proofread and update firewall docs

2025-10-26 08:41:46 +01:00 · 2024-07-03 17:26:08 +01:00 · 2024-07-03 17:26:08 +01:00 · 8214ffe4c6
commit 8214ffe4c6
parent 63ee8dfafa
10 changed files with 247 additions and 250 deletions
--- a/docs/automation/cloud-init.rst
+++ b/docs/automation/cloud-init.rst
@ -1,4 +1,4 @@
-:lastproofread: 2021-07-12
+:lastproofread: 2024-07-03
 .. _cloud-init:
--- a/docs/configuration/container/index.rst
+++ b/docs/configuration/container/index.rst
@ -1,10 +1,10 @@
-:lastproofread: 2022-06-10
+:lastproofread: 2024-07-03
 #########
 Container
 #########
-The VyOS container implementation is based on `Podman<https://podman.io/>` as
+The VyOS container implementation is based on `Podman <https://podman.io/>`_ as
 a deamonless container engine.
 *************
--- a/docs/configuration/firewall/bridge.rst
+++ b/docs/configuration/firewall/bridge.rst
@ -1,4 +1,4 @@
-:lastproofread: 2023-11-08
+:lastproofread: 2024-07-03
 .. _firewall-configuration:
@ -12,13 +12,13 @@ Bridge Firewall Configuration
 Overview
 ********
-In this section there's useful information of all firewall configuration that
+In this section there's useful information on all firewall configuration that
-can be done regarding bridge, and appropriate op-mode commands.
+can be done regarding bridges, and appropriate op-mode commands.
 Configuration commands covered in this section:
 .. cfgcmd:: set firewall bridge ...
-From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>`
+From the main structure defined in :doc:`Firewall Overview</configuration/firewall/index>`
 in this section you can find detailed information only for the next part
 of the general structure:
@ -41,7 +41,7 @@ For traffic that needs to be forwarded internally by the bridge, base chain is
 is **forward**, and it's base command for filtering is ``set firewall bridge
 forward filter ...``, which happens in stage 4, highlighted with red color.
-Custom bridge firewall chains can be create with command ``set firewall bridge
+Custom bridge firewall chains can be created with the command ``set firewall bridge
 name <name> ...``. In order to use such custom chain, a rule with action jump,
 and the appropriate target should be defined in a base chain.
@ -55,9 +55,9 @@ and the appropriate target should be defined in a base chain.
 Bridge Rules
 ************
-For firewall filtering, firewall rules needs to be created. Each rule is
+For firewall filtering, firewall rules need to be created. Each rule is
 numbered, has an action to apply if the rule is matched, and the ability
-to specify multiple criteria matchers. Data packets go through the rules
+to specify multiple matching criteria. Data packets go through the rules
 from 1 - 999999, so order is crucial. At the first match the action of the
 rule will be executed.
@ -65,7 +65,7 @@ Actions
 =======
 If a rule is defined, then an action must be defined for it. This tells the
-firewall what to do if all criteria matchers defined for such rule do match.
+firewall what to do if all matching criterea in the rule are met.
 In firewall bridge rules, the action can be:
@ -101,7 +101,7 @@ In firewall bridge rules, the action can be:
   queue <0-65535>
   To be used only when action is set to ``queue``. Use this command to specify
-   queue target to use. Queue range is also supported.
+   the queue target to use. Queue range is also supported.
 .. cfgcmd:: set firewall bridge forward filter rule <1-999999>
   queue-options bypass
@ -121,7 +121,7 @@ In firewall bridge rules, the action can be:
   distribute packets between several queues.
 Also, **default-action** is an action that takes place whenever a packet does
-not match any rule in it's chain. For base chains, possible options for
+not match any rule in its' chain. For base chains, possible options for
 **default-action** are **accept** or **drop**.
 .. cfgcmd:: set firewall bridge forward filter default-action
@ -129,10 +129,10 @@ not match any rule in it's chain. For base chains, possible options for
 .. cfgcmd:: set firewall bridge name <name> default-action
   [accept | continue | drop | jump | queue | return]
-   This set the default action of the rule-set if no rule matched a packet
+   This sets the default action of the rule-set if a packet does not match
-   criteria. If default-action is set to ``jump``, then
+   any of the rules in that chain. If default-action is set to ``jump``, then
   ``default-jump-target`` is also needed. Note that for base chains, default
-   action can only be set to ``accept`` or ``drop``, while on custom chain,
+   action can only be set to ``accept`` or ``drop``, while on custom chains
   more actions are available.
 .. cfgcmd:: set firewall bridge name <name> default-jump-target <text>
@ -141,9 +141,9 @@ not match any rule in it's chain. For base chains, possible options for
   command to specify jump target for default rule.
 .. note:: **Important note about default-actions:**
-   If default action for any base chain is not defined, then the default
+   If the default action for any base chain is not defined, then the default
-   action is set to **accept** for that chain. For custom chains, if default
+   action is set to **accept** for that chain. For custom chains, if the 
-   action is not defined, then the default-action is set to **drop**.
+   default action is not defined, then the default-action is set to **drop**.
 Firewall Logs
 =============
@ -155,7 +155,7 @@ log options can be defined.
 .. cfgcmd:: set firewall bridge name <name> rule <1-999999> log
   Enable logging for the matched packet. If this configuration command is not
-   present, then log is not enabled.
+   present, then the log is not enabled.
 .. cfgcmd:: set firewall bridge forward filter default-log
 .. cfgcmd:: set firewall bridge name <name> default-log
@ -170,14 +170,15 @@ log options can be defined.
   log-options level [emerg | alert | crit | err | warn | notice
   | info | debug]
-   Define log-level. Only applicable if rule log is enable.
+   Define log-level. Only applicable if rule log is enabled.
 .. cfgcmd:: set firewall bridge forward filter rule <1-999999>
   log-options group <0-65535>
 .. cfgcmd:: set firewall bridge name <name> rule <1-999999>
   log-options group <0-65535>
-   Define log group to send message to. Only applicable if rule log is enable.
+   Define the log group to send messages to. Only applicable if rule log is
   enabled.
 .. cfgcmd:: set firewall bridge forward filter rule <1-999999>
   log-options snapshot-length <0-9000>
@ -185,15 +186,16 @@ log options can be defined.
   log-options snapshot-length <0-9000>
   Define length of packet payload to include in netlink message. Only
-   applicable if rule log is enable and log group is defined.
+   applicable if rule log is enabled and the log group is defined.
 .. cfgcmd:: set firewall bridge forward filter rule <1-999999>
   log-options queue-threshold <0-65535>
 .. cfgcmd:: set firewall bridge name <name> rule <1-999999>
   log-options queue-threshold <0-65535>
-   Define number of packets to queue inside the kernel before sending them to
+   Define the number of packets to queue inside the kernel before sending them
-   userspace. Only applicable if rule log is enable and log group is defined.
