diff options
| author | Quill <69414602+teslazonda@users.noreply.github.com> | 2026-04-10 20:48:54 +0900 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2026-04-10 12:48:54 +0100 |
| commit | 71968b65b0f53dbf25963b11c640491c973d2896 (patch) | |
| tree | 09cb0487d34f7ab9359226bd590158c0a2accb83 /docs/configuration | |
| parent | 9f334f3d5547735fa8c83fd6b6e7bbafa589f11a (diff) | |
| download | vyos-documentation-71968b65b0f53dbf25963b11c640491c973d2896.tar.gz vyos-documentation-71968b65b0f53dbf25963b11c640491c973d2896.zip | |
Proofread files in the /configuration/firewall directory (#1810)
* Initial proofread
* Edit ipv6.rst
* Use cfgcmd command syntax
* Fix line length lint errors
* Implement feedback
Diffstat (limited to 'docs/configuration')
| -rw-r--r-- | docs/configuration/firewall/bridge.rst | 75 | ||||
| -rw-r--r-- | docs/configuration/firewall/flowtables.rst | 125 | ||||
| -rw-r--r-- | docs/configuration/firewall/global-options.rst | 78 | ||||
| -rw-r--r-- | docs/configuration/firewall/groups.rst | 138 | ||||
| -rw-r--r-- | docs/configuration/firewall/index.rst | 221 | ||||
| -rw-r--r-- | docs/configuration/firewall/ipv4.rst | 247 | ||||
| -rw-r--r-- | docs/configuration/firewall/ipv6.rst | 311 | ||||
| -rw-r--r-- | docs/configuration/firewall/zone.rst | 119 |
8 files changed, 670 insertions, 644 deletions
diff --git a/docs/configuration/firewall/bridge.rst b/docs/configuration/firewall/bridge.rst index 9c360d35..d0847801 100644 --- a/docs/configuration/firewall/bridge.rst +++ b/docs/configuration/firewall/bridge.rst @@ -1,4 +1,4 @@ -:lastproofread: 2024-08-05 +:lastproofread: 2026-03-28 .. _firewall-configuration: @@ -10,13 +10,15 @@ Bridge Firewall Configuration Overview ******** -In this section there's useful information on all firewall configuration that -can be done regarding bridges, and appropriate op-mode commands. -Configuration commands covered in this section: +Learn more about bridge firewall configuration +and related op-mode commands. -.. cfgcmd:: set firewall bridge ... +The following commands are covered in this section: -From the main structure defined in :doc:`Firewall Overview</configuration/firewall/index>` +.. cfgcmd:: set firewall bridge <options> + +From the main structure defined in +:doc:`Firewall Overview</configuration/firewall/index>` in this section you can find detailed information only for the next part of the general structure: @@ -35,7 +37,7 @@ of the general structure: - name + custom_name -Traffic which is received by the router on an interface which is member of a +Traffic that is received by the router on an interface that is a member of a bridge is processed on the **Bridge Layer**. Before the bridge decision is made, all packets are analyzed at **Prerouting**. First filters can be applied here, and also rules for ignoring connection tracking system can be configured. @@ -43,15 +45,16 @@ The relevant configuration that acts in **prerouting** is: * ``set firewall bridge prerouting filter ...``. -For traffic that needs to be switched internally by the bridge, base chain is -**forward**, and it's base command for filtering is ``set firewall bridge -forward filter ...``, which happens in stage 4, highlighted with red color. +For traffic that needs to be switched internally by the bridge, the base +chain is **forward**, and its base command for filtering is ``set firewall +bridge forward filter ...``, which happens in stage 4, highlighted with red +color. .. figure:: /_static/images/firewall-bridge-forward.png -For traffic destined to the router itself, or that needs to be routed (assuming -a layer3 bridge is configured), the base chain is **input**, the base command -is ``set firewall bridge input filter ...`` and the path is: +For traffic destined to the router itself or that needs to be routed +(assuming a layer3 bridge is configured), the base chain is **input**, and the +base command is ``set firewall bridge input filter ...`` and the path is: .. figure:: /_static/images/firewall-bridge-input.png @@ -60,15 +63,15 @@ processed by the **IP Layer** firewall: IPv4 or IPv6 ruleset. Check once again the :doc:`general packet flow diagram</configuration/firewall/index>` if needed. -And for traffic that originates from the bridge itself, the base chain is -**output**, base command is ``set firewall bridge output filter ...``, and -the path is: +For traffic that originates from the bridge itself, the base chain is +**output**, and the base command is ``set firewall bridge output filter +...``, and the path is: .. figure:: /_static/images/firewall-bridge-output.png -Custom bridge firewall chains can be created with the command ``set firewall bridge -name <name> ...``. In order to use such custom chain, a rule with action jump, -and the appropriate target should be defined in a base chain. +Custom bridge firewall chains can be created with the command ``set firewall +bridge name <name> ...``. To use such a custom chain, a rule with action jump +and the appropriate target must be defined in a base chain. ************ Bridge Rules @@ -83,8 +86,8 @@ rule will be executed. Actions ======= -If a rule is defined, then an action must be defined for it. This tells the -firewall what to do if all matching criterea in the rule are met. +If a rule is defined, an action must also be defined for it. This tells the +firewall what to do if all matching criteria in the rule are met. In firewall bridge rules, the action can be: @@ -169,7 +172,7 @@ In firewall bridge rules, the action can be: queue-options fanout Also, **default-action** is an action that takes place whenever a packet does -not match any rule in its' chain. For base chains, possible options for +not match any rule in its chain. For base chains, possible options for **default-action** are **accept** or **drop**. .. cfgcmd:: set firewall bridge forward filter default-action @@ -202,8 +205,8 @@ not match any rule in its' chain. For base chains, possible options for Firewall Logs ============= -Logging can be enable for every single firewall rule. If enabled, other -log options can be defined. +You can enable logging for every firewall rule. If enabled, other log options +can be configured. .. cfgcmd:: set firewall bridge forward filter rule <1-999999> log .. cfgcmd:: set firewall bridge input filter rule <1-999999> log @@ -287,7 +290,7 @@ log options can be defined. Firewall Description ==================== -For reference, a description can be defined for every defined custom chain. +You can define a description for reference for every custom chain. .. cfgcmd:: set firewall bridge name <name> description <text> @@ -309,8 +312,8 @@ For reference, a description can be defined for every defined custom chain. Rule Status =========== -When defining a rule, it is enabled by default. In some cases, it is useful to -just disable the rule, rather than removing it. +By default, when you define a rule, it is enabled. In some cases, it is +useful to disable the rule instead of removing it. .. cfgcmd:: set firewall bridge forward filter rule <1-999999> disable .. cfgcmd:: set firewall bridge input filter rule <1-999999> disable @@ -323,11 +326,11 @@ just disable the rule, rather than removing it. Matching criteria ================= -There are a lot of matching criteria against which the packet can be tested. -Please refer to :doc:`IPv4</configuration/firewall/ipv4>` and +There are many matching criteria against which a packet can be tested. Refer +to :doc:`IPv4</configuration/firewall/ipv4>` and :doc:`IPv6</configuration/firewall/ipv6>` matching criteria for more details. -Since bridges operats at layer 2, both matchers for IPv4 and IPv6 are +Since bridges operate at layer 2, both matchers for IPv4 and IPv6 are supported in bridge firewall configuration. Same applies to firewall groups. Same specific matching criteria that can be used in bridge firewall are @@ -434,15 +437,15 @@ are: .. cfgcmd:: set firewall global-options apply-to-bridged-traffic ipv4 - This command enables the IPv4 firewall for bridged traffic. If this - options is used, then packet will also be parsed by rules defined in ``set - firewall ipv4 ...`` + This command enables the IPv4 firewall for bridged traffic. If this option + is used, packets are also parsed by rules defined in ``set firewall ipv4 + ...`` .. cfgcmd:: set firewall global-options apply-to-bridged-traffic ipv6 - This command enables the IPv6 firewall for bridged traffic. If this - options is used, then packet will also be parsed by rules defined in ``set - firewall ipv6 ...`` + This command enables the IPv6 firewall for bridged traffic. If this option + is used, packets are also parsed by rules defined in ``set firewall ipv6 + ...`` *********************** Operation-mode Firewall diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst index 915bf39d..152a4380 100644 --- a/docs/configuration/firewall/flowtables.rst +++ b/docs/configuration/firewall/flowtables.rst @@ -1,4 +1,4 @@ -:lastproofread: 2024-07-02 +:lastproofread: 2026-03-30 .. _firewall-flowtables-configuration: @@ -6,21 +6,18 @@ Flowtables Firewall Configuration ################################# -.. note:: **Documentation under development** +.. include:: /_include/need_improvement.txt ******** Overview ******** -In this section there's useful information on all firewall configuration that -can be done regarding flowtables. +This section provides information on firewall configuration for flowtables. -.. cfgcmd:: set firewall flowtables ... +.. cfgcmd:: set firewall flowtable ... -From the main structure defined in -:doc:`Firewall Overview</configuration/firewall/index>` -in this section you can find detailed information only for the next part -of the general structure: +To learn about the general traffic flow in VyOS firewalls, +see :doc:`Firewall </configuration/firewall/index>`. .. code-block:: none @@ -30,24 +27,23 @@ of the general structure: + ... -Flowtables allow you to define a fastpath through the flowtable datapath. -The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP -and UDP protocols. +Flowtables let you define a fastpath through the flowtable datapath. +Flowtables support layer 3 (IPv4 and IPv6) and layer 4 (TCP and UDP) +protocols. .. figure:: /_static/images/firewall-flowtable-packet-flow.png -Once the first packet of the flow successfully goes through the IP forwarding -path (black circles path), from the second packet on, you might decide to -offload the flow to the flowtable through your ruleset. The flowtable -infrastructure provides a rule action that allows you to specify when to add -a flow to the flowtable (On forward filtering, red circle number 6) +After the first packet successfully traverses the IP forwarding path (black +circles path), you can offload subsequent packets to the flowtable through your +ruleset. You specify when to add a flow to the flowtable during forward +filtering (red circle number 6). -A packet that finds a matching entry in the flowtable (flowtable hit) is -transmitted to the output netdevice, hence, packets bypass the classic IP -forwarding path and uses the **Fast Path** (orange circles path). The visible -effect is that you do not see these packets from any of the Netfilter -hooks coming after ingress. In case that there is no matching entry in the -flowtable (flowtable miss), the packet follows the classic IP forwarding path. +When a packet finds a matching entry in the flowtable (flowtable hit), the +system transmits it to the output netdevice. This means packets bypass the +classic IP forwarding path and use the **Fast Path** (orange circles path). +As a result, you do not see these packets from any Netfilter hooks after +ingress. If no matching entry exists in the flowtable (flowtable miss), the +packet traverses the classic IP forwarding path. .. note:: **Flowtable Reference:** https://docs.kernel.org/networking/nf_flowtable.html @@ -57,64 +53,68 @@ flowtable (flowtable miss), the packet follows the classic IP forwarding path. Flowtable Configuration *********************** -In order to use flowtables, the minimal configuration needed includes: +To use flowtables, you need to configure the following: - * Create flowtable: create flowtable, which includes the interfaces + * Create a flowtable that includes the interfaces that are going to be used by the flowtable. - * Create firewall rule: create a firewall rule, setting action to - ``offload`` and using desired flowtable for ``offload-target``. + * Create a firewall rule. Set the action to + ``offload`` and use your desired flowtable for ``offload-target``. Creating a flow table: .. cfgcmd:: set firewall flowtable <flow_table_name> interface <iface> - Define interfaces to be used in the flowtable. + Specify interfaces to use in the flowtable. .. cfgcmd:: set firewall flowtable <flow_table_name> description <text> -Provide a description to the flow table. +Provide a description for the flow table. .. cfgcmd:: set firewall flowtable <flow_table_name> offload <hardware | software> - Define type of offload to be used by the flowtable: ``hardware`` or - ``software``. By default, ``software`` offload is used. + Specify the offload type the flowtable uses: ``hardware`` or + ``software``. The default is ``software`` offload. -.. note:: **Hardware offload:** should be supported by the NICs used. +.. note:: **Hardware offload**: Make sure your network interface controller + (NIC) supports hardware offloading and that you have the necessary drivers + installed before enabling this option. Creating rules for using flow tables: .. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> action offload - Create firewall rule in forward chain, and set action to ``offload``. + Create a firewall rule in the forward chain with the action set to + ``offload``. .. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> offload-target <flowtable> - Create firewall rule in forward chain, and define which flowtbale - should be used. Only applicable if action is ``offload``. + Create a firewall rule in the forward chain and specify which flowtable + to use. Only applicable if the action is ``offload``. ********************* Configuration Example ********************* -Things to be considered in this setup: +Consider the following in this setup: - * Two interfaces are going to be used in the flowtables: eth0 and eth1 + * This example uses two interfaces in the flowtables: ``eth0`` and ``eth1``. - * Minimum firewall ruleset is provided, which includes some filtering rules, - and appropriate rules for using flowtable offload capabilities. + * The example provides a minimal firewall ruleset with filtering rules + and rules for using flowtable offload capabilities. -As described, the first packet will be evaluated by the firewall path, so a -desired connection should be explicitly accepted. Same thing should be taken -into account for traffic in reverse order. In most cases state policies are -used in order to accept a connection in the reverse path. +The first packet is evaluated by the firewall path, so a +desired connection should be explicitly accepted. +The same should occur for traffic in reverse order. +In most cases, state policies are +used to accept a connection in the reverse path. -We will only accept traffic coming from interface eth0, protocol tcp and -destination port 1122. All other traffic trespassing the router should be -blocked. +In the following example only traffic coming from interface ``eth0``, +TCP protocol, and destination port 1122 is accepted. +All other traffic to the router is dropped. Commands -------- @@ -140,33 +140,32 @@ Commands Explanation ----------- -Analysis on what happens for desired connection: +Here's what happens for a desired connection: - 1. Firstly, a packet is received on eth0, with destination address 192.0.2.100, - protocol tcp and destination port 1122. Assume such destination address is - reachable through interface eth1. + 1. A packet arrives on ``eth0`` with destination address ``192.0.2.100``, TCP + protocol, and destination port 1122. Assume this address is reachable + through interface ``eth1``. - 2. Since this is the first packet, connection status of this connection, - so far is **new**. So neither rule 10 nor 20 are valid. + 2. For this first packet, the connection state is **new**. Neither rule 10 + nor rule 20 applies. - 3. Rule 110 is hit, so connection is accepted. + 3. Rule 110 matches, so the connection is accepted. - 4. Once an answer from server 192.0.2.100 is seen in opposite direction, - connection state will be triggered to **established**, so this reply is - accepted in rule 20. + 4. When the server 192.0.2.100 replies, the connection state becomes + **established**, and rule 20 accepts the reply. - 5. The second packet for this connection is received by the router. Since - connection state is **established**, then rule 10 is hit, and a new entry - in the flowtable FT01 is added for this connection. + 5. The router receives the second packet for this connection. Because the + connection state is **established**, rule 10 matches and adds a new + entry in the flowtable FT01 for this connection. - 6. All the following packets will skip the traditional path, will be - offloaded and use the **Fast Path**. + 6. Subsequent packets skip the traditional path and use the **Fast Path** + for offloading. Checks ------ -It's time to check the conntrack table, to see if any connections were accepted, -and if it was properly offloaded +Check the conntrack table to verify that the system accepted and properly +offloaded connections. .. code-block:: none diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst index 60addbe9..8eec5c3f 100644 --- a/docs/configuration/firewall/global-options.rst +++ b/docs/configuration/firewall/global-options.rst @@ -1,4 +1,4 @@ -:lastproofread: 2024-07-03 +:lastproofread: 2026-03-30 .. _firewall-global-options-configuration: @@ -10,9 +10,9 @@ Global Options Firewall Configuration Overview ******** -Some firewall settings are global and have an affect on the whole system. -In this section there's useful information about these global-options that can -be configured using vyos cli. +Some firewall settings are global and affect the entire system. This section +provides information about these global options that you can configure using +the VyOS CLI. Configuration commands covered in this section: @@ -25,51 +25,50 @@ Configuration .. cfgcmd:: set firewall global-options all-ping [enable | disable] By default, when VyOS receives an ICMP echo request packet destined for - itself, it will answer with an ICMP echo reply, unless you prevent it - through its firewall. + itself, it answers with an ICMP echo reply, unless your firewall prevents + it. - With the firewall you can set rules to accept, drop or reject ICMP in, - out or local traffic. You can also use the general **firewall all-ping** - command. This command affects only to LOCAL (packets destined for your - VyOS system), not to IN or OUT traffic. + You can set firewall rules to accept, drop, or reject ICMP in, out, or + local traffic. You can also use the **firewall global-options all-ping** + command. This command affects only LOCAL traffic (packets destined for your + VyOS system), not IN or OUT traffic. - .. note:: **firewall global-options all-ping** affects only to LOCAL - and it always behaves in the most restrictive way + .. note:: **firewall global-options all-ping** affects only LOCAL traffic + and always behaves in the most restrictive way .. code-block:: none set firewall global-options all-ping enable - When the command above is set, VyOS will answer every ICMP echo request - addressed to itself, but that will only happen if no other rule is - applied dropping or rejecting local echo requests. In case of conflict, - VyOS will not answer ICMP echo requests. + When you set this command, VyOS answers every ICMP echo request addressed + to itself, but that response occurs only if no other rule drops or rejects + local echo requests. In case of conflict, VyOS does not answer ICMP echo + requests. .. code-block:: none set firewall global-options all-ping disable - When the command above is set, VyOS will answer no ICMP echo request - addressed to itself at all, no matter where it comes from or whether - more specific rules are being applied to accept them. + When you set this command, VyOS answers no ICMP echo requests addressed to + itself, regardless of where they come from or what specific rules accept + them. .. cfgcmd:: set firewall global-options apply-to-bridged-traffic [ipv4 | ipv6] - Use these commands to also use IPv4, or IPv6 firewall rules for bridged - traffic + Apply IPv4 or IPv6 firewall rules to bridged traffic. .. cfgcmd:: set firewall global-options broadcast-ping [enable | disable] - This setting enables or disables the response to icmp broadcast - messages. The following system parameter will be altered: + Enable or disable the response to ICMP broadcast messages. The system + alters the following parameter: * ``net.ipv4.icmp_echo_ignore_broadcasts`` .. cfgcmd:: set firewall global-options ip-src-route [enable | disable] .. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable] - This setting handles if VyOS accepts packets with a source route - option. The following system parameters will be altered: + Set whether VyOS accepts packets with a source route option. + The following sysctl parameters will be changed: * ``net.ipv4.conf.all.accept_source_route`` * ``net.ipv6.conf.all.accept_source_route`` @@ -78,23 +77,23 @@ Configuration .. cfgcmd:: set firewall global-options ipv6-receive-redirects [enable | disable] - Enable or disable ICMPv4 or ICMPv6 redirect messages being accepted by - VyOS. The following system parameters will be altered: + Allow VyOS to accept ICMPv4 and ICMPv6 redirect messages. + The following sysctl parameters will be changed: * ``net.ipv4.conf.all.accept_redirects`` * ``net.ipv6.conf.all.accept_redirects`` .. cfgcmd:: set firewall global-options send-redirects [enable | disable] - Enable or disable ICMPv4 redirect messages being sent by VyOS - The following system parameter will be altered: + Allow VyOS to send ICMPv4 redirect messages. + The following sysctl parameter will be changed: * ``net.ipv4.conf.all.send_redirects`` .. cfgcmd:: set firewall global-options log-martians [enable | disable] - Enable or disable the logging of martian IPv4 packets. - The following system parameter will be altered: + Allow VyOS to log martian IPv4 packets. + The following sysctl parameter will be changed: * ``net.ipv4.conf.all.log_martians`` @@ -102,22 +101,22 @@ Configuration [strict | loose | disable] Set the IPv4 source validation mode. - The following system parameter will be altered: + The following sysctl parameter will be changed: * ``net.ipv4.conf.all.rp_filter`` .. cfgcmd:: set firewall global-options syn-cookies [enable | disable] - Enable or disable if VyOS uses IPv4 TCP SYN Cookies. - The following system parameter will be altered: + Allow VyOS to use IPv4 TCP SYN Cookies. + The following sysctl parameter will be changed: * ``net.ipv4.tcp_syncookies`` .. cfgcmd:: set firewall global-options twa-hazards-protection [enable | disable] - Enable or Disable VyOS to be :rfc:`1337` conformant. - The following system parameter will be altered: + Enable or disable VyOS :rfc:`1337` conformance. + The following sysctl parameter will be changed: * ``net.ipv4.tcp_rfc1337`` @@ -151,10 +150,9 @@ Configuration Set the global setting for related connections. -VyOS supports setting timeouts for connections according to the -connection type. You can set timeout values for generic connections, for ICMP -connections, UDP connections, or for TCP connections in a number of different -states. +VyOS supports setting timeouts for connections by connection type. You can +set timeout values for generic connections, ICMP connections, UDP +connections, or TCP connections in various states. .. cfgcmd:: set firewall global-options timeout icmp <1-21474836> :defaultvalue: diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst index b1accca5..9d29866e 100644 --- a/docs/configuration/firewall/groups.rst +++ b/docs/configuration/firewall/groups.rst @@ -1,4 +1,4 @@ -:lastproofread: 2024-07-03 +:lastproofread: 2026-03-30 .. _firewall-groups-configuration: @@ -11,20 +11,20 @@ Configuration ************* Firewall groups represent collections of IP addresses, networks, ports, -mac addresses, domains or interfaces. Once created, a group can be referenced -by firewall, nat and policy route rules as either a source or destination -matcher, and/or as inbound/outbound in the case of interface group. +MAC addresses, domains, or interfaces. You can reference a group in firewall, +NAT, and policy route rules as either a source or destination matcher, and/or +as inbound or outbound in the case of interface groups. Address Groups ============== -In an **address group** a single IP address or IP address range is defined. +An **address group** contains a single IP address or IP address range. .. cfgcmd:: set firewall group address-group <name> address [address | address range] .. cfgcmd:: set firewall group ipv6-address-group <name> address <address> - Define a IPv4 or a IPv6 address group + Define an IPv4 or IPv6 address group. .. code-block:: none @@ -35,30 +35,31 @@ In an **address group** a single IP address or IP address range is defined. .. cfgcmd:: set firewall group address-group <name> description <text> .. cfgcmd:: set firewall group ipv6-address-group <name> description <text> - Provide a IPv4 or IPv6 address group description + Provide an IPv4 or IPv6 address group description. Remote Groups ============== -A **remote-group** takes an argument of a URL hosting a linebreak-deliminated -list of IPv4 and/or IPv6 addresses, CIDRs and ranges. VyOS will pull this list periodicity -according to the frequency defined in the firewall **resolver-interval** and load -matching entries into the group for use in rules. The list will be cached in -persistent storage, so in cases of update failure rules will still function. +A **remote-group** uses a URL that hosts a newline-delimited list of IPv4 +and/or IPv6 addresses, CIDRs, and ranges. VyOS pulls this list periodically +according to the frequency you define in the firewall **resolver-interval** +and loads matching entries into the group for use in rules. The list is cached +in persistent storage, so rules continue to function if updates fail. .. cfgcmd:: set firewall group remote-group <name> url <http(s) url> - Define remote list of IPv4 and/or IPv6 addresses/ranges/CIDRs to fetch + Specify a remote list of IPv4 and/or IPv6 addresses, ranges, and CIDRs + to fetch. .. cfgcmd:: set firewall group remote-group <name> description <text> - Set a description for a remote group + Set a description for a remote group. -The format of the remote list is very flexible. VyOS will attempt to parse the -first word of each line as an entry, and will skip if it cannot find a valid -match. Lines that begin with an alphanumeric character but do not match valid IPv4 -or IPv6 addresses, ranges, or CIDRs will be logged to the system log. Below is a -list of acceptable matches that would be parsed correctly: +The remote list format is flexible. VyOS attempts to parse the first word of +each line as an entry and skips lines it cannot match. Lines that begin with +an alphanumeric character but do not match valid IPv4 or IPv6 addresses, +ranges, or CIDRs are logged to the system log. The following examples show +acceptable formats that VyOS parses correctly: .. code-block:: none @@ -72,15 +73,14 @@ list of acceptable matches that would be parsed correctly: Network Groups ============== -While **network groups** accept IP networks in CIDR notation, specific -IP addresses can be added as a 32-bit prefix. If you foresee the need -to add a mix of addresses and networks, then a network group is -recommended. +**Network groups** accept IP networks in CIDR notation. You can add specific +IP addresses as a 32-bit prefix. If you need to add a mix of addresses and +networks, use a network group. .. cfgcmd:: set firewall group network-group <name> network <CIDR> .. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR> - Define a IPv4 or IPv6 Network group. + Define an IPv4 or IPv6 network group. .. code-block:: none @@ -100,7 +100,9 @@ An **interface group** represents a collection of interfaces. .. cfgcmd:: set firewall group interface-group <name> interface <text> - Define an interface group. Wildcard are accepted too. + Define an interface group. + Wildcard ``*`` is supported. For example: ``eth3*``. + Prepend the character ``!`` to invert the criteria. For example: ``!eth2``. .. code-block:: none @@ -109,22 +111,21 @@ An **interface group** represents a collection of interfaces. .. cfgcmd:: set firewall group interface-group <name> description <text> - Provide an interface group description + Provide an interface group description. Port Groups =========== -A **port group** represents only port numbers, not the protocol. Port -groups can be referenced for either TCP or UDP. It is recommended that -TCP and UDP groups are created separately to avoid accidentally -filtering unnecessary ports. Ranges of ports can be specified by using -`-`. +A **port group** represents only port numbers, not the protocol. You can +reference port groups for either TCP or UDP. Create TCP and UDP groups +separately to avoid accidentally filtering unnecessary ports. Specify port +ranges by using `-`. .. cfgcmd:: set firewall group port-group <name> port [portname | portnumber | startport-endport] Define a port group. A port name can be any name defined in - /etc/services. e.g.: http + /etc/services. For example, ``http``. .. code-block:: none @@ -152,7 +153,7 @@ A **mac group** represents a collection of mac addresses. .. cfgcmd:: set firewall group mac-group <name> description <text> - Provide a mac group description. + Provide a MAC group description. Domain Groups ============= @@ -169,24 +170,21 @@ A **domain group** represents a collection of domains. .. cfgcmd:: set firewall group domain-group <name> description <text> - Provide a domain group description. + Provide a domain group description. Dynamic Groups ============== -Firewall dynamic groups are different from all the groups defined previously -because, not only they can be used as source/destination in firewall rules, -but members of these groups are not defined statically using vyos -configuration. - -Instead, members of these groups are added dynamically using firewall -rules. +Firewall dynamic groups differ from other groups because you can use them as +source/destination in firewall rules, and members are not defined statically +in VyOS configuration. Instead, firewall rules dynamically add members to +these groups. Defining Dynamic Address Groups ------------------------------- -Dynamic address group is supported by both IPv4 and IPv6 families. -Commands used to define dynamic IPv4|IPv6 address groups are: +Dynamic address groups support both IPv4 and IPv6 families. Use these +commands to define dynamic IPv4 and IPv6 address groups: .. cfgcmd:: set firewall group dynamic-group address-group <name> .. cfgcmd:: set firewall group dynamic-group ipv6-address-group <name> @@ -201,8 +199,8 @@ Add description to firewall groups: Adding elements to Dynamic Firewall Groups ------------------------------------------ -Once dynamic firewall groups are defined, they should be used in firewall -rules in order to dynamically add elements to it. +After you define dynamic firewall groups, use them in firewall rules to +dynamically add elements to them. Commands used for this task are: @@ -228,11 +226,11 @@ Commands used for this task are: .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> add-address-to-group source-address address-group <name> -Also, specific timeouts can be defined per rule. In case rule gets a hit, -a source or destinatination address will be added to the group, and this -element will remain in the group until the timeout expires. If no timeout -is defined, then the element will remain in the group until next reboot, -or until a new commit that changes firewall configuration is done. +You can define specific timeouts per rule. When a rule matches, the source or +destination address is added to the group, and the element remains in the group +until the timeout expires. If you do not define a timeout, the element remains +in the group until the next reboot or until you commit firewall configuration +changes. .. cfgcmd:: set firewall ipv4 [forward | input | output] filter rule <1-999999> add-address-to-group [destination-address | source-address] @@ -259,7 +257,7 @@ Timeout can be defined using seconds, minutes, hours or days: Using Dynamic Firewall Groups ----------------------------- -As any other firewall group, dynamic firewall groups can be used in firewall +Like other firewall groups, you can use dynamic firewall groups in firewall rules as matching options. For example: .. code-block:: none @@ -274,10 +272,9 @@ Examples General example =============== -As said before, once firewall groups are created, they can be referenced -either in firewall, nat, nat66 and/or policy-route rules. - -Here is an example were multiple groups are created: +After you create firewall groups, you can reference them in firewall, NAT, +NAT66, and/or policy-route rules. The following example creates multiple +groups: .. code-block:: none @@ -314,10 +311,9 @@ And next, some configuration example where groups are used: Port knocking example ===================== -Using dynamic firewall groups, we can secure access to the router, or any other -device if needed, by using the technique of port knocking. - -A 4 step port knocking example is shown next: +You can use dynamic firewall groups with port knocking to secure access to +the router or any other device. The following example shows a 4-step port +knocking configuration: .. code-block:: none @@ -371,11 +367,10 @@ Before testing, we can check the members of firewall groups: [edit] vyos@vyos# -With this configuration, in order to get ssh access to the router, the user -needs to: +With this configuration, to gain SSH access to the router, the user must: -1. Generate a new TCP connection with destination port 9990. As shown next, -a new entry was added to dynamic firewall group **PN_01** +1. Create a new TCP connection to destination port 9990. A new entry is added + to dynamic firewall group ``PN_01``. .. code-block:: none @@ -390,8 +385,8 @@ a new entry was added to dynamic firewall group **PN_01** [edit] vyos@vyos# -2. Generate a new TCP connection with destination port 9991. As shown next, -a new entry was added to dynamic firewall group **PN_02** +2. Create a new TCP connection to destination port 9991. A new entry is added + to dynamic firewall group ``PN_02``. .. code-block:: none @@ -406,8 +401,8 @@ a new entry was added to dynamic firewall group **PN_02** [edit] vyos@vyos# -3. Generate a new TCP connection with destination port 9992. As shown next, -a new entry was added to dynamic firewall group **ALLOWED** +3. Create a new TCP connection to destination port 9992. A new entry is added + to dynamic firewall group ``ALLOWED``. .. code-block:: none @@ -422,7 +417,8 @@ a new entry was added to dynamic firewall group **ALLOWED** [edit] vyos@vyos# -4. Now the user can connect through ssh to the router (assuming ssh is configured). +4. Now you can connect via SSH to the router (assuming SSH is + configured). ************** Operation-mode @@ -431,9 +427,9 @@ Operation-mode .. opcmd:: show firewall group .. opcmd:: show firewall group <name> - Overview of defined groups. You see the firewall group name, type, - references (where the group is used), members, timeout and expiration (last - two only present in dynamic firewall groups). + Display an overview of defined groups, including the firewall group name, + type, references (where the group is used), members, timeout, and + expiration (the last two only apply to dynamic firewall groups). Here is an example of such command: diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 79d59563..dc5af26f 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -1,131 +1,122 @@ -:lastproofread: 2024-08-05 +:lastproofread: 2026-03-30 ######## Firewall ######## -.. TODO:: Convert raw command blocks in this file to cfgcmd/opcmd - directives for command coverage tracking. +.. warning:: Due to a boot-time race condition, all interfaces initialize + before the firewall. This temporarily leaves the system open to all traffic + and poses a security risk. -.. warning:: Due to a race condition that can lead to a failure during boot - process, all interfaces are initialized before firewall is configured. This - leads to a situation where the system is open to all traffic, and can be - considered as a security risk. +VyOS uses Netfilter. The Netfilter +project developed ``iptables`` and its successor ``nftables`` for the Linux +kernel to process packet data flows directly. This extends the concept of +zone-based security to let you manipulate data at multiple stages after the +network interface and driver accept it, and before sending it to its +destination (for example, a web server or another device). -As VyOS is based on Linux it leverages its firewall. The Netfilter project -created iptables and its successor nftables for the Linux kernel to -work directly on packet data flows. This now extends the concept of -zone-based security to allow for manipulating the data at multiple stages once -accepted by the network interface and the driver before being handed off to -the destination (e.g., a web server OR another device). - -A simplified traffic flow diagram, based on Netfilter packet flow, is shown -next, in order to have a full view and understanding of how packets are -processed, and what possible paths traffic can take. +The following is a simplified traffic flow diagram based on Netfilter +packet flow. +This diagram provides an overview of how packets are processed and the +possible paths traffic can take. .. figure:: /_static/images/firewall-gral-packet-flow.png -The main points regarding this packet flow and terminology used in VyOS -firewall are covered below: +The main points regarding packet flow and terminology in VyOS firewall +are: - * **Bridge Port?**: choose appropriate path based on whether interface - where the packet was received is part of a bridge, or not. + * **Bridge Port?**: Choose the appropriate path based on whether the + interface where the packet was received is part of a bridge. -If the interface where the packet was received isn't part of a bridge, then +If the interface where the packet was received is not part of a bridge, the packet is processed at the **IP Layer**: - * **Prerouting**: All packets that are received by the router - are processed in this stage, regardless of the destination of the packet. - Starting from vyos-1.5-rolling-202406120020, a new section was added to - the firewall configuration. There are several actions that can be done in - this stage, and currently these actions are also defined in different - parts of the VyOS configuration. Order is important, and the relevant - configuration that acts in this stage are: + * **Prerouting**: The router processes all packets in this stage, + regardless of the destination. You can perform several actions in + this stage, and these actions are also defined in different parts of the + VyOS configuration. Order is important. The relevant configuration that + applies in this stage includes: - * **Firewall prerouting**: rules defined under ``set firewall [ipv4 | - ipv6] prerouting raw...``. All rules defined in this section are - processed before connection tracking subsystem. + * **Firewall prerouting**: Rules you define under ``set firewall + [ipv4 | ipv6] prerouting raw...``. The system processes all rules in + this section before the connection tracking subsystem. - * **Conntrack Ignore**: rules defined under ``set system conntrack ignore - [ipv4 | ipv6] ...``. Starting from vyos-1.5-rolling-202406120020, - configuration done in this section can be done in ``firewall [ipv4 | - ipv6] prerouting ...``. For compatibility reasons, this feature is - still present, but it will be removed in the future. + * **Conntrack Ignore**: Rules you define under ``set system conntrack + ignore [ipv4 | ipv6] ...``. You can configure this section with + ``firewall [ipv4 | ipv6] prerouting ...``. For compatibility reasons, + this feature is supported, but will be deprecated in the future. - * **Policy Route**: rules defined under ``set policy [route | route6] - ...``. + * **Policy Route**: Rules you define under ``set policy [route | + route6] ...``. - * **Destination NAT**: rules defined under ``set [nat | nat66] + * **Destination NAT**: Rules you define under ``set [nat | nat66] destination...``. - * **Destination is the router?**: choose an appropriate path based on - destination IP address. Transit forward continues to **forward**, - while traffic where the destination IP address is configured on the router - continues to **input**. + * **Destination is the router?