Diffstat (limited to 'docs/configuration/firewall')
-rw-r--r-- docs/configuration/firewall/general-legacy.rst | 6
-rw-r--r-- docs/configuration/firewall/general.rst | 7
-rw-r--r-- docs/configuration/firewall/index.rst | 4
-rw-r--r-- docs/configuration/firewall/zone.rst | 21
4 files changed, 25 insertions, 13 deletions
diff --git a/docs/configuration/firewall/general-legacy.rst b/docs/configuration/firewall/general-legacy.rst index de91e54b..2e6b0061 100644 --- a/docs/configuration/firewall/general-legacy.rst +++ b/docs/configuration/firewall/general-legacy.rst @@ -1,6 +1,6 @@ :lastproofread: 2021-06-29 -.. _firewall: +.. _firewall-legacy: ############### Firewall-Legacy @@ -8,7 +8,7 @@ Firewall-Legacy .. note:: **Important note:** This documentation is valid only for VyOS Sagitta prior to - 1.4-rolling-YYYYMMDDHHmm + 1.4-rolling-202308040557 ******** Overview @@ -153,7 +153,7 @@ Groups ****** Firewall groups represent collections of IP addresses, networks, ports, -mac addresses or domains. Once created, a group can be referenced by +mac addresses or domains. Once created, a group can be referenced by firewall, nat and policy route rules as either a source or destination matcher. Members can be added or removed from a group without changes to, or the need to reload, individual firewall rules. diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst index 3ef60263..0e172a24 100644 --- a/docs/configuration/firewall/general.rst +++ b/docs/configuration/firewall/general.rst @@ -78,10 +78,11 @@ Where, main key words and configuration paths that needs to be understood: .. note:: **Important note about default-actions:** If default action for any chain is not defined, then the default - action is set to **drop** for that chain. + action is set to **accept** for that chain. Only for custom chains, + the default action is set to **drop**. Custom firewall chains can be created, with commands -``set firewall [ipv4 | ipv6] [name | ipv6-name] <name> ...``. In Order to use +``set firewall [ipv4 | ipv6] [name | ipv6-name] <name> ...``. In order to use such custom chain, a rule with **action jump**, and the appropiate **target** should be defined in a base chain. 
@@ -1502,4 +1503,4 @@ Update geoip database .. opcmd:: update geoip - Command used to update GeoIP database and firewall sets.
\ No newline at end of file + Command used to update GeoIP database and firewall sets. diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 94ae6ca5..567e48a0 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -3,7 +3,7 @@ Firewall ######## Starting from VyOS 1.4-rolling-202308040557, a new firewall structure -can be found on all vyos instalations. Documentation for most new firewall +can be found on all vyos installations. Documentation for most new firewall cli can be found here: .. toctree:: @@ -12,7 +12,7 @@ cli can be found here: general -Also, for those who haven't update to newer version, legacy documentation is +Also, for those who haven't updated to newer version, legacy documentation is still present and valid for all sagitta version prior to VyOS 1.4-rolling-202308040557: diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index 403de912..70ad7b65 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst 
@@ -6,13 +6,24 @@ Zone Based Firewall ################### -.. note:: **Important note:** - This documentation is valid only for VyOS Sagitta prior to - 1.4-rolling-YYYYMMDDHHmm +.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall + structure can be found on all vyos instalations, and zone based firewall is + no longer supported. Documentation for most of the new firewall CLI can be + found in the `firewall + <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ + chapter. The legacy firewall is still available for versions before + 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` + chapter. The examples in this section use the legacy firewall configuration + commands, since this feature has been removed in earlier releases. + +.. note:: For latest releases, refer the `firewall + <https://docs.vyos.io/en/latest/configuration/firewall/general.html#interface-groups>`_ + main page to configure zone based rules. New syntax was introduced here + :vytask:`T5160` In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to -firewall rules. A Zone is a group of interfaces that have similar functions or +firewall rules. A zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network. 
@@ -40,7 +51,7 @@ firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of applying rule-sets to interfaces, they are applied to source zone-destination zone pairs. -An basic introduction to zone-based firewalls can be found `here +A basic introduction to zone-based firewalls can be found `here <https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_, and an example at :ref:`examples-zone-policy`. |
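Review bot: Renaming the label `.. _firewall:` to `.. _firewall-legacy:` in the first general-legacy.rst hunk will break any remaining `:ref:`firewall`` references elsewhere in the docs unless general.rst now defines `.. _firewall:`, and this patch does not add that label. Either add `.. _firewall:` above the new general page or update every `:ref:`firewall`` in the tree; the zone.rst hunk in this patch already uses `:ref:`firewall-legacy``, so that one is consistent.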
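Review bot: The Groups hunk in general-legacy.rst shows identical text on the `-` and `+` lines ("mac addresses or domains. Once created, a group can be referenced by"), so it looks like a trailing-whitespace-only change; fine to keep, but say so in the commit message so reviewers do not hunt for a wording difference.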
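Review bot: The default-actions hunk in general.rst changes documented security behaviour (base chains default to accept, only custom chains default to drop), so the note should also state the consequence: a base chain with no explicit default action passes traffic that matches no rule, and operators who want deny-by-default must set the default action to drop explicitly. Suggest adding one sentence to that effect after "the default action is set to **drop**." The unchanged context line in the same hunk still reads "appropiate" (should be "appropriate") and could be fixed alongside the "In order" correction.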
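Review bot: The second index.rst hunk leaves two grammar issues in place: "haven't updated to newer version" should be "haven't updated to a newer version", and the following context line "for all sagitta version prior to" should read "for all Sagitta versions prior to".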
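Review bot: The new note in the first zone.rst hunk introduces "instalations", the same typo the index.rst hunk in this patch fixes; make it "installations". "refer the `firewall ... main page" should be "refer to the ... main page", and the sentence "since this feature has been removed in earlier releases" contradicts the preceding text, which says zone-based firewall is unsupported from 1.4-rolling-202308040557 onward; suggest "since this feature has been removed in later releases". The second note also ends on ":vytask:`T5160`" without a terminating period.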