+   to userspace. Only applicable if rule log is enabled and the log group is 
   defined.
 Firewall Description
 ====================
@ -207,7 +209,7 @@ For reference, a description can be defined for every defined custom chain.
 Rule Status
 ===========
-When defining a rule, it is enable by default. In some cases, it is useful to
+When defining a rule, it is enabled by default. In some cases, it is useful to
 just disable the rule, rather than removing it.
 .. cfgcmd:: set firewall bridge forward filter rule <1-999999> disable
--- a/docs/configuration/firewall/flowtables.rst
+++ b/docs/configuration/firewall/flowtables.rst
@ -1,4 +1,4 @@
-:lastproofread: 2024-06-20
+:lastproofread: 2024-07-02
 .. _firewall-flowtables-configuration:
@ -12,12 +12,12 @@ Flowtables Firewall Configuration
 Overview
 ********
-In this section there's useful information of all firewall configuration that
+In this section there's useful information on all firewall configuration that
 can be done regarding flowtables.
 .. cfgcmd:: set firewall flowtables ...
-From main structure defined in
+From the main structure defined in
 :doc:`Firewall Overview</configuration/firewall/index>`
 in this section you can find detailed information only for the next part
 of the general structure:
@ -30,7 +30,7 @@ of the general structure:
               + ...
-Flowtables  allows you to define a fastpath through the flowtable datapath.
+Flowtables allow you to define a fastpath through the flowtable datapath.
 The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP
 and UDP protocols.
@ -107,10 +107,10 @@ Things to be considered in this setup:
   * Minimum firewall ruleset is provided, which includes some filtering rules,
     and appropriate rules for using flowtable offload capabilities.
-As described, first packet will be evaluated by all the firewall path, so
+As described, the first packet will be evaluated by the firewall path, so a
 desired connection should be explicitly accepted. Same thing should be taken
 into account for traffic in reverse order. In most cases state policies are
-used in order to accept connection in reverse patch.
+used in order to accept a connection in the reverse path.
 We will only accept traffic coming from interface eth0, protocol tcp and
 destination port 1122. All other traffic trespassing the router should be
@ -142,7 +142,7 @@ Explanation
 Analysis on what happens for desired connection:
-   1. First packet is received on eth0, with destination address 192.0.2.100,
+   1. Firstly, a packet is received on eth0, with destination address 192.0.2.100,
   protocol tcp and destination port 1122. Assume such destination address is
   reachable through interface eth1.
@ -151,22 +151,22 @@ Analysis on what happens for desired connection:
   3. Rule 110 is hit, so connection is accepted.
-   4. Once answer from server 192.0.2.100 is seen in opposite direction,
+   4. Once an answer from server 192.0.2.100 is seen in opposite direction,
   connection state will be triggered to **established**, so this reply is
   accepted in rule 20.
-   5. Second packet for this connection is received by the router. Since
+   5. The second packet for this connection is received by the router. Since
   connection state is **established**, then rule 10 is hit, and a new entry
   in the flowtable FT01 is added for this connection.
-   6. All the following packets will skip traditional path, and will be offloaded
+   6. All the following packets will skip the traditional path, will be
-   and will use the **Fast Path**.
+   offloaded and use the **Fast Path**.
 Checks
 ------
-It's time to check conntrack table, to see if any connection was accepted,
+It's time to check the conntrack table, to see if any connections were accepted,
-and if was properly offloaded
+and if it was properly offloaded
 .. code-block:: none
--- a/docs/configuration/firewall/global-options.rst
+++ b/docs/configuration/firewall/global-options.rst
@ -1,4 +1,4 @@
-:lastproofread: 2023-12-26
+:lastproofread: 2024-07-03
 .. _firewall-global-options-configuration:
@ -25,7 +25,7 @@ Configuration
 .. cfgcmd:: set firewall global-options all-ping [enable | disable]
   By default, when VyOS receives an ICMP echo request packet destined for
-   itself, it will answer with an ICMP echo reply, unless you avoid it
+   itself, it will answer with an ICMP echo reply, unless you prevent it
   through its firewall.
   With the firewall you can set rules to accept, drop or reject ICMP in,
@ -55,7 +55,7 @@ Configuration
 .. cfgcmd:: set firewall global-options broadcast-ping [enable | disable]
-   This setting enable or disable the response of icmp broadcast
+   This setting enables or disables the response to icmp broadcast
   messages. The following system parameter will be altered:
   * ``net.ipv4.icmp_echo_ignore_broadcasts``
@ -63,8 +63,8 @@ Configuration
 .. cfgcmd:: set firewall global-options ip-src-route [enable | disable]
 .. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable]
-   This setting handle if VyOS accept packets with a source route
+   This setting handles if VyOS accepts packets with a source route
-   option. The following system parameter will be altered:
+   option. The following system parameters will be altered:
   * ``net.ipv4.conf.all.accept_source_route``
   * ``net.ipv6.conf.all.accept_source_route``
@ -73,22 +73,22 @@ Configuration
 .. cfgcmd:: set firewall global-options ipv6-receive-redirects
   [enable | disable]
-   enable or disable of ICMPv4 or ICMPv6 redirect messages accepted
+   Enable or disable ICMPv4 or ICMPv6 redirect messages being accepted by
-   by VyOS. The following system parameter will be altered:
+   VyOS. The following system parameters will be altered:
   * ``net.ipv4.conf.all.accept_redirects``
   * ``net.ipv6.conf.all.accept_redirects``
 .. cfgcmd:: set firewall global-options send-redirects [enable | disable]
-   enable or disable ICMPv4 redirect messages send by VyOS
+   Enable or disable ICMPv4 redirect messages being sent by VyOS
   The following system parameter will be altered:
   * ``net.ipv4.conf.all.send_redirects``
 .. cfgcmd:: set firewall global-options log-martians [enable | disable]
-   enable or disable the logging of martian IPv4 packets.
+   Enable or disable the logging of martian IPv4 packets.
   The following system parameter will be altered:
   * ``net.ipv4.conf.all.log_martians``
@ -103,7 +103,7 @@ Configuration
 .. cfgcmd:: set firewall global-options syn-cookies [enable | disable]
-   Enable or Disable if VyOS use IPv4 TCP SYN Cookies.
+   Enable or disable if VyOS uses IPv4 TCP SYN Cookies.
   The following system parameter will be altered:
   * ``net.ipv4.tcp_syncookies``
@ -111,7 +111,7 @@ Configuration
 .. cfgcmd:: set firewall global-options twa-hazards-protection
   [enable | disable]
-   Enable or Disable VyOS to be :rfc:`1337` conform.
+   Enable or Disable VyOS to be :rfc:`1337` conformant.