**: Choose the appropriate path based on the + destination IP address. Transit traffic continues to **forward**, while + traffic destined for the router continues to **input**. - * **Input**: stage where traffic destined for the router itself can be - filtered and controlled. This is where all rules for securing the router - should take place. This includes ipv4 and ipv6 filtering rules, defined - in: + * **Input**: The stage where you filter and control traffic destined for + the router itself. This is where you enforce all rules for securing the + router. This includes IPv4 and IPv6 filtering rules, defined in: * ``set firewall ipv4 input filter ...``. * ``set firewall ipv6 input filter ...``. - * **Forward**: stage where transit traffic can be filtered and controlled. - This includes ipv4 and ipv6 filtering rules, defined in: + * **Forward**: The stage where you filter and control transit traffic. + This includes IPv4 and IPv6 filtering rules, defined in: * ``set firewall ipv4 forward filter ...``. * ``set firewall ipv6 forward filter ...``. - * **Output**: stage where traffic that originates from the router itself - can be filtered and controlled. Bear in mind that this traffic can be a - new connection originated by a internal process running on the VyOS router - such as NTP, or a response to traffic received externally through - **input** (for example response to an ssh login attempt to the router). - This includes ipv4 and ipv6 rules, and two different sections are present: + * **Output**: The stage where you filter and control traffic that the + router originates. Note that this traffic comes from either a new + connection that an internal process on the VyOS router (such as NTP) + originates or a response to traffic the router receives externally through + **input** (for example, a response to an SSH login attempt). This includes + IPv4 and IPv6 rules, and two different sections apply: - * **Output Prerouting**: ``set firewall [ipv4 | ipv6] output filter ...``. - As described in **Prerouting**, rules defined in this section are - processed before connection tracking subsystem. + * **Output Prerouting**: ``set firewall [ipv4 | ipv6] output + filter ...``. As described in **Prerouting**, the system processes + rules in this section before the connection tracking subsystem. * **Output Filter**: ``set firewall [ipv4 | ipv6] output filter ...``. - * **Postrouting**: as in **Prerouting**, several actions defined in - different parts of VyOS configuration are performed in this - stage. This includes: + * **Postrouting**: As in **Prerouting**, you can perform several actions + defined in different parts of VyOS configuration in this stage. This + includes: - * **Source NAT**: rules defined under ``set [nat | nat66] + * **Source NAT**: Rules you define under ``set [nat | nat66] destination...``. -If the interface where the packet was received is part of a bridge, then -the packet is processed at the **Bridge Layer**: +If the interface where the packet was received is part of a bridge, the +packet is processed at the **Bridge Layer**: - * **Prerouting (Bridge)**: all packets that are received by the bridge are - processed in this stage, regardless of the destination of the packet. - First filters can be applied here, and/or also configure rules for - ignoring connection tracking system. The relevant configuration that - acts in: + * **Prerouting (Bridge)**: The bridge processes all packets it receives in + this stage, regardless of the destination. First, you can apply filters + here, or you can configure rules that ignore the connection tracking + system. The relevant configuration that applies: * ``set firewall bridge prerouting filter ...``. - * **Forward (Bridge)**: stage where traffic that is trespassing through the - bridge is filtered and controlled: + * **Forward (Bridge)**: The stage where you filter and control traffic + that passes through the bridge: * ``set firewall bridge forward filter ...``. - * **Input (Bridge)**: stage where traffic destined for the bridge itself can - be filtered and controlled: + * **Input (Bridge)**: The stage where you filter and control traffic + destined for the bridge itself: * ``set firewall bridge input filter ...``. - * **Output (Bridge)**: stage where traffic that originates from the bridge - itself can be filtered and controlled: + * **Output (Bridge)**: The stage where you filter and control traffic that + the bridge originates: * ``set firewall bridge output filter ...``. -The main structure of the VyOS firewall CLI is shown next: +The following is the overall structure of the VyOS firewall CLI: .. code-block:: none @@ -185,8 +176,53 @@ The main structure of the VyOS firewall CLI is shown next: - custom_zone_name + ... -Please, refer to appropriate section for more information about firewall -configuration: +Here is a list of VyOS firewall CLI subcommands and their +corresponding pages in the documentation: + +.. cfgcmd:: set firewall bridge ... + + Configure bridge firewall rules for traffic at the bridge layer. For detailed + information, see + :doc:`Bridge Firewall Configuration</configuration/firewall/bridge>`. + +.. cfgcmd:: set firewall flowtable ... + + Configure firewall flowtables for stateful connection tracking and rules. + For detailed information, see + :doc:`Flowtables Firewall Configuration </configuration/firewall/flowtables>` + . + +.. cfgcmd:: set firewall global-options ... + + Configure global firewall options such as ``all-ping``, ``broadcast-ping``, + ``syn-cookies``, and other system-wide firewall settings. For detailed + information, see + :doc:`Global Firewall Options</configuration/firewall/global-options>`. + +.. cfgcmd:: set firewall group ... + + Organize firewall rules by creating reusable address, network, interface, + MAC, port, and domain groups. Use groups in multiple rules to simplify + configuration and maintenance. For detailed information, see + :doc:`Firewall Groups</configuration/firewall/groups>`. + +.. cfgcmd:: set firewall ipv4 ... + + Configure IPv4-specific firewall rules. For detailed information, see + :doc:`IPv4 Firewall Configuration</configuration/firewall/ipv4>`. + +.. cfgcmd:: set firewall ipv6 ... + + Configure IPv6-specific firewall rules. For detailed information, see + :doc:`IPv6 Firewall Configuration</configuration/firewall/ipv6>`. + +.. cfgcmd:: set firewall zone ... + + Configure zone-based firewall policies for controlling traffic between + different network zones. For detailed information, see + :doc:`Zone-Based Firewall Configuration</configuration/firewall/zone>`. + +For more information on firewall configuration, see the following pages: .. toctree:: :maxdepth: 1 @@ -199,31 +235,32 @@ configuration: ipv6 flowtables -.. note:: **For more information** - of Netfilter hooks and Linux networking packet flows can be - found in `Netfilter-Hooks +.. note:: + For more information on Netfilter hooks and Linux networking packet flows, + see the `Netfilter-Hooks <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_ + documentation. -Zone-based firewall +Zone-Based firewall ^^^^^^^^^^^^^^^^^^^ + .. toctree:: :maxdepth: 1 :includehidden: zone -With zone-based firewalls a new concept was implemented, in addition to the -standard in and out traffic flows, a local flow was added. This local flow was -for traffic originating and destined to the router itself. Which means that -additional rules were required to secure the firewall itself from the network, -in addition to the existing inbound and outbound rules from the traditional -concept above. +With zone-based firewalls, a new concept applies. In addition to the standard +in and out traffic flows, a local flow enables traffic originating from and +destined to the router itself. This means you must configure additional rules to +secure the firewall from the network, in addition to the existing inbound and +outbound rules. -To configure VyOS with the -:doc:`zone-based firewall configuration </configuration/firewall/zone>` +To configure VyOS with zone-based firewall, see +:doc:`Zone-Based Firewall Configuration </configuration/firewall/zone>`. -As the example image below shows, the device now needs rules to allow/block +As the following example image shows, you must configure rules to allow or block traffic to or from the services running on the device that have open connections on that interface. diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst index a9435fa8..0bac7e92 100644 --- a/docs/configuration/firewall/ipv4.rst +++ b/docs/configuration/firewall/ipv4.rst @@ -1,4 +1,4 @@ -:lastproofread: 2025-02-14 +:lastproofread: 2026-03-30 .. _firewall-ipv4-configuration: @@ -10,16 +10,14 @@ IPv4 Firewall Configuration Overview ******** -In this section there's useful information on all firewall configuration that -can be done regarding IPv4, and appropriate op-mode commands. -Configuration commands covered in this section: +This section provides information on IPv4 firewall configuration and +appropriate operation-mode commands. This section covers the following +configuration commands: .. cfgcmd:: set firewall ipv4 ... -From the main structure defined in -:doc:`Firewall Overview</configuration/firewall/index>` -in this section you can find detailed information only for the next part -of the general structure: +To learn about the general traffic flow in VyOS firewalls, +see :doc:`Firewall </configuration/firewall/index>`. .. code-block:: none @@ -37,8 +35,8 @@ of the general structure: - name + custom_name -First, all traffic is received by the router, and it is processed in the -**prerouting** section. +First, the router receives all traffic and processes it in the **prerouting** +stage. This stage includes: @@ -52,79 +50,78 @@ This stage includes: ``set nat destination ...`` For transit traffic, which is received by the router and forwarded, the base -chain is **forward**. A simplified packet flow diagram for transit traffic is -shown next: +chain is **forward**. The following is a simplified packet flow diagram for +transit traffic: .. figure:: /_static/images/firewall-fwd-packet-flow.png -The base firewall chain to configure filtering rules for transit traffic -is ``set firewall ipv4 forward filter ...``, which happens in stage 5, -highlighted in the color red. +The base firewall chain for configuring filtering rules for transit traffic is +``set firewall ipv4 forward filter ...``, which occurs in stage 5, highlighted +in red. -For traffic towards the router itself, the base chain is **input**, while -traffic originated by the router has the base chain **output**. -A new simplified packet flow diagram is shown next, which shows the path -for traffic destined to the router itself, and traffic generated by the -router (starting from circle number 6): +For traffic to the router itself, the base chain is **input**. For traffic +the router originates, the base chain is **output**. A simplified packet flow +diagram is shown next, which shows the path for traffic destined to the router +itself and traffic the router generates (starting from circle number 6): .. figure:: /_static/images/firewall-input-packet-flow.png -The base chain for traffic towards the router is ``set firewall ipv4 input -filter ...`` +The base chain for traffic towards the router is +``set firewall ipv4 input filter ...`` -And the base chain for traffic generated by the router is ``set firewall ipv4 +The base chain for traffic the router generates is ``set firewall ipv4 output ...``, where two sub-chains are available: **filter** and **raw**: -* **Output Prerouting**: ``set firewall ipv4 output raw ...``. - As described in **Prerouting**, rules defined in this section are - processed before connection tracking subsystem. -* **Output Filter**: ``set firewall ipv4 output filter ...``. Rules defined - in this section are processed after connection tracking subsystem. +* **Output Prerouting**: ``set firewall ipv4 output raw ...``. As described + in **Prerouting**, the system processes rules in this section before the + connection tracking subsystem. +* **Output Filter**: ``set firewall ipv4 output filter ...``. The system + processes rules in this section after the connection tracking subsystem. .. note:: **Important note about default-actions:** - If a default action for any base chain is not defined, then the default - action is set to **accept** for that chain. For custom chains, if the - default action is not defined, then the default-action is set to **drop** + If you do not define a default action for a base chain, the system sets + the default action to **accept** for that chain. For custom chains, if you + do not define a default action, the system sets the default-action to + **drop**. -Custom firewall chains can be created, with commands -``set firewall ipv4 name <name> ...``. In order to use -such custom chain, a rule with **action jump**, and the appropriate **target** -should be defined in a base chain. +You can create custom firewall chains using the following commands: +``set firewall ipv4 name <name> ...