From 8214ffe4c61f6a14bddf2fed43bff915f2503c6f Mon Sep 17 00:00:00 2001 From: whyrlpool <26317568+whyrlpool@users.noreply.github.com> Date: Wed, 3 Jul 2024 17:26:08 +0100 Subject: proofread and update firewall docs --- docs/configuration/firewall/groups.rst | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) (limited to 'docs/configuration/firewall/groups.rst') diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst index 6111650a..fa32b98e 100644 --- a/docs/configuration/firewall/groups.rst +++ b/docs/configuration/firewall/groups.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-08 +:lastproofread: 2024-07-03 .. _firewall-groups-configuration: @@ -18,8 +18,7 @@ matcher, and/or as inbound/outbound in the case of interface group. Address Groups ============== -In an **address group** a single IP address or IP address ranges are -defined. +In an **address group** a single IP address or IP address range is defined. .. cfgcmd:: set firewall group address-group address [address | address range] @@ -43,7 +42,7 @@ Network Groups While **network groups** accept IP networks in CIDR notation, specific IP addresses can be added as a 32-bit prefix. If you foresee the need -to add a mix of addresses and networks, the network group is +to add a mix of addresses and networks, then a network group is recommended. .. cfgcmd:: set firewall group network-group network 
@@ -197,9 +196,9 @@ Commands used for this task are: .. cfgcmd:: set firewall ipv6 name rule <1-999999> add-address-to-group source-address address-group -Also, specific timeout can be defined per rule. In case rule gets a hit, -source or destinatination address will be added to the group, and this -element will remain in the group until timeout expires. If no timeout +Also, specific timeouts can be defined per rule. In case rule gets a hit, +a source or destinatination address will be added to the group, and this +element will remain in the group until the timeout expires. If no timeout is defined, then the element will remain in the group until next reboot, or until a new commit that changes firewall configuration is done. @@ -324,7 +323,7 @@ A 4 step port knocking example is shown next: set firewall ipv4 input filter rule 99 protocol 'tcp' set firewall ipv4 input filter rule 99 source group dynamic-address-group 'ALLOWED' -Before testing, we can check members of firewall groups: +Before testing, we can check the members of firewall groups: .. code-block:: none @@ -339,7 +338,7 @@ Before testing, we can check members of firewall groups: [edit] vyos@vyos# -With this configuration, in order to get ssh access to the router, user +With this configuration, in order to get ssh access to the router, the user needs to: 1. Generate a new TCP connection with destination port 9990. As shown next, @@ -390,7 +389,7 @@ a new entry was added to dynamic firewall group **ALLOWED** [edit] vyos@vyos# -4. Now user can connect through ssh to the router (assuming ssh is configured). +4. Now the user can connect through ssh to the router (assuming ssh is configured). ************** Operation-mode -- cgit v1.2.3
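Review bot: the timeout paragraph in the `@@ -197,9 +196,9 @@` hunk still carries the typo "destinatination" on the added line and the missing article in "In case rule gets a hit", which a proofreading commit should catch; suggest `Also, specific timeouts can be defined per rule. In case a rule gets a hit,` and `a source or destination address will be added to the group, and this`. The unchanged context line `until next reboot,` could also read "until the next reboot" to match the "until the timeout expires" wording added just above it.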
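Review bot: the added line `4. Now the user can connect through ssh to the router (assuming ssh is configured).` in the `@@ -390,7 +389,7 @@` hunk is longer than the roughly 80-column wrap the rest of this file keeps (the `@@ -339,7 +338,7 @@` hunk above deliberately breaks after "the user" for that reason); suggest moving the parenthetical onto a continuation line indented under the list item text so the rendered RST stays the same.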