   The following system parameter will be altered:
   * ``net.ipv4.tcp_rfc1337``
--- a/docs/configuration/firewall/groups.rst
+++ b/docs/configuration/firewall/groups.rst
@ -1,4 +1,4 @@
-:lastproofread: 2023-11-08
+:lastproofread: 2024-07-03
 .. _firewall-groups-configuration:
@ -18,8 +18,7 @@ matcher, and/or as inbound/outbound in the case of interface group.
 Address Groups
 ==============
-In an **address group** a single IP address or IP address ranges are
+In an **address group** a single IP address or IP address range is defined.
 defined.
 .. cfgcmd:: set firewall group address-group <name> address [address |
   address range]
@ -43,7 +42,7 @@ Network Groups
 While **network groups** accept IP networks in CIDR notation, specific
 IP addresses can be added as a 32-bit prefix. If you foresee the need
-to add a mix of addresses and networks, the network group is
+to add a mix of addresses and networks, then a network group is
 recommended.
 .. cfgcmd:: set firewall group network-group <name> network <CIDR>
@ -197,9 +196,9 @@ Commands used for this task are:
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> add-address-to-group
   source-address address-group <name>
-Also, specific timeout can be defined per rule. In case rule gets a hit,
+Also, specific timeouts can be defined per rule. In case rule gets a hit,
-source or destinatination address will be added to the group, and this
+a source or destinatination address will be added to the group, and this
-element will remain in the group until timeout expires. If no timeout
+element will remain in the group until the timeout expires. If no timeout
 is defined, then the element will remain in the group until next reboot,
 or until a new commit that changes firewall configuration is done.
@ -324,7 +323,7 @@ A 4 step port knocking example is shown next:
      set firewall ipv4 input filter rule 99 protocol 'tcp'
      set firewall ipv4 input filter rule 99 source group dynamic-address-group 'ALLOWED'
-Before testing, we can check members of firewall groups:
+Before testing, we can check the members of firewall groups:
   .. code-block:: none
@ -339,7 +338,7 @@ Before testing, we can check members of firewall groups:
      [edit]
      vyos@vyos#
-With this configuration, in order to get ssh access to the router, user
+With this configuration, in order to get ssh access to the router, the user
 needs to:
 1. Generate a new TCP connection with destination port 9990. As shown next,
@ -390,7 +389,7 @@ a new entry was added to dynamic firewall group **ALLOWED**
      [edit]
      vyos@vyos#
-4. Now user can connect through ssh to the router (assuming ssh is configured).
+4. Now the user can connect through ssh to the router (assuming ssh is configured).
 **************
 Operation-mode
--- a/docs/configuration/firewall/index.rst
+++ b/docs/configuration/firewall/index.rst
@ -1,4 +1,4 @@
-:lastproofread: 2023-11-23
+:lastproofread: 2024-07-03
 ########
 Firewall
@ -28,11 +28,11 @@ packet is processed at the **IP Layer**:
   * **Prerouting**: All packets that are received by the router
     are processed in this stage, regardless of the destination of the packet.
-     Starting from vyos-1.5-rolling-202406120020, a new section was added to
+     Starting from vyos-1.5-rolling-202406120020, a new section was added to 
-     firewall configuration. There are several actions that can be done in this
+     the firewall configuration. There are several actions that can be done in
-     stage, and currently these actions are also defined in different parts in
+     this stage, and currently these actions are also defined in different
-     VyOS configuration. Order is important, and relevant configuration that
+     parts of the VyOS configuration. Order is important, and the relevant 
-     acts in this stage are:
+     configuration that acts in this stage are:
      * **Firewall prerouting**: rules defined under ``set firewall [ipv4 |
        ipv6] prerouting raw...``. All rules defined in this section are
@ -50,9 +50,9 @@ packet is processed at the **IP Layer**:
      * **Destination NAT**: rules defined under ``set [nat | nat66]
        destination...``.
-   * **Destination is the router?**: choose appropriate path based on
+   * **Destination is the router?**: choose an appropriate path based on
     destination IP address. Transit forward continues to **forward**,
-     while traffic that destination IP address is configured on the router
+     while traffic where the destination IP address is configured on the router
     continues to **input**.
   * **Input**: stage where traffic destined for the router itself can be
@ -73,7 +73,7 @@ packet is processed at the **IP Layer**:
   * **Output**: stage where traffic that originates from the router itself
     can be filtered and controlled. Bear in mind that this traffic can be a
-     new connection originated by a internal process running on VyOS router,
+     new connection originated by a internal process running on the VyOS router
     such as NTP, or a response to traffic received externally through
     **input** (for example response to an ssh login attempt to the router).
     This includes ipv4 and ipv6 rules, and two different sections are present:
@ -181,10 +181,10 @@ Zone-based firewall
   zone
 With zone-based firewalls a new concept was implemented, in addition to the
-standard in and out traffic flows, a local flow was added. This local was for
+standard in and out traffic flows, a local flow was added. This local flow was
-traffic originating and destined to the router itself. Which means additional
+for traffic originating and destined to the router itself. Which means that 
-rules were required to secure the firewall itself from the network, in
+additional rules were required to secure the firewall itself from the network,
-addition to the existing inbound and outbound rules from the traditional
+in addition to the existing inbound and outbound rules from the traditional
 concept above.
 To configure VyOS with the
--- a/docs/configuration/firewall/ipv4.rst
+++ b/docs/configuration/firewall/ipv4.rst
@ -1,4 +1,4 @@
-:lastproofread: 2023-11-08
+:lastproofread: 2024-07-03
 .. _firewall-ipv4-configuration:
@ -10,13 +10,13 @@ IPv4 Firewall Configuration
 Overview
 ********
-In this section there's useful information of all firewall configuration that
+In this section there's useful information on all firewall configuration that
 can be done regarding IPv4, and appropriate op-mode commands.
 Configuration commands covered in this section:
 .. cfgcmd:: set firewall ipv4 ...
-From main structure defined in
+From the main structure defined in
 :doc:`Firewall Overview</configuration/firewall/index>`
 in this section you can find detailed information only for the next part
 of the general structure:
@ -51,28 +51,28 @@ This stage includes:
   * :doc:`Destination NAT</configuration/nat/nat44>`: commands found under
     ``set nat destination ...``
-For transit traffic, which is received by the router and forwarded, base chain
+For transit traffic, which is received by the router and forwarded, the base
-is **forward**. A simplified packet flow diagram for transit traffic is shown
+chain is **forward**. A simplified packet flow diagram for transit traffic is
-next:
+shown next:
 .. figure:: /_static/images/firewall-fwd-packet-flow.png
-Firewall base chain to configure firewall filtering rules for transit traffic
+The base firewall chain to configure filtering rules for transit traffic
 is ``set firewall ipv4 forward filter ...``, which happens in stage 5,
-highlighted with red color.
