Diffstat (limited to 'docs')
-rw-r--r-- docs/404.rst 3
m--------- docs/_include/vyos-1x 0
-rw-r--r-- docs/_templates/layout.html 2
-rw-r--r-- docs/automation/command-scripting.rst 2
-rw-r--r-- docs/changelog/1.3.rst 19
-rw-r--r-- docs/changelog/1.4.rst 72
-rw-r--r-- docs/changelog/1.5.rst 70
-rw-r--r-- docs/cli.rst 29
-rw-r--r-- docs/configexamples/autotest/Wireguard/Wireguard.rst 2
-rw-r--r-- docs/configexamples/ha.rst 2
-rw-r--r-- docs/configexamples/policy-based-ipsec-and-firewall.rst 4
-rw-r--r-- docs/configuration/highavailability/index.rst 2
-rw-r--r-- docs/configuration/nat/nat44.rst 2
-rw-r--r-- docs/configuration/pki/index.rst 4
-rw-r--r-- docs/configuration/service/https.rst 13
-rw-r--r-- docs/configuration/vpn/l2tp.rst 2
-rw-r--r-- docs/configuration/vpn/site2site_ipsec.rst 4
-rw-r--r-- docs/configuration/vrf/index.rst 4
-rw-r--r-- docs/quick-start.rst 34
19 files changed, 211 insertions, 59 deletions
diff --git a/docs/404.rst b/docs/404.rst
index 5073773a..2ae79f2e 100644
--- a/docs/404.rst
+++ b/docs/404.rst
@@ -8,4 +8,5 @@ Try using the search box or go to the release homepage:
* `1.2.x (crux) <https://docs.vyos.io/en/crux/>`_
* `1.3.x (equuleus) <https://docs.vyos.io/en/equuleus/>`_
- * `rolling release (sagitta) <https://docs.vyos.io/en/latest/>`_
+ * `1.4.x (sagitta) <https://docs.vyos.io/en/sagitta/>`_
+ * `rolling release (circinus) <https://docs.vyos.io/en/latest/>`_
diff --git a/docs/_include/vyos-1x b/docs/_include/vyos-1x
-Subproject fd9e2c24e739fd327f860c45fa00241fd1acca7
+Subproject cd19b9d6b0c21a5d07a9f5a98e5e90d09d8d4cc
diff --git a/docs/_templates/layout.html b/docs/_templates/layout.html
index e7ede58c..6cb68508 100644
--- a/docs/_templates/layout.html
+++ b/docs/_templates/layout.html
@@ -1,5 +1,5 @@
{% extends "!layout.html" %}
-{%- set current_version = "1.4.x sagitta" %}
+{%- set current_version = "1.5.x circinus" %}
{% block extrahead %}
<link href="{{ pathto("_static/css/custom.css", True) }}" rel="stylesheet" type="text/css">
<link href="{{ pathto("_static/css/datatables.css", True) }}" rel="stylesheet" type="text/css">
diff --git a/docs/automation/command-scripting.rst b/docs/automation/command-scripting.rst
index 64564e5a..c8a72a36 100644
--- a/docs/automation/command-scripting.rst
+++ b/docs/automation/command-scripting.rst
@@ -94,7 +94,7 @@ Here is a simple example:
#!/bin/vbash
source /opt/vyatta/etc/functions/script-template
configure
- source < /config/scripts/setfirewallgroup.py
+ source <(/config/scripts/setfirewallgroup.py)
commit
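Review bot: with `source <(/config/scripts/setfirewallgroup.py)` the script is executed and everything it prints is run as configuration commands ahead of `commit`, but the example does not say so. The surrounding text should state that the script must be executable and that its output is applied verbatim, and recommend keeping the file writable only by administrators.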
diff --git a/docs/changelog/1.3.rst b/docs/changelog/1.3.rst
index c5192eab..5ce9f5cf 100644
--- a/docs/changelog/1.3.rst
+++ b/docs/changelog/1.3.rst
@@ -8,6 +8,25 @@
_ext/releasenotes.py
+2023-11-15
+==========
+
+* :vytask:`T5661` ``(enhancment): Add show show ssh dynamic-protection attacker and show log ssh dynamic-protection``
+* :vytask:`T1276` ``(bug): dhcp relay + VLAN fails``
+
+
+2023-11-07
+==========
+
+* :vytask:`T5586` ``(feature): Disable by default SNMP for Keepalived VRRP``
+
+
+2023-11-06
+==========
+
+* :vytask:`T4269` ``(feature): node.def generator should automatically add default values``
+
+
2023-10-26
==========
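Review bot: the T5661 entry under 2023-11-15 carries two typos, `(enhancment)` and the doubled `show show ssh dynamic-protection attacker`. The context line points at `_ext/releasenotes.py`, so if this file is generated the correction belongs in the task's category and title rather than in the .rst, otherwise the next regeneration brings it back.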
diff --git a/docs/changelog/1.4.rst b/docs/changelog/1.4.rst
index 86b201df..96bdae15 100644
--- a/docs/changelog/1.4.rst
+++ b/docs/changelog/1.4.rst
@@ -8,6 +8,78 @@
_ext/releasenotes.py
+2023-11-18
+==========
+
+* :vytask:`T1354` ``(feature): Add support for VLAN-Aware bridges``
+
+
+2023-11-16
+==========
+
+* :vytask:`T5726` ``(bug): HTTPS API image cannot be updated``
+* :vytask:`T5738` ``(feature): Extend XML building blocks``
+* :vytask:`T5736` ``(feature): igmp: migrate "protocols igmp" to "protocols pim"``
+* :vytask:`T5733` ``(feature): pim(6): rewrite FRR PIM daemon configuration to get_config_dict() and add missing IGMP features``
+* :vytask:`T5689` ``(default): FRR 9.0.1 in VyOS current segfaults on show rpki prefix $prefix``
+* :vytask:`T5595` ``(feature): Multicast - PIM bfd feature enable``
+* :vytask:`T3638` ``(bug): Passwords With Dollar Sign Set Incorrectly``
+
+
+2023-11-15
+==========
+
+* :vytask:`T5695` ``(feature): Build FRR with LUA scripts --enable-scripting option``
+* :vytask:`T5665` ``(bug): radius user not working``
+* :vytask:`T5728` ``(bug): Improve compatibility between OpenVPN on VyOS 1.5 and OpenVPN Connect Client``
+* :vytask:`T5732` ``(bug): generate firewall rule-resequence drops geoip country-code from output``
+* :vytask:`T5661` ``(enhancment): Add show show ssh dynamic-protection attacker and show log ssh dynamic-protection``
+* :vytask:`T1276` ``(bug): dhcp relay + VLAN fails``
+
+
+2023-11-13
+==========
+
+* :vytask:`T5698` ``(feature): EVPN ESI Multihoming``
+* :vytask:`T5563` ``(bug): container: Container environment variable cannot be set``
+* :vytask:`T5706` ``(bug): Systemd-udevd high CPU utilization for multiple dynamic ppp/l2tp/ipoe interfaces``
+
+
+2023-11-10
+==========
+
+* :vytask:`T5727` ``(bug): validator: Use native URL validator instead of regex-based validator``
+
+
+2023-11-08
+==========
+
+* :vytask:`T5720` ``(bug): PPPoE-server adding new interface does not work``
+* :vytask:`T5716` ``(bug): PPPoE-server shaper template bug down-limiter option does not rely on fwmark``
+* :vytask:`T5702` ``(feature): Add ability to set include_ifmib_iface_prefix and ifmib_max_num_ifaces for SNMP``
+* :vytask:`T5648` ``(bug): ldpd neighbour template errors``
+* :vytask:`T5564` ``(bug): Both show firewall group and show firewall summary fails``
+* :vytask:`T5559` ``(feature): Selective proxy-arp/proxy-ndp when doing SNAT/DNAT``
+* :vytask:`T5541` ``(bug): Zone-Based Firewalling in VyOS Sagitta 1.4``
+* :vytask:`T5513` ``(bug): Anomalies in show firewall command after refactoring``
+* :vytask:`T4864` ``(bug): `show firewall` command errors``
+
+
+2023-11-07
+==========
+
+* :vytask:`T5586` ``(feature): Disable by default SNMP for Keepalived VRRP``
+
+
+2023-11-06
+==========
+
+* :vytask:`T5705` ``(bug): rsyslog - Not working when using facility=all``
+* :vytask:`T5704` ``(feature): PPPoE-server add max-starting option``
+* :vytask:`T5707` ``(bug): Wireguard peer public key update leaves redundant peers and breaks connectivity``
+* :vytask:`T4269` ``(feature): node.def generator should automatically add default values``
+
+
2023-11-05
==========
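Review bot: the T5541 entry under 2023-11-08 reads only `(bug): Zone-Based Firewalling in VyOS Sagitta 1.4`, which names an area rather than a defect. For a firewall change, a reader deciding whether to upgrade cannot tell what behaviour was wrong or what was fixed; a title that states the symptom would make this line useful.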
diff --git a/docs/changelog/1.5.rst b/docs/changelog/1.5.rst
index 3cb54a85..145cf648 100644
--- a/docs/changelog/1.5.rst
+++ b/docs/changelog/1.5.rst
@@ -8,6 +8,74 @@
_ext/releasenotes.py
+2023-11-18
+==========
+
+* :vytask:`T1354` ``(feature): Add support for VLAN-Aware bridges``
+
+
+2023-11-16
+==========
+
+* :vytask:`T5726` ``(bug): HTTPS API image cannot be updated``
+* :vytask:`T5738` ``(feature): Extend XML building blocks``
+* :vytask:`T5736` ``(feature): igmp: migrate "protocols igmp" to "protocols pim"``
+* :vytask:`T5733` ``(feature): pim(6): rewrite FRR PIM daemon configuration to get_config_dict() and add missing IGMP features``
+* :vytask:`T5689` ``(default): FRR 9.0.1 in VyOS current segfaults on show rpki prefix $prefix``
+* :vytask:`T5595` ``(feature): Multicast - PIM bfd feature enable``
+
+
+2023-11-15
+==========
+
+* :vytask:`T5695` ``(feature): Build FRR with LUA scripts --enable-scripting option``
+* :vytask:`T5677` ``(bug): show lldp neighbors generates TypeError when neighbor has no `descr```
+* :vytask:`T5728` ``(bug): Improve compatibility between OpenVPN on VyOS 1.5 and OpenVPN Connect Client``
+* :vytask:`T5732` ``(bug): generate firewall rule-resequence drops geoip country-code from output``
+* :vytask:`T5661` ``(enhancment): Add show show ssh dynamic-protection attacker and show log ssh dynamic-protection``
+
+
+2023-11-13
+==========
+
+* :vytask:`T5698` ``(feature): EVPN ESI Multihoming``
+* :vytask:`T5563` ``(bug): container: Container environment variable cannot be set``
+* :vytask:`T5706` ``(bug): Systemd-udevd high CPU utilization for multiple dynamic ppp/l2tp/ipoe interfaces``
+
+
+2023-11-10
+==========
+
+* :vytask:`T5727` ``(bug): validator: Use native URL validator instead of regex-based validator``
+
+
+2023-11-08
+==========
+
+* :vytask:`T5720` ``(bug): PPPoE-server adding new interface does not work``
+* :vytask:`T5716` ``(bug): PPPoE-server shaper template bug down-limiter option does not rely on fwmark``
+* :vytask:`T5702` ``(feature): Add ability to set include_ifmib_iface_prefix and ifmib_max_num_ifaces for SNMP``
+* :vytask:`T5693` ``(feature): Adding variable vyos_persistence_dir (and improve variable vyos_rootfs_dir)``
+* :vytask:`T5648` ``(bug): ldpd neighbour template errors``
+* :vytask:`T5564` ``(bug): Both show firewall group and show firewall summary fails``
+* :vytask:`T5559` ``(feature): Selective proxy-arp/proxy-ndp when doing SNAT/DNAT``
+* :vytask:`T5541` ``(bug): Zone-Based Firewalling in VyOS Sagitta 1.4``
+
+
+2023-11-07
+==========
+
+* :vytask:`T5586` ``(feature): Disable by default SNMP for Keepalived VRRP``
+
+
+2023-11-06
+==========
+
+* :vytask:`T5705` ``(bug): rsyslog - Not working when using facility=all``
+* :vytask:`T5704` ``(feature): PPPoE-server add max-starting option``
+* :vytask:`T5707` ``(bug): Wireguard peer public key update leaves redundant peers and breaks connectivity``
+
+
2023-11-03
==========
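Review bot: the T5677 entry under 2023-11-15 ends in three backticks, because the task title quotes descr in single backticks directly before the closing double backtick of the literal. Build the page and confirm the literal closes where intended; if it does not, the generator should escape backticks that come from task titles.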
@@ -58,7 +126,6 @@
2023-10-23
==========
-* :vytask:`T5637` ``(bug): Firewall default-action log``
* :vytask:`T5299` ``(bug): QoS shaper ceiling does not work``
* :vytask:`T5667` ``(feature): BGP label-unicast - enable ecmp``
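Review bot: the T5637 line (`(bug): Firewall default-action log`) is deleted from the 2023-10-23 section with no replacement anywhere in this diff. If the fix is no longer considered part of 1.5, say so in the commit message; otherwise the changelog loses its record of a change to firewall logging behaviour.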
@@ -194,7 +261,6 @@
* :vytask:`T5588` ``(bug): Add kernel conntrack_bridge module``
* :vytask:`T5241` ``(feature): Support veth interfaces to working with netns``
* :vytask:`T5592` ``(feature): salt: upgrade minion to 3005.2``
-* :vytask:`T5590` ``(default): Firewall "log enable" logs every packet``
2023-09-19
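Review bot: the T5590 line (`(default): Firewall "log enable" logs every packet`) is removed here in the same way as T5637 in the previous hunk. Both concern firewall logging, so it is worth confirming the removals are an intended result of regenerating the file and not entries dropped by a filter in the release-notes script.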
diff --git a/docs/cli.rst b/docs/cli.rst
index 2e5d55fc..ee9c49ed 100644
--- a/docs/cli.rst
+++ b/docs/cli.rst
@@ -858,24 +858,27 @@ be ``config.boot-hostname.YYYYMMDD_HHMMSS``.
.. cfgcmd:: set system config-management commit-archive location <URI>
- Specify remote location of commit archive as any of the below
- :abbr:`URI (Uniform Resource Identifier)`
+ Specify remote location of commit archive as any of the below
+ :abbr:`URI (Uniform Resource Identifier)`
- * ``scp://<user>:<passwd>@<host>:/<dir>``
- * ``sftp://<user>:<passwd>@<host>/<dir>``
- * ``ftp://<user>:<passwd>@<host>/<dir>``
- * ``tftp://<host>/<dir>``
+ * ``http://<user>:<passwd>@<host>:/<dir>``
+ * ``https://<user>:<passwd>@<host>:/<dir>``
+ * ``ftp://<user>:<passwd>@<host>/<dir>``
+ * ``sftp://<user>:<passwd>@<host>/<dir>``
+ * ``scp://<user>:<passwd>@<host>:/<dir>``
+ * ``tftp://<host>/<dir>``
+ * ``git+https://<user>:<passwd>@<host>/<path>``
-.. note:: The number of revisions don't affect the commit-archive.
+ .. note:: The number of revisions don't affect the commit-archive.
-.. note:: You may find VyOS not allowing the secure connection because
- it cannot verify the legitimacy of the remote server. You can use
- the workaround below to quickly add the remote host's SSH
- fingerprint to your ``~/.ssh/known_hosts`` file:
+ .. note:: You may find VyOS not allowing the secure connection because
+ it cannot verify the legitimacy of the remote server. You can use
+ the workaround below to quickly add the remote host's SSH
+ fingerprint to your ``~/.ssh/known_hosts`` file:
- .. code-block:: none
+ .. code-block:: none
- vyos@vyos# ssh-keyscan <host> >> ~/.ssh/known_hosts
+ vyos@vyos# ssh-keyscan <host> >> ~/.ssh/known_hosts
Saving and loading manually
---------------------------
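Review bot: the new `http://` and `https://` entries keep the `:/` separator after `<host>` (`http://<user>:<passwd>@<host>:/<dir>`), which looks copied from the scp form; `<host>/<dir>`, as in the ftp and sftp lines, would be clearer. Now that more schemes in this list carry `<user>:<passwd>` in the URI, the section should also state that http, ftp and tftp transfer the archive unencrypted (and, for http and ftp, the credentials too) and that the password is stored as part of the configuration value. The re-indented ssh-keyscan note still appends whatever key the host presents to `~/.ssh/known_hosts` without checking it; a sentence telling the reader to compare the fingerprint with one obtained out of band would fit here.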
diff --git a/docs/configexamples/autotest/Wireguard/Wireguard.rst b/docs/configexamples/autotest/Wireguard/Wireguard.rst
index 93092afe..7e287bcf 100644
--- a/docs/configexamples/autotest/Wireguard/Wireguard.rst
+++ b/docs/configexamples/autotest/Wireguard/Wireguard.rst
@@ -44,7 +44,7 @@ After this, the public key can be displayed, to save for later.
.. code-block:: none
- vyos@central:~$ generate pki wireguard
+ vyos@central:~$ generate pki wireguard key-pair
Private key: cMNGHtb5dW92ORG3HS8JJlvQF8pmVGt2Ydny8hTBLnY=
Public key: WyfLCTXi31gL+YbYOwoAHCl2RgS+y56cYHEK6pQsTQ8=
diff --git a/docs/configexamples/ha.rst b/docs/configexamples/ha.rst
index 1ceda8e9..1badf231 100644
--- a/docs/configexamples/ha.rst
+++ b/docs/configexamples/ha.rst
@@ -303,7 +303,7 @@ public interface.
.. code-block:: none
set nat source rule 10 destination address '!192.0.2.0/24'
- set nat source rule 10 outbound-interface 'eth0.50'
+ set nat source rule 10 outbound-interface name 'eth0.50'
set nat source rule 10 source address '10.200.201.0/24'
set nat source rule 10 translation address '203.0.113.1'
diff --git a/docs/configexamples/policy-based-ipsec-and-firewall.rst b/docs/configexamples/policy-based-ipsec-and-firewall.rst
index 1f969453..9b7ba73a 100644
--- a/docs/configexamples/policy-based-ipsec-and-firewall.rst
+++ b/docs/configexamples/policy-based-ipsec-and-firewall.rst
@@ -194,9 +194,9 @@ And NAT Configuration:
set nat source rule 10 destination group network-group 'REMOTE-NETS'
set nat source rule 10 exclude
- set nat source rule 10 outbound-interface 'eth0'
+ set nat source rule 10 outbound-interface name 'eth0'
set nat source rule 10 source group network-group 'LOCAL-NETS'
- set nat source rule 20 outbound-interface 'eth0'
+ set nat source rule 20 outbound-interface name 'eth0'
set nat source rule 20 source group network-group 'LOCAL-NETS'
set nat source rule 20 translation address 'masquerade'
diff --git a/docs/configuration/highavailability/index.rst b/docs/configuration/highavailability/index.rst
index 2f20e783..7f06faa8 100644
--- a/docs/configuration/highavailability/index.rst
+++ b/docs/configuration/highavailability/index.rst
@@ -450,7 +450,7 @@ Port "0" is required if multiple ports are used.
set high-availability virtual-server vyos real-server 192.0.2.12 health-check script '/config/scripts/check-real-server-second.sh'
set high-availability virtual-server vyos real-server 192.0.2.12 port '0'
- set nat source rule 100 outbound-interface 'eth0'
+ set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 source address '192.0.2.0/24'
set nat source rule 100 translation address 'masquerade'
diff --git a/docs/configuration/nat/nat44.rst b/docs/configuration/nat/nat44.rst
index b42c6cfe..98b230a9 100644
--- a/docs/configuration/nat/nat44.rst
+++ b/docs/configuration/nat/nat44.rst
@@ -663,7 +663,7 @@ We will use source and destination address for hash generation.
.. code-block:: none
- set nat destination rule 10 inbound-interface inbound-interface eth0
+ set nat destination rule 10 inbound-interface name eth0
set nat destination rule 10 protocol tcp
set nat destination rule 10 destination port 80
set nat destination rule 10 load-balance hash source-address
diff --git a/docs/configuration/pki/index.rst b/docs/configuration/pki/index.rst
index e83272f5..66ad84a3 100644
--- a/docs/configuration/pki/index.rst
+++ b/docs/configuration/pki/index.rst
@@ -148,11 +148,11 @@ WireGuard
``interface`` is used for the VyOS CLI command to identify the WireGuard
interface where this private key is to be used.
-.. opcmd:: generate pki wireguard pre-shared-key
+.. opcmd:: generate pki wireguard preshared-key
Generate a WireGuard pre-shared secret used for peers to communicate.
-.. opcmd:: generate pki wireguard pre-shared-key install <peer>
+.. opcmd:: generate pki wireguard preshared-key install <peer>
Generate a WireGuard pre-shared secret used for peers to communicate.
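Review bot: after the rename, both `generate pki wireguard preshared-key` and `generate pki wireguard preshared-key install <peer>` still share the identical description, so the page never says what `install <peer>` does differently. Add a sentence to the second entry describing where the generated secret ends up and what `<peer>` refers to.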
diff --git a/docs/configuration/service/https.rst b/docs/configuration/service/https.rst
index 08b16575..b767cb77 100644
--- a/docs/configuration/service/https.rst
+++ b/docs/configuration/service/https.rst
@@ -20,23 +20,14 @@ Configuration
.. cfgcmd:: set service https api debug
- To enable debug messages. Available via :opcmd:`show log` or
+ To enable debug messages. Available via :opcmd:`show log` or
:opcmd:`monitor log`
-.. cfgcmd:: set service https api port
-
- Set the listen port of the local API, this has no effect on the
- webserver. The default is port 8080
-
-.. cfgcmd:: set service https api socket
-
- Use local socket for API
-
.. cfgcmd:: set service https api strict
Enforce strict path checking
-.. cfgcmd:: set service https virtual-host <vhost> listen-address
+.. cfgcmd:: set service https virtual-host <vhost> listen-address
<ipv4 or ipv6 address>
Address to listen for HTTPS requests
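Review bot: the `set service https api port` and `set service https api socket` entries are dropped with no replacement text, so this page no longer tells the reader where the API listens or what to do with an existing configuration that set the port (the removed text gave 8080 as the default). Add a short note stating what replaces these options or that they were removed, since the listening endpoint of the API is something operators need in order to write firewall rules for it.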
diff --git a/docs/configuration/vpn/l2tp.rst b/docs/configuration/vpn/l2tp.rst
index 6ea1cc7d..26de47b3 100644
--- a/docs/configuration/vpn/l2tp.rst
+++ b/docs/configuration/vpn/l2tp.rst
@@ -60,7 +60,7 @@ To allow VPN-clients access via your external address, a NAT rule is required:
.. code-block:: none
- set nat source rule 110 outbound-interface 'eth0'
+ set nat source rule 110 outbound-interface name 'eth0'
set nat source rule 110 source address '192.168.255.0/24'
set nat source rule 110 translation address masquerade
diff --git a/docs/configuration/vpn/site2site_ipsec.rst b/docs/configuration/vpn/site2site_ipsec.rst
index 2b3403f5..8c0af774 100644
--- a/docs/configuration/vpn/site2site_ipsec.rst
+++ b/docs/configuration/vpn/site2site_ipsec.rst
@@ -245,13 +245,13 @@ If there is SNAT rules on eth1, need to add exclude rule
# server side
set nat source rule 10 destination address '10.0.0.0/24'
set nat source rule 10 'exclude'
- set nat source rule 10 outbound-interface 'eth1'
+ set nat source rule 10 outbound-interface name 'eth1'
set nat source rule 10 source address '192.168.0.0/24'
# remote office side
set nat source rule 10 destination address '192.168.0.0/24'
set nat source rule 10 'exclude'
- set nat source rule 10 outbound-interface 'eth1'
+ set nat source rule 10 outbound-interface name 'eth1'
set nat source rule 10 source address '10.0.0.0/24'
To allow traffic to pass through to clients, you need to add the following
diff --git a/docs/configuration/vrf/index.rst b/docs/configuration/vrf/index.rst
index dea53321..7a50bfb2 100644
--- a/docs/configuration/vrf/index.rst
+++ b/docs/configuration/vrf/index.rst
@@ -295,11 +295,11 @@ Configuration
set nat destination rule 110 description 'NAT ssh- INSIDE'
set nat destination rule 110 destination port '2022'
- set nat destination rule 110 inbound-interface 'eth0'
+ set nat destination rule 110 inbound-interface name 'eth0'
set nat destination rule 110 protocol 'tcp'
set nat destination rule 110 translation address '192.168.130.40'
- set nat source rule 100 outbound-interface 'eth0'
+ set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 protocol 'all'
set nat source rule 100 source address '192.168.130.0/24'
set nat source rule 100 translation address 'masquerade'
diff --git a/docs/quick-start.rst b/docs/quick-start.rst
index a3927560..d20a39f9 100644
--- a/docs/quick-start.rst
+++ b/docs/quick-start.rst
@@ -114,7 +114,7 @@ network via IP masquerade.
.. code-block:: none
- set nat source rule 100 outbound-interface 'eth0'
+ set nat source rule 100 outbound-interface name 'eth0'
set nat source rule 100 source address '192.168.0.0/24'
set nat source rule 100 translation address masquerade
@@ -185,11 +185,11 @@ The chain we will create is called ``CONN_FILTER`` and has three rules:
set firewall ipv4 name CONN_FILTER default-action 'return'
set firewall ipv4 name CONN_FILTER rule 10 action 'accept'
- set firewall ipv4 name CONN_FILTER rule 10 state established 'enable'
- set firewall ipv4 name CONN_FILTER rule 10 state related 'enable'
+ set firewall ipv4 name CONN_FILTER rule 10 state established
+ set firewall ipv4 name CONN_FILTER rule 10 state related
set firewall ipv4 name CONN_FILTER rule 20 action 'drop'
- set firewall ipv4 name CONN_FILTER rule 20 state invalid 'enable'
+ set firewall ipv4 name CONN_FILTER rule 20 state invalid
Then, we can jump to the common chain from both the ``forward`` and ``input``
hooks as the first filtering rule in the respective chains:
@@ -212,16 +212,16 @@ creating rules on each hook's chain:
.. code-block:: none
set firewall ipv4 forward filter rule 5 action 'accept'
- set firewall ipv4 forward filter rule 5 state established 'enable'
- set firewall ipv4 forward filter rule 5 state related 'enable'
+ set firewall ipv4 forward filter rule 5 state established
+ set firewall ipv4 forward filter rule 5 state related
set firewall ipv4 forward filter rule 10 action 'drop'
- set firewall ipv4 forward filter rule 10 state invalid 'enable'
+ set firewall ipv4 forward filter rule 10 state invalid
set firewall ipv4 input filter rule 5 action 'accept'
- set firewall ipv4 input filter rule 5 state established 'enable'
- set firewall ipv4 input filter rule 5 state related 'enable'
+ set firewall ipv4 input filter rule 5 state established
+ set firewall ipv4 input filter rule 5 state related
set firewall ipv4 input filter rule 10 action 'drop'
- set firewall ipv4 input filter rule 10 state invalid 'enable'
+ set firewall ipv4 input filter rule 10 state invalid
Block Incoming Traffic
----------------------
@@ -241,7 +241,7 @@ group and is addressed to our local network.
set firewall ipv4 forward filter rule 100 action jump
set firewall ipv4 forward filter rule 100 jump-target OUTSIDE-IN
- set firewall ipv4 forward filter rule 100 inbound-interface interface-group WAN
+ set firewall ipv4 forward filter rule 100 inbound-interface group WAN
set firewall ipv4 forward filter rule 100 destination group network-group NET-INSIDE-v4
We should also block all traffic destinated to the router itself that isn't
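Review bot: the trailing context line of this hunk has "destinated" in "block all traffic destinated to the router itself"; since the quick-start firewall section is being touched throughout this change, fix it to "destined" in the same commit.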
@@ -285,17 +285,17 @@ interface group to 4 per minute:
.. code-block:: none
set firewall ipv4 name VyOS_MANAGEMENT rule 15 action 'accept'
- set firewall ipv4 name VyOS_MANAGEMENT rule 15 inbound-interface interface-group 'LAN'
+ set firewall ipv4 name VyOS_MANAGEMENT rule 15 inbound-interface group 'LAN'
set firewall ipv4 name VyOS_MANAGEMENT rule 20 action 'drop'
set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent count 4
set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent time minute
- set firewall ipv4 name VyOS_MANAGEMENT rule 20 state new enable
- set firewall ipv4 name VyOS_MANAGEMENT rule 20 inbound-interface interface-group 'WAN'
+ set firewall ipv4 name VyOS_MANAGEMENT rule 20 state new
+ set firewall ipv4 name VyOS_MANAGEMENT rule 20 inbound-interface group 'WAN'
set firewall ipv4 name VyOS_MANAGEMENT rule 21 action 'accept'
- set firewall ipv4 name VyOS_MANAGEMENT rule 21 state new enable
- set firewall ipv4 name VyOS_MANAGEMENT rule 21 inbound-interface interface-group 'WAN'
+ set firewall ipv4 name VyOS_MANAGEMENT rule 21 state new
+ set firewall ipv4 name VyOS_MANAGEMENT rule 21 inbound-interface group 'WAN'
Allow Access to Services
------------------------
@@ -309,7 +309,7 @@ all hosts on the ``NET-INSIDE-v4`` network:
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 icmp type-name 'echo-request'
set firewall ipv4 input filter rule 30 protocol 'icmp'
- set firewall ipv4 input filter rule 30 state new 'enable'
+ set firewall ipv4 input filter rule 30 state new
set firewall ipv4 input filter rule 40 action 'accept'
set firewall ipv4 input filter rule 40 destination port '53'