Added new section about the different firewalls

Updated labels for the pages Added new pictures. Signed-off-by: Nephiaust <29741794+Nephiaust@users.noreply.github.com>
2025-12-13 09:02:02 +01:00 · 2023-09-18 01:08:00 +09:30 · 2023-09-18 01:08:00 +09:30 · 7d07926f37
commit 7d07926f37
parent d9a978cf58
7 changed files with 98 additions and 44 deletions
--- a/docs/_static/images/firewall-netfilter.png
+++ b/docs/_static/images/firewall-netfilter.png
--- a/docs/_static/images/firewall-traditional.png
+++ b/docs/_static/images/firewall-traditional.png
--- a/docs/_static/images/firewall-zonebased.png
+++ b/docs/_static/images/firewall-zonebased.png
--- a/docs/configuration/firewall/general-legacy.rst
+++ b/docs/configuration/firewall/general-legacy.rst
@ -1,10 +1,10 @@
 :lastproofread: 2021-06-29

-.. _firewall-legacy:
+.. _legacy-firewall:

-###############
-Firewall-Legacy
-###############
+###################################
+Firewall Configuration (Deprecated)
+###################################

 .. note:: **Important note:**
   This documentation is valid only for VyOS Sagitta prior to
--- a/docs/configuration/firewall/general.rst
+++ b/docs/configuration/firewall/general.rst
@ -1,10 +1,10 @@
-:lastproofread: 2021-06-29
+:lastproofread: 2023-09-17

-.. _firewall:
+.. _firewall-configuration:

-########
-Firewall
-########
+######################
+Firewall Configuration
+######################

 ********
 Overview
@ -17,48 +17,41 @@ The firewall supports the creation of groups for addresses, domains,
 interfaces, mac-addresses, networks and port groups. This groups can be used
 later in firewall ruleset as desired.

-.. note:: **Important note on usage of terms:**
-   The firewall makes use of the terms `forward`, `input`, and `output`
-   for firewall policy. More information of Netfilter hooks and Linux
-   networking packet flows can be found in `Netfilter-Hooks
-   <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_
-
-
 Main structure is shown next:

 .. code-block:: none

   - set firewall
       * global-options
-           + all-ping
-           + broadcast-ping
-           + ...
+            + all-ping
+            + broadcast-ping
+            + ...
       * group
-           - address-group
-           - ipv6-address-group
-           - network-group
-           - ipv6-network-group
-           - interface-group
-           - mac-group
-           - port-group
-           - domain-group
+            - address-group
+            - ipv6-address-group
+            - network-group
+            - ipv6-network-group
+            - interface-group
+            - mac-group
+            - port-group
+            - domain-group
       * ipv4
-           - forward
+            - forward
               + filter
-           - input
+            - input
               + filter
-           - output
+            - output
               + filter
-           - name
+            - name
               + custom_name
       * ipv6
-           - forward
+            - forward
               + filter
-           - input
+            - input
               + filter
-           - output
+            - output
               + filter
-           - ipv6-name
+            - ipv6-name
               + custom_name

 Where, main key words and configuration paths that needs to be understood:
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@ -1,24 +1,85 @@
+:lastproofread: 2023-09-17
+
 ########
 Firewall
 ########

-Starting from VyOS 1.4-rolling-202308040557, a new firewall structure
-can be found on all vyos installations. Documentation for most new firewall
-cli can be found here:
+.. attention:: 
+   Starting from VyOS 1.4-rolling-202308040557, a new firewall structure
+   can be found on all vyos installations.

+.. note:: 
+   The legacy and zone-based firewall configuration options is not longer
+   supported. They are here for reference purposes only.
+
+Netfilter based
+^^^^^^^^^^^^^^^
 .. toctree::
   :maxdepth: 1
   :includehidden:

   general

-Also, for those who haven't updated to newer version, legacy documentation is
-still present and valid for all sagitta version prior to VyOS
-1.4-rolling-202308040557:
+With VyOS being based on top of Linux and its kernel, the Netfilter project created
+the iptables and now the successor nftables for the Linux kernel to work directly
+on the data flows. This now extends the concept of zone-based security to allow
+for manipulating the data at multiple stages once accepted by the network interface
+and the driver before being handed off to the destination (e.g. a web server OR
+another device).

+To configure VyOS with the new :doc:`firewall configuration </configuration/firewall/general>`
+
+The only stages VyOS will process as part of the firewall configuration is the 
+`forward` (F4 stage), `input` (L4 stage), and `output` (L5 stage). All the other
+stages and steps are for reference and cant be manipulated through VyOS.
+
+In this example image, a simplifed traffic flow is shown to help provide context
+to the terms of `forward`, `input`, and `output` for the new firewall CLI format.
+
+.. figure:: /_static/images/firewall-netfilter.png
+
+.. note:: **For more information**
+   of Netfilter hooks and Linux networking packet flows can be
+   found in `Netfilter-Hooks
+   <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_
+
+Legacy Firewall
+^^^^^^^^^^^^^^^
 .. toctree::
   :maxdepth: 1
   :includehidden:

   general-legacy
+
+Traditionally firewalls weere configured with the concept of data going in and
+out of an interface. The router just listened to the data flowing through and
+responding as required if it was directed at the router itself.
+
+To configure VyOS with the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>`
+
+As the example image below shows, the device was configured with rules blocking
+inbound or outbound traffic on each interface.
+
+.. figure:: /_static/images/firewall-traditional.png
+
+Zone-based firewall
+^^^^^^^^^^^^^^^^^^^
+.. toctree::
+   :maxdepth: 1
+   :includehidden:
+
   zone
+
+With zone-based firewalls a new concept was implemented, in addtion to the standard
+in and out traffic flows, a local flow was added. This local was for traffic
+originating and destined to the router itself. Which means additional rules were 
+required to secure the firewall itself from the network, in addition to the existing
+inbound and outbound rules from the traditional concept above.
+
+To configure VyOS with the :doc:`zone-based firewall configuration </configuration/firewall/zone>`
+
+As the example image below shows, the device now needs rules to allow/block traffic
+to or from the services running on the device that have open connections on that
+interface.
+
+.. figure:: /_static/images/firewall-zonebased.png
--- a/docs/configuration/firewall/zone.rst
+++ b/docs/configuration/firewall/zone.rst
@ -2,9 +2,9 @@

 .. _firewall-zone:

-###################
-Zone Based Firewall
-###################
+################################
+Zone Based Firewall (Deprecated)
+################################

 .. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall
   structure can be found on all vyos instalations, and zone based firewall is