+highlighted in the color red.
-For traffic towards the router itself, base chain is **input**, while traffic
+For traffic towards the router itself, the base chain is **input**, while
-originated by the router, base chain is **output**.
+traffic originated by the router has the base chain **output**.
 A new simplified packet flow diagram is shown next, which shows the path
 for traffic destined to the router itself, and traffic generated by the
 router (starting from circle number 6):
 .. figure:: /_static/images/firewall-input-packet-flow.png
-Base chain for traffic towards the router is ``set firewall ipv4 input
+The base chain for traffic towards the router is ``set firewall ipv4 input
 filter ...``
-And base chain for traffic generated by the router is ``set firewall ipv4
+And the base chain for traffic generated by the router is ``set firewall ipv4
 output ...``, where two sub-chains are available: **filter** and **raw**:
 * **Output Prerouting**: ``set firewall ipv4 output raw ...``.
@ -82,9 +82,9 @@ output ...``, where two sub-chains are available: **filter** and **raw**:
  in this section are processed after connection tracking subsystem.
 .. note:: **Important note about default-actions:**
-   If default action for any base chain is not defined, then the default
+   If a default action for any base chain is not defined, then the default
-   action is set to **accept** for that chain. For custom chains, if default
+   action is set to **accept** for that chain. For custom chains, if the 
-   action is not defined, then the default-action is set to **drop**
+   default action is not defined, then the default-action is set to **drop**
 Custom firewall chains can be created, with commands
 ``set firewall ipv4 name <name> ...``. In order to use
@ -95,9 +95,9 @@ should be defined in a base chain.
 Firewall - IPv4 Rules
 *********************
-For firewall filtering, firewall rules needs to be created. Each rule is
+For firewall filtering, firewall rules need to be created. Each rule is
 numbered, has an action to apply if the rule is matched, and the ability
-to specify multiple criteria matchers. Data packets go through the rules
+to specify multiple matching criteria. Data packets go through the rules
 from 1 - 999999, so order is crucial. At the first match the action of the
 rule will be executed.
@ -105,7 +105,7 @@ Actions
 =======
 If a rule is defined, then an action must be defined for it. This tells the
-firewall what to do if all criteria matchers defined for such rule do match.
+firewall what to do if all of the criteria defined for that rule match.
 The action can be :
@ -135,8 +135,8 @@ The action can be :
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action
   [accept | continue | drop | jump | queue | reject | return]
-   This required setting defines the action of the current rule. If action is
+   This required setting defines the action of the current rule. If the action
-   set to jump, then jump-target is also needed.
+   is set to jump, then a jump-target is also needed.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   jump-target <text>
@ -148,7 +148,7 @@ The action can be :
   jump-target <text>
   To be used only when action is set to ``jump``. Use this command to specify
-   jump target.
+   the jump target.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   queue <0-65535>
@ -160,7 +160,7 @@ The action can be :
   queue <0-65535>
   To be used only when action is set to ``queue``. Use this command to specify
-   queue target to use. Queue range is also supported.
+   the queue target to use. Queue range is also supported.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   queue-options bypass
@ -171,7 +171,7 @@ The action can be :
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   queue-options bypass
-   To be used only when action is set to ``queue``. Use this command to let
+   To be used only when action is set to ``queue``. Use this command to let the
   packet go through firewall when no userspace software is connected to the
   queue.
@ -200,21 +200,21 @@ not match any rule in it's chain. For base chains, possible options for
 .. cfgcmd:: set firewall ipv4 name <name> default-action
   [accept | drop | jump | queue | reject | return]
-   This set the default action of the rule-set if no rule matched a packet
+   This sets the default action of the rule-set if a packet does not match the
-   criteria. If default-action is set to ``jump``, then
+   criteria of any rule. If default-action is set to ``jump``, then
-   ``default-jump-target`` is also needed. Note that for base chains, default
+   ``default-jump-target`` is also needed. Note that for base chains, the
-   action can only be set to ``accept`` or ``drop``, while on custom chain,
+   default action can only be set to ``accept`` or ``drop``, while on custom 
-   more actions are available.
+   chains, more actions are available.
 .. cfgcmd:: set firewall ipv4 name <name> default-jump-target <text>
   To be used only when ``default-action`` is set to ``jump``. Use this
-   command to specify jump target for default rule.
+   command to specify the jump target for the default rule.
 .. note:: **Important note about default-actions:**
-   If default action for any base chain is not defined, then the default
+   If the default action for any base chain is not defined, then the default
-   action is set to **accept** for that chain. For custom chains, if default
+   action is set to **accept** for that chain. For custom chains if a default
-   action is not defined, then the default-action is set to **drop**.
+   action is not defined then the default-action is set to **drop**.
 Firewall Logs
 =============
@ -228,7 +228,7 @@ log options can be defined.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> log
   Enable logging for the matched packet. If this configuration command is not
-   present, then log is not enabled.
+   present, then the log is not enabled.
 .. cfgcmd:: set firewall ipv4 forward filter default-log
 .. cfgcmd:: set firewall ipv4 input filter default-log
@ -251,7 +251,7 @@ log options can be defined.
   log-options level [emerg | alert | crit | err | warn | notice
   | info | debug]
-   Define log-level. Only applicable if rule log is enable.
+   Define log-level. Only applicable if rule log is enabled.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   log-options group <0-65535>
@ -262,7 +262,8 @@ log options can be defined.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   log-options group <0-65535>
-   Define log group to send message to. Only applicable if rule log is enable.
+   Define the log group to send messages to. Only applicable if rule log is
   enabled.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   log-options snapshot-length <0-9000>
@ -273,8 +274,8 @@ log options can be defined.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   log-options snapshot-length <0-9000>
-   Define length of packet payload to include in netlink message. Only
+   Define the length of packet payload to include in a netlink message. Only
-   applicable if rule log is enable and log group is defined.
+   applicable if rule log is enabled and log group is defined.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   log-options queue-threshold <0-65535>
@ -285,8 +286,8 @@ log options can be defined.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   log-options queue-threshold <0-65535>
-   Define number of packets to queue inside the kernel before sending them to
+   Define the number of packets to queue inside the kernel before sending them
-   userspace. Only applicable if rule log is enable and log group is defined.
+   to userspace. Only applicable if rule log is enabled and log group is defined.
 Firewall Description
 ====================
@ -311,7 +312,7 @@ every defined custom chain.
 Rule Status
 ===========
-When defining a rule, it is enable by default. In some cases, it is useful to
+When defining a rule, it is enabled by default. In some cases, it is useful to
 just disable the rule, rather than removing it.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999> disable
@ -335,7 +336,7 @@ There are a lot of matching criteria against which the packet can be tested.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   connection-status nat [destination | source]
-   Match criteria based on nat connection status.
