description."
msgstr "Provide a domain group description."
-#: ../../configuration/firewall/general.rst:304
+#: ../../configuration/firewall/general.rst:297
msgid "Provide a mac group description."
msgstr "Provide a mac group description."
-#: ../../configuration/firewall/general.rst:286
+#: ../../configuration/firewall/general.rst:279
#: ../../configuration/firewall/general-legacy.rst:237
msgid "Provide a port group description."
msgstr "Provide a port group description."
@@ -10387,15 +10460,15 @@ msgstr "Provide a port group description."
msgid "Provide a rule-set description."
msgstr "Provide a rule-set description."
-#: ../../configuration/firewall/general.rst:510
+#: ../../configuration/firewall/general.rst:503
msgid "Provide a rule-set description to a custom firewall chain."
msgstr "Provide a rule-set description to a custom firewall chain."
-#: ../../configuration/firewall/general.rst:243
+#: ../../configuration/firewall/general.rst:236
msgid "Provide an IPv4 or IPv6 network group description."
msgstr "Provide an IPv4 or IPv6 network group description."
-#: ../../configuration/firewall/general.rst:261
+#: ../../configuration/firewall/general.rst:254
msgid "Provide an interface group description"
msgstr "Provide an interface group description"
@@ -10816,7 +10889,7 @@ msgstr "Requirements"
msgid "Requirements:"
msgstr "Requirements:"
-#: ../../configuration/firewall/general.rst:1286
+#: ../../configuration/firewall/general.rst:1279
msgid "Requirements to enable synproxy:"
msgstr "Requirements to enable synproxy:"
@@ -11024,7 +11097,7 @@ msgstr "Routing tables that will be used in this example are:"
msgid "Rule-Sets"
msgstr "Rule-Sets"
-#: ../../configuration/firewall/general.rst:1317
+#: ../../configuration/firewall/general.rst:1310
#: ../../configuration/firewall/general-legacy.rst:781
msgid "Rule-set overview"
msgstr "Rule-set overview"
@@ -11045,7 +11118,7 @@ msgstr "Rule 20 matches requests with URL paths ending in ``/mail`` or exact pat
msgid "Rule 20 matches requests with the domain name ``node2.example.com`` forwards to the backend ``bk-api-02``"
msgstr "Rule 20 matches requests with the domain name ``node2.example.com`` forwards to the backend ``bk-api-02``"
-#: ../../configuration/firewall/general.rst:526
+#: ../../configuration/firewall/general.rst:519
msgid "Rule Status"
msgstr "Rule Status"
@@ -11400,7 +11473,7 @@ msgstr "Set SNAT rule 30 to only NAT packets arriving from the 203.0.113.0/24 ne
msgid "Set SSL certeficate <name> for service <name>"
msgstr "Set SSL certeficate <name> for service <name>"
-#: ../../configuration/firewall/general.rst:1278
+#: ../../configuration/firewall/general.rst:1271
msgid "Set TCP-MSS (maximum segment size) for the connection"
msgstr "Set TCP-MSS (maximum segment size) for the connection"
@@ -11448,7 +11521,7 @@ msgstr "Set a destination and/or source port. Accepted input:"
msgid "Set a human readable, descriptive alias for this connection. Alias is used by e.g. the :opcmd:`show interfaces` command or SNMP based monitoring tools."
msgstr "Set a human readable, descriptive alias for this connection. Alias is used by e.g. the :opcmd:`show interfaces` command or SNMP based monitoring tools."
-#: ../../configuration/system/login.rst:357
+#: ../../configuration/system/login.rst:385
msgid "Set a limit on the maximum number of concurrent logged-in users on the system."
msgstr "Set a limit on the maximum number of concurrent logged-in users on the system."
@@ -11749,7 +11822,7 @@ msgstr "Set the IP address of the local interface to be used for the tunnel."
msgid "Set the IP address of the remote peer. It may be specified as an IPv4 address or an IPv6 address."
msgstr "Set the IP address of the remote peer. It may be specified as an IPv4 address or an IPv6 address."
-#: ../../configuration/firewall/general.rst:169
+#: ../../configuration/firewall/general.rst:162
#: ../../configuration/firewall/general-legacy.rst:112
msgid "Set the IPv4 source validation mode. The following system parameter will be altered:"
msgstr "Set the IPv4 source validation mode. The following system parameter will be altered:"
@@ -11951,7 +12024,7 @@ msgstr "Set the timeout in secounds for a protocol or state in a custom rule."
msgid "Set the tunnel id, which is a 32-bit integer value. Uniquely identifies the tunnel into which the session will be created."
msgstr "Set the tunnel id, which is a 32-bit integer value. Uniquely identifies the tunnel into which the session will be created."
-#: ../../configuration/firewall/general.rst:1282
+#: ../../configuration/firewall/general.rst:1275
msgid "Set the window scale factor for TCP window scaling"
msgstr "Set the window scale factor for TCP window scaling"
@@ -11987,6 +12060,10 @@ msgstr "Setting name"
msgid "Setting this up on AWS will require a \"Custom Protocol Rule\" for protocol number \"47\" (GRE) Allow Rule in TWO places. Firstly on the VPC Network ACL, and secondly on the security group network ACL attached to the EC2 instance. This has been tested as working for the official AMI image on the AWS Marketplace. (Locate the correct VPC and security group by navigating through the details pane below your EC2 instance in the AWS console)."
msgstr "Setting this up on AWS will require a \"Custom Protocol Rule\" for protocol number \"47\" (GRE) Allow Rule in TWO places. Firstly on the VPC Network ACL, and secondly on the security group network ACL attached to the EC2 instance. This has been tested as working for the official AMI image on the AWS Marketplace. (Locate the correct VPC and security group by navigating through the details pane below your EC2 instance in the AWS console)."
+#: ../../configuration/vpn/remoteaccess_ipsec.rst:78
+msgid "Setting up IPSec:"
+msgstr "Setting up IPSec:"
+
#: ../../configuration/interfaces/openvpn.rst:132
msgid "Setting up OpenVPN"
msgstr "Setting up OpenVPN"
@@ -11999,6 +12076,14 @@ msgstr "Setting up a full-blown PKI with a CA certificate would arguably defeat
msgid "Setting up certificates"
msgstr "Setting up certificates"
+#: ../../configuration/vpn/remoteaccess_ipsec.rst:19
+msgid "Setting up certificates:"
+msgstr "Setting up certificates:"
+
+#: ../../configuration/vpn/remoteaccess_ipsec.rst:113
+msgid "Setting up tunnel:"
+msgstr "Setting up tunnel:"
+
#: ../../configuration/service/dhcp-server.rst:432
msgid "Setup DHCP failover for network 192.0.2.0/24"
msgstr "Setup DHCP failover for network 192.0.2.0/24"
@@ -12011,7 +12096,7 @@ msgstr "Setup encrypted password for given username. This is useful for transfer
msgid "Setup the `<timeout>` in seconds when querying the RADIUS server."
msgstr "Setup the `<timeout>` in seconds when querying the RADIUS server."
