diff options
author | whyrlpool <26317568+whyrlpool@users.noreply.github.com> | 2024-07-03 17:32:28 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-07-03 17:32:28 +0100 |
commit | b88448bb7b006a92d601053b9def83e16fc28cac (patch) | |
tree | 60459549f090c5a2cf6c1eabf66eaed2e60371d6 | |
parent | 63988391efed6c7f193c832abb649f996b8ea33a (diff) | |
parent | 8214ffe4c61f6a14bddf2fed43bff915f2503c6f (diff) | |
download | vyos-documentation-b88448bb7b006a92d601053b9def83e16fc28cac.tar.gz vyos-documentation-b88448bb7b006a92d601053b9def83e16fc28cac.zip |
Merge pull request #1 from whyrlpool:current
proofread and update firewall docs
-rw-r--r-- | docs/_locale/de/automation.pot | 4 | ||||
-rw-r--r-- | docs/_locale/de/configuration.pot | 4 | ||||
-rw-r--r-- | docs/_locale/es/automation.pot | 2 | ||||
-rw-r--r-- | docs/_locale/es/configuration.pot | 4 | ||||
-rw-r--r-- | docs/_locale/ja/automation.pot | 6 | ||||
-rw-r--r-- | docs/_locale/ja/configuration.pot | 4 | ||||
-rw-r--r-- | docs/_locale/pt/automation.pot | 4 | ||||
-rw-r--r-- | docs/_locale/pt/configuration.pot | 4 | ||||
-rw-r--r-- | docs/_locale/uk/automation.pot | 2 | ||||
-rw-r--r-- | docs/_locale/uk/configuration.pot | 4 | ||||
-rw-r--r-- | docs/configuration/container/index.rst | 4 | ||||
-rw-r--r-- | docs/configuration/firewall/bridge.rst | 48 | ||||
-rw-r--r-- | docs/configuration/firewall/flowtables.rst | 26 | ||||
-rw-r--r-- | docs/configuration/firewall/global-options.rst | 22 | ||||
-rw-r--r-- | docs/configuration/firewall/groups.rst | 19 | ||||
-rw-r--r-- | docs/configuration/firewall/index.rst | 26 | ||||
-rw-r--r-- | docs/configuration/firewall/ipv4.rst | 165 | ||||
-rw-r--r-- | docs/configuration/firewall/ipv6.rst | 167 | ||||
-rw-r--r-- | docs/configuration/firewall/zone.rst | 18 |
19 files changed, 265 insertions, 268 deletions
diff --git a/docs/_locale/de/automation.pot b/docs/_locale/de/automation.pot index acd55638..480bfa35 100644 --- a/docs/_locale/de/automation.pot +++ b/docs/_locale/de/automation.pot @@ -781,8 +781,8 @@ msgid "If command ends in a value, it must be inside single quotes." msgstr "If command ends in a value, it must be inside single quotes." #: ../../automation/cloud-init.rst:253 -msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bare in mind that this configuration will be inyected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." -msgstr "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bare in mind that this configuration will be inyected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." +msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bear in mind that this configuration will be injected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." +msgstr "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bear in mind that this configuration will be injected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." #: ../../automation/cloud-init.rst:228 msgid "If you encounter problems, verify that the cloud-config document contains valid YAML. Online resources such as https://www.yamllint.com/ provide a simple tool for validating YAML." diff --git a/docs/_locale/de/configuration.pot b/docs/_locale/de/configuration.pot index f0ae9a1d..dc70be5a 100644 --- a/docs/_locale/de/configuration.pot +++ b/docs/_locale/de/configuration.pot @@ -391,8 +391,8 @@ msgid "**Origin check**" msgstr "**Origin check**" #: ../../configuration/firewall/index.rst:64 -msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" -msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" #: ../../configuration/firewall/index.rst:65 msgid "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externaly through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" diff --git a/docs/_locale/es/automation.pot b/docs/_locale/es/automation.pot index 1bef6c23..c98faa2f 100644 --- a/docs/_locale/es/automation.pot +++ b/docs/_locale/es/automation.pot @@ -781,7 +781,7 @@ msgid "If command ends in a value, it must be inside single quotes." msgstr "Si el comando termina en un valor, debe estar entre comillas simples." #: ../../automation/cloud-init.rst:253 -msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bare in mind that this configuration will be inyected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." +msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bear in mind that this configuration will be injected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." msgstr "Si no se proporciona una configuración de red, el cliente dhcp se habilitará en la primera interfaz. Tenga en cuenta que esta configuración se inyectará a nivel del sistema operativo, así que no espere encontrar la configuración del cliente dhcp en vyos cli. Debido a este comportamiento, en el siguiente laboratorio de ejemplo, deshabilitaremos la configuración de dhcp-client en eth0." #: ../../automation/cloud-init.rst:228 diff --git a/docs/_locale/es/configuration.pot b/docs/_locale/es/configuration.pot index b7b3a78a..821ecc6a 100644 --- a/docs/_locale/es/configuration.pot +++ b/docs/_locale/es/configuration.pot @@ -391,8 +391,8 @@ msgid "**Origin check**" msgstr "**Comprobación de origen**" #: ../../configuration/firewall/index.rst:64 -msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" -msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" #: ../../configuration/firewall/index.rst:65 msgid "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externaly through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" diff --git a/docs/_locale/ja/automation.pot b/docs/_locale/ja/automation.pot index 741a317b..42bcff7a 100644 --- a/docs/_locale/ja/automation.pot +++ b/docs/_locale/ja/automation.pot @@ -239,7 +239,7 @@ msgstr "2.5 Type the commands :" #: ../../automation/terraform/terraformAZ.rst:44 msgid "2.6 Type the commands :" -msgstr "2.6 Type the commands :" +msgstr "2.6 Type the commands :in" #: ../../automation/terraform/terraformAWS.rst:31 msgid "2 Create a key pair_ and download your .pem key" @@ -781,8 +781,8 @@ msgid "If command ends in a value, it must be inside single quotes." msgstr "If command ends in a value, it must be inside single quotes." #: ../../automation/cloud-init.rst:253 -msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bare in mind that this configuration will be inyected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." -msgstr "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bare in mind that this configuration will be inyected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." +msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bear in mind that this configuration will be injected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." +msgstr "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bear in mind that this configuration will be injected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." #: ../../automation/cloud-init.rst:228 msgid "If you encounter problems, verify that the cloud-config document contains valid YAML. Online resources such as https://www.yamllint.com/ provide a simple tool for validating YAML." diff --git a/docs/_locale/ja/configuration.pot b/docs/_locale/ja/configuration.pot index 3518562b..19d6802f 100644 --- a/docs/_locale/ja/configuration.pot +++ b/docs/_locale/ja/configuration.pot @@ -391,8 +391,8 @@ msgid "**Origin check**" msgstr "**Origin check**" #: ../../configuration/firewall/index.rst:64 -msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" -msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" #: ../../configuration/firewall/index.rst:65 msgid "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externaly through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" diff --git a/docs/_locale/pt/automation.pot b/docs/_locale/pt/automation.pot index 6494fae3..198dea36 100644 --- a/docs/_locale/pt/automation.pot +++ b/docs/_locale/pt/automation.pot @@ -781,8 +781,8 @@ msgid "If command ends in a value, it must be inside single quotes." msgstr "If command ends in a value, it must be inside single quotes." #: ../../automation/cloud-init.rst:253 -msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bare in mind that this configuration will be inyected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." -msgstr "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bare in mind that this configuration will be inyected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." +msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bear in mind that this configuration will be injected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." +msgstr "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bear in mind that this configuration will be injected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." #: ../../automation/cloud-init.rst:228 msgid "If you encounter problems, verify that the cloud-config