+   Match based on nat connection status.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   connection-mark <1-2147483647>
@ -346,7 +347,7 @@ There are a lot of matching criteria against which the packet can be tested.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   connection-mark <1-2147483647>
-   Match criteria based on connection mark.
+   Match based on connection mark.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   conntrack-helper <module>
@ -445,8 +446,8 @@ There are a lot of matching criteria against which the packet can be tested.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   destination fqdn <fqdn>
-   Specify a Fully Qualified Domain Name as source/destination matcher. Ensure
+   Specify a Fully Qualified Domain Name as source/destination to match. Ensure
-   router is able to resolve such dns query.
+   that the router is able to resolve this dns query.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   source geoip country-code <country>
@ -503,14 +504,13 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   source mac-address <mac-address>
-   Only in the source criteria, you can specify a mac-address.
+   You can only specify a source mac-address to match.
   .. code-block:: none
      set firewall ipv4 input filter rule 100 source mac-address 00:53:00:11:22:33
      set firewall ipv4 input filter rule 101 source mac-address !00:53:00:aa:12:34
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   source port [1-65535 | portname | start-end]
 .. cfgcmd:: set firewall ipv4 input filter rule <1-999999>
@ -529,8 +529,7 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   destination port [1-65535 | portname | start-end]
-   A port can be set with a port number or a name which is here
+   A port can be set by number or name as defined in ``/etc/services``.
   defined: ``/etc/services``.
   .. code-block:: none
@ -559,8 +558,8 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   destination group address-group <name | !name>
-   Use a specific address-group. Prepend character ``!`` for inverted matching
+   Use a specific address-group. Prepending the character ``!`` to invert the
-   criteria.
+   criteria to match is also supported.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   source group dynamic-address-group <name | !name>
@ -580,8 +579,8 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   destination group dynamic-address-group <name | !name>
-   Use a specific dynamic-address-group. Prepend character ``!`` for inverted
+   Use a specific dynamic-address-group. Prepending the character ``!`` to
-   matching criteria.
+   invert the criteria to match is also supported.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   source group network-group <name | !name>
@ -601,8 +600,8 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   destination group network-group <name | !name>
-   Use a specific network-group. Prepend character ``!`` for inverted matching
+   Use a specific network-group. Prepending the character ``!`` to invert the
-   criteria.
+   criteria to match is also supported.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   source group port-group <name | !name>
@ -622,8 +621,8 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   destination group port-group <name | !name>
-   Use a specific port-group. Prepend character ``!`` for inverted matching
+   Use a specific port-group. Prepending the character ``!`` to invert the
-   criteria.
+   criteria to match is also supported.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   source group domain-group <name | !name>
@ -643,8 +642,8 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   destination group domain-group <name | !name>
-   Use a specific domain-group. Prepend character ``!`` for inverted matching
+   Use a specific domain-group. Prepending the character ``!`` to invert the
-   criteria.
+   criteria to match is also supported.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   source group mac-group <name | !name>
@ -664,8 +663,8 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   destination group mac-group <name | !name>
-   Use a specific mac-group. Prepend character ``!`` for inverted matching
+   Use a specific mac-group. Prepending the character ``!`` to invert the
-   criteria.
+   criteria to match is also supported.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   dscp [0-63 | start-end]
@ -696,7 +695,7 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   fragment [match-frag | match-non-frag]
-   Match based on fragment criteria.
+   Match based on fragmentation.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   icmp [code | type] <0-255>
@ -718,7 +717,7 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   icmp type-name <text>
-   Match based on icmp type-name criteria. Use tab for information
+   Match based on icmp type-name. Use tab for information
   about what **type-name** criteria are supported.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
@ -729,11 +728,11 @@ geoip) to keep database and rules updated.
   inbound-interface name <iface>
   Match based on inbound interface. Wildcard ``*`` can be used.
-   For example: ``eth2*``. Prepending character ``!`` for inverted matching
+   For example: ``eth2*``. Prepending the character ``!`` to invert the
-   criteria is also supported. For example ``!eth2``
+   criteria to match is also supported. For example ``!eth2``
 .. note:: If an interface is attached to a non-default vrf, when using
-   **inbound-interface**, vrf name must be used. For example ``set firewall
+   **inbound-interface**, the vrf name must be used. For example ``set firewall
   ipv4 forward filter rule 10 inbound-interface name MGMT``
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
@ -743,8 +742,8 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   inbound-interface group <iface_group>
-   Match based on inbound interface group. Prepending character ``!`` for
+   Match based on the inbound interface group. Prepending the character ``!`` 
-   inverted matching criteria is also supported. For example ``!IFACE_GROUP``
+   to invert the criteria to match is also supported. For example ``!IFACE_GROUP``
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   outbound-interface name <iface>
@ -754,11 +753,11 @@ geoip) to keep database and rules updated.
   outbound-interface name <iface>
   Match based on outbound interface. Wildcard ``*`` can be used.
-   For example: ``eth2*``. Prepending character ``!`` for inverted matching
+   For example: ``eth2*``. Prepending the character ``!`` to invert the
-   criteria is also supported. For example ``!eth2``
+   criteria to match is also supported. For example ``!eth2``
 .. note:: If an interface is attached to a non-default vrf, when using
-   **outbound-interface**, real interface name must be used. For example
+   **outbound-interface**, the real interface name must be used. For example
   ``set firewall ipv4 forward filter rule 10 outbound-interface name eth0``
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
@ -768,8 +767,8 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   outbound-interface group <iface_group>
-   Match based on outbound interface group. Prepending character ``!`` for
+   Match based on outbound interface group. Prepending the character ``!`` to
-   inverted matching criteria is also supported. For example ``!IFACE_GROUP``
+   invert the criteria to match is also supported. For example ``!IFACE_GROUP``
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   ipsec [match-ipsec | match-none]
@ -780,7 +779,7 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   ipsec [match-ipsec | match-none]
-   Match based on ipsec criteria.
+   Match based on ipsec.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   limit burst <0-4294967295>
@ -823,7 +822,7 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   packet-length-exclude <text>
-   Match based on packet length criteria. Multiple values from 1 to 65535
+   Match based on the packet length. Multiple values from 1 to 65535
   and ranges are supported.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
@ -835,7 +834,7 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   packet-type [broadcast | host | multicast | other]
-   Match based on packet type criteria.
+   Match based on the packet type.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   protocol [<text> | <0-255> | all | tcp_udp]
@ -846,10 +845,9 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   protocol [<text> | <0-255> | all | tcp_udp]
-   Match a protocol criteria. A protocol number or a name which is here
+   Match based on protocol number or name as defined in ``/etc/protocols``.
   defined: ``/etc/protocols``.
   Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
-   based packets. The ``!`` negate the selected protocol.
+   based packets. The ``!`` negates the selected protocol.
   .. code-block:: none
@ -874,7 +872,7 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   recent time [second | minute | hour]
-   Match bases on recently seen sources.
+   Match based on recently seen sources.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   tcp flags [not] <text>
@ -958,8 +956,8 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999>
   ttl <eq | gt | lt> <0-255>
-   Match time to live parameter, where 'eq' stands for 'equal'; 'gt' stands for
+   Match the time to live parameter, where 'eq' stands for 'equal'; 'gt' stands
-   'greater than', and 'lt' stands for 'less than'.
+   for 'greater than', and 'lt' stands for 'less than'.
 .. cfgcmd:: set firewall ipv4 forward filter rule <1-999999>
   recent count <1-255>
@ -994,7 +992,7 @@ Synproxy connections
 .. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999>
   synproxy tcp mss <501-65535>
-    Set TCP-MSS (maximum segment size) for the connection
+    Set the TCP-MSS (maximum segment size) for the connection
 .. cfgcmd:: set firewall ipv4 [input | forward] filter rule <1-999999>
   synproxy tcp window-scale <1-14>
@ -1028,7 +1026,6 @@ Requirements to enable synproxy:
  set firewall ipv4 input filter rule 1000 action 'drop'
  set firewall ipv4 input filter rule 1000 state invalid
 ***********************
 Operation-mode Firewall
 ***********************
@ -1038,7 +1035,7 @@ Rule-set overview
 .. opcmd:: show firewall
-   This will show you a basic firewall overview, for all ruleset, and not
+   This will show you a basic firewall overview, for all rule-sets, and not
   only for ipv4
   .. code-block:: none
--- a/docs/configuration/firewall/ipv6.rst
+++ b/docs/configuration/firewall/ipv6.rst
@ -1,4 +1,4 @@
-:lastproofread: 2023-11-08
+:lastproofread: 2024-07-03
 .. _firewall-ipv6-configuration:
@ -10,13 +10,13 @@ IPv6 Firewall Configuration
 Overview
 ********
-In this section there's useful information of all firewall configuration that
+In this section there's useful information on all firewall configuration that
 can be done regarding IPv6, and appropriate op-mode commands.
 Configuration commands covered in this section:
 .. cfgcmd:: set firewall ipv6 ...
-From main structure defined in
+From the main structure defined in
 :doc:`Firewall Overview</configuration/firewall/index>`
 in this section you can find detailed information only for the next part
 of the general structure:
@ -51,29 +51,29 @@ This stage includes:
   * :doc:`Destination NAT</configuration/nat/nat44>`: commands found under
     ``set nat66 destination ...``
-For transit traffic, which is received by the router and forwarded, base chain
+For transit traffic, which is received by the router and forwarded, the base
-is **forward**. A simplified packet flow diagram for transit traffic is shown
+chain is **forward**. A simplified packet flow diagram for transit traffic is
-next:
+shown next:
 .. figure:: /_static/images/firewall-fwd-packet-flow.png
-Firewall base chain to configure firewall filtering rules for transit traffic
+The base firewall chain to configure filtering rules for transit traffic
 is ``set firewall ipv6 forward filter ...``, which happens in stage 5,
-highlighted with red color.
+highlighted in the color red.
-For traffic towards the router itself, base chain is **input**, while traffic
+For traffic towards the router itself, the base chain is **input**, while
-originated by the router, base chain is **output**.
+traffic originated by the router has the base chain **output**.
 A new simplified packet flow diagram is shown next, which shows the path
 for traffic destined to the router itself, and traffic generated by the
 router (starting from circle number 6):
 .. figure:: /_static/images/firewall-input-packet-flow.png
-Base chain for traffic towards the router is ``set firewall ipv6 input
+The base chain for traffic towards the router is ``set firewall ipv6 input
 filter ...``
-And base chain for traffic generated by the router is ``set firewall ipv6
+And the base chain for traffic generated by the router is ``set firewall ipv6
-output filter ...``, where two sub-chains are available: **filter** and **raw**:
+output ...``, where two sub-chains are available: **filter** and **raw**:
 * **Output Prerouting**: ``set firewall ipv6 output raw ...``.
  As described in **Prerouting**, rules defined in this section are
@ -82,9 +82,9 @@ output filter ...``, where two sub-chains are available: **filter** and **raw**:
  in this section are processed after connection tracking subsystem.
 .. note:: **Important note about default-actions:**
-   If default action for any base chain is not defined, then the default
+   If a default action for any base chain is not defined, then the default
-   action is set to **accept** for that chain. For custom chains, if default
+   action is set to **accept** for that chain. For custom chains, if the
-   action is not defined, then the default-action is set to **drop**
+   default action is not defined, then the default-action is set to **drop**
 Custom firewall chains can be created, with commands
 ``set firewall ipv6 name <name> ...``. In order to use
@ -95,9 +95,9 @@ should be defined in a base chain.
 Firewall - IPv6 Rules
 ******************************
-For firewall filtering, firewall rules needs to be created. Each rule is
+For firewall filtering, firewall rules need to be created. Each rule is
 numbered, has an action to apply if the rule is matched, and the ability
-to specify multiple criteria matchers. Data packets go through the rules
+to specify multiple matching criteria. Data packets go through the rules
 from 1 - 999999, so order is crucial. At the first match the action of the
 rule will be executed.
@ -105,7 +105,7 @@ Actions
 =======
 If a rule is defined, then an action must be defined for it. This tells the
-firewall what to do if all criteria matchers defined for such rule do match.
+firewall what to do if all of the criteria defined for that rule match.
 The action can be :
@ -135,8 +135,8 @@ The action can be :
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> action
   [accept | continue | drop | jump | queue | reject | return]
-   This required setting defines the action of the current rule. If action is
+   This required setting defines the action of the current rule. If the action
-   set to jump, then jump-target is also needed.
+   is set to jump, then a jump-target is also needed.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   jump-target <text>
@ -148,7 +148,7 @@ The action can be :
   jump-target <text>
   To be used only when action is set to ``jump``. Use this command to specify
-   jump target.
+   the jump target.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   queue <0-65535>
@ -160,7 +160,7 @@ The action can be :
   queue <0-65535>
   To be used only when action is set to ``queue``. Use this command to specify
-   queue target to use. Queue range is also supported.
+   the queue target to use. Queue range is also supported.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   queue-options bypass
@ -171,7 +171,7 @@ The action can be :
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   queue-options bypass
-   To be used only when action is set to ``queue``. Use this command to let
+   To be used only when action is set to ``queue``. Use this command to let the
   packet go through firewall when no userspace software is connected to the
   queue.
