| field | value | date |
|---|---|---|
| author | whyrlpool <26317568+whyrlpool@users.noreply.github.com> | 2024-07-03 17:32:28 +0100 |
| committer | GitHub <noreply@github.com> | 2024-07-03 17:32:28 +0100 |
| commit | b88448bb7b006a92d601053b9def83e16fc28cac | |
| tree | 60459549f090c5a2cf6c1eabf66eaed2e60371d6 /docs/configuration/firewall | |
| parent | 63988391efed6c7f193c832abb649f996b8ea33a | |
| parent | 8214ffe4c61f6a14bddf2fed43bff915f2503c6f | |
Merge pull request #1 from whyrlpool:current
proofread and update firewall docs
Diffstat (limited to 'docs/configuration/firewall')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/configuration/firewall/bridge.rst | 48 |
| -rw-r--r-- | docs/configuration/firewall/flowtables.rst | 26 |
| -rw-r--r-- | docs/configuration/firewall/global-options.rst | 22 |
| -rw-r--r-- | docs/configuration/firewall/groups.rst | 19 |
| -rw-r--r-- | docs/configuration/firewall/index.rst | 26 |
| -rw-r--r-- | docs/configuration/firewall/ipv4.rst | 165 |
| -rw-r--r-- | docs/configuration/firewall/ipv6.rst | 167 |
| -rw-r--r-- | docs/configuration/firewall/zone.rst | 18 |
8 files changed, 244 insertions, 247 deletions
| diff --git a/docs/configuration/firewall/bridge.rst b/docs/configuration/firewall/bridge.rst index f84fd456..2e3d3634 100644 --- a/docs/configuration/firewall/bridge.rst +++ b/docs/configuration/firewall/bridge.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-08 +:lastproofread: 2024-07-03  .. _firewall-configuration: @@ -12,13 +12,13 @@ Bridge Firewall Configuration  Overview  ******** -In this section there's useful information of all firewall configuration that -can be done regarding bridge, and appropriate op-mode commands. +In this section there's useful information on all firewall configuration that +can be done regarding bridges, and appropriate op-mode commands.  Configuration commands covered in this section:  .. cfgcmd:: set firewall bridge ... -From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +From the main structure defined in :doc:`Firewall Overview</configuration/firewall/index>`  in this section you can find detailed information only for the next part  of the general structure: @@ -41,7 +41,7 @@ For traffic that needs to be forwarded internally by the bridge, base chain is  is **forward**, and it's base command for filtering is ``set firewall bridge  forward filter ...``, which happens in stage 4, highlighted with red color. -Custom bridge firewall chains can be create with command ``set firewall bridge +Custom bridge firewall chains can be created with the command ``set firewall bridge  name <name> ...``. In order to use such custom chain, a rule with action jump,  and the appropriate target should be defined in a base chain. 
@@ -55,9 +55,9 @@ and the appropriate target should be defined in a base chain.  Bridge Rules  ************ -For firewall filtering, firewall rules needs to be created. Each rule is +For firewall filtering, firewall rules need to be created. Each rule is  numbered, has an action to apply if the rule is matched, and the ability -to specify multiple criteria matchers. Data packets go through the rules +to specify multiple matching criteria. Data packets go through the rules  from 1 - 999999, so order is crucial. At the first match the action of the  rule will be executed. @@ -65,7 +65,7 @@ Actions  =======  If a rule is defined, then an action must be defined for it. This tells the -firewall what to do if all criteria matchers defined for such rule do match. +firewall what to do if all matching criterea in the rule are met.  In firewall bridge rules, the action can be: @@ -101,7 +101,7 @@ In firewall bridge rules, the action can be:     queue <0-65535>     To be used only when action is set to ``queue``. Use this command to specify -   queue target to use. Queue range is also supported. +   the queue target to use. Queue range is also supported.  .. cfgcmd:: set firewall bridge forward filter rule <1-999999>     queue-options bypass @@ -121,7 +121,7 @@ In firewall bridge rules, the action can be:     distribute packets between several queues.  Also, **default-action** is an action that takes place whenever a packet does -not match any rule in it's chain. For base chains, possible options for +not match any rule in its' chain. For base chains, possible options for  **default-action** are **accept** or **drop**.  .. cfgcmd:: set firewall bridge forward filter default-action 
@@ -129,10 +129,10 @@ not match any rule in it's chain. For base chains, possible options for  .. cfgcmd:: set firewall bridge name <name> default-action     [accept | continue | drop | jump | queue | return] -   This set the default action of the rule-set if no rule matched a packet -   criteria. If default-action is set to ``jump``, then +   This sets the default action of the rule-set if a packet does not match +   any of the rules in that chain. If default-action is set to ``jump``, then     ``default-jump-target`` is also needed. Note that for base chains, default -   action can only be set to ``accept`` or ``drop``, while on custom chain, +   action can only be set to ``accept`` or ``drop``, while on custom chains     more actions are available.  .. cfgcmd:: set firewall bridge name <name> default-jump-target <text> @@ -141,9 +141,9 @@ not match any rule in it's chain. For base chains, possible options for     command to specify jump target for default rule.  .. note:: **Important note about default-actions:** -   If default action for any base chain is not defined, then the default -   action is set to **accept** for that chain. For custom chains, if default -   action is not defined, then the default-action is set to **drop**. +   If the default action for any base chain is not defined, then the default +   action is set to **accept** for that chain. For custom chains, if the  +   default action is not defined, then the default-action is set to **drop**.  Firewall Logs  ============= @@ -155,7 +155,7 @@ log options can be defined.  .. cfgcmd:: set firewall bridge name <name> rule <1-999999> log     Enable logging for the matched packet. If this configuration command is not -   present, then log is not enabled. +   present, then the log is not enabled.  .. cfgcmd:: set firewall bridge forward filter default-log  .. cfgcmd:: set firewall bridge name <name> default-log 
@@ -170,14 +170,15 @@ log options can be defined.     log-options level [emerg | alert | crit | err | warn | notice     | info | debug] -   Define log-level. Only applicable if rule log is enable. +   Define log-level. Only applicable if rule log is enabled.  .. cfgcmd:: set firewall bridge forward filter rule <1-999999>     log-options group <0-65535>  .. cfgcmd:: set firewall bridge name <name> rule <1-999999>     log-options group <0-65535> -   Define log group to send message to. Only applicable if rule log is enable. +   Define the log group to send messages to. Only applicable if rule log is +   enabled.  .. cfgcmd:: set firewall bridge forward filter rule <1-999999>     log-options snapshot-length <0-9000> @@ -185,15 +186,16 @@ log options can be defined.     log-options snapshot-length <0-9000>     Define length of packet payload to include in netlink message. Only -   applicable if rule log is enable and log group is defined. +   applicable if rule log is enabled and the log group is defined.  .. cfgcmd:: set firewall bridge forward filter rule <1-999999>     log-options queue-threshold <0-65535>  .. cfgcmd:: set firewall bridge name <name> rule <1-999999>     log-options queue-threshold <0-65535> -   Define number of packets to queue inside the kernel before sending them to -   userspace. Only applicable if rule log is enable and log group is defined. +   Define the number of packets to queue inside the kernel before sending them +   to userspace. Only applicable if rule log is enabled and the log group is  +   defined.  Firewall Description  ==================== 
@@ -207,7 +209,7 @@ For reference, a description can be defined for every defined custom chain.  Rule Status  =========== -When defining a rule, it is enable by default. In some cases, it is useful to +When defining a rule, it is enabled by default. In some cases, it is useful to  just disable the rule, rather than removing it.  .. cfgcmd:: set firewall bridge forward filter rule <1-999999> disable diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst index ae95a85f..915bf39d 100644 --- a/docs/configuration/firewall/flowtables.rst +++ b/docs/configuration/firewall/flowtables.rst @@ -1,4 +1,4 @@ -:lastproofread: 2024-06-20 +:lastproofread: 2024-07-02  .. _firewall-flowtables-configuration: @@ -12,12 +12,12 @@ Flowtables Firewall Configuration  Overview  ******** -In this section there's useful information of all firewall configuration that +In this section there's useful information on all firewall configuration that  can be done regarding flowtables.  .. cfgcmd:: set firewall flowtables ... -From main structure defined in +From the main structure defined in  :doc:`Firewall Overview</configuration/firewall/index>`  in this section you can find detailed information only for the next part  of the general structure: @@ -30,7 +30,7 @@ of the general structure:                 + ... -Flowtables  allows you to define a fastpath through the flowtable datapath. +Flowtables allow you to define a fastpath through the flowtable datapath.  The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP  and UDP protocols. 
@@ -107,10 +107,10 @@ Things to be considered in this setup:     * Minimum firewall ruleset is provided, which includes some filtering rules,       and appropriate rules for using flowtable offload capabilities. -As described, first packet will be evaluated by all the firewall path, so +As described, the first packet will be evaluated by the firewall path, so a  desired connection should be explicitly accepted. Same thing should be taken  into account for traffic in reverse order. In most cases state policies are -used in order to accept connection in reverse patch. +used in order to accept a connection in the reverse path.  We will only accept traffic coming from interface eth0, protocol tcp and  destination port 1122. All other traffic trespassing the router should be @@ -142,7 +142,7 @@ Explanation  Analysis on what happens for desired connection: -   1. First packet is received on eth0, with destination address 192.0.2.100, +   1. Firstly, a packet is received on eth0, with destination address 192.0.2.100,     protocol tcp and destination port 1122. Assume such destination address is     reachable through interface eth1. 
@@ -151,22 +151,22 @@ Analysis on what happens for desired connection:     3. Rule 110 is hit, so connection is accepted. -   4. Once answer from server 192.0.2.100 is seen in opposite direction, +   4. Once an answer from server 192.0.2.100 is seen in opposite direction,     connection state will be triggered to **established**, so this reply is     accepted in rule 20. -   5. Second packet for this connection is received by the router. Since +   5. The second packet for this connection is received by the router. Since     connection state is **established**, then rule 10 is hit, and a new entry     in the flowtable FT01 is added for this connection. -   6. All the following packets will skip traditional path, and will be offloaded -   and will use the **Fast Path**. +   6. All the following packets will skip the traditional path, will be +   offloaded and use the **Fast Path**.  Checks  ------ -It's time to check conntrack table, to see if any connection was accepted, -and if was properly offloaded +It's time to check the conntrack table, to see if any connections were accepted, +and if it was properly offloaded  .. code-block:: none diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst index 7c52045e..87fb755d 100644 --- a/docs/configuration/firewall/global-options.rst +++ b/docs/configuration/firewall/global-options.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-12-26 +:lastproofread: 2024-07-03  .. _firewall-global-options-configuration: @@ -25,7 +25,7 @@ Configuration  .. cfgcmd:: set firewall global-options all-ping [enable | disable]     By default, when VyOS receives an ICMP echo request packet destined for -   itself, it will answer with an ICMP echo reply, unless you avoid it +   itself, it will answer with an ICMP echo reply, unless you prevent it     through its firewall.     With the firewall you can set rules to accept, drop or reject ICMP in, 
@@ -55,7 +55,7 @@ Configuration  .. cfgcmd:: set firewall global-options broadcast-ping [enable | disable] -   This setting enable or disable the response of icmp broadcast +   This setting enables or disables the response to icmp broadcast     messages. The following system parameter will be altered:     * ``net.ipv4.icmp_echo_ignore_broadcasts`` @@ -63,8 +63,8 @@ Configuration  .. cfgcmd:: set firewall global-options ip-src-route [enable | disable]  .. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable] -   This setting handle if VyOS accept packets with a source route -   option. The following system parameter will be altered: +   This setting handles if VyOS accepts packets with a source route +   option. The following system parameters will be altered:     * ``net.ipv4.conf.all.accept_source_route``     * ``net.ipv6.conf.all.accept_source_route`` @@ -73,22 +73,22 @@ Configuration  .. cfgcmd:: set firewall global-options ipv6-receive-redirects     [enable | disable] -   enable or disable of ICMPv4 or ICMPv6 redirect messages accepted -   by VyOS. The following system parameter will be altered: +   Enable or disable ICMPv4 or ICMPv6 redirect messages being accepted by +   VyOS. The following system parameters will be altered:     * ``net.ipv4.conf.all.accept_redirects``     * ``net.ipv6.conf.all.accept_redirects``  .. cfgcmd:: set firewall global-options send-redirects [enable | disable] -   enable or disable ICMPv4 redirect messages send by VyOS +   Enable or disable ICMPv4 redirect messages being sent by VyOS     The following system parameter will be altered:     * ``net.ipv4.conf.all.send_redirects``  .. cfgcmd:: set firewall global-options log-martians [enable | disable] -   enable or disable the logging of martian IPv4 packets. +   Enable or disable the logging of martian IPv4 packets.     The following system parameter will be altered:     * ``net.ipv4.conf.all.log_martians`` 
@@ -103,7 +103,7 @@ Configuration  .. cfgcmd:: set firewall global-options syn-cookies [enable | disable] -   Enable or Disable if VyOS use IPv4 TCP SYN Cookies. +   Enable or disable if VyOS uses IPv4 TCP SYN Cookies.     The following system parameter will be altered:     * ``net.ipv4.tcp_syncookies`` @@ -111,7 +111,7 @@ Configuration  .. cfgcmd:: set firewall global-options twa-hazards-protection     [enable | disable] -   Enable or Disable VyOS to be :rfc:`1337` conform. +   Enable or Disable VyOS to be :rfc:`1337` conformant.     The following system parameter will be altered:     * ``net.ipv4.tcp_rfc1337`` diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst index 6111650a..fa32b98e 100644 --- a/docs/configuration/firewall/groups.rst +++ b/docs/configuration/firewall/groups.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-08 +:lastproofread: 2024-07-03  .. _firewall-groups-configuration: @@ -18,8 +18,7 @@ matcher, and/or as inbound/outbound in the case of interface group.  Address Groups  ============== -In an **address group** a single IP address or IP address ranges are -defined. +In an **address group** a single IP address or IP address range is defined.  .. cfgcmd:: set firewall group address-group <name> address [address |     address range] @@ -43,7 +42,7 @@ Network Groups  While **network groups** accept IP networks in CIDR notation, specific  IP addresses can be added as a 32-bit prefix. If you foresee the need -to add a mix of addresses and networks, the network group is +to add a mix of addresses and networks, then a network group is  recommended.  .. cfgcmd:: set firewall group network-group <name> network <CIDR> 
@@ -197,9 +196,9 @@ Commands used for this task are:  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> add-address-to-group     source-address address-group <name> -Also, specific timeout can be defined per rule. In case rule gets a hit, -source or destinatination address will be added to the group, and this -element will remain in the group until timeout expires. If no timeout +Also, specific timeouts can be defined per rule. In case rule gets a hit, +a source or destinatination address will be added to the group, and this +element will remain in the group until the timeout expires. If no timeout  is defined, then the element will remain in the group until next reboot,  or until a new commit that changes firewall configuration is done. @@ -324,7 +323,7 @@ A 4 step port knocking example is shown next:        set firewall ipv4 input filter rule 99 protocol 'tcp'        set firewall ipv4 input filter rule 99 source group dynamic-address-group 'ALLOWED' -Before testing, we can check members of firewall groups: +Before testing, we can check the members of firewall groups:     .. code-block:: none @@ -339,7 +338,7 @@ Before testing, we can check members of firewall groups:        [edit]        vyos@vyos# -With this configuration, in order to get ssh access to the router, user +With this configuration, in order to get ssh access to the router, the user  needs to:  1. Generate a new TCP connection with destination port 9990. As shown next, @@ -390,7 +389,7 @@ a new entry was added to dynamic firewall group **ALLOWED**        [edit]        vyos@vyos# -4. Now user can connect through ssh to the router (assuming ssh is configured). +4. Now the user can connect through ssh to the router (assuming ssh is configured).  **************  Operation-mode diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index daf5f116..58e3463b 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst 
@@ -1,4 +1,4 @@ -:lastproofread: 2023-11-23 +:lastproofread: 2024-07-03  ########  Firewall @@ -28,11 +28,11 @@ packet is processed at the **IP Layer**:     * **Prerouting**: All packets that are received by the router       are processed in this stage, regardless of the destination of the packet. -     Starting from vyos-1.5-rolling-202406120020, a new section was added to -     firewall configuration. There are several actions that can be done in this -     stage, and currently these actions are also defined in different parts in -     VyOS configuration. Order is important, and relevant configuration that -     acts in this stage are: +     Starting from vyos-1.5-rolling-202406120020, a new section was added to  +     the firewall configuration. There are several actions that can be done in +     this stage, and currently these actions are also defined in different +     parts of the VyOS configuration. Order is important, and the relevant  +     configuration that acts in this stage are:        * **Firewall prerouting**: rules defined under ``set firewall [ipv4 |          ipv6] prerouting raw...``. All rules defined in this section are @@ -50,9 +50,9 @@ packet is processed at the **IP Layer**:        * **Destination NAT**: rules defined under ``set [nat | nat66]          destination...``. -   * **Destination is the router?**: choose appropriate path based on +   * **Destination is the router?**: choose an appropriate path based on       destination IP address. Transit forward continues to **forward**, -     while traffic that destination IP address is configured on the router +     while traffic where the destination IP address is configured on the router       continues to **input**.     * **Input**: stage where traffic destined for the router itself can be 
@@ -73,7 +73,7 @@ packet is processed at the **IP Layer**:     * **Output**: stage where traffic that originates from the router itself       can be filtered and controlled. Bear in mind that this traffic can be a -     new connection originated by a internal process running on VyOS router, +     new connection originated by a internal process running on the VyOS router       such as NTP, or a response to traffic received externally through       **input** (for example response to an ssh login attempt to the router).       This includes ipv4 and ipv6 rules, and two different sections are present: @@ -181,10 +181,10 @@ Zone-based firewall     zone  With zone-based firewalls a new concept was implemented, in addition to the -standard in and out traffic flows, a local flow was added. This local was for -traffic originating and destined to the router itself. Which means additional -rules were required to secure the firewall itself from the network, in -addition to the existing inbound and outbound rules from the traditional +standard in and out traffic flows, a local flow was added. This local flow was +for traffic originating and destined to the router itself. Which means that  +additional rules were required to secure the firewall itself from the network, +in addition to the existing inbound and outbound rules from the traditional  concept above.  To configure VyOS with the diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst index 39370c86..abae31a5 100644 --- a/docs/configuration/firewall/ipv4.rst +++ b/docs/configuration/firewall/ipv4.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-08 +:lastproofread: 2024-07-03  .. _firewall-ipv4-configuration: 
@@ -10,13 +10,13 @@ IPv4 Firewall Configuration  Overview  ******** -In this section there's useful information of all firewall configuration that +In this section there's useful information on all firewall configuration that  can be done regarding IPv4, and appropriate op-mode commands.  Configuration commands covered in this section:  .. cfgcmd:: set firewall ipv4 ... -From main structure defined in +From the main structure defined in  :doc:`Firewall Overview</configuration/firewall/index>`  in this section you can find detailed information only for the next part  of the general structure: 
@@ -51,28 +51,28 @@ This stage includes:     * :doc:`Destination NAT</configuration/nat/nat44>`: commands found under       ``set nat destination ...`` -For transit traffic, which is received by the router and forwarded, base chain -is **forward**. A simplified packet flow diagram for transit traffic is shown -next: +For transit traffic, which is received by the router and forwarded, the base +chain is **forward**. A simplified packet flow diagram for transit traffic is +shown next:  .. figure:: /_static/images/firewall-fwd-packet-flow.png -Firewall base chain to configure firewall filtering rules for transit traffic +The base firewall chain to configure filtering rules for transit traffic  is ``set firewall ipv4 forward filter ...``, which happens in stage 5, -highlighted with red color. +highlighted in the color red. -For traffic towards the router itself, base chain is **input**, while traffic -originated by the router, base chain is **output**. +For traffic towards the router itself, the base chain is **input**, while +traffic originated by the router has the base chain **output**.  A new simplified packet flow diagram is shown next, which shows the path  for traffic destined to the router itself, and traffic generated by the  router (starting from circle number 6):  .. figure:: /_static/images/firewall-input-packet-flow.png -Base chain for traffic towards the router is ``set firewall ipv4 input +The base chain for traffic towards the router is ``set firewall ipv4 input  filter ...`` -And base chain for traffic generated by the router is ``set firewall ipv4 +And the base chain for traffic generated by the router is ``set firewall ipv4  output ...``, where two sub-chains are available: **filter** and **raw**:  * **Output Prerouting**: ``set firewall ipv4 output raw ...``. 
@@ -82,9 +82,9 @@ output ...``, where two sub-chains are available: **filter** and **raw**:    in this section are processed after connection tracking subsystem.  .. note:: **Important note about default-actions:** -   If default action for any base chain is not defined, then the default -   action is set to **accept** for that chain. For custom chains, if default -   action is not defined, then the default-action is set to **drop** +   If a default action for any base chain is not defined, then the default +   action is set to **accept** for that chain. For custom chains, if the  +   default action is not defined, then the default-action is set to **drop**  Custom firewall chains can be created, with commands  ``set firewall ipv4 name <name> ...``. In order to use @@ -95,9 +95,9 @@ should be defined in a base chain.  Firewall - IPv4 Rules  ********************* -For firewall filtering, firewall rules needs to be created. Each rule is +For firewall filtering, firewall rules need to be created. Each rule is  numbered, has an action to apply if the rule is matched, and the ability -to specify multiple criteria matchers. Data packets go through the rules +to specify multiple matching criteria. Data packets go through the rules  from 1 - 999999, so order is crucial. At the first match the action of the  rule will be executed. @@ -105,7 +105,7 @@ Actions  =======  If a rule is defined, then an action must be defined for it. This tells the -firewall what to do if all criteria matchers defined for such rule do match. +firewall what to do if all of the criteria defined for that rule match.  The action can be : 
@@ -135,8 +135,8 @@ The action can be :  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action     [accept | continue | drop | jump | queue | reject | return] -   This required setting defines the action of the current rule. If action is -   set to jump, then jump-target is also needed. +   This required setting defines the action of the current rule. If the action +   is set to jump, then a jump-target is also needed.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     jump-target <text> @@ -148,7 +148,7 @@ The action can be :     jump-target <text>     To be used only when action is set to ``jump``. Use this command to specify -   jump target. +   the jump target.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     queue <0-65535> @@ -160,7 +160,7 @@ The action can be :     queue <0-65535>     To be used only when action is set to ``queue``. Use this command to specify -   queue target to use. Queue range is also supported. +   the queue target to use. Queue range is also supported.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     queue-options bypass @@ -171,7 +171,7 @@ The action can be :  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     queue-options bypass -   To be used only when action is set to ``queue``. Use this command to let +   To be used only when action is set to ``queue``. Use this command to let the     packet go through firewall when no userspace software is connected to the     queue. 
@@ -200,21 +200,21 @@ not match any rule in it's chain. For base chains, possible options for  .. cfgcmd:: set firewall ipv4 name <name> default-action     [accept | drop | jump | queue | reject | return] -   This set the default action of the rule-set if no rule matched a packet -   criteria. If default-action is set to ``jump``, then -   ``default-jump-target`` is also needed. Note that for base chains, default -   action can only be set to ``accept`` or ``drop``, while on custom chain, -   more actions are available. +   This sets the default action of the rule-set if a packet does not match the +   criteria of any rule. If default-action is set to ``jump``, then +   ``default-jump-target`` is also needed. Note that for base chains, the +   default action can only be set to ``accept`` or ``drop``, while on custom  +   chains, more actions are available.  .. cfgcmd:: set firewall ipv4 name <name> default-jump-target <text>     To be used only when ``default-action`` is set to ``jump``. Use this -   command to specify jump target for default rule. +   command to specify the jump target for the default rule.  .. note:: **Important note about default-actions:** -   If default action for any base chain is not defined, then the default -   action is set to **accept** for that chain. For custom chains, if default -   action is not defined, then the default-action is set to **drop**. +   If the default action for any base chain is not defined, then the default +   action is set to **accept** for that chain. For custom chains if a default +   action is not defined then the default-action is set to **drop**.  Firewall Logs  ============= 
@@ -228,7 +228,7 @@ log options can be defined.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log     Enable logging for the matched packet. If this configuration command is not -   present, then log is not enabled. +   present, then the log is not enabled.  .. cfgcmd:: set firewall ipv4 forward filter default-log  .. cfgcmd:: set firewall ipv4 input filter default-log @@ -251,7 +251,7 @@ log options can be defined.     log-options level [emerg | alert | crit | err | warn | notice     | info | debug] -   Define log-level. Only applicable if rule log is enable. +   Define log-level. Only applicable if rule log is enabled.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     log-options group <0-65535> @@ -262,7 +262,8 @@ log options can be defined.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     log-options group <0-65535> -   Define log group to send message to. Only applicable if rule log is enable. +   Define the log group to send messages to. Only applicable if rule log is +   enabled.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     log-options snapshot-length <0-9000> @@ -273,8 +274,8 @@ log options can be defined.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     log-options snapshot-length <0-9000> -   Define length of packet payload to include in netlink message. Only -   applicable if rule log is enable and log group is defined. +   Define the length of packet payload to include in a netlink message. Only +   applicable if rule log is enabled and log group is defined.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     log-options queue-threshold <0-65535> 
@@ -285,8 +286,8 @@ log options can be defined.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     log-options queue-threshold <0-65535> -   Define number of packets to queue inside the kernel before sending them to -   userspace. Only applicable if rule log is enable and log group is defined. +   Define the number of packets to queue inside the kernel before sending them +   to userspace. Only applicable if rule log is enabled and log group is defined.  Firewall Description  ==================== @@ -311,7 +312,7 @@ every defined custom chain.  Rule Status  =========== -When defining a rule, it is enable by default. In some cases, it is useful to +When defining a rule, it is enabled by default. In some cases, it is useful to  just disable the rule, rather than removing it.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> disable @@ -335,7 +336,7 @@ There are a lot of matching criteria against which the packet can be tested.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     connection-status nat [destination | source] -   Match criteria based on nat connection status. +   Match based on nat connection status.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     connection-mark <1-2147483647> @@ -346,7 +347,7 @@ There are a lot of matching criteria against which the packet can be tested.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     connection-mark <1-2147483647> -   Match criteria based on connection mark. +   Match based on connection mark.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     conntrack-helper <module> 
@@ -445,8 +446,8 @@ There are a lot of matching criteria against which the packet can be tested.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     destination fqdn <fqdn> -   Specify a Fully Qualified Domain Name as source/destination matcher. Ensure -   router is able to resolve such dns query. +   Specify a Fully Qualified Domain Name as source/destination to match. Ensure +   that the router is able to resolve this dns query.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     source geoip country-code <country> @@ -503,14 +504,13 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     source mac-address <mac-address> -   Only in the source criteria, you can specify a mac-address. +   You can only specify a source mac-address to match.     .. code-block:: none        set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33        set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34 -  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     source port [1-65535 | portname | start-end]  .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> @@ -529,8 +529,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     destination port [1-65535 | portname | start-end] -   A port can be set with a port number or a name which is here -   defined: ``/etc/services``. +   A port can be set by number or name as defined in ``/etc/services``.     .. code-block:: none 
@@ -559,8 +558,8 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     destination group address-group <name | !name> -   Use a specific address-group. Prepend character ``!`` for inverted matching -   criteria. +   Use a specific address-group. Prepending the character ``!`` to invert the +   criteria to match is also supported.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     source group dynamic-address-group <name | !name> @@ -580,8 +579,8 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     destination group dynamic-address-group <name | !name> -   Use a specific dynamic-address-group. Prepend character ``!`` for inverted -   matching criteria. +   Use a specific dynamic-address-group. Prepending the character ``!`` to +   invert the criteria to match is also supported.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     source group network-group <name | !name> @@ -601,8 +600,8 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     destination group network-group <name | !name> -   Use a specific network-group. Prepend character ``!`` for inverted matching -   criteria. +   Use a specific network-group. Prepending the character ``!`` to invert the +   criteria to match is also supported.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     source group port-group <name | !name> @@ -622,8 +621,8 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     destination group port-group <name | !name> -   Use a specific port-group. Prepend character ``!`` for inverted matching -   criteria. +   Use a specific port-group. Prepending the character ``!`` to invert the +   criteria to match is also supported.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     source group domain-group <name | !name> 
@@ -643,8 +642,8 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     destination group domain-group <name | !name> -   Use a specific domain-group. Prepend character ``!`` for inverted matching -   criteria. +   Use a specific domain-group. Prepending the character ``!`` to invert the +   criteria to match is also supported.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     source group mac-group <name | !name> @@ -664,8 +663,8 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     destination group mac-group <name | !name> -   Use a specific mac-group. Prepend character ``!`` for inverted matching -   criteria. +   Use a specific mac-group. Prepending the character ``!`` to invert the +   criteria to match is also supported.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     dscp [0-63 | start-end] @@ -696,7 +695,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     fragment [match-frag | match-non-frag] -   Match based on fragment criteria. +   Match based on fragmentation.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     icmp [code | type] <0-255> @@ -718,7 +717,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     icmp type-name <text> -   Match based on icmp type-name criteria. Use tab for information +   Match based on icmp type-name. Use tab for information     about what **type-name** criteria are supported.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> 
@@ -729,11 +728,11 @@ geoip) to keep database and rules updated.     inbound-interface name <iface>     Match based on inbound interface. Wildcard ``*`` can be used. -   For example: ``eth2*``. Prepending character ``!`` for inverted matching -   criteria is also supported. For example ``!eth2`` +   For example: ``eth2*``. Prepending the character ``!`` to invert the +   criteria to match is also supported. For example ``!eth2``  .. note:: If an interface is attached to a non-default vrf, when using -   **inbound-interface**, vrf name must be used. For example ``set firewall +   **inbound-interface**, the vrf name must be used. For example ``set firewall     ipv4 forward filter rule 10 inbound-interface name MGMT``  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> @@ -743,8 +742,8 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     inbound-interface group <iface_group> -   Match based on inbound interface group. Prepending character ``!`` for -   inverted matching criteria is also supported. For example ``!IFACE_GROUP`` +   Match based on the inbound interface group. Prepending the character ``!``  +   to invert the criteria to match is also supported. For example ``!IFACE_GROUP``  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     outbound-interface name <iface> 
@@ -754,11 +753,11 @@ geoip) to keep database and rules updated.     outbound-interface name <iface>     Match based on outbound interface. Wildcard ``*`` can be used. -   For example: ``eth2*``. Prepending character ``!`` for inverted matching -   criteria is also supported. For example ``!eth2`` +   For example: ``eth2*``. Prepending the character ``!`` to invert the +   criteria to match is also supported. For example ``!eth2``  .. note:: If an interface is attached to a non-default vrf, when using -   **outbound-interface**, real interface name must be used. For example +   **outbound-interface**, the real interface name must be used. For example     ``set firewall ipv4 forward filter rule 10 outbound-interface name eth0``  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> @@ -768,8 +767,8 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     outbound-interface group <iface_group> -   Match based on outbound interface group. Prepending character ``!`` for -   inverted matching criteria is also supported. For example ``!IFACE_GROUP`` +   Match based on outbound interface group. Prepending the character ``!`` to +   invert the criteria to match is also supported. For example ``!IFACE_GROUP``  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     ipsec [match-ipsec | match-none] @@ -780,7 +779,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     ipsec [match-ipsec | match-none] -   Match based on ipsec criteria. +   Match based on ipsec.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     limit burst <0-4294967295> 
@@ -823,7 +822,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     packet-length-exclude <text> -   Match based on packet length criteria. Multiple values from 1 to 65535 +   Match based on the packet length. Multiple values from 1 to 65535     and ranges are supported.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> @@ -835,7 +834,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     packet-type [broadcast | host | multicast | other] -   Match based on packet type criteria. +   Match based on the packet type.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     protocol [<text> | <0-255> | all | tcp_udp] @@ -846,10 +845,9 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     protocol [<text> | <0-255> | all | tcp_udp] -   Match a protocol criteria. A protocol number or a name which is here -   defined: ``/etc/protocols``. +   Match based on protocol number or name as defined in ``/etc/protocols``.     Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp -   based packets. The ``!`` negate the selected protocol. +   based packets. The ``!`` negates the selected protocol.     .. code-block:: none @@ -874,7 +872,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     recent time [second | minute | hour] -   Match bases on recently seen sources. +   Match based on recently seen sources.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     tcp flags [not] <text> 
@@ -958,8 +956,8 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>     ttl <eq | gt | lt> <0-255> -   Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for -   'greater than', and 'lt' stands for 'less than'. +   Match the time to live parameter, where 'eq' stands for 'equal'; 'gt' stands +   for 'greater than', and 'lt' stands for 'less than'.  .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>     recent count <1-255> @@ -994,7 +992,7 @@ Synproxy connections  .. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999>     synproxy tcp mss <501-65535> -    Set TCP-MSS (maximum segment size) for the connection +    Set the TCP-MSS (maximum segment size) for the connection  .. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999>     synproxy tcp window-scale <1-14> @@ -1028,7 +1026,6 @@ Requirements to enable synproxy:    set firewall ipv4 input filter rule 1000 action 'drop'    set firewall ipv4 input filter rule 1000 state invalid -  ***********************  Operation-mode Firewall  *********************** @@ -1038,7 +1035,7 @@ Rule-set overview  .. opcmd:: show firewall -   This will show you a basic firewall overview, for all ruleset, and not +   This will show you a basic firewall overview, for all rule-sets, and not     only for ipv4     .. code-block:: none diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst index 511fd51f..5f526dac 100644 --- a/docs/configuration/firewall/ipv6.rst +++ b/docs/configuration/firewall/ipv6.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-08 +:lastproofread: 2024-07-03  .. _firewall-ipv6-configuration: 
@@ -10,13 +10,13 @@ IPv6 Firewall Configuration  Overview  ******** -In this section there's useful information of all firewall configuration that +In this section there's useful information on all firewall configuration that  can be done regarding IPv6, and appropriate op-mode commands.  Configuration commands covered in this section:  .. cfgcmd:: set firewall ipv6 ... -From main structure defined in +From the main structure defined in  :doc:`Firewall Overview</configuration/firewall/index>`  in this section you can find detailed information only for the next part  of the general structure: 
@@ -51,29 +51,29 @@ This stage includes:     * :doc:`Destination NAT</configuration/nat/nat44>`: commands found under       ``set nat66 destination ...`` -For transit traffic, which is received by the router and forwarded, base chain -is **forward**. A simplified packet flow diagram for transit traffic is shown -next: +For transit traffic, which is received by the router and forwarded, the base +chain is **forward**. A simplified packet flow diagram for transit traffic is +shown next:  .. figure:: /_static/images/firewall-fwd-packet-flow.png -Firewall base chain to configure firewall filtering rules for transit traffic +The base firewall chain to configure filtering rules for transit traffic  is ``set firewall ipv6 forward filter ...``, which happens in stage 5, -highlighted with red color. +highlighted in the color red. -For traffic towards the router itself, base chain is **input**, while traffic -originated by the router, base chain is **output**. +For traffic towards the router itself, the base chain is **input**, while +traffic originated by the router has the base chain **output**.  A new simplified packet flow diagram is shown next, which shows the path  for traffic destined to the router itself, and traffic generated by the  router (starting from circle number 6):  .. figure:: /_static/images/firewall-input-packet-flow.png -Base chain for traffic towards the router is ``set firewall ipv6 input +The base chain for traffic towards the router is ``set firewall ipv6 input  filter ...`` -And base chain for traffic generated by the router is ``set firewall ipv6 -output filter ...``, where two sub-chains are available: **filter** and **raw**: +And the base chain for traffic generated by the router is ``set firewall ipv6 +output ...``, where two sub-chains are available: **filter** and **raw**:  * **Output Prerouting**: ``set firewall ipv6 output raw ...``.    As described in **Prerouting**, rules defined in this section are 
@@ -82,9 +82,9 @@ output filter ...``, where two sub-chains are available: **filter** and **raw**:    in this section are processed after connection tracking subsystem.  .. note:: **Important note about default-actions:** -   If default action for any base chain is not defined, then the default -   action is set to **accept** for that chain. For custom chains, if default -   action is not defined, then the default-action is set to **drop** +   If a default action for any base chain is not defined, then the default +   action is set to **accept** for that chain. For custom chains, if the +   default action is not defined, then the default-action is set to **drop**  Custom firewall chains can be created, with commands  ``set firewall ipv6 name <name> ...``. In order to use @@ -95,9 +95,9 @@ should be defined in a base chain.  Firewall - IPv6 Rules  ****************************** -For firewall filtering, firewall rules needs to be created. Each rule is +For firewall filtering, firewall rules need to be created. Each rule is  numbered, has an action to apply if the rule is matched, and the ability -to specify multiple criteria matchers. Data packets go through the rules +to specify multiple matching criteria. Data packets go through the rules  from 1 - 999999, so order is crucial. At the first match the action of the  rule will be executed. @@ -105,7 +105,7 @@ Actions  =======  If a rule is defined, then an action must be defined for it. This tells the -firewall what to do if all criteria matchers defined for such rule do match. +firewall what to do if all of the criteria defined for that rule match.  The action can be : 
@@ -135,8 +135,8 @@ The action can be :  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> action     [accept | continue | drop | jump | queue | reject | return] -   This required setting defines the action of the current rule. If action is -   set to jump, then jump-target is also needed. +   This required setting defines the action of the current rule. If the action +   is set to jump, then a jump-target is also needed.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     jump-target <text> @@ -148,7 +148,7 @@ The action can be :     jump-target <text>     To be used only when action is set to ``jump``. Use this command to specify -   jump target. +   the jump target.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     queue <0-65535> @@ -160,7 +160,7 @@ The action can be :     queue <0-65535>     To be used only when action is set to ``queue``. Use this command to specify -   queue target to use. Queue range is also supported. +   the queue target to use. Queue range is also supported.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     queue-options bypass @@ -171,7 +171,7 @@ The action can be :  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     queue-options bypass -   To be used only when action is set to ``queue``. Use this command to let +   To be used only when action is set to ``queue``. Use this command to let the     packet go through firewall when no userspace software is connected to the     queue. 
@@ -200,21 +200,21 @@ not match any rule in it's chain. For base chains, possible options for  .. cfgcmd:: set firewall ipv6 name <name> default-action     [accept | drop | jump | queue | reject | return] -   This set the default action of the rule-set if no rule matched a packet -   criteria. If default-action is set to ``jump``, then -   ``default-jump-target`` is also needed. Note that for base chains, default -   action can only be set to ``accept`` or ``drop``, while on custom chain, -   more actions are available. +   This sets the default action of the rule-set if a packet does not match the +   criteria of any rule. If default-action is set to ``jump``, then +   ``default-jump-target`` is also needed. Note that for base chains, the +   default action can only be set to ``accept`` or ``drop``, while on custom  +   chains, more actions are available.  .. cfgcmd:: set firewall ipv6 name <name> default-jump-target <text>     To be used only when ``default-action`` is set to ``jump``. Use this -   command to specify jump target for default rule. +   command to specify the jump target for the default rule.  .. note:: **Important note about default-actions:** -   If default action for any base chain is not defined, then the default -   action is set to **accept** for that chain. For custom chains, if default -   action is not defined, then the default-action is set to **drop**. +   If the default action for any base chain is not defined, then the default +   action is set to **accept** for that chain. For custom chains if a default +   action is not defined then the default-action is set to **drop**.  Firewall Logs  ============= 
@@ -228,7 +228,7 @@ log options can be defined.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log     Enable logging for the matched packet. If this configuration command is not -   present, then log is not enabled. +   present, then the log is not enabled.  .. cfgcmd:: set firewall ipv6 forward filter default-log  .. cfgcmd:: set firewall ipv6 input filter default-log @@ -251,7 +251,7 @@ log options can be defined.     log-options level [emerg | alert | crit | err | warn | notice     | info | debug] -   Define log-level. Only applicable if rule log is enable. +   Define log-level. Only applicable if rule log is enabled.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     log-options group <0-65535> @@ -262,7 +262,8 @@ log options can be defined.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     log-options group <0-65535> -   Define log group to send message to. Only applicable if rule log is enable. +   Define the log group to send messages to. Only applicable if rule log is +   enabled.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     log-options snapshot-length <0-9000> @@ -273,8 +274,8 @@ log options can be defined.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     log-options snapshot-length <0-9000> -   Define length of packet payload to include in netlink message. Only -   applicable if rule log is enable and log group is defined. +   Define the length of packet payload to include in a netlink message. Only +   applicable if rule log is enabled and log group is defined.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     log-options queue-threshold <0-65535> 
@@ -285,8 +286,8 @@ log options can be defined.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     log-options queue-threshold <0-65535> -   Define number of packets to queue inside the kernel before sending them to -   userspace. Only applicable if rule log is enable and log group is defined. +   Define the number of packets to queue inside the kernel before sending them +   to userspace. Only applicable if rule log is enabled and log group is defined.  Firewall Description  ==================== @@ -311,7 +312,7 @@ every defined custom chain.  Rule Status  =========== -When defining a rule, it is enable by default. In some cases, it is useful to +When defining a rule, it is enabled by default. In some cases, it is useful to  just disable the rule, rather than removing it.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> disable @@ -335,7 +336,7 @@ There are a lot of matching criteria against which the packet can be tested.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     connection-status nat [destination | source] -   Match criteria based on nat connection status. +   Match based on nat connection status.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     connection-mark <1-2147483647> @@ -346,7 +347,7 @@ There are a lot of matching criteria against which the packet can be tested.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     connection-mark <1-2147483647> -   Match criteria based on connection mark. +   Match based on connection mark.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     source address [address | addressrange | CIDR] 
@@ -366,9 +367,8 @@ There are a lot of matching criteria against which the packet can be tested.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     destination address [address | addressrange | CIDR] -   Match criteria based on source and/or destination address. This is similar -   to the network groups part, but here you are able to negate the matching -   addresses. +   Match based on source and/or destination address. This is similar to the +   network groups part, but here you are able to negate the matching addresses.     .. code-block:: none @@ -433,8 +433,8 @@ There are a lot of matching criteria against which the packet can be tested.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     destination fqdn <fqdn> -   Specify a Fully Qualified Domain Name as source/destination matcher. Ensure -   router is able to resolve such dns query. +   Specify a Fully Qualified Domain Name as source/destination to match. Ensure +   that the router is able to resolve this dns query.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     source geoip country-code <country> @@ -491,7 +491,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     source mac-address <mac-address> -   Only in the source criteria, you can specify a mac-address. +   You can only specify a source mac-address to match.     .. code-block:: none @@ -516,8 +516,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     destination port [1-65535 | portname | start-end] -   A port can be set with a port number or a name which is here -   defined: ``/etc/services``. +   A port can be set by number or name as defined in ``/etc/services``.     .. code-block:: none 
@@ -550,8 +549,8 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     destination group address-group <name | !name> -   Use a specific address-group. Prepend character ``!`` for inverted matching -   criteria. +   Use a specific address-group. Prepending the character ``!`` to invert the +   criteria to match is also supported.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     source group dynamic-address-group <name | !name> @@ -571,8 +570,8 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     destination group dynamic-address-group <name | !name> -   Use a specific dynamic-address-group. Prepend character ``!`` for inverted -   matching criteria. +   Use a specific dynamic-address-group. Prepending the character ``!`` to +   invert the criteria to match is also supported.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     source group network-group <name | !name> @@ -592,8 +591,8 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     destination group network-group <name | !name> -   Use a specific network-group. Prepend character ``!`` for inverted matching -   criteria. +   Use a specific network-group. Prepending the character ``!`` to invert the +   criteria to match is also supported.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     source group port-group <name | !name> @@ -613,8 +612,8 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     destination group port-group <name | !name> -   Use a specific port-group. Prepend character ``!`` for inverted matching -   criteria. +   Use a specific port-group. Prepending the character ``!`` to invert the +   criteria to match is also supported.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     source group domain-group <name | !name> 
@@ -634,8 +633,8 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     destination group domain-group <name | !name> -   Use a specific domain-group. Prepend character ``!`` for inverted matching -   criteria. +   Use a specific domain-group. Prepending the character ``!`` to invert the +   criteria to match is also supported.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     source group mac-group <name | !name> @@ -655,8 +654,8 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     destination group mac-group <name | !name> -   Use a specific mac-group. Prepend character ``!`` for inverted matching -   criteria. +   Use a specific mac-group. Prepending the character ``!`` to invert the +   criteria to match is also supported.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     dscp [0-63 | start-end] @@ -687,7 +686,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     fragment [match-frag | match-non-frag] -   Match based on fragment criteria. +   Match based on fragmentation.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     icmpv6 [code | type] <0-255> @@ -709,7 +708,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     icmpv6 type-name <text> -   Match based on icmpv6 type-name criteria. Use tab for information +   Match based on icmpv6 type-name. Use tab for information     about what **type-name** criteria are supported.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> 
@@ -720,11 +719,11 @@ geoip) to keep database and rules updated.     inbound-interface name <iface>     Match based on inbound interface. Wildcard ``*`` can be used. -   For example: ``eth2*``. Prepending character ``!`` for inverted matching -   criteria is also supported. For example ``!eth2`` +   For example: ``eth2*``. Prepending the character ``!`` to invert the +   criteria to match is also supported. For example ``!eth2``  .. note:: If an interface is attached to a non-default vrf, when using -   **inbound-interface**, vrf name must be used. For example ``set firewall +   **inbound-interface**, the vrf name must be used. For example ``set firewall     ipv6 forward filter rule 10 inbound-interface name MGMT``  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> @@ -734,8 +733,8 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     inbound-interface group <iface_group> -   Match based on inbound interface group. Prepending character ``!`` for -   inverted matching criteria is also supported. For example ``!IFACE_GROUP`` +   Match based on the inbound interface group. Prepending the character ``!``  +   to invert the criteria to match is also supported. For example ``!IFACE_GROUP``  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     outbound-interface name <iface> 
@@ -745,11 +744,11 @@ geoip) to keep database and rules updated.     outbound-interface name <iface>     Match based on outbound interface. Wildcard ``*`` can be used. -   For example: ``eth2*``. Prepending character ``!`` for inverted matching -   criteria is also supported. For example ``!eth2`` +   For example: ``eth2*``. Prepending the character ``!`` to invert the +   criteria to match is also supported. For example ``!eth2``  .. note:: If an interface is attached to a non-default vrf, when using -   **outbound-interface**, real interface name must be used. For example +   **outbound-interface**, the real interface name must be used. For example     ``set firewall ipv6 forward filter rule 10 outbound-interface name eth0``  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> @@ -759,8 +758,8 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     outbound-interface group <iface_group> -   Match based on outbound interface group. Prepending character ``!`` for -   inverted matching criteria is also supported. For example ``!IFACE_GROUP`` +   Match based on outbound interface group. Prepending the character ``!`` to +   invert the criteria to match is also supported. For example ``!IFACE_GROUP``  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     ipsec [match-ipsec | match-none] @@ -771,7 +770,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     ipsec [match-ipsec | match-none] -   Match based on ipsec criteria. +   Match based on ipsec.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     limit burst <0-4294967295> 
@@ -814,7 +813,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     packet-length-exclude <text> -   Match based on packet length criteria. Multiple values from 1 to 65535 +   Match based on the packet length. Multiple values from 1 to 65535     and ranges are supported.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> @@ -826,7 +825,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     packet-type [broadcast | host | multicast | other] -   Match based on packet type criteria. +   Match based on the packet type.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>     protocol [<text> | <0-255> | all | tcp_udp] @@ -837,10 +836,9 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     protocol [<text> | <0-255> | all | tcp_udp] -   Match a protocol criteria. A protocol number or a name which is here -   defined: ``/etc/protocols``. +   Match based on protocol number or name as defined in ``/etc/protocols``.     Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp -   based packets. The ``!`` negate the selected protocol. +   based packets. The ``!`` negates the selected protocol.     .. code-block:: none @@ -948,7 +946,7 @@ geoip) to keep database and rules updated.  .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>     hop-limit <eq | gt | lt> <0-255> -   Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for +   Match the hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for     'greater than', and 'lt' stands for 'less than'.  .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> 
@@ -984,7 +982,7 @@ Synproxy connections  .. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999>     synproxy tcp mss <501-65535> -    Set TCP-MSS (maximum segment size) for the connection +    Set the TCP-MSS (maximum segment size) for the connection  .. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999>     synproxy tcp window-scale <1-14> @@ -1027,7 +1025,8 @@ Rule-set overview  .. opcmd:: show firewall -   This will show you a basic firewall overview +   This will show you a basic firewall overview, for all rule-sets, and not +   only for ipv6     .. code-block:: none diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index f71ad8c1..73ce0a4d 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-01 +:lastproofread: 2024-07-03  .. _firewall-zone: @@ -11,9 +11,9 @@ Overview  ********  .. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall -   structure can be found on all VyOS installations. Zone based firewall was -   removed in that version, but re introduced in VyOS 1.4 and 1.5. All -   versions built after 2023-10-22 has this feature. +   structure can be found on all VyOS installations. The Zone based firewall +   was removed in that version, but re introduced in VyOS 1.4 and 1.5. All +   versions built after 2023-10-22 have this feature.     Documentation for most of the new firewall CLI can be     found in the `firewall     <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ 
@@ -22,13 +22,13 @@ Overview     :doc:`legacy firewall configuration </configuration/firewall/general-legacy>`     chapter. -In this section there's useful information of all firewall configuration that -is needed for zone-based firewall. +In this section there's useful information on all firewall configuration that +is needed for the zone-based firewall.  Configuration commands covered in this section:  .. cfgcmd:: set firewall zone ... -From main structure defined in +From the main structure defined in  :doc:`Firewall Overview</configuration/firewall/index>`  in this section you can find detailed information only for the next part  of the general structure: @@ -53,7 +53,7 @@ Key Points:    interface can be assigned to only a single zone.  * All traffic to and from an interface within a zone is permitted.  * All traffic between zones is affected by existing policies -* Traffic cannot flow between zone member interface and any interface that is +* Traffic cannot flow between a zone member interface and any interface that is    not a zone member.  * You need 2 separate firewalls to define traffic: one for each direction. @@ -129,7 +129,7 @@ Operation-mode  .. opcmd:: show firewall zone-policy -   This will show you a basic summary of zones configuration. +   This will show you a basic summary of the zone configuration.     .. code-block:: none | 
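Review bot: the reworded sentence in the ipv6.rst ``outbound-interface name`` hunk (@@ -745), "Prepending the character ``!`` to invert the criteria to match is also supported", is still awkward to read; suggest "Prepending ``!`` inverts the match, for example ``!eth2``." The same phrasing is introduced for ``outbound-interface group`` in the following hunk (@@ -759) and would benefit from the same rewrite, with ``!IFACE_GROUP`` as the example.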
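Review bot: in the ipv6.rst ``ipsec`` hunk (@@ -771), shortening "Match based on ipsec criteria." to "Match based on ipsec." says less than before, and the two keywords in the command, ``match-ipsec`` and ``match-none``, are still not described at all; suggest one sentence stating which packets each keyword selects so a reader can tell the two apart without trying them.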
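Review bot: in the ipv6.rst ``packet-length-exclude`` hunk (@@ -814), the new description "Match based on the packet length." describes a plain packet-length match and does not say that the listed values are excluded, which is the whole point of this option; suggest "Match packets whose length is not one of the given values. Multiple values from 1 to 65535 and ranges are supported."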
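Review bot: the ipv6.rst ``show firewall`` hunk (@@ -1027) adds "This will show you a basic firewall overview, for all rule-sets, and not only for ipv6", which has two stray commas, lowercase "ipv6" and no terminating period; suggest "This will show you a basic overview of all firewall rule-sets, not only IPv6."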
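Review bot: the zone.rst note hunk (@@ -11) still contains "re introduced" (should be "reintroduced") and now reads "The Zone based firewall", while the next hunk in the same file (@@ -22) uses "the zone-based firewall"; suggest the lowercase hyphenated form in both places. The sentence also says the feature was removed in 1.4-rolling-202308040557 but reintroduced in VyOS 1.4 and 1.5, which reads as contradictory without the build date that follows; moving "All versions built after 2023-10-22 have this feature" directly after "removed in that version" would make the timeline clearer.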
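Review bot: in the zone.rst "Key Points" hunk (@@ -53), the unchanged context line "* All traffic between zones is affected by existing policies" is the only bullet without a terminating period; since the hunk already edits this list, it is worth adding it here for consistency with the surrounding bullets.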