document contains valid YAML. Online resources such as https://www.yamllint.com/ provide a simple tool for validating YAML." diff --git a/docs/_locale/pt/configuration.pot b/docs/_locale/pt/configuration.pot index 098a9f01..f73095f6 100644 --- a/docs/_locale/pt/configuration.pot +++ b/docs/_locale/pt/configuration.pot @@ -391,8 +391,8 @@ msgid "**Origin check**" msgstr "**Origin check**" #: ../../configuration/firewall/index.rst:64 -msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" -msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" #: ../../configuration/firewall/index.rst:65 msgid "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externaly through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" diff --git a/docs/_locale/uk/automation.pot b/docs/_locale/uk/automation.pot index 96148754..e8f049f7 100644 --- a/docs/_locale/uk/automation.pot +++ b/docs/_locale/uk/automation.pot @@ -781,7 +781,7 @@ msgid "If command ends in a value, it must be inside single quotes." msgstr "Якщо команда закінчується значенням, воно має бути в одинарних лапках." #: ../../automation/cloud-init.rst:253 -msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bare in mind that this configuration will be inyected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." +msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bear in mind that this configuration will be injected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." msgstr "Якщо конфігурація мережі не надається, клієнт dhcp буде ввімкнено на першому інтерфейсі. Майте на увазі, що цю конфігурацію буде введено на рівні ОС, тому не очікуйте знайти конфігурацію клієнта dhcp у vyos cli. Через таку поведінку в наступному прикладі лабораторної роботи ми вимкнемо конфігурацію dhcp-клієнта на eth0." #: ../../automation/cloud-init.rst:228 diff --git a/docs/_locale/uk/configuration.pot b/docs/_locale/uk/configuration.pot index 3f9e7bd2..5195191f 100644 --- a/docs/_locale/uk/configuration.pot +++ b/docs/_locale/uk/configuration.pot @@ -391,8 +391,8 @@ msgid "**Origin check**" msgstr "**Перевірка походження**" #: ../../configuration/firewall/index.rst:64 -msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" -msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" #: ../../configuration/firewall/index.rst:65 msgid "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externaly through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst index a1672aa7..8be82e1b 100644 --- a/docs/configuration/container/index.rst +++ b/docs/configuration/container/index.rst @@ -1,10 +1,10 @@ -:lastproofread: 2022-06-10 +:lastproofread: 2024-07-03 ######### Container ######### -The VyOS container implementation is based on `Podman<https://podman.io/>` as +The VyOS container implementation is based on `Podman <https://podman.io/>`_ as a deamonless container engine. ************* diff --git a/docs/configuration/firewall/bridge.rst b/docs/configuration/firewall/bridge.rst index f84fd456..2e3d3634 100644 --- a/docs/configuration/firewall/bridge.rst +++ b/docs/configuration/firewall/bridge.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-08 +:lastproofread: 2024-07-03 .. _firewall-configuration: @@ -12,13 +12,13 @@ Bridge Firewall Configuration Overview ******** -In this section there's useful information of all firewall configuration that -can be done regarding bridge, and appropriate op-mode commands. +In this section there's useful information on all firewall configuration that +can be done regarding bridges, and appropriate op-mode commands. Configuration commands covered in this section: .. cfgcmd:: set firewall bridge ... -From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +From the main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` in this section you can find detailed information only for the next part of the general structure: @@ -41,7 +41,7 @@ For traffic that needs to be forwarded internally by the bridge, base chain is is **forward**, and it's base command for filtering is ``set firewall bridge forward filter ...``, which happens in stage 4, highlighted with red color. -Custom bridge firewall chains can be create with command ``set firewall bridge +Custom bridge firewall chains can be created with the command ``set firewall bridge name <name> ...``. In order to use such custom chain, a rule with action jump, and the appropriate target should be defined in a base chain. @@ -55,9 +55,9 @@ and the appropriate target should be defined in a base chain. Bridge Rules ************ -For firewall filtering, firewall rules needs to be created. Each rule is +For firewall filtering, firewall rules need to be created. Each rule is numbered, has an action to apply if the rule is matched, and the ability -to specify multiple criteria matchers. Data packets go through the rules +to specify multiple matching criteria. Data packets go through the rules from 1 - 999999, so order is crucial. At the first match the action of the rule will be executed. @@ -65,7 +65,7 @@ Actions ======= If a rule is defined, then an action must be defined for it. This tells the -firewall what to do if all criteria matchers defined for such rule do match. +firewall what to do if all matching criterea in the rule are met. In firewall bridge rules, the action can be: @@ -101,7 +101,7 @@ In firewall bridge rules, the action can be: queue <0-65535> To be used only when action is set to ``queue``. Use this command to specify - queue target to use. Queue range is also supported. + the queue target to use. Queue range is also supported. .. cfgcmd:: set firewall bridge forward filter rule <1-999999> queue-options bypass @@ -121,7 +121,7 @@ In firewall bridge rules, the action can be: distribute packets between several queues. Also, **default-action** is an action that takes place whenever a packet does -not match any rule in it's chain. For base chains, possible options for +not match any rule in its' chain. For base chains, possible options for **default-action** are **accept** or **drop**. .. cfgcmd:: set firewall bridge forward filter default-action @@ -129,10 +129,10 @@ not match any rule in it's chain. For base chains, possible options for .. cfgcmd:: set firewall bridge name <name> default-action [accept | continue | drop | jump | queue | return] - This set the default action of the rule-set if no rule matched a packet - criteria. If default-action is set to ``jump``, then + This sets the default action of the rule-set if a packet does not match + any of the rules in that chain. If default-action is set to ``jump``, then ``default-jump-target`` is also needed. Note that for base chains, default - action can only be set to ``accept`` or ``drop``, while on custom chain, + action can only be set to ``accept`` or ``drop``, while on custom chains more actions are available. .. cfgcmd:: set firewall bridge name <name> default-jump-target <text> @@ -141,9 +141,9 @@ not match any rule in it's chain. For base chains, possible options for command to specify jump target for default rule. .. note:: **Important note about default-actions:** - If default action for any base chain is not defined, then the default - action is set to **accept** for that chain. For custom chains, if default - action is not defined, then the default-action is set to **drop**. + If the default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if the + default action is not defined, then the default-action is set to **drop**. Firewall Logs ============= @@ -155,7 +155,7 @@ log options can be defined. .. cfgcmd:: set firewall bridge name <name> rule <1-999999> log Enable logging for the matched packet. If this configuration command is not - present, then log is not enabled. + present, then the log is not enabled. .. cfgcmd:: set firewall bridge forward filter default-log .. cfgcmd:: set firewall bridge name <name> default-log @@ -170,14 +170,15 @@ log options can be defined. log-options level [emerg | alert | crit | err | warn | notice | info | debug] - Define log-level. Only applicable if rule log is enable. + Define log-level. Only applicable if rule log is enabled. .. cfgcmd:: set firewall bridge forward filter rule <1-999999> log-options group <0-65535> .. cfgcmd:: set firewall bridge name <name> rule <1-999999> log-options group <0-65535> - Define log group to send message to. Only applicable if rule log is enable. + Define the log group to send messages to. Only applicable if rule log is + enabled. .. cfgcmd:: set firewall bridge forward filter rule <1-999999> log-options snapshot-length <0-9000> @@ -185,15 +186,16 @@ log options can be defined. log-options snapshot-length <0-9000> Define length of packet payload to include in netlink message. Only - applicable if rule log is enable and log group is defined. + applicable if rule log is enabled and the log group is defined. .. cfgcmd:: set firewall bridge forward filter rule <1-999999> log-options queue-threshold <0-65535> .. cfgcmd:: set firewall bridge name <name> rule <1-999999> log-options queue-threshold <0-65535> - Define number of packets to queue inside the kernel before sending them to - userspace. Only applicable if rule log is enable and log group is defined. + Define the number of packets to queue inside the kernel before sending them + to userspace. Only applicable if rule log is enabled and the log group is + defined. Firewall Description ==================== @@ -207,7 +209,7 @@ For reference, a description can be defined for every defined custom chain. Rule Status =========== -When defining a rule, it is enable by default. In some cases, it is useful to +When defining a rule, it is enabled by default. In some cases, it is useful to just disable the rule, rather than removing it. .. cfgcmd:: set firewall bridge forward filter rule <1-999999> disable diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst index ae95a85f..915bf39d 100644 --- a/docs/configuration/firewall/flowtables.rst +++ b/docs/configuration/firewall/flowtables.rst @@ -1,4 +1,4 @@ -:lastproofread: 2024-06-20 +:lastproofread: 2024-07-02 .. _firewall-flowtables-configuration: @@ -12,12 +12,12 @@ Flowtables Firewall Configuration Overview ******** -In this section there's useful information of all firewall configuration that +In this section there's useful information on all firewall configuration that can be done regarding flowtables. .. cfgcmd:: set firewall flowtables ... -From main structure defined in +From the main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` in this section you can find detailed information only for the next part of the general structure: @@ -30,7 +30,7 @@ of the general structure: + ... -Flowtables allows you to define a fastpath through the flowtable datapath. +Flowtables allow you to define a fastpath through the flowtable datapath. The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP and UDP protocols. @@ -107,10 +107,10 @@ Things to be considered in this setup: * Minimum firewall ruleset is provided, which includes some filtering rules, and appropriate rules for using flowtable offload capabilities. -As described, first packet will be evaluated by all the firewall path, so +As described, the first packet will be evaluated by the firewall path, so a desired connection should be explicitly accepted. Same thing should be taken into account for traffic in reverse order. In most cases state policies are -used in order to accept connection in reverse patch. +used in order to accept a connection in the reverse path. We will only accept traffic coming from interface eth0, protocol tcp and destination port 1122. All other traffic trespassing the router should be @@ -142,7 +142,7 @@ Explanation Analysis on what happens for desired connection: - 1. First packet is received on eth0, with destination address 192.0.2.100, + 1. Firstly, a packet is received on eth0, with destination address 192.0.2.100, protocol tcp and destination port 1122. Assume such destination address is reachable through interface eth1. @@ -151,22 +151,22 @@ Analysis on what happens for desired connection: 3. Rule 110 is hit, so connection is accepted. - 4. Once answer from server 192.0.2.100 is seen in opposite direction, + 4. Once an answer from server 192.0.2.100 is seen in opposite direction, connection state will be triggered to **established**, so this reply is accepted in rule 20. - 5. Second packet for this connection is received by the router. Since + 5. The second packet for this connection is received by the router. Since connection state is **established**, then rule 10 is hit, and a new entry in the flowtable FT01 is added for this connection. - 6. All the following packets will skip traditional path, and will be offloaded - and will use the **Fast Path**. + 6. All the following packets will skip the traditional path, will be + offloaded and use the **Fast Path**. Checks ------ -It's time to check conntrack table, to see if any connection was accepted, -and if was properly offloaded +It's time to check the conntrack table, to see if any connections were accepted, +and if it was properly offloaded .. code-block:: none diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst index 7c52045e..87fb755d 100644 --- a/docs/configuration/firewall/global-options.rst +++ b/docs/configuration/firewall/global-options.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-12-26 +:lastproofread: 2024-07-03 .. _firewall-global-options-configuration: @@ -25,7 +25,7 @@ Configuration .. cfgcmd:: set firewall global-options all-ping [enable | disable] By default, when VyOS receives an ICMP echo request packet destined for - itself, it will answer with an ICMP echo reply, unless you avoid it + itself, it will answer with an ICMP echo reply, unless you prevent it through its firewall. With the firewall you can set rules to accept, drop or reject ICMP in, @@ -55,7 +55,7 @@ Configuration .. cfgcmd:: set firewall global-options broadcast-ping [enable | disable] - This setting enable or disable the response of icmp broadcast + This setting enables or disables the response to icmp broadcast messages. The following system parameter will be altered: * ``net.ipv4.icmp_echo_ignore_broadcasts`` @@ -63,8 +63,8 @@ Configuration .. cfgcmd:: set firewall global-options ip-src-route [enable | disable] .. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable] - This setting handle if VyOS accept packets with a source route - option. The following system parameter will be altered: + This setting handles if VyOS accepts packets with a source route + option. The following system parameters will be altered: * ``net.ipv4.conf.all.accept_source_route`` * ``net.ipv6.conf.all.accept_source_route`` @@ -73,22 +73,22 @@ Configuration .. cfgcmd:: set firewall global-options ipv6-receive-redirects [enable | disable] - enable or disable of ICMPv4 or ICMPv6 redirect messages accepted - by VyOS. The following system parameter will be altered: + Enable or disable ICMPv4 or ICMPv6 redirect messages being accepted by + VyOS. The following system parameters will be altered: * ``net.ipv4.conf.all.accept_redirects`` * ``net.ipv6.conf.all.accept_redirects`` .. cfgcmd:: set firewall global-options send-redirects [enable | disable] - enable or disable ICMPv4 redirect messages send by VyOS + Enable or disable ICMPv4 redirect messages being sent by VyOS The following system parameter will be altered: * ``net.ipv4.conf.all.send_redirects`` .. cfgcmd:: set firewall global-options log-martians [enable | disable] - enable or disable the logging of martian IPv4 packets. + Enable or disable the logging of martian IPv4 packets. The following system parameter will be altered: * ``net.ipv4.conf.all.log_martians`` @@ -103,7 +103,7 @@ Configuration .. cfgcmd:: set firewall global-options syn-cookies [enable | disable] - Enable or Disable if VyOS use IPv4 TCP SYN Cookies. + Enable or disable if VyOS uses IPv4 TCP SYN Cookies. The following system parameter will be altered: * ``net.ipv4.tcp_syncookies`` @@ -111,7 +111,7 @@ Configuration .. cfgcmd:: set firewall global-options twa-hazards-protection [enable | disable] - Enable or Disable VyOS to be :rfc:`1337` conform. + Enable or Disable VyOS to be :rfc:`1337` conformant. The following system parameter will be altered: * ``net.ipv4.tcp_rfc1337`` diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst index 6111650a..fa32b98e 100644 --- a/docs/configuration/firewall/groups.rst +++ b/docs/configuration/firewall/groups.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-08 +:lastproofread: 2024-07-03 .. _firewall-groups-configuration: @@ -18,8 +18,7 @@ matcher, and/or as inbound/outbound in the case of interface group. Address Groups ============== -In an **address group** a single IP address or IP address ranges are -defined. +In an **address group** a single IP address or IP address range is defined. .. cfgcmd:: set firewall group address-group <name> address [address | address range] @@ -43,7 +42,7 @@ Network Groups While **network groups** accept IP networks in CIDR notation, specific IP addresses can be added as a 32-bit prefix. If you foresee the need -to add a mix of addresses and networks, the network group is +to add a mix of addresses and networks, then a network group is recommended. .. cfgcmd:: set firewall group network-group <name> network <CIDR> @@ -197,9 +196,9 @@ Commands used for this task are: .