-#: ../../configuration/system/login.rst:315
+#: ../../configuration/system/login.rst:331
msgid "Setup the `<timeout>` in seconds when querying the TACACS server."
msgstr "Setup the `<timeout>` in seconds when querying the TACACS server."
@@ -12068,7 +12153,7 @@ msgstr "Show DHCP server daemon log file"
msgid "Show DHCPv6 server daemon log file"
msgstr "Show DHCPv6 server daemon log file"
-#: ../../configuration/firewall/general.rst:1489
+#: ../../configuration/firewall/general.rst:1482
#: ../../configuration/firewall/general-legacy.rst:965
msgid "Show Firewall log"
msgstr "Show Firewall log"
@@ -12316,7 +12401,7 @@ msgstr "Show the list of all active containers."
msgid "Show the local container images."
msgstr "Show the local container images."
-#: ../../configuration/firewall/general.rst:1493
+#: ../../configuration/firewall/general.rst:1486
#: ../../configuration/firewall/general-legacy.rst:969
msgid "Show the logs of a specific Rule-Set."
msgstr "Show the logs of a specific Rule-Set."
@@ -12463,7 +12548,7 @@ msgstr "Some RADIUS_ severs use an access control list which allows or denies qu
msgid "Some application service providers (ASPs) operate a VPN gateway to provide access to their internal resources, and require that a connecting organisation translate all traffic to the service provider network to a source address provided by the ASP."
msgstr "Some application service providers (ASPs) operate a VPN gateway to provide access to their internal resources, and require that a connecting organisation translate all traffic to the service provider network to a source address provided by the ASP."
-#: ../../configuration/firewall/general.rst:93
+#: ../../configuration/firewall/general.rst:86
#: ../../configuration/firewall/general-legacy.rst:38
msgid "Some firewall settings are global and have an affect on the whole system."
msgstr "Some firewall settings are global and have an affect on the whole system."
@@ -12532,7 +12617,7 @@ msgstr "Source Prefix"
msgid "Source all connections to the RADIUS servers from given VRF `<name>`."
msgstr "Source all connections to the RADIUS servers from given VRF `<name>`."
-#: ../../configuration/system/login.rst:329
+#: ../../configuration/system/login.rst:345
msgid "Source all connections to the TACACS servers from given VRF `<name>`."
msgstr "Source all connections to the TACACS servers from given VRF `<name>`."
@@ -12685,7 +12770,7 @@ msgstr "Specifies which RADIUS server attribute contains the rate limit informat
msgid "Specify IPv4/IPv6 listen address of SSH server. Multiple addresses can be defined."
msgstr "Specify IPv4/IPv6 listen address of SSH server. Multiple addresses can be defined."
-#: ../../configuration/firewall/general.rst:670
+#: ../../configuration/firewall/general.rst:663
#: ../../configuration/firewall/general-legacy.rst:455
msgid "Specify a Fully Qualified Domain Name as source/destination matcher. Ensure router is able to resolve such dns query."
msgstr "Specify a Fully Qualified Domain Name as source/destination matcher. Ensure router is able to resolve such dns query."
@@ -12736,7 +12821,7 @@ msgstr "Specify static route into the routing table sending all non local traffi
msgid "Specify the IP `<address>` of the RADIUS server user with the pre-shared-secret given in `<secret>`."
msgstr "Specify the IP `<address>` of the RADIUS server user with the pre-shared-secret given in `<secret>`."
-#: ../../configuration/system/login.rst:298
+#: ../../configuration/system/login.rst:314
msgid "Specify the IP `<address>` of the TACACS server user with the pre-shared-secret given in `<secret>`."
msgstr "Specify the IP `<address>` of the TACACS server user with the pre-shared-secret given in `<secret>`."
@@ -12840,6 +12925,10 @@ msgstr "Start by checking for IPSec SAs (Security Associations) with:"
msgid "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos instalations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the legacy firewall configuration commands, since this feature has been removed in earlier releases."
msgstr "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos instalations, and zone based firewall is no longer supported. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` chapter. The examples in this section use the legacy firewall configuration commands, since this feature has been removed in earlier releases."
+#: ../../configuration/firewall/index.rst:8
+msgid "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos installations."
+msgstr "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos installations."
+
#: ../../configuration/firewall/index.rst:5
msgid "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos installations. Documentation for most new firewall cli can be found here:"
msgstr "Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos installations. Documentation for most new firewall cli can be found here:"
@@ -12971,15 +13060,15 @@ msgstr "Synamic instructs to forward to all peers which we have a direct connect
msgid "Sync groups"
msgstr "Sync groups"
-#: ../../configuration/firewall/general.rst:1271
+#: ../../configuration/firewall/general.rst:1264
msgid "Synproxy"
msgstr "Synproxy"
-#: ../../configuration/firewall/general.rst:1272
+#: ../../configuration/firewall/general.rst:1265
msgid "Synproxy connections"
msgstr "Synproxy connections"
-#: ../../configuration/firewall/general.rst:1289
+#: ../../configuration/firewall/general.rst:1282
msgid "Synproxy relies on syncookies and TCP timestamps, ensure these are enabled"
msgstr "Synproxy relies on syncookies and TCP timestamps, ensure these are enabled"
@@ -13048,19 +13137,19 @@ msgstr "System identifier: ``1921.6800.1002`` - for system idetifiers we recomme
msgid "System is unusable - a panic condition"
msgstr "System is unusable - a panic condition"
-#: ../../configuration/system/login.rst:283
+#: ../../configuration/system/login.rst:299
msgid "TACACS+"
msgstr "TACACS+"
-#: ../../configuration/system/login.rst:388
+#: ../../configuration/system/login.rst:416
msgid "TACACS Example"
msgstr "TACACS Example"
-#: ../../configuration/system/login.rst:289
+#: ../../configuration/system/login.rst:305
msgid "TACACS is defined in :rfc:`8907`."
msgstr "TACACS is defined in :rfc:`8907`."
-#: ../../configuration/system/login.rst:319
+#: ../../configuration/system/login.rst:335
msgid "TACACS servers could be hardened by only allowing certain IP addresses to connect. As of this the source address of each TACACS query can be configured."
msgstr "TACACS servers could be hardened by only allowing certain IP addresses to connect. As of this the source address of each TACACS query can be configured."
@@ -13117,7 +13206,7 @@ msgstr "Temporary disable this RADIUS server."
msgid "Temporary disable this RADIUS server. It won't be queried."
msgstr "Temporary disable this RADIUS server. It won't be queried."
