author | Daniil Baturin <daniil@vyos.io> | 2024-02-09 09:30:53 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-09 09:30:53 +0000 |
commit | 9e9216768f0fac9a52aaa9ab368fcf11db362187 (patch) | |
tree | 5c9646873fb40470984c3fa6c494b2b439aaf9bf /docs/quick-start.rst | |
parent | 583988589f60c0d30ece4b7f740aad25622a6fc3 (diff) | |
parent | 227125a387e16331a1fa3ad91e59436c0b7cb4cf (diff) | |
Merge pull request #1251 from vyos/mergify/bp/sagitta/pr-1247
Fix some spell mistakes (backport #1247)
Diffstat (limited to 'docs/quick-start.rst')
-rw-r--r-- | docs/quick-start.rst | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/docs/quick-start.rst b/docs/quick-start.rst index c8bb3f04..f0a3c828 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -158,8 +158,29 @@ Configure Stateful Packet Filtering With the new firewall structure, we have have a lot of flexibility in how we group and order our rules, as shown by the two alternative approaches below. +<<<<<<< HEAD Option 1: Common Chain ^^^^^^^^^^^^^^^^^^^^^^ +======= +Option 1: Global State Policies +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Using options defined in ``set firewall global-options state-policy``, state +policy rules that applies for both IPv4 and IPv6 are created. These global +state policies also applies for all traffic that passes through the router +(transit) and for traffic originated/destinated to/from the router itself, and +will be evaluated before any other rule defined in the firewall. + +Most installations would choose this option, and will contain: + +.. code-block:: none + + set firewall global-options state-policy established action accept + set firewall global-options state-policy related action accept + set firewall global-options state-policy invalid action drop + +Option 2: Common/Custom Chain +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +>>>>>>> 32460e70 (Fix typos in quick-start) We can create a common chain for stateful connection filtering of multiple interfaces (or multiple netfilter hooks on one interface). Those individual @@ -225,7 +246,7 @@ established and related connections, we can block all other incoming traffic addressed to our local network. Create a new chain (``OUTSIDE-IN``) which will drop all traffic that is not -explicity allowed at some point in the chain. Then, we can jump to that chain +explicitly allowed at some point in the chain. Then, we can jump to that chain from the ``forward`` hook when traffic is coming from the ``WAN`` interface group and is addressed to our local network. |
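Review bot: The first hunk (`@@ -158,8 +158,29 @@`) commits unresolved merge conflict markers into docs/quick-start.rst: the added lines `+<<<<<<< HEAD`, `+=======` and `+>>>>>>> 32460e70 (Fix typos in quick-start)` are not reStructuredText and will be rendered verbatim by Sphinx, and because both sides of the conflict were kept, the page now carries the HEAD heading "Option 1: Common Chain" directly above the backported "Option 1: Global State Policies", so two sections share the "Option 1" label. The conflict needs to be resolved before this is merged: drop the three marker lines and the HEAD-side "Option 1: Common Chain" heading with its underline, keeping the "Option 1: Global State Policies" and "Option 2: Common/Custom Chain" headings, and re-check the diffstat, which should then be well under 22 insertions. Since the backport is presented as a spelling fix, the added paragraph should also be tidied while it is being re-resolved: "state policy rules that applies" should read "apply", "also applies for all traffic" should read "also apply to all traffic", and "originated/destinated to/from the router" should read "originating from or destined to the router"; the unchanged context line "we have have a lot of flexibility" still carries a doubled word. The second hunk, "explicity" to "explicitly", is correct as is.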