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> add-address-to-group source-address address-group <name> -Also, specific timeout can be defined per rule. In case rule gets a hit, -source or destinatination address will be added to the group, and this -element will remain in the group until timeout expires. If no timeout +Also, specific timeouts can be defined per rule. In case rule gets a hit, +a source or destinatination address will be added to the group, and this +element will remain in the group until the timeout expires. If no timeout is defined, then the element will remain in the group until next reboot, or until a new commit that changes firewall configuration is done. @@ -324,7 +323,7 @@ A 4 step port knocking example is shown next: set firewall ipv4 input filter rule 99 protocol 'tcp' set firewall ipv4 input filter rule 99 source group dynamic-address-group 'ALLOWED' -Before testing, we can check members of firewall groups: +Before testing, we can check the members of firewall groups: .. code-block:: none @@ -339,7 +338,7 @@ Before testing, we can check members of firewall groups: [edit] vyos@vyos# -With this configuration, in order to get ssh access to the router, user +With this configuration, in order to get ssh access to the router, the user needs to: 1. Generate a new TCP connection with destination port 9990. As shown next, @@ -390,7 +389,7 @@ a new entry was added to dynamic firewall group **ALLOWED** [edit] vyos@vyos# -4. Now user can connect through ssh to the router (assuming ssh is configured). +4. Now the user can connect through ssh to the router (assuming ssh is configured). ************** Operation-mode diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index daf5f116..58e3463b 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-23 +:lastproofread: 2024-07-03 ######## Firewall @@ -28,11 +28,11 @@ packet is processed at the **IP Layer**: * **Prerouting**: All packets that are received by the router are processed in this stage, regardless of the destination of the packet. - Starting from vyos-1.5-rolling-202406120020, a new section was added to - firewall configuration. There are several actions that can be done in this - stage, and currently these actions are also defined in different parts in - VyOS configuration. Order is important, and relevant configuration that - acts in this stage are: + Starting from vyos-1.5-rolling-202406120020, a new section was added to + the firewall configuration. There are several actions that can be done in + this stage, and currently these actions are also defined in different + parts of the VyOS configuration. Order is important, and the relevant + configuration that acts in this stage are: * **Firewall prerouting**: rules defined under ``set firewall [ipv4 | ipv6] prerouting raw...``. All rules defined in this section are @@ -50,9 +50,9 @@ packet is processed at the **IP Layer**: * **Destination NAT**: rules defined under ``set [nat | nat66] destination...``. - * **Destination is the router?**: choose appropriate path based on + * **Destination is the router?**: choose an appropriate path based on destination IP address. Transit forward continues to **forward**, - while traffic that destination IP address is configured on the router + while traffic where the destination IP address is configured on the router continues to **input**. * **Input**: stage where traffic destined for the router itself can be @@ -73,7 +73,7 @@ packet is processed at the **IP Layer**: * **Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a - new connection originated by a internal process running on VyOS router, + new connection originated by a internal process running on the VyOS router such as NTP, or a response to traffic received externally through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 rules, and two different sections are present: @@ -181,10 +181,10 @@ Zone-based firewall zone With zone-based firewalls a new concept was implemented, in addition to the -standard in and out traffic flows, a local flow was added. This local was for -traffic originating and destined to the router itself. Which means additional -rules were required to secure the firewall itself from the network, in -addition to the existing inbound and outbound rules from the traditional +standard in and out traffic flows, a local flow was added. This local flow was +for traffic originating and destined to the router itself. Which means that +additional rules were required to secure the firewall itself from the network, +in addition to the existing inbound and outbound rules from the traditional concept above. To configure VyOS with the diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst index 39370c86..abae31a5 100644 --- a/docs/configuration/firewall/ipv4.rst +++ b/docs/configuration/firewall/ipv4.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-08 +:lastproofread: 2024-07-03 .. _firewall-ipv4-configuration: @@ -10,13 +10,13 @@ IPv4 Firewall Configuration Overview ******** -In this section there's useful information of all firewall configuration that +In this section there's useful information on all firewall configuration that can be done regarding IPv4, and appropriate op-mode commands. Configuration commands covered in this section: .. cfgcmd:: set firewall ipv4 ... -From main structure defined in +From the main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` in this section you can find detailed information only for the next part of the general structure: @@ -51,28 +51,28 @@ This stage includes: * :doc:`Destination NAT</configuration/nat/nat44>`: commands found under ``set nat destination ...`` -For transit traffic, which is received by the router and forwarded, base chain -is **forward**. A simplified packet flow diagram for transit traffic is shown -next: +For transit traffic, which is received by the router and forwarded, the base +chain is **forward**. A simplified packet flow diagram for transit traffic is +shown next: .. figure:: /_static/images/firewall-fwd-packet-flow.png -Firewall base chain to configure firewall filtering rules for transit traffic +The base firewall chain to configure filtering rules for transit traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, -highlighted with red color. +highlighted in the color red. -For traffic towards the router itself, base chain is **input**, while traffic -originated by the router, base chain is **output**. +For traffic towards the router itself, the base chain is **input**, while +traffic originated by the router has the base chain **output**. A new simplified packet flow diagram is shown next, which shows the path for traffic destined to the router itself, and traffic generated by the router (starting from circle number 6): .. figure:: /_static/images/firewall-input-packet-flow.png -Base chain for traffic towards the router is ``set firewall ipv4 input +The base chain for traffic towards the router is ``set firewall ipv4 input filter ...`` -And base chain for traffic generated by the router is ``set firewall ipv4 +And the base chain for traffic generated by the router is ``set firewall ipv4 output ...``, where two sub-chains are available: **filter** and **raw**: * **Output Prerouting**: ``set firewall ipv4 output raw ...``. @@ -82,9 +82,9 @@ output ...``, where two sub-chains are available: **filter** and **raw**: in this section are processed after connection tracking subsystem. .. note:: **Important note about default-actions:** - If default action for any base chain is not defined, then the default - action is set to **accept** for that chain. For custom chains, if default - action is not defined, then the default-action is set to **drop** + If a default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if the + default action is not defined, then the default-action is set to **drop** Custom firewall chains can be created, with commands ``set firewall ipv4 name <name> ...``. In order to use @@ -95,9 +95,9 @@ should be defined in a base chain. Firewall - IPv4 Rules ********************* -For firewall filtering, firewall rules needs to be created. Each rule is +For firewall filtering, firewall rules need to be created. Each rule is numbered, has an action to apply if the rule is matched, and the ability -to specify multiple criteria matchers. Data packets go through the rules +to specify multiple matching criteria. Data packets go through the rules from 1 - 999999, so order is crucial. At the first match the action of the rule will be executed. @@ -105,7 +105,7 @@ Actions ======= If a rule is defined, then an action must be defined for it. This tells the -firewall what to do if all criteria matchers defined for such rule do match. +firewall what to do if all of the criteria defined for that rule match. The action can be : @@ -135,8 +135,8 @@ The action can be : .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action [accept | continue | drop | jump | queue | reject | return] - This required setting defines the action of the current rule. If action is - set to jump, then jump-target is also needed. + This required setting defines the action of the current rule. If the action + is set to jump, then a jump-target is also needed. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> jump-target <text> @@ -148,7 +148,7 @@ The action can be : jump-target <text> To be used only when action is set to ``jump``. Use this command to specify - jump target. + the jump target. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> queue <0-65535> @@ -160,7 +160,7 @@ The action can be : queue <0-65535> To be used only when action is set to ``queue``. Use this command to specify - queue target to use. Queue range is also supported. + the queue target to use. Queue range is also supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> queue-options bypass @@ -171,7 +171,7 @@ The action can be : .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> queue-options bypass - To be used only when action is set to ``queue``. Use this command to let + To be used only when action is set to ``queue``. Use this command to let the packet go through firewall when no userspace software is connected to the queue. @@ -200,21 +200,21 @@ not match any rule in it's chain. For base chains, possible options for .. cfgcmd:: set firewall ipv4 name <name> default-action [accept | drop | jump | queue | reject | return] - This set the default action of the rule-set if no rule matched a packet - criteria. If default-action is set to ``jump``, then - ``default-jump-target`` is also needed. Note that for base chains, default - action can only be set to ``accept`` or ``drop``, while on custom chain, - more actions are available. + This sets the default action of the rule-set if a packet does not match the + criteria of any rule. If default-action is set to ``jump``, then + ``default-jump-target`` is also needed. Note that for base chains, the + default action can only be set to ``accept`` or ``drop``, while on custom + chains, more actions are available. .. cfgcmd:: set firewall ipv4 name <name> default-jump-target <text> To be used only when ``default-action`` is set to ``jump``. Use this - command to specify jump target for default rule. + command to specify the jump target for the default rule. .. note:: **Important note about default-actions:** - If default action for any base chain is not defined, then the default - action is set to **accept** for that chain. For custom chains, if default - action is not defined, then the default-action is set to **drop**. + If the default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains if a default + action is not defined then the default-action is set to **drop**. Firewall Logs ============= @@ -228,7 +228,7 @@ log options can be defined. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log Enable logging for the matched packet. If this configuration command is not - present, then log is not enabled. + present, then the log is not enabled. .. cfgcmd:: set firewall ipv4 forward filter default-log .. cfgcmd:: set firewall ipv4 input filter default-log @@ -251,7 +251,7 @@ log options can be defined. log-options level [emerg | alert | crit | err | warn | notice | info | debug] - Define log-level. Only applicable if rule log is enable. + Define log-level. Only applicable if rule log is enabled. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log-options group <0-65535> @@ -262,7 +262,8 @@ log options can be defined. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log-options group <0-65535> - Define log group to send message to. Only applicable if rule log is enable. + Define the log group to send messages to. Only applicable if rule log is + enabled. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log-options snapshot-length <0-9000> @@ -273,8 +274,8 @@ log options can be defined. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log-options snapshot-length <0-9000> - Define length of packet payload to include in netlink message. Only - applicable if rule log is enable and log group is defined. + Define the length of packet payload to include in a netlink message. Only + applicable if rule log is enabled and log group is defined. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log-options queue-threshold <0-65535> @@ -285,8 +286,8 @@ log options can be defined. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log-options queue-threshold <0-65535> - Define number of packets to queue inside the kernel before sending them to - userspace. Only applicable if rule log is enable and log group is defined. + Define the number of packets to queue inside the kernel before sending them + to userspace. Only applicable if rule log is enabled and log group is defined. Firewall Description ==================== @@ -311,7 +312,7 @@ every defined custom chain. Rule Status =========== -When defining a rule, it is enable by default. In some cases, it is useful to +When defining a rule, it is enabled by default. In some cases, it is useful to just disable the rule, rather than removing it. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> disable @@ -335,7 +336,7 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> connection-status nat [destination | source] - Match criteria based on nat connection status. + Match based on nat connection status. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> connection-mark <1-2147483647> @@ -346,7 +347,7 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> connection-mark <1-2147483647> - Match criteria based on connection mark. + Match based on connection mark. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> conntrack-helper <module> @@ -445,8 +446,8 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> destination fqdn <fqdn> - Specify a Fully Qualified Domain Name as source/destination matcher. Ensure - router is able to resolve such dns query. + Specify a Fully Qualified Domain Name as source/destination to match. Ensure + that the router is able to resolve this dns query. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> source geoip country-code <country> @@ -503,14 +504,13 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> source mac-address <mac-address> - Only in the source criteria, you can specify a mac-address. + You can only specify a source mac-address to match. .. code-block:: none set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33 set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34 - .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> source port [1-65535 | portname | start-end] .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> @@ -529,8 +529,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> destination port [1-65535 | portname | start-end] - A port can be set with a port number or a name which is here - defined: ``/etc/services``. + A port can be set by number or name as defined in ``/etc/services``. .. code-block:: none @@ -559,8 +558,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> destination group address-group <name | !name> - Use a specific address-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific address-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> source group dynamic-address-group <name | !name> @@ -580,8 +579,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> destination group dynamic-address-group <name | !name> - Use a specific dynamic-address-group. Prepend character ``!`` for inverted - matching criteria. + Use a specific dynamic-address-group. Prepending the character ``!`` to + invert the criteria to match is also supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> source group network-group <name | !name> @@ -601,8 +600,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> destination group network-group <name | !name> - Use a specific network-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific network-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> source group port-group <name | !name> @@ -622,8 +621,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> destination group port-group <name | !name> - Use a specific port-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific port-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> source group domain-group <name | !name> @@ -643,8 +642,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> destination group domain-group <name | !name> - Use a specific domain-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific domain-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> source group mac-group <name | !name> @@ -664,8 +663,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> destination group mac-group <name | !name> - Use a specific mac-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific mac-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> dscp [0-63 | start-end] @@ -696,7 +695,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> fragment [match-frag | match-non-frag] - Match based on fragment criteria. + Match based on fragmentation. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> icmp [code | type] <0-255> @@ -718,7 +717,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> icmp type-name <text> - Match based on icmp type-name criteria. Use tab for information + Match based on icmp type-name. Use tab for information about what **type-name** criteria are supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> @@ -729,11 +728,11 @@ geoip) to keep database and rules updated. inbound-interface name <iface> Match based on inbound interface. Wildcard ``*`` can be used. - For example: ``eth2*``. Prepending character ``!`` for inverted matching - criteria is also supported. For example ``!eth2`` + For example: ``eth2*``. Prepending the character ``!`` to invert the + criteria to match is also supported. For example ``!eth2`` .. note:: If an interface is attached to a non-default vrf, when using - **inbound-interface**, vrf name must be used. For example ``set firewall + **inbound-interface**, the vrf name must be used. For example ``set firewall ipv4 forward filter rule 10 inbound-interface name MGMT`` .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> @@ -743,8 +742,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> inbound-interface group <iface_group> - Match based on inbound interface group. Prepending character ``!`` for - inverted matching criteria is also supported. For example ``!IFACE_GROUP`` + Match based on the inbound interface group. Prepending the character ``!`` + to invert the criteria to match is also supported. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> outbound-interface name <iface> @@ -754,11 +753,11 @@ geoip) to keep database and rules updated. outbound-interface name <iface> Match based on outbound interface. Wildcard ``*`` can be used. - For example: ``eth2*``. Prepending character ``!`` for inverted matching - criteria is also supported. For example ``!eth2`` + For example: ``eth2*``. Prepending the character ``!`` to invert the + criteria to match is also supported. For example ``!eth2`` .. note:: If an interface is attached to a non-default vrf, when using - **outbound-interface**, real interface name must be used. For example + **outbound-interface**, the real interface name must be used. For example ``set firewall ipv4 forward filter rule 10 outbound-interface name eth0`` .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> @@ -768,8 +767,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> outbound-interface group <iface_group> - Match based on outbound interface group. Prepending character ``!`` for - inverted matching criteria is also supported. For example ``!IFACE_GROUP`` + Match based on outbound interface group. Prepending the character ``!`` to + invert the criteria to match is also supported. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> ipsec [match-ipsec | match-none] @@ -780,7 +779,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> ipsec [match-ipsec | match-none] - Match based on ipsec criteria. + Match based on ipsec. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> limit burst <0-4294967295> @@ -823,7 +822,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> packet-length-exclude <text> - Match based on packet length criteria. Multiple values from 1 to 65535 + Match based on the packet length. Multiple values from 1 to 65535 and ranges are supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> @@ -835,7 +834,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> packet-type [broadcast | host | multicast | other] - Match based on packet type criteria. + Match based on the packet type. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> protocol [<text> | <0-255> | all | tcp_udp] @@ -846,10 +845,9 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> protocol [<text> | <0-255> | all | tcp_udp] - Match a protocol criteria. A protocol number or a name which is here - defined: ``/etc/protocols``. + Match based on protocol number or name as defined in ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp - based packets. The ``!`` negate the selected protocol. + based packets. The ``!`` negates the selected protocol. .. code-block:: none @@ -874,7 +872,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> recent time [second | minute | hour] - Match bases on recently seen sources. + Match based on recently seen sources. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> tcp flags [not] <text> @@ -958,8 +956,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> ttl <eq | gt | lt> <0-255> - Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for - 'greater than', and 'lt' stands for 'less than'. + Match the time to live parameter, where 'eq' stands for 'equal'; 'gt' stands + for 'greater than', and 'lt' stands for 'less than'. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> recent count <1-255> @@ -994,7 +992,7 @@ Synproxy connections .. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> - Set TCP-MSS (maximum segment size) for the connection + Set the TCP-MSS (maximum segment size) for the connection .. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> @@ -1028,7 +1026,6 @@ Requirements to enable synproxy: set firewall ipv4 input filter rule 1000 action 'drop' set firewall ipv4 input filter rule 1000 state invalid - *********************** Operation-mode Firewall *********************** @@ -1038,7 +1035,7 @@ Rule-set overview .. opcmd:: show firewall - This will show you a basic firewall overview, for all ruleset, and not + This will show you a basic firewall overview, for all rule-sets, and not only for ipv4 .. code-block:: none diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst index 511fd51f..5f526dac 100644 --- a/docs/configuration/firewall/ipv6.rst +++ b/docs/configuration/firewall/ipv6.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-08 +:lastproofread: 2024-07-03 .. _firewall-ipv6-configuration: @@ -10,13 +10,13 @@ IPv6 Firewall Configuration Overview ******** -In this section there's useful information of all firewall configuration that +In this section there's useful information on all firewall configuration that can be done regarding IPv6, and appropriate op-mode commands. Configuration commands covered in this section: .. cfgcmd:: set firewall ipv6 ... -From main structure defined in +From the main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` in this section you can find detailed information only for the next part of the general structure: @@ -51,29 +51,29 @@ This stage includes: * :doc:`Destination NAT</configuration/nat/nat44>`: commands found under ``set nat66 destination ...`` -For transit traffic, which is received by the router and forwarded, base chain -is **forward**. A simplified packet flow diagram for transit traffic is shown -next: +For transit traffic, which is received by the router and forwarded, the base +chain is **forward**. A simplified packet flow diagram for transit traffic is +shown next: .. figure:: /_static/images/firewall-fwd-packet-flow.png -Firewall base chain to configure firewall filtering rules for transit traffic +The base firewall chain to configure filtering rules for transit traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, -highlighted with red color. +highlighted in the color red. -For traffic towards the router itself, base chain is **input**, while traffic -originated by the router, base chain is **output**. +For traffic towards the router itself, the base chain is **input**, while +traffic originated by the router has the base chain **output**. A new simplified packet flow diagram is shown next, which shows the path for traffic destined to the router itself, and traffic generated by the router (starting from circle number 6): .. figure:: /_static/images/firewall-input-packet-flow.png -Base chain for traffic towards the router is ``set firewall ipv6 input +The base chain for traffic towards the router is ``set firewall ipv6 input filter ...`` -And base chain for traffic generated by the router is ``set firewall ipv6 -output filter ...``, where two sub-chains are available: **filter** and **raw**: +And the base chain for traffic generated by the router is ``set firewall ipv6 +output ...``, where two sub-chains are available: **filter** and **raw**: * **Output Prerouting**: ``set firewall ipv6 output raw ...``. As described in **Prerouting**, rules defined in this section are @@ -82,9 +82,9 @@ output filter ...