Diffstat (limited to 'docs/configuration/firewall')
-rw-r--r--docs/configuration/firewall/groups.rst23
-rw-r--r--docs/configuration/firewall/zone.rst101
2 files changed, 81 insertions, 43 deletions
diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst
index 64221413..b1accca5 100644
--- a/docs/configuration/firewall/groups.rst
+++ b/docs/configuration/firewall/groups.rst
@@ -41,28 +41,33 @@ Remote Groups
==============
A **remote-group** takes an argument of a URL hosting a linebreak-deliminated
-list of IPv4s addresses, CIDRs and ranges. VyOS will pull this list periodicity
+list of IPv4 and/or IPv6 addresses, CIDRs and ranges. VyOS will pull this list periodicity
according to the frequency defined in the firewall **resolver-interval** and load
matching entries into the group for use in rules. The list will be cached in
persistent storage, so in cases of update failure rules will still function.
.. cfgcmd:: set firewall group remote-group <name> url <http(s) url>
- Define remote list of IPv4 addresses/ranges/CIDRs to fetch
+ Define remote list of IPv4 and/or IPv6 addresses/ranges/CIDRs to fetch
.. cfgcmd:: set firewall group remote-group <name> description <text>
- Set a description for a remote group
+ Set a description for a remote group
The format of the remote list is very flexible. VyOS will attempt to parse the
first word of each line as an entry, and will skip if it cannot find a valid
-match. Below is a list of acceptable matches that would be parsed correctly:
+match. Lines that begin with an alphanumeric character but do not match valid IPv4
+or IPv6 addresses, ranges, or CIDRs will be logged to the system log. Below is a
+list of acceptable matches that would be parsed correctly:
.. code-block:: none
127.0.0.1
127.0.0.0/24
127.0.0.1-127.0.0.254
+ 2001:db8::1
+ 2001:db8:cafe::/48
+ 2001:db8:cafe::1-2001:db8:cafe::ffff
Network Groups
==============
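Review bot: `periodicity` on the rewritten line (`VyOS will pull this list periodicity`) should be `periodically`; since this line is already being changed, fix it here. The context line above it has `linebreak-deliminated`, which should be `linebreak-delimited`. The new sentence describes what happens to lines that begin with an alphanumeric character but fail to parse (logged to the system log) but leaves implicit what happens to lines beginning with any other character; stating that they are skipped silently would complete the description of the parser's behaviour and help operators debugging a list that loads fewer entries than expected.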
@@ -258,7 +263,7 @@ As any other firewall group, dynamic firewall groups can be used in firewall
rules as matching options. For example:
.. code-block:: none
-
+
set firewall ipv4 input filter rule 10 source group dynamic-address-group FOO
set firewall ipv4 input filter rule 10 destination group dynamic-address-group BAR
@@ -272,10 +277,10 @@ General example
As said before, once firewall groups are created, they can be referenced
either in firewall, nat, nat66 and/or policy-route rules.
-Here is an example were multiple groups are created:
+Here is an example were multiple groups are created:
.. code-block:: none
-
+
set firewall group address-group SERVERS address 198.51.100.101
set firewall group address-group SERVERS address 198.51.100.102
set firewall group network-group TRUSTEDv4 network 192.0.2.0/30
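Review bot: the line being rewritten for trailing whitespace still reads `Here is an example were multiple groups are created:`; `were` should be `where`, and since the line is already in the diff it is cheaper to fix it here than in a follow-up.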
@@ -290,7 +295,7 @@ Here is an example were multiple groups are created:
And next, some configuration example where groups are used:
.. code-block:: none
-
+
set firewall ipv4 output filter rule 10 action accept
set firewall ipv4 output filter rule 10 outbound-interface group !LAN
set firewall ipv4 forward filter rule 20 action accept
@@ -453,4 +458,4 @@ Here is an example of such command:
PORT-SERVERS port_group route-PBR-201 443
route-PBR-201 5000-5010
nat-destination-101 http
- vyos@vyos:~$ \ No newline at end of file
+ vyos@vyos:~$
diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst
index 0e659247..836d29fc 100644
--- a/docs/configuration/firewall/zone.rst
+++ b/docs/configuration/firewall/zone.rst
@@ -65,60 +65,94 @@ Configuration
As an alternative to applying policy to an interface directly, a zone-based
firewall can be created to simplify configuration when multiple interfaces
belong to the same security zone. Instead of applying rule-sets to interfaces,
-they are applied to source zone-destination zone pairs.
+they are applied to source-destination zone pairs.
A basic introduction to zone-based firewalls can be found `here
<https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_,
and an example at :ref:`examples-zone-policy`.
+The following steps are required to create a zone-based firewall:
+
+1. Define both the source and destination zones
+2. Define the rule-set
+3. Apply the rule-set to the zones
+
Define a Zone
=============
-To define a zone setup either one with interfaces or a local zone.
+To define a zone setup either one with interfaces or the local zone.
.. cfgcmd:: set firewall zone <name> interface <interface>
- Set interfaces to a zone. A zone can have multiple interfaces.
- But an interface can only be a member in one zone.
+ Assign interfaces as a member of a zone.
+
+ .. note::
+
+ * An interface can only be a member of one zone.
+ * A zone can have multiple interfaces, with traffic between interfaces in
+ the same zone subject to the intra-zone-filtering policy (allowed by
+ default).
.. cfgcmd:: set firewall zone <name> local-zone
- Define the zone as a local zone. A local zone has no interfaces and
- will be applied to the router itself.
+ Define the zone as the local zone, for traffic originating from and destined
+ to the router itself.
+
+ .. note::
+
+ * A local zone cannot have any member interfaces
+ * There cannot be multiple local zones
.. cfgcmd:: set firewall zone <name> default-action [drop | reject]
- Change the default-action with this setting.
+ Change the zone default-action, which applies to traffic destined to this
+ zone that doesn't match any of the source zone rulesets applied.
+
+.. cfgcmd:: set firewall zone <name> default-log
+
+ Enable logging of packets that hit this zone's default-action (disabled by
+ default).
.. cfgcmd:: set firewall zone <name> description
Set a meaningful description.
-Applying a Rule-Set to a Zone
+Defining a Rule-Set
=============================
-Before you are able to apply a rule-set to a zone you have to create the zones
-first.
+Zone-based firewall rule-sets are for traffic from a *Source Zone* to a
+*Destination Zone*.
-It helps to think of the syntax as: (see below). The 'rule-set' should be
-written from the perspective of: *Source Zone*-to->*Destination Zone*
+The rule-sets are created as a custom firewall chain using the commands below
+(refer to the firewall IPv4/IPv6 sections for the full syntax):
-.. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone>
- firewall name <rule-set>
+* For :ref:`IPv4<configuration/firewall/ipv4:Firewall - IPv4 Rules>`:
+ ``set firewall ipv4 name <name> ...``
+* For :ref:`IPv6<configuration/firewall/ipv6:Firewall - IPv6 Rules>`:
+ ``set firewall ipv6 name <name> ...``
-.. cfgcmd:: set firewall zone <name> from <name> firewall name
- <rule-set>
+It can be helpful to name the rule-sets in the format
+``<Sourze Zone>-<Destination Zone>-<v4 | v6>`` to make them easily identifiable.
-.. cfgcmd:: set firewall zone <name> from <name> firewall ipv6-name
- <rule-set>
+Applying a Rule-Set to a Zone
+=============================
- You apply a rule-set always to a zone from an other zone, it is recommended
- to create one rule-set for each zone pair.
+Once a rule-set has been defined, it can then be applied to the source and
+destination zones. The configuration syntax is anchored on the destination
+zone, with each of the source zone rulesets listed against the destination.
- .. code-block:: none
+.. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone>
+ firewall name <ipv4-rule-set-name>
+
+.. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone>
+ firewall ipv6-name <ipv6-rule-set-name>
+
+It is recommended to create two rule-sets for each source-destination zone pair.
- set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4
- set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4
+.. code-block:: none
+
+ set firewall zone DMZ from LAN firewall name LAN-DMZ-v4
+ set firewall zone LAN from DMZ firewall name DMZ-LAN-v4
**************
Operation-mode
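Review bot: `It is recommended to create two rule-sets for each source-destination zone pair.` does not say which two; given the two cfgcmds immediately above (`firewall name` and `firewall ipv6-name`), it should read `one IPv4 and one IPv6 rule-set for each source-destination zone pair`, and the example that follows shows only the IPv4 pair, so either add the matching `firewall ipv6-name` lines (e.g. `LAN-DMZ-v6` per the naming convention introduced above) or state that the example is IPv4 only. The new note under `set firewall zone <name> interface` refers to `the intra-zone-filtering policy (allowed by default)`, but no cfgcmd for intra-zone-filtering appears in this section; add one or cross-reference where it is documented so the reader can find the setting. Typo in the naming convention: `<Sourze Zone>` should be `<Source Zone>`. The first bullet of the local-zone note lacks the terminating period that the other bullets use. The `:ref:` targets `configuration/firewall/ipv4:Firewall - IPv4 Rules` and the IPv6 equivalent should be checked against the actual section titles so the links resolve at build time.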
@@ -133,13 +167,12 @@ Operation-mode
vyos@vyos:~$ show firewall zone-policy
Zone Interfaces From Zone Firewall IPv4 Firewall IPv6
------ ------------ ----------- --------------- ---------------
- LAN eth1 WAN WAN_to_LAN
+ LAN eth1 WAN WAN-LAN-v4
eth2
- LOCAL LOCAL LAN LAN_to_LOCAL
- WAN WAN_to_LOCAL WAN_to_LOCAL_v6
- WAN eth3 LAN LAN_to_WAN
- eth0 LOCAL LOCAL_to_WAN
- vyos@vyos:~$
+ LOCAL LOCAL LAN LAN-LOCAL-v4
+ WAN WAN-LOCAL-v4 WAN-LOCAL-v6
+ WAN eth3 LAN LAN-WAN-v4
+ eth0 LOCAL LOCAL-WAN-v4
.. opcmd:: show firewall zone-policy zone <zone>
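Review bot: the trailing `vyos@vyos:~$` prompt line is dropped from the `show firewall zone-policy` output here (and from the `show firewall zone-policy zone LOCAL` block in the next hunk), while the groups.rst hunk in this same change keeps the trailing prompt for `show firewall group`; pick one convention for command-output blocks across the firewall docs. The renames to `WAN-LAN-v4`, `LAN-LOCAL-v4` and so on correctly follow the naming convention introduced in zone.rst, but the `Firewall IPv6` column is still empty for the LAN and WAN zones, so the sample output does not illustrate the two-rule-sets-per-pair recommendation made in the same change.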
@@ -150,11 +183,11 @@ Operation-mode
vyos@vyos:~$ show firewall zone-policy zone WAN
Zone Interfaces From Zone Firewall IPv4 Firewall IPv6
------ ------------ ----------- --------------- ---------------
- WAN eth3 LAN LAN_to_WAN
- eth0 LOCAL LOCAL_to_WAN
+ WAN eth3 LAN LAN-WAN-v4
+ eth0 LOCAL LOCAL-WAN-v4
+
vyos@vyos:~$ show firewall zone-policy zone LOCAL
Zone Interfaces From Zone Firewall IPv4 Firewall IPv6
------ ------------ ----------- --------------- ---------------
- LOCAL LOCAL LAN LAN_to_LOCAL
- WAN WAN_to_LOCAL WAN_to_LOCAL_v6
- vyos@vyos:~$
+ LOCAL LOCAL LAN LAN-LOCAL-v4
+ WAN WAN-LOCAL-v4 WAN-LOCAL-v6