-#: ../../configuration/system/login.rst:311
+#: ../../configuration/system/login.rst:327
msgid "Temporary disable this TACACS server. It won't be queried."
msgstr "Temporary disable this TACACS server. It won't be queried."
@@ -13345,7 +13434,7 @@ msgstr "The `show bridge` operational command can be used to display configured
msgid "The above directory and default-config must be a child directory of /config/auth, since files outside this directory are not persisted after an image upgrade."
msgstr "The above directory and default-config must be a child directory of /config/auth, since files outside this directory are not persisted after an image upgrade."
-#: ../../configuration/firewall/general.rst:339
+#: ../../configuration/firewall/general.rst:332
msgid "The action can be :"
msgstr "The action can be :"
@@ -13780,6 +13869,10 @@ msgstr "The largest MTU size you can use with DSL is 1492 due to PPPoE overhead.
msgid "The last step is to define an interface route for 192.168.2.0/24 to get through the WireGuard interface `wg01`. Multiple IPs or networks can be defined and routed. The last check is allowed-ips which either prevents or allows the traffic."
msgstr "The last step is to define an interface route for 192.168.2.0/24 to get through the WireGuard interface `wg01`. Multiple IPs or networks can be defined and routed. The last check is allowed-ips which either prevents or allows the traffic."
+#: ../../configuration/firewall/index.rst:12
+msgid "The legacy and zone-based firewall configuration options is not longer supported. They are here for reference purposes only."
+msgstr "The legacy and zone-based firewall configuration options is not longer supported. They are here for reference purposes only."
+
#: ../../configuration/trafficpolicy/index.rst:552
msgid "The limiter performs basic ingress policing of traffic flows. Multiple classes of traffic can be defined and traffic limits can be applied to each class. Although the policer uses a token bucket mechanism internally, it does not have the capability to delay a packet as a shaping mechanism does. Traffic exceeding the defined bandwidth limits is directly dropped. A maximum allowed burst can be configured too."
msgstr "The limiter performs basic ingress policing of traffic flows. Multiple classes of traffic can be defined and traffic limits can be applied to each class. Although the policer uses a token bucket mechanism internally, it does not have the capability to delay a packet as a shaping mechanism does. Traffic exceeding the defined bandwidth limits is directly dropped. A maximum allowed burst can be configured too."
@@ -13864,6 +13957,10 @@ msgstr "The number parameter (1-10) configures the amount of accepted occurences
msgid "The official port for OpenVPN is 1194, which we reserve for client VPN; we will use 1195 for site-to-site VPN."
msgstr "The official port for OpenVPN is 1194, which we reserve for client VPN; we will use 1195 for site-to-site VPN."
+#: ../../configuration/firewall/index.rst:32
+msgid "The only stages VyOS will process as part of the firewall configuration is the `forward` (F4 stage), `input` (L4 stage), and `output` (L5 stage). All the other stages and steps are for reference and cant be manipulated through VyOS."
+msgstr "The only stages VyOS will process as part of the firewall configuration is the `forward` (F4 stage), `input` (L4 stage), and `output` (L5 stage). All the other stages and steps are for reference and cant be manipulated through VyOS."
+
#: ../../configuration/protocols/ospf.rst:155
msgid "The optional `disable` option allows to exclude interface from passive state. This command is used if the command :cfgcmd:`passive-interface default` was configured."
msgstr "The optional `disable` option allows to exclude interface from passive state. This command is used if the command :cfgcmd:`passive-interface default` was configured."
@@ -14163,7 +14260,7 @@ msgstr "There's a variety of client GUI frontends for any platform"
msgid "There are 3 default NTP server set. You are able to change them."
msgstr "There are 3 default NTP server set. You are able to change them."
-#: ../../configuration/firewall/general.rst:543
+#: ../../configuration/firewall/general.rst:536
#: ../../configuration/firewall/general-legacy.rst:380
msgid "There are a lot of matching criteria against which the package can be tested."
msgstr "There are a lot of matching criteria against which the package can be tested."
@@ -15373,7 +15470,7 @@ msgstr "This command will generate a default-route in L1 database."
msgid "This command will generate a default-route in L2 database."
msgstr "This command will generate a default-route in L2 database."
-#: ../../configuration/firewall/general.rst:1464
+#: ../../configuration/firewall/general.rst:1457
#: ../../configuration/firewall/general-legacy.rst:904
msgid "This command will give an overview of a rule in a single rule-set"
msgstr "This command will give an overview of a rule in a single rule-set"
@@ -15382,7 +15479,7 @@ msgstr "This command will give an overview of a rule in a single rule-set"
msgid "This command will give an overview of a rule in a single rule-set."
msgstr "This command will give an overview of a rule in a single rule-set."
-#: ../../configuration/firewall/general.rst:1442
+#: ../../configuration/firewall/general.rst:1435
#: ../../configuration/firewall/general-legacy.rst:932
msgid "This command will give an overview of a single rule-set."
msgstr "This command will give an overview of a single rule-set."
@@ -15462,7 +15559,7 @@ msgstr "This defaults to 300 seconds."
msgid "This defaults to 30 seconds."
msgstr "This defaults to 30 seconds."
-#: ../../configuration/system/login.rst:307
+#: ../../configuration/system/login.rst:323
msgid "This defaults to 49."
msgstr "This defaults to 49."
@@ -15510,7 +15607,7 @@ msgstr "This example shows how to target an MSS clamp (in our example to 1360 by
msgid "This feature summarises originated external LSAs (Type-5 and Type-7). Summary Route will be originated on-behalf of all matched external LSAs."
msgstr "This feature summarises originated external LSAs (Type-5 and Type-7). Summary Route will be originated on-behalf of all matched external LSAs."
-#: ../../configuration/firewall/general.rst:633
+#: ../../configuration/firewall/general.rst:626
#: ../../configuration/firewall/general-legacy.rst:431
msgid "This functions for both individual addresses and address groups."
msgstr "This functions for both individual addresses and address groups."
@@ -15722,7 +15819,7 @@ msgstr "This option is mandatory in Access-Point mode."
msgid "This option is required when running a DMVPN spoke."
msgstr "This option is required when running a DMVPN spoke."
-#: ../../configuration/system/login.rst:360
+#: ../../configuration/system/login.rst:388
msgid "This option must be used with ``timeout`` option."
msgstr "This option must be used with ``timeout`` option."
@@ -15751,7 +15848,7 @@ msgstr "This prompted some ISPs to develop a policy within the :abbr:`ARIN (Amer
msgid "This required setting defines the action of the current rule. If action is set to ``jump``, then ``jump-target`` is also needed."
msgstr "This required setting defines the action of the current rule. If action is set to ``jump``, then ``jump-target`` is also needed."
