Diffstat (limited to 'docs/quick-start.rst')
-rw-r--r-- docs/quick-start.rst 29
1 files changed, 16 insertions, 13 deletions
diff --git a/docs/quick-start.rst b/docs/quick-start.rst
index 518e5d86..2aa3cbbb 100644
--- a/docs/quick-start.rst
+++ b/docs/quick-start.rst
@@ -60,7 +60,7 @@ Configure Source NAT for our "Inside" network.
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address masquerade
-Add a set of firewall policies for our "Outside" interface.
+Add a set of firewall policies for our "Outside" interface.
This configuration creates a proper stateful firewall that blocks all traffic:
@@ -79,9 +79,11 @@ This configuration creates a proper stateful firewall that blocks all traffic:
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
-If you wanted to enable SSH access to your firewall from the the Internet, you could create some additional rules to allow the traffic.
+If you wanted to enable SSH access to your firewall from the Internet, you
+could create some additional rules to allow the traffic.
-These rules allow SSH traffic and rate limit it to 4 requests per minute. This blocks brute-forcing attempts:
+These rules allow SSH traffic and rate limit it to 4 requests per minute. This
+blocks brute-forcing attempts:
.. code-block:: sh
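Review bot: "This blocks brute-forcing attempts" in the re-wrapped sentence overstates what a limit of 4 requests per minute does: it slows password guessing but does not stop it. Since the sentence is being touched anyway, consider "This slows down brute-force attempts" and let the key-based authentication steps under Security Hardening carry the actual protection.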
@@ -121,8 +123,8 @@ The traffic policy subsystem provides an interface to Linux traffic control
(tc_).
One common use of traffic policy is to limit bandwidth for an interface. In
-the example below we limit bandwidth for our LAN connection to 200 Mbit download
-and out WAN connection to 50 Mbit upload:
+the example below we limit bandwidth for our LAN connection to 200 Mbit
+download and out WAN connection to 50 Mbit upload:
.. code-block:: sh
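Review bot: The typo "out WAN connection" is carried over unchanged onto the new line "download and out WAN connection to 50 Mbit upload:". It should read "our WAN connection", matching "our LAN connection" earlier in the same sentence. The other re-wrapped paragraph in this patch had its "the the" fixed, so this one is worth fixing here too.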
@@ -176,7 +178,8 @@ See further information in the :ref:`qos` chapter.
Security Hardening
^^^^^^^^^^^^^^^^^^
-Especially if you are allowing SSH access from the Internet, there are a few additional configuration steps that should be taken.
+Especially if you are allowing SSH access from the Internet, there are a few
+additional configuration steps that should be taken.
Create a user to replace the default `vyos` user:
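Review bot: The context line "Create a user to replace the default `vyos` user:" still uses single backticks, while the later changes in this patch move ``loadkey``, ``vyos`` and the ssh-keygen references to double-backtick literals. Convert this one as well so the inline literals in the Security Hardening section render consistently.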
@@ -185,18 +188,20 @@ Create a user to replace the default `vyos` user:
set system login user myvyosuser level admin
set system login user myvyosuser authentication plaintext-password mysecurepassword
-Set up SSH key based authentication. For example, on Linux you'd want to run `ssh-keygen -t rsa`. Then the contents of `id_rsa.pub` would be used below:
+Set up SSH key based authentication. For example, on Linux you'd want to run
+``ssh-keygen -t rsa``. Then the contents of ``id_rsa.pub`` would be used below:
.. code-block:: sh
set system login user myvyosuser authentication public-keys myusername@mydesktop type ssh-rsa
set system login user myvyosuser authentication public-keys myusername@mydesktop key contents_of_id_rsa.pub
-Or you can use the `loadkey` command. Commit and save.
+Or you can use the ``loadkey`` command. Commit and save.
-Finally, try and ssh into the VyOS install as your new user.
-
-Once you have confirmed that your new user can access your server, without a password, delete the original `vyos` user and disable password authentication into SSH:
+Finally, try and SSH into the VyOS install as your new user. Once you have
+confirmed that your new user can access your server, without a password, delete
+the original ``vyos`` user and probably disable password authentication for
+SSH:
.. code-block:: sh
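Review bot: The merged paragraph changes "disable password authentication into SSH" to "probably disable password authentication for SSH", which turns a hardening step into an optional one inside what is otherwise a re-wrap and markup patch. Either drop "probably" or say when keeping password authentication is acceptable, and call the wording change out separately from the formatting so it is not missed in review.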
@@ -205,6 +210,4 @@ Once you have confirmed that your new user can access your server, without a pas
Commit and save.
-
-
.. _tc: http://en.wikipedia.org/wiki/Tc_(Linux)
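Review bot: The ``.. _tc:`` target in the trailing context still points at an http:// URL. While this part of the file is being tidied, switch the link to https://en.wikipedia.org/wiki/Tc_(Linux) so readers are not sent over plain HTTP.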