| author | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-09-08 09:49:02 -0300 | 
|---|---|---|
| committer | Nicolas Fort <nicolasfort1988@gmail.com> | 2023-09-08 09:49:02 -0300 | 
| commit | 24d9c9b9d08dedd46e6a7f39b8587656ee6a112c (patch) | |
| tree | bfada762e4f5c7b8182a031bde4ec01d6f2590d8 /docs | |
| parent | d4feb684165f5276890f878bb4cc569f58c4ef4f (diff) | |
| download | vyos-documentation-24d9c9b9d08dedd46e6a7f39b8587656ee6a112c.tar.gz vyos-documentation-24d9c9b9d08dedd46e6a7f39b8587656ee6a112c.zip | |
Firewall refactor: add visible note in firewall docs: zone, quick-start and config blueprint zone-policy
Diffstat (limited to 'docs')
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | docs/configexamples/zone-policy.rst | 10 |
| -rw-r--r-- | docs/configuration/firewall/general-legacy.rst | 6 |
| -rw-r--r-- | docs/configuration/firewall/zone.rst | 10 |
| -rw-r--r-- | docs/quick-start.rst | 68 |

4 files changed, 62 insertions, 32 deletions
| diff --git a/docs/configexamples/zone-policy.rst b/docs/configexamples/zone-policy.rst index 90de8b24..08db13b9 100644 --- a/docs/configexamples/zone-policy.rst +++ b/docs/configexamples/zone-policy.rst @@ -5,6 +5,16 @@  Zone-Policy example  ------------------- +.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall +   structure can be found on all vyos instalations, and zone based firewall is +   no longer supported. Documentation for most of the new firewall CLI can be +   found in the `firewall +   <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ +   chapter. The legacy firewall is still available for versions before +   1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` +   chapter. The examples in this section use the legacy firewall configuration +   commands, since this feature has been removed in earlier releases. +  .. note:: In :vytask:`T2199` the syntax of the zone configuration was changed.     The zone configuration moved from ``zone-policy zone <name>`` to ``firewall     zone <name>``. diff --git a/docs/configuration/firewall/general-legacy.rst b/docs/configuration/firewall/general-legacy.rst index de91e54b..2e6b0061 100644 --- a/docs/configuration/firewall/general-legacy.rst +++ b/docs/configuration/firewall/general-legacy.rst @@ -1,6 +1,6 @@  :lastproofread: 2021-06-29 -.. _firewall: +.. _firewall-legacy:  ###############  Firewall-Legacy @@ -8,7 +8,7 @@ Firewall-Legacy  .. note:: **Important note:**     This documentation is valid only for VyOS Sagitta prior to -   1.4-rolling-YYYYMMDDHHmm +   1.4-rolling-202308040557  ********  Overview 
@@ -153,7 +153,7 @@ Groups  ******  Firewall groups represent collections of IP addresses, networks, ports, -mac addresses or domains. Once created, a group can be referenced by  +mac addresses or domains. Once created, a group can be referenced by  firewall, nat and policy route rules as either a source or destination  matcher. Members can be added or removed from a group without changes to,  or the need to reload, individual firewall rules. diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index 6afd47e9..70ad7b65 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst @@ -6,6 +6,16 @@  Zone Based Firewall  ################### +.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall +   structure can be found on all vyos instalations, and zone based firewall is +   no longer supported. Documentation for most of the new firewall CLI can be +   found in the `firewall +   <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ +   chapter. The legacy firewall is still available for versions before +   1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` +   chapter. The examples in this section use the legacy firewall configuration +   commands, since this feature has been removed in earlier releases. +  .. note:: For latest releases, refer the `firewall      <https://docs.vyos.io/en/latest/configuration/firewall/general.html#interface-groups>`_      main page to configure zone based rules. New syntax was introduced here  diff --git a/docs/quick-start.rst b/docs/quick-start.rst index 19be7b66..a6055576 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst 
@@ -122,6 +122,15 @@ network via IP masquerade.  Firewall  ######## +.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall +   structure can be found on all vyos instalations. Documentation for most +   of the new firewall CLI can be found in the `firewall +   <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ +   chapter. The legacy firewall is still available for versions before +   1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` +   chapter. The examples in this section use the new firewall configuration +   commands. +  Add a set of firewall policies for our outside/WAN interface.  This configuration creates a proper stateful firewall that blocks all traffic 
@@ -129,19 +138,25 @@ which was not initiated from the internal/LAN side first.  .. code-block:: none -  set firewall name OUTSIDE-IN default-action 'drop' -  set firewall name OUTSIDE-IN rule 10 action 'accept' -  set firewall name OUTSIDE-IN rule 10 state established 'enable' -  set firewall name OUTSIDE-IN rule 10 state related 'enable' - -  set firewall name OUTSIDE-LOCAL default-action 'drop' -  set firewall name OUTSIDE-LOCAL rule 10 action 'accept' -  set firewall name OUTSIDE-LOCAL rule 10 state established 'enable' -  set firewall name OUTSIDE-LOCAL rule 10 state related 'enable' -  set firewall name OUTSIDE-LOCAL rule 20 action 'accept' -  set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request' -  set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp' -  set firewall name OUTSIDE-LOCAL rule 20 state new 'enable' +  set firewall ipv4 forward filter default-action 'drop' +  set firewall ipv4 forward filter rule 10 action 'accept' +  set firewall ipv4 forward filter rule 10 state established 'enable' +  set firewall ipv4 forward filter rule 10 state related 'enable' +  set firewall ipv4 forward filter rule 20 action 'drop' +  set firewall ipv4 forward filter rule 20 state invalid 'enable' +  set firewall ipv4 forward filter rule 30 inbound-interface interface-name 'eth1' +  set firewall ipv4 forward filter rule 30 action 'accept' + +  set firewall ipv4 input filter default-action drop +  set firewall ipv4 input filter rule 10 action 'accept' +  set firewall ipv4 input filter rule 10 state established 'enable' +  set firewall ipv4 input filter rule 10 state related 'enable' +  set firewall ipv4 input filter rule 20 action 'drop' +  set firewall ipv4 input filter rule 20 state invalid 'enable' +  set firewall ipv4 input filter rule 30 action 'accept' +  set firewall ipv4 input filter rule 30 icmp type-name 'echo-request' +  set firewall ipv4 input filter rule 30 protocol 'icmp' +  set firewall ipv4 input filter rule 30 state new 'enable'  If you 
wanted to enable SSH access to your firewall from the outside/WAN  interface, you could create some additional rules to allow that kind of @@ -152,24 +167,19 @@ blocks brute-forcing attempts:  .. code-block:: none -  set firewall name OUTSIDE-LOCAL rule 30 action 'drop' -  set firewall name OUTSIDE-LOCAL rule 30 destination port '22' -  set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp' -  set firewall name OUTSIDE-LOCAL rule 30 recent count '4' -  set firewall name OUTSIDE-LOCAL rule 30 recent time 'minute' -  set firewall name OUTSIDE-LOCAL rule 30 state new 'enable' - -  set firewall name OUTSIDE-LOCAL rule 31 action 'accept' -  set firewall name OUTSIDE-LOCAL rule 31 destination port '22' -  set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp' -  set firewall name OUTSIDE-LOCAL rule 31 state new 'enable' +  set firewall ipv4 input filter rule 40 action 'drop' +  set firewall ipv4 input filter rule 40 inbound-interface interface-name 'eth0' +  set firewall ipv4 input filter rule 40 destination port '22' +  set firewall ipv4 input filter rule 40 protocol 'tcp' +  set firewall ipv4 input filter rule 40 recent count '4' +  set firewall ipv4 input filter rule 40 recent time 'minute' +  set firewall ipv4 input filter rule 40 state new 'enable' -Apply the firewall policies: - -.. code-block:: none +  set firewall ipv4 input filter rule 41 action 'accept' +  set firewall ipv4 input filter rule 41 destination port '22' +  set firewall ipv4 input filter rule 41 protocol 'tcp' +  set firewall ipv4 input filter rule 41 state new 'enable' -  set firewall interface eth0 in name 'OUTSIDE-IN' -  set firewall interface eth0 local name 'OUTSIDE-LOCAL'  Commit changes, save the configuration, and exit configuration mode: | 
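Review bot: the closing sentence of the new note in docs/configexamples/zone-policy.rst is inverted: "since this feature has been removed in earlier releases" contradicts the note's own first sentence, which places the removal at 1.4-rolling-202308040557 and later. Suggest "since the zone-based firewall was removed in 1.4-rolling-202308040557 and later releases." In the same note, "instalations" should be "installations", and the new-firewall chapter is linked with a hard-coded `https://docs.vyos.io/en/latest/...` URL while the legacy chapter two lines later uses :ref:`firewall-legacy`; a :ref: to the new chapter would keep the link correct in versioned builds instead of always pointing at latest.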
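Review bot: renaming the anchor from `.. _firewall:` to `.. _firewall-legacy:` in docs/configuration/firewall/general-legacy.rst breaks every existing :ref:`firewall` in the docs unless the new general.rst now defines `.. _firewall:`; that file is not in this diffstat, so please confirm the label exists there (or grep for remaining :ref:`firewall` uses) before merging, otherwise Sphinx will report undefined labels. Replacing the `1.4-rolling-YYYYMMDDHHmm` placeholder with the real `1.4-rolling-202308040557` string is the right fix.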
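Review bot: the hunk at line 153 of general-legacy.rst only strips a trailing space after "referenced by"; harmless, but it is unrelated to the note additions described in the commit message and would be cleaner in its own whitespace commit.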
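Review bot: the new note in docs/configuration/firewall/zone.rst states that the zone based firewall "is no longer supported", while the existing note immediately below it says "For latest releases, refer the firewall ... main page to configure zone based rules. New syntax was introduced here" and links to the interface-groups section. Readers get two contradictory statements back to back. Either reword the new note to say that the `firewall zone` syntax documented in this chapter is no longer available and that the interface-groups section shows the replacement, or merge the two notes into one. The same "instalations" typo and the same inverted "removed in earlier releases" wording as in zone-policy.rst apply here.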
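Review bot: in the docs/quick-start.rst note, "instalations" should be "installations", and "Documentation for most of the new firewall CLI" implies part of the CLI is undocumented; if that is intended, say what is missing, otherwise drop "most of".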
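Review bot: the new `ipv4 input filter` chain with `default-action drop` has no interface scope, whereas the removed `set firewall interface eth0 local name 'OUTSIDE-LOCAL'` bound the old local ruleset to eth0 only. As written, anything the router itself must answer on the LAN side (everything except established/related traffic and ICMP echo-request) is now dropped from eth1 as well. Suggest mirroring forward rule 30 in the input chain, e.g. `set firewall ipv4 input filter rule 30 inbound-interface interface-name 'eth1'` with `action 'accept'`, and renumbering the ICMP rule, or restricting `default-action drop` semantics in the text. Two smaller points in the same hunk: `set firewall ipv4 input filter default-action drop` lacks the quotes used by every other value, and the unchanged sentence above the block, "Add a set of firewall policies for our outside/WAN interface", no longer describes what the block does, since the forward and input chains apply to all interfaces and only forward rule 30 names an interface.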
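Review bot: in the SSH hunk, rule 40 (the `recent count '4'` / `recent time 'minute'` drop) is limited to `inbound-interface interface-name 'eth0'`, but rule 41 (`action 'accept'` for tcp/22) has no interface match, so SSH is accepted from every interface and the brute-force limiter only covers eth0. If that is deliberate (it is what keeps LAN-side SSH reachable under the input chain's default drop), the surrounding text should say so, since the paragraph still talks about "SSH access to your firewall from the outside/WAN interface"; otherwise add the same inbound-interface match to rule 41. Dropping the "Apply the firewall policies" paragraph and the `set firewall interface eth0 ...` lines is correct for the new chain model, but nothing replaces them, so a sentence telling readers migrating from the per-interface `firewall interface` model that these chains need no binding would help.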
