| -rw-r--r-- | docs/changelog/index.rst | 3 |
| -rw-r--r-- | docs/cli.rst | 9 |
| -rw-r--r-- | docs/configuration/firewall/index.rst | 54 |
| -rw-r--r-- | docs/configuration/protocols/static.rst | 11 |
| -rw-r--r-- | docs/configuration/system/index.rst | 10 |
| -rw-r--r-- | docs/configuration/vpn/index.rst | 13 |
| -rw-r--r-- | docs/configuration/vpn/rsa-keys.rst | 4 |
| -rw-r--r-- | docs/contributing/documentation.rst | 2 |
8 files changed, 73 insertions, 33 deletions
| diff --git a/docs/changelog/index.rst b/docs/changelog/index.rst index 26262932..8d2e8a86 100644 --- a/docs/changelog/index.rst +++ b/docs/changelog/index.rst @@ -1,3 +1,6 @@ +.. _release-notes: + +  #########  Changelog  ######### diff --git a/docs/cli.rst b/docs/cli.rst index 34ab3df6..7964c490 100644 --- a/docs/cli.rst +++ b/docs/cli.rst @@ -12,8 +12,7 @@ Operational Mode  Operational mode allows for commands to perform operational system tasks and  view system and service status, while configuration mode allows for the -modification of system configuration. The list of all operational level commands -is available at :ref:`operational_level_commands`. +modification of system configuration.  The CLI provides a built-in help system. In the CLI the ``?`` key may be used  to display available commands. The ``TAB`` key can be used to auto-complete @@ -75,9 +74,6 @@ When viewing in page mode the following commands are available:  Configuration Mode  ################## -The list of all operational level commands is available at -:ref:`configuration_level_commands`. -  To enter configuration mode use the ``configure`` command:  .. code-block:: none @@ -112,7 +108,8 @@ thus also be easily cloned by simply copying the required configuration  files.  Terminology -=========== +########### +  live  A VyOS system has three major types of configurations: diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 2615774f..e95ecb53 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -1,11 +1,12 @@  .. _firewall: +########  Firewall -======== - +######## +********  Overview --------- +********  VyOS makes use of Linux `netfilter <https://netfilter.org/>`_ for packet  filtering. 
@@ -24,8 +25,9 @@ or zone based firewall policy.     OS, is a reference to as `local` with respect to its input interface. +***************  Global settings ---------------- +***************  Some firewall settings are global and have a affect on the whole system. @@ -140,8 +142,9 @@ Some firewall settings are global and have a affect on the whole system.     Set the global setting for related connections. +******  Groups ------- +******  Firewall groups represent collections of IP addresses, networks, or  ports. Once created, a group can be referenced by firewall rules as @@ -158,7 +161,7 @@ names.  Address Groups -************** +==============  In a **address group** a single IP adresses or IP address ranges are  definded. @@ -182,7 +185,7 @@ definded.  Network Groups -************** +==============  While **network groups** accept IP networks in CIDR notation, specific  IP addresses can be added as a 32-bit prefix. If you foresee the need @@ -207,7 +210,7 @@ recommended.  Port Groups -*********** +===========  A **port group** represents only port numbers, not the protocol. Port  groups can be referenced for either TCP or UDP. It is recommended that @@ -232,8 +235,9 @@ filtering unnecessary ports. Ranges of ports can be specified by using     Provide a port group description. +*********  Rule-Sets ----------- +*********  A rule-set is a named collection of firewall rules that can be applied  to an interface or zone. Each rule is numbered, has an action to apply @@ -281,7 +285,7 @@ the action of the rule will executed.     If you want to disable a rule but let it in the configuration.  Matching criteria -***************** +=================  There are a lot of matching criteria gainst which the package can be tested. 
@@ -413,8 +417,9 @@ There are a lot of matching criteria gainst which the package can be tested.     Match against the state of a packet. +***********************************  Applying a Rule-Set to an Interface ------------------------------------ +***********************************  A Rule-Set can be appliend to every inteface: @@ -439,8 +444,9 @@ A Rule-Set can be appliend to every inteface:        several interfaces. An interface can only have one rule-set per chain. +**************************  Zone-based Firewall Policy --------------------------- +**************************  As an alternative to applying policy to an interface directly, a  zone-based firewall can be created to simplify configuration when @@ -453,7 +459,7 @@ An basic introduction to zone-based firewalls can be found `here  and an example at :ref:`examples-zone-policy`.  Define a Zone -************* +=============  To define a zone setup either one with interfaces or a local zone. @@ -477,7 +483,7 @@ To define a zone setup either one with interfaces or a local zone.  Applying a Rule-Set to a Zone -***************************** +=============================  Before you are able to apply a rule-set to a zone you have to create the zones   first.  @@ -496,11 +502,12 @@ first.        set zone-policy zone LAN from DMZ firewall name DMZv4-to-LANv4 +***********************  Operation-mode Firewall ------------------------ +***********************  Rule-set overview -***************** +=================  .. opcmd:: show firewall @@ -663,7 +670,7 @@ Rule-set overview  Zone-Policy Overview -******************** +====================  .. opcmd:: show zone-policy zone <name> @@ -684,7 +691,7 @@ Zone-Policy Overview  Show Firewall log -***************** +=================  .. opcmd:: show log firewall [name | ipv6name] <name> @@ -698,7 +705,7 @@ Show Firewall log  Example Partial Config ----------------------- +======================  .. code-block:: none 
@@ -770,9 +777,10 @@ Example Partial Config  .. _routing-mss-clamp: -################ + +****************  TCP-MSS Clamping -################ +****************  As Internet wide PMTU discovery rarely works, we sometimes need to clamp  our TCP MSS value to a specific value. This is a field in the TCP @@ -788,9 +796,11 @@ value for IPv4 and IPv6.     in 1452 bytes on a 1492 byte MTU. +  IPv4  ==== +  .. cfgcmd:: set firewall options interface <interface> adjust-mss <number-of-bytes>     Use this command to set the maximum segment size for IPv4 transit @@ -808,6 +818,8 @@ for your WireGuard `wg02` tunnel.    set firewall options interface pppoe0 adjust-mss '1452'    set firewall options interface wg02 adjust-mss '1372' + +  IPv6  ==== diff --git a/docs/configuration/protocols/static.rst b/docs/configuration/protocols/static.rst index fbde8228..43b77c41 100644 --- a/docs/configuration/protocols/static.rst +++ b/docs/configuration/protocols/static.rst @@ -15,8 +15,9 @@ collection of all routes the router has learned from its configuration or from  its dynamic routing protocols is stored in the RIB. Unicast routes are directly  used to determine the forwarding table used for unicast packet forwarding. +*************  Static Routes -############# +*************  .. cfgcmd:: set protocols static route <subnet> next-hop <address> @@ -152,8 +153,9 @@ provided by the Neighbor Discovery Protocol (NDP).  To manipulate or display ARP_ table entries, the following commands are  implemented. +*********  Configure -========= +*********  .. cfgcmd:: set protocols static arp <address> hwaddr <mac> @@ -166,8 +168,11 @@ Configure       set protocols static arp 192.0.2.100 hwaddr 00:53:27:de:23:aa + +*********  Operation -========= +********* +  .. opcmd:: show protocols static arp diff --git a/docs/configuration/system/index.rst b/docs/configuration/system/index.rst index ecf09a64..4bb16c42 100644 --- a/docs/configuration/system/index.rst +++ b/docs/configuration/system/index.rst 
@@ -22,7 +22,7 @@ System     name-server     name-servers-dhcp     ntp -   options +   option     proxy     static-host-mapping     sysctl @@ -30,3 +30,11 @@ System     task-scheduler     time-zone     wifi-requlatory-domain + + +.. toctree:: +   :maxdepth: 1 +   :includehidden: + +   default-route +   eventhandler diff --git a/docs/configuration/vpn/index.rst b/docs/configuration/vpn/index.rst index 397093c2..abaca198 100644 --- a/docs/configuration/vpn/index.rst +++ b/docs/configuration/vpn/index.rst @@ -12,4 +12,15 @@ VPN     openconnect     pptp     rsa-keys -   sstp
\ No newline at end of file +   sstp + + + +pages to sort + +.. toctree:: +   :maxdepth: 1 +   :includehidden: + +   dmvpn +   site2site_ipsec
\ No newline at end of file diff --git a/docs/configuration/vpn/rsa-keys.rst b/docs/configuration/vpn/rsa-keys.rst new file mode 100644 index 00000000..9f289d0d --- /dev/null +++ b/docs/configuration/vpn/rsa-keys.rst @@ -0,0 +1,4 @@ + +######## +RSA-Keys +########
\ No newline at end of file diff --git a/docs/contributing/documentation.rst b/docs/contributing/documentation.rst index 197f5b03..f15595bf 100644 --- a/docs/contributing/documentation.rst +++ b/docs/contributing/documentation.rst @@ -261,7 +261,7 @@ Page content  The documentation have 3 different types of pages, the same kind of pages must   have the same structure to achieve a recognition factor. -For all *.rst files must follow the same TOC Level syntax and have to start with +For all rst files must follow the same TOC Level syntax and have to start with  .. code-block:: | 
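Review bot: In docs/cli.rst the Terminology heading moves from `===` to `###`, the same underline as Configuration Mode, while the firewall page in this same commit reserves `#` for the page title and uses `*` for chapters. If Terminology is meant to remain part of the configuration discussion, give it the chapter or section level used elsewhere in this change rather than the title character. The two removed sentences also take away the only pointers to the command lists; if the `operational_level_commands` and `configuration_level_commands` targets still exist, keep one correctly worded reference in each mode section instead of dropping both.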
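Review bot: In docs/configuration/firewall/index.rst, Example Partial Config goes from `---` to `===`, which nests it as a section of Operation-mode Firewall (now `***`) right after Show Firewall log, although at `---` it stood at the same level as Overview, Groups and Rule-Sets, all of which this commit turns into `***` chapters. Give it the same `***` overline and underline so the configuration example does not end up under the operational commands. The blank lines added around IPv4 and before IPv6 under TCP-MSS Clamping are not needed by reST and can be dropped.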
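Review bot: In docs/configuration/protocols/static.rst, Configure and Operation are promoted from `===` to `***`, the same level Static Routes gets in this change, yet both sit under the text about ARP table entries and document `set protocols static arp` and `show protocols static arp`. At chapter level they appear in the page outline as two generic entries detached from ARP. Either keep them at `===` under the ARP heading or rename them so the outline says what they configure. The extra blank lines added before and after the Operation heading can go as well.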
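Review bot: In docs/configuration/system/index.rst the toctree entry changes from `options` to `option`, but the file list of this commit contains no rename or addition of a matching document under docs/configuration/system/, so confirm that `option.rst` exists there or the build will report a toctree reference to a nonexisting document. The same check applies to the new `default-route` and `eventhandler` entries. The second toctree is added without a `:caption:`; say in a comment or caption why these two pages are kept apart from the first list.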
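Review bot: In docs/configuration/vpn/index.rst the added line `pages to sort` is a plain paragraph, so it will be rendered on the published VPN index page above the second toctree. If it is a note for maintainers, write it as a reST comment (`.. pages to sort`) or turn it into the toctree's `:caption:`. The hunk adds a newline after `sstp` but the file still ends without one after `site2site_ipsec`; end the file with a newline.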
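Review bot: The new docs/configuration/vpn/rsa-keys.rst contains only its `RSA-Keys` title and ends without a newline, so the existing `rsa-keys` toctree entry in the VPN index will publish an empty page. Add at least a short placeholder paragraph stating what the page will cover, and end the file with a newline.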
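Review bot: In docs/contributing/documentation.rst, dropping the `*` from `*.rst` avoids the unbalanced emphasis marker, but the changed line still reads "For all rst files must follow", which is not a sentence. Reword it, for example "All ``*.rst`` files must follow the same TOC level syntax and have to start with", using the inline literal so the glob can stay. The context line just above ("The documentation have 3 different types of pages") could be corrected in the same pass.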