-#: ../../configuration/firewall/general.rst:367
+#: ../../configuration/firewall/general.rst:360
msgid "This required setting defines the action of the current rule. If action is set to jump, then jump-target is also needed."
msgstr "This required setting defines the action of the current rule. If action is set to jump, then jump-target is also needed."
@@ -15797,7 +15894,7 @@ msgstr "This section needs improvements, examples and explanations."
msgid "This set the default action of the rule-set if no rule matched a packet criteria. If defacult-action is set to ``jump``, then ``default-jump-target`` is also needed."
msgstr "This set the default action of the rule-set if no rule matched a packet criteria. If defacult-action is set to ``jump``, then ``default-jump-target`` is also needed."
-#: ../../configuration/firewall/general.rst:399
+#: ../../configuration/firewall/general.rst:392
msgid "This set the default action of the rule-set if no rule matched a packet criteria. If defacult-action is set to ``jump``, then ``default-jump-target`` is also needed. Note that for base chains, default action can only be set to ``accept`` or ``drop``, while on custom chain, more actions are available."
msgstr "This set the default action of the rule-set if no rule matched a packet criteria. If defacult-action is set to ``jump``, then ``default-jump-target`` is also needed. Note that for base chains, default action can only be set to ``accept`` or ``drop``, while on custom chain, more actions are available."
@@ -15817,12 +15914,12 @@ msgstr "This setting, which defaults to 3600 seconds, puts a maximum on the amou
msgid "This setting defaults to 1500 and is valid between 10 and 60000."
msgstr "This setting defaults to 1500 and is valid between 10 and 60000."
-#: ../../configuration/firewall/general.rst:128
+#: ../../configuration/firewall/general.rst:121
#: ../../configuration/firewall/general-legacy.rst:73
msgid "This setting enable or disable the response of icmp broadcast messages. The following system parameter will be altered:"
msgstr "This setting enable or disable the response of icmp broadcast messages. The following system parameter will be altered:"
-#: ../../configuration/firewall/general.rst:136
+#: ../../configuration/firewall/general.rst:129
#: ../../configuration/firewall/general-legacy.rst:81
msgid "This setting handle if VyOS accept packets with a source route option. The following system parameter will be altered:"
msgstr "This setting handle if VyOS accept packets with a source route option. The following system parameter will be altered:"
@@ -15905,7 +16002,7 @@ msgstr "This will match TCP traffic with source port 80."
msgid "This will render the following ddclient_ configuration entry:"
msgstr "This will render the following ddclient_ configuration entry:"
-#: ../../configuration/firewall/general.rst:1321
+#: ../../configuration/firewall/general.rst:1314
#: ../../configuration/firewall/general-legacy.rst:785
msgid "This will show you a basic firewall overview"
msgstr "This will show you a basic firewall overview"
@@ -15914,12 +16011,12 @@ msgstr "This will show you a basic firewall overview"
msgid "This will show you a rule-set statistic since the last boot."
msgstr "This will show you a rule-set statistic since the last boot."
-#: ../../configuration/firewall/general.rst:1486
+#: ../../configuration/firewall/general.rst:1479
#: ../../configuration/firewall/general-legacy.rst:900
msgid "This will show you a statistic of all rule-sets since the last boot."
msgstr "This will show you a statistic of all rule-sets since the last boot."
-#: ../../configuration/firewall/general.rst:1384
+#: ../../configuration/firewall/general.rst:1377
#: ../../configuration/firewall/general-legacy.rst:851
msgid "This will show you a summary of rule-sets and groups"
msgstr "This will show you a summary of rule-sets and groups"
@@ -15964,7 +16061,7 @@ msgstr "Time in seconds that the prefix will remain valid (default: 30 days)"
msgid "Time is in minutes and defaults to 60."
msgstr "Time is in minutes and defaults to 60."
-#: ../../configuration/firewall/general.rst:1218
+#: ../../configuration/firewall/general.rst:1211
#: ../../configuration/firewall/general-legacy.rst:722
#: ../../configuration/policy/route.rst:225
msgid "Time to match the defined rule."
@@ -16015,12 +16112,12 @@ msgstr "To automatically assign the client an IP address as tunnel endpoint, a c
msgid "To be used only when ``action`` is set to ``jump``. Use this command to specify jump target."
msgstr "To be used only when ``action`` is set to ``jump``. Use this command to specify jump target."
-#: ../../configuration/firewall/general.rst:408
+#: ../../configuration/firewall/general.rst:401
#: ../../configuration/firewall/general-legacy.rst:295
msgid "To be used only when ``defult-action`` is set to ``jump``. Use this command to specify jump target for default rule."
msgstr "To be used only when ``defult-action`` is set to ``jump``. Use this command to specify jump target for default rule."
-#: ../../configuration/firewall/general.rst:381
+#: ../../configuration/firewall/general.rst:374
msgid "To be used only when action is set to jump. Use this command to specify jump target."
msgstr "To be used only when action is set to jump. Use this command to specify jump target."
@@ -16036,6 +16133,18 @@ msgstr "To bypass the proxy for every request that is directed to a specific des
msgid "To configure IPv6 assignments for clients, two options need to be configured. A global prefix which is terminated on the clients cpe and a delegated prefix, the client can use for devices routed via the clients cpe."
msgstr "To configure IPv6 assignments for clients, two options need to be configured. A global prefix which is terminated on the clients cpe and a delegated prefix, the client can use for devices routed via the clients cpe."
+#: ../../configuration/firewall/index.rst:58
+msgid "To configure VyOS with the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>`"
+msgstr "To configure VyOS with the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>`"
+
+#: ../../configuration/firewall/index.rst:79
+msgid "To configure VyOS with the :doc:`zone-based firewall configuration </configuration/firewall/zone>`"
+msgstr "To configure VyOS with the :doc:`zone-based firewall configuration </configuration/firewall/zone>`"
+
+#: ../../configuration/firewall/index.rst:30
+msgid "To configure VyOS with the new :doc:`firewall configuration </configuration/firewall/general>`"
+msgstr "To configure VyOS with the new :doc:`firewall configuration </configuration/firewall/general>`"
+
#: ../../configuration/service/webproxy.rst:386
msgid "To configure blocking add the following to the configuration"
msgstr "To configure blocking add the following to the configuration"
@@ -16056,7 +16165,7 @@ msgstr "To configure your LCD display you must first identify the used hardware,
msgid "To create VLANs per user during runtime, the following settings are required on a per interface basis. VLAN ID and VLAN range can be present in the configuration at the same time."
msgstr "To create VLANs per user during runtime, the following settings are required on a per interface basis. VLAN ID and VLAN range can be present in the configuration at the same time."
-#: ../../configuration/system/login.rst:347
+#: ../../configuration/system/login.rst:375
msgid "To create a new line in your login message you need to escape the new line character by using ``\\\\n``."
msgstr "To create a new line in your login message you need to escape the new line character by using ``\\\\n``."