@ -200,21 +200,21 @@ not match any rule in it's chain. For base chains, possible options for
 .. cfgcmd:: set firewall ipv6 name <name> default-action
   [accept | drop | jump | queue | reject | return]
-   This set the default action of the rule-set if no rule matched a packet
+   This sets the default action of the rule-set if a packet does not match the
-   criteria. If default-action is set to ``jump``, then
+   criteria of any rule. If default-action is set to ``jump``, then
-   ``default-jump-target`` is also needed. Note that for base chains, default
+   ``default-jump-target`` is also needed. Note that for base chains, the
-   action can only be set to ``accept`` or ``drop``, while on custom chain,
+   default action can only be set to ``accept`` or ``drop``, while on custom 
-   more actions are available.
+   chains, more actions are available.
 .. cfgcmd:: set firewall ipv6 name <name> default-jump-target <text>
   To be used only when ``default-action`` is set to ``jump``. Use this
-   command to specify jump target for default rule.
+   command to specify the jump target for the default rule.
 .. note:: **Important note about default-actions:**
-   If default action for any base chain is not defined, then the default
+   If the default action for any base chain is not defined, then the default
-   action is set to **accept** for that chain. For custom chains, if default
+   action is set to **accept** for that chain. For custom chains if a default
-   action is not defined, then the default-action is set to **drop**.
+   action is not defined then the default-action is set to **drop**.
 Firewall Logs
 =============
@ -228,7 +228,7 @@ log options can be defined.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> log
   Enable logging for the matched packet. If this configuration command is not
-   present, then log is not enabled.
+   present, then the log is not enabled.
 .. cfgcmd:: set firewall ipv6 forward filter default-log
 .. cfgcmd:: set firewall ipv6 input filter default-log
@ -251,7 +251,7 @@ log options can be defined.
   log-options level [emerg | alert | crit | err | warn | notice
   | info | debug]
-   Define log-level. Only applicable if rule log is enable.
+   Define log-level. Only applicable if rule log is enabled.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   log-options group <0-65535>
@ -262,7 +262,8 @@ log options can be defined.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   log-options group <0-65535>
-   Define log group to send message to. Only applicable if rule log is enable.
+   Define the log group to send messages to. Only applicable if rule log is
   enabled.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   log-options snapshot-length <0-9000>
@ -273,8 +274,8 @@ log options can be defined.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   log-options snapshot-length <0-9000>
-   Define length of packet payload to include in netlink message. Only
+   Define the length of packet payload to include in a netlink message. Only
-   applicable if rule log is enable and log group is defined.
+   applicable if rule log is enabled and log group is defined.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   log-options queue-threshold <0-65535>
@ -285,8 +286,8 @@ log options can be defined.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   log-options queue-threshold <0-65535>
-   Define number of packets to queue inside the kernel before sending them to
+   Define the number of packets to queue inside the kernel before sending them
-   userspace. Only applicable if rule log is enable and log group is defined.
+   to userspace. Only applicable if rule log is enabled and log group is defined.
 Firewall Description
 ====================
@ -311,7 +312,7 @@ every defined custom chain.
 Rule Status
 ===========
-When defining a rule, it is enable by default. In some cases, it is useful to
+When defining a rule, it is enabled by default. In some cases, it is useful to
 just disable the rule, rather than removing it.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999> disable
@ -335,7 +336,7 @@ There are a lot of matching criteria against which the packet can be tested.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   connection-status nat [destination | source]
-   Match criteria based on nat connection status.
+   Match based on nat connection status.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   connection-mark <1-2147483647>
@ -346,7 +347,7 @@ There are a lot of matching criteria against which the packet can be tested.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   connection-mark <1-2147483647>
-   Match criteria based on connection mark.
+   Match based on connection mark.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source address [address | addressrange | CIDR]
@ -366,9 +367,8 @@ There are a lot of matching criteria against which the packet can be tested.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination address [address | addressrange | CIDR]
-   Match criteria based on source and/or destination address. This is similar
+   Match based on source and/or destination address. This is similar to the
-   to the network groups part, but here you are able to negate the matching
+   network groups part, but here you are able to negate the matching addresses.
   addresses.
   .. code-block:: none
@ -433,8 +433,8 @@ There are a lot of matching criteria against which the packet can be tested.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination fqdn <fqdn>
-   Specify a Fully Qualified Domain Name as source/destination matcher. Ensure
+   Specify a Fully Qualified Domain Name as source/destination to match. Ensure
-   router is able to resolve such dns query.
+   that the router is able to resolve this dns query.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source geoip country-code <country>
@ -491,7 +491,7 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   source mac-address <mac-address>
-   Only in the source criteria, you can specify a mac-address.
+   You can only specify a source mac-address to match.
   .. code-block:: none
@ -516,8 +516,7 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination port [1-65535 | portname | start-end]
-   A port can be set with a port number or a name which is here
+   A port can be set by number or name as defined in ``/etc/services``.
   defined: ``/etc/services``.
   .. code-block:: none
@ -550,8 +549,8 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination group address-group <name | !name>
-   Use a specific address-group. Prepend character ``!`` for inverted matching
+   Use a specific address-group. Prepending the character ``!`` to invert the
-   criteria.
+   criteria to match is also supported.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source group dynamic-address-group <name | !name>
@ -571,8 +570,8 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination group dynamic-address-group <name | !name>
-   Use a specific dynamic-address-group. Prepend character ``!`` for inverted
+   Use a specific dynamic-address-group. Prepending the character ``!`` to
-   matching criteria.
+   invert the criteria to match is also supported.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source group network-group <name | !name>
@ -592,8 +591,8 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination group network-group <name | !name>
-   Use a specific network-group. Prepend character ``!`` for inverted matching
+   Use a specific network-group. Prepending the character ``!`` to invert the
-   criteria.
+   criteria to match is also supported.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source group port-group <name | !name>
@ -613,8 +612,8 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination group port-group <name | !name>
-   Use a specific port-group. Prepend character ``!`` for inverted matching
+   Use a specific port-group. Prepending the character ``!`` to invert the
-   criteria.
+   criteria to match is also supported.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source group domain-group <name | !name>
@ -634,8 +633,8 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination group domain-group <name | !name>
-   Use a specific domain-group. Prepend character ``!`` for inverted matching
+   Use a specific domain-group. Prepending the character ``!`` to invert the
-   criteria.
+   criteria to match is also supported.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   source group mac-group <name | !name>
@ -655,8 +654,8 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   destination group mac-group <name | !name>
-   Use a specific mac-group. Prepend character ``!`` for inverted matching
+   Use a specific mac-group. Prepending the character ``!`` to invert the
-   criteria.
+   criteria to match is also supported.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   dscp [0-63 | start-end]
@ -687,7 +686,7 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   fragment [match-frag | match-non-frag]
-   Match based on fragment criteria.
