Diffstat (limited to 'docs/configuration/firewall/general-legacy.rst')
-rw-r--r-- docs/configuration/firewall/general-legacy.rst 23
1 files changed, 13 insertions, 10 deletions
diff --git a/docs/configuration/firewall/general-legacy.rst b/docs/configuration/firewall/general-legacy.rst
index de91e54b..5d235eb8 100644
--- a/docs/configuration/firewall/general-legacy.rst
+++ b/docs/configuration/firewall/general-legacy.rst
@@ -1,14 +1,14 @@
:lastproofread: 2021-06-29
-.. _firewall:
+.. _legacy-firewall:
-###############
-Firewall-Legacy
-###############
+###################################
+Firewall Configuration (Deprecated)
+###################################
.. note:: **Important note:**
This documentation is valid only for VyOS Sagitta prior to
- 1.4-rolling-YYYYMMDDHHmm
+ 1.4-rolling-202308040557
********
Overview
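Review bot: the label rename from `_firewall` to `_legacy-firewall` at the top of this hunk changes what every existing :ref: to `firewall` elsewhere in the docs resolves to, and the diffstat shows only this one file changed. Please confirm that another page now defines `_firewall` and that links meant for this legacy page were switched to `legacy-firewall`. The `:lastproofread: 2021-06-29` field is also left untouched even though the title and the version note were revised; update it if the page was re-read as part of this change.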
@@ -153,7 +153,7 @@ Groups
******
Firewall groups represent collections of IP addresses, networks, ports,
-mac addresses or domains. Once created, a group can be referenced by
+mac addresses or domains. Once created, a group can be referenced by
firewall, nat and policy route rules as either a source or destination
matcher. Members can be added or removed from a group without changes to,
or the need to reload, individual firewall rules.
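Review bot: since the "mac addresses or domains" line is already being touched for whitespace, fix the acronym casing in the same paragraph: "MAC addresses" here and "NAT" in "firewall, nat and policy route rules" on the following line. Otherwise the hunk is a no-op for readers.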
@@ -424,11 +424,13 @@ There are a lot of matching criteria against which the package can be tested.
An arbitrary netmask can be applied to mask addresses to only match against
a specific portion. This is particularly useful with IPv6 and a zone-based
firewall as rules will remain valid if the IPv6 prefix changes and the host
- portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses
- <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)
-
+ portion of systems IPv6 address is static (for example, with SLAAC or
+ `tokenised IPv6 addresses
+ <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_).
+
This functions for both individual addresses and address groups.
+ .. stop_vyoslinter
.. code-block:: none
# Match any IPv6 address with the suffix ::0000:0000:0000:beef
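Review bot: the reflowed paragraph explains that a suffix mask keeps rules valid when the IPv6 prefix changes, but it never states the consequence: a rule that compares only the host portion matches that suffix under any prefix, as the example comment "Match any IPv6 address with the suffix" shows. Add one sentence telling readers to scope such rules by inbound interface or zone so the match is not relied on as the only source check. While rewording, "host portion of systems IPv6 address" should read "host portion of a system's IPv6 address". The new `.. stop_vyoslinter` comment needs its matching `.. start_vyoslinter` at the same indentation level, which should be checked against the next hunk.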
@@ -442,6 +444,7 @@ There are a lot of matching criteria against which the package can be tested.
set firewall group ipv6-address-group WEBSERVERS address ::2000
set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS
set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff
+ .. start_vyoslinter
.. cfgcmd:: set firewall name <name> rule <1-999999> source fqdn <fqdn>
.. cfgcmd:: set firewall name <name> rule <1-999999> destination fqdn <fqdn>
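Review bot: `.. start_vyoslinter` is added directly after the last line of the literal block ("set firewall name WAN-LAN-v6 rule 200 source address-mask ..."), so make sure it is preceded by a blank line and indented less than the block content. If it sits at the code's indentation, reStructuredText treats it as part of the `code-block` body: it is then rendered in the example output and the linter is never re-enabled for the `cfgcmd` entries that follow. A quick local build of this page would confirm the comment does not appear in the rendered block.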
@@ -1048,4 +1051,4 @@ Update geoip database
.. opcmd:: update geoip
- Command used to update GeoIP database and firewall sets. \ No newline at end of file
+ Command used to update GeoIP database and firewall sets.