``, where two sub-chains are available: **filter** and **raw**: in this section are processed after connection tracking subsystem. .. note:: **Important note about default-actions:** - If default action for any base chain is not defined, then the default - action is set to **accept** for that chain. For custom chains, if default - action is not defined, then the default-action is set to **drop** + If a default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if the + default action is not defined, then the default-action is set to **drop** Custom firewall chains can be created, with commands ``set firewall ipv6 name <name> ...``. In order to use @@ -95,9 +95,9 @@ should be defined in a base chain. Firewall - IPv6 Rules ****************************** -For firewall filtering, firewall rules needs to be created. Each rule is +For firewall filtering, firewall rules need to be created. Each rule is numbered, has an action to apply if the rule is matched, and the ability -to specify multiple criteria matchers. Data packets go through the rules +to specify multiple matching criteria. Data packets go through the rules from 1 - 999999, so order is crucial. At the first match the action of the rule will be executed. @@ -105,7 +105,7 @@ Actions ======= If a rule is defined, then an action must be defined for it. This tells the -firewall what to do if all criteria matchers defined for such rule do match. +firewall what to do if all of the criteria defined for that rule match. The action can be : @@ -135,8 +135,8 @@ The action can be : .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> action [accept | continue | drop | jump | queue | reject | return] - This required setting defines the action of the current rule. If action is - set to jump, then jump-target is also needed. + This required setting defines the action of the current rule. If the action + is set to jump, then a jump-target is also needed. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> jump-target <text> @@ -148,7 +148,7 @@ The action can be : jump-target <text> To be used only when action is set to ``jump``. Use this command to specify - jump target. + the jump target. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> queue <0-65535> @@ -160,7 +160,7 @@ The action can be : queue <0-65535> To be used only when action is set to ``queue``. Use this command to specify - queue target to use. Queue range is also supported. + the queue target to use. Queue range is also supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> queue-options bypass @@ -171,7 +171,7 @@ The action can be : .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> queue-options bypass - To be used only when action is set to ``queue``. Use this command to let + To be used only when action is set to ``queue``. Use this command to let the packet go through firewall when no userspace software is connected to the queue. @@ -200,21 +200,21 @@ not match any rule in it's chain. For base chains, possible options for .. cfgcmd:: set firewall ipv6 name <name> default-action [accept | drop | jump | queue | reject | return] - This set the default action of the rule-set if no rule matched a packet - criteria. If default-action is set to ``jump``, then - ``default-jump-target`` is also needed. Note that for base chains, default - action can only be set to ``accept`` or ``drop``, while on custom chain, - more actions are available. + This sets the default action of the rule-set if a packet does not match the + criteria of any rule. If default-action is set to ``jump``, then + ``default-jump-target`` is also needed. Note that for base chains, the + default action can only be set to ``accept`` or ``drop``, while on custom + chains, more actions are available. .. cfgcmd:: set firewall ipv6 name <name> default-jump-target <text> To be used only when ``default-action`` is set to ``jump``. Use this - command to specify jump target for default rule. + command to specify the jump target for the default rule. .. note:: **Important note about default-actions:** - If default action for any base chain is not defined, then the default - action is set to **accept** for that chain. For custom chains, if default - action is not defined, then the default-action is set to **drop**. + If the default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains if a default + action is not defined then the default-action is set to **drop**. Firewall Logs ============= @@ -228,7 +228,7 @@ log options can be defined. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log Enable logging for the matched packet. If this configuration command is not - present, then log is not enabled. + present, then the log is not enabled. .. cfgcmd:: set firewall ipv6 forward filter default-log .. cfgcmd:: set firewall ipv6 input filter default-log @@ -251,7 +251,7 @@ log options can be defined. log-options level [emerg | alert | crit | err | warn | notice | info | debug] - Define log-level. Only applicable if rule log is enable. + Define log-level. Only applicable if rule log is enabled. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log-options group <0-65535> @@ -262,7 +262,8 @@ log options can be defined. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log-options group <0-65535> - Define log group to send message to. Only applicable if rule log is enable. + Define the log group to send messages to. Only applicable if rule log is + enabled. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log-options snapshot-length <0-9000> @@ -273,8 +274,8 @@ log options can be defined. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log-options snapshot-length <0-9000> - Define length of packet payload to include in netlink message. Only - applicable if rule log is enable and log group is defined. + Define the length of packet payload to include in a netlink message. Only + applicable if rule log is enabled and log group is defined. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log-options queue-threshold <0-65535> @@ -285,8 +286,8 @@ log options can be defined. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log-options queue-threshold <0-65535> - Define number of packets to queue inside the kernel before sending them to - userspace. Only applicable if rule log is enable and log group is defined. + Define the number of packets to queue inside the kernel before sending them + to userspace. Only applicable if rule log is enabled and log group is defined. Firewall Description ==================== @@ -311,7 +312,7 @@ every defined custom chain. Rule Status =========== -When defining a rule, it is enable by default. In some cases, it is useful to +When defining a rule, it is enabled by default. In some cases, it is useful to just disable the rule, rather than removing it. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> disable @@ -335,7 +336,7 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> connection-status nat [destination | source] - Match criteria based on nat connection status. + Match based on nat connection status. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> connection-mark <1-2147483647> @@ -346,7 +347,7 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> connection-mark <1-2147483647> - Match criteria based on connection mark. + Match based on connection mark. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source address [address | addressrange | CIDR] @@ -366,9 +367,8 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination address [address | addressrange | CIDR] - Match criteria based on source and/or destination address. This is similar - to the network groups part, but here you are able to negate the matching - addresses. + Match based on source and/or destination address. This is similar to the + network groups part, but here you are able to negate the matching addresses. .. code-block:: none @@ -433,8 +433,8 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination fqdn <fqdn> - Specify a Fully Qualified Domain Name as source/destination matcher. Ensure - router is able to resolve such dns query. + Specify a Fully Qualified Domain Name as source/destination to match. Ensure + that the router is able to resolve this dns query. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source geoip country-code <country> @@ -491,7 +491,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> source mac-address <mac-address> - Only in the source criteria, you can specify a mac-address. + You can only specify a source mac-address to match. .. code-block:: none @@ -516,8 +516,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination port [1-65535 | portname | start-end] - A port can be set with a port number or a name which is here - defined: ``/etc/services``. + A port can be set by number or name as defined in ``/etc/services``. .. code-block:: none @@ -550,8 +549,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination group address-group <name | !name> - Use a specific address-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific address-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source group dynamic-address-group <name | !name> @@ -571,8 +570,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination group dynamic-address-group <name | !name> - Use a specific dynamic-address-group. Prepend character ``!