@@ -16226,6 +16335,10 @@ msgstr "Track option to track non VRRP interface states. VRRP changes status to
msgid "Traditional BGP did not have the feature to detect a remote peer's capabilities, e.g. whether it can handle prefix types other than IPv4 unicast routes. This was a big problem using Multiprotocol Extension for BGP in an operational network. :rfc:`2842` adopted a feature called Capability Negotiation. *bgpd* use this Capability Negotiation to detect the remote peer's capabilities. If a peer is only configured as an IPv4 unicast neighbor, *bgpd* does not send these Capability Negotiation packets (at least not unless other optional BGP features require capability negotiation)."
msgstr "Traditional BGP did not have the feature to detect a remote peer's capabilities, e.g. whether it can handle prefix types other than IPv4 unicast routes. This was a big problem using Multiprotocol Extension for BGP in an operational network. :rfc:`2842` adopted a feature called Capability Negotiation. *bgpd* use this Capability Negotiation to detect the remote peer's capabilities. If a peer is only configured as an IPv4 unicast neighbor, *bgpd* does not send these Capability Negotiation packets (at least not unless other optional BGP features require capability negotiation)."
+#: ../../configuration/firewall/index.rst:54
+msgid "Traditionally firewalls weere configured with the concept of data going in and out of an interface. The router just listened to the data flowing through and responding as required if it was directed at the router itself."
+msgstr "Traditionally firewalls weere configured with the concept of data going in and out of an interface. The router just listened to the data flowing through and responding as required if it was directed at the router itself."
+
#: ../../configuration/interfaces/openvpn.rst:9
msgid "Traditionally hardware routers implement IPsec exclusively due to relative ease of implementing it in hardware and insufficient CPU power for doing encryption in software. Since VyOS is a software router, this is less of a concern. OpenVPN has been widely used on UNIX platform for a long time and is a popular option for remote access VPN, though it's also capable of site-to-site connections."
msgstr "Traditionally hardware routers implement IPsec exclusively due to relative ease of implementing it in hardware and insufficient CPU power for doing encryption in software. Since VyOS is a software router, this is less of a concern. OpenVPN has been widely used on UNIX platform for a long time and is a popular option for remote access VPN, though it's also capable of site-to-site connections."
@@ -16254,7 +16367,7 @@ msgstr "Traffic from multicast sources will go to the Rendezvous Point, and rece
msgid "Traffic from multicast sources will go to the Rendezvous Point, and receivers will pull it from a shared tree using MLD (Multicast Listener Discovery)."
msgstr "Traffic from multicast sources will go to the Rendezvous Point, and receivers will pull it from a shared tree using MLD (Multicast Listener Discovery)."
-#: ../../configuration/firewall/general.rst:1288
+#: ../../configuration/firewall/general.rst:1281
msgid "Traffic must be symmetric"
msgstr "Traffic must be symmetric"
@@ -16383,7 +16496,7 @@ msgstr "Update"
msgid "Update container image"
msgstr "Update container image"
-#: ../../configuration/firewall/general.rst:1547
+#: ../../configuration/firewall/general.rst:1540
#: ../../configuration/firewall/general-legacy.rst:1050
msgid "Update geoip database"
msgstr "Update geoip database"
@@ -16437,27 +16550,27 @@ msgstr "Use `delete system conntrack modules` to deactive all modules."
msgid "Use a persistent LDAP connection. Normally the LDAP connection is only open while validating a username to preserve resources at the LDAP server. This option causes the LDAP connection to be kept open, allowing it to be reused for further user validations."
msgstr "Use a persistent LDAP connection. Normally the LDAP connection is only open while validating a username to preserve resources at the LDAP server. This option causes the LDAP connection to be kept open, allowing it to be reused for further user validations."
-#: ../../configuration/firewall/general.rst:806
+#: ../../configuration/firewall/general.rst:799
#: ../../configuration/firewall/general-legacy.rst:531
msgid "Use a specific address-group. Prepend character ``!`` for inverted matching criteria."
msgstr "Use a specific address-group. Prepend character ``!`` for inverted matching criteria."
-#: ../../configuration/firewall/general.rst:881
+#: ../../configuration/firewall/general.rst:874
#: ../../configuration/firewall/general-legacy.rst:567
msgid "Use a specific domain-group. Prepend character ``!`` for inverted matching criteria."
msgstr "Use a specific domain-group. Prepend character ``!`` for inverted matching criteria."
-#: ../../configuration/firewall/general.rst:906
+#: ../../configuration/firewall/general.rst:899
#: ../../configuration/firewall/general-legacy.rst:579
msgid "Use a specific mac-group. Prepend character ``!`` for inverted matching criteria."
msgstr "Use a specific mac-group. Prepend character ``!`` for inverted matching criteria."
-#: ../../configuration/firewall/general.rst:831
+#: ../../configuration/firewall/general.rst:824
#: ../../configuration/firewall/general-legacy.rst:543
msgid "Use a specific network-group. Prepend character ``!`` for inverted matching criteria."
msgstr "Use a specific network-group. Prepend character ``!`` for inverted matching criteria."
-#: ../../configuration/firewall/general.rst:856
+#: ../../configuration/firewall/general.rst:849
#: ../../configuration/firewall/general-legacy.rst:555
msgid "Use a specific port-group. Prepend character ``!`` for inverted matching criteria."
msgstr "Use a specific port-group. Prepend character ``!`` for inverted matching criteria."
@@ -16993,7 +17106,7 @@ msgstr "Use this command to enable the local router to try and connect with a ta
msgid "Use this command to enable the logging of the default action."
msgstr "Use this command to enable the logging of the default action."
-#: ../../configuration/firewall/general.rst:438
+#: ../../configuration/firewall/general.rst:431
msgid "Use this command to enable the logging of the default action on custom chains."
msgstr "Use this command to enable the logging of the default action on custom chains."
@@ -17394,6 +17507,10 @@ msgstr "Value to send to RADIUS server in NAS-Identifier attribute and to be mat
msgid "Verification"
msgstr "Verification"
+#: ../../configuration/vpn/remoteaccess_ipsec.rst:168
+msgid "Verification:"
+msgstr "Verification:"
+
#: ../../configuration/highavailability/index.rst:291
msgid "Version"
msgstr "Version"
@@ -17502,6 +17619,10 @@ msgstr "VyOS also comes with a build in SSTP server, see :ref:`sstp`."
msgid "VyOS also provides DHCPv6 server functionality which is described in this section."
msgstr "VyOS also provides DHCPv6 server functionality which is described in this section."
+#: ../../configuration/vpn/remoteaccess_ipsec.rst:127
+msgid "VyOS also supports two different modes of authentication, local and RADIUS. To create a new local user named \"vyos\" with a password of \"vyos\" use the following commands."