``. To use a custom chain, you must define +a rule with the **action jump** and the appropriate **target** in a base +chain. ********************* Firewall - IPv4 Rules ********************* -For firewall filtering, firewall rules need to be created. Each rule is -numbered, has an action to apply if the rule is matched, and the ability -to specify multiple matching criteria. Data packets go through the rules -from 1 - 999999, so order is crucial. At the first match the action of the -rule will be executed. +Each firewall rule has a +number, an action to apply if the rule matches, and the ability to specify +multiple matching criteria. Packets traverse rules numbered 1-999999, so order +is crucial. The system executes the rule action at the first match. Actions ======= -If a rule is defined, then an action must be defined for it. This tells the -firewall what to do if all of the criteria defined for that rule match. +If you define a rule, you must define an action for it. The action tells the +firewall what to do if all the criteria you define for that rule are met. -The action can be : +The action can be: - * ``accept``: accept the packet. + * ``accept``: Accept the packet. - * ``continue``: continue parsing next rule. + * ``continue``: Continue parsing the next rule. - * ``drop``: drop the packet. + * ``drop``: Drop the packet. - * ``reject``: reject the packet. + * ``reject``: Reject the packet. - * ``jump``: jump to another custom chain. + * ``jump``: Jump to another custom chain. * ``return``: Return from the current chain and continue at the next rule of the last chain. * ``queue``: Enqueue packet to userspace. - * ``synproxy``: synproxy the packet. + * ``synproxy``: Synproxy the packet. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> action [accept | continue | drop | jump | queue | reject | return | synproxy] @@ -135,8 +132,8 @@ The action can be : .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action [accept | continue | drop | jump | queue | reject | return] - This required setting defines the action of the current rule. If the action - is set to jump, then a jump-target is also needed. + This required setting defines the action of the current rule. If you set + the action to jump, you must also specify a jump-target. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> jump-target <text> @@ -147,8 +144,8 @@ The action can be : .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> jump-target <text> - To be used only when action is set to ``jump``. Use this command to specify - the jump target. + Use this command only when the action is set to ``jump``. Specify the + jump target. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> queue <0-65535> @@ -159,8 +156,8 @@ The action can be : .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> queue <0-65535> - To be used only when action is set to ``queue``. Use this command to specify - the queue target to use. Queue range is also supported. + Use this command only when the action is set to ``queue``. Specify the + queue target to use. Queue range is also supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> queue-options bypass @@ -171,8 +168,8 @@ The action can be : .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> queue-options bypass - To be used only when action is set to ``queue``. Use this command to let the - packet go through firewall when no userspace software is connected to the + Use this command only when the action is set to ``queue``. Allow the packet + to pass through the firewall when no userspace software is connected to the queue. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> @@ -184,11 +181,11 @@ The action can be : .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> queue-options fanout - To be used only when action is set to ``queue``. Use this command to - distribute packets between several queues. + Use this command only when the action is set to ``queue``. Distribute + packets between several queues. -Also, **default-action** is an action that takes place whenever a packet does -not match any rule in its chain. For base chains, possible options for +Also, **default-action** is an action that applies when a packet does not +match any rule in its chain. For base chains, possible options for **default-action** are **accept** or **drop**. .. cfgcmd:: set firewall ipv4 forward filter default-action @@ -200,43 +197,44 @@ not match any rule in its chain. For base chains, possible options for .. cfgcmd:: set firewall ipv4 name <name> default-action [accept | drop | jump | queue | reject | return] - This sets the default action of the rule-set if a packet does not match the - criteria of any rule. If default-action is set to ``jump``, then - ``default-jump-target`` is also needed. Note that for base chains, the - default action can only be set to ``accept`` or ``drop``, while on custom - chains, more actions are available. + This command sets the default action of the rule-set if a packet does not + match the criteria of any rule. If you set the default-action to ``jump``, + you must also specify ``default-jump-target``. Note that for base chains, + you can set the default action only to ``accept`` or ``drop``, while on + custom chains, more actions are available. .. cfgcmd:: set firewall ipv4 name <name> default-jump-target <text> - To be used only when ``default-action`` is set to ``jump``. Use this - command to specify the jump target for the default rule. + Use this command only when you set ``default-action`` to ``jump``. Specify + the jump target for the default rule. .. note:: **Important note about default-actions:** - If the default action for any base chain is not defined, then the default - action is set to **accept** for that chain. For custom chains if a default - action is not defined then the default-action is set to **drop**. + If you do not define a default action for a base chain, the system sets + the default action to **accept** for that chain. For custom chains, if you + do not define a default action, the system sets the default-action to + **drop**. Firewall Logs ============= -Logging can be enabled for every single firewall rule. If enabled, other -log options can be defined. +You can enable logging for every single firewall rule. If you enable logging, +you can define other log options. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> log .. cfgcmd:: set firewall ipv4 output filter rule <1-999999> log .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log - Enable logging for the matched packet. If this configuration command is not - present, then the log is not enabled. + Enable logging for the matched packet. If this command is not present, then + logging is not enabled. .. cfgcmd:: set firewall ipv4 forward filter default-log .. cfgcmd:: set firewall ipv4 input filter default-log .. cfgcmd:: set firewall ipv4 output filter default-log .. cfgcmd:: set firewall ipv4 name <name> default-log - Use this command to enable the logging of the default action on - the specified chain. + Use this command to enable logging of the default action on the specified + chain. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log-options level [emerg | alert | crit | err | warn | notice @@ -251,7 +249,7 @@ log options can be defined. log-options level [emerg | alert | crit | err | warn | notice | info | debug] - Define log-level. Only applicable if rule log is enabled. + Define the log level. Only applicable if you enable rule logging. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log-options group <0-65535> @@ -262,8 +260,8 @@ log options can be defined. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log-options group <0-65535> - Define the log group to send messages to. Only applicable if rule log is - enabled. + Define the log group to send messages to. Only applicable if you enable rule + logging. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log-options snapshot-length <0-9000> @@ -275,7 +273,7 @@ log options can be defined. log-options snapshot-length <0-9000> Define the length of packet payload to include in a netlink message. Only - applicable if rule log is enabled and log group is defined. + applicable if you enable rule logging and define the log group. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log-options queue-threshold <0-65535> @@ -287,17 +285,18 @@ log options can be defined. log-options queue-threshold <0-65535> Define the number of packets to queue inside the kernel before sending them - to userspace. Only applicable if rule log is enabled and log group is defined. + to userspace. Only applicable if you enable rule logging and define the log + group. Firewall Description ==================== -For reference, a description can be defined for every single rule, and for -every defined custom chain. +You can add a description for reference for every single rule and for every +defined custom chain. .. cfgcmd:: set firewall ipv4 name <name> description <text> - Provide a rule-set description to a custom firewall chain. + Provide a rule-set description for a custom firewall chain. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> description <text> @@ -312,15 +311,15 @@ every defined custom chain. Rule Status =========== -When defining a rule, it is enabled by default. In some cases, it is useful to -just disable the rule, rather than removing it. +When you define a rule, it is enabled by default. In some cases, it is useful +to disable the rule rather than removing it. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> disable .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> disable .. cfgcmd:: set firewall ipv4 output filter rule <1-999999> disable .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> disable - Command for disabling a rule but keep it in the configuration. + Command for disabling a rule but keeping it in the configuration. Matching criteria ================= @@ -727,9 +726,9 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> inbound-interface name <iface> - Match based on inbound interface. Wildcard ``*`` can be used. - For example: ``eth2*``. Prepending the character ``!`` to invert the - criteria to match is also supported. For example ``!eth2`` + Match based on inbound interface. Wildcard ``*`` is supported. For example: + ``eth2*``. Prepend the character ``!`` to invert the criteria. For example: + ``!eth2`` .. note:: If an interface is attached to a non-default vrf, when using **inbound-interface**, the vrf name must be used. For example ``set firewall @@ -742,8 +741,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> inbound-interface group <iface_group> - Match based on the inbound interface group. Prepending the character ``!`` - to invert the criteria to match is also supported. For example ``!IFACE_GROUP`` + Match based on the inbound interface group. Prepend the character ``!`` to + invert the criteria. For example, ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> outbound-interface name <iface> @@ -752,9 +751,9 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> outbound-interface name <iface> - Match based on outbound interface. Wildcard ``*`` can be used. - For example: ``eth2*``. Prepending the character ``!`` to invert the - criteria to match is also supported. For example ``!eth2`` + Match based on outbound interface. Wildcard ``*`` is supported. For example: + ``eth2*``. Prepend the character ``!`` to invert the criteria. For example: + ``!eth2`` .. note:: If an interface is attached to a non-default vrf, when using **outbound-interface**, the real interface name must be used. For example @@ -767,8 +766,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> outbound-interface group <iface_group> - Match based on outbound interface group. Prepending the character ``!`` to - invert the criteria to match is also supported. For example ``!IFACE_GROUP`` + Match based on outbound interface group. Prepend the character ``!`` to + invert the criteria. For example: ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out] @@ -801,8 +800,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> limit rate <text> - Match based on the maximum average rate, specified as **integer/unit**. - For example **5/minutes** + Specify the maximum average rate as **integer/unit**. For example: + **5/minutes** .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> packet-length <text> @@ -822,8 +821,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> packet-length-exclude <text> - Match based on the packet length. Multiple values from 1 to 65535 - and ranges are supported. + Match based on packet length. Specify multiple values from 1 to 65535 and + ranges. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> packet-type [broadcast | host | multicast | other] @@ -846,13 +845,13 @@ geoip) to keep database and rules updated. protocol [<text> | <0-255> | all | tcp_udp] Match based on protocol number or name as defined in ``/etc/protocols``. - Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp - based packets. The ``!`` negates the selected protocol. + Special names are ``all`` for all protocols and ``tcp_udp`` for TCP and UDP + based packets. The ``!`` character negates the selected protocol. .. code-block:: none - set firewall ipv4 forward fitler rule 10 protocol tcp_udp - set firewall ipv4 forward fitler rule 11 protocol !tcp_udp + set firewall ipv4 forward filter rule 10 protocol tcp_udp + set firewall ipv4 forward filter rule 11 protocol !tcp_udp .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> recent count <1-255> @@ -883,9 +882,9 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> tcp flags [not] <text> - Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, - ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for - inverted selection use ``not``, as shown in the example. + Specify TCP flags. Allowed values are ``ack``, ``cwr``, ``ecn``, ``fin``, + ``psh``, ``rst``, ``syn``, and ``urg``. Specify multiple values, and use + ``not`` for inverted selection, as shown in the example. .. code-block:: none @@ -956,8 +955,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> ttl <eq | gt | lt> <0-255> - Match the time to live parameter, where 'eq' stands for 'equal'; 'gt' stands - for 'greater than', and 'lt' stands for 'less than'. + Match the time to live parameter, where 'eq' means 'equal', 'gt' means + 'greater than', and 'lt' means 'less than'. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> recent count <1-255> @@ -977,14 +976,14 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> recent time <second | minute | hour> - Match when 'count' amount of connections are seen within 'time'. These - matching criteria can be used to block brute-force attempts. + Match when 'count' amount of connections appear within 'time'. Use these + matching criteria to block brute-force attempts. Packet Modifications ==================== Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify -packets before they are sent out. This feaure provides more flexibility in +packets before sending them out. This feature provides more flexibility in packet handling. .. cfgcmd:: set firewall ipv4 prerouting raw rule <1-999999> @@ -1053,9 +1052,9 @@ Example synproxy ================ Requirements to enable synproxy: - * Traffic must be symmetric - * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled - * Disable conntrack loose track option + * Traffic must be symmetric. + * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled. + * Disable conntrack loose track option. .. code-block:: none @@ -1085,8 +1084,8 @@ Rule-set overview .. opcmd:: show firewall - This will show you a basic firewall overview, for all rule-sets, and not - only for ipv4 + This will show you a basic firewall overview, for all rule-sets, not + only for IPv4. .. code-block:: none @@ -1140,7 +1139,7 @@ Rule-set overview .. opcmd:: show firewall summary - This will show you a summary of rule-sets and groups + This shows you a summary of rule-sets and groups. .. code-block:: none @@ -1215,7 +1214,7 @@ Rule-set overview filter rule <1-999999> .. opcmd:: show firewall ipv4 name <name> rule <1-999999> - This command will give an overview of a rule in a single rule-set, plus + This command gives an overview of a rule in a single rule-set, plus information for default action. .. code-block:: none @@ -1249,9 +1248,9 @@ Show Firewall log .. opcmd:: show log firewall ipv4 [forward | input | output] filter rule <rule> .. opcmd:: show log firewall ipv4 name <name> rule <rule> - Show the logs of all firewall; show all ipv4 firewall logs; show all logs + Show the logs of all firewall; show all IPv4 firewall logs; show all logs for particular hook; show all logs for particular hook and priority; - show all logs for particular custom chain; show logs for specific Rule-Set. + show all logs for particular custom chain; show logs for specific rule-set. Example Partial Config ====================== @@ -1303,4 +1302,4 @@ Update geoip database .. opcmd:: update geoip - Command used to update GeoIP database and firewall sets. + Command to update GeoIP database and firewall sets. diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst index 95502f4a..b1249e3d 100644 --- a/docs/configuration/firewall/ipv6.rst +++ b/docs/configuration/firewall/ipv6.rst @@ -1,4 +1,4 @@ -:lastproofread: 2025-02-14 +:lastproofread: 2026-04-01 .. _firewall-ipv6-configuration: @@ -10,16 +10,15 @@ IPv6 Firewall Configuration Overview ******** -In this section there's useful information on all firewall configuration that -can be done regarding IPv6, and appropriate op-mode commands. -Configuration commands covered in this section: +This section covers useful information about IPv6 firewall configuration and +appropriate operation-mode commands. + +This section describes the following configuration commands: .. cfgcmd:: set firewall ipv6 ... -From the main structure defined in -:doc:`Firewall Overview</configuration/firewall/index>` -in this section you can find detailed information only for the next part -of the general structure: +To learn about the general traffic flow in VyOS firewalls, +see :doc:`Firewall </configuration/firewall/index>`. .. code-block:: none @@ -37,8 +36,8 @@ of the general structure: - name + custom_name -First, all traffic is received by the router, and it is processed in the -**prerouting** section. +The router first receives all traffic and processes it in the **prerouting** +section. This stage includes: @@ -51,61 +50,59 @@ This stage includes: * :doc:`Destination NAT</configuration/nat/nat44>`: commands found under ``set nat66 destination ...`` -For transit traffic, which is received by the router and forwarded, the base -chain is **forward**. A simplified packet flow diagram for transit traffic is -shown next: +For transit traffic that the router receives and forwards, the base chain is +**forward**. The following diagram shows a simplified packet flow for transit +traffic: .. figure:: /_static/images/firewall-fwd-packet-flow.png -The base firewall chain to configure filtering rules for transit traffic -is ``set firewall ipv6 forward filter ...``, which happens in stage 5, -highlighted in the color red. +Use ``set firewall ipv6 forward filter ...`` to configure filtering rules for +transit traffic. This command corresponds to stage 5 and is highlighted in red +in the diagram. -For traffic towards the router itself, the base chain is **input**, while -traffic originated by the router has the base chain **output**. -A new simplified packet flow diagram is shown next, which shows the path -for traffic destined to the router itself, and traffic generated by the +For traffic destined to the router, use the **input** chain. For traffic the +router generates, use the **output** chain. The following diagram shows the +packet flow for traffic destined to the router and traffic generated by the router (starting from circle number 6): .. figure:: /_static/images/firewall-input-packet-flow.png -The base chain for traffic towards the router is ``set firewall ipv6 input -filter ...`` +Use ``set firewall ipv6 input filter ...`` to configure traffic destined to +the router. -And the base chain for traffic generated by the router is ``set firewall ipv6 -output ...``, where two sub-chains are available: **filter** and **raw**: +Use ``set firewall ipv6 output ...`` to configure traffic the router generates. +Two sub-chains are available: **filter** and **raw**: * **Output Prerouting**: ``set firewall ipv6 output raw ...``. - As described in **Prerouting**, rules defined in this section are - processed before connection tracking subsystem. -* **Output Filter**: ``set firewall ipv6 output filter ...``. Rules defined - in this section are processed after connection tracking subsystem. + As described in **Prerouting**, the firewall processes rules in this + section before the connection tracking subsystem. +* **Output Filter**: ``set firewall ipv6 output filter ...``. The firewall + processes rules in this section after the connection tracking subsystem. .. note:: **Important note about default-actions:** - If a default action for any base chain is not defined, then the default - action is set to **accept** for that chain. For custom chains, if the - default action is not defined, then the default-action is set to **drop** + If you do not define a default action for a base chain, the system sets + the default action to **accept** for that chain. For custom chains, if you + do not define a default action, the system sets the default-action to + **drop** -Custom firewall chains can be created, with commands -``set firewall ipv6 name <name> ...``. In order to use -such custom chain, a rule with **action jump**, and the appropriate **target** -should be defined in a base chain. +Create custom firewall chains using the commands +``set firewall ipv6 name <name> ...``. To use the custom chain, define a +rule with **action jump** and the appropriate **target** in a base chain. ****************************** Firewall - IPv6 Rules ****************************** -For firewall filtering, firewall rules need to be created. Each rule is -numbered, has an action to apply if the rule is matched, and the ability -to specify multiple matching criteria. Data packets go through the rules -from 1 - 999999, so order is crucial. At the first match the action of the -rule will be executed. +Create firewall rules for firewall filtering. Each rule is numbered and has +an action to apply when the rule is matched. You can specify multiple matching +criteria. Packets go through rules from 1 - 999999, so order is crucial. The +firewall executes the action of the first matching rule. Actions ======= -If a rule is defined, then an action must be defined for it. This tells the -firewall what to do if all of the criteria defined for that rule match. +If you define a rule, you must define an action for it. The action tells the +firewall what to do when all criteria for that rule are met. The action can be : @@ -135,8 +132,8 @@ The action can be : .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> action [accept | continue | drop | jump | queue | reject | return] - This required setting defines the action of the current rule. If the action - is set to jump, then a jump-target is also needed. + This required setting defines the action of the current rule. If you set + the action to jump, you must also define a jump-target. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> jump-target <text> @@ -147,8 +144,8 @@ The action can be : .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> jump-target <text> - To be used only when action is set to ``jump``. Use this command to specify - the jump target. + Use this command only when action is set to ``jump``. Specify the jump + target. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> queue <0-65535> @@ -159,8 +156,8 @@ The action can be : .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> queue <0-65535> - To be used only when action is set to ``queue``. Use this command to specify - the queue target to use. Queue range is also supported. + Use this command only when action is set to ``queue``. Specify the queue + target. Queue ranges are also supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> queue-options bypass @@ -171,9 +168,9 @@ The action can be : .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> queue-options bypass - To be used only when action is set to ``queue``. Use this command to let the - packet go through firewall when no userspace software is connected to the - queue. + Use this command only when action is set to ``queue``. This command allows + the packet to go through the firewall when no userspace software is connected + to the queue. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> queue-options fanout @@ -184,8 +181,8 @@ The action can be : .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> queue-options fanout - To be used only when action is set to ``queue``. Use this command to - distribute packets between several queues. + Use this command only when action is set to ``queue``. This command + distributes packets among multiple queues. Also, **default-action** is an action that takes place whenever a packet does not match any rule in its chain. For base chains, possible options for @@ -200,11 +197,11 @@ not match any rule in its chain. For base chains, possible options for .. cfgcmd:: set firewall ipv6 name <name> default-action [accept | drop | jump | queue | reject | return] - This sets the default action of the rule-set if a packet does not match the - criteria of any rule. If default-action is set to ``jump``, then - ``default-jump-target`` is also needed. Note that for base chains, the - default action can only be set to ``accept`` or ``drop``, while on custom - chains, more actions are available. + Set the default action of the rule-set if a packet does not match any rule + criteria. If you set default-action to ``jump``, you must also define + ``default-jump-target``. For base chains, you can only set the default + action to ``accept`` or ``drop``. For custom chains, more actions are + available. .. cfgcmd:: set firewall ipv6 name <name> default-jump-target <text> @@ -212,23 +209,24 @@ not match any rule in its chain. For base chains, possible options for command to specify the jump target for the default rule. .. note:: **Important note about default-actions:** - If the default action for any base chain is not defined, then the default - action is set to **accept** for that chain. For custom chains if a default - action is not defined then the default-action is set to **drop**. + If you do not define the default action for a base chain, the system sets + the default action to **accept** for that chain. For custom chains, if you + do not define a default action, the system sets the default-action to + **drop**. Firewall Logs ============= -Logging can be enabled for every single firewall rule. If enabled, other -log options can be defined. +You can enable logging for each firewall rule. When enabled, you can also +define other log options. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log .. cfgcmd:: set firewall ipv6 input filter rule <1-999999> log .. cfgcmd:: set firewall ipv6 output filter rule <1-999999> log .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log - Enable logging for the matched packet. If this configuration command is not - present, then the log is not enabled. + Enable logging for matched packets. If this configuration command is not + present, logging is disabled. .. cfgcmd:: set firewall ipv6 forward filter default-log .. cfgcmd:: set firewall ipv6 input filter default-log @@ -275,7 +273,7 @@ log options can be defined. log-options snapshot-length <0-9000> Define the length of packet payload to include in a netlink message. Only - applicable if rule log is enabled and log group is defined. + applicable when rule logging is enabled and log group is defined. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log-options queue-threshold <0-65535> @@ -287,13 +285,13 @@ log options can be defined. log-options queue-threshold <0-65535> Define the number of packets to queue inside the kernel before sending them - to userspace. Only applicable if rule log is enabled and log group is defined. + to userspace. Only applicable when rule logging is enabled and log group is + defined. Firewall Description ==================== -For reference, a description can be defined for every single rule, and for -every defined custom chain. +For reference, you can define descriptions on every rule and custom chain. .. cfgcmd:: set firewall ipv6 name <name> description <text> @@ -312,8 +310,8 @@ every defined custom chain. Rule Status =========== -When defining a rule, it is enabled by default. In some cases, it is useful to -just disable the rule, rather than removing it. +New rules are enabled by default. In some cases, you may want to disable a +rule rather than remove it. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> disable .. cfgcmd:: set firewall ipv6 input filter rule <1-999999> disable @@ -336,7 +334,7 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> connection-status nat [destination | source] - Match based on nat connection status. + Match packets based on NAT connection status. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> connection-mark <1-2147483647> @@ -347,7 +345,7 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> connection-mark <1-2147483647> - Match based on connection mark. + Match packets based on connection mark. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source address [address | addressrange | CIDR] @@ -367,8 +365,8 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination address [address | addressrange | CIDR] - Match based on source and/or destination address. This is similar to the - network groups part, but here you are able to negate the matching addresses. + Match based on source or destination address. This is similar to network + groups, but you can negate the matching addresses here. .. code-block:: none @@ -392,15 +390,14 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination address-mask [address] - An arbitrary netmask can be applied to mask addresses to only match against - a specific portion. This is particularly useful with IPv6 as rules will - remain valid if the IPv6 prefix changes and the host - portion of systems IPv6 address is static (for example, with SLAAC or - `tokenised IPv6 addresses - <https://datatracker.ietf.org - /doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) + Apply an arbitrary netmask to mask addresses and match only a specific + portion. This is useful for IPv6 because rules remain valid when the IPv6 + prefix changes if the host portion of the system's IPv6 address is static. + Examples include SLAAC and `tokenised IPv6 addresses + <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6- + identifiers-02.txt>`_ - This functions for both individual addresses and address groups. + This function works for both individual addresses and address groups. .. stop_vyoslinter .. code-block:: none @@ -433,8 +430,8 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination fqdn <fqdn> - Specify a Fully Qualified Domain Name as source/destination to match. Ensure - that the router is able to resolve this dns query. + Specify a Fully Qualified Domain Name as source or destination to match. + Ensure that the router can resolve the DNS query. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source geoip country-code <country> @@ -472,14 +469,16 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination geoip inverse-match - Match IP addresses based on its geolocation. More info: `geoip matching - <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_. - Use inverse-match to match anything except the given country-codes. + Match IP addresses based on their geolocation. For more information, see + `GeoIP matching <https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_ + matching>`_. Use inverse-match to match anything except the specified + country codes. -Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required, -permits redistribution so we can include a database in images(~3MB -compressed). Includes cron script (manually callable by op-mode update -geoip) to keep database and rules updated. +DB-IP.com provides data under CC-BY-4.0 license. Attribution is required and +redistribution is permitted, allowing VyOS to include a database in images +(approximately 3 MB compressed). The package includes a cron script that you +can manually call through op-mode update geoip to keep the database and rules +updated. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> @@ -491,7 +490,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> source mac-address <mac-address> - You can only specify a source mac-address to match. + You can specify only a source MAC address to match. .. code-block:: none @@ -516,7 +515,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination port [1-65535 | portname | start-end] - A port can be set by number or name as defined in ``/etc/services``. + Specify a port by number or by name as defined in ``/etc/services``. .. code-block:: none @@ -549,8 +548,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination group address-group <name | !name> - Use a specific address-group. Prepending the character ``!`` to invert the - criteria to match is also supported. + Specify an address group. You can prepend the character ``!`` to invert the + matching criteria. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source group dynamic-address-group <name | !name> @@ -570,8 +569,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination group dynamic-address-group <name | !name> - Use a specific dynamic-address-group. Prepending the character ``!`` to - invert the criteria to match is also supported. + Specify a dynamic address group. You can prepend the character ``!`` to + invert the matching criteria. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source group network-group <name | !name> @@ -591,8 +590,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination group network-group <name | !name> - Use a specific network-group. Prepending the character ``!`` to invert the - criteria to match is also supported. + Specify a network group. You can prepend the character ``!`` to invert the + matching criteria. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source group port-group <name | !name> @@ -612,8 +611,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination group port-group <name | !name> - Use a specific port-group. Prepending the character ``!`` to invert the - criteria to match is also supported. + Specify a port group. You can prepend the character ``!`` to invert the + matching criteria. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source group domain-group <name | !name> @@ -633,8 +632,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination group domain-group <name | !name> - Use a specific domain-group. Prepending the character ``!`` to invert the - criteria to match is also supported. + Specify a domain group. You can prepend the character ``!`` to invert the + matching criteria. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source group mac-group <name | !name> @@ -654,8 +653,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> destination group mac-group <name | !name> - Use a specific mac-group. Prepending the character ``!`` to invert the - criteria to match is also supported. + Specify a MAC group. You can prepend the character ``!`` to invert the + matching criteria. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> dscp [0-63 | start-end] @@ -686,7 +685,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> fragment [match-frag | match-non-frag] - Match based on fragmentation. + Match packets based on fragmentation. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> icmpv6 [code | type] <0-255> @@ -697,7 +696,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> icmpv6 [code | type] <0-255> - Match based on icmp|icmpv6 code and type. + Match packets based on ICMP or ICMPv6 code and type. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> icmpv6 type-name <text> @@ -708,8 +707,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> icmpv6 type-name <text> - Match based on icmpv6 type-name. Use tab for information - about what **type-name** criteria are supported. + Match based on ICMPv6 type-name. Press **Tab** for information about + supported **type-name** criteria. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> inbound-interface name <iface> @@ -718,13 +717,13 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> inbound-interface name <iface> - Match based on inbound interface. Wildcard ``*`` can be used. - For example: ``eth2*``. Prepending the character ``!`` to invert the - criteria to match is also supported. For example ``!eth2`` + Match based on inbound interface. You can use the wildcard ``*``. For + example: ``eth2*``. You can prepend the character ``!`` to invert the + matching criteria. For example ``!eth2`` -.. note:: If an interface is attached to a non-default vrf, when using - **inbound-interface**, the vrf name must be used. For example ``set firewall - ipv6 forward filter rule 10 inbound-interface name MGMT`` +.. note:: If an interface is attached to a non-default VRF, when using + **inbound-interface**, use the VRF name. For example: + ``set firewall ipv6 forward filter rule 10 inbound-interface name MGMT`` .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> inbound-interface group <iface_group> @@ -733,8 +732,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> inbound-interface group <iface_group> - Match based on the inbound interface group. Prepending the character ``!`` - to invert the criteria to match is also supported. For example ``!IFACE_GROUP`` + Match based on the inbound interface group. You can prepend the character + ``!`` to invert the matching criteria. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> outbound-interface name <iface> @@ -743,12 +742,12 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> outbound-interface name <iface> - Match based on outbound interface. Wildcard ``*`` can be used. - For example: ``eth2*``. Prepending the character ``!`` to invert the - criteria to match is also supported. For example ``!eth2`` + Match based on outbound interface. You can use the wildcard ``*``. For + example: ``eth2*``. You can prepend the character ``!`` to invert the + matching criteria. For example ``!eth2`` -.. note:: If an interface is attached to a non-default vrf, when using - **outbound-interface**, the real interface name must be used. For example +.. note:: If an interface is attached to a non-default VRF, when using + **outbound-interface**, use the physical interface name. For example: ``set firewall ipv6 forward filter rule 10 outbound-interface name eth0`` .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> @@ -758,8 +757,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> outbound-interface group <iface_group> - Match based on outbound interface group. Prepending the character ``!`` to - invert the criteria to match is also supported. For example ``!IFACE_GROUP`` + Match based on outbound interface group. You can prepend the character ``!`` + to invert the matching criteria. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out] @@ -770,7 +769,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> ipsec [match-ipsec-in | match-ipsec-out | match-none-in | match-none-out] - Match based on ipsec. + Match packets based on IPsec. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> limit burst <0-4294967295> @@ -781,7 +780,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> limit burst <0-4294967295> - Match based on the maximum number of packets to allow in excess of rate. + Match based on the maximum number of packets allowed to exceed the rate + limit. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> limit rate <text> @@ -792,8 +792,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> limit rate <text> - Match based on the maximum average rate, specified as **integer/unit**. - For example **5/minutes** + Match based on the maximum average rate, specified as ``integer/unit``. + For example, specify ``5/minutes``. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> packet-length <text> @@ -813,8 +813,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> packet-length-exclude <text> - Match based on the packet length. Multiple values from 1 to 65535 - and ranges are supported. + Match based on packet length. You can specify multiple values from 1 to + 65535 and ranges. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> packet-type [broadcast | host | multicast | other] @@ -825,7 +825,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> packet-type [broadcast | host | multicast | other] - Match based on the packet type. + Match based on packet type. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> protocol [<text> | <0-255> | all | tcp_udp] @@ -837,8 +837,8 @@ geoip) to keep database and rules updated. protocol [<text> | <0-255> | all | tcp_udp] Match based on protocol number or name as defined in ``/etc/protocols``. - Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp - based packets. The ``!`` negates the selected protocol. + Specify ``all`` for all protocols and ``tcp_udp`` for TCP and UDP packets. + Prepend ``!