From 4aa0865d9fa00ddb5dc12dddf7208bf53f14075a Mon Sep 17 00:00:00 2001 From: rebortg Date: Thu, 23 Nov 2023 21:09:57 +0100 Subject: backport Firewall docs from master --- docs/configuration/firewall/general-legacy.rst | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-) (limited to 'docs/configuration/firewall/general-legacy.rst') diff --git a/docs/configuration/firewall/general-legacy.rst b/docs/configuration/firewall/general-legacy.rst index 2e6b0061..5d235eb8 100644 --- a/docs/configuration/firewall/general-legacy.rst +++ b/docs/configuration/firewall/general-legacy.rst @@ -1,10 +1,10 @@ :lastproofread: 2021-06-29 -.. _firewall-legacy: +.. _legacy-firewall: -############### -Firewall-Legacy -############### +################################### +Firewall Configuration (Deprecated) +################################### .. note:: **Important note:** This documentation is valid only for VyOS Sagitta prior to @@ -424,11 +424,13 @@ There are a lot of matching criteria against which the package can be tested. An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 and a zone-based firewall as rules will remain valid if the IPv6 prefix changes and the host - portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses - `_) - + portion of systems IPv6 address is static (for example, with SLAAC or + `tokenised IPv6 addresses + `_). + This functions for both individual addresses and address groups. + .. stop_vyoslinter .. code-block:: none # Match any IPv6 address with the suffix ::0000:0000:0000:beef 
@@ -442,6 +444,7 @@ There are a lot of matching criteria against which the package can be tested. set firewall group ipv6-address-group WEBSERVERS address ::2000 set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff + .. start_vyoslinter .. cfgcmd:: set firewall name rule <1-999999> source fqdn .. cfgcmd:: set firewall name rule <1-999999> destination fqdn @@ -1048,4 +1051,4 @@ Update geoip database .. opcmd:: update geoip - Command used to update GeoIP database and firewall sets. \ No newline at end of file + Command used to update GeoIP database and firewall sets. -- cgit v1.2.3
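
Review bot: In the first hunk (@@ -1,10 +1,10 @@), renaming the label from `_firewall-legacy` to `_legacy-firewall` leaves any `:ref:` that still targets the old name unresolved. The diff shown here is limited to general-legacy.rst, so confirm that the pages referencing this label are updated in the same backport, or keep the old label as a second target above the title. A docs build with Sphinx warnings treated as errors (`-W`) will surface any reference that was missed.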
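
Review bot: In the second hunk (@@ -424,11 +424,13 @@), the re-wrapped paragraph still reads "host portion of systems IPv6 address", which should be "of a system's IPv6 address", and the section text quoted in the hunk header says "the package can be tested" where "packet" is meant. Since these lines are being touched anyway, fix both in this change. The added `.. stop_vyoslinter` disables the linter from this point on, so check that its matching `.. start_vyoslinter` lands directly after the code block and that no prose ends up inside the unlinted span.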
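
Review bot: In the third hunk (@@ -442,6 +444,7 @@), the context lines of the example match IPv6 addresses (`ipv6-address-group WEBSERVERS`, `source address-mask ::ffff:ffff:ffff:ffff`) but attach rule 200 with `set firewall name WAN-LAN-v6`. The legacy syntax keeps IPv6 rule sets under `ipv6-name`, so verify that the example commits as written on a legacy Sagitta build before carrying it into the backport. Also check that the added `.. start_vyoslinter` is separated from the indented example by a blank line, so it is parsed as its own comment and not as the tail of the literal block.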