+msgstr "VyOS also supports two different modes of authentication, local and RADIUS. To create a new local user named \"vyos\" with a password of \"vyos\" use the following commands."
+
#: ../../configuration/vpn/dmvpn.rst:290
msgid "VyOS can also run in DMVPN spoke mode."
msgstr "VyOS can also run in DMVPN spoke mode."
@@ -17584,6 +17705,10 @@ msgstr "VyOS provide an HTTP API. You can use it to execute op-mode commands, up
msgid "VyOS provides DNS infrastructure for small networks. It is designed to be lightweight and have a small footprint, suitable for resource constrained routers and firewalls. For this we utilize PowerDNS recursor."
msgstr "VyOS provides DNS infrastructure for small networks. It is designed to be lightweight and have a small footprint, suitable for resource constrained routers and firewalls. For this we utilize PowerDNS recursor."
+#: ../../configuration/vpn/remoteaccess_ipsec.rst:144
+msgid "VyOS provides a command to generate a connection profile used by Windows clients that will connect to the \"rw\" connection on our VyOS server."
+msgstr "VyOS provides a command to generate a connection profile used by Windows clients that will connect to the \"rw\" connection on our VyOS server."
+
#: ../../configuration/policy/as-path-list.rst:5
msgid "VyOS provides policies commands exclusively for BGP traffic filtering and manipulation: **as-path-list** is one of them."
msgstr "VyOS provides policies commands exclusively for BGP traffic filtering and manipulation: **as-path-list** is one of them."
@@ -17763,7 +17888,7 @@ msgstr "We only need a single step for this interface:"
msgid "We route all traffic for the 192.168.2.0/24 network to interface `wg01`"
msgstr "We route all traffic for the 192.168.2.0/24 network to interface `wg01`"
-#: ../../configuration/system/login.rst:390
+#: ../../configuration/system/login.rst:418
msgid "We use a vontainer providing the TACACS serve rin this example."
msgstr "We use a vontainer providing the TACACS serve rin this example."
@@ -17827,7 +17952,7 @@ msgstr "When configuring your filter, you can use the ``Tab`` key to see the man
msgid "When configuring your traffic policy, you will have to set data rate values, watch out the units you are managing, it is easy to get confused with the different prefixes and suffixes you can use. VyOS will always show you the different units you can use."
msgstr "When configuring your traffic policy, you will have to set data rate values, watch out the units you are managing, it is easy to get confused with the different prefixes and suffixes you can use. VyOS will always show you the different units you can use."
-#: ../../configuration/firewall/general.rst:528
+#: ../../configuration/firewall/general.rst:521
msgid "When defining a rule, it is enable by default. In some cases, it is useful to just disable the rule, rather than removing it."
msgstr "When defining a rule, it is enable by default. In some cases, it is useful to just disable the rule, rather than removing it."
@@ -17932,12 +18057,12 @@ msgstr "When the DHCP server is considering dynamically allocating an IP address
msgid "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."
msgstr "When the close-action option is set on the peers, the connection-type of each peer has to considered carefully. For example, if the option is set on both peers, then both would attempt to initiate and hold open multiple copies of each child SA. This might lead to instability of the device or cpu/memory utilization."
-#: ../../configuration/firewall/general.rst:113
+#: ../../configuration/firewall/general.rst:106
#: ../../configuration/firewall/general-legacy.rst:58
msgid "When the command above is set, VyOS will answer every ICMP echo request addressed to itself, but that will only happen if no other rule is applied dropping or rejecting local echo requests. In case of conflict, VyOS will not answer ICMP echo requests."
msgstr "When the command above is set, VyOS will answer every ICMP echo request addressed to itself, but that will only happen if no other rule is applied dropping or rejecting local echo requests. In case of conflict, VyOS will not answer ICMP echo requests."
-#: ../../configuration/firewall/general.rst:122
+#: ../../configuration/firewall/general.rst:115
#: ../../configuration/firewall/general-legacy.rst:67
msgid "When the command above is set, VyOS will answer no ICMP echo request addressed to itself at all, no matter where it comes from or whether more specific rules are being applied to accept them."
msgstr "When the command above is set, VyOS will answer no ICMP echo request addressed to itself at all, no matter where it comes from or whether more specific rules are being applied to accept them."
@@ -17990,7 +18115,7 @@ msgstr "When using site-to-site IPsec with VTI interfaces, be sure to disable ro
msgid "When utilizing VyOS in an environment with Arista gear you can use this blue print as an initial setup to get an LACP bond / port-channel operational between those two devices."
msgstr "When utilizing VyOS in an environment with Arista gear you can use this blue print as an initial setup to get an LACP bond / port-channel operational between those two devices."
-#: ../../configuration/firewall/general.rst:64
+#: ../../configuration/firewall/general.rst:57
msgid "Where, main key words and configuration paths that needs to be understood:"
msgstr "Where, main key words and configuration paths that needs to be understood:"
@@ -18037,7 +18162,7 @@ msgstr "Which results in a configuration of:"
msgid "Which would generate the following NAT destination configuration:"
msgstr "Which would generate the following NAT destination configuration:"
-#: ../../configuration/firewall/general.rst:224
+#: ../../configuration/firewall/general.rst:217
#: ../../configuration/firewall/general-legacy.rst:193
msgid "While **network groups** accept IP networks in CIDR notation, specific IP addresses can be added as a 32-bit prefix. If you foresee the need to add a mix of addresses and networks, the network group is recommended."
msgstr "While **network groups** accept IP networks in CIDR notation, specific IP addresses can be added as a 32-bit prefix. If you foresee the need to add a mix of addresses and networks, the network group is recommended."
@@ -18070,6 +18195,10 @@ msgstr "Will be recorded only packets/flows on **incoming** direction in configu
msgid "Will drop `<shared-network-name>_` from client DNS record, using only the host declaration name and domain: `<hostname>.<domain-name>`"
msgstr "Will drop `<shared-network-name>_` from client DNS record, using only the host declaration name and domain: `<hostname>.<domain-name>`"
+#: ../../configuration/vpn/remoteaccess_ipsec.rst:147
+msgid "Windows expects the server name to be also used in the server's certificate common name, so it's best to use this DNS name for your VPN connection."
+msgstr "Windows expects the server name to be also used in the server's certificate common name, so it's best to use this DNS name for your VPN connection."
+
#: ../../configuration/interfaces/wireguard.rst:7
#: ../../configuration/pki/index.rst:132
msgid "WireGuard"
@@ -18116,6 +18245,10 @@ msgstr "Wireless options"
msgid "Wireless options (Station/Client)"
msgstr "Wireless options (Station/Client)"
+#: ../../configuration/firewall/index.rst:23
+msgid "With VyOS being based on top of Linux and its kernel, the Netfilter project created the iptables and now the successor nftables for the Linux kernel to work directly on the data flows. This now extends the concept of zone-based security to allow for manipulating the data at multiple stages once accepted by the network interface and the driver before being handed off to the destination (e.g. a web server OR another device)."