`` to negate the protocol selection. .. code-block:: none @@ -862,7 +862,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> recent time [second | minute | hour] - Match bases on recently seen sources. + Match packets based on recently seen sources. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> tcp flags [not] <text> @@ -873,9 +873,9 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> tcp flags [not] <text> - Allowed values fpr TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, - ``rst``, ``syn`` and ``urg``. Multiple values are supported, and for - inverted selection use ``not``, as shown in the example. + Allowed values for TCP flags: ``ack``, ``cwr``, ``ecn``, ``fin``, ``psh``, + ``rst``, ``syn``, and ``urg``. You can specify multiple values. To invert + the selection, use ``not``, as shown in the following example. .. code-block:: none @@ -892,7 +892,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> state [established | invalid | new | related] - Match against the state of a packet. + Match based on packet state. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> time startdate <text> @@ -935,7 +935,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> time weekdays <text> - Time to match the defined rule. + Match packets based on time criteria. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> hop-limit <eq | gt | lt> <0-255> @@ -946,8 +946,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> hop-limit <eq | gt | lt> <0-255> - Match the hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for - 'greater than', and 'lt' stands for 'less than'. + Match the hop-limit parameter. Use ``eq`` for equal, ``gt`` for greater than, + and ``lt`` for less than. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> recent count <1-255> @@ -967,15 +967,14 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> recent time <second | minute | hour> - Match when 'count' amount of connections are seen within 'time'. These - matching criteria can be used to block brute-force attempts. + Match when the specified number of connections occur within the specified + time period. Use these criteria to block brute-force attempts. Packet Modifications ==================== -Starting from **VyOS-1.5-rolling-202410060007**, the firewall can modify -packets before they are sent out. This feaure provides more flexibility in -packet handling. +The firewall can modify packets before sending them. +This feature provides more flexibility for packet handling. .. cfgcmd:: set firewall ipv6 prerouting raw rule <1-999999> set dscp <0-63> @@ -1032,12 +1031,12 @@ Synproxy connections .. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> - Set the TCP-MSS (maximum segment size) for the connection + Set the TCP MSS (maximum segment size) for the connection. .. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> - Set the window scale factor for TCP window scaling + Set the window scale factor for TCP window scaling. Example synproxy ================ @@ -1075,8 +1074,7 @@ Rule-set overview .. opcmd:: show firewall - This will show you a basic firewall overview, for all rule-sets, and not - only for ipv6 + Show a basic firewall overview for all rule-sets, not only for IPv6: .. code-block:: none @@ -1224,8 +1222,8 @@ Rule-set overview .. opcmd:: show firewall group <name> - Overview of defined groups. You see the type, the members, and where the - group is used. + Show an overview of defined groups, including the type, members, and where + the group is used. .. code-block:: none @@ -1242,7 +1240,7 @@ Rule-set overview .. opcmd:: show firewall statistics - This will show you statistics of all rule-sets since the last boot. + Show statistics of all rule-sets since the last boot. Show Firewall log ================= @@ -1255,9 +1253,8 @@ Show Firewall log .. opcmd:: show log firewall ipv6 [forward | input | output] filter rule <rule> .. opcmd:: show log firewall ipv6 name <name> rule <rule> - Show the logs of all firewall; show all ipv6 firewall logs; show all logs - for particular hook; show all logs for particular hook and priority; - show all logs for particular custom chain; show logs for specific Rule-Set. + Show firewall logs for all firewalls, all IPv6 firewalls, specific hooks, + specific priorities, specific custom chains, or specific rule-sets. Example Partial Config ====================== diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index fde6c162..f3b12473 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst @@ -1,34 +1,27 @@ -:lastproofread: 2024-07-03 +:lastproofread: 2026-03-30 .. _firewall-zone: ################### -Zone Based Firewall +Zone-Based Firewall ################### ******** Overview ******** -.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall - structure can be found on all VyOS installations. The Zone based firewall - was removed in that version, but re introduced in VyOS 1.4 and 1.5. All - versions built after 2023-10-22 have this feature. - Documentation for most of the new firewall CLI can be - found in the `firewall - <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ - chapter. +.. note:: + All VyOS versions built after 2023-10-22 (VyOS 1.4 and 1.5) support + this feature. -In this section there's useful information on all firewall configuration that -is needed for the zone-based firewall. -Configuration commands covered in this section: +This section provides information on firewall configuration for the +zone-based firewall. This section covers the following configuration +commands: .. cfgcmd:: set firewall zone ... -From the main structure defined in -:doc:`Firewall Overview</configuration/firewall/index>` -in this section you can find detailed information only for the next part -of the general structure: +To learn about the general traffic flow in VyOS firewalls, +see :doc:`Firewall </configuration/firewall/index>`. .. code-block:: none @@ -37,22 +30,23 @@ of the general structure: - custom_zone_name + ... -In zone-based policy, interfaces are assigned to zones, and inspection policy -is applied to traffic moving between the zones and acted on according to -firewall rules. A zone is a group of interfaces that have similar functions or -features. It establishes the security borders of a network. A zone defines a -boundary where traffic is subjected to policy restrictions as it crosses to -another region of a network. +In zone-based policy, you assign interfaces to zones and apply inspection +policy to traffic moving between zones. The firewall acts on traffic +according to rules. A zone is a group of interfaces that have similar +functions or features. It establishes the security borders of a network. +A zone defines a boundary where the system subjects traffic to policy +restrictions as it crosses to another region of a network. Key Points: -* A zone must be configured before an interface is assigned to it and an - interface can be assigned to only a single zone. -* All traffic to and from an interface within a zone is permitted. -* All traffic between zones is affected by existing policies -* Traffic cannot flow between a zone member interface and any interface that is - not a zone member. -* You need 2 separate firewalls to define traffic: one for each direction. +* A zone must be configured before you assign an interface to it, and you + can assign an interface to only a single zone. +* All traffic to and from an interface within a zone flows freely. +* Existing policies affect all traffic between zones. +* Traffic cannot flow between a zone member interface and any interface that + is not a zone member. +* You must define 2 separate firewalls to define traffic: one for each + direction. .. note:: In :vytask:`T2199` the syntax of the zone configuration was changed. The zone configuration moved from ``zone-policy zone <name>`` to ``firewall @@ -62,12 +56,13 @@ Key Points: Configuration ************* -As an alternative to applying policy to an interface directly, a zone-based -firewall can be created to simplify configuration when multiple interfaces -belong to the same security zone. Instead of applying rule-sets to interfaces, -they are applied to source-destination zone pairs. +As an alternative to applying policy to an interface directly, you can +create a zone-based firewall to simplify configuration when multiple +interfaces belong to the same security zone. Instead of applying rule-sets +to interfaces, you apply them to source-destination zone pairs. -A basic introduction to zone-based firewalls can be found `here +You can find a basic introduction to zone-based firewalls in the +`VyOS Knowledge Base <https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_, and an example at :ref:`examples-zone-policy`. @@ -80,7 +75,7 @@ The following steps are required to create a zone-based firewall: Define a Zone ============= -To define a zone setup either one with interfaces or the local zone. +To define a zone, set up either one with interfaces or as the local zone. .. cfgcmd:: set firewall zone <name> interface <interface> @@ -89,41 +84,41 @@ To define a zone setup either one with interfaces or the local zone. .. note:: * An interface can only be a member of one zone. - * A zone can have multiple interfaces, with traffic between interfaces in - the same zone subject to the intra-zone-filtering policy (allowed by - default). + * You can have multiple interfaces in a zone. Traffic between + interfaces in the same zone follows the intra-zone-filtering + policy (allowed by default). .. cfgcmd:: set firewall zone <name> local-zone - Define the zone as the local zone, for traffic originating from and destined - to the router itself. + Define the zone as the local zone for traffic that originates from or is + destined to the router itself. .. note:: * A local zone cannot have any member interfaces - * There cannot be multiple local zones + * You cannot have multiple local zones .. cfgcmd:: set firewall zone <name> default-action [drop | reject] - Change the zone default-action, which applies to traffic destined to this - zone that doesn't match any of the source zone rulesets applied. + Modify the zone default-action, which applies to traffic destined to this + zone that does not match any of the source zone rulesets applied. .. cfgcmd:: set firewall zone <name> default-log - Enable logging of packets that hit this zone's default-action (disabled by - default). + Enable logging of packets that match this zone's default-action (disabled + by default). .. cfgcmd:: set firewall zone <name> description - Set a meaningful description. + Add a meaningful description. Defining a Rule-Set ============================= -Zone-based firewall rule-sets are for traffic from a *Source Zone* to a +Zone-based firewall rule-sets define traffic from a *Source Zone* to a *Destination Zone*. -The rule-sets are created as a custom firewall chain using the commands below +You create rule-sets as a custom firewall chain using the commands below (refer to the firewall IPv4/IPv6 sections for the full syntax): * For :ref:`IPv4<configuration/firewall/ipv4:Firewall - IPv4 Rules>`: @@ -131,15 +126,16 @@ The rule-sets are created as a custom firewall chain using the commands below * For :ref:`IPv6<configuration/firewall/ipv6:Firewall - IPv6 Rules>`: ``set firewall ipv6 name <name> ...`` -It can be helpful to name the rule-sets in the format -``<Sourze Zone>-<Destination Zone>-<v4 | v6>`` to make them easily identifiable. +It is helpful to name the rule-sets in the format +``<Source Zone>-<Destination Zone>-<v4 | v6>`` to make them easily +identifiable. Applying a Rule-Set to a Zone ============================= -Once a rule-set has been defined, it can then be applied to the source and -destination zones. The configuration syntax is anchored on the destination -zone, with each of the source zone rule-sets listed against the destination. +After you define a rule-set, apply it to the source and destination zones. +The configuration syntax anchors to the destination zone, with each of the +source zone rule-sets listed against the destination. .. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone> firewall name <ipv4-rule-set-name> @@ -147,7 +143,8 @@ zone, with each of the source zone rule-sets listed against the destination. .. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone> firewall ipv6-name <ipv6-rule-set-name> -It is recommended to create two rule-sets for each source-destination zone pair. +You should create two rule-sets for each source-destination zone +pair. .. code-block:: none @@ -157,10 +154,10 @@ It is recommended to create two rule-sets for each source-destination zone pair. Applying a Default Rule-Set to a Zone ===================================== -When a destination zone shares a common rule-set for multiple source zones or -a complex set of default policies are required, an optional default rule-set -can be applied. The default rule-set applies to all zones that do not have a -rule-set configured as defined in +When a destination zone shares a common rule-set for multiple source zones, +or when you require a complex set of default policies, you can apply an +optional default rule-set. The default rule-set applies to all zones that do +not have a rule-set configured as defined in :ref:`IPv4<configuration/firewall/zone:Applying a Rule-Set to a Zone>` .. cfgcmd:: set firewall zone <Destination Zone> default-firewall name @@ -175,7 +172,7 @@ Operation-mode .. opcmd:: show firewall zone-policy - This will show you a basic summary of the zone configuration. + Display a basic summary of the zone configuration. .. code-block:: none @@ -191,7 +188,7 @@ Operation-mode .. opcmd:: show firewall zone-policy zone <zone> - This will show you a basic summary of a particular zone. + Display a basic summary of a particular zone. .. code-block:: none |