+   Match based on fragmentation.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   icmpv6 [code | type] <0-255>
@ -709,7 +708,7 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   icmpv6 type-name <text>
-   Match based on icmpv6 type-name criteria. Use tab for information
+   Match based on icmpv6 type-name. Use tab for information
   about what **type-name** criteria are supported.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
@ -720,11 +719,11 @@ geoip) to keep database and rules updated.
   inbound-interface name <iface>
   Match based on inbound interface. Wildcard ``*`` can be used.
-   For example: ``eth2*``. Prepending character ``!`` for inverted matching
+   For example: ``eth2*``. Prepending the character ``!`` to invert the
-   criteria is also supported. For example ``!eth2``
+   criteria to match is also supported. For example ``!eth2``
 .. note:: If an interface is attached to a non-default vrf, when using
-   **inbound-interface**, vrf name must be used. For example ``set firewall
+   **inbound-interface**, the vrf name must be used. For example ``set firewall
   ipv6 forward filter rule 10 inbound-interface name MGMT``
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
@ -734,8 +733,8 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   inbound-interface group <iface_group>
-   Match based on inbound interface group. Prepending character ``!`` for
+   Match based on the inbound interface group. Prepending the character ``!`` 
-   inverted matching criteria is also supported. For example ``!IFACE_GROUP``
+   to invert the criteria to match is also supported. For example ``!IFACE_GROUP``
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   outbound-interface name <iface>
@ -745,11 +744,11 @@ geoip) to keep database and rules updated.
   outbound-interface name <iface>
   Match based on outbound interface. Wildcard ``*`` can be used.
-   For example: ``eth2*``. Prepending character ``!`` for inverted matching
+   For example: ``eth2*``. Prepending the character ``!`` to invert the
-   criteria is also supported. For example ``!eth2``
+   criteria to match is also supported. For example ``!eth2``
 .. note:: If an interface is attached to a non-default vrf, when using
-   **outbound-interface**, real interface name must be used. For example
+   **outbound-interface**, the real interface name must be used. For example
   ``set firewall ipv6 forward filter rule 10 outbound-interface name eth0``
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
@ -759,8 +758,8 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   outbound-interface group <iface_group>
-   Match based on outbound interface group. Prepending character ``!`` for
+   Match based on outbound interface group. Prepending the character ``!`` to
-   inverted matching criteria is also supported. For example ``!IFACE_GROUP``
+   invert the criteria to match is also supported. For example ``!IFACE_GROUP``
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   ipsec [match-ipsec | match-none]
@ -771,7 +770,7 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   ipsec [match-ipsec | match-none]
-   Match based on ipsec criteria.
+   Match based on ipsec.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   limit burst <0-4294967295>
@ -814,7 +813,7 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   packet-length-exclude <text>
-   Match based on packet length criteria. Multiple values from 1 to 65535
+   Match based on the packet length. Multiple values from 1 to 65535
   and ranges are supported.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
@ -826,7 +825,7 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   packet-type [broadcast | host | multicast | other]
-   Match based on packet type criteria.
+   Match based on the packet type.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
   protocol [<text> | <0-255> | all | tcp_udp]
@ -837,10 +836,9 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   protocol [<text> | <0-255> | all | tcp_udp]
-   Match a protocol criteria. A protocol number or a name which is here
+   Match based on protocol number or name as defined in ``/etc/protocols``.
   defined: ``/etc/protocols``.
   Special names are ``all`` for all protocols and ``tcp_udp`` for tcp and udp
-   based packets. The ``!`` negate the selected protocol.
+   based packets. The ``!`` negates the selected protocol.
   .. code-block:: none
@ -948,7 +946,7 @@ geoip) to keep database and rules updated.
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999>
   hop-limit <eq | gt | lt> <0-255>
-   Match hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
+   Match the hop-limit parameter, where 'eq' stands for 'equal'; 'gt' stands for
   'greater than', and 'lt' stands for 'less than'.
 .. cfgcmd:: set firewall ipv6 forward filter rule <1-999999>
@ -984,7 +982,7 @@ Synproxy connections
 .. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999>
   synproxy tcp mss <501-65535>
-    Set TCP-MSS (maximum segment size) for the connection
+    Set the TCP-MSS (maximum segment size) for the connection
 .. cfgcmd:: set firewall ipv6 [input | forward] filter rule <1-999999>
   synproxy tcp window-scale <1-14>
@ -1027,7 +1025,8 @@ Rule-set overview
 .. opcmd:: show firewall
-   This will show you a basic firewall overview
+   This will show you a basic firewall overview, for all rule-sets, and not
   only for ipv6
   .. code-block:: none
--- a/docs/configuration/firewall/zone.rst
+++ b/docs/configuration/firewall/zone.rst
@ -1,4 +1,4 @@
-:lastproofread: 2023-11-01
+:lastproofread: 2024-07-03
 .. _firewall-zone:
@ -11,9 +11,9 @@ Overview
 ********
 .. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall
-   structure can be found on all VyOS installations. Zone based firewall was
+   structure can be found on all VyOS installations. The Zone based firewall
-   removed in that version, but re introduced in VyOS 1.4 and 1.5. All
+   was removed in that version, but re introduced in VyOS 1.4 and 1.5. All
-   versions built after 2023-10-22 has this feature.
+   versions built after 2023-10-22 have this feature.
   Documentation for most of the new firewall CLI can be
   found in the `firewall
   <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_
@ -22,13 +22,13 @@ Overview
   :doc:`legacy firewall configuration </configuration/firewall/general-legacy>`
   chapter.
-In this section there's useful information of all firewall configuration that
+In this section there's useful information on all firewall configuration that
-is needed for zone-based firewall.
+is needed for the zone-based firewall.
 Configuration commands covered in this section:
 .. cfgcmd:: set firewall zone ...
-From main structure defined in
+From the main structure defined in
 :doc:`Firewall Overview</configuration/firewall/index>`
 in this section you can find detailed information only for the next part
 of the general structure:
@ -53,7 +53,7 @@ Key Points:
  interface can be assigned to only a single zone.
 * All traffic to and from an interface within a zone is permitted.
 * All traffic between zones is affected by existing policies
-* Traffic cannot flow between zone member interface and any interface that is
+* Traffic cannot flow between a zone member interface and any interface that is
  not a zone member.
 * You need 2 separate firewalls to define traffic: one for each direction.
@ -129,7 +129,7 @@ Operation-mode
 .. opcmd:: show firewall zone-policy
-   This will show you a basic summary of zones configuration.
+   This will show you a basic summary of the zone configuration.
   .. code-block:: none
`@ -1,4 +1,4 @@`
	`:lastproofread: 2021-07-12`	`:lastproofread: 2024-07-03`

	`.. _cloud-init:`	`.. _cloud-init:`