author: Christian Poessinger <christian@poessinger.com> 2022-09-14 19:55:56 +0200
committer: Christian Poessinger <christian@poessinger.com> 2022-09-14 19:55:56 +0200
commit: 122ecb23fc35806b48836772423581cf66a2ee59
tree: 1cdf7fd0c897abab30ec0fef84a1fc9f1213a674 /docs/configexamples
parent: 6071376c03d34081f8e24c0e1b9093e9a7a1a1c4
firewall: T2199: adjust to new 1.4 CLI syntax
"set zone-policy zone <name>" moved to "set firewall zone <name>".
Diffstat (limited to 'docs/configexamples')
-rw-r--r-- docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst 9
-rw-r--r-- docs/configexamples/zone-policy.rst 26
2 files changed, 19 insertions, 16 deletions
diff --git a/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst b/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst
index b7621113..80076a0a 100644
--- a/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst
+++ b/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst
@@ -65,7 +65,7 @@ Now you should be able to ping a public IPv6 Address
64 bytes from 2001:470:20::2: icmp_seq=2 ttl=64 time=30.5 ms
64 bytes from 2001:470:20::2: icmp_seq=3 ttl=64 time=30.8 ms
64 bytes from 2001:470:20::2: icmp_seq=4 ttl=64 time=90.5 ms
-
+
--- 2001:470:20::2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 30.519/45.797/90.546/25.837 ms
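Review bot: the removed and added lines just before `--- 2001:470:20::2 ping statistics ---` both render as empty, so this is a whitespace-only change unrelated to the T2199 syntax move named in the commit message. The same pattern repeats in the two hunks that follow in this file; consider splitting the whitespace cleanup into its own commit, or mention it in the commit message so the functional change is easier to audit.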
@@ -89,7 +89,7 @@ You should now be able to ping something by IPv6 DNS name:
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=2 ttl=48 time=234 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=3 ttl=48 time=182 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=4 ttl=48 time=183 ms
-
+
--- tunnelbroker.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 182.224/195.335/233.869/22.248 ms
@@ -152,7 +152,7 @@ Now the Client is able to ping a public IPv6 address
64 bytes from 2001:470:20::2: icmp_seq=2 ttl=63 time=31.3 ms
64 bytes from 2001:470:20::2: icmp_seq=3 ttl=63 time=31.7 ms
64 bytes from 2001:470:20::2: icmp_seq=4 ttl=63 time=104 ms
-
+
--- 2001:470:20::2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 31.331/56.908/104.282/29.764 ms
@@ -204,5 +204,4 @@ instead of `set firewall name NAME`, you would use `set firewall ipv6-name
NAME`.
Similarly, to attach the firewall, you would use `set interfaces ethernet eth0
-firewall in ipv6-name` or `set zone-policy zone LOCAL from WAN firewall
-ipv6-name`. \ No newline at end of file
+firewall in ipv6-name` or `set firewall zone LOCAL from WAN firewall ipv6-name`. \ No newline at end of file
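Review bot: the rewritten last line still ends with `\ No newline at end of file`, so the file keeps its missing trailing newline; add one while this line is being touched. This page also gets no equivalent of the T2199 note that this commit adds to zone-policy.rst, so a reader on an earlier release who sees `set firewall zone LOCAL from WAN firewall ipv6-name` has no hint that the command used to start with `set zone-policy zone`; consider a short note here as well.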
diff --git a/docs/configexamples/zone-policy.rst b/docs/configexamples/zone-policy.rst
index 7d512797..90de8b24 100644
--- a/docs/configexamples/zone-policy.rst
+++ b/docs/configexamples/zone-policy.rst
@@ -5,6 +5,10 @@
Zone-Policy example
-------------------
+.. note:: In :vytask:`T2199` the syntax of the zone configuration was changed.
+ The zone configuration moved from ``zone-policy zone <name>`` to ``firewall
+ zone <name>``.
+
Native IPv4 and IPv6
^^^^^^^^^^^^^^^^^^^^
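Review bot: the added note names the task and both command forms but not the release the change applies to; the commit subject calls this the 1.4 CLI syntax, so say so in the note, letting readers on earlier releases know that `zone-policy zone <name>` is still the form they need. The page title directly above the note remains `Zone-Policy example`, which is worth a second look now that the commands live under `firewall zone`.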
@@ -171,14 +175,14 @@ the source/destination address is not explicit.
.. code-block:: none
- WAN – DMZ:192.168.200.200 – tcp/80
- WAN – DMZ:192.168.200.200 – tcp/443
- WAN – DMZ:192.168.200.200 – tcp/25
- WAN – DMZ:192.168.200.200 – tcp/53
- WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/80
- WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/443
- WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/25
- WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/53
+ WAN - DMZ:192.168.200.200 - tcp/80
+ WAN - DMZ:192.168.200.200 - tcp/443
+ WAN - DMZ:192.168.200.200 - tcp/25
+ WAN - DMZ:192.168.200.200 - tcp/53
+ WAN - DMZ:2001:0DB8:0:BBBB::200 - tcp/80
+ WAN - DMZ:2001:0DB8:0:BBBB::200 - tcp/443
+ WAN - DMZ:2001:0DB8:0:BBBB::200 - tcp/25
+ WAN - DMZ:2001:0DB8:0:BBBB::200 - tcp/53
DMZ - Local - tcp/53
DMZ - Local - tcp/123
@@ -345,8 +349,8 @@ Start by setting the interface and default action for each zone.
.. code-block:: none
- set zone-policy zone dmz default-action drop
- set zone-policy zone dmz interface eth0.30
+ set firewall zone dmz default-action drop
+ set firewall zone dmz interface eth0.30
In this case, we are setting the v6 ruleset that represents traffic
sourced from the LAN, destined for the DMZ. Because the zone-policy
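Review bot: the unchanged sentence after the code block still reads "Because the zone-policy", while the commands above it now begin with `set firewall zone dmz`. Check whether that prose should be reworded to match the new command path, or whether "zone-policy" is being kept deliberately as the feature name, and make the choice consistent across the page.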
@@ -355,7 +359,7 @@ it backwards.
.. code-block:: none
- set zone-policy zone dmz from lan firewall ipv6-name lan-dmz-6
+ set firewall zone dmz from lan firewall ipv6-name lan-dmz-6
DMZ-LAN policy is LAN-DMZ. You can get a rhythm to it when you build out
a bunch at one time.