From be722bf1bd9b49666b1a632e07fc156f28ec225b Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Wed, 6 Mar 2024 08:45:01 -0300 Subject: Quickstart: manual backport to sagitta for firewall configuration in quickstart. --- docs/quick-start.rst | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/docs/quick-start.rst b/docs/quick-start.rst index d3291070..6935e951 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -141,7 +141,7 @@ networks, addresses, ports, and domains that describe different parts of our network. We can then use them for filtering within our firewall rulesets, allowing for more concise and readable configuration. -In this case, we will create two interface groups—a ``WAN`` group for our +In this case, we will create two interface groups — a ``WAN`` group for our interfaces connected to the public internet and a ``LAN`` group for the interfaces connected to our internal network. Additionally, we will create a network group, ``NET-INSIDE-v4``, that contains our internal subnet. @@ -156,7 +156,7 @@ Configure Stateful Packet Filtering ----------------------------------- With the new firewall structure, we have have a lot of flexibility in how we -group and order our rules, as shown by the two alternative approaches below. +group and order our rules, as shown by the three alternative approaches below. Option 1: Global State Policies ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ @@ -212,12 +212,11 @@ hooks as the first filtering rule in the respective chains: set firewall ipv4 input filter rule 10 action 'jump' set firewall ipv4 input filter rule 10 jump-target CONN_FILTER -Option 2: Per-Hook Chain +Option 3: Per-Hook Chain ^^^^^^^^^^^^^^^^^^^^^^^^ -Alternatively, instead of configuring the ``CONN_FILTER`` chain described above, -you can take the more traditional stateful connection filtering approach by -creating rules on each hook's chain: +Alternatively, you can take the more traditional stateful connection +filtering approach by creating rules on each base hook's chain: .. code-block:: none -- cgit v1.2.3