From 63ff118d8a39db9979125014be8a4d0b2bbb34ed Mon Sep 17 00:00:00 2001 From: Nick Anderegg Date: Thu, 24 Aug 2023 12:14:31 -0400 Subject: quick-start: add notice about changes to firewall backend --- docs/configuration/firewall/general-legacy.rst | 4 +- docs/quick-start.rst | 73 ++++++++++++-------------- 2 files changed, 37 insertions(+), 40 deletions(-) (limited to 'docs') diff --git a/docs/configuration/firewall/general-legacy.rst b/docs/configuration/firewall/general-legacy.rst index 2e6b0061..783f655e 100644 --- a/docs/configuration/firewall/general-legacy.rst +++ b/docs/configuration/firewall/general-legacy.rst @@ -426,7 +426,7 @@ There are a lot of matching criteria against which the package can be tested. firewall as rules will remain valid if the IPv6 prefix changes and the host portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses `_) - + This functions for both individual addresses and address groups. .. code-block:: none @@ -1048,4 +1048,4 @@ Update geoip database .. opcmd:: update geoip - Command used to update GeoIP database and firewall sets. \ No newline at end of file + Command used to update GeoIP database and firewall sets. diff --git a/docs/quick-start.rst b/docs/quick-start.rst index a6055576..d14a43ca 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst 
@@ -122,14 +122,12 @@ network via IP masquerade. Firewall ######## -.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall - structure can be found on all vyos instalations. Documentation for most - of the new firewall CLI can be found in the `firewall - `_ - chapter. The legacy firewall is still available for versions before - 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` - chapter. The examples in this section use the new firewall configuration - commands. +.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be + found on all vyos instalations. Documentation for most of the new firewall CLI + can be found in the :ref:`firewall` chapter. The legacy firewall is still available + for versions before 1.4-rolling-202308040557 and can be found in the + :ref:`firewall-legacy` chapter. The examples in this section still use the + legacy firewall configuration options. Add a set of firewall policies for our outside/WAN interface. 
@@ -138,25 +136,19 @@ which was not initiated from the internal/LAN side first. .. code-block:: none - set firewall ipv4 forward filter default-action 'drop' - set firewall ipv4 forward filter rule 10 action 'accept' - set firewall ipv4 forward filter rule 10 state established 'enable' - set firewall ipv4 forward filter rule 10 state related 'enable' - set firewall ipv4 forward filter rule 20 action 'drop' - set firewall ipv4 forward filter rule 20 state invalid 'enable' - set firewall ipv4 forward filter rule 30 inbound-interface interface-name 'eth1' - set firewall ipv4 forward filter rule 30 action 'accept' - - set firewall ipv4 input filter default-action drop - set firewall ipv4 input filter rule 10 action 'accept' - set firewall ipv4 input filter rule 10 state established 'enable' - set firewall ipv4 input filter rule 10 state related 'enable' - set firewall ipv4 input filter rule 20 action 'drop' - set firewall ipv4 input filter rule 20 state invalid 'enable' - set firewall ipv4 input filter rule 30 action 'accept' - set firewall ipv4 input filter rule 30 icmp type-name 'echo-request' - set firewall ipv4 input filter rule 30 protocol 'icmp' - set firewall ipv4 input filter rule 30 state new 'enable' + set firewall name OUTSIDE-IN default-action 'drop' + set firewall name OUTSIDE-IN rule 10 action 'accept' + set firewall name OUTSIDE-IN rule 10 state established 'enable' + set firewall name OUTSIDE-IN rule 10 state related 'enable' + + set firewall name OUTSIDE-LOCAL default-action 'drop' + set firewall name OUTSIDE-LOCAL rule 10 action 'accept' + set firewall name OUTSIDE-LOCAL rule 10 state established 'enable' + set firewall name OUTSIDE-LOCAL rule 10 state related 'enable' + set firewall name OUTSIDE-LOCAL rule 20 action 'accept' + set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request' + set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp' + set firewall name OUTSIDE-LOCAL rule 20 state new 'enable' If you wanted to enable SSH access to 
your firewall from the outside/WAN interface, you could create some additional rules to allow that kind of @@ -167,19 +159,24 @@ blocks brute-forcing attempts: .. code-block:: none - set firewall ipv4 input filter rule 40 action 'drop' - set firewall ipv4 input filter rule 40 inbound-interface interface-name 'eth0' - set firewall ipv4 input filter rule 40 destination port '22' - set firewall ipv4 input filter rule 40 protocol 'tcp' - set firewall ipv4 input filter rule 40 recent count '4' - set firewall ipv4 input filter rule 40 recent time 'minute' - set firewall ipv4 input filter rule 40 state new 'enable' + set firewall name OUTSIDE-LOCAL rule 30 action 'drop' + set firewall name OUTSIDE-LOCAL rule 30 destination port '22' + set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp' + set firewall name OUTSIDE-LOCAL rule 30 recent count '4' + set firewall name OUTSIDE-LOCAL rule 30 recent time 'minute' + set firewall name OUTSIDE-LOCAL rule 30 state new 'enable' + + set firewall name OUTSIDE-LOCAL rule 31 action 'accept' + set firewall name OUTSIDE-LOCAL rule 31 destination port '22' + set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp' + set firewall name OUTSIDE-LOCAL rule 31 state new 'enable' - set firewall ipv4 input filter rule 41 action 'accept' - set firewall ipv4 input filter rule 41 destination port '22' - set firewall ipv4 input filter rule 41 protocol 'tcp' - set firewall ipv4 input filter rule 41 state new 'enable' +Apply the firewall policies: + +.. code-block:: none + set firewall interface eth0 in name 'OUTSIDE-IN' + set firewall interface eth0 local name 'OUTSIDE-LOCAL' Commit changes, save the configuration, and exit configuration mode: -- cgit v1.2.3
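Review bot: the two hunks in docs/configuration/firewall/general-legacy.rst (a trailing space on the blank line before "This functions for both individual addresses and address groups." and the missing newline at end of file after "Command used to update GeoIP database and firewall sets.") are whitespace-only and unrelated to the quick-start notice named in the subject line; consider moving them to a separate commit so the history for the legacy firewall chapter stays searchable.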
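Review bot: the rewritten note in the `@@ -122,14 +122,12 @@` hunk carries over two spelling errors from the old text; "vyos instalations" should read "VyOS installations". More importantly, the closing sentence now says the examples "still use the legacy firewall configuration options" immediately after stating that the legacy firewall is only available for versions before 1.4-rolling-202308040557, so a reader on the current rolling release will copy commands their version does not accept. Suggest making the version scope explicit, along the lines of "The examples in this section use the legacy firewall syntax and apply to releases before 1.4-rolling-202308040557; the :ref:`firewall` chapter shows the new-style commands." Also, the link changed from an explicit URL to :ref:`firewall`, so confirm a `.. _firewall:` label exists in the new firewall chapter, otherwise Sphinx reports an undefined label during the build.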
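Review bot: in the `@@ -138,25 +136,19 @@` hunk the restored legacy OUTSIDE-IN chain has no counterpart to the removed forward-filter rule 30 (`inbound-interface interface-name 'eth1'` accept) and no explicit `state invalid` drop like the removed rule 20. Both omissions are acceptable here, since OUTSIDE-IN is attached only to `eth0 in` later in the patch, so LAN-originated traffic never traverses it, and `default-action 'drop'` already discards invalid packets, but the prose above the block ("drop all traffic which was not initiated from the internal/LAN side first") is the only place that explains this; a sentence noting that the ruleset is applied per interface would help a reader comparing this block with the new-style version in the firewall chapter.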
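Review bot: in the `@@ -167,19 +159,24 @@` hunk, the added "Apply the firewall policies:" block shows `.. code-block:: none` immediately followed by the two indented `set firewall interface eth0 ...` lines with no blank line between them; docutils then treats the indented lines as directive arguments and the Sphinx build fails because `code-block` accepts at most one argument. Insert a blank line after the directive, as every other code block in this file has. The rule 30 / rule 31 pair itself looks right: rule 30 drops new SSH connections from a source that exceeds the `recent` threshold and rule 31 accepts the remainder, and dropping the `inbound-interface` match that the removed rule 40 had is correct because OUTSIDE-LOCAL is bound to eth0 only.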