diff options
| author | Robert Göhler <github@ghlr.de> | 2024-01-08 21:13:06 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-01-08 21:13:06 +0100 |
| commit | 1e0eda1e5741875859c4435d006809afb14de63b (patch) | |
| tree | 1d956e364775e9f08ede61423b0543e0ccbd9eac | |
| parent | 81a1d1910b81902839066db349fcb9a909825cf5 (diff) | |
| parent | 978261e479b800c7df6adb691fae1e0eac3878fd (diff) | |
| download | vyos-documentation-1e0eda1e5741875859c4435d006809afb14de63b.tar.gz vyos-documentation-1e0eda1e5741875859c4435d006809afb14de63b.zip | |
Merge pull request #1220 from vyos/mergify/bp/sagitta/pr-1217
Fix firewall syntax for refactor in PPPoE IPv6 example (backport #1217)
| -rw-r--r-- | docs/configexamples/pppoe-ipv6-basic.rst | 40 |
1 files changed, 22 insertions, 18 deletions
diff --git a/docs/configexamples/pppoe-ipv6-basic.rst b/docs/configexamples/pppoe-ipv6-basic.rst index f569d9c3..ad588def 100644 --- a/docs/configexamples/pppoe-ipv6-basic.rst +++ b/docs/configexamples/pppoe-ipv6-basic.rst @@ -89,24 +89,28 @@ To have basic protection while keeping IPv6 network functional, we need to: .. code-block:: none - set firewall ipv6-name WAN_IN default-action 'drop' - set firewall ipv6-name WAN_IN rule 10 action 'accept' - set firewall ipv6-name WAN_IN rule 10 state established 'enable' - set firewall ipv6-name WAN_IN rule 10 state related 'enable' - set firewall ipv6-name WAN_IN rule 20 action 'accept' - set firewall ipv6-name WAN_IN rule 20 protocol 'icmpv6' - set firewall ipv6-name WAN_LOCAL default-action 'drop' - set firewall ipv6-name WAN_LOCAL rule 10 action 'accept' - set firewall ipv6-name WAN_LOCAL rule 10 state established 'enable' - set firewall ipv6-name WAN_LOCAL rule 10 state related 'enable' - set firewall ipv6-name WAN_LOCAL rule 20 action 'accept' - set firewall ipv6-name WAN_LOCAL rule 20 protocol 'icmpv6' - set firewall ipv6-name WAN_LOCAL rule 30 action 'accept' - set firewall ipv6-name WAN_LOCAL rule 30 destination port '546' - set firewall ipv6-name WAN_LOCAL rule 30 protocol 'udp' - set firewall ipv6-name WAN_LOCAL rule 30 source port '547' - set interfaces pppoe pppoe0 firewall in ipv6-name 'WAN_IN' - set interfaces pppoe pppoe0 firewall local ipv6-name 'WAN_LOCAL' + set firewall ipv6 name WAN_IN default-action 'drop' + set firewall ipv6 name WAN_IN rule 10 action 'accept' + set firewall ipv6 name WAN_IN rule 10 state established 'enable' + set firewall ipv6 name WAN_IN rule 10 state related 'enable' + set firewall ipv6 name WAN_IN rule 20 action 'accept' + set firewall ipv6 name WAN_IN rule 20 protocol 'icmpv6' + set firewall ipv6 name WAN_LOCAL default-action 'drop' + set firewall ipv6 name WAN_LOCAL rule 10 action 'accept' + set firewall ipv6 name WAN_LOCAL rule 10 state established 'enable' + set firewall ipv6 name WAN_LOCAL rule 10 state related 'enable' + set firewall ipv6 name WAN_LOCAL rule 20 action 'accept' + set firewall ipv6 name WAN_LOCAL rule 20 protocol 'icmpv6' + set firewall ipv6 name WAN_LOCAL rule 30 action 'accept' + set firewall ipv6 name WAN_LOCAL rule 30 destination port '546' + set firewall ipv6 name WAN_LOCAL rule 30 protocol 'udp' + set firewall ipv6 name WAN_LOCAL rule 30 source port '547' + set firewall ipv6 forward filter rule 10 action jump + set firewall ipv6 forward filter rule 10 jump-target 'WAN_IN' + set firewall ipv6 forward filter rule 10 inbound-interface name 'pppoe0' + set firewall ipv6 input filter rule 10 action jump + set firewall ipv6 input filter rule 10 jump-target 'WAN_LOCAL' + set firewall ipv6 input filter rule 10 inbound-interface name 'pppoe0' Note to allow the router to receive DHCPv6 response from ISP. We need to allow packets with source port 547 (server) and destination port 546 (client). |