+msgstr "With VyOS being based on top of Linux and its kernel, the Netfilter project created the iptables and now the successor nftables for the Linux kernel to work directly on the data flows. This now extends the concept of zone-based security to allow for manipulating the data at multiple stages once accepted by the network interface and the driver before being handed off to the destination (e.g. a web server OR another device)."
+
#: ../../configuration/interfaces/wireguard.rst:269
msgid "With WireGuard, a Road Warrior VPN config is similar to a site-to-site VPN. It just lacks the ``address`` and ``port`` statements."
msgstr "With WireGuard, a Road Warrior VPN config is similar to a site-to-site VPN. It just lacks the ``address`` and ``port`` statements."
@@ -18124,7 +18257,7 @@ msgstr "With WireGuard, a Road Warrior VPN config is similar to a site-to-site V
msgid "With the ``name-server`` option set to ``none``, VyOS will ignore the nameservers your ISP sends you and thus you can fully rely on the ones you have configured statically."
msgstr "With the ``name-server`` option set to ``none``, VyOS will ignore the nameservers your ISP sends you and thus you can fully rely on the ones you have configured statically."
-#: ../../configuration/firewall/general.rst:101
+#: ../../configuration/firewall/general.rst:94
#: ../../configuration/firewall/general-legacy.rst:46
msgid "With the firewall you can set rules to accept, drop or reject ICMP in, out or local traffic. You can also use the general **firewall all-ping** command. This command affects only to LOCAL (packets destined for your VyOS system), not to IN or OUT traffic."
msgstr "With the firewall you can set rules to accept, drop or reject ICMP in, out or local traffic. You can also use the general **firewall all-ping** command. This command affects only to LOCAL (packets destined for your VyOS system), not to IN or OUT traffic."
@@ -18133,6 +18266,10 @@ msgstr "With the firewall you can set rules to accept, drop or reject ICMP in, o
msgid "With this command, you can specify how the URL path should be matched against incoming requests."
msgstr "With this command, you can specify how the URL path should be matched against incoming requests."
+#: ../../configuration/firewall/index.rst:73
+msgid "With zone-based firewalls a new concept was implemented, in addtion to the standard in and out traffic flows, a local flow was added. This local was for traffic originating and destined to the router itself. Which means additional rules were required to secure the firewall itself from the network, in addition to the existing inbound and outbound rules from the traditional concept above."
+msgstr "With zone-based firewalls a new concept was implemented, in addtion to the standard in and out traffic flows, a local flow was added. This local was for traffic originating and destined to the router itself. Which means additional rules were required to secure the firewall itself from the network, in addition to the existing inbound and outbound rules from the traditional concept above."
+
#: ../../configuration/service/dhcp-server.rst:290
#: ../../configuration/service/dhcp-server.rst:295
#: ../../configuration/service/dhcp-server.rst:300
@@ -18151,7 +18288,7 @@ msgstr "Y"
msgid "You apply a rule-set always to a zone from an other zone, it is recommended to create one rule-set for each zone pair."
msgstr "You apply a rule-set always to a zone from an other zone, it is recommended to create one rule-set for each zone pair."
-#: ../../configuration/system/login.rst:335
+#: ../../configuration/system/login.rst:363
msgid "You are able to set post-login or pre-login banner messages to display certain information for this system."
msgstr "You are able to set post-login or pre-login banner messages to display certain information for this system."
@@ -18245,7 +18382,7 @@ msgstr "You can not run this in a VRRP setup, if multiple mDNS repeaters are lau
msgid "You can now \"dial\" the peer with the follwoing command: ``sstpc --log-level 4 --log-stderr --user vyos --password vyos vpn.example.com -- call vyos``."
msgstr "You can now \"dial\" the peer with the follwoing command: ``sstpc --log-level 4 --log-stderr --user vyos --password vyos vpn.example.com -- call vyos``."
-#: ../../configuration/system/login.rst:413
+#: ../../configuration/system/login.rst:441
msgid "You can now SSH into your system using admin/admin as a default user supplied from the ``lfkeitel/tacacs_plus:latest`` container."
msgstr "You can now SSH into your system using admin/admin as a default user supplied from the ``lfkeitel/tacacs_plus:latest`` container."
@@ -18346,10 +18483,18 @@ msgstr "Zebra supports prefix-lists and Route Mapss to match routes received fro
msgid "Zone-Policy Overview"
msgstr "Zone-Policy Overview"
+#: ../../configuration/firewall/index.rst:66
+msgid "Zone-based firewall"
+msgstr "Zone-based firewall"
+
#: ../../configuration/firewall/zone.rst:7
msgid "Zone Based Firewall"
msgstr "Zone Based Firewall"
+#: ../../configuration/firewall/zone.rst:7
+msgid "Zone Based Firewall (Deprecated)"
+msgstr "Zone Based Firewall (Deprecated)"
+
#: ../../configuration/protocols/ospf.rst:792
msgid "[A.B.C.D] – link-state-id. With this specified the command displays portion of the network environment that is being described by the advertisement. The value entered depends on the advertisement’s LS type. It must be entered in the form of an IP address."
msgstr "[A.B.C.D] – link-state-id. With this specified the command displays portion of the network environment that is being described by the advertisement. The value entered depends on the advertisement’s LS type. It must be entered in the form of an IP address."
@@ -18907,7 +19052,7 @@ msgstr "``accept-own-nexthop`` - Well-known communities value accept-o
msgid "``accept-own`` - Well-known communities value ACCEPT_OWN 0xFFFF0001"
msgstr "``accept-own`` - Well-known communities value ACCEPT_OWN 0xFFFF0001"
-#: ../../configuration/firewall/general.rst:341
+#: ../../configuration/firewall/general.rst:334
msgid "``accept``: accept the packet."
msgstr "``accept``: accept the packet."
@@ -19083,7 +19228,7 @@ msgstr "``disable`` disable IPComp compression (default);"
msgid "``disable`` disable MOBIKE;"
msgstr "``disable`` disable MOBIKE;"
-#: ../../configuration/firewall/general.rst:343
+#: ../../configuration/firewall/general.rst:336
msgid "``drop``: drop the packet."
msgstr "``drop``: drop the packet."
@@ -19251,7 +19396,7 @@ msgstr "``interval`` keep-alive interval in seconds <2-86400> (default 30);"
msgid "``isis`` - Intermediate System to Intermediate System (IS-IS)"
msgstr "``isis`` - Intermediate System to Intermediate System (IS-IS)"
-#: ../../configuration/firewall/general.rst:347
+#: ../../configuration/firewall/general.rst:340
msgid "``jump``: jump to another custom chain."
msgstr "``jump``: jump to another custom chain."
