From 63ff118d8a39db9979125014be8a4d0b2bbb34ed Mon Sep 17 00:00:00 2001 From: Nick Anderegg Date: Thu, 24 Aug 2023 12:14:31 -0400 Subject: quick-start: add notice about changes to firewall backend --- docs/configuration/firewall/general-legacy.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/firewall/general-legacy.rst b/docs/configuration/firewall/general-legacy.rst index 2e6b0061..783f655e 100644 --- a/docs/configuration/firewall/general-legacy.rst +++ b/docs/configuration/firewall/general-legacy.rst @@ -426,7 +426,7 @@ There are a lot of matching criteria against which the package can be tested. firewall as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses `_) - + This functions for both individual addresses and address groups. .. code-block:: none @@ -1048,4 +1048,4 @@ Update geoip database .. opcmd:: update geoip - Command used to update GeoIP database and firewall sets. \ No newline at end of file + Command used to update GeoIP database and firewall sets. -- cgit v1.2.3 From 1e8c862c55493799b51482cdc9d9eb8323784bff Mon Sep 17 00:00:00 2001 From: Nick Anderegg Date: Tue, 12 Sep 2023 21:36:25 -0400 Subject: chore: fix formatting and add linter comments --- docs/configuration/firewall/general-legacy.rst | 7 +++++-- docs/quick-start.rst | 4 ++-- 2 files changed, 7 insertions(+), 4 deletions(-) (limited to 'docs/configuration') diff --git a/docs/configuration/firewall/general-legacy.rst b/docs/configuration/firewall/general-legacy.rst index 783f655e..041dd8aa 100644 --- a/docs/configuration/firewall/general-legacy.rst +++ b/docs/configuration/firewall/general-legacy.rst 
@@ -424,11 +424,13 @@ There are a lot of matching criteria against which the package can be tested. An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 and a zone-based firewall as rules will remain valid if the IPv6 prefix changes and the host - portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses - `_) + portion of systems IPv6 address is static (for example, with SLAAC or + `tokenised IPv6 addresses + `_). This functions for both individual addresses and address groups. + .. stop_vyoslinter .. code-block:: none # Match any IPv6 address with the suffix ::0000:0000:0000:beef @@ -442,6 +444,7 @@ There are a lot of matching criteria against which the package can be tested. set firewall group ipv6-address-group WEBSERVERS address ::2000 set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff + .. start_vyoslinter .. cfgcmd:: set firewall name rule <1-999999> source fqdn .. cfgcmd:: set firewall name rule <1-999999> destination fqdn diff --git a/docs/quick-start.rst b/docs/quick-start.rst index 801089ee..221a8088 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -124,8 +124,8 @@ Firewall A new firewall structure—which uses the ``nftables`` backend, rather than ``iptables``—is available on all installations starting from VyOS ``1.4-rolling-202308040557``. The firewall supports creation of distinct, -interlinked chains for each -`Netfilter hook `_ +interlinked chains for each `Netfilter hook +`_ and allows for more granular control over the packet filtering process. .. note:: Documentation for most of the new firewall CLI can be found in -- cgit v1.2.3
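Review bot: Commit 63ff118d is titled "quick-start: add notice about changes to firewall backend", but the diff shown here touches only docs/configuration/firewall/general-legacy.rst: a one-line change next to the "tokenised IPv6 addresses" paragraph at @@ -426,7 +426,7 @@ and the missing end-of-file newline at @@ -1048,4 +1048,4 @@. Neither is related to the quick-start notice, so I would move these into a separate formatting commit, or at least mention them in the commit message, so the notice can be reviewed and reverted on its own.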
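Review bot: In the @@ -424,11 +424,13 @@ hunk of commit 1e8c862c, the re-wrapped line "portion of systems IPv6 address is static (for example, with SLAAC or" still lacks the possessive. Since the line is being rewritten anyway, change it to "portion of the system's IPv6 address is static". The following sentence, "This functions for both individual addresses and address groups.", would also read more naturally as "This works for both individual addresses and address groups."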
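Review bot: In the @@ -442,6 +444,7 @@ hunk of commit 1e8c862c, ".. start_vyoslinter" is added on the line directly after "set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff", and the hunk's line counts suggest there is no blank line between them. That command is the last line of the ".. code-block:: none" body, so the comment either gets pulled into the literal block (if indented like the commands) or ends the block without a blank line, which docutils reports as a warning. Add an empty line before ".. start_vyoslinter" and keep it at the same indentation as the ".. stop_vyoslinter" added in the previous hunk, then check that the rendered example does not contain the marker.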