Diffstat (limited to 'docs')
m---------  docs/_include/vyos-1x                            0
-rw-r--r--  docs/changelog/1.3.rst                          34
-rw-r--r--  docs/changelog/1.4.rst                          66
-rw-r--r--  docs/configexamples/zone-policy.rst             10
-rw-r--r--  docs/configuration/firewall/general-legacy.rst   6
-rw-r--r--  docs/configuration/firewall/zone.rst            10
-rw-r--r--  docs/quick-start.rst                            68
7 files changed, 162 insertions, 32 deletions
diff --git a/docs/_include/vyos-1x b/docs/_include/vyos-1x
-Subproject bbcf94bba674e4c001d9439439b8fd405f39501
+Subproject 6c3defcc1e5e89cd2c031fdaa0975737529d7d5
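Review bot: the submodule bump from bbcf94b to 6c3defc is opaque; nothing in this diff says which vyos-1x changes it pulls in or why the docs build needs them. Record the reason for the bump (or the vyos-1x commit range) in the commit description so the docs can be rebuilt against a known vyos-1x revision.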
diff --git a/docs/changelog/1.3.rst b/docs/changelog/1.3.rst
index 1c90609b..52b7d2f3 100644
--- a/docs/changelog/1.3.rst
+++ b/docs/changelog/1.3.rst
@@ -8,6 +8,40 @@
_ext/releasenotes.py
+2023-09-11
+==========
+
+* :vytask:`T5557` ``(bug): bgp: Use treat-as-withdraw for tunnel encapsulation attribute CVE-2023-38802``
+* :vytask:`T3424` ``(default): PPPoE IA-PD doesn't work in VRF``
+
+
+2023-09-10
+==========
+
+* :vytask:`T5555` ``(bug): Fix timezone migrator (system 13-to-14)``
+* :vytask:`T5545` ``(bug): sflow is not working``
+
+
+2023-09-08
+==========
+
+* :vytask:`T4426` ``(default): Add arpwatch to the image``
+
+
+2023-09-05
+==========
+
+* :vytask:`T5524` ``(feature): Add config directory to liveCD``
+* :vytask:`T2958` ``(bug): DHCP server doesn't work from a live CD``
+* :vytask:`T5428` ``(bug): dhcp: client renewal fails when running inside VRF``
+
+
+2023-09-04
+==========
+
+* :vytask:`T5506` ``(bug): Container bridge interfaces do not have a link-local address``
+
+
2023-08-31
==========
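Review bot: T5557 (``bgp: Use treat-as-withdraw for tunnel encapsulation attribute CVE-2023-38802``) is the only security fix in this regeneration and it appears only in the 1.3 changelog; the 1.4 changelog hunk in the same commit lists T3424 and T2773 under 2023-09-11 and has no T5557 entry at all. Confirm whether 1.4 received the fix and, if it did, why `_ext/releasenotes.py` did not emit it, since readers of the 1.4 changelog will otherwise conclude the rolling branch is unpatched.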
diff --git a/docs/changelog/1.4.rst b/docs/changelog/1.4.rst
index 64902a9c..f99c72bb 100644
--- a/docs/changelog/1.4.rst
+++ b/docs/changelog/1.4.rst
@@ -8,6 +8,72 @@
_ext/releasenotes.py
+2023-09-11
+==========
+
+* :vytask:`T3424` ``(default): PPPoE IA-PD doesn't work in VRF``
+* :vytask:`T2773` ``(feature): EIGRP support for VRF``
+
+
+2023-09-10
+==========
+
+* :vytask:`T5565` ``(bug): Builds as vyos-999-timestamp instead of vyos-1.4-rolling-timestamp``
+* :vytask:`T5555` ``(bug): Fix timezone migrator (system 13-to-14)``
+* :vytask:`T5529` ``(bug): Missing symbolic link in linux-firmware package.``
+
+
+2023-09-09
+==========
+
+* :vytask:`T5540` ``(bug): vyos-1x: Wrong VHT configuration for WiFi 802.11ac``
+* :vytask:`T5423` ``(bug): ipsec: no output for op-cmd "show vpn ike secrets"``
+* :vytask:`T3700` ``(feature): Support VLAN tunnel mapping of VLAN aware bridges``
+
+
+2023-09-08
+==========
+
+* :vytask:`T5502` ``(bug): Firewall - wrong parser for inbound and/or outbound interface``
+* :vytask:`T5460` ``(feature): Firewall - remove config-trap``
+* :vytask:`T5450` ``(feature): Firewall interface group - Allow inverted matcher``
+* :vytask:`T4426` ``(default): Add arpwatch to the image``
+* :vytask:`T4356` ``(bug): DHCP v6 client only supports single interface configuration``
+
+
+2023-09-07
+==========
+
+* :vytask:`T5489` ``(feature): Change to BBR as TCP congestion control, or at least make it an config option``
+* :vytask:`T5510` ``(feature): Shrink imagesize and improve read performance by changing mksquashfs syntax``
+
+
+2023-09-06
+==========
+
+* :vytask:`T5542` ``(bug): ipoe-server: external-dhcp(dhcp-relay) not woking / not implemented``
+* :vytask:`T5548` ``(bug): HAProxy renders timeouts incorrectly``
+* :vytask:`T5544` ``(feature): Allow CAP_SYS_MODULE to be set on containers``
+
+
+2023-09-05
+==========
+
+* :vytask:`T5524` ``(feature): Add config directory to liveCD``
+* :vytask:`T5519` ``(bug): Function `call` sometimes hangs``
+* :vytask:`T5508` ``(bug): Configuration Migration Fails to New Netfilter Firewall Syntax``
+* :vytask:`T5495` ``(feature): Enable snmp module also for frr/ldpd``
+* :vytask:`T2958` ``(bug): DHCP server doesn't work from a live CD``
+* :vytask:`T5428` ``(bug): dhcp: client renewal fails when running inside VRF``
+
+
+2023-09-04
+==========
+
+* :vytask:`T5536` ``(bug): show dhcp client leases caues No module named 'vyos.validate'``
+* :vytask:`T5506` ``(bug): Container bridge interfaces do not have a link-local address``
+
+
2023-09-03
==========
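Review bot: the generated entries carry typos from their task titles, ``not woking`` (T5542) and ``caues`` (T5536); as the header says these files are produced by `_ext/releasenotes.py`, fix the titles in the tracker rather than hand-editing the output, or the next regeneration brings them back. Separately, T5502 (``Firewall - wrong parser for inbound and/or outbound interface``) changes the parser for exactly the ``inbound-interface interface-name`` syntax the quick-start rewrite in this commit uses; worth checking that the quick-start examples were written against the post-T5502 parser.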
diff --git a/docs/configexamples/zone-policy.rst b/docs/configexamples/zone-policy.rst
index 90de8b24..08db13b9 100644
--- a/docs/configexamples/zone-policy.rst
+++ b/docs/configexamples/zone-policy.rst
@@ -5,6 +5,16 @@
Zone-Policy example
-------------------
+.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall
+ structure can be found on all vyos instalations, and zone based firewall is
+ no longer supported. Documentation for most of the new firewall CLI can be
+ found in the `firewall
+ <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_
+ chapter. The legacy firewall is still available for versions before
+ 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy`
+ chapter. The examples in this section use the legacy firewall configuration
+ commands, since this feature has been removed in earlier releases.
+
.. note:: In :vytask:`T2199` the syntax of the zone configuration was changed.
The zone configuration moved from ``zone-policy zone <name>`` to ``firewall
zone <name>``.
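Review bot: the last sentence of the new note contradicts its first sentence. It says the examples use the legacy commands "since this feature has been removed in earlier releases", while the note opens by saying zone-based firewall is unsupported starting from 1.4-rolling-202308040557, i.e. it was removed in later releases. Suggest "since this feature was removed from 1.4-rolling-202308040557 onward". Also fix "instalations" to "installations", and prefer a ``:ref:`` to the general firewall page over the absolute docs.vyos.io URL, which sends readers to ``latest`` regardless of the version they are viewing.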
diff --git a/docs/configuration/firewall/general-legacy.rst b/docs/configuration/firewall/general-legacy.rst
index de91e54b..2e6b0061 100644
--- a/docs/configuration/firewall/general-legacy.rst
+++ b/docs/configuration/firewall/general-legacy.rst
@@ -1,6 +1,6 @@
:lastproofread: 2021-06-29
-.. _firewall:
+.. _firewall-legacy:
###############
Firewall-Legacy
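Review bot: renaming the label ``_firewall`` to ``_firewall-legacy`` silently breaks every ``:ref:`firewall``` elsewhere in the tree unless the new general.rst defines ``_firewall``; only the seven files in the diffstat change here, so grep the rest of docs/ for ``:ref:`firewall``` before merging (Sphinx only warns on an undefined label and renders the link as plain text).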
@@ -8,7 +8,7 @@ Firewall-Legacy
.. note:: **Important note:**
This documentation is valid only for VyOS Sagitta prior to
- 1.4-rolling-YYYYMMDDHHmm
+ 1.4-rolling-202308040557
********
Overview
@@ -153,7 +153,7 @@ Groups
******
Firewall groups represent collections of IP addresses, networks, ports,
-mac addresses or domains. Once created, a group can be referenced by
+mac addresses or domains. Once created, a group can be referenced by
firewall, nat and policy route rules as either a source or destination
matcher. Members can be added or removed from a group without changes to,
or the need to reload, individual firewall rules.
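Review bot: the removed and added lines starting ``mac addresses or domains. Once created, a group can be referenced by`` are identical as rendered, so this is a whitespace-only change (trailing space). It is unrelated to the firewall-note changes in this commit; either drop it or mention it in the commit description so it does not read as an accidental edit.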
diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst
index 6afd47e9..70ad7b65 100644
--- a/docs/configuration/firewall/zone.rst
+++ b/docs/configuration/firewall/zone.rst
@@ -6,6 +6,16 @@
Zone Based Firewall
###################
+.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall
+ structure can be found on all vyos instalations, and zone based firewall is
+ no longer supported. Documentation for most of the new firewall CLI can be
+ found in the `firewall
+ <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_
+ chapter. The legacy firewall is still available for versions before
+ 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy`
+ chapter. The examples in this section use the legacy firewall configuration
+ commands, since this feature has been removed in earlier releases.
+
.. note:: For latest releases, refer the `firewall
<https://docs.vyos.io/en/latest/configuration/firewall/general.html#interface-groups>`_
main page to configure zone based rules. New syntax was introduced here
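Review bot: the new note duplicates the note directly below it (``For latest releases, refer the firewall main page``), so the page now opens with two consecutive admonitions saying the same thing; merge them into one. The same wording problems as in zone-policy.rst are here too: "instalations", and "removed in earlier releases" where the text means later releases (from 1.4-rolling-202308040557 onward).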
diff --git a/docs/quick-start.rst b/docs/quick-start.rst
index 19be7b66..a6055576 100644
--- a/docs/quick-start.rst
+++ b/docs/quick-start.rst
@@ -122,6 +122,15 @@ network via IP masquerade.
Firewall
########
+.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall
+ structure can be found on all vyos instalations. Documentation for most
+ of the new firewall CLI can be found in the `firewall
+ <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_
+ chapter. The legacy firewall is still available for versions before
+ 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy`
+ chapter. The examples in this section use the new firewall configuration
+ commands.
+
Add a set of firewall policies for our outside/WAN interface.
This configuration creates a proper stateful firewall that blocks all traffic
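Review bot: "instalations" should be "installations". The unchanged sentence after the note, "Add a set of firewall policies for our outside/WAN interface", no longer matches the example that follows, which defines global ``ipv4 forward filter`` and ``ipv4 input filter`` base chains rather than per-interface policies; reword it to say the chains apply to all traffic and that the ``inbound-interface`` matches inside the rules (eth1 on forward rule 30, eth0 on input rule 40) are what tie them to LAN and WAN.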
@@ -129,19 +138,25 @@ which was not initiated from the internal/LAN side first.
.. code-block:: none
- set firewall name OUTSIDE-IN default-action 'drop'
- set firewall name OUTSIDE-IN rule 10 action 'accept'
- set firewall name OUTSIDE-IN rule 10 state established 'enable'
- set firewall name OUTSIDE-IN rule 10 state related 'enable'
-
- set firewall name OUTSIDE-LOCAL default-action 'drop'
- set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
- set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
- set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
- set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
- set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
- set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
- set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
+ set firewall ipv4 forward filter default-action 'drop'
+ set firewall ipv4 forward filter rule 10 action 'accept'
+ set firewall ipv4 forward filter rule 10 state established 'enable'
+ set firewall ipv4 forward filter rule 10 state related 'enable'
+ set firewall ipv4 forward filter rule 20 action 'drop'
+ set firewall ipv4 forward filter rule 20 state invalid 'enable'
+ set firewall ipv4 forward filter rule 30 inbound-interface interface-name 'eth1'
+ set firewall ipv4 forward filter rule 30 action 'accept'
+
+ set firewall ipv4 input filter default-action drop
+ set firewall ipv4 input filter rule 10 action 'accept'
+ set firewall ipv4 input filter rule 10 state established 'enable'
+ set firewall ipv4 input filter rule 10 state related 'enable'
+ set firewall ipv4 input filter rule 20 action 'drop'
+ set firewall ipv4 input filter rule 20 state invalid 'enable'
+ set firewall ipv4 input filter rule 30 action 'accept'
+ set firewall ipv4 input filter rule 30 icmp type-name 'echo-request'
+ set firewall ipv4 input filter rule 30 protocol 'icmp'
+ set firewall ipv4 input filter rule 30 state new 'enable'
If you wanted to enable SSH access to your firewall from the outside/WAN
interface, you could create some additional rules to allow that kind of
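Review bot: the new ``input filter`` chain is not scoped to the WAN interface the way the removed ``OUTSIDE-LOCAL`` policy was (it used to be attached only with ``set firewall interface eth0 local name 'OUTSIDE-LOCAL'``). With ``default-action drop`` and no ``inbound-interface`` match on rules 10 to 30, every new connection to the router itself from the LAN on eth1 is now dropped as well, except ICMP echo-request; the forward chain covers the LAN with ``rule 30 inbound-interface interface-name 'eth1'`` but the input chain has no equivalent. Either add an accept for eth1 to the input chain, e.g. ``set firewall ipv4 input filter rule 5 inbound-interface interface-name 'eth1'`` plus ``set firewall ipv4 input filter rule 5 action 'accept'``, or state in the text that the router is locked down from the LAN too. Minor: ``set firewall ipv4 input filter default-action drop`` lacks the quotes used on every other value in the block.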
@@ -152,24 +167,19 @@ blocks brute-forcing attempts:
.. code-block:: none
- set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
- set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
- set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
- set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
- set firewall name OUTSIDE-LOCAL rule 30 recent time 'minute'
- set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
-
- set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
- set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
- set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
- set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
+ set firewall ipv4 input filter rule 40 action 'drop'
+ set firewall ipv4 input filter rule 40 inbound-interface interface-name 'eth0'
+ set firewall ipv4 input filter rule 40 destination port '22'
+ set firewall ipv4 input filter rule 40 protocol 'tcp'
+ set firewall ipv4 input filter rule 40 recent count '4'
+ set firewall ipv4 input filter rule 40 recent time 'minute'
+ set firewall ipv4 input filter rule 40 state new 'enable'
-Apply the firewall policies:
-
-.. code-block:: none
+ set firewall ipv4 input filter rule 41 action 'accept'
+ set firewall ipv4 input filter rule 41 destination port '22'
+ set firewall ipv4 input filter rule 41 protocol 'tcp'
+ set firewall ipv4 input filter rule 41 state new 'enable'
- set firewall interface eth0 in name 'OUTSIDE-IN'
- set firewall interface eth0 local name 'OUTSIDE-LOCAL'
Commit changes, save the configuration, and exit configuration mode:
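Review bot: rule 40 (the ``recent count '4'`` brute-force throttle) is restricted to ``inbound-interface interface-name 'eth0'`` but the accept in rule 41 is not, so rule 41 admits new SSH connections from every interface while the rate limit protects only the WAN. That may be the intended outcome (unthrottled LAN SSH), but it is a change from the removed ``OUTSIDE-LOCAL`` rules, which only ever applied on eth0; either add the same ``inbound-interface`` match to rule 41 or say in the text that SSH is now reachable from all interfaces. Also, the removed "Apply the firewall policies" step should be replaced with a sentence explaining that ``ipv4 input filter`` and ``ipv4 forward filter`` are base chains that take effect on commit without being attached to an interface, since readers migrating from ``set firewall interface eth0 in name ...`` will look for that step.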