@@ -19377,52 +19522,52 @@ msgstr "``n`` - 802.11n - 600 Mbits/sec"
msgid "``name`` is used for the VyOS CLI command to identify this key. This key ``name`` is then used in the CLI configuration to reference the key instance."
msgstr "``name`` is used for the VyOS CLI command to identify this key. This key ``name`` is then used in the CLI configuration to reference the key instance."
-#: ../../configuration/firewall/general.rst:149
+#: ../../configuration/firewall/general.rst:142
#: ../../configuration/firewall/general-legacy.rst:93
msgid "``net.ipv4.conf.all.accept_redirects``"
msgstr "``net.ipv4.conf.all.accept_redirects``"
-#: ../../configuration/firewall/general.rst:139
+#: ../../configuration/firewall/general.rst:132
#: ../../configuration/firewall/general-legacy.rst:84
msgid "``net.ipv4.conf.all.accept_source_route``"
msgstr "``net.ipv4.conf.all.accept_source_route``"
-#: ../../configuration/firewall/general.rst:164
+#: ../../configuration/firewall/general.rst:157
#: ../../configuration/firewall/general-legacy.rst:108
msgid "``net.ipv4.conf.all.log_martians``"
msgstr "``net.ipv4.conf.all.log_martians``"
-#: ../../configuration/firewall/general.rst:172
+#: ../../configuration/firewall/general.rst:165
#: ../../configuration/firewall/general-legacy.rst:115
msgid "``net.ipv4.conf.all.rp_filter``"
msgstr "``net.ipv4.conf.all.rp_filter``"
-#: ../../configuration/firewall/general.rst:157
+#: ../../configuration/firewall/general.rst:150
#: ../../configuration/firewall/general-legacy.rst:101
msgid "``net.ipv4.conf.all.send_redirects``"
msgstr "``net.ipv4.conf.all.send_redirects``"
-#: ../../configuration/firewall/general.rst:131
+#: ../../configuration/firewall/general.rst:124
#: ../../configuration/firewall/general-legacy.rst:76
msgid "``net.ipv4.icmp_echo_ignore_broadcasts``"
msgstr "``net.ipv4.icmp_echo_ignore_broadcasts``"
-#: ../../configuration/firewall/general.rst:187
+#: ../../configuration/firewall/general.rst:180
#: ../../configuration/firewall/general-legacy.rst:129
msgid "``net.ipv4.tcp_rfc1337``"
msgstr "``net.ipv4.tcp_rfc1337``"
-#: ../../configuration/firewall/general.rst:179
+#: ../../configuration/firewall/general.rst:172
#: ../../configuration/firewall/general-legacy.rst:122
msgid "``net.ipv4.tcp_syncookies``"
msgstr "``net.ipv4.tcp_syncookies``"
-#: ../../configuration/firewall/general.rst:150
+#: ../../configuration/firewall/general.rst:143
#: ../../configuration/firewall/general-legacy.rst:94
msgid "``net.ipv6.conf.all.accept_redirects``"
msgstr "``net.ipv6.conf.all.accept_redirects``"
-#: ../../configuration/firewall/general.rst:140
+#: ../../configuration/firewall/general.rst:133
#: ../../configuration/firewall/general-legacy.rst:85
msgid "``net.ipv6.conf.all.accept_source_route``"
msgstr "``net.ipv6.conf.all.accept_source_route``"
@@ -19544,7 +19689,7 @@ msgstr "``protocol`` - define the protocol for match traffic, which should be en
msgid "``psk`` - Preshared secret key name:"
msgstr "``psk`` - Preshared secret key name:"
-#: ../../configuration/firewall/general.rst:352
+#: ../../configuration/firewall/general.rst:345
msgid "``queue``: Enqueue packet to userspace."
msgstr "``queue``: Enqueue packet to userspace."
@@ -19552,7 +19697,7 @@ msgstr "``queue``: Enqueue packet to userspace."
msgid "``rate``: Number of packets. Default 5."
msgstr "``rate``: Number of packets. Default 5."
-#: ../../configuration/firewall/general.rst:345
+#: ../../configuration/firewall/general.rst:338
msgid "``reject``: reject the packet."
msgstr "``reject``: reject the packet."
@@ -19585,7 +19730,7 @@ msgstr "``respond`` - does not try to initiate a connection to a remote peer. In
msgid "``restart`` set action to restart;"
msgstr "``restart`` set action to restart;"
-#: ../../configuration/firewall/general.rst:349
+#: ../../configuration/firewall/general.rst:342
msgid "``return``: Return from the current chain and continue at the next rule of the last chain."
msgstr "``return``: Return from the current chain and continue at the next rule of the last chain."
@@ -19681,7 +19826,7 @@ msgstr "``static`` - Statically configured routes"
msgid "``station`` - Connects to another access point"
msgstr "``station`` - Connects to another access point"
-#: ../../configuration/firewall/general.rst:354
+#: ../../configuration/firewall/general.rst:347
msgid "``synproxy``: synproxy the packet."
msgstr "``synproxy``: synproxy the packet."
@@ -20019,7 +20164,7 @@ msgstr "domain-search"
msgid "emerg"
msgstr "emerg"
-#: ../../configuration/firewall/general.rst:154
+#: ../../configuration/firewall/general.rst:147
msgid "enable or disable ICMPv4 redirect messages send by VyOS The following system parameter will be altered:"
msgstr "enable or disable ICMPv4 redirect messages send by VyOS The following system parameter will be altered:"
@@ -20027,12 +20172,12 @@ msgstr "enable or disable ICMPv4 redirect messages send by VyOS The following sy
msgid "enable or disable ICMPv4 redirect messages send by VyOS The following system parameter will be altered:"
msgstr "enable or disable ICMPv4 redirect messages send by VyOS The following system parameter will be altered:"
-#: ../../configuration/firewall/general.rst:146
+#: ../../configuration/firewall/general.rst:139
#: ../../configuration/firewall/general-legacy.rst:90
msgid "enable or disable of ICMPv4 or ICMPv6 redirect messages accepted by VyOS. The following system parameter will be altered:"
msgstr "enable or disable of ICMPv4 or ICMPv6 redirect messages accepted by VyOS. The following system parameter will be altered:"
-#: ../../configuration/firewall/general.rst:161
+#: ../../configuration/firewall/general.rst:154
#: ../../configuration/firewall/general-legacy.rst:105
msgid "enable or disable the logging of martian IPv4 packets. The following system parameter will be altered:"
msgstr "enable or disable the logging of martian IPv4 packets. The following system parameter will be altered:"