From 22ab45d01501f6f811926692e86f76b053f6630b Mon Sep 17 00:00:00 2001 From: currite Date: Mon, 16 Sep 2019 16:29:09 +0200 Subject: firewall_all-ping --- docs/firewall.rst | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/docs/firewall.rst b/docs/firewall.rst index f41bbcbb..f875ad12 100644 --- a/docs/firewall.rst +++ b/docs/firewall.rst @@ -102,6 +102,27 @@ first be created): set zone-policy zone INSIDE from OUTSIDE firewall name INSIDE-OUT +How VyOS replies when being pinged +---------------------------------- + +By default, when VyOS receives an ICMP echo request packet destined for itself, it will answer with an ICMP echo reply, unless you avoid it through its firewall. + +With the firewall you can set rules to accept, drop or reject ICMP in, out or local traffic. You can also use the general **firewall all-ping** command. This command affects only to LOCAL (packets destined for your VyOS system), not to IN or OUT traffic. + +.. note:: **firewall all-ping** affects only to LOCAL and it always behaves in the most restrictive way + +.. code-block:: sh + + set firewall all-ping enable + +When the command above is set, VyOS will answer every ICMP echo request addressed to itself, but that will only happen if no other rule is applied droping or rejecting local echo requests. In case of conflict, VyOS will not answer ICMP echo requests. + +.. code-block:: sh + + set firewall all-ping disable + +When the comand above is set, VyOS will answer no ICMP echo request addressed to itself at all, no matter where it comes from or whether more specific rules are being applied to accept them. + Example Partial Config ---------------------- @@ -170,4 +191,4 @@ Example Partial Config } } } - } \ No newline at end of file + } -- cgit v1.2.3 From 8a9b0b66cce423835674674daf44f2d00f4abe00 Mon Sep 17 00:00:00 2001 
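Review bot: the docs/firewall.rst hunk has several spelling and grammar slips that should be fixed before merge: "droping" should be "dropping", "comand" should be "command", and "affects only to LOCAL" (used twice, in the paragraph and in the `.. note::`) should read "affects only LOCAL traffic"; the note sentence also lacks a closing period. The substance is sound and worth keeping as written: `set firewall all-ping enable` still yields to a more specific drop or reject rule on local echo requests, while `set firewall all-ping disable` overrides even an explicit accept, which is exactly the "most restrictive way" the note promises, so a reader can rely on `disable` as a hard stop and must not rely on `enable` to override their own drop rules. Suggest tightening the enable paragraph to "When the command above is set, VyOS will answer every ICMP echo request addressed to itself, but only if no other rule drops or rejects local echo requests; in case of conflict, VyOS will not answer." The trailing hunk only restores the missing newline at end of file and needs no change.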
From: currite Date: Tue, 17 Sep 2019 01:32:05 +0200 Subject: add note on vpn-option -reneg-sec --- docs/vpn/openvpn.rst | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/vpn/openvpn.rst b/docs/vpn/openvpn.rst index 5a269b43..29104199 100644 --- a/docs/vpn/openvpn.rst +++ b/docs/vpn/openvpn.rst @@ -175,6 +175,10 @@ First we need to specify the basic settings. 1194/UDP is the default. The `persistent-tunnel` option is recommended, it prevents the TUN/TAP device from closing on connection resets or daemon reloads. + +.. note:: Using **openvpn-option -reneg-sec** can be tricky. This option is used to renegotiate data channel after n seconds. When used at both server and client, the lower value will trigger the renegotiation. If you set it to 0 on one side of the connection (to disable it), the chosen value on the other side will determine when the renegotiation will occur. + + .. code-block:: sh set interfaces openvpn vtun10 mode server -- cgit v1.2.3
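Review bot: in the docs/vpn/openvpn.rst hunk the option is written as **openvpn-option -reneg-sec** with a single dash; the OpenVPN option it refers to is `--reneg-sec` (two dashes, followed by the interval in seconds), so the note should give the exact spelling and say "renegotiate the data channel key after n seconds", since it is the key that is renegotiated, not the channel itself. The note also deserves one more sentence drawn from its own logic: because a 0 on one side hands control of the interval to the other side, setting 0 on both sides disables data-channel rekeying for the life of the session, so the value should be disabled on at most one peer. Style point: the hunk adds two blank lines after the `.. note::` where the rest of the file uses one; trim to a single blank line before the `.. code-block:: sh`.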