path: root/docs/quick-start.rst
Diffstat (limited to 'docs/quick-start.rst')
-rw-r--r-- docs/quick-start.rst 73
1 files changed, 35 insertions, 38 deletions
diff --git a/docs/quick-start.rst b/docs/quick-start.rst
index a6055576..d14a43ca 100644
--- a/docs/quick-start.rst
+++ b/docs/quick-start.rst
@@ -122,14 +122,12 @@ network via IP masquerade.
Firewall
########
-.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall
- structure can be found on all vyos instalations. Documentation for most
- of the new firewall CLI can be found in the `firewall
- <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_
- chapter. The legacy firewall is still available for versions before
- 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy`
- chapter. The examples in this section use the new firewall configuration
- commands.
+.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be
+ found on all vyos instalations. Documentation for most of the new firewall CLI
+ can be found in the :ref:`firewall` chapter. The legacy firewall is still available
+ for versions before 1.4-rolling-202308040557 and can be found in the
+ :ref:`firewall-legacy` chapter. The examples in this section still use the
+ legacy firewall configuration options.
Add a set of firewall policies for our outside/WAN interface.
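Review bot: the spelling error "instalations" is carried over into the rewritten note (second added line); since the paragraph is being reflowed anyway, correct it to "installations" here. The external link to the firewall chapter is replaced by `:ref:`firewall``, so please confirm a `.. _firewall:` label exists in the firewall chapter, otherwise Sphinx will emit an undefined-label warning and render the note without a link. The last sentence now says the examples "still use the legacy firewall configuration options", which matches the ruleset below, but it would help readers of a 1.4-rolling build newer than 202308040557 to say in one sentence that these commands will not be accepted there and to point them at the new-syntax chapter.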
@@ -138,25 +136,19 @@ which was not initiated from the internal/LAN side first.
.. code-block:: none
- set firewall ipv4 forward filter default-action 'drop'
- set firewall ipv4 forward filter rule 10 action 'accept'
- set firewall ipv4 forward filter rule 10 state established 'enable'
- set firewall ipv4 forward filter rule 10 state related 'enable'
- set firewall ipv4 forward filter rule 20 action 'drop'
- set firewall ipv4 forward filter rule 20 state invalid 'enable'
- set firewall ipv4 forward filter rule 30 inbound-interface interface-name 'eth1'
- set firewall ipv4 forward filter rule 30 action 'accept'
-
- set firewall ipv4 input filter default-action drop
- set firewall ipv4 input filter rule 10 action 'accept'
- set firewall ipv4 input filter rule 10 state established 'enable'
- set firewall ipv4 input filter rule 10 state related 'enable'
- set firewall ipv4 input filter rule 20 action 'drop'
- set firewall ipv4 input filter rule 20 state invalid 'enable'
- set firewall ipv4 input filter rule 30 action 'accept'
- set firewall ipv4 input filter rule 30 icmp type-name 'echo-request'
- set firewall ipv4 input filter rule 30 protocol 'icmp'
- set firewall ipv4 input filter rule 30 state new 'enable'
+ set firewall name OUTSIDE-IN default-action 'drop'
+ set firewall name OUTSIDE-IN rule 10 action 'accept'
+ set firewall name OUTSIDE-IN rule 10 state established 'enable'
+ set firewall name OUTSIDE-IN rule 10 state related 'enable'
+
+ set firewall name OUTSIDE-LOCAL default-action 'drop'
+ set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
+ set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
+ set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
+ set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
+ set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
+ set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
+ set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
If you wanted to enable SSH access to your firewall from the outside/WAN
interface, you could create some additional rules to allow that kind of
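Review bot: the removed rule 20 (`state invalid 'enable'` with action drop) in both rulesets has no counterpart in the legacy version; this is functionally covered because both OUTSIDE-IN and OUTSIDE-LOCAL keep `default-action 'drop'`, but the surrounding text ("drop anything not initiated from the LAN") no longer shows the invalid-state case explicitly, so consider either keeping an equivalent drop rule or adding a short sentence that the default action handles it. The removed forward rule 30 (`inbound-interface interface-name 'eth1'` accept) is also not needed in the legacy model since OUTSIDE-IN is only attached to eth0 below, which is worth stating so readers do not think LAN-originated traffic is now blocked.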
@@ -167,19 +159,24 @@ blocks brute-forcing attempts:
.. code-block:: none
- set firewall ipv4 input filter rule 40 action 'drop'
- set firewall ipv4 input filter rule 40 inbound-interface interface-name 'eth0'
- set firewall ipv4 input filter rule 40 destination port '22'
- set firewall ipv4 input filter rule 40 protocol 'tcp'
- set firewall ipv4 input filter rule 40 recent count '4'
- set firewall ipv4 input filter rule 40 recent time 'minute'
- set firewall ipv4 input filter rule 40 state new 'enable'
+ set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
+ set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
+ set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
+ set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
+ set firewall name OUTSIDE-LOCAL rule 30 recent time 'minute'
+ set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
+
+ set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
+ set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
+ set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
+ set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
- set firewall ipv4 input filter rule 41 action 'accept'
- set firewall ipv4 input filter rule 41 destination port '22'
- set firewall ipv4 input filter rule 41 protocol 'tcp'
- set firewall ipv4 input filter rule 41 state new 'enable'
+Apply the firewall policies:
+
+.. code-block:: none
+ set firewall interface eth0 in name 'OUTSIDE-IN'
+ set firewall interface eth0 local name 'OUTSIDE-LOCAL'
Commit changes, save the configuration, and exit configuration mode:
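Review bot: dropping `inbound-interface interface-name 'eth0'` from the SSH rate-limit rule is correct in the legacy model only because the interface binding moves to the new "Apply the firewall policies" block; that block is the one piece that makes the whole section work, since an unattached legacy ruleset matches nothing, so consider adding a sentence saying so rather than the bare "Apply the firewall policies:" lead-in. Also, the note above says the legacy firewall applies to all versions before 1.4-rolling-202308040557, which includes 1.3.x, where to my knowledge the attachment syntax is `set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'` rather than `set firewall interface eth0 in name`; please either state which version the example targets or show both forms.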