From 8118c93687b89e267111069c475e02f8e89f648c Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Wed, 12 Jun 2024 09:13:08 -0300 Subject: Firewall: Add prerouting information --- docs/configuration/firewall/global-options.rst | 32 +++++++++++++++++++++++ docs/configuration/firewall/index.rst | 35 +++++++++++++++++++------- docs/configuration/firewall/ipv4.rst | 31 ++++++++++++++++++++--- docs/configuration/firewall/ipv6.rst | 31 ++++++++++++++++++++--- 4 files changed, 112 insertions(+), 17 deletions(-) (limited to 'docs/configuration/firewall') diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst index b3f311aa..7c52045e 100644 --- a/docs/configuration/firewall/global-options.rst +++ b/docs/configuration/firewall/global-options.rst 
@@ -145,3 +145,35 @@ Configuration [emerg | alert | crit | err | warn | notice | info | debug] Set the global setting for related connections. + +VyOS supports setting timeouts for connections according to the +connection type. You can set timeout values for generic connections, for ICMP +connections, UDP connections, or for TCP connections in a number of different +states. + +.. cfgcmd:: set firewall global-options timeout icmp <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout other <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp close <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp close-wait <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp established <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp fin-wait <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp last-ack <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp syn-recv <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp syn-sent <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout tcp time-wait <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout udp other <1-21474836> + :defaultvalue: +.. cfgcmd:: set firewall global-options timeout udp stream <1-21474836> + :defaultvalue: + + Set the timeout in seconds for a protocol or state. \ No newline at end of file diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 1d904901..daf5f116 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst 
@@ -26,14 +26,23 @@ firewall are covered below: If the interface where the packet was received isn't part of a bridge, then packet is processed at the **IP Layer**: - * **Prerouting**: several actions can be done in this stage, and currently - these actions are defined in different parts in VyOS configuration. Order - is important, and all these actions are performed before any actions - defined under ``firewall`` section. Relevant configuration that acts in - this stage are: + * **Prerouting**: All packets that are received by the router + are processed in this stage, regardless of the destination of the packet. + Starting from vyos-1.5-rolling-202406120020, a new section was added to + firewall configuration. There are several actions that can be done in this + stage, and currently these actions are also defined in different parts in + VyOS configuration. Order is important, and relevant configuration that + acts in this stage are: + + * **Firewall prerouting**: rules defined under ``set firewall [ipv4 | + ipv6] prerouting raw...``. All rules defined in this section are + processed before connection tracking subsystem. * **Conntrack Ignore**: rules defined under ``set system conntrack ignore - [ipv4 | ipv6] ...``. + [ipv4 | ipv6] ...``. Starting from vyos-1.5-rolling-202406120020, + configuration done in this section can be done in ``firewall [ipv4 | + ipv6] prerouting ...``. For compatibility reasons, this feature is + still present, but it will be removed in the future. * **Policy Route**: rules defined under ``set policy [route | route6] ...``. 
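Review bot: The Conntrack Ignore bullet in this hunk points migrating users at ``firewall [ipv4 | ipv6] prerouting ...`` while the new bullet directly above names the section ``set firewall [ipv4 | ipv6] prerouting raw...``; use the full path in both places so the reader knows the replacement is the raw chain. Two smaller wording points: "relevant configuration that acts in this stage are" should read "is", and "processed before connection tracking subsystem" needs the article ("before the connection tracking subsystem"; the same phrase recurs in the Output hunk below and in the ipv4.rst and ipv6.rst hunks of this commit). The deprecation sentence "it will be removed in the future" names no target release; if one is known, state it, since operators need lead time to move their ``system conntrack ignore`` rules into the new section.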
@@ -67,11 +76,13 @@ packet is processed at the **IP Layer**: new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externally through **input** (for example response to an ssh login attempt to the router). - This includes ipv4 and ipv6 filtering rules, defined in: + This includes ipv4 and ipv6 rules, and two different sections are present: - * ``set firewall ipv4 output filter ...``. + * **Output Prerouting**: ``set firewall [ipv4 | ipv6] output filter ...``. + As described in **Prerouting**, rules defined in this section are + processed before connection tracking subsystem. - * ``set firewall ipv6 output filter ...``. + * **Output Filter**: ``set firewall [ipv4 | ipv6] output filter ...``. * **Postrouting**: as in **Prerouting**, several actions defined in different parts of VyOS configuration are performed in this @@ -120,6 +131,9 @@ The main structure of the VyOS firewall CLI is shown next: + filter - output + filter + + raw + - prerouting + + raw - name + custom_name * ipv6 @@ -129,6 +143,9 @@ The main structure of the VyOS firewall CLI is shown next: + filter - output + filter + + raw + - prerouting + + raw - ipv6-name + custom_name * zone diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst index f7f98dc7..e53f2480 100644 --- a/docs/configuration/firewall/ipv4.rst +++ b/docs/configuration/firewall/ipv4.rst 
@@ -31,17 +31,34 @@ of the general structure: + filter - output + filter + + raw + - prerouting + + raw - name + custom_name +First, all traffic is received by the router, and it is processed in the +**prerouting** section. + +This stage includes: + + * **Firewall Prerouting**: commands found under ``set firewall ipv4 + prerouting raw ...`` + * :doc:`Conntrack Ignore`: ``set system + conntrack ignore ipv4...`` + * :doc:`Policy Route`: commands found under + ``set policy route ...`` + * :doc:`Destination NAT`: commands found under + ``set nat destination ...`` + For transit traffic, which is received by the router and forwarded, base chain is **forward**. A simplified packet flow diagram for transit traffic is shown next: .. figure:: /_static/images/firewall-fwd-packet-flow.png -Where firewall base chain to configure firewall filtering rules for transit -traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, +Firewall base chain to configure firewall filtering rules for transit traffic +is ``set firewall ipv4 forward filter ...``, which happens in stage 5, highlighted with red color. For traffic towards the router itself, base chain is **input**, while traffic 
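Review bot: The new "This stage includes" list in this hunk reads as an unordered inventory, but index.rst in this same commit stresses that the order of these prerouting components matters; state explicitly that the list is in processing order, with ``firewall ipv4 prerouting raw`` first (before connection tracking) and ``nat destination`` last, so a reader placing a drop in the raw chain understands it runs before Conntrack Ignore, Policy Route and DNAT see the packet. The sentence kept below the list ("happens in stage 5, highlighted with red color") refers to the existing packet-flow figure; check that firewall-fwd-packet-flow.png shows the new prerouting raw chain, otherwise the stage numbering in the prose and the diagram drift apart. The ipv6.rst hunk of this commit mirrors this one and needs the same treatment.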
@@ -52,11 +69,17 @@ router (starting from circle number 6): .. figure:: /_static/images/firewall-input-packet-flow.png -Base chain is for traffic toward the router is ``set firewall ipv4 input +Base chain for traffic towards the router is ``set firewall ipv4 input filter ...`` And base chain for traffic generated by the router is ``set firewall ipv4 -output filter ...`` +output ...``, where two sub-chains are available: **filter** and **raw**: + +* **Output Prerouting**: ``set firewall ipv4 output raw ...``. + As described in **Prerouting**, rules defined in this section are + processed before connection tracking subsystem. +* **Output Filter**: ``set firewall ipv4 output filter ...``. Rules defined + in this section are processed after connection tracking subsystem. .. note:: **Important note about default-actions:** If default action for any base chain is not defined, then the default diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst index cbf18a7d..423f3e09 100644 --- a/docs/configuration/firewall/ipv6.rst +++ b/docs/configuration/firewall/ipv6.rst 
@@ -31,17 +31,34 @@ of the general structure: + filter - output + filter + + raw + - prerouting + + raw - name + custom_name +First, all traffic is received by the router, and it is processed in the +**prerouting** section. + +This stage includes: + + * **Firewall Prerouting**: commands found under ``set firewall ipv6 + prerouting raw ...`` + * :doc:`Conntrack Ignore`: ``set system + conntrack ignore ipv6...`` + * :doc:`Policy Route`: commands found under + ``set policy route6 ...`` + * :doc:`Destination NAT`: commands found under + ``set nat66 destination ...`` + For transit traffic, which is received by the router and forwarded, base chain is **forward**. A simplified packet flow diagram for transit traffic is shown next: .. figure:: /_static/images/firewall-fwd-packet-flow.png -Where firewall base chain to configure firewall filtering rules for transit -traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, +Firewall base chain to configure firewall filtering rules for transit traffic +is ``set firewall ipv6 forward filter ...``, which happens in stage 5, highlighted with red color. For traffic towards the router itself, base chain is **input**, while traffic 
@@ -52,11 +69,17 @@ router (starting from circle number 6): .. figure:: /_static/images/firewall-input-packet-flow.png -Base chain is for traffic toward the router is ``set firewall ipv6 input +Base chain for traffic towards the router is ``set firewall ipv6 input filter ...`` And base chain for traffic generated by the router is ``set firewall ipv6 -output filter ...`` +output filter ...``, where two sub-chains are available: **filter** and **raw**: + +* **Output Prerouting**: ``set firewall ipv6 output raw ...``. + As described in **Prerouting**, rules defined in this section are + processed before connection tracking subsystem. +* **Output Filter**: ``set firewall ipv6 output filter ...``. Rules defined + in this section are processed after connection tracking subsystem. .. note:: **Important note about default-actions:** If default action for any base chain is not defined, then the default -- cgit v1.2.3 From fe416b56cfa30494172a0310c16fd2787330c7bb Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Fri, 14 Jun 2024 11:14:53 -0300 Subject: Configuration Blueprints: add new example for firewall+vrf. Also, add note about usage of inbound and outbound interface when interface is attached to a non-default vrf. --- .../_static/images/firewall-and-vrf-blueprints.png | Bin 0 -> 84270 bytes docs/configexamples/firewall.rst | 12 ++ docs/configexamples/fwall-and-vrf.rst | 121 +++++++++++++++++++++ docs/configexamples/index.rst | 2 +- docs/configexamples/zone-policy.rst | 13 +-- docs/configuration/firewall/ipv4.rst | 8 ++ docs/configuration/firewall/ipv6.rst | 8 ++ 7 files changed, 151 insertions(+), 13 deletions(-) create mode 100644 docs/_static/images/firewall-and-vrf-blueprints.png create mode 100644 docs/configexamples/firewall.rst create mode 100644 docs/configexamples/fwall-and-vrf.rst (limited to 'docs/configuration/firewall') 
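Review bot: All twelve ``.. cfgcmd::`` entries added to global-options.rst carry an empty ``:defaultvalue:`` option; either fill in the actual default for each protocol and TCP state or drop the option, since an empty field documents nothing. The single trailing sentence "Set the timeout in seconds for a protocol or state." is the only explanation for the whole block; say what the timeout governs (how long a connection-tracking entry in that state is kept before it is expired) and note that the ``<1-21474836>`` range is in seconds, because operators tune these values to bound conntrack table growth under floods of half-open connections and to avoid expiring long-lived idle sessions. The file also ends without a trailing newline ("\ No newline at end of file").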
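Review bot: In the Output hunk of index.rst (``@@ -67,11 +76,13 @@``), the new **Output Prerouting** bullet is documented as ``set firewall [ipv4 | ipv6] output filter ...``, the same path as the **Output Filter** bullet right below it; per the ipv4.rst and ipv6.rst hunks of this commit the pre-conntrack output chain is ``output raw``, so this should read ``set firewall [ipv4 | ipv6] output raw ...``. As written, the two bullets describe one chain as both before and after connection tracking. Consider also naming the bullet **Output Raw** rather than **Output Prerouting**: locally generated traffic never passes a prerouting hook, and the CLI structure tree added further down in this file places ``raw`` under ``output``.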
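Review bot: The replacement line in the ipv6.rst ``@@ -52,11 +69,17 @@`` hunk reads "``set firewall ipv6 output filter ...``, where two sub-chains are available: **filter** and **raw**", which names ``filter`` as the parent of itself; the ipv4.rst counterpart in this commit correctly says ``set firewall ipv4 output ...``. Drop "filter" from the parent path so the sentence matches the two bullets that follow (``output raw`` and ``output filter``).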
diff --git a/docs/_static/images/firewall-and-vrf-blueprints.png b/docs/_static/images/firewall-and-vrf-blueprints.png new file mode 100644 index 00000000..8c3bf9f2 Binary files /dev/null and b/docs/_static/images/firewall-and-vrf-blueprints.png differ diff --git a/docs/configexamples/firewall.rst b/docs/configexamples/firewall.rst new file mode 100644 index 00000000..e0a4ca55 --- /dev/null +++ b/docs/configexamples/firewall.rst @@ -0,0 +1,12 @@ +:lastproofread: 2024-06-14 + +Firewall Examples +================= + +This section contains examples of firewall configurations for various deployments. + +.. toctree:: + :maxdepth: 2 + + fwall-and-vrf + zone-policy diff --git a/docs/configexamples/fwall-and-vrf.rst b/docs/configexamples/fwall-and-vrf.rst new file mode 100644 index 00000000..38663a18 --- /dev/null +++ b/docs/configexamples/fwall-and-vrf.rst 
@@ -0,0 +1,121 @@ +VRF and firewall example +------------------------ + +Scenario and requirements +^^^^^^^^^^^^^^^^^^^^^^^^^ + +This example shows how to configure a VyOS router with VRFs and firewall rules. + +Diagram used in this example: + +.. image:: /_static/images/firewall-and-vrf-blueprints.png + :width: 80% + :align: center + :alt: Network Topology Diagram + +As exposed in the diagram, there are four VRFs. These VRFs are ``MGMT``, +``WAN``, ``LAN`` and ``PROD``, and their requirements are: + +* VRF MGMT: + * Allow connections to LAN and PROD. + * Deny connections to internet(WAN). + * Allow connections to the router. +* VRF LAN: + * Allow connections to PROD. + * Allow connections to internet(WAN). +* VRF PROD: + * Only accepts connections. +* VRF WAN: + * Allow connection to PROD. + +Configuration +^^^^^^^^^^^^^ + +First, we need to configure the interfaces and VRFs: + +.. code-block:: none + + set interfaces ethernet eth1 address '10.100.100.1/24' + set interfaces ethernet eth1 vrf 'MGMT' + set interfaces ethernet eth2 vif 150 address '10.150.150.1/24' + set interfaces ethernet eth2 vif 150 vrf 'LAN' + set interfaces ethernet eth2 vif 160 address '10.160.160.1/24' + set interfaces ethernet eth2 vif 160 vrf 'LAN' + set interfaces ethernet eth2 vif 3500 address '172.16.20.1/24' + set interfaces ethernet eth2 vif 3500 vrf 'PROD' + set interfaces loopback lo + set interfaces pppoe pppoe0 authentication password 'p4ssw0rd' + set interfaces pppoe pppoe0 authentication username 'vyos' + set interfaces pppoe pppoe0 source-interface 'eth0' + set interfaces pppoe pppoe0 vrf 'WAN' + set vrf bind-to-all + set vrf name LAN protocols static route 0.0.0.0/0 interface pppoe0 vrf 'WAN' + set vrf name LAN protocols static route 10.100.100.0/24 interface eth1 vrf 'MGMT' + set vrf name LAN protocols static route 172.16.20.0/24 interface eth2.3500 vrf 'PROD' + set vrf name LAN table '103' + set vrf name MGMT protocols static route 10.150.150.0/24 interface eth2.150 vrf 'LAN' 
+ set vrf name MGMT protocols static route 10.160.160.0/24 interface eth2.160 vrf 'LAN' + set vrf name MGMT protocols static route 172.16.20.0/24 interface eth2.3500 vrf 'PROD' + set vrf name MGMT table '102' + set vrf name PROD protocols static route 0.0.0.0/0 interface pppoe0 vrf 'WAN' + set vrf name PROD protocols static route 10.100.100.0/24 interface eth1 vrf 'MGMT' + set vrf name PROD protocols static route 10.150.150.0/24 interface eth2.150 vrf 'LAN' + set vrf name PROD protocols static route 10.160.160.0/24 interface eth2.160 vrf 'LAN' + set vrf name PROD table '104' + set vrf name WAN protocols static route 10.150.150.0/24 interface eth2.150 vrf 'LAN' + set vrf name WAN protocols static route 10.160.160.0/24 interface eth2.160 vrf 'LAN' + set vrf name WAN protocols static route 172.16.20.0/24 interface eth2.3500 vrf 'PROD' + set vrf name WAN table '101' + +And before firewall rules are shown, we need to pay attention how to configure +and match interfaces and VRFs. In case where an interface is assigned to a +non-default VRF, if we want to use inbound-interface or outbound-interface in +firewall rules, we need to: + +* For **inbound-interface**: use the interface name with the VRF name, like + ``MGMT`` or ``LAN``. +* For **outbound-interface**: use the interface name, like ``eth0``, ``vtun0``, + ``eth2*`` or similar. + +Next, we need to configure the firewall rules. First we will define all rules +for transit traffic between VRFs. + +.. 
code-block:: none + + set firewall ipv4 forward filter default-action 'drop' + set firewall ipv4 forward filter default-log + set firewall ipv4 forward filter rule 10 action 'accept' + set firewall ipv4 forward filter rule 10 description 'MGMT - Allow to LAN and PROD' + set firewall ipv4 forward filter rule 10 inbound-interface name 'MGMT' + set firewall ipv4 forward filter rule 10 outbound-interface name 'eth2*' + set firewall ipv4 forward filter rule 99 action 'drop' + set firewall ipv4 forward filter rule 99 description 'MGMT - Drop all going to mgmt' + set firewall ipv4 forward filter rule 99 outbound-interface name 'eth1' + set firewall ipv4 forward filter rule 120 action 'accept' + set firewall ipv4 forward filter rule 120 description 'LAN - Allow to PROD' + set firewall ipv4 forward filter rule 120 inbound-interface name 'LAN' + set firewall ipv4 forward filter rule 120 outbound-interface name 'eth2.3500' + set firewall ipv4 forward filter rule 130 action 'accept' + set firewall ipv4 forward filter rule 130 description 'LAN - Allow internet' + set firewall ipv4 forward filter rule 130 inbound-interface name 'LAN' + set firewall ipv4 forward filter rule 130 outbound-interface name 'pppoe0' + +Also, we are adding global state policies, in order to allow established and +related traffic, in order not to drop valid responses: + +.. code-block:: none + + set firewall global-options state-policy established action 'accept' + set firewall global-options state-policy invalid action 'drop' + set firewall global-options state-policy related action 'accept' + +And finally, we need to allow input connections to the router itself only from +vrf MGMT: + +.. 
code-block:: none + + set firewall ipv4 input filter default-action 'drop' + set firewall ipv4 input filter default-log + set firewall ipv4 input filter rule 10 action 'accept' + set firewall ipv4 input filter rule 10 description 'MGMT - Allow input' + set firewall ipv4 input filter rule 10 inbound-interface name 'MGMT' \ No newline at end of file diff --git a/docs/configexamples/index.rst b/docs/configexamples/index.rst index d5973eb2..11dee806 100644 --- a/docs/configexamples/index.rst +++ b/docs/configexamples/index.rst @@ -8,7 +8,7 @@ This chapter contains various configuration examples: .. toctree:: :maxdepth: 2 - zone-policy + firewall bgp-ipv6-unnumbered ospf-unnumbered azure-vpn-bgp diff --git a/docs/configexamples/zone-policy.rst b/docs/configexamples/zone-policy.rst index 95648e7a..d0101ebf 100644 --- a/docs/configexamples/zone-policy.rst +++ b/docs/configexamples/zone-policy.rst @@ -1,20 +1,10 @@ -:lastproofread: 2021-06-29 +:lastproofread: 2024-06-14 .. _examples-zone-policy: Zone-Policy example ------------------- -.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall - structure can be found on all vyos installations, and zone based firewall is - no longer supported. Documentation for most of the new firewall CLI can be - found in the `firewall - `_ - chapter. The legacy firewall is still available for versions before - 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` - chapter. The examples in this section use the legacy firewall configuration - commands, since this feature has been removed in earlier releases. - .. note:: In :vytask:`T2199` the syntax of the zone configuration was changed. The zone configuration moved from ``zone-policy zone `` to ``firewall zone ``. @@ -428,4 +418,3 @@ Something like: address ip.of.tunnel.broker } } - diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst index e53f2480..39370c86 100644 --- a/docs/configuration/firewall/ipv4.rst 
+++ b/docs/configuration/firewall/ipv4.rst @@ -732,6 +732,10 @@ geoip) to keep database and rules updated. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supported. For example ``!eth2`` +.. note:: If an interface is attached to a non-default vrf, when using + **inbound-interface**, vrf name must be used. For example ``set firewall + ipv4 forward filter rule 10 inbound-interface name MGMT`` + .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> inbound-interface group .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> @@ -753,6 +757,10 @@ geoip) to keep database and rules updated. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supported. For example ``!eth2`` +.. note:: If an interface is attached to a non-default vrf, when using + **outbound-interface**, real interface name must be used. For example + ``set firewall ipv4 forward filter rule 10 outbound-interface name eth0`` + .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> outbound-interface group .. cfgcmd:: set firewall ipv4 output filter rule <1-999999> diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst index 423f3e09..511fd51f 100644 --- a/docs/configuration/firewall/ipv6.rst +++ b/docs/configuration/firewall/ipv6.rst @@ -723,6 +723,10 @@ geoip) to keep database and rules updated. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supported. For example ``!eth2`` +.. note:: If an interface is attached to a non-default vrf, when using + **inbound-interface**, vrf name must be used. For example ``set firewall + ipv6 forward filter rule 10 inbound-interface name MGMT`` + .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> inbound-interface group .. cfgcmd:: set firewall ipv6 input filter rule <1-999999> 
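Review bot: The requirements list in the new docs/configexamples/fwall-and-vrf.rst states "VRF WAN: Allow connection to PROD", but none of the forward filter rules shown (10, 99, 120, 130) accepts traffic with ``inbound-interface name 'WAN'``, and the chain's default-action is ``drop``, so traffic entering from WAN towards 172.16.20.0/24 is dropped by the configuration as published even though a static route for it is defined in VRF WAN. Either add a rule for that flow (inbound-interface name ``WAN``, outbound-interface name ``eth2.3500``) or remove the requirement, so the example and its stated policy agree. Two smaller points in the same file: "use the interface name with the VRF name, like ``MGMT`` or ``LAN``" should say that the VRF name is used instead of the interface name (as the notes added to ipv4.rst and ipv6.rst put it), and the new file lacks the ``:lastproofread:`` header that firewall.rst in this commit carries and ends without a trailing newline.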
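Review bot: The zone-policy.rst hunk removes the note that the examples on that page use legacy firewall configuration commands, but the diff touches no example command (only the note, the ``:lastproofread:`` date and a trailing blank line change, matching the "13 +--" in the stat). If the examples below still use the pre-1.4 syntax, the reader loses the only warning that they will not apply on current releases; either keep the note or convert the examples in the same change.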
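Review bot: The inbound-interface note added in the ipv4.rst ``@@ -732,6 +732,10 @@`` hunk (and its ipv6.rst twin) tells the reader that the VRF name must be used, but not what happens otherwise: a rule written with the enslaved interface's own name never matches, so an accept rule becomes dead and the traffic falls through to the default action, while a drop written that way silently never fires. State that consequence, and explain the asymmetry with the outbound-interface note two hunks down (ingress is matched against the VRF name, egress against the real interface name) so it reads as a rule rather than a quirk. The command quoted in the note, ``set firewall ipv4 forward filter rule 10 inbound-interface name MGMT``, matches rule 10 of the new fwall-and-vrf.rst blueprint; link to that page from here.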
@@ -744,6 +748,10 @@ geoip) to keep database and rules updated. For example: ``eth2*``. Prepending character ``!`` for inverted matching criteria is also supported. For example ``!eth2`` +.. note:: If an interface is attached to a non-default vrf, when using + **outbound-interface**, real interface name must be used. For example + ``set firewall ipv6 forward filter rule 10 outbound-interface name eth0`` + .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> outbound-interface group .. cfgcmd:: set firewall ipv6 output filter rule <1-999999> -- cgit v1.2.3 From e2427a9c2515780a12fc3a6702cfc95793053605 Mon Sep 17 00:00:00 2001 From: Simon Novak Date: Thu, 20 Jun 2024 16:07:46 +0200 Subject: Update flowtables.rst chore(docs): fixed typos & relevant distinctions for ipv4, ipv6 --- docs/configuration/firewall/flowtables.rst | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'docs/configuration/firewall') diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst index e8a5f2e8..ae95a85f 100644 --- a/docs/configuration/firewall/flowtables.rst +++ b/docs/configuration/firewall/flowtables.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-12-26 +:lastproofread: 2024-06-20 .. _firewall-flowtables-configuration: @@ -85,12 +85,12 @@ Provide a description to the flow table. Creating rules for using flow tables: -.. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999> +.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> action offload Create firewall rule in forward chain, and set action to ``offload``. -.. cfgcmd:: set firewall [ipv4 | ipv4] forward filter rule <1-999999> +.. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> offload-target Create firewall rule in forward chain, and define which flowtbale 
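Review bot: The last context line of the flowtables.rst ``@@ -85,12 +85,12 @@`` hunk still reads "define which flowtbale" although the commit message says it fixes typos in this file; since the line is already inside the hunk's context, include the fix ("flowtable") in this change.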
@@ -142,7 +142,7 @@ Explanation Analysis on what happens for desired connection: - 1. First packet is received on eht0, with destination address 192.0.2.100, + 1. First packet is received on eth0, with destination address 192.0.2.100, protocol tcp and destination port 1122. Assume such destination address is reachable through interface eth1. @@ -159,7 +159,7 @@ Analysis on what happens for desired connection: connection state is **established**, then rule 10 is hit, and a new entry in the flowtable FT01 is added for this connection. - 6. All subsecuent packets will skip traditional path, and will be offloaded + 6. All the following packets will skip traditional path, and will be offloaded and will use the **Fast Path**. Checks -- cgit v1.2.3 From fd7322695e28a89ce98dad7d726523f171313f5a Mon Sep 17 00:00:00 2001 From: whyrlpool <26317568+whyrlpool@users.noreply.github.com> Date: Wed, 3 Jul 2024 14:58:05 +0100 Subject: Update firewall index.rst change "bare in mind" to "bear in mind" re https://www.scribbr.co.uk/definition/bear-in-mind-meaning/ --- docs/configuration/firewall/index.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docs/configuration/firewall') diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index daf5f116..30f3bfdf 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -72,7 +72,7 @@ packet is processed at the **IP Layer**: * ``set firewall ipv6 forward filter ...``. * **Output**: stage where traffic that originates from the router itself - can be filtered and controlled. Bear in mind that this traffic can be a + can be filtered and controlled. Bare in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externally through **input** (for example response to an ssh login attempt to the router). -- cgit v1.2.3 
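Review bot: The index.rst hunk of the "Update firewall index.rst" commit does the opposite of what its subject says: the removed line reads "Bear in mind" and the added line reads "Bare in mind", so the change reintroduces the misspelling it claims to fix. The following commit in this series, "s/bare/bear across docs", touches docs/configuration/firewall/index.rst again, which is consistent with this one having gone the wrong way. Verify the direction of the change before merging, or squash the two commits.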
From 63ee8dfafac3f9aef13d9e25b21216443d02c258 Mon Sep 17 00:00:00 2001 From: whyrlpool <26317568+whyrlpool@users.noreply.github.com> Date: Wed, 3 Jul 2024 15:17:27 +0100 Subject: s/bare/bear across docs, fix typo in proxmox cloud-init docs --- docs/_locale/de/automation.pot | 4 ++-- docs/_locale/de/configuration.pot | 4 ++-- docs/_locale/es/automation.pot | 2 +- docs/_locale/es/configuration.pot | 4 ++-- docs/_locale/ja/configuration.pot | 4 ++-- docs/_locale/pt/automation.pot | 4 ++-- docs/_locale/pt/configuration.pot | 4 ++-- docs/_locale/uk/automation.pot | 2 +- docs/_locale/uk/configuration.pot | 4 ++-- docs/automation/cloud-init.rst | 4 ++-- docs/configuration/firewall/index.rst | 2 +- 11 files changed, 19 insertions(+), 19 deletions(-) (limited to 'docs/configuration/firewall') diff --git a/docs/_locale/de/automation.pot b/docs/_locale/de/automation.pot index acd55638..480bfa35 100644 --- a/docs/_locale/de/automation.pot +++ b/docs/_locale/de/automation.pot 
@@ -781,8 +781,8 @@ msgid "If command ends in a value, it must be inside single quotes." msgstr "If command ends in a value, it must be inside single quotes." #: ../../automation/cloud-init.rst:253 -msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bare in mind that this configuration will be inyected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." -msgstr "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bare in mind that this configuration will be inyected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." +msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bear in mind that this configuration will be injected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." +msgstr "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bear in mind that this configuration will be injected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." #: ../../automation/cloud-init.rst:228 msgid "If you encounter problems, verify that the cloud-config document contains valid YAML. Online resources such as https://www.yamllint.com/ provide a simple tool for validating YAML." diff --git a/docs/_locale/de/configuration.pot b/docs/_locale/de/configuration.pot index f0ae9a1d..dc70be5a 100644 --- a/docs/_locale/de/configuration.pot +++ b/docs/_locale/de/configuration.pot 
@@ -391,8 +391,8 @@ msgid "**Origin check**" msgstr "**Origin check**" #: ../../configuration/firewall/index.rst:64 -msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" -msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" #: ../../configuration/firewall/index.rst:65 msgid "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. 
Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externaly through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" diff --git a/docs/_locale/es/automation.pot b/docs/_locale/es/automation.pot index 1bef6c23..c98faa2f 100644 --- a/docs/_locale/es/automation.pot +++ b/docs/_locale/es/automation.pot @@ -781,7 +781,7 @@ msgid "If command ends in a value, it must be inside single quotes." msgstr "Si el comando termina en un valor, debe estar entre comillas simples." #: ../../automation/cloud-init.rst:253 -msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bare in mind that this configuration will be inyected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." +msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bear in mind that this configuration will be injected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." msgstr "Si no se proporciona una configuración de red, el cliente dhcp se habilitará en la primera interfaz. Tenga en cuenta que esta configuración se inyectará a nivel del sistema operativo, así que no espere encontrar la configuración del cliente dhcp en vyos cli. Debido a este comportamiento, en el siguiente laboratorio de ejemplo, deshabilitaremos la configuración de dhcp-client en eth0." #: ../../automation/cloud-init.rst:228 diff --git a/docs/_locale/es/configuration.pot b/docs/_locale/es/configuration.pot index b7b3a78a..821ecc6a 100644 --- a/docs/_locale/es/configuration.pot 
+++ b/docs/_locale/es/configuration.pot 
@@ -391,8 +391,8 @@ msgid "**Origin check**" msgstr "**Comprobación de origen**" #: ../../configuration/firewall/index.rst:64 -msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" -msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" #: ../../configuration/firewall/index.rst:65 msgid "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. 
Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externaly through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" diff --git a/docs/_locale/ja/configuration.pot b/docs/_locale/ja/configuration.pot index 3518562b..19d6802f 100644 --- a/docs/_locale/ja/configuration.pot +++ b/docs/_locale/ja/configuration.pot 
@@ -391,8 +391,8 @@ msgid "**Origin check**" msgstr "**Origin check**" #: ../../configuration/firewall/index.rst:64 -msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" -msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" #: ../../configuration/firewall/index.rst:65 msgid "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. 
Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externaly through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" diff --git a/docs/_locale/pt/automation.pot b/docs/_locale/pt/automation.pot index 6494fae3..198dea36 100644 --- a/docs/_locale/pt/automation.pot +++ b/docs/_locale/pt/automation.pot 
@@ -781,8 +781,8 @@ msgid "If command ends in a value, it must be inside single quotes." msgstr "If command ends in a value, it must be inside single quotes." #: ../../automation/cloud-init.rst:253 -msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bare in mind that this configuration will be inyected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." -msgstr "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bare in mind that this configuration will be inyected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." +msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bear in mind that this configuration will be injected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." +msgstr "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bear in mind that this configuration will be injected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." #: ../../automation/cloud-init.rst:228 msgid "If you encounter problems, verify that the cloud-config document contains valid YAML. Online resources such as https://www.yamllint.com/ provide a simple tool for validating YAML." diff --git a/docs/_locale/pt/configuration.pot b/docs/_locale/pt/configuration.pot index 098a9f01..f73095f6 100644 --- a/docs/_locale/pt/configuration.pot +++ b/docs/_locale/pt/configuration.pot 
@@ -391,8 +391,8 @@ msgid "**Origin check**" msgstr "**Origin check**" #: ../../configuration/firewall/index.rst:64 -msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" -msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" #: ../../configuration/firewall/index.rst:65 msgid "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. 
Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externaly through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" diff --git a/docs/_locale/uk/automation.pot b/docs/_locale/uk/automation.pot index 96148754..e8f049f7 100644 --- a/docs/_locale/uk/automation.pot +++ b/docs/_locale/uk/automation.pot @@ -781,7 +781,7 @@ msgid "If command ends in a value, it must be inside single quotes." msgstr "Якщо команда закінчується значенням, воно має бути в одинарних лапках." #: ../../automation/cloud-init.rst:253 -msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bare in mind that this configuration will be inyected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." +msgid "If no networking configuration is provided, then dhcp client is going to be enabled on first interface. Bear in mind that this configuration will be injected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0." msgstr "Якщо конфігурація мережі не надається, клієнт dhcp буде ввімкнено на першому інтерфейсі. Майте на увазі, що цю конфігурацію буде введено на рівні ОС, тому не очікуйте знайти конфігурацію клієнта dhcp у vyos cli. Через таку поведінку в наступному прикладі лабораторної роботи ми вимкнемо конфігурацію dhcp-клієнта на eth0." #: ../../automation/cloud-init.rst:228 diff --git a/docs/_locale/uk/configuration.pot b/docs/_locale/uk/configuration.pot index 3f9e7bd2..5195191f 100644 --- a/docs/_locale/uk/configuration.pot +++ b/docs/_locale/uk/configuration.pot 
@@ -391,8 +391,8 @@ msgid "**Origin check**" msgstr "**Перевірка походження**" #: ../../configuration/firewall/index.rst:64 -msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" -msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bare in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgid "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" +msgstr "**Output**: stage where traffic that is originated by the router itself can be filtered and controlled. Bear in mind that this traffic can be a new connection originted by a internal process running on VyOS router, such as NTP, or can be a response to traffic received externaly through **inputt** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" #: ../../configuration/firewall/index.rst:65 msgid "**Output**: stage where traffic that originates from the router itself can be filtered and controlled. 
Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externaly through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 filtering rules, defined in:" diff --git a/docs/automation/cloud-init.rst b/docs/automation/cloud-init.rst index 0b9ee207..ef796f45 100644 --- a/docs/automation/cloud-init.rst +++ b/docs/automation/cloud-init.rst @@ -251,8 +251,8 @@ Most important keys that needs to be considered: * Networking configurations shouldn't be passed in user-data file. * If no networking configuration is provided, then dhcp client is going to be - enabled on first interface. Bare in mind that this configuration will be - inyected at an OS level, so don't expect to find dhcp client configuration + enabled on first interface. Bear in mind that this configuration will be + injected at an OS level, so don't expect to find dhcp client configuration on vyos cli. Because of this behavior, in next example lab we will disable dhcp-client configuration on eth0. diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 30f3bfdf..daf5f116 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -72,7 +72,7 @@ packet is processed at the **IP Layer**: * ``set firewall ipv6 forward filter ...``. * **Output**: stage where traffic that originates from the router itself - can be filtered and controlled. Bare in mind that this traffic can be a + can be filtered and controlled. Bear in mind that this traffic can be a new connection originated by a internal process running on VyOS router, such as NTP, or a response to traffic received externally through **input** (for example response to an ssh login attempt to the router). -- cgit v1.2.3 From 8214ffe4c61f6a14bddf2fed43bff915f2503c6f Mon Sep 17 00:00:00 2001 
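Review bot: the four configuration.pot hunks (es, ja, pt, uk) only half-correct the index.rst:64 msgid: "Bare" becomes "Bear", but "originted", "a internal", "externaly" and "inputt" survive in the same string, while the neighbouring index.rst:65 entry already carries the corrected sentence ("originated", "**input**"). Hand-editing msgid strings in the catalogues is fragile, because gettext matches entries by msgid and an entry that no longer matches the extracted source text is marked obsolete or fuzzy on the next extraction anyway. Fix the sentence once in docs/configuration/firewall/index.rst and regenerate the .pot files with the same extraction step that produced them instead of patching them directly; that also retires the stale :64 entry.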
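Review bot: the docs/configuration/firewall/index.rst hunk keeps "originated by a internal process" in the + line; change it to "an internal process" while touching that line, otherwise the index.rst:65 msgids in all four locales need another round of re-extraction for the same sentence.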
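Review bot: the docs/automation/cloud-init.rst hunk leaves "enabled on first interface" and "in next example lab" untouched in its context lines; "on the first interface" and "in the next example lab" read better, and the pt/uk automation.pot msgids above would need the identical change so the catalogue entry keeps matching the source.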
From: whyrlpool <26317568+whyrlpool@users.noreply.github.com> Date: Wed, 3 Jul 2024 17:26:08 +0100 Subject: proofread and update firewall docs --- docs/automation/cloud-init.rst | 2 +- docs/configuration/container/index.rst | 4 +- docs/configuration/firewall/bridge.rst | 48 +++---- docs/configuration/firewall/flowtables.rst | 26 ++-- docs/configuration/firewall/global-options.rst | 22 ++-- docs/configuration/firewall/groups.rst | 19 ++- docs/configuration/firewall/index.rst | 26 ++-- docs/configuration/firewall/ipv4.rst | 165 ++++++++++++------------ docs/configuration/firewall/ipv6.rst | 167 ++++++++++++------------- docs/configuration/firewall/zone.rst | 18 +-- 10 files changed, 247 insertions(+), 250 deletions(-) (limited to 'docs/configuration/firewall') diff --git a/docs/automation/cloud-init.rst b/docs/automation/cloud-init.rst index ef796f45..f2ecaa77 100644 --- a/docs/automation/cloud-init.rst +++ b/docs/automation/cloud-init.rst @@ -1,4 +1,4 @@ -:lastproofread: 2021-07-12 +:lastproofread: 2024-07-03 .. _cloud-init: diff --git a/docs/configuration/container/index.rst b/docs/configuration/container/index.rst index a1672aa7..8be82e1b 100644 --- a/docs/configuration/container/index.rst +++ b/docs/configuration/container/index.rst @@ -1,10 +1,10 @@ -:lastproofread: 2022-06-10 +:lastproofread: 2024-07-03 ######### Container ######### -The VyOS container implementation is based on `Podman` as +The VyOS container implementation is based on `Podman `_ as a deamonless container engine. ************* diff --git a/docs/configuration/firewall/bridge.rst b/docs/configuration/firewall/bridge.rst index f84fd456..2e3d3634 100644 --- a/docs/configuration/firewall/bridge.rst +++ b/docs/configuration/firewall/bridge.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-08 +:lastproofread: 2024-07-03 .. _firewall-configuration: 
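Review bot: the container/index.rst hunk touches the Podman sentence but leaves "a deamonless container engine" in the trailing context line; correct it to "daemonless" in the same hunk. Also check the link target: the + line shows `Podman `_ with nothing between the link text and the closing backtick, and if the embedded URL was dropped Sphinx will report an unknown target name for "Podman" at build time.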
@@ -12,13 +12,13 @@ Bridge Firewall Configuration Overview ******** -In this section there's useful information of all firewall configuration that -can be done regarding bridge, and appropriate op-mode commands. +In this section there's useful information on all firewall configuration that +can be done regarding bridges, and appropriate op-mode commands. Configuration commands covered in this section: .. cfgcmd:: set firewall bridge ... -From main structure defined in :doc:`Firewall Overview` +From the main structure defined in :doc:`Firewall Overview` in this section you can find detailed information only for the next part of the general structure: @@ -41,7 +41,7 @@ For traffic that needs to be forwarded internally by the bridge, base chain is is **forward**, and it's base command for filtering is ``set firewall bridge forward filter ...``, which happens in stage 4, highlighted with red color. -Custom bridge firewall chains can be create with command ``set firewall bridge +Custom bridge firewall chains can be created with the command ``set firewall bridge name ...``. In order to use such custom chain, a rule with action jump, and the appropriate target should be defined in a base chain. @@ -55,9 +55,9 @@ and the appropriate target should be defined in a base chain. Bridge Rules ************ -For firewall filtering, firewall rules needs to be created. Each rule is +For firewall filtering, firewall rules need to be created. Each rule is numbered, has an action to apply if the rule is matched, and the ability -to specify multiple criteria matchers. Data packets go through the rules +to specify multiple matching criteria. Data packets go through the rules from 1 - 999999, so order is crucial. At the first match the action of the rule will be executed. 
@@ -65,7 +65,7 @@ Actions ======= If a rule is defined, then an action must be defined for it. This tells the -firewall what to do if all criteria matchers defined for such rule do match. +firewall what to do if all matching criterea in the rule are met. In firewall bridge rules, the action can be: @@ -101,7 +101,7 @@ In firewall bridge rules, the action can be: queue <0-65535> To be used only when action is set to ``queue``. Use this command to specify - queue target to use. Queue range is also supported. + the queue target to use. Queue range is also supported. .. cfgcmd:: set firewall bridge forward filter rule <1-999999> queue-options bypass @@ -121,7 +121,7 @@ In firewall bridge rules, the action can be: distribute packets between several queues. Also, **default-action** is an action that takes place whenever a packet does -not match any rule in it's chain. For base chains, possible options for +not match any rule in its' chain. For base chains, possible options for **default-action** are **accept** or **drop**. .. cfgcmd:: set firewall bridge forward filter default-action @@ -129,10 +129,10 @@ not match any rule in it's chain. For base chains, possible options for .. cfgcmd:: set firewall bridge name default-action [accept | continue | drop | jump | queue | return] - This set the default action of the rule-set if no rule matched a packet - criteria. If default-action is set to ``jump``, then + This sets the default action of the rule-set if a packet does not match + any of the rules in that chain. If default-action is set to ``jump``, then ``default-jump-target`` is also needed. Note that for base chains, default - action can only be set to ``accept`` or ``drop``, while on custom chain, + action can only be set to ``accept`` or ``drop``, while on custom chains more actions are available. .. cfgcmd:: set firewall bridge name default-jump-target 
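Review bot: the @@ -65 hunk introduces a typo while fixing the sentence: "if all matching criterea in the rule are met" should read "criteria".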
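Review bot: the @@ -121 hunk replaces the wrong "it's chain" with the equally wrong "its' chain"; the possessive takes no apostrophe, so write "not match any rule in its chain".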
@@ -141,9 +141,9 @@ not match any rule in it's chain. For base chains, possible options for command to specify jump target for default rule. .. note:: **Important note about default-actions:** - If default action for any base chain is not defined, then the default - action is set to **accept** for that chain. For custom chains, if default - action is not defined, then the default-action is set to **drop**. + If the default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if the + default action is not defined, then the default-action is set to **drop**. Firewall Logs ============= @@ -155,7 +155,7 @@ log options can be defined. .. cfgcmd:: set firewall bridge name rule <1-999999> log Enable logging for the matched packet. If this configuration command is not - present, then log is not enabled. + present, then the log is not enabled. .. cfgcmd:: set firewall bridge forward filter default-log .. cfgcmd:: set firewall bridge name default-log @@ -170,14 +170,15 @@ log options can be defined. log-options level [emerg | alert | crit | err | warn | notice | info | debug] - Define log-level. Only applicable if rule log is enable. + Define log-level. Only applicable if rule log is enabled. .. cfgcmd:: set firewall bridge forward filter rule <1-999999> log-options group <0-65535> .. cfgcmd:: set firewall bridge name rule <1-999999> log-options group <0-65535> - Define log group to send message to. Only applicable if rule log is enable. + Define the log group to send messages to. Only applicable if rule log is + enabled. .. cfgcmd:: set firewall bridge forward filter rule <1-999999> log-options snapshot-length <0-9000> 
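Review bot: the @@ -155 hunk changes "then log is not enabled" to "then the log is not enabled", which still reads oddly; what the command controls is logging, so "then logging is not enabled" is the intended wording.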
@@ -185,15 +186,16 @@ log options can be defined. log-options snapshot-length <0-9000> Define length of packet payload to include in netlink message. Only - applicable if rule log is enable and log group is defined. + applicable if rule log is enabled and the log group is defined. .. cfgcmd:: set firewall bridge forward filter rule <1-999999> log-options queue-threshold <0-65535> .. cfgcmd:: set firewall bridge name rule <1-999999> log-options queue-threshold <0-65535> - Define number of packets to queue inside the kernel before sending them to - userspace. Only applicable if rule log is enable and log group is defined. + Define the number of packets to queue inside the kernel before sending them + to userspace. Only applicable if rule log is enabled and the log group is + defined. Firewall Description ==================== @@ -207,7 +209,7 @@ For reference, a description can be defined for every defined custom chain. Rule Status =========== -When defining a rule, it is enable by default. In some cases, it is useful to +When defining a rule, it is enabled by default. In some cases, it is useful to just disable the rule, rather than removing it. .. cfgcmd:: set firewall bridge forward filter rule <1-999999> disable diff --git a/docs/configuration/firewall/flowtables.rst b/docs/configuration/firewall/flowtables.rst index ae95a85f..915bf39d 100644 --- a/docs/configuration/firewall/flowtables.rst +++ b/docs/configuration/firewall/flowtables.rst @@ -1,4 +1,4 @@ -:lastproofread: 2024-06-20 +:lastproofread: 2024-07-02 .. _firewall-flowtables-configuration: 
@@ -12,12 +12,12 @@ Flowtables Firewall Configuration Overview ******** -In this section there's useful information of all firewall configuration that +In this section there's useful information on all firewall configuration that can be done regarding flowtables. .. cfgcmd:: set firewall flowtables ... -From main structure defined in +From the main structure defined in :doc:`Firewall Overview` in this section you can find detailed information only for the next part of the general structure: @@ -30,7 +30,7 @@ of the general structure: + ... -Flowtables allows you to define a fastpath through the flowtable datapath. +Flowtables allow you to define a fastpath through the flowtable datapath. The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP and UDP protocols. @@ -107,10 +107,10 @@ Things to be considered in this setup: * Minimum firewall ruleset is provided, which includes some filtering rules, and appropriate rules for using flowtable offload capabilities. -As described, first packet will be evaluated by all the firewall path, so +As described, the first packet will be evaluated by the firewall path, so a desired connection should be explicitly accepted. Same thing should be taken into account for traffic in reverse order. In most cases state policies are -used in order to accept connection in reverse patch. +used in order to accept a connection in the reverse path. We will only accept traffic coming from interface eth0, protocol tcp and destination port 1122. All other traffic trespassing the router should be @@ -142,7 +142,7 @@ Explanation Analysis on what happens for desired connection: - 1. First packet is received on eth0, with destination address 192.0.2.100, + 1. Firstly, a packet is received on eth0, with destination address 192.0.2.100, protocol tcp and destination port 1122. Assume such destination address is reachable through interface eth1. 
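Review bot: the @@ -142 hunk changes the meaning of step 1. "First packet is received on eth0" refers to the first packet of the connection, which matters here because only that packet traverses the full ruleset before the flow is offloaded (steps 5 and 6 below rely on it); "Firstly, a packet is received" turns it into a mere ordinal. Keep the noun: "The first packet is received on eth0, with destination address 192.0.2.100, ...".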
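Review bot: in the @@ -107 hunk, "the first packet will be evaluated by all the firewall path" became "by the firewall path", which drops the point that the whole path is walked; "will traverse the full firewall path" keeps it. The untouched context line "The flowtable supports for the layer 3 IPv4 and IPv6" in @@ -30 could also lose the stray "for" in the same pass.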
@@ -151,22 +151,22 @@ Analysis on what happens for desired connection: 3. Rule 110 is hit, so connection is accepted. - 4. Once answer from server 192.0.2.100 is seen in opposite direction, + 4. Once an answer from server 192.0.2.100 is seen in opposite direction, connection state will be triggered to **established**, so this reply is accepted in rule 20. - 5. Second packet for this connection is received by the router. Since + 5. The second packet for this connection is received by the router. Since connection state is **established**, then rule 10 is hit, and a new entry in the flowtable FT01 is added for this connection. - 6. All the following packets will skip traditional path, and will be offloaded - and will use the **Fast Path**. + 6. All the following packets will skip the traditional path, will be + offloaded and use the **Fast Path**. Checks ------ -It's time to check conntrack table, to see if any connection was accepted, -and if was properly offloaded +It's time to check the conntrack table, to see if any connections were accepted, +and if it was properly offloaded .. code-block:: none diff --git a/docs/configuration/firewall/global-options.rst b/docs/configuration/firewall/global-options.rst index 7c52045e..87fb755d 100644 --- a/docs/configuration/firewall/global-options.rst +++ b/docs/configuration/firewall/global-options.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-12-26 +:lastproofread: 2024-07-03 .. _firewall-global-options-configuration: @@ -25,7 +25,7 @@ Configuration .. cfgcmd:: set firewall global-options all-ping [enable | disable] By default, when VyOS receives an ICMP echo request packet destined for - itself, it will answer with an ICMP echo reply, unless you avoid it + itself, it will answer with an ICMP echo reply, unless you prevent it through its firewall. With the firewall you can set rules to accept, drop or reject ICMP in, 
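Review bot: the @@ -151 hunk's last paragraph mixes number: "to see if any connections were accepted, and if it was properly offloaded". Either "if any connection was accepted, and if it was properly offloaded" or "if any connections were accepted, and if they were properly offloaded".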
@@ -55,7 +55,7 @@ Configuration .. cfgcmd:: set firewall global-options broadcast-ping [enable | disable] - This setting enable or disable the response of icmp broadcast + This setting enables or disables the response to icmp broadcast messages. The following system parameter will be altered: * ``net.ipv4.icmp_echo_ignore_broadcasts`` @@ -63,8 +63,8 @@ Configuration .. cfgcmd:: set firewall global-options ip-src-route [enable | disable] .. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable] - This setting handle if VyOS accept packets with a source route - option. The following system parameter will be altered: + This setting handles if VyOS accepts packets with a source route + option. The following system parameters will be altered: * ``net.ipv4.conf.all.accept_source_route`` * ``net.ipv6.conf.all.accept_source_route`` @@ -73,22 +73,22 @@ Configuration .. cfgcmd:: set firewall global-options ipv6-receive-redirects [enable | disable] - enable or disable of ICMPv4 or ICMPv6 redirect messages accepted - by VyOS. The following system parameter will be altered: + Enable or disable ICMPv4 or ICMPv6 redirect messages being accepted by + VyOS. The following system parameters will be altered: * ``net.ipv4.conf.all.accept_redirects`` * ``net.ipv6.conf.all.accept_redirects`` .. cfgcmd:: set firewall global-options send-redirects [enable | disable] - enable or disable ICMPv4 redirect messages send by VyOS + Enable or disable ICMPv4 redirect messages being sent by VyOS The following system parameter will be altered: * ``net.ipv4.conf.all.send_redirects`` .. cfgcmd:: set firewall global-options log-martians [enable | disable] - enable or disable the logging of martian IPv4 packets. + Enable or disable the logging of martian IPv4 packets. The following system parameter will be altered: * ``net.ipv4.conf.all.log_martians`` 
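Review bot: in the @@ -63 hunk, "This setting handles if VyOS accepts packets with a source route option" is still awkward; "This setting controls whether VyOS accepts packets carrying a source route option" says what the toggle does.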
@@ -103,7 +103,7 @@ Configuration .. cfgcmd:: set firewall global-options syn-cookies [enable | disable] - Enable or Disable if VyOS use IPv4 TCP SYN Cookies. + Enable or disable if VyOS uses IPv4 TCP SYN Cookies. The following system parameter will be altered: * ``net.ipv4.tcp_syncookies`` @@ -111,7 +111,7 @@ Configuration .. cfgcmd:: set firewall global-options twa-hazards-protection [enable | disable] - Enable or Disable VyOS to be :rfc:`1337` conform. + Enable or Disable VyOS to be :rfc:`1337` conformant. The following system parameter will be altered: * ``net.ipv4.tcp_rfc1337`` diff --git a/docs/configuration/firewall/groups.rst b/docs/configuration/firewall/groups.rst index 6111650a..fa32b98e 100644 --- a/docs/configuration/firewall/groups.rst +++ b/docs/configuration/firewall/groups.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-08 +:lastproofread: 2024-07-03 .. _firewall-groups-configuration: @@ -18,8 +18,7 @@ matcher, and/or as inbound/outbound in the case of interface group. Address Groups ============== -In an **address group** a single IP address or IP address ranges are -defined. +In an **address group** a single IP address or IP address range is defined. .. cfgcmd:: set firewall group address-group address [address | address range] @@ -43,7 +42,7 @@ Network Groups While **network groups** accept IP networks in CIDR notation, specific IP addresses can be added as a 32-bit prefix. If you foresee the need -to add a mix of addresses and networks, the network group is +to add a mix of addresses and networks, then a network group is recommended. .. cfgcmd:: set firewall group network-group network 
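Review bot: the @@ -103 hunk only changes capitalisation; "Enable or disable if VyOS uses IPv4 TCP SYN Cookies" still reads poorly. Suggest "Enable or disable the use of IPv4 TCP SYN cookies", which also matches the ``net.ipv4.tcp_syncookies`` parameter listed under it.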
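Review bot: the @@ -111 hunk keeps "Enable or Disable VyOS to be :rfc:`1337` conformant" while every other entry in this file was normalised to "Enable or disable"; lower-case "disable" here too, and "Enable or disable :rfc:`1337` conformance" avoids the "Enable VyOS to be" construction.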
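Review bot: the groups.rst @@ -18 hunk now says "a single IP address or IP address range is defined", which reads as if an address group holds exactly one entry, whereas the cfgcmd below is the per-entry form and the original ("addresses or IP address ranges") implied several. "one or more IP addresses or address ranges are defined" keeps the meaning while fixing the grammar.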
@@ -197,9 +196,9 @@ Commands used for this task are: .. cfgcmd:: set firewall ipv6 name rule <1-999999> add-address-to-group source-address address-group -Also, specific timeout can be defined per rule. In case rule gets a hit, -source or destinatination address will be added to the group, and this -element will remain in the group until timeout expires. If no timeout +Also, specific timeouts can be defined per rule. In case rule gets a hit, +a source or destinatination address will be added to the group, and this +element will remain in the group until the timeout expires. If no timeout is defined, then the element will remain in the group until next reboot, or until a new commit that changes firewall configuration is done. @@ -324,7 +323,7 @@ A 4 step port knocking example is shown next: set firewall ipv4 input filter rule 99 protocol 'tcp' set firewall ipv4 input filter rule 99 source group dynamic-address-group 'ALLOWED' -Before testing, we can check members of firewall groups: +Before testing, we can check the members of firewall groups: .. code-block:: none @@ -339,7 +338,7 @@ Before testing, we can check members of firewall groups: [edit] vyos@vyos# -With this configuration, in order to get ssh access to the router, user +With this configuration, in order to get ssh access to the router, the user needs to: 1. Generate a new TCP connection with destination port 9990. As shown next, @@ -390,7 +389,7 @@ a new entry was added to dynamic firewall group **ALLOWED** [edit] vyos@vyos# -4. Now user can connect through ssh to the router (assuming ssh is configured). +4. Now the user can connect through ssh to the router (assuming ssh is configured). ************** Operation-mode diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index daf5f116..58e3463b 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst 
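Review bot: the @@ -197 hunk rewrites the sentence but carries the typo "destinatination" through into the + line; write "destination address".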
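Review bot: the @@ -390 hunk's + line ("4. Now the user can connect through ssh to the router (assuming ssh is configured).") runs past the wrap width used elsewhere in this file; break it after "router" to match the surrounding lines.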
@@ -1,4 +1,4 @@ -:lastproofread: 2023-11-23 +:lastproofread: 2024-07-03 ######## Firewall @@ -28,11 +28,11 @@ packet is processed at the **IP Layer**: * **Prerouting**: All packets that are received by the router are processed in this stage, regardless of the destination of the packet. - Starting from vyos-1.5-rolling-202406120020, a new section was added to - firewall configuration. There are several actions that can be done in this - stage, and currently these actions are also defined in different parts in - VyOS configuration. Order is important, and relevant configuration that - acts in this stage are: + Starting from vyos-1.5-rolling-202406120020, a new section was added to + the firewall configuration. There are several actions that can be done in + this stage, and currently these actions are also defined in different + parts of the VyOS configuration. Order is important, and the relevant + configuration that acts in this stage are: * **Firewall prerouting**: rules defined under ``set firewall [ipv4 | ipv6] prerouting raw...``. All rules defined in this section are @@ -50,9 +50,9 @@ packet is processed at the **IP Layer**: * **Destination NAT**: rules defined under ``set [nat | nat66] destination...``. - * **Destination is the router?**: choose appropriate path based on + * **Destination is the router?**: choose an appropriate path based on destination IP address. Transit forward continues to **forward**, - while traffic that destination IP address is configured on the router + while traffic where the destination IP address is configured on the router continues to **input**. * **Input**: stage where traffic destined for the router itself can be 
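Review bot: the @@ -28 hunk still ends with "the relevant configuration that acts in this stage are:", a singular subject with a plural verb. Since a list of configuration sections follows, "the relevant configuration sections that act in this stage are:" fixes both the agreement and the vagueness.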
@@ -73,7 +73,7 @@ packet is processed at the **IP Layer**: * **Output**: stage where traffic that originates from the router itself can be filtered and controlled. Bear in mind that this traffic can be a - new connection originated by a internal process running on VyOS router, + new connection originated by a internal process running on the VyOS router such as NTP, or a response to traffic received externally through **input** (for example response to an ssh login attempt to the router). This includes ipv4 and ipv6 rules, and two different sections are present: @@ -181,10 +181,10 @@ Zone-based firewall zone With zone-based firewalls a new concept was implemented, in addition to the -standard in and out traffic flows, a local flow was added. This local was for -traffic originating and destined to the router itself. Which means additional -rules were required to secure the firewall itself from the network, in -addition to the existing inbound and outbound rules from the traditional +standard in and out traffic flows, a local flow was added. This local flow was +for traffic originating and destined to the router itself. Which means that +additional rules were required to secure the firewall itself from the network, +in addition to the existing inbound and outbound rules from the traditional concept above. To configure VyOS with the diff --git a/docs/configuration/firewall/ipv4.rst b/docs/configuration/firewall/ipv4.rst index 39370c86..abae31a5 100644 --- a/docs/configuration/firewall/ipv4.rst +++ b/docs/configuration/firewall/ipv4.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-08 +:lastproofread: 2024-07-03 .. _firewall-ipv4-configuration: 
@@ -10,13 +10,13 @@ IPv4 Firewall Configuration Overview ******** -In this section there's useful information of all firewall configuration that +In this section there's useful information on all firewall configuration that can be done regarding IPv4, and appropriate op-mode commands. Configuration commands covered in this section: .. cfgcmd:: set firewall ipv4 ... -From main structure defined in +From the main structure defined in :doc:`Firewall Overview` in this section you can find detailed information only for the next part of the general structure: 
@@ -51,28 +51,28 @@ This stage includes: * :doc:`Destination NAT`: commands found under ``set nat destination ...`` -For transit traffic, which is received by the router and forwarded, base chain -is **forward**. A simplified packet flow diagram for transit traffic is shown -next: +For transit traffic, which is received by the router and forwarded, the base +chain is **forward**. A simplified packet flow diagram for transit traffic is +shown next: .. figure:: /_static/images/firewall-fwd-packet-flow.png -Firewall base chain to configure firewall filtering rules for transit traffic +The base firewall chain to configure filtering rules for transit traffic is ``set firewall ipv4 forward filter ...``, which happens in stage 5, -highlighted with red color. +highlighted in the color red. -For traffic towards the router itself, base chain is **input**, while traffic -originated by the router, base chain is **output**. +For traffic towards the router itself, the base chain is **input**, while +traffic originated by the router has the base chain **output**. A new simplified packet flow diagram is shown next, which shows the path for traffic destined to the router itself, and traffic generated by the router (starting from circle number 6): .. figure:: /_static/images/firewall-input-packet-flow.png -Base chain for traffic towards the router is ``set firewall ipv4 input +The base chain for traffic towards the router is ``set firewall ipv4 input filter ...`` -And base chain for traffic generated by the router is ``set firewall ipv4 +And the base chain for traffic generated by the router is ``set firewall ipv4 output ...``, where two sub-chains are available: **filter** and **raw**: * **Output Prerouting**: ``set firewall ipv4 output raw ...``. 
@@ -82,9 +82,9 @@ output ...``, where two sub-chains are available: **filter** and **raw**: in this section are processed after connection tracking subsystem. .. note:: **Important note about default-actions:** - If default action for any base chain is not defined, then the default - action is set to **accept** for that chain. For custom chains, if default - action is not defined, then the default-action is set to **drop** + If a default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if the + default action is not defined, then the default-action is set to **drop** Custom firewall chains can be created, with commands ``set firewall ipv4 name ...``. In order to use @@ -95,9 +95,9 @@ should be defined in a base chain. Firewall - IPv4 Rules ********************* -For firewall filtering, firewall rules needs to be created. Each rule is +For firewall filtering, firewall rules need to be created. Each rule is numbered, has an action to apply if the rule is matched, and the ability -to specify multiple criteria matchers. Data packets go through the rules +to specify multiple matching criteria. Data packets go through the rules from 1 - 999999, so order is crucial. At the first match the action of the rule will be executed. @@ -105,7 +105,7 @@ Actions ======= If a rule is defined, then an action must be defined for it. This tells the -firewall what to do if all criteria matchers defined for such rule do match. +firewall what to do if all of the criteria defined for that rule match. The action can be : 
@@ -135,8 +135,8 @@ The action can be : .. cfgcmd:: set firewall ipv4 name rule <1-999999> action [accept | continue | drop | jump | queue | reject | return] - This required setting defines the action of the current rule. If action is - set to jump, then jump-target is also needed. + This required setting defines the action of the current rule. If the action + is set to jump, then a jump-target is also needed. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> jump-target @@ -148,7 +148,7 @@ The action can be : jump-target To be used only when action is set to ``jump``. Use this command to specify - jump target. + the jump target. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> queue <0-65535> @@ -160,7 +160,7 @@ The action can be : queue <0-65535> To be used only when action is set to ``queue``. Use this command to specify - queue target to use. Queue range is also supported. + the queue target to use. Queue range is also supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> queue-options bypass @@ -171,7 +171,7 @@ The action can be : .. cfgcmd:: set firewall ipv4 name rule <1-999999> queue-options bypass - To be used only when action is set to ``queue``. Use this command to let + To be used only when action is set to ``queue``. Use this command to let the packet go through firewall when no userspace software is connected to the queue. 
@@ -200,21 +200,21 @@ not match any rule in it's chain. For base chains, possible options for .. cfgcmd:: set firewall ipv4 name default-action [accept | drop | jump | queue | reject | return] - This set the default action of the rule-set if no rule matched a packet - criteria. If default-action is set to ``jump``, then - ``default-jump-target`` is also needed. Note that for base chains, default - action can only be set to ``accept`` or ``drop``, while on custom chain, - more actions are available. + This sets the default action of the rule-set if a packet does not match the + criteria of any rule. If default-action is set to ``jump``, then + ``default-jump-target`` is also needed. Note that for base chains, the + default action can only be set to ``accept`` or ``drop``, while on custom + chains, more actions are available. .. cfgcmd:: set firewall ipv4 name default-jump-target To be used only when ``default-action`` is set to ``jump``. Use this - command to specify jump target for default rule. + command to specify the jump target for the default rule. .. note:: **Important note about default-actions:** - If default action for any base chain is not defined, then the default - action is set to **accept** for that chain. For custom chains, if default - action is not defined, then the default-action is set to **drop**. + If the default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains if a default + action is not defined then the default-action is set to **drop**. Firewall Logs ============= @@ -228,7 +228,7 @@ log options can be defined. .. cfgcmd:: set firewall ipv4 name rule <1-999999> log Enable logging for the matched packet. If this configuration command is not - present, then log is not enabled. + present, then the log is not enabled. .. cfgcmd:: set firewall ipv4 forward filter default-log .. cfgcmd:: set firewall ipv4 input filter default-log 
@@ -251,7 +251,7 @@ log options can be defined. log-options level [emerg | alert | crit | err | warn | notice | info | debug] - Define log-level. Only applicable if rule log is enable. + Define log-level. Only applicable if rule log is enabled. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log-options group <0-65535> @@ -262,7 +262,8 @@ log options can be defined. .. cfgcmd:: set firewall ipv4 name rule <1-999999> log-options group <0-65535> - Define log group to send message to. Only applicable if rule log is enable. + Define the log group to send messages to. Only applicable if rule log is + enabled. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log-options snapshot-length <0-9000> @@ -273,8 +274,8 @@ log options can be defined. .. cfgcmd:: set firewall ipv4 name rule <1-999999> log-options snapshot-length <0-9000> - Define length of packet payload to include in netlink message. Only - applicable if rule log is enable and log group is defined. + Define the length of packet payload to include in a netlink message. Only + applicable if rule log is enabled and log group is defined. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> log-options queue-threshold <0-65535> @@ -285,8 +286,8 @@ log options can be defined. .. cfgcmd:: set firewall ipv4 name rule <1-999999> log-options queue-threshold <0-65535> - Define number of packets to queue inside the kernel before sending them to - userspace. Only applicable if rule log is enable and log group is defined. + Define the number of packets to queue inside the kernel before sending them + to userspace. Only applicable if rule log is enabled and log group is defined. Firewall Description ==================== 
@@ -311,7 +312,7 @@ every defined custom chain. Rule Status =========== -When defining a rule, it is enable by default. In some cases, it is useful to +When defining a rule, it is enabled by default. In some cases, it is useful to just disable the rule, rather than removing it. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> disable @@ -335,7 +336,7 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv4 name rule <1-999999> connection-status nat [destination | source] - Match criteria based on nat connection status. + Match based on nat connection status. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> connection-mark <1-2147483647> @@ -346,7 +347,7 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv4 name rule <1-999999> connection-mark <1-2147483647> - Match criteria based on connection mark. + Match based on connection mark. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> conntrack-helper @@ -445,8 +446,8 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv4 name rule <1-999999> destination fqdn - Specify a Fully Qualified Domain Name as source/destination matcher. Ensure - router is able to resolve such dns query. + Specify a Fully Qualified Domain Name as source/destination to match. Ensure + that the router is able to resolve this dns query. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> source geoip country-code 
@@ -503,14 +504,13 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> source mac-address - Only in the source criteria, you can specify a mac-address. + You can only specify a source mac-address to match. .. code-block:: none set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33 set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34 - .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> source port [1-65535 | portname | start-end] .. cfgcmd:: set firewall ipv4 input filter rule <1-999999> @@ -529,8 +529,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> destination port [1-65535 | portname | start-end] - A port can be set with a port number or a name which is here - defined: ``/etc/services``. + A port can be set by number or name as defined in ``/etc/services``. .. code-block:: none @@ -559,8 +558,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> destination group address-group - Use a specific address-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific address-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> source group dynamic-address-group @@ -580,8 +579,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> destination group dynamic-address-group - Use a specific dynamic-address-group. Prepend character ``!`` for inverted - matching criteria. + Use a specific dynamic-address-group. Prepending the character ``!`` to + invert the criteria to match is also supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> source group network-group 
@@ -601,8 +600,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> destination group network-group - Use a specific network-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific network-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> source group port-group @@ -622,8 +621,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> destination group port-group - Use a specific port-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific port-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> source group domain-group @@ -643,8 +642,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> destination group domain-group - Use a specific domain-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific domain-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> source group mac-group @@ -664,8 +663,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> destination group mac-group - Use a specific mac-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific mac-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> dscp [0-63 | start-end] 
@@ -696,7 +695,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> fragment [match-frag | match-non-frag] - Match based on fragment criteria. + Match based on fragmentation. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> icmp [code | type] <0-255> @@ -718,7 +717,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> icmp type-name - Match based on icmp type-name criteria. Use tab for information + Match based on icmp type-name. Use tab for information about what **type-name** criteria are supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> @@ -729,11 +728,11 @@ geoip) to keep database and rules updated. inbound-interface name Match based on inbound interface. Wildcard ``*`` can be used. - For example: ``eth2*``. Prepending character ``!`` for inverted matching - criteria is also supported. For example ``!eth2`` + For example: ``eth2*``. Prepending the character ``!`` to invert the + criteria to match is also supported. For example ``!eth2`` .. note:: If an interface is attached to a non-default vrf, when using - **inbound-interface**, vrf name must be used. For example ``set firewall + **inbound-interface**, the vrf name must be used. For example ``set firewall ipv4 forward filter rule 10 inbound-interface name MGMT`` .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> @@ -743,8 +742,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> inbound-interface group - Match based on inbound interface group. Prepending character ``!`` for - inverted matching criteria is also supported. For example ``!IFACE_GROUP`` + Match based on the inbound interface group. Prepending the character ``!`` + to invert the criteria to match is also supported. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> outbound-interface name 
@@ -754,11 +753,11 @@ geoip) to keep database and rules updated. outbound-interface name Match based on outbound interface. Wildcard ``*`` can be used. - For example: ``eth2*``. Prepending character ``!`` for inverted matching - criteria is also supported. For example ``!eth2`` + For example: ``eth2*``. Prepending the character ``!`` to invert the + criteria to match is also supported. For example ``!eth2`` .. note:: If an interface is attached to a non-default vrf, when using - **outbound-interface**, real interface name must be used. For example + **outbound-interface**, the real interface name must be used. For example ``set firewall ipv4 forward filter rule 10 outbound-interface name eth0`` .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> @@ -768,8 +767,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> outbound-interface group - Match based on outbound interface group. Prepending character ``!`` for - inverted matching criteria is also supported. For example ``!IFACE_GROUP`` + Match based on outbound interface group. Prepending the character ``!`` to + invert the criteria to match is also supported. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> ipsec [match-ipsec | match-none] @@ -780,7 +779,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> ipsec [match-ipsec | match-none] - Match based on ipsec criteria. + Match based on ipsec. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> limit burst <0-4294967295> @@ -823,7 +822,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> packet-length-exclude - Match based on packet length criteria. Multiple values from 1 to 65535 + Match based on the packet length. Multiple values from 1 to 65535 and ranges are supported. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> 
@@ -835,7 +834,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> packet-type [broadcast | host | multicast | other] - Match based on packet type criteria. + Match based on the packet type. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> protocol [ | <0-255> | all | tcp_udp] @@ -846,10 +845,9 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> protocol [ | <0-255> | all | tcp_udp] - Match a protocol criteria. A protocol number or a name which is here - defined: ``/etc/protocols``. + Match based on protocol number or name as defined in ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp - based packets. The ``!`` negate the selected protocol. + based packets. The ``!`` negates the selected protocol. .. code-block:: none @@ -874,7 +872,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> recent time [second | minute | hour] - Match bases on recently seen sources. + Match based on recently seen sources. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> tcp flags [not] @@ -958,8 +956,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv4 name rule <1-999999> ttl <0-255> - Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for - 'greater than', and 'lt' stands for 'less than'. + Match the time to live parameter, where 'eq' stands for 'equal'; 'gt' stands + for 'greater than', and 'lt' stands for 'less than'. .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> recent count <1-255> 
@@ -994,7 +992,7 @@ Synproxy connections .. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> - Set TCP-MSS (maximum segment size) for the connection + Set the TCP-MSS (maximum segment size) for the connection .. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> @@ -1028,7 +1026,6 @@ Requirements to enable synproxy: set firewall ipv4 input filter rule 1000 action 'drop' set firewall ipv4 input filter rule 1000 state invalid - *********************** Operation-mode Firewall *********************** @@ -1038,7 +1035,7 @@ Rule-set overview .. opcmd:: show firewall - This will show you a basic firewall overview, for all ruleset, and not + This will show you a basic firewall overview, for all rule-sets, and not only for ipv4 .. code-block:: none diff --git a/docs/configuration/firewall/ipv6.rst b/docs/configuration/firewall/ipv6.rst index 511fd51f..5f526dac 100644 --- a/docs/configuration/firewall/ipv6.rst +++ b/docs/configuration/firewall/ipv6.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-08 +:lastproofread: 2024-07-03 .. _firewall-ipv6-configuration: @@ -10,13 +10,13 @@ IPv6 Firewall Configuration Overview ******** -In this section there's useful information of all firewall configuration that +In this section there's useful information on all firewall configuration that can be done regarding IPv6, and appropriate op-mode commands. Configuration commands covered in this section: .. cfgcmd:: set firewall ipv6 ... -From main structure defined in +From the main structure defined in :doc:`Firewall Overview` in this section you can find detailed information only for the next part of the general structure: 
@@ -51,29 +51,29 @@ This stage includes: * :doc:`Destination NAT`: commands found under ``set nat66 destination ...`` -For transit traffic, which is received by the router and forwarded, base chain -is **forward**. A simplified packet flow diagram for transit traffic is shown -next: +For transit traffic, which is received by the router and forwarded, the base +chain is **forward**. A simplified packet flow diagram for transit traffic is +shown next: .. figure:: /_static/images/firewall-fwd-packet-flow.png -Firewall base chain to configure firewall filtering rules for transit traffic +The base firewall chain to configure filtering rules for transit traffic is ``set firewall ipv6 forward filter ...``, which happens in stage 5, -highlighted with red color. +highlighted in the color red. -For traffic towards the router itself, base chain is **input**, while traffic -originated by the router, base chain is **output**. +For traffic towards the router itself, the base chain is **input**, while +traffic originated by the router has the base chain **output**. A new simplified packet flow diagram is shown next, which shows the path for traffic destined to the router itself, and traffic generated by the router (starting from circle number 6): .. figure:: /_static/images/firewall-input-packet-flow.png -Base chain for traffic towards the router is ``set firewall ipv6 input +The base chain for traffic towards the router is ``set firewall ipv6 input filter ...`` -And base chain for traffic generated by the router is ``set firewall ipv6 -output filter ...``, where two sub-chains are available: **filter** and **raw**: +And the base chain for traffic generated by the router is ``set firewall ipv6 +output ...``, where two sub-chains are available: **filter** and **raw**: * **Output Prerouting**: ``set firewall ipv6 output raw ...``. As described in **Prerouting**, rules defined in this section are 
@@ -82,9 +82,9 @@ output filter ...``, where two sub-chains are available: **filter** and **raw**: in this section are processed after connection tracking subsystem. .. note:: **Important note about default-actions:** - If default action for any base chain is not defined, then the default - action is set to **accept** for that chain. For custom chains, if default - action is not defined, then the default-action is set to **drop** + If a default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains, if the + default action is not defined, then the default-action is set to **drop** Custom firewall chains can be created, with commands ``set firewall ipv6 name ...``. In order to use @@ -95,9 +95,9 @@ should be defined in a base chain. Firewall - IPv6 Rules ****************************** -For firewall filtering, firewall rules needs to be created. Each rule is +For firewall filtering, firewall rules need to be created. Each rule is numbered, has an action to apply if the rule is matched, and the ability -to specify multiple criteria matchers. Data packets go through the rules +to specify multiple matching criteria. Data packets go through the rules from 1 - 999999, so order is crucial. At the first match the action of the rule will be executed. @@ -105,7 +105,7 @@ Actions ======= If a rule is defined, then an action must be defined for it. This tells the -firewall what to do if all criteria matchers defined for such rule do match. +firewall what to do if all of the criteria defined for that rule match. The action can be : 
@@ -135,8 +135,8 @@ The action can be : .. cfgcmd:: set firewall ipv6 name rule <1-999999> action [accept | continue | drop | jump | queue | reject | return] - This required setting defines the action of the current rule. If action is - set to jump, then jump-target is also needed. + This required setting defines the action of the current rule. If the action + is set to jump, then a jump-target is also needed. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> jump-target @@ -148,7 +148,7 @@ The action can be : jump-target To be used only when action is set to ``jump``. Use this command to specify - jump target. + the jump target. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> queue <0-65535> @@ -160,7 +160,7 @@ The action can be : queue <0-65535> To be used only when action is set to ``queue``. Use this command to specify - queue target to use. Queue range is also supported. + the queue target to use. Queue range is also supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> queue-options bypass @@ -171,7 +171,7 @@ The action can be : .. cfgcmd:: set firewall ipv6 name rule <1-999999> queue-options bypass - To be used only when action is set to ``queue``. Use this command to let + To be used only when action is set to ``queue``. Use this command to let the packet go through firewall when no userspace software is connected to the queue. 
@@ -200,21 +200,21 @@ not match any rule in it's chain. For base chains, possible options for .. cfgcmd:: set firewall ipv6 name default-action [accept | drop | jump | queue | reject | return] - This set the default action of the rule-set if no rule matched a packet - criteria. If default-action is set to ``jump``, then - ``default-jump-target`` is also needed. Note that for base chains, default - action can only be set to ``accept`` or ``drop``, while on custom chain, - more actions are available. + This sets the default action of the rule-set if a packet does not match the + criteria of any rule. If default-action is set to ``jump``, then + ``default-jump-target`` is also needed. Note that for base chains, the + default action can only be set to ``accept`` or ``drop``, while on custom + chains, more actions are available. .. cfgcmd:: set firewall ipv6 name default-jump-target To be used only when ``default-action`` is set to ``jump``. Use this - command to specify jump target for default rule. + command to specify the jump target for the default rule. .. note:: **Important note about default-actions:** - If default action for any base chain is not defined, then the default - action is set to **accept** for that chain. For custom chains, if default - action is not defined, then the default-action is set to **drop**. + If the default action for any base chain is not defined, then the default + action is set to **accept** for that chain. For custom chains if a default + action is not defined then the default-action is set to **drop**. Firewall Logs ============= @@ -228,7 +228,7 @@ log options can be defined. .. cfgcmd:: set firewall ipv6 name rule <1-999999> log Enable logging for the matched packet. If this configuration command is not - present, then log is not enabled. + present, then the log is not enabled. .. cfgcmd:: set firewall ipv6 forward filter default-log .. cfgcmd:: set firewall ipv6 input filter default-log 
@@ -251,7 +251,7 @@ log options can be defined. log-options level [emerg | alert | crit | err | warn | notice | info | debug] - Define log-level. Only applicable if rule log is enable. + Define log-level. Only applicable if rule log is enabled. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log-options group <0-65535> @@ -262,7 +262,8 @@ log options can be defined. .. cfgcmd:: set firewall ipv6 name rule <1-999999> log-options group <0-65535> - Define log group to send message to. Only applicable if rule log is enable. + Define the log group to send messages to. Only applicable if rule log is + enabled. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log-options snapshot-length <0-9000> @@ -273,8 +274,8 @@ log options can be defined. .. cfgcmd:: set firewall ipv6 name rule <1-999999> log-options snapshot-length <0-9000> - Define length of packet payload to include in netlink message. Only - applicable if rule log is enable and log group is defined. + Define the length of packet payload to include in a netlink message. Only + applicable if rule log is enabled and log group is defined. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> log-options queue-threshold <0-65535> @@ -285,8 +286,8 @@ log options can be defined. .. cfgcmd:: set firewall ipv6 name rule <1-999999> log-options queue-threshold <0-65535> - Define number of packets to queue inside the kernel before sending them to - userspace. Only applicable if rule log is enable and log group is defined. + Define the number of packets to queue inside the kernel before sending them + to userspace. Only applicable if rule log is enabled and log group is defined. Firewall Description ==================== 
@@ -311,7 +312,7 @@ every defined custom chain. Rule Status =========== -When defining a rule, it is enable by default. In some cases, it is useful to +When defining a rule, it is enabled by default. In some cases, it is useful to just disable the rule, rather than removing it. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> disable @@ -335,7 +336,7 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv6 name rule <1-999999> connection-status nat [destination | source] - Match criteria based on nat connection status. + Match based on nat connection status. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> connection-mark <1-2147483647> @@ -346,7 +347,7 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv6 name rule <1-999999> connection-mark <1-2147483647> - Match criteria based on connection mark. + Match based on connection mark. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source address [address | addressrange | CIDR] @@ -366,9 +367,8 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv6 name rule <1-999999> destination address [address | addressrange | CIDR] - Match criteria based on source and/or destination address. This is similar - to the network groups part, but here you are able to negate the matching - addresses. + Match based on source and/or destination address. This is similar to the + network groups part, but here you are able to negate the matching addresses. .. code-block:: none 
@@ -433,8 +433,8 @@ There are a lot of matching criteria against which the packet can be tested. .. cfgcmd:: set firewall ipv6 name rule <1-999999> destination fqdn - Specify a Fully Qualified Domain Name as source/destination matcher. Ensure - router is able to resolve such dns query. + Specify a Fully Qualified Domain Name as source/destination to match. Ensure + that the router is able to resolve this dns query. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source geoip country-code @@ -491,7 +491,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name rule <1-999999> source mac-address - Only in the source criteria, you can specify a mac-address. + You can only specify a source mac-address to match. .. code-block:: none @@ -516,8 +516,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name rule <1-999999> destination port [1-65535 | portname | start-end] - A port can be set with a port number or a name which is here - defined: ``/etc/services``. + A port can be set by number or name as defined in ``/etc/services``. .. code-block:: none @@ -550,8 +549,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name rule <1-999999> destination group address-group - Use a specific address-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific address-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source group dynamic-address-group 
@@ -571,8 +570,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name rule <1-999999> destination group dynamic-address-group - Use a specific dynamic-address-group. Prepend character ``!`` for inverted - matching criteria. + Use a specific dynamic-address-group. Prepending the character ``!`` to + invert the criteria to match is also supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source group network-group @@ -592,8 +591,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name rule <1-999999> destination group network-group - Use a specific network-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific network-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source group port-group @@ -613,8 +612,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name rule <1-999999> destination group port-group - Use a specific port-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific port-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source group domain-group @@ -634,8 +633,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name rule <1-999999> destination group domain-group - Use a specific domain-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific domain-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> source group mac-group 
@@ -655,8 +654,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name rule <1-999999> destination group mac-group - Use a specific mac-group. Prepend character ``!`` for inverted matching - criteria. + Use a specific mac-group. Prepending the character ``!`` to invert the + criteria to match is also supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> dscp [0-63 | start-end] @@ -687,7 +686,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name rule <1-999999> fragment [match-frag | match-non-frag] - Match based on fragment criteria. + Match based on fragmentation. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> icmpv6 [code | type] <0-255> @@ -709,7 +708,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name rule <1-999999> icmpv6 type-name - Match based on icmpv6 type-name criteria. Use tab for information + Match based on icmpv6 type-name. Use tab for information about what **type-name** criteria are supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> @@ -720,11 +719,11 @@ geoip) to keep database and rules updated. inbound-interface name Match based on inbound interface. Wildcard ``*`` can be used. - For example: ``eth2*``. Prepending character ``!`` for inverted matching - criteria is also supported. For example ``!eth2`` + For example: ``eth2*``. Prepending the character ``!`` to invert the + criteria to match is also supported. For example ``!eth2`` .. note:: If an interface is attached to a non-default vrf, when using - **inbound-interface**, vrf name must be used. For example ``set firewall + **inbound-interface**, the vrf name must be used. For example ``set firewall ipv6 forward filter rule 10 inbound-interface name MGMT`` .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> 
@@ -734,8 +733,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name rule <1-999999> inbound-interface group - Match based on inbound interface group. Prepending character ``!`` for - inverted matching criteria is also supported. For example ``!IFACE_GROUP`` + Match based on the inbound interface group. Prepending the character ``!`` + to invert the criteria to match is also supported. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> outbound-interface name @@ -745,11 +744,11 @@ geoip) to keep database and rules updated. outbound-interface name Match based on outbound interface. Wildcard ``*`` can be used. - For example: ``eth2*``. Prepending character ``!`` for inverted matching - criteria is also supported. For example ``!eth2`` + For example: ``eth2*``. Prepending the character ``!`` to invert the + criteria to match is also supported. For example ``!eth2`` .. note:: If an interface is attached to a non-default vrf, when using - **outbound-interface**, real interface name must be used. For example + **outbound-interface**, the real interface name must be used. For example ``set firewall ipv6 forward filter rule 10 outbound-interface name eth0`` .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> @@ -759,8 +758,8 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name rule <1-999999> outbound-interface group - Match based on outbound interface group. Prepending character ``!`` for - inverted matching criteria is also supported. For example ``!IFACE_GROUP`` + Match based on outbound interface group. Prepending the character ``!`` to + invert the criteria to match is also supported. For example ``!IFACE_GROUP`` .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> ipsec [match-ipsec | match-none] 
@@ -771,7 +770,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name rule <1-999999> ipsec [match-ipsec | match-none] - Match based on ipsec criteria. + Match based on ipsec. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> limit burst <0-4294967295> @@ -814,7 +813,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name rule <1-999999> packet-length-exclude - Match based on packet length criteria. Multiple values from 1 to 65535 + Match based on the packet length. Multiple values from 1 to 65535 and ranges are supported. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> @@ -826,7 +825,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name rule <1-999999> packet-type [broadcast | host | multicast | other] - Match based on packet type criteria. + Match based on the packet type. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> protocol [ | <0-255> | all | tcp_udp] @@ -837,10 +836,9 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name rule <1-999999> protocol [ | <0-255> | all | tcp_udp] - Match a protocol criteria. A protocol number or a name which is here - defined: ``/etc/protocols``. + Match based on protocol number or name as defined in ``/etc/protocols``. Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp - based packets. The ``!`` negate the selected protocol. + based packets. The ``!`` negates the selected protocol. .. code-block:: none @@ -948,7 +946,7 @@ geoip) to keep database and rules updated. .. cfgcmd:: set firewall ipv6 name rule <1-999999> hop-limit <0-255> - Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for + Match the hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for 'greater than', and 'lt' stands for 'less than'. .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> 
@@ -984,7 +982,7 @@ Synproxy connections .. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> - Set TCP-MSS (maximum segment size) for the connection + Set the TCP-MSS (maximum segment size) for the connection .. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> @@ -1027,7 +1025,8 @@ Rule-set overview .. opcmd:: show firewall - This will show you a basic firewall overview + This will show you a basic firewall overview, for all rule-sets, and not + only for ipv6 .. code-block:: none diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index f71ad8c1..73ce0a4d 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst @@ -1,4 +1,4 @@ -:lastproofread: 2023-11-01 +:lastproofread: 2024-07-03 .. _firewall-zone: @@ -11,9 +11,9 @@ Overview ******** .. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall - structure can be found on all VyOS installations. Zone based firewall was - removed in that version, but re introduced in VyOS 1.4 and 1.5. All - versions built after 2023-10-22 has this feature. + structure can be found on all VyOS installations. The Zone based firewall + was removed in that version, but re introduced in VyOS 1.4 and 1.5. All + versions built after 2023-10-22 have this feature. Documentation for most of the new firewall CLI can be found in the `firewall `_ 
@@ -22,13 +22,13 @@ Overview :doc:`legacy firewall configuration ` chapter. -In this section there's useful information of all firewall configuration that -is needed for zone-based firewall. +In this section there's useful information on all firewall configuration that +is needed for the zone-based firewall. Configuration commands covered in this section: .. cfgcmd:: set firewall zone ... -From main structure defined in +From the main structure defined in :doc:`Firewall Overview` in this section you can find detailed information only for the next part of the general structure: @@ -53,7 +53,7 @@ Key Points: interface can be assigned to only a single zone. * All traffic to and from an interface within a zone is permitted. * All traffic between zones is affected by existing policies -* Traffic cannot flow between zone member interface and any interface that is +* Traffic cannot flow between a zone member interface and any interface that is not a zone member. * You need 2 separate firewalls to define traffic: one for each direction. @@ -129,7 +129,7 @@ Operation-mode .. opcmd:: show firewall zone-policy - This will show you a basic summary of zones configuration. + This will show you a basic summary of the zone configuration. .. code-block:: none -- cgit v1.2.3
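Review bot: the rewritten sentence in the ``@@ -491,7 +491,7 @@`` hunk of ipv6.rst, "You can only specify a source mac-address to match.", reads as if mac-address were the only match criterion available, whereas the original meant that mac-address matching is only offered on the source side. Suggest "A mac-address can only be specified as a source criterion."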
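Review bot: the recurring replacement wording "Prepending the character ``!`` to invert the criteria to match is also supported" (the address-group, dynamic-address-group, network-group, port-group, domain-group and mac-group hunks, and the inbound-interface and outbound-interface name/group hunks in ipv6.rst) is longer than the text it replaces and "the criteria to match" is ambiguous about what is inverted. Suggest one short form such as "Prepend ``!`` to invert the match." and apply it consistently across these hunks; while there, the "For example ``!eth2``" and "For example ``!IFACE_GROUP``" sentences still lack a terminating period.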
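Review bot: the replacement text in the ``@@ -1027,7 +1025,8 @@`` hunk of ipv6.rst drops the sentence-ending period and the comma placement is awkward ("This will show you a basic firewall overview, for all rule-sets, and not only for ipv6"). Suggest "This will show you a basic firewall overview for all rule-sets, not only for ipv6."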
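Review bot: the ``@@ -11,9 +11,9 @@`` hunk of zone.rst capitalizes "The Zone based firewall" while the next hunk in the same file uses "zone-based firewall", and "re introduced" is left as two words. Suggest "The zone-based firewall was removed in that version, but reintroduced in VyOS 1.4 and 1.5."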
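Review bot: in the ``@@ -22,13 +22,13 @@`` hunk of zone.rst, the sentence "From the main structure defined in :doc:`Firewall Overview` in this section you can find detailed information only for the next part of the general structure:" is still hard to parse after the article fix. Suggest "Of the main structure defined in :doc:`Firewall Overview`, this section covers only the following part:".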