author    Christian Poessinger <christian@poessinger.com>  2022-09-14 19:55:56 +0200
committer Christian Poessinger <christian@poessinger.com>  2022-09-14 19:55:56 +0200
commit    122ecb23fc35806b48836772423581cf66a2ee59
tree      1cdf7fd0c897abab30ec0fef84a1fc9f1213a674 /docs
parent    6071376c03d34081f8e24c0e1b9093e9a7a1a1c4
firewall: T2199: adjust to new 1.4 CLI syntax
"set zone-policy zone <name>" moved to "set firewall zone <name>".
Diffstat (limited to 'docs')
-rw-r--r--  docs/_include/interface-ip.txt                              |   2
-rw-r--r--  docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst  |   9
-rw-r--r--  docs/configexamples/zone-policy.rst                         |  26
-rw-r--r--  docs/configuration/firewall/general.rst                     | 888
-rw-r--r--  docs/configuration/firewall/index.rst                       | 953
-rw-r--r--  docs/configuration/firewall/zone.rst                        |  91
-rw-r--r--  docs/configuration/index.rst                                |   1
-rw-r--r--  docs/configuration/zonepolicy/index.rst                     |  71
-rw-r--r--  docs/documentation.rst                                      |   6
9 files changed, 1007 insertions, 1040 deletions
diff --git a/docs/_include/interface-ip.txt b/docs/_include/interface-ip.txt
index 4164985b..6359aceb 100644
--- a/docs/_include/interface-ip.txt
+++ b/docs/_include/interface-ip.txt
@@ -12,7 +12,7 @@
.. hint:: MSS value = MTU - 20 (IP header) - 20 (TCP header), resulting in
1452 bytes on a 1492 byte MTU.
- Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to
+ Instead of a numerical MSS value `clamp-mss-to-pmtu` can be used to
automatically set the proper value.
.. cfgcmd:: set interfaces {{ var0 }} <interface> {{ var2 }} {{ var3 }}
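Review bot: the only change in this hunk, the `Instead of a numerical MSS value ...` line, is whitespace-only; the removed and added lines read identically, so this is a trailing-whitespace cleanup that has nothing to do with the T2199 zone syntax move named in the commit message. Consider moving such cleanups into their own commit, or at least mention them in the message, so that `git blame` on interface-ip.txt does not attribute this line to a firewall CLI change.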
diff --git a/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst b/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst
index b7621113..80076a0a 100644
--- a/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst
+++ b/docs/configexamples/autotest/tunnelbroker/tunnelbroker.rst
@@ -65,7 +65,7 @@ Now you should be able to ping a public IPv6 Address
64 bytes from 2001:470:20::2: icmp_seq=2 ttl=64 time=30.5 ms
64 bytes from 2001:470:20::2: icmp_seq=3 ttl=64 time=30.8 ms
64 bytes from 2001:470:20::2: icmp_seq=4 ttl=64 time=90.5 ms
-
+
--- 2001:470:20::2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 30.519/45.797/90.546/25.837 ms
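Review bot: the `-`/`+` pair at the blank line before `--- 2001:470:20::2 ping statistics ---` is again whitespace-only (trailing whitespace on an otherwise empty line inside the ping output), and the two following hunks in this file are the same kind of change. They are harmless, but they are unrelated to the T2199 syntax move and inflate the diff; a separate whitespace commit, or a one-line mention in the commit message, would make the history easier to read.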
@@ -89,7 +89,7 @@ You should now be able to ping something by IPv6 DNS name:
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=2 ttl=48 time=234 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=3 ttl=48 time=182 ms
64 bytes from tunnelbroker.net (2001:470:0:63::2): icmp_seq=4 ttl=48 time=183 ms
-
+
--- tunnelbroker.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 182.224/195.335/233.869/22.248 ms
@@ -152,7 +152,7 @@ Now the Client is able to ping a public IPv6 address
64 bytes from 2001:470:20::2: icmp_seq=2 ttl=63 time=31.3 ms
64 bytes from 2001:470:20::2: icmp_seq=3 ttl=63 time=31.7 ms
64 bytes from 2001:470:20::2: icmp_seq=4 ttl=63 time=104 ms
-
+
--- 2001:470:20::2 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3005ms
rtt min/avg/max/mdev = 31.331/56.908/104.282/29.764 ms
@@ -204,5 +204,4 @@ instead of `set firewall name NAME`, you would use `set firewall ipv6-name
NAME`.
Similarly, to attach the firewall, you would use `set interfaces ethernet eth0
-firewall in ipv6-name` or `set zone-policy zone LOCAL from WAN firewall
-ipv6-name`. \ No newline at end of file
+firewall in ipv6-name` or `set firewall zone LOCAL from WAN firewall ipv6-name`. \ No newline at end of file
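Review bot: the new line `+firewall in ipv6-name` or `set firewall zone LOCAL from WAN firewall ipv6-name`.` runs well past the roughly 80-column wrap the rest of this file keeps (the removed version of the same sentence was wrapped over two lines), and the `\ No newline at end of file` marker on both sides shows the file is still saved without a trailing newline. Suggest re-wrapping the new sentence and adding the final newline while this last line is being touched anyway.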
diff --git a/docs/configexamples/zone-policy.rst b/docs/configexamples/zone-policy.rst
index 7d512797..90de8b24 100644
--- a/docs/configexamples/zone-policy.rst
+++ b/docs/configexamples/zone-policy.rst
@@ -5,6 +5,10 @@
Zone-Policy example
-------------------
+.. note:: In :vytask:`T2199` the syntax of the zone configuration was changed.
+ The zone configuration moved from ``zone-policy zone <name>`` to ``firewall
+ zone <name>``.
+
Native IPv4 and IPv6
^^^^^^^^^^^^^^^^^^^^
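Review bot: the added `.. note::` states that the zone syntax changed in :vytask:`T2199` but not in which release, while the commit title ties the change to the 1.4 CLI; a reader following this example on an older release needs that to know which form applies. Suggest naming the release in the note, e.g. `In VyOS 1.4 (:vytask:`T2199`) the zone configuration moved from ``zone-policy zone <name>`` to ``firewall zone <name>``.`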
@@ -171,14 +175,14 @@ the source/destination address is not explicit.
.. code-block:: none
- WAN – DMZ:192.168.200.200 – tcp/80
- WAN – DMZ:192.168.200.200 – tcp/443
- WAN – DMZ:192.168.200.200 – tcp/25
- WAN – DMZ:192.168.200.200 – tcp/53
- WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/80
- WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/443
- WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/25
- WAN – DMZ:2001:0DB8:0:BBBB::200 – tcp/53
+ WAN - DMZ:192.168.200.200 - tcp/80
+ WAN - DMZ:192.168.200.200 - tcp/443
+ WAN - DMZ:192.168.200.200 - tcp/25
+ WAN - DMZ:192.168.200.200 - tcp/53
+ WAN - DMZ:2001:0DB8:0:BBBB::200 - tcp/80
+ WAN - DMZ:2001:0DB8:0:BBBB::200 - tcp/443
+ WAN - DMZ:2001:0DB8:0:BBBB::200 - tcp/25
+ WAN - DMZ:2001:0DB8:0:BBBB::200 - tcp/53
DMZ - Local - tcp/53
DMZ - Local - tcp/123
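Review bot: this hunk only swaps the en dashes (`–`) in the `WAN – DMZ:...` lines for ASCII hyphens, bringing them in line with the following `DMZ - Local - tcp/53` lines of the same `code-block:: none`, which already use `-`. That is a good normalisation for a code block, but it is unrelated to the zone syntax move and worth a mention in the commit message so nobody reads the diff as a change to the rule list itself.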
@@ -345,8 +349,8 @@ Start by setting the interface and default action for each zone.
.. code-block:: none
- set zone-policy zone dmz default-action drop
- set zone-policy zone dmz interface eth0.30
+ set firewall zone dmz default-action drop
+ set firewall zone dmz interface eth0.30
In this case, we are setting the v6 ruleset that represents traffic
sourced from the LAN, destined for the DMZ. Because the zone-policy
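Review bot: the commands now read `set firewall zone dmz ...`, but the unchanged prose directly below (`Because the zone-policy`) and the example's `Zone-Policy example` title still use the `zone-policy` term. Decide whether `zone-policy` stays as the feature name in prose or whether those references should follow the CLI rename, and apply that choice consistently throughout the file so the text and the commands do not disagree about what the feature is called.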
@@ -355,7 +359,7 @@ it backwards.
.. code-block:: none
- set zone-policy zone dmz from lan firewall ipv6-name lan-dmz-6
+ set firewall zone dmz from lan firewall ipv6-name lan-dmz-6
DMZ-LAN policy is LAN-DMZ. You can get a rhythm to it when you build out
a bunch at one time.
diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst
new file mode 100644
index 00000000..cfd7a8ce
--- /dev/null
+++ b/docs/configuration/firewall/general.rst
@@ -0,0 +1,888 @@
+:lastproofread: 2021-06-29
+
+.. _firewall:
+
+########
+Firewall
+########
+
+********
+Overview
+********
+
+VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet
+filtering.
+
+The firewall supports the creation of groups for ports, addresses, and
+networks (implemented using netfilter ipset) and the option of interface
+or zone based firewall policy.
+
+.. note:: **Important note on usage of terms:**
+ The firewall makes use of the terms `in`, `out`, and `local`
+ for firewall policy. Users experienced with netfilter often confuse
+ `in` to be a reference to the `INPUT` chain, and `out` the `OUTPUT`
+ chain from netfilter. This is not the case. These instead indicate
+ the use of the `FORWARD` chain and either the input or output
+ interface. The `INPUT` chain, which is used for local traffic to the
+ OS, is a reference to as `local` with respect to its input interface.
+
+
+***************
+Global settings
+***************
+
+Some firewall settings are global and have an affect on the whole system.
+
+.. cfgcmd:: set firewall all-ping [enable | disable]
+
+ By default, when VyOS receives an ICMP echo request packet destined for
+ itself, it will answer with an ICMP echo reply, unless you avoid it
+ through its firewall.
+
+ With the firewall you can set rules to accept, drop or reject ICMP in,
+ out or local traffic. You can also use the general **firewall all-ping**
+ command. This command affects only to LOCAL (packets destined for your
+ VyOS system), not to IN or OUT traffic.
+
+ .. note:: **firewall all-ping** affects only to LOCAL and it always
+ behaves in the most restrictive way
+
+ .. code-block:: none
+
+ set firewall all-ping enable
+
+ When the command above is set, VyOS will answer every ICMP echo request
+ addressed to itself, but that will only happen if no other rule is
+ applied dropping or rejecting local echo requests. In case of conflict,
+ VyOS will not answer ICMP echo requests.
+
+ .. code-block:: none
+
+ set firewall all-ping disable
+
+ When the command above is set, VyOS will answer no ICMP echo request
+ addressed to itself at all, no matter where it comes from or whether
+ more specific rules are being applied to accept them.
+
+.. cfgcmd:: set firewall broadcast-ping [enable | disable]
+
+ This setting enable or disable the response of icmp broadcast
+ messages. The following system parameter will be altered:
+
+ * ``net.ipv4.icmp_echo_ignore_broadcasts``
+
+.. cfgcmd:: set firewall ip-src-route [enable | disable]
+.. cfgcmd:: set firewall ipv6-src-route [enable | disable]
+
+ This setting handle if VyOS accept packets with a source route
+ option. The following system parameter will be altered:
+
+ * ``net.ipv4.conf.all.accept_source_route``
+ * ``net.ipv6.conf.all.accept_source_route``
+
+.. cfgcmd:: set firewall receive-redirects [enable | disable]
+.. cfgcmd:: set firewall ipv6-receive-redirects [enable | disable]
+
+ enable or disable of ICMPv4 or ICMPv6 redirect messages accepted
+ by VyOS. The following system parameter will be altered:
+
+ * ``net.ipv4.conf.all.accept_redirects``
+ * ``net.ipv6.conf.all.accept_redirects``
+
+.. cfgcmd:: set firewall send-redirects [enable | disable]
+
+ enable or disable ICMPv4 redirect messages send by VyOS
+ The following system parameter will be altered:
+
+ * ``net.ipv4.conf.all.send_redirects``
+
+.. cfgcmd:: set firewall log-martians [enable | disable]
+
+ enable or disable the logging of martian IPv4 packets.
+ The following system parameter will be altered:
+
+ * ``net.ipv4.conf.all.log_martians``
+
+.. cfgcmd:: set firewall source-validation [strict | loose | disable]
+
+ Set the IPv4 source validation mode.
+ The following system parameter will be altered:
+
+ * ``net.ipv4.conf.all.rp_filter``
+
+.. cfgcmd:: set firewall syn-cookies [enable | disable]
+
+ Enable or Disable if VyOS use IPv4 TCP SYN Cookies.
+ The following system parameter will be altered:
+
+ * ``net.ipv4.tcp_syncookies``
+
+.. cfgcmd:: set firewall twa-hazards-protection [enable | disable]
+
+ Enable or Disable VyOS to be :rfc:`1337` conform.
+ The following system parameter will be altered:
+
+ * ``net.ipv4.tcp_rfc1337``
+
+.. cfgcmd:: set firewall state-policy established action [accept | drop |
+ reject]
+
+.. cfgcmd:: set firewall state-policy established log enable
+
+ Set the global setting for an established connection.
+
+.. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject]
+
+.. cfgcmd:: set firewall state-policy invalid log enable
+
+ Set the global setting for invalid packets.
+
+.. cfgcmd:: set firewall state-policy related action [accept | drop | reject]
+
+.. cfgcmd:: set firewall state-policy related log enable
+
+ Set the global setting for related connections.
+
+
+******
+Groups
+******
+
+Firewall groups represent collections of IP addresses, networks, or
+ports. Once created, a group can be referenced by firewall rules as
+either a source or destination. Members can be added or removed from a
+group without changes to, or the need to reload, individual firewall
+rules.
+
+Groups need to have unique names. Even though some contain IPv4
+addresses and others contain IPv6 addresses, they still need to have
+unique names, so you may want to append "-v4" or "-v6" to your group
+names.
+
+
+Address Groups
+==============
+
+In an **address group** a single IP address or IP address ranges are
+defined.
+
+.. cfgcmd:: set firewall group address-group <name> address [address |
+ address range]
+.. cfgcmd:: set firewall group ipv6-address-group <name> address <address>
+
+ Define a IPv4 or a IPv6 address group
+
+ .. code-block:: none
+
+ set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1
+ set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8
+ set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1
+
+.. cfgcmd:: set firewall group address-group <name> description <text>
+.. cfgcmd:: set firewall group ipv6-address-group <name> description <text>
+
+ Provide a IPv4 or IPv6 address group description
+
+
+Network Groups
+==============
+
+While **network groups** accept IP networks in CIDR notation, specific
+IP addresses can be added as a 32-bit prefix. If you foresee the need
+to add a mix of addresses and networks, the network group is
+recommended.
+
+.. cfgcmd:: set firewall group network-group <name> network <CIDR>
+.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR>
+
+ Define a IPv4 or IPv6 Network group.
+
+ .. code-block:: none
+
+ set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24
+ set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24
+ set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64
+
+.. cfgcmd:: set firewall group network-group <name> description <text>
+.. cfgcmd:: set firewall group ipv6-network-group <name> description <text>
+
+ Provide a IPv4 or IPv6 network group description.
+
+
+Port Groups
+===========
+
+A **port group** represents only port numbers, not the protocol. Port
+groups can be referenced for either TCP or UDP. It is recommended that
+TCP and UDP groups are created separately to avoid accidentally
+filtering unnecessary ports. Ranges of ports can be specified by using
+`-`.
+
+.. cfgcmd:: set firewall group port-group <name> port
+ [portname | portnumber | startport-endport]
+
+ Define a port group. A port name can be any name defined in
+ /etc/services. e.g.: http
+
+ .. code-block:: none
+
+ set firewall group port-group PORT-TCP-SERVER1 port http
+ set firewall group port-group PORT-TCP-SERVER1 port 443
+ set firewall group port-group PORT-TCP-SERVER1 port 5000-5010
+
+.. cfgcmd:: set firewall group port-group <name> description <text>
+
+ Provide a port group description.
+
+
+*********
+Rule-Sets
+*********
+
+A rule-set is a named collection of firewall rules that can be applied
+to an interface or a zone. Each rule is numbered, has an action to apply
+if the rule is matched, and the ability to specify the criteria to
+match. Data packets go through the rules from 1 - 999999, at the first match
+the action of the rule will be executed.
+
+.. cfgcmd:: set firewall name <name> description <text>
+.. cfgcmd:: set firewall ipv6-name <name> description <text>
+
+ Provide a rule-set description.
+
+.. cfgcmd:: set firewall name <name> default-action [drop | reject | accept]
+.. cfgcmd:: set firewall ipv6-name <name> default-action [drop | reject |
+ accept]
+
+ This set the default action of the rule-set if no rule matched a packet
+ criteria.
+
+.. cfgcmd:: set firewall name <name> enable-default-log
+.. cfgcmd:: set firewall ipv6-name <name> enable-default-log
+
+ Use this command to enable the logging of the default action.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> action [drop | reject |
+ accept]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [drop |
+ reject | accept]
+
+ This required setting defines the action of the current rule.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> description <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> description <text>
+
+ Provide a description for each rule.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> log [disable | enable]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable |
+ enable]
+
+ Enable or disable logging for the matched packet.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> log-level [emerg |
+ alert | crit | err | warn | notice | info | debug]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-level [emerg |
+ alert | crit | err | warn | notice | info | debug]
+
+ Define log-level. Only applicable if rule log is enable.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> disable
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable
+
+ If you want to disable a rule but let it in the configuration.
+
+Matching criteria
+=================
+
+There are a lot of matching criteria against which the package can be tested.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> connection-status nat
+ [destination | source]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-status
+ nat [destination | source]
+
+ Match criteria based on nat connection status.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source address
+ [address | addressrange | CIDR]
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination address
+ [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address
+ [address | addressrange | CIDR]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination address
+ [address | addressrange | CIDR]
+
+ This is similar to the network groups part, but here you are able to negate
+ the matching addresses.
+
+ .. code-block:: none
+
+ set firewall name WAN-IN-v4 rule 100 source address 192.0.2.10-192.0.2.11
+ # with a '!' the rule match everything except the specified subnet
+ set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24
+ set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code
+ <country>
+.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
+ country-code <country>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
+ inverse-match
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
+ country-code <country>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
+ inverse-match
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
+ country-code <country>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
+ inverse-match
+
+Match IP addresses based on its geolocation.
+More info: `geoip matching
+<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
+
+Use inverse-match to match anything except the given country-codes.
+
+Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
+permits redistribution so we can include a database in images(~3MB
+compressed). Includes cron script (manually callable by op-mode update
+geoip) to keep database and rules updated.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address
+ <mac-address>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source mac-address
+ <mac-address>
+
+ Only in the source criteria, you can specify a mac-address.
+
+ .. code-block:: none
+
+ set firewall name LAN-IN-v4 rule 100 source mac-address 00:53:00:11:22:33
+ set firewall name LAN-IN-v4 rule 101 source mac-address !00:53:00:aa:12:34
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source port
+ [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination port
+ [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source port
+ [1-65535 | portname | start-end]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination port
+ [1-65535 | portname | start-end]
+
+ A port can be set with a port number or a name which is here
+ defined: ``/etc/services``.
+
+ .. code-block:: none
+
+ set firewall name WAN-IN-v4 rule 10 source port '22'
+ set firewall name WAN-IN-v4 rule 11 source port '!http'
+ set firewall name WAN-IN-v4 rule 12 source port 'https'
+
+ Multiple source ports can be specified as a comma-separated list.
+ The whole list can also be "negated" using '!'. For example:
+
+ .. code-block:: none
+
+ set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338'
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source group
+ address-group <name | !name>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
+ address-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
+ address-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
+ address-group <name | !name>
+
+ Use a specific address-group. Prepend character '!' for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source group
+ network-group <name | !name>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
+ network-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
+ network-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
+ network-group <name | !name>
+
+ Use a specific network-group. Prepend character '!' for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source group
+ port-group <name | !name>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
+ port-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
+ port-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
+ port-group <name | !name>
+
+ Use a specific port-group. Prepend character '!' for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source group
+ domain-group <name | !name>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
+ domain-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
+ domain-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
+ domain-group <name | !name>
+
+ Use a specific domain-group. Prepend character '!' for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> source group
+ mac-group <name | !name>
+.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
+ mac-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
+ mac-group <name | !name>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
+ mac-group <name | !name>
+
+ Use a specific mac-group. Prepend character '!' for inverted matching
+ criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> fragment [match-frag |
+ match-non-frag]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> fragment [match-frag
+ | match-non-frag]
+
+ Match based on fragment criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> icmp [code | type]
+ <0-255>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 [code | type]
+ <0-255>
+
+ Match based on icmp|icmpv6 code and type.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> icmp type-name <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 type-name
+ <text>
+
+ Match based on icmp|icmpv6 type-name criteria. Use tab for information
+ about what **type-name** criteria are supported.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> ipsec [match-ipsec
+ | match-none]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> ipsec [match-ipsec
+ | match-none]
+
+ Match based on ipsec criteria.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> limit burst
+ <0-4294967295>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit burst
+ <0-4294967295>
+
+ Match based on the maximum number of packets to allow in excess of rate.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> limit rate
+ <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit rate
+ <text>
+
+ Match based on the maximum average rate, specified as **integer/unit**.
+ For example **5/minutes**
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length
+ <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length
+ <text>
+.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length-exclude
+ <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length-exclude
+ <text>
+
+ Match based on packet length criteria. Multiple values from 1 to 65535
+ and ranges are supported.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> |
+ <0-255> | all | tcp_udp]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> protocol [<text> |
+ <0-255> | all | tcp_udp]
+
+ Match a protocol criteria. A protocol number or a name which is here
+ defined: ``/etc/protocols``.
+ Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
+ based packets. The ``!`` negate the selected protocol.
+
+ .. code-block:: none
+
+ set firewall name WAN-IN-v4 rule 10 protocol tcp_udp
+ set firewall name WAN-IN-v4 rule 11 protocol !tcp_udp
+ set firewall ipv6-name WAN-IN-v6 rule 10 protocol tcp
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
+.. cfgcmd:: set firewall name <name> rule <1-999999> recent time
+ [second | minute | hour]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time
+ [second | minute | hour]
+
+ Match bases on recently seen sources.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> tcp flags <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> tcp flags <text>
+
+ Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``,
+ ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma
+ separated. The ``!`` negate the selected protocol.
+
+ .. code-block:: none
+
+ set firewall name WAN-IN-v4 rule 10 tcp flags 'ACK'
+ set firewall name WAN-IN-v4 rule 12 tcp flags 'SYN'
+ set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST'
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> state [established |
+ invalid | new | related] [enable | disable]
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> state [established |
+ invalid | new | related] [enable | disable]
+
+ Match against the state of a packet.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> time startdate <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time startdate <text>
+.. cfgcmd:: set firewall name <name> rule <1-999999> time starttime <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time starttime <text>
+.. cfgcmd:: set firewall name <name> rule <1-999999> time stopdate <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stopdate <text>
+.. cfgcmd:: set firewall name <name> rule <1-999999> time stoptime <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stoptime <text>
+.. cfgcmd:: set firewall name <name> rule <1-999999> time weekdays <text>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time weekdays <text>
+
+ Time to match the defined rule.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255>
+
+ Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for
+ 'greater than', and 'lt' stands for 'less than'.
+
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> hop-limit <eq | gt |
+ lt> <0-255>
+
+ Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
+ 'greater than', and 'lt' stands for 'less than'.
+
+.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
+.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second |
+ minute | hour>
+.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second |
+ minute | hour>
+
+ Match when 'count' amount of connections are seen within 'time'. These
+ matching criteria can be used to block brute-force attempts.
+
+***********************************
+Applying a Rule-Set to an Interface
+***********************************
+
+A Rule-Set can be applied to every interface:
+
+* ``in``: Ruleset for forwarded packets on an inbound interface
+* ``out``: Ruleset for forwarded packets on an outbound interface
+* ``local``: Ruleset for packets destined for this router
+
+.. cfgcmd:: set interface ethernet <ethN> firewall [in | out | local]
+ [name | ipv6-name] <rule-set>
+
+ Here are some examples for applying a rule-set to an interface
+
+ .. code-block:: none
+
+ set interface ethernet eth1 vif 100 firewall in name LANv4-IN
+ set interface ethernet eth1 vif 100 firewall out name LANv4-OUT
+ set interface bonding bond0 firewall in name LANv4-IN
+ set interfaces openvpn vtun1 firewall in name Lanv4-IN
+
+ .. note::
+ As you can see in the example here, you can assign the same rule-set to
+ several interfaces. An interface can only have one rule-set per chain.
+
+***********************
+Operation-mode Firewall
+***********************
+
+Rule-set overview
+=================
+
+.. opcmd:: show firewall
+
+ This will show you a basic firewall overview
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall
+
+ ------------------------
+ Firewall Global Settings
+ ------------------------
+
+ Firewall state-policy for all IPv4 and Ipv6 traffic
+
+ state action log
+ ----- ------ ---
+ invalid accept disabled
+ established accept disabled
+ related accept disabled
+
+ -----------------------------
+ Rulesets Information
+ -----------------------------
+ --------------------------------------------------------------------------
+ IPv4 Firewall "DMZv4-1-IN":
+
+ Active on (eth0,IN)
+
+ rule action proto packets bytes
+ ---- ------ ----- ------- -----
+ 10 accept icmp 0 0
+ condition - saddr 10.1.0.0/24 daddr 0.0.0.0/0 LOG enabled
+
+ 10000 drop all 0 0
+ condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled
+
+ --------------------------------------------------------------------------
+ IPv4 Firewall "DMZv4-1-OUT":
+
+ Active on (eth0,OUT)
+
+ rule action proto packets bytes
+ ---- ------ ----- ------- -----
+ 10 accept tcp_udp 1 60
+ condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-DST-PORT-GROUP DMZ-Ports /*
+ DMZv4-1-OUT-10 */LOG enabled
+
+ 11 accept icmp 1 84
+ condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* DMZv4-1-OUT-11 */LOG enabled
+
+ 10000 drop all 6 360
+ condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled
+
+ --------------------------------------------------------------------------
+ IPv4 Firewall "LANv4-IN":
+
+ Inactive - Not applied to any interfaces or zones.
+
+ rule action proto packets bytes
+ ---- ------ ----- ------- -----
+ 10 accept all 0 0
+ condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* LANv4-IN-10 */
+
+ 10000 drop all 0 0
+ condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
+
+.. opcmd:: show firewall summary
+
+ This will show you a summary of rule-sets and groups
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall summary
+
+ ------------------------
+ Firewall Global Settings
+ ------------------------
+
+ Firewall state-policy for all IPv4 and Ipv6 traffic
+
+ state action log
+ ----- ------ ---
+ invalid accept disabled
+ related accept disabled
+ established accept disabled
+
+ ------------------------
+ Firewall Rulesets
+ ------------------------
+
+ IPv4 name:
+
+ Rule-set name Description References
+ ------------- ----------- ----------
+ DMZv4-1-OUT (eth0,OUT)
+ DMZv4-1-IN (eth0,IN)
+
+ ------------------------
+ Firewall Groups
+ ------------------------
+
+ Port Groups:
+
+ Group name Description References
+ ---------- ----------- ----------
+ DMZ-Ports DMZv4-1-OUT-10-destination
+
+ Network Groups:
+
+ Group name Description References
+ ---------- ----------- ----------
+ LANv4 LANv4-IN-10-source,
+ DMZv4-1-OUT-10-source,
+ DMZv4-1-OUT-11-source
+
+.. opcmd:: show firewall statistics
+
+ This will show you a statistic of all rule-sets since the last boot.
+
+.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>
+
+ This command will give an overview of a rule in a single rule-set
+
+.. opcmd:: show firewall group <name>
+
+ Overview of defined groups. You see the type, the members, and where the
+ group is used.
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall group DMZ-Ports
+ Name : DMZ-Ports
+ Type : port
+ References : none
+ Members :
+ 80
+ 443
+ 8080
+ 8443
+
+ vyos@vyos:~$ show firewall group LANv4
+ Name : LANv4
+ Type : network
+ References : LANv4-IN-10-source
+ Members :
+ 10.10.0.0/16
+
+.. opcmd:: show firewall [name | ipv6name] <name>
+
+ This command will give an overview of a single rule-set.
+
+.. opcmd:: show firewall [name | ipv6name] <name> statistics
+
+ This will show you a rule-set statistic since the last boot.
+
+.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>
+
+ This command will give an overview of a rule in a single rule-set.
+
+
+Zone-Policy Overview
+====================
+
+.. opcmd:: show zone-policy zone <name>
+
+ Use this command to get an overview of a zone.
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show zone-policy zone DMZ
+ -------------------
+ Name: DMZ
+
+ Interfaces: eth0 eth1
+
+ From Zone:
+ name firewall
+ ---- --------
+ LAN DMZv4-1-OUT
+
+
+Show Firewall log
+=================
+
+.. opcmd:: show log firewall [name | ipv6name] <name>
+
+ Show the logs of a specific Rule-Set.
+
+.. note::
+ At the moment it not possible to look at the whole firewall log with VyOS
+ operational commands. All logs will save to ``/var/logs/messages``.
+ For example: ``grep '10.10.0.10' /var/log/messages``
+
+
+
+Example Partial Config
+======================
+
+.. code-block:: none
+
+ firewall {
+ all-ping enable
+ broadcast-ping disable
+ config-trap disable
+ group {
+ network-group BAD-NETWORKS {
+ network 198.51.100.0/24
+ network 203.0.113.0/24
+ }
+ network-group GOOD-NETWORKS {
+ network 192.0.2.0/24
+ }
+ port-group BAD-PORTS {
+ port 65535
+ }
+ }
+ name FROM-INTERNET {
+ default-action accept
+ description "From the Internet"
+ rule 10 {
+ action accept
+ description "Authorized Networks"
+ protocol all
+ source {
+ group {
+ network-group GOOD-NETWORKS
+ }
+ }
+ }
+ rule 11 {
+ action drop
+ description "Bad Networks"
+ protocol all
+ source {
+ group {
+ network-group BAD-NETWORKS
+ }
+ }
+ }
+ rule 30 {
+ action drop
+ description "BAD PORTS"
+ destination {
+ group {
+ port-group BAD-PORTS
+ }
+ }
+ log enable
+ protocol all
+ }
+ }
+ }
+ interfaces {
+ ethernet eth1 {
+ address dhcp
+ description OUTSIDE
+ duplex auto
+ firewall {
+ in {
+ name FROM-INTERNET
+ }
+ }
+ }
+ }
+
+
+Update geoip database
+=====================
+
+.. opcmd:: update geoip
+
+ Command used to update GeoIP database and firewall sets.
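Review bot: the "Zone-Policy Overview" section in this hunk still documents `show zone-policy zone <name>` (with the sample `vyos@vyos:~$ show zone-policy zone DMZ`), while the commit message states that `zone-policy zone <name>` moved to `firewall zone <name>`; please confirm whether the operational command kept its old path, and if it was renamed as well, update the directive and the sample output, or move this section into the new zone.rst next to the configuration commands it belongs with. Two smaller points in the same hunk: the directive `.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>` appears twice with near-identical descriptions, so one of the two entries can be dropped; and the log note reads "At the moment it not possible" (missing "is") and names the file ``/var/logs/messages`` while the grep example on the next line uses `/var/log/messages`, which is the correct path, so the two should agree.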
diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst
index 56477dfc..dfafa606 100644
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@@ -1,953 +1,10 @@
-:lastproofread: 2021-06-29
-
-.. _firewall:
-
########
Firewall
########
-********
-Overview
-********
-
-VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet
-filtering.
-
-The firewall supports the creation of groups for ports, addresses, and
-networks (implemented using netfilter ipset) and the option of interface
-or zone based firewall policy.
-
-.. note:: **Important note on usage of terms:**
- The firewall makes use of the terms `in`, `out`, and `local`
- for firewall policy. Users experienced with netfilter often confuse
- `in` to be a reference to the `INPUT` chain, and `out` the `OUTPUT`
- chain from netfilter. This is not the case. These instead indicate
- the use of the `FORWARD` chain and either the input or output
- interface. The `INPUT` chain, which is used for local traffic to the
- OS, is a reference to as `local` with respect to its input interface.
-
-
-***************
-Global settings
-***************
-
-Some firewall settings are global and have an affect on the whole system.
-
-.. cfgcmd:: set firewall all-ping [enable | disable]
-
- By default, when VyOS receives an ICMP echo request packet destined for
- itself, it will answer with an ICMP echo reply, unless you avoid it
- through its firewall.
-
- With the firewall you can set rules to accept, drop or reject ICMP in,
- out or local traffic. You can also use the general **firewall all-ping**
- command. This command affects only to LOCAL (packets destined for your
- VyOS system), not to IN or OUT traffic.
-
- .. note:: **firewall all-ping** affects only to LOCAL and it always
- behaves in the most restrictive way
-
- .. code-block:: none
-
- set firewall all-ping enable
-
- When the command above is set, VyOS will answer every ICMP echo request
- addressed to itself, but that will only happen if no other rule is
- applied dropping or rejecting local echo requests. In case of conflict,
- VyOS will not answer ICMP echo requests.
-
- .. code-block:: none
-
- set firewall all-ping disable
-
- When the command above is set, VyOS will answer no ICMP echo request
- addressed to itself at all, no matter where it comes from or whether
- more specific rules are being applied to accept them.
-
-.. cfgcmd:: set firewall broadcast-ping [enable | disable]
-
- This setting enable or disable the response of icmp broadcast
- messages. The following system parameter will be altered:
-
- * ``net.ipv4.icmp_echo_ignore_broadcasts``
-
-.. cfgcmd:: set firewall ip-src-route [enable | disable]
-.. cfgcmd:: set firewall ipv6-src-route [enable | disable]
-
- This setting handle if VyOS accept packets with a source route
- option. The following system parameter will be altered:
-
- * ``net.ipv4.conf.all.accept_source_route``
- * ``net.ipv6.conf.all.accept_source_route``
-
-.. cfgcmd:: set firewall receive-redirects [enable | disable]
-.. cfgcmd:: set firewall ipv6-receive-redirects [enable | disable]
-
- enable or disable of ICMPv4 or ICMPv6 redirect messages accepted
- by VyOS. The following system parameter will be altered:
-
- * ``net.ipv4.conf.all.accept_redirects``
- * ``net.ipv6.conf.all.accept_redirects``
-
-.. cfgcmd:: set firewall send-redirects [enable | disable]
-
- enable or disable ICMPv4 redirect messages send by VyOS
- The following system parameter will be altered:
-
- * ``net.ipv4.conf.all.send_redirects``
-
-.. cfgcmd:: set firewall log-martians [enable | disable]
-
- enable or disable the logging of martian IPv4 packets.
- The following system parameter will be altered:
-
- * ``net.ipv4.conf.all.log_martians``
-
-.. cfgcmd:: set firewall source-validation [strict | loose | disable]
-
- Set the IPv4 source validation mode.
- The following system parameter will be altered:
-
- * ``net.ipv4.conf.all.rp_filter``
-
-.. cfgcmd:: set firewall syn-cookies [enable | disable]
-
- Enable or Disable if VyOS use IPv4 TCP SYN Cookies.
- The following system parameter will be altered:
-
- * ``net.ipv4.tcp_syncookies``
-
-.. cfgcmd:: set firewall twa-hazards-protection [enable | disable]
-
- Enable or Disable VyOS to be :rfc:`1337` conform.
- The following system parameter will be altered:
-
- * ``net.ipv4.tcp_rfc1337``
-
-.. cfgcmd:: set firewall state-policy established action [accept | drop |
- reject]
-
-.. cfgcmd:: set firewall state-policy established log enable
-
- Set the global setting for an established connection.
-
-.. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject]
-
-.. cfgcmd:: set firewall state-policy invalid log enable
-
- Set the global setting for invalid packets.
-
-.. cfgcmd:: set firewall state-policy related action [accept | drop | reject]
-
-.. cfgcmd:: set firewall state-policy related log enable
-
- Set the global setting for related connections.
-
-
-******
-Groups
-******
-
-Firewall groups represent collections of IP addresses, networks, or
-ports. Once created, a group can be referenced by firewall rules as
-either a source or destination. Members can be added or removed from a
-group without changes to, or the need to reload, individual firewall
-rules.
-
-Groups need to have unique names. Even though some contain IPv4
-addresses and others contain IPv6 addresses, they still need to have
-unique names, so you may want to append "-v4" or "-v6" to your group
-names.
-
-
-Address Groups
-==============
-
-In an **address group** a single IP address or IP address ranges are
-defined.
-
-.. cfgcmd:: set firewall group address-group <name> address [address |
- address range]
-.. cfgcmd:: set firewall group ipv6-address-group <name> address <address>
-
- Define a IPv4 or a IPv6 address group
-
- .. code-block:: none
-
- set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1
- set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8
- set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1
-
-.. cfgcmd:: set firewall group address-group <name> description <text>
-.. cfgcmd:: set firewall group ipv6-address-group <name> description <text>
-
- Provide a IPv4 or IPv6 address group description
-
-
-Network Groups
-==============
-
-While **network groups** accept IP networks in CIDR notation, specific
-IP addresses can be added as a 32-bit prefix. If you foresee the need
-to add a mix of addresses and networks, the network group is
-recommended.
-
-.. cfgcmd:: set firewall group network-group <name> network <CIDR>
-.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR>
-
- Define a IPv4 or IPv6 Network group.
-
- .. code-block:: none
-
- set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24
- set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24
- set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64
-
-.. cfgcmd:: set firewall group network-group <name> description <text>
-.. cfgcmd:: set firewall group ipv6-network-group <name> description <text>
-
- Provide a IPv4 or IPv6 network group description.
-
-
-Port Groups
-===========
-
-A **port group** represents only port numbers, not the protocol. Port
-groups can be referenced for either TCP or UDP. It is recommended that
-TCP and UDP groups are created separately to avoid accidentally
-filtering unnecessary ports. Ranges of ports can be specified by using
-`-`.
-
-.. cfgcmd:: set firewall group port-group <name> port
- [portname | portnumber | startport-endport]
-
- Define a port group. A port name can be any name defined in
- /etc/services. e.g.: http
-
- .. code-block:: none
-
- set firewall group port-group PORT-TCP-SERVER1 port http
- set firewall group port-group PORT-TCP-SERVER1 port 443
- set firewall group port-group PORT-TCP-SERVER1 port 5000-5010
-
-.. cfgcmd:: set firewall group port-group <name> description <text>
-
- Provide a port group description.
-
-
-*********
-Rule-Sets
-*********
-
-A rule-set is a named collection of firewall rules that can be applied
-to an interface or a zone. Each rule is numbered, has an action to apply
-if the rule is matched, and the ability to specify the criteria to
-match. Data packets go through the rules from 1 - 999999, at the first match
-the action of the rule will be executed.
-
-.. cfgcmd:: set firewall name <name> description <text>
-.. cfgcmd:: set firewall ipv6-name <name> description <text>
-
- Provide a rule-set description.
-
-.. cfgcmd:: set firewall name <name> default-action [drop | reject | accept]
-.. cfgcmd:: set firewall ipv6-name <name> default-action [drop | reject |
- accept]
-
- This set the default action of the rule-set if no rule matched a packet
- criteria.
-
-.. cfgcmd:: set firewall name <name> enable-default-log
-.. cfgcmd:: set firewall ipv6-name <name> enable-default-log
-
- Use this command to enable the logging of the default action.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> action [drop | reject |
- accept]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> action [drop |
- reject | accept]
-
- This required setting defines the action of the current rule.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> description <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> description <text>
-
- Provide a description for each rule.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> log [disable | enable]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log [disable |
- enable]
-
- Enable or disable logging for the matched packet.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> log-level [emerg |
- alert | crit | err | warn | notice | info | debug]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> log-level [emerg |
- alert | crit | err | warn | notice | info | debug]
-
- Define log-level. Only applicable if rule log is enable.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> disable
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> disable
-
- If you want to disable a rule but let it in the configuration.
-
-Matching criteria
-=================
-
-There are a lot of matching criteria against which the package can be tested.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> connection-status nat
- [destination | source]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> connection-status
- nat [destination | source]
-
- Match criteria based on nat connection status.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source address
- [address | addressrange | CIDR]
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination address
- [address | addressrange | CIDR]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source address
- [address | addressrange | CIDR]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination address
- [address | addressrange | CIDR]
-
- This is similar to the network groups part, but here you are able to negate
- the matching addresses.
-
- .. code-block:: none
-
- set firewall name WAN-IN-v4 rule 100 source address 192.0.2.10-192.0.2.11
- # with a '!' the rule match everything except the specified subnet
- set firewall name WAN-IN-v4 rule 101 source address !203.0.113.0/24
- set firewall ipv6-name WAN-IN-v6 rule 100 source address 2001:db8::202
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip country-code
- <country>
-.. cfgcmd:: set firewall name <name> rule <1-999999> source geoip inverse-match
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
- country-code <country>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source geoip
- inverse-match
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
- country-code <country>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination geoip
- inverse-match
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
- country-code <country>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination geoip
- inverse-match
-
-Match IP addresses based on its geolocation.
-More info: `geoip matching
-<https://wiki.nftables.org/wiki-nftables/index.php/GeoIP_matching>`_.
-
-Use inverse-match to match anything except the given country-codes.
-
-Data is provided by DB-IP.com under CC-BY-4.0 license. Attribution required,
-permits redistribution so we can include a database in images(~3MB
-compressed). Includes cron script (manually callable by op-mode update
-geoip) to keep database and rules updated.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source mac-address
- <mac-address>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source mac-address
- <mac-address>
-
- Only in the source criteria, you can specify a mac-address.
-
- .. code-block:: none
-
- set firewall name LAN-IN-v4 rule 100 source mac-address 00:53:00:11:22:33
- set firewall name LAN-IN-v4 rule 101 source mac-address !00:53:00:aa:12:34
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source port
- [1-65535 | portname | start-end]
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination port
- [1-65535 | portname | start-end]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source port
- [1-65535 | portname | start-end]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination port
- [1-65535 | portname | start-end]
-
- A port can be set with a port number or a name which is here
- defined: ``/etc/services``.
-
- .. code-block:: none
-
- set firewall name WAN-IN-v4 rule 10 source port '22'
- set firewall name WAN-IN-v4 rule 11 source port '!http'
- set firewall name WAN-IN-v4 rule 12 source port 'https'
-
- Multiple source ports can be specified as a comma-separated list.
- The whole list can also be "negated" using '!'. For example:
-
- .. code-block:: none
-
- set firewall ipv6-name WAN-IN-v6 rule 10 source port '!22,https,3333-3338'
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- address-group <name | !name>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- address-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- address-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- address-group <name | !name>
-
- Use a specific address-group. Prepend character '!' for inverted matching
- criteria.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- network-group <name | !name>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- network-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- network-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- network-group <name | !name>
-
- Use a specific network-group. Prepend character '!' for inverted matching
- criteria.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- port-group <name | !name>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- port-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- port-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- port-group <name | !name>
-
- Use a specific port-group. Prepend character '!' for inverted matching
- criteria.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- domain-group <name | !name>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- domain-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- domain-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- domain-group <name | !name>
-
- Use a specific domain-group. Prepend character '!' for inverted matching
- criteria.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> source group
- mac-group <name | !name>
-.. cfgcmd:: set firewall name <name> rule <1-999999> destination group
- mac-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> source group
- mac-group <name | !name>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> destination group
- mac-group <name | !name>
-
- Use a specific mac-group. Prepend character '!' for inverted matching
- criteria.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> fragment [match-frag |
- match-non-frag]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> fragment [match-frag
- | match-non-frag]
-
- Match based on fragment criteria.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> icmp [code | type]
- <0-255>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 [code | type]
- <0-255>
-
- Match based on icmp|icmpv6 code and type.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> icmp type-name <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> icmpv6 type-name
- <text>
-
- Match based on icmp|icmpv6 type-name criteria. Use tab for information
- about what **type-name** criteria are supported.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> ipsec [match-ipsec
- | match-none]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> ipsec [match-ipsec
- | match-none]
-
- Match based on ipsec criteria.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> limit burst
- <0-4294967295>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit burst
- <0-4294967295>
-
- Match based on the maximum number of packets to allow in excess of rate.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> limit rate
- <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> limit rate
- <text>
-
- Match based on the maximum average rate, specified as **integer/unit**.
- For example **5/minutes**
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length
- <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length
- <text>
-.. cfgcmd:: set firewall name <name> rule <1-999999> packet-length-exclude
- <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> packet-length-exclude
- <text>
-
- Match based on packet length criteria. Multiple values from 1 to 65535
- and ranges are supported.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> protocol [<text> |
- <0-255> | all | tcp_udp]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> protocol [<text> |
- <0-255> | all | tcp_udp]
-
- Match a protocol criteria. A protocol number or a name which is here
- defined: ``/etc/protocols``.
- Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
- based packets. The ``!`` negate the selected protocol.
-
- .. code-block:: none
-
- set firewall name WAN-IN-v4 rule 10 protocol tcp_udp
- set firewall name WAN-IN-v4 rule 11 protocol !tcp_udp
- set firewall ipv6-name WAN-IN-v6 rule 10 protocol tcp
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
-.. cfgcmd:: set firewall name <name> rule <1-999999> recent time
- [second | minute | hour]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time
- [second | minute | hour]
-
- Match bases on recently seen sources.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> tcp flags <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> tcp flags <text>
-
- Allowed values fpr TCP flags: ``SYN``, ``ACK``, ``FIN``, ``RST``, ``URG``,
- ``PSH``, ``ALL`` When specifying more than one flag, flags should be comma
- separated. The ``!`` negate the selected protocol.
-
- .. code-block:: none
-
- set firewall name WAN-IN-v4 rule 10 tcp flags 'ACK'
- set firewall name WAN-IN-v4 rule 12 tcp flags 'SYN'
- set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST'
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> state [established |
- invalid | new | related] [enable | disable]
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> state [established |
- invalid | new | related] [enable | disable]
-
- Match against the state of a packet.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> time startdate <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time startdate <text>
-.. cfgcmd:: set firewall name <name> rule <1-999999> time starttime <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time starttime <text>
-.. cfgcmd:: set firewall name <name> rule <1-999999> time stopdate <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stopdate <text>
-.. cfgcmd:: set firewall name <name> rule <1-999999> time stoptime <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time stoptime <text>
-.. cfgcmd:: set firewall name <name> rule <1-999999> time weekdays <text>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> time weekdays <text>
-
- Time to match the defined rule.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> ttl <eq | gt | lt> <0-255>
-
- Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for
- 'greater than', and 'lt' stands for 'less than'.
-
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> hop-limit <eq | gt |
- lt> <0-255>
-
- Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
- 'greater than', and 'lt' stands for 'less than'.
-
-.. cfgcmd:: set firewall name <name> rule <1-999999> recent count <1-255>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent count <1-255>
-.. cfgcmd:: set firewall name <name> rule <1-999999> recent time <second |
- minute | hour>
-.. cfgcmd:: set firewall ipv6-name <name> rule <1-999999> recent time <second |
- minute | hour>
-
- Match when 'count' amount of connections are seen within 'time'. These
- matching criteria can be used to block brute-force attempts.
-
-***********************************
-Applying a Rule-Set to an Interface
-***********************************
-
-A Rule-Set can be applied to every interface:
-
-* ``in``: Ruleset for forwarded packets on an inbound interface
-* ``out``: Ruleset for forwarded packets on an outbound interface
-* ``local``: Ruleset for packets destined for this router
-
-.. cfgcmd:: set interface ethernet <ethN> firewall [in | out | local]
- [name | ipv6-name] <rule-set>
-
- Here are some examples for applying a rule-set to an interface
-
- .. code-block:: none
-
- set interface ethernet eth1 vif 100 firewall in name LANv4-IN
- set interface ethernet eth1 vif 100 firewall out name LANv4-OUT
- set interface bonding bond0 firewall in name LANv4-IN
- set interfaces openvpn vtun1 firewall in name Lanv4-IN
-
- .. note::
- As you can see in the example here, you can assign the same rule-set to
- several interfaces. An interface can only have one rule-set per chain.
-
-
-**************************
-Zone-based Firewall Policy
-**************************
-
-As an alternative to applying policy to an interface directly, a
-zone-based firewall can be created to simplify configuration when
-multiple interfaces belong to the same security zone. Instead of
-applying rule-sets to interfaces, they are applied to source
-zone-destination zone pairs.
-
-An basic introduction to zone-based firewalls can be found `here
-<https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_,
-and an example at :ref:`examples-zone-policy`.
-
-Define a Zone
-=============
-
-To define a zone setup either one with interfaces or a local zone.
-
-.. cfgcmd:: set zone-policy zone <name> interface <interfacenames>
-
- Set interfaces to a zone. A zone can have multiple interfaces.
- But an interface can only be a member in one zone.
-
-.. cfgcmd:: set zone-policy zone <name> local-zone
-
- Define the zone as a local zone. A local zone has no interfaces and
- will be applied to the router itself.
-
-.. cfgcmd:: set zone-policy zone <name> default-action [drop | reject]
-
- Change the default-action with this setting.
-
-.. cfgcmd:: set zone-policy zone <name> description
-
- Set a meaningful description.
-
-
-Applying a Rule-Set to a Zone
-=============================
-
-Before you are able to apply a rule-set to a zone you have to create the zones
-first.
-
-It helps to think of the syntax as: (see below). The 'rule-set' should be
-written from the perspective of: *Source Zone*-to->*Destination Zone*
-
-.. cfgcmd:: set zone-policy zone <Destination Zone> from <Source Zone>
- firewall name <rule-set>
-
-.. cfgcmd:: set zone-policy zone <name> from <name> firewall name
- <rule-set>
-.. cfgcmd:: set zone-policy zone <name> from <name> firewall ipv6-name
- <rule-set>
-
- You apply a rule-set always to a zone from an other zone, it is recommended
- to create one rule-set for each zone pair.
-
- .. code-block:: none
-
- set zone-policy zone DMZ from LAN firewall name LANv4-to-DMZv4
- set zone-policy zone LAN from DMZ firewall name DMZv4-to-LANv4
-
-
-***********************
-Operation-mode Firewall
-***********************
-
-Rule-set overview
-=================
-
-.. opcmd:: show firewall
-
- This will show you a basic firewall overview
-
- .. code-block:: none
-
- vyos@vyos:~$ show firewall
-
- ------------------------
- Firewall Global Settings
- ------------------------
-
- Firewall state-policy for all IPv4 and Ipv6 traffic
-
- state action log
- ----- ------ ---
- invalid accept disabled
- established accept disabled
- related accept disabled
-
- -----------------------------
- Rulesets Information
- -----------------------------
- --------------------------------------------------------------------------
- IPv4 Firewall "DMZv4-1-IN":
-
- Active on (eth0,IN)
-
- rule action proto packets bytes
- ---- ------ ----- ------- -----
- 10 accept icmp 0 0
- condition - saddr 10.1.0.0/24 daddr 0.0.0.0/0 LOG enabled
-
- 10000 drop all 0 0
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled
-
- --------------------------------------------------------------------------
- IPv4 Firewall "DMZv4-1-OUT":
-
- Active on (eth0,OUT)
-
- rule action proto packets bytes
- ---- ------ ----- ------- -----
- 10 accept tcp_udp 1 60
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 match-DST-PORT-GROUP DMZ-Ports /*
- DMZv4-1-OUT-10 */LOG enabled
-
- 11 accept icmp 1 84
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* DMZv4-1-OUT-11 */LOG enabled
-
- 10000 drop all 6 360
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 LOG enabled
-
- --------------------------------------------------------------------------
- IPv4 Firewall "LANv4-IN":
-
- Inactive - Not applied to any interfaces or zones.
-
- rule action proto packets bytes
- ---- ------ ----- ------- -----
- 10 accept all 0 0
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 /* LANv4-IN-10 */
-
- 10000 drop all 0 0
- condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
-
-.. opcmd:: show firewall summary
-
- This will show you a summary of rule-sets and groups
-
- .. code-block:: none
-
- vyos@vyos:~$ show firewall summary
-
- ------------------------
- Firewall Global Settings
- ------------------------
-
- Firewall state-policy for all IPv4 and Ipv6 traffic
-
- state action log
- ----- ------ ---
- invalid accept disabled
- related accept disabled
- established accept disabled
-
- ------------------------
- Firewall Rulesets
- ------------------------
-
- IPv4 name:
-
- Rule-set name Description References
- ------------- ----------- ----------
- DMZv4-1-OUT (eth0,OUT)
- DMZv4-1-IN (eth0,IN)
-
- ------------------------
- Firewall Groups
- ------------------------
-
- Port Groups:
-
- Group name Description References
- ---------- ----------- ----------
- DMZ-Ports DMZv4-1-OUT-10-destination
-
- Network Groups:
-
- Group name Description References
- ---------- ----------- ----------
- LANv4 LANv4-IN-10-source,
- DMZv4-1-OUT-10-source,
- DMZv4-1-OUT-11-source
-
-.. opcmd:: show firewall statistics
-
- This will show you a statistic of all rule-sets since the last boot.
-
-.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>
-
- This command will give an overview of a rule in a single rule-set
-
-.. opcmd:: show firewall group <name>
-
- Overview of defined groups. You see the type, the members, and where the
- group is used.
-
- .. code-block:: none
-
- vyos@vyos:~$ show firewall group DMZ-Ports
- Name : DMZ-Ports
- Type : port
- References : none
- Members :
- 80
- 443
- 8080
- 8443
-
- vyos@vyos:~$ show firewall group LANv4
- Name : LANv4
- Type : network
- References : LANv4-IN-10-source
- Members :
- 10.10.0.0/16
-
-.. opcmd:: show firewall [name | ipv6name] <name>
-
- This command will give an overview of a single rule-set.
-
-.. opcmd:: show firewall [name | ipv6name] <name> statistics
-
- This will show you a rule-set statistic since the last boot.
-
-.. opcmd:: show firewall [name | ipv6name] <name> rule <1-999999>
-
- This command will give an overview of a rule in a single rule-set.
-
-
-Zone-Policy Overview
-====================
-
-.. opcmd:: show zone-policy zone <name>
-
- Use this command to get an overview of a zone.
-
- .. code-block:: none
-
- vyos@vyos:~$ show zone-policy zone DMZ
- -------------------
- Name: DMZ
-
- Interfaces: eth0 eth1
-
- From Zone:
- name firewall
- ---- --------
- LAN DMZv4-1-OUT
-
-
-Show Firewall log
-=================
-
-.. opcmd:: show log firewall [name | ipv6name] <name>
-
- Show the logs of a specific Rule-Set.
-
-.. note::
- At the moment it not possible to look at the whole firewall log with VyOS
- operational commands. All logs will save to ``/var/logs/messages``.
- For example: ``grep '10.10.0.10' /var/log/messages``
-
-
-
-Example Partial Config
-======================
-
-.. code-block:: none
-
- firewall {
- all-ping enable
- broadcast-ping disable
- config-trap disable
- group {
- network-group BAD-NETWORKS {
- network 198.51.100.0/24
- network 203.0.113.0/24
- }
- network-group GOOD-NETWORKS {
- network 192.0.2.0/24
- }
- port-group BAD-PORTS {
- port 65535
- }
- }
- name FROM-INTERNET {
- default-action accept
- description "From the Internet"
- rule 10 {
- action accept
- description "Authorized Networks"
- protocol all
- source {
- group {
- network-group GOOD-NETWORKS
- }
- }
- }
- rule 11 {
- action drop
- description "Bad Networks"
- protocol all
- source {
- group {
- network-group BAD-NETWORKS
- }
- }
- }
- rule 30 {
- action drop
- description "BAD PORTS"
- destination {
- group {
- port-group BAD-PORTS
- }
- }
- log enable
- protocol all
- }
- }
- }
- interfaces {
- ethernet eth1 {
- address dhcp
- description OUTSIDE
- duplex auto
- firewall {
- in {
- name FROM-INTERNET
- }
- }
- }
- }
-
-
-Update geoip database
-=====================
-
-.. opcmd:: update geoip
+.. toctree::
+ :maxdepth: 1
+ :includehidden:
- Command used to update GeoIP database and firewall sets.
+ general
+ zone
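Review bot: the `-` side of this hunk drops the whole operational section (the firewall groups listing, `show firewall statistics`, the `show firewall group` examples, the `show log firewall` note, the example partial config and `update geoip`) and replaces it with a two-entry toctree; if that text was moved into `general.rst` rather than dropped, two defects in the removed text should be fixed on the way: the note says logs go to `/var/logs/messages` while the `grep` example one line later uses `/var/log/messages` (the latter is the correct path), and `show firewall [name | ipv6name] <name> rule <1-999999>` is documented twice with near-identical wording. The `show zone-policy zone <name>` opcmd under "Zone-Policy Overview" also disappears here; since the commit renames `zone-policy zone` to `firewall zone`, that operational command should reappear under its new name rather than be lost.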
diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst
new file mode 100644
index 00000000..6ed3e9f1
--- /dev/null
+++ b/docs/configuration/firewall/zone.rst
@@ -0,0 +1,91 @@
+:lastproofread: 2022-09-14
+
+.. _firewall-zone:
+
+###################
+Zone Based Firewall
+###################
+
+In zone-based policy, interfaces are assigned to zones, and inspection policy
+is applied to traffic moving between the zones and acted on according to
+firewall rules. A Zone is a group of interfaces that have similar functions or
+features. It establishes the security borders of a network. A zone defines a
+boundary where traffic is subjected to policy restrictions as it crosses to
+another region of a network.
+
+Key Points:
+
+* A zone must be configured before an interface is assigned to it and an
+ interface can be assigned to only a single zone.
+* All traffic to and from an interface within a zone is permitted.
+* All traffic between zones is affected by existing policies
+* Traffic cannot flow between zone member interface and any interface that is
+ not a zone member.
+* You need 2 separate firewalls to define traffic: one for each direction.
+
+.. note:: In :vytask:`T2199` the syntax of the zone configuration was changed.
+ The zone configuration moved from ``zone-policy zone <name>`` to ``firewall
+ zone <name>``.
+
+*************
+Configuration
+*************
+
+As an alternative to applying policy to an interface directly, a zone-based
+firewall can be created to simplify configuration when multiple interfaces
+belong to the same security zone. Instead of applying rule-sets to interfaces,
+they are applied to source zone-destination zone pairs.
+
+An basic introduction to zone-based firewalls can be found `here
+<https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_,
+and an example at :ref:`examples-zone-policy`.
+
+Define a Zone
+=============
+
+To define a zone setup either one with interfaces or a local zone.
+
+.. cfgcmd:: set firewall zone <name> interface <interface>
+
+ Set interfaces to a zone. A zone can have multiple interfaces.
+ But an interface can only be a member in one zone.
+
+.. cfgcmd:: set firewall zone <name> local-zone
+
+ Define the zone as a local zone. A local zone has no interfaces and
+ will be applied to the router itself.
+
+.. cfgcmd:: set firewall zone <name> default-action [drop | reject]
+
+ Change the default-action with this setting.
+
+.. cfgcmd:: set firewall zone <name> description
+
+ Set a meaningful description.
+
+Applying a Rule-Set to a Zone
+=============================
+
+Before you are able to apply a rule-set to a zone you have to create the zones
+first.
+
+It helps to think of the syntax as: (see below). The 'rule-set' should be
+written from the perspective of: *Source Zone*-to->*Destination Zone*
+
+.. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone>
+ firewall name <rule-set>
+
+.. cfgcmd:: set firewall zone <name> from <name> firewall name
+ <rule-set>
+
+.. cfgcmd:: set firewall zone <name> from <name> firewall ipv6-name
+ <rule-set>
+
+ You apply a rule-set always to a zone from an other zone, it is recommended
+ to create one rule-set for each zone pair.
+
+ .. code-block:: none
+
+ set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4
+ set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4
+
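Review bot: the description of `set firewall zone <name> default-action [drop | reject]` ("Change the default-action with this setting") says nothing about which traffic the default-action covers or what the initial value is; given the key point that all inter-zone traffic is subject to policy, a reader needs to know what the zone does with traffic no rule-set accepts, so state the scope and the default. Further points in the same hunk: the cfgcmd `set firewall zone <Destination Zone> from <Source Zone> firewall name <rule-set>` duplicates the `<name> from <name>` form that follows it and, being a `cfgcmd` directive, will produce a second index entry for the same command; render that mnemonic as plain text or a literal block and attach it to the sentence "It helps to think of the syntax as: (see below)", which currently dangles. `set firewall zone <name> description` is missing its `<text>` argument. Wording: "An basic introduction" should be "A basic introduction"; "from an other zone" should be "from another zone"; "You need 2 separate firewalls to define traffic: one for each direction" would be clearer as "two separate rule-sets, one per direction", which is what the LANv4-to-DMZv4 / DMZv4-to-LANv4 example at the end shows; and "To define a zone setup either one with interfaces or a local zone" reads better as "A zone is defined either by its member interfaces or as the local zone".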
diff --git a/docs/configuration/index.rst b/docs/configuration/index.rst
index 35b6fa5b..f607d4d7 100644
--- a/docs/configuration/index.rst
+++ b/docs/configuration/index.rst
@@ -22,4 +22,3 @@ The following structure respresent the cli structure.
trafficpolicy/index
vpn/index
vrf/index
- zonepolicy/index
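Review bot: removing `zonepolicy/index` from the toctree is consistent with the file deletion below and with the new `firewall/zone` entry; while this file is being touched, the context line shown in the hunk header, "The following structure respresent the cli structure.", has a typo and should read "represents the CLI structure".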
diff --git a/docs/configuration/zonepolicy/index.rst b/docs/configuration/zonepolicy/index.rst
deleted file mode 100644
index 8fe18778..00000000
--- a/docs/configuration/zonepolicy/index.rst
+++ /dev/null
@@ -1,71 +0,0 @@
-
-###########
-Zone Policy
-###########
-
-
-.. toctree::
- :maxdepth: 1
- :includehidden:
-
-In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to firewall rules.
-A Zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network.
-A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network.
-
-Key Points:
-
-* A zone must be configured before an interface is assigned to it and an interface can be assigned to only a single zone.
-* All traffic to and from an interface within a zone is permitted.
-* All traffic between zones is affected by existing policies
-* Traffic cannot flow between zone member interface and any interface that is not a zone member.
-* You need 2 separate firewalls to define traffic: one for each direction.
-
-Example: LAN Network is given SSH access to VyOS box.
-
-Firewall rules:
-
-.. code-block:: none
-
- set firewall name lan-local default-action 'drop'
- set firewall name lan-local rule 1 action 'accept'
- set firewall name lan-local rule 1 state established 'enable'
- set firewall name lan-local rule 1 state related 'enable'
- set firewall name lan-local rule 2 action 'drop'
- set firewall name lan-local rule 2 state invalid 'enable'
- set firewall name lan-local rule 2 log enable
- set firewall name lan-local rule 100 action 'accept'
- set firewall name lan-local rule 100 destination port '22'
- set firewall name lan-local rule 100 log 'enable'
- set firewall name lan-local rule 100 protocol 'tcp'
- set firewall name local-lan default-action 'drop'
- set firewall name local-lan rule 1 action 'accept'
- set firewall name local-lan rule 1 state established 'enable'
- set firewall name local-lan rule 1 state related 'enable'
- set firewall name local-lan rule 2 action 'drop'
- set firewall name local-lan rule 2 state invalid 'enable'
- set firewall name local-lan rule 2 log enable
- set firewall name local-lan rule 100 action 'accept'
- set firewall name local-lan rule 100 destination address '192.168.0.0/24'
- set firewall name local-lan rule 100 log 'enable'
- set firewall name local-lan rule 100 protocol 'tcp'
-
-Zone-policy Config:
-
-.. code-block:: none
-
- set zone-policy zone lan default-action 'drop'
- set zone-policy zone lan description 'Local Area Network'
- set zone-policy zone lan interface 'eth2'
- set zone-policy zone lan from local firewall name 'lan-local'
- set zone-policy zone local default-action 'drop'
- set zone-policy zone local description 'system-defined zone'
- set zone-policy zone local from lan firewall name 'local-lan'
- set zone-policy zone local local-zone
-
-A detailed zone-based policy example is written in the Configuration-Blueprints_ section.
-
-.. stop_vyoslinter
-
-.. _Configuration-Blueprints: https://docs.vyos.io/en/latest/configexamples/zone-policy.html
-
-.. start_vyoslinter
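Review bot: deleting this file loses the only worked zone example in this part of the docs, the LAN-to-local SSH pair (`lan-local` / `local-lan` rule-sets with an established/related accept, an invalid-state drop with logging, and the port 22 and 192.168.0.0/24 rules, wired up with `default-action 'drop'`, `local-zone` and the two `from ... firewall name` statements); the replacement zone.rst only shows two `set firewall zone ... from ... firewall name` lines. Port this example into the new file in `set firewall zone` syntax, since it is what actually demonstrates the "one rule-set per direction" and local-zone points. When carrying it over, quote `rule 2 log enable` as `log 'enable'` like the surrounding lines. Replacing the `stop_vyoslinter` / `start_vyoslinter` wrapper around the hard-coded docs.vyos.io link with a `:ref:` to `examples-zone-policy` is a good change.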
diff --git a/docs/documentation.rst b/docs/documentation.rst
index 2d530439..1ecc170b 100644
--- a/docs/documentation.rst
+++ b/docs/documentation.rst
@@ -196,7 +196,7 @@ to use an alternative hyperlink use it this way:
handle build errors
"""""""""""""""""""
-The plugin will warn on build if a headline has a duplicate name in the
+The plugin will warn on build if a headline has a duplicate name in the
same document. To prevent this warning, you have to put a custom link on
top of the headline.
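Review bot: the removed and added lines are identical as rendered, so this (and the blank-line hunk that follows it) is a trailing-whitespace-only change unrelated to T2199; harmless, but it pads the diff of a syntax-rename commit and would be cleaner in a separate cleanup commit.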
@@ -216,7 +216,7 @@ top of the headline.
==========
Lorem ipsum dolor sit amet, consetetur sadipscing elitr
-
+
.. _section B example:
Example
@@ -404,7 +404,7 @@ stability for URLs used in the forum or blogpost.
For example:
- * ``set zone-policy`` is written in ``zone-policy/index.rst``
+ * ``set firewall zone`` is written in ``firewall/zone.rst``
* ``set interfaces ethernet`` is written in ``interfaces/ethernet.rst``
The article starts with a short introduction about the command or the
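Review bot: the updated bullet is correct, but with both examples now showing a second-level command documented in a file named after it inside the first-level directory (`set firewall zone` in `firewall/zone.rst`, `set interfaces ethernet` in `interfaces/ethernet.rst`), the convention is only implied; if that is the intended layout after this move, state it in the sentence that introduces the list rather than leaving it to be inferred from the two examples.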