`` for inverted - matching criteria. + Use a specific dynamic-address-group. Prepending the character ``!`` to + invert the criteria to match is also supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source group network-group <name | !name> @@ -592,8 +591,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination group network-group <name | !name> - Use a specific network-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific network-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source group port-group <name | !name> @@ -613,8 +612,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination group port-group <name | !name> - Use a specific port-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific port-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source group domain-group <name | !name> @@ -634,8 +633,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination group domain-group <name | !name> - Use a specific domain-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific domain-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source group mac-group <name | !name> @@ -655,8 +654,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination group mac-group <name | !name> - Use a specific mac-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific mac-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> dscp [0-63 | start-end] @@ -687,7 +686,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> fragment [match-frag | match-non-frag] - Match based on fragment criteria. + Match based on fragmentation. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> icmpv6 [code | type] <0-255> @@ -709,7 +708,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> icmpv6 type-name <text> - Match based on icmpv6 type-name criteria. Use tab for information + Match based on icmpv6 type-name. Use tab for information about what **type-name** criteria are supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> @@ -720,11 +719,11 @@ geoip) to keep database and rules updated. inbound-interface name <iface> Match based on inbound interface. Wildcard ``*`` can be used. - For example: ``eth2*``. Prepending character ``!`` for inverted matching - criteria is also supported. For example ``!eth2`` + For example: ``eth2*``. Prepending the character ``!`` to invert the + criteria to match is also supported. For example ``!eth2`` .. note:: If an interface is attached to a non-default vrf, when using - **inbound-interface**, vrf name must be used. For example ``set firewall + **inbound-interface**, the vrf name must be used. For example ``set firewall ipv6 forward filter rule 10 inbound-interface name MGMT`` .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> @@ -734,8 +733,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> inbound-interface group <iface_group> - Match based on inbound interface group. Prepending character ``!`` for - inverted matching criteria is also supported. For example ``!IFACE_GROUP`` + Match based on the inbound interface group. Prepending the character ``!`` + to invert the criteria to match is also supported. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> outbound-interface name <iface> @@ -745,11 +744,11 @@ geoip) to keep database and rules updated. outbound-interface name <iface> Match based on outbound interface. Wildcard ``*`` can be used. - For example: ``eth2*``. Prepending character ``!`` for inverted matching - criteria is also supported. For example ``!eth2`` + For example: ``eth2*``. Prepending the character ``!`` to invert the + criteria to match is also supported. For example ``!eth2`` .. note:: If an interface is attached to a non-default vrf, when using - **outbound-interface**, real interface name must be used. For example + **outbound-interface**, the real interface name must be used. For example ``set firewall ipv6 forward filter rule 10 outbound-interface name eth0`` .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> @@ -759,8 +758,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> outbound-interface group <iface_group> - Match based on outbound interface group. Prepending character ``!`` for - inverted matching criteria is also supported. For example ``!IFACE_GROUP`` + Match based on outbound interface group. Prepending the character ``!`` to + invert the criteria to match is also supported. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> ipsec [match-ipsec | match-none] @@ -771,7 +770,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> ipsec [match-ipsec | match-none] - Match based on ipsec criteria. + Match based on ipsec. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> limit burst <0-4294967295> @@ -814,7 +813,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> packet-length-exclude <text> - Match based on packet length criteria. Multiple values from 1 to 65535 + Match based on the packet length. Multiple values from 1 to 65535 and ranges are supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> @@ -826,7 +825,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> packet-type [broadcast | host | multicast | other] - Match based on packet type criteria. + Match based on the packet type. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> protocol [<text> | <0-255> | all | tcp_udp] @@ -837,10 +836,9 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> protocol [<text> | <0-255> | all | tcp_udp] - Match a protocol criteria. A protocol number or a name which is here - defined: ``/etc/protocols``. + Match based on protocol number or name as defined in ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp - based packets. The ``!`` negate the selected protocol. + based packets. The ``!`` negates the selected protocol. .. code-block:: none @@ -948,7 +946,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> hop-limit <eq | gt | lt> <0-255> - Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for + Match the hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> @@ -984,7 +982,7 @@ Synproxy connections .. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> - Set TCP-MSS (maximum segment size) for the connection + Set the TCP-MSS (maximum segment size) for the connection .. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> @@ -1027,7 +1025,8 @@ Rule-set overview .. opcmd:: show firewall - This will show you a basic firewall overview + This will show you a basic firewall overview, for all rule-sets, and not + only for ipv6 .. code-block:: none diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index f71ad8c1..73ce0a4d 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-01 +:lastproofread: 2024-07-03 .. _firewall-zone: @@ -11,9 +11,9 @@ Overview ******** .. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall - structure can be found on all VyOS installations. Zone based firewall was - removed in that version, but re introduced in VyOS 1.4 and 1.5. All - versions built after 2023-10-22 has this feature. + structure can be found on all VyOS installations. The Zone based firewall + was removed in that version, but re introduced in VyOS 1.4 and 1.5. All + versions built after 2023-10-22 have this feature. Documentation for most of the new firewall CLI can be found in the `firewall <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ @@ -22,13 +22,13 @@ Overview :doc:`legacy firewall configuration </configuration/firewall/general-legacy>` chapter. -In this section there's useful information of all firewall configuration that -is needed for zone-based firewall. +In this section there's useful information on all firewall configuration that +is needed for the zone-based firewall. Configuration commands covered in this section: .. cfgcmd:: set firewall zone ... -From main structure defined in +From the main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` in this section you can find detailed information only for the next part of the general structure: @@ -53,7 +53,7 @@ Key Points: interface can be assigned to only a single zone. * All traffic to and from an interface within a zone is permitted. * All traffic between zones is affected by existing policies -* Traffic cannot flow between zone member interface and any interface that is +* Traffic cannot flow between a zone member interface and any interface that is not a zone member. * You need 2 separate firewalls to define traffic: one for each direction. @@ -129,7 +129,7 @@ Operation-mode .. opcmd:: show firewall zone-policy - This will show you a basic summary of zones configuration. + This will show you a basic summary of the zone configuration. .. code-block:: none |