quick-start: add notice about changes to firewall backend

docs/configuration/firewall/general-legacy.rst

@@ -426,7 +426,7 @@ There are a lot of matching criteria against which the package can be tested.
    firewall as rules will remain valid if the IPv6 prefix changes and the host
    portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses
    <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_)
-   
+
    This functions for both individual addresses and address groups.
 
    .. code-block:: none
@@ -1048,4 +1048,4 @@ Update geoip database
 
 .. opcmd:: update geoip
 
-   Command used to update GeoIP database and firewall sets.
+   Command used to update GeoIP database and firewall sets.

docs/quick-start.rst

@@ -122,14 +122,12 @@ network via IP masquerade.
 Firewall
 ########
 
-.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall
+.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be
-   structure can be found on all vyos instalations. Documentation for most
+   found on all vyos instalations. Documentation for most of the new firewall CLI
-   of the new firewall CLI can be found in the `firewall
+   can be found in the :ref:`firewall` chapter. The legacy firewall is still available
-   <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_
+   for versions before 1.4-rolling-202308040557 and can be found in the
-   chapter. The legacy firewall is still available for versions before
+   :ref:`firewall-legacy` chapter. The examples in this section still use the
-   1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy`
+   legacy firewall configuration options.
-   chapter. The examples in this section use the new firewall configuration
-   commands.
 
 Add a set of firewall policies for our outside/WAN interface.
 
@@ -138,25 +136,19 @@ which was not initiated from the internal/LAN side first.
 
 .. code-block:: none
 
-  set firewall ipv4 forward filter default-action 'drop'
+  set firewall name OUTSIDE-IN default-action 'drop'
-  set firewall ipv4 forward filter rule 10 action 'accept'
+  set firewall name OUTSIDE-IN rule 10 action 'accept'
-  set firewall ipv4 forward filter rule 10 state established 'enable'
+  set firewall name OUTSIDE-IN rule 10 state established 'enable'
-  set firewall ipv4 forward filter rule 10 state related 'enable'
+  set firewall name OUTSIDE-IN rule 10 state related 'enable'
-  set firewall ipv4 forward filter rule 20 action 'drop'
-  set firewall ipv4 forward filter rule 20 state invalid 'enable'
-  set firewall ipv4 forward filter rule 30 inbound-interface interface-name 'eth1'
-  set firewall ipv4 forward filter rule 30 action 'accept'
 
-  set firewall ipv4 input filter default-action drop
+  set firewall name OUTSIDE-LOCAL default-action 'drop'
-  set firewall ipv4 input filter rule 10 action 'accept'
+  set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
-  set firewall ipv4 input filter rule 10 state established 'enable'
+  set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
-  set firewall ipv4 input filter rule 10 state related 'enable'
+  set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
-  set firewall ipv4 input filter rule 20 action 'drop'
+  set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
-  set firewall ipv4 input filter rule 20 state invalid 'enable'
+  set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
-  set firewall ipv4 input filter rule 30 action 'accept'
+  set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
-  set firewall ipv4 input filter rule 30 icmp type-name 'echo-request'
+  set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
-  set firewall ipv4 input filter rule 30 protocol 'icmp'
-  set firewall ipv4 input filter rule 30 state new 'enable'
 
 If you wanted to enable SSH access to your firewall from the outside/WAN
 interface, you could create some additional rules to allow that kind of
@@ -167,19 +159,24 @@ blocks brute-forcing attempts:
 
 .. code-block:: none
 
-  set firewall ipv4 input filter rule 40 action 'drop'
+  set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
-  set firewall ipv4 input filter rule 40 inbound-interface interface-name 'eth0'
+  set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
-  set firewall ipv4 input filter rule 40 destination port '22'
+  set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
-  set firewall ipv4 input filter rule 40 protocol 'tcp'
+  set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
-  set firewall ipv4 input filter rule 40 recent count '4'
+  set firewall name OUTSIDE-LOCAL rule 30 recent time 'minute'
-  set firewall ipv4 input filter rule 40 recent time 'minute'
+  set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
-  set firewall ipv4 input filter rule 40 state new 'enable'
 
-  set firewall ipv4 input filter rule 41 action 'accept'
+  set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
-  set firewall ipv4 input filter rule 41 destination port '22'
+  set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
-  set firewall ipv4 input filter rule 41 protocol 'tcp'
+  set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
-  set firewall ipv4 input filter rule 41 state new 'enable'
+  set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
 
+Apply the firewall policies:
+
+.. code-block:: none
+
+  set firewall interface eth0 in name 'OUTSIDE-IN'
+  set firewall interface eth0 local name 'OUTSIDE-LOCAL'
 
 Commit changes, save the configuration, and exit configuration mode: