Merge branch 'vyos:master' into master

This commit is contained in:
Ganawa Juanah 2021-06-29 19:12:13 -05:00 committed by GitHub
commit a8f2f59e33
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
20 changed files with 261 additions and 125 deletions

@ -1 +1 @@
Subproject commit 0de84e53c36604af2bac3b5d8eb00480f9623aa0
Subproject commit 09efa0550dd169e30a851513781b611dd84e9c79
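Review bot: the submodule pin moves from `0de84e53c36604af2bac3b5d8eb00480f9623aa0` to `09efa0550dd169e30a851513781b611dd84e9c79` with nothing in the commit message saying why; since this is a merge of `vyos:master`, confirm the new pin is the commit upstream master currently references rather than a stale local checkout, because a wrong pin silently changes what the documentation build pulls in.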

View File

@ -1,29 +1,31 @@
.. _cloud-init:
:lastproofread: 2021-06-27
. _cloud-init:
###############
VyOS cloud-init
###############
Cloud instances of VyOS are initialized using the industry-standard cloud-init.
Via cloud-init, the system performs tasks such as injecting SSH keys and
configuring the network. In addition, the user can supply a custom
Cloud instances of VyOS are initialized using the industry-standard
cloud-init. Via cloud-init, the system performs tasks such as injecting
SSH keys and configuring the network. In addition, the user can supply a custom
configuration at the time of instance launch.
**************
Config Sources
**************
VyOS support three type of config sources.
VyOS support three types of config sources.
.. stop_vyoslinter
* Metadata - Metadata is sourced by the cloud platform or hypervisor.
In some clouds, there is implemented as an HTTP endpoint at
http://169.254.169.254.
* Metadata - Metadata is sourced by the cloud platform or hypervisor. In some clouds, there is implemented as an HTTP endpoint at http://169.254.169.254.
* Network configuration - This config source informs the system about the
network.
* Network configuration - Ths config source informs the system about the network.
* User-data - User-data is specified by the user. This config source offers the most flexibility and will be the focus of this documentation.
.. start_vyoslinter
* User-data - User-data is specified by the user. This config source offers the
most flexibility and will be the focus of this documentation.
*********
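Review bot: the hyperlink target is broken by this hunk: `.. _cloud-init:` becomes `. _cloud-init:` with a single leading dot, so reStructuredText no longer treats it as a label and any `:ref:` pointing at `cloud-init` will fail to resolve; restore the two dots before the `:lastproofread:` field is kept. Two smaller points in the same hunk: `VyOS support three types of config sources.` still needs `supports`, and the reflowed bullet `* Network configuration - Ths config source informs the system about the network.` introduces the typo `Ths`. Also, the `.. stop_vyoslinter` / `.. start_vyoslinter` pair is added only so the reflowed bullets can exceed the line-length check; wrapping them at 80 columns as the removed lines were would avoid disabling the linter for this block.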
@ -86,7 +88,7 @@ These are the VyOS defaults and fallbacks.
* DHCP on first Ethernet interface if no network configuration is provided
All of these can be overridden using configuration in user-data.
All of these can be overridden using the configuration in user-data.
***************

View File

@ -1,3 +1,5 @@
:lastproofread: 2021-06-27
.. _command-scripting:
Command Scripting
@ -34,7 +36,7 @@ example, if you want to disable a BGP peer on VRRP transition to backup:
Run operational commands
------------------------
Unlike a normal configuration sessions, all operational commands must be
Unlike a normal configuration session, all operational commands must be
prepended with ``run``, even if you haven't created a session with configure.
.. code-block:: none
@ -44,8 +46,8 @@ prepended with ``run``, even if you haven't created a session with configure.
run show interfaces
exit
Other script language
---------------------
Other script languages
----------------------
If you want to script the configs in a language other than bash you can have
your script output commands and then source them in a bash script.
@ -108,7 +110,7 @@ group, the script can be safeguarded like this:
Executing pre-hooks/post-hooks Scripts
--------------------------------------
Vyos has the ability to run custom scripts before and after each commit
VyOS has the ability to run custom scripts before and after each commit
The default directories where your custom Scripts should be located are:
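Review bot: `VyOS has the ability to run custom scripts before and after each commit` is still missing its terminating period; since the line is being touched anyway for the capitalisation fix, add it.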
@ -124,7 +126,8 @@ Scripts are run in alphabetical order. Their names must consist entirely of
ASCII upper- and lower-case letters,ASCII digits, ASCII underscores, and
ASCII minus-hyphens.No other characters are allowed.
.. note:: Custom scripts are not executed with root privileges (Use sudo inside if this is necessary).
.. note:: Custom scripts are not executed with root privileges
(Use sudo inside if this is necessary).
A simple example is shown below, where the ops command executed in
the post-hook script is "show interfaces".
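Review bot: the unchanged context lines next to the rewrapped note still carry the missing spaces `letters,ASCII digits` and `minus-hyphens.No other characters are allowed.`; a proofread pass that touches the adjacent note should fix these too. In the note itself, `(Use sudo inside if this is necessary)` reads better lowercase as `(use sudo inside if this is necessary)`.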
@ -148,8 +151,8 @@ Preconfig on boot
The ``/config/scripts/vyos-preconfig-bootup.script`` script is called on boot
before the VyOS configuration during boot process.
Any modifications done to work around unfixed bugs and implement enhancements
which are not complete in the VyOS system can be placed here.
Any modifications were done to work around unfixed bugs and implement
enhancements that are not complete in the VyOS system can be placed here.
The default file looks like this:
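Review bot: the rewrite makes the sentence ungrammatical: `Any modifications were done to work around unfixed bugs and implement` followed by `enhancements that are not complete in the VyOS system can be placed here.` has two finite verbs with no subject for the second. The removed wording was correct; keep `Any modifications done to work around unfixed bugs and implement enhancements that are not complete in the VyOS system can be placed here.`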
@ -167,8 +170,8 @@ Postconfig on boot
The ``/config/scripts/vyos-postconfig-bootup.script`` script is called on boot
after the VyOS configuration is fully applied.
Any modifications done to work around unfixed bugs and implement enhancements
which are not complete in the VyOS system can be placed here.
Any modifications were done to work around unfixed bugs and implement
enhancements that are not complete in the VyOS system can be placed here.
The default file looks like this:
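Review bot: same defect as in the preconfig section above: `Any modifications were done to work around unfixed bugs and implement enhancements that are not complete in the VyOS system can be placed here.` is not a sentence. Keep the original `Any modifications done to work around ...` and only apply the `which` to `that` change if desired.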
@ -179,6 +182,6 @@ The default file looks like this:
# applied. Any modifications required to work around unfixed bugs or use
# services not available through the VyOS CLI system can be placed here.
.. hint:: For configuration/upgrade management issues, modification of these
.. hint:: For configuration/upgrade management issues, modification of this
script should be the last option. Always try to find solutions based on CLI
commands first.

View File

@ -1,3 +1,5 @@
:lastproofread: 2021-06-28
.. _vyos-ansible:
Ansible

View File

@ -1,3 +1,5 @@
:lastproofread: 2021-06-28
.. _vyosapi:
########
@ -10,11 +12,11 @@ for configuration and enabling the API see :ref:`http-api`
Authentication
**************
All Endpoint only listen on HTTP POST requests and the API KEY must set as
All endpoints only listen on HTTP POST requests and the API KEY must set as
``key`` in the formdata.
Below see one example or curl and one for python.
In the following, the documentation is reduced to curl.
Below see one example for curl and one for python.
The rest of the documentation is reduced to curl.
.. code-block:: none
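Review bot: `All endpoints only listen on HTTP POST requests and the API KEY must set as` still lacks the auxiliary; it should read `the API key must be set as` `` `key` `` `in the form data`. `formdata` as one word and `API KEY` in capitals are also worth normalising while the line is being edited.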
@ -74,8 +76,7 @@ To get the whole configuration, pass an empty list to the ``path`` field
}
only get a part of the configuration,
for example ``system syslog``.
To only get a part of the configuration, for example ``system syslog``.
.. code-block:: none
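Review bot: `To only get a part of the configuration, for example ``system syslog``.` is a fragment that ends in a period right before the example; make it a lead-in to the code block, for example `To get only part of the configuration, for example ``system syslog``:`.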
@ -105,7 +106,7 @@ for example ``system syslog``.
if you just want the Value of a multi-valued node, use the ``returnValues``
operation.
for example get the addresses of a ``dum0`` interface
For example, get the addresses of a ``dum0`` interface.
.. code-block:: none
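Review bot: the unchanged line `if you just want the Value of a multi-valued node, use the ``returnValues``` should start with a capital `If` and use lowercase `value`; it sits directly above the line this hunk edits, so it should be picked up in the same pass.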
@ -165,9 +166,9 @@ delete an image, for example ``1.3-rolling-202006070117``
/show
=====
The ``/show`` endpoint is to show everthing in operational mode
The ``/show`` endpoint is to show everything in the operational mode.
for example which images are installed
For example, show which images are installed.
.. code-block:: none
@ -189,7 +190,7 @@ for example which images are installed
/generate
=========
to run a ``generate`` command use the
THe ``generate`` endpoint run a ``generate`` command.
.. code-block:: none
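Review bot: the replacement line `THe ``generate`` endpoint run a ``generate`` command.` has a typo in `THe` and a subject-verb mismatch in `run`; the heading just above names the endpoint `/generate`, so the line should read `The ``/generate`` endpoint runs a ``generate`` command.`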
@ -242,10 +243,10 @@ You can pass a ``set``, ``delete`` or ``comment`` command to the
"error": null
}
The API push every request to a session and commit it.
The API pushes every request to a session and commit it.
But some of VyOS components like DHCP and PPPoE Servers, IPSec, VXLAN, and
other tunnels require full configuration for commit.
The Endpoint will process multiple commands when you pass them as a list to
The endpoint will process multiple commands when you pass them as a list to
the ``data`` field.
.. code-block:: none
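Review bot: `The API pushes every request to a session and commit it.` fixes only the first verb; it should be `and commits it.` The next, unchanged line `But some of VyOS components like DHCP and PPPoE Servers, IPSec, VXLAN, and` would also read better as `But some VyOS components, like the DHCP and PPPoE servers, IPsec, VXLAN and`.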

View File

@ -8,6 +8,32 @@
_ext/releasenotes.py
2021-06-27
==========
* :vytask:`T3653` (default): Cloudinit subnet error if a cidr (/24) is used instead of a subnet mask (255.255.255.0)
2021-06-25
==========
* :vytask:`T3650` (bug): OpenVPN: Upgrade package to 2.5.1 before releasing VyOS 1.3.0
* :vytask:`T3649` (feature): Add bonding additional hash-policy
2021-06-24
==========
* :vytask:`T2722` (bug): get_config_dict() and key_mangling=('-', '_') will alter CLI data for tagNodes
2021-06-22
==========
* :vytask:`T3629` (bug): IPoE server shifting address in the range
* :vytask:`T3582` (default): 'delete log file' does not work
2021-06-19
==========
@ -555,7 +581,7 @@
2021-02-16
==========
* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.127 / 5.10.45
* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.128 / 5.10.46
2021-02-14

View File

@ -8,6 +8,35 @@
_ext/releasenotes.py
2021-06-27
==========
* :vytask:`T3653` (default): Cloudinit subnet error if a cidr (/24) is used instead of a subnet mask (255.255.255.0)
2021-06-25
==========
* :vytask:`T3641` (feature): Upgrade base system from Debian Buster -> Debian Bullseye
* :vytask:`T3649` (feature): Add bonding additional hash-policy
2021-06-23
==========
* :vytask:`T3647` (feature): Bullseye: gcc defaults to passing --as-needed to linker
* :vytask:`T3644` (default): Replace GCC with a simpler preprocessor for including nested XML snippets in XML documents
* :vytask:`T3356` (feature): Script for remote file transfers
2021-06-22
==========
* :vytask:`T3629` (bug): IPoE server shifting address in the range
* :vytask:`T3645` (feature): Bullseye: ethtool changed output for ring-buffer information
* :vytask:`T3582` (default): 'delete log file' does not work
2021-06-21
==========
@ -662,7 +691,7 @@
==========
* :vytask:`T3313` (bug): ospfv3 interface missing options
* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.127 / 5.10.45
* :vytask:`T3318` (feature): Update Linux Kernel to v5.4.128 / 5.10.46
2021-02-15

View File

@ -1,3 +1,5 @@
:lastproofread: 2021-06-28
.. _examples-azure-vpn-bgp:
Route-Based Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)

View File

@ -1,3 +1,5 @@
:lastproofread: 2021-06-28
.. _examples-azure-vpn-dual-bgp:
Route-Based Redundant Site-to-Site VPN to Azure (BGP over IKEv2/IPsec)

View File

@ -1,3 +1,5 @@
:lastproofread: 2021-06-28
.. _examples-bgp-ipv6-unnumbered:
#########################################

View File

@ -1,7 +1,4 @@
:lastproofread: 2021-06-28
.. _examples-dhcp-relay-through-gre-bridge:

View File

@ -1,24 +1,26 @@
:lastproofread: 2021-06-28
#############################
High Availability Walkthrough
#############################
This document walks you through a complete HA setup of two VyOS machines. This
design is based on a VM as the primary router, and a physical machine as a
backup, using VRRP, BGP, OSPF and conntrack sharing.
design is based on a VM as the primary router and a physical machine as a
backup, using VRRP, BGP, OSPF, and conntrack sharing.
The aim of this document is to walk you through setting everything up, so
This document aims to walk you through setting everything up, so
at a point where you can reboot any machine and not lose more than a few
seconds worth of connectivity.
Design
======
This is based on a real life, in production design. One of the complex issues
This is based on a real-life production design. One of the complex issues
is ensuring you have redundant data INTO your network. We do this with a pair
of Cisco Nexus switches, and using Virtual PortChannels that are spanned across
them. This as an added bonus, also allows for complete switch failure without
an outage. How you achieve this yourself is left as an exercise to the reader
but our setup is documented here.
of Cisco Nexus switches and using Virtual PortChannels that are spanned across
them. As a bonus, this also allows for complete switch failure without
an outage. How you achieve this yourself is left as an exercise to the reader.
But our setup is documented here.
Walkthrough suggestion
----------------------
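Review bot: two of the rewrites in this hunk hurt the grammar. `This document aims to walk you through setting everything up, so` is followed by the unchanged `at a point where you can reboot any machine`, which no longer attaches to anything; use `so that you end up at a point where you can reboot any machine`. And splitting `How you achieve this yourself is left as an exercise to the reader.` from `But our setup is documented here.` leaves a sentence starting with `But`; the removed single sentence joined with a comma was fine.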
@ -31,7 +33,7 @@ If you are following through this document, it is strongly suggested you
complete the entire document, ONLY doing the virtual router1 steps, and then
come back and walk through it AGAIN on the backup hardware router.
This ensures you don't go to fast, or miss a step. However, it will make your
This ensures you don't go too fast or miss a step. However, it will make your
life easier to configure the fixed IP address and default route now on the
hardware router.
@ -43,7 +45,7 @@ provider, which we are publishing on VLAN100.
They want us to establish a BGP session to their routers on 192.0.2.11 and
192.0.2.12 from our routers 192.0.2.21 and 192.0.2.22. They are AS 65550 and
we are AS65551.
we are AS 65551.
Our routers are going to have a floating IP address of 203.0.113.1, and use
.2 and .3 as their fixed IPs.
@ -54,13 +56,13 @@ When traffic is originated from the 10.200.201.0/24 network, it will be
masqueraded to 203.0.113.1
For connection between sites, we are running a WireGuard link to two REMOTE
routers, and using OSPF over those links to distribute routes. That remote
routers and using OSPF over those links to distribute routes. That remote
site is expected to send traffic from anything in 10.201.0.0/16
VLANs
-----
These are the vlans we wll be using:
These are the vlans we will be using:
* 50: Upstream, using the 192.0.2.0/24 network allocated by them.
* 100: 'Public' network, using our 203.0.113.0/24 network.
@ -95,7 +97,7 @@ of scope of this.
.. note:: Our implementation uses VMware's Distributed Port Groups, which allows
VMware to use LACP. This is a part of the ENTERPRISE licence, and is not
available on a Free licence. If you are implementing this and do not have
available on a free licence. If you are implementing this and do not have
access to DPGs, you should not use VMware, and use some other virtualization
platform instead.
@ -103,7 +105,7 @@ of scope of this.
Basic Setup (via console)
=========================
Create your router1 VM so it is able to withstand a VM Host failing, or a
Create your router1 VM. So it can withstand a VM Host failing or a
network link failing. Using VMware, this is achieved by enabling vSphere DRS,
vSphere Availability, and creating a Distributed Port Group that uses LACP.
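Review bot: `Create your router1 VM. So it can withstand a VM Host failing or a` turns the purpose clause into a fragment; the removed `Create your router1 VM so it is able to withstand a VM Host failing, or a network link failing.` was correct, and at most the comma before `or` needs dropping.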
@ -177,7 +179,7 @@ Enable SSH so you can now SSH into the routers, rather than using the console.
commit
save
At this point you should be able to SSH into both of them, and will no longer
At this point, you should be able to SSH into both of them, and will no longer
need access to the console (unless you break something!)
@ -417,9 +419,9 @@ Make sure you can ping 10.254.60.1 and .2 from both routers.
Create Export Filter
--------------------
We only want to export the networks we know we should be exporting. Always
whitelist your route filters, both importing and exporting. A good rule of
thumb is **'If you are not the default router for a network, don't advertise
We only want to export the networks we know. Always do a whitelist on your route
filters, both importing and exporting. A good rule of thumb is
**'If you are not the default router for a network, don't advertise
it'**. This means we explicitly do not want to advertise the 192.0.2.0/24
network (but do want to advertise 10.200.201.0 and 203.0.113.0, which we ARE
the default route for). This filter is applied to ``redistribute connected``.
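Review bot: the rewrite weakens the security guidance in this paragraph. `We only want to export the networks we know.` drops the point of the original `the networks we know we should be exporting`, and `Always do a whitelist on your route filters` is awkward where `Always whitelist your route filters, both importing and exporting.` was already clear. Keep the original wording; the explicit allow-list for `redistribute connected` is the whole reason for this section.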
@ -448,7 +450,7 @@ default again. This is called 'flapping'.
Create Import Filter
--------------------
We only want to import networks we know about. Our OSPF peer should only be
We only want to import networks we know. Our OSPF peer should only be
advertising networks in the 10.201.0.0/16 range. Note that this is an INVERSE
MATCH. You deny in access-list 100 to accept the route.
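Review bot: `We only want to import networks we know.` should stay `networks we know about`, as in the removed line; `know` alone changes the meaning.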
@ -491,7 +493,7 @@ Test OSPF
When you have enabled OSPF on both routers, you should be able to see each
other with the command ``show ip ospf neighbour``. The state must be 'Full'
or '2-Way', if it is not then there is a network connectivity issue between the
or '2-Way'. If it is not, then there is a network connectivity issue between the
hosts. This is often caused by NAT or MTU issues. You should not see any new
routes (unless this is the second pass) in the output of ``show ip route``
@ -514,8 +516,8 @@ You should now be able to see the advertised network on the other host.
Duplicate configuration
-----------------------
At this pont you now need to create the X link between all four routers. Use a
different /30 for each link.
At this point, you now need to create the X link between all four routers.
Use amdifferent /30 for each link.
Priorities
----------
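Review bot: the rewrap introduces a typo: `Use amdifferent /30 for each link.` should be `Use a different /30 for each link.`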

View File

@ -1,3 +1,5 @@
:lastproofread: 2021-06-29
.. _examples-ospf-unnumbered:
#########################

View File

@ -1,3 +1,5 @@
:lastproofread: 2021-06-29
.. _examples-pppoe-ipv6-basic:
#######################################
@ -5,9 +7,9 @@ PPPoE IPv6 Basic Setup for Home Network
#######################################
This document is to describe a basic setup using PPPoE with DHCPv6-PD +
SLAAC to construct a typical home network. The user can follow steps described
here to quickly setup a working network and use this as a starting point to
further configure or fine tune other settings.
SLAAC to construct a typical home network. The user can follow the steps
described here to quickly setup a working network and use this as a starting
point to further configure or fine-tune other settings.
To achieve this, your ISP is required to support DHCPv6-PD. If you're not sure,
please contact your ISP for more information.
@ -40,8 +42,8 @@ DHCPv6-PD Setup
---------------
During address configuration, in addition to assigning an address to the WAN
interface, ISP also provides a prefix to allow router to configure addresses of
LAN interface and other nodes connecting to LAN, which is called prefix
interface, ISP also provides a prefix to allow the router to configure addresses
of LAN interface and other nodes connecting to LAN, which is called prefix
delegation (PD).
.. code-block:: none
@ -49,8 +51,8 @@ delegation (PD).
set interfaces pppoe pppoe0 ipv6 address autoconf
set interfaces pppoe pppoe0 dhcpv6-options pd 0 interface eth1 address '100'
* Here we use prefix to configure the address of eth1 (LAN) to form ``<prefix>::64``,
where ``64`` is hexadecimal of address 100.
* Here we use the prefix to configure the address of eth1 (LAN) to form
``<prefix>::64``, where ``64`` is hexadecimal of address 100.
* For home network users, most of time ISP only provides /64 prefix, hence
there is no need to set SLA ID and prefix length. See :ref:`pppoe-interface`
for more information.
@ -59,7 +61,7 @@ Router Advertisement
--------------------
We need to enable router advertisement for LAN network so that PC can receive
the prefix and use SLAAC to configure address automatically.
the prefix and use SLAAC to configure the address automatically.
.. code-block:: none
@ -68,8 +70,8 @@ the prefix and use SLAAC to configure address automatically.
set service router-advert interface eth1 prefix ::/64 valid-lifetime '172800'
* Set MTU in advertisement to 1492 because of PPPoE header overhead.
* Set DNS server address in advertisement so that clients can obtain it by using
RDNSS option. Most operating systems (Windows, Linux, Mac) should
* Set DNS server address in the advertisement so that clients can obtain it by
using RDNSS option. Most operating systems (Windows, Linux, Mac) should
already support it.
* Here we set the prefix to ``::/64`` to indicate advertising any /64 prefix
the LAN interface is assigned.
@ -106,5 +108,5 @@ To have basic protection while keeping IPv6 network functional, we need to:
set interfaces pppoe pppoe0 firewall in ipv6-name 'WAN_IN'
set interfaces pppoe pppoe0 firewall local ipv6-name 'WAN_LOCAL'
Note to allow router to receive DHCPv6 response from ISP, we need to allow
Note to allow the router to receive DHCPv6 response from ISP. We need to allow
packets with source port 547 (server) and destination port 546 (client).
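Review bot: splitting the firewall note into `Note to allow the router to receive DHCPv6 response from ISP.` and `We need to allow` leaves the first half as a fragment and detaches the reason from the rule. Suggest `Note that to allow the router to receive DHCPv6 responses from the ISP, we need to allow packets with source port 547 (server) and destination port 546 (client).` so the reader sees why the `WAN_LOCAL` rule set has to admit that traffic.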

View File

@ -1,3 +1,5 @@
:lastproofread: 2021-06-29
.. _examples-tunnelbroker-ipv6:
.. stop_vyoslinter
@ -6,7 +8,7 @@
Tunnelbroker.net (IPv6)
#######################
This guides walks through the setup of https://www.tunnelbroker.net/ for an
This guide walks through the setup of https://www.tunnelbroker.net/ for an
IPv6 Tunnel.
Prerequisites
@ -78,12 +80,12 @@ You should now be able to ping something by IPv6 DNS name:
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 16.880/17.153/17.426/0.273 ms
Assuming everything works, you can proceed to client configuration
Assuming everything works, you can proceed to the client configuration
LAN Configuration
=================
At this point your VyOS install should have full IPv6, but now your LAN devices
At this point, your VyOS install should have full IPv6, but now your LAN devices
need access.
With Tunnelbroker.net, you have two options:
@ -140,7 +142,7 @@ The format of these addresses:
In the above examples, 1,2,ffff are all chosen by you. You can use 1-ffff
(1-65535).
So, when your LAN is eth1, your DMZ is eth2, your cameras live on eth3, etc:
So, when your LAN is eth1, your DMZ is eth2, your cameras are on eth3, etc:
.. code-block:: none

View File

@ -1,3 +1,5 @@
:lastproofread: 2021-06-29
.. _wan-load-balancing:
.. stop_vyoslinter # pictures and text have to change
@ -65,21 +67,20 @@ Configure the WAN load balancer with the parameters described above:
Example 2: Failover based on interface weights
----------------------------------------------
This examples uses the failover mode.
This example uses the failover mode.
.. _wan:example2_overwiew:
Overview
^^^^^^^^
In this example eth0 is the primary interface and eth1 is the secondary
interface to provide simple failover functionality. If eth0 fails, eth1
In this example, eth0 is the primary interface and eth1 is the secondary
interface. To provide simple failover functionality. If eth0 fails, eth1
takes over.
Create interface weight based configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The configuration steps are the same as in the previous example, except
rule 10 so we keep the configuration, remove rule 10 and add a new rule
rule 10. So we keep the configuration, remove rule 10 and add a new rule
for the failover mode:
.. code-block:: none
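Review bot: both rewrites in this hunk create sentence fragments. `interface. To provide simple failover functionality. If eth0 fails, eth1` should be one sentence, for example `In this example, eth0 is the primary interface and eth1 is the secondary interface, providing simple failover: if eth0 fails, eth1 takes over.` Likewise `except` followed by `rule 10. So we keep the configuration, remove rule 10 and add a new rule` reads better as `except for rule 10, so we keep the configuration, remove rule 10 and add a new rule for the failover mode:`.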
@ -93,8 +94,8 @@ for the failover mode:
Example 3: Failover based on rule order
---------------------------------------
The previous example used the failover command to send traffic thorugh
eth1 if eth0 fails. In this example failover functionality is provided
The previous example used the failover command to send traffic through
eth1 if eth0 fails. In this example, failover functionality is provided
by rule order.
.. _wan:example3_overwiew:
@ -108,7 +109,7 @@ directing traffic to eth1.
Create rule order based configuration
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
We keep the configurtation from the previous example, delete rule 10
We keep the configuration from the previous example, delete rule 10
and create the two new rules as described:
.. code-block:: none
@ -122,20 +123,20 @@ and create the two new rules as described:
Example 4: Failover based on rule order - priority traffic
----------------------------------------------------------
A rule order for prioritising traffic is useful in scenarios where the
A rule order for prioritizing traffic is useful in scenarios where the
secondary link has a lower speed and should only carry high priority
traffic. It is assumed for this example that eth1 is connected to a
slower connection than eth0 and should prioritise VoIP traffic.
slower connection than eth0 and should prioritize VoIP traffic.
.. _wan:example4_overwiew:
Overview
^^^^^^^^
A rule order for prioritising traffic is useful in scenarios where the
A rule order for prioritizing traffic is useful in scenarios where the
secondary link has a lower speed and should only carry high priority
traffic. It is assumed for this example that eth1 is connected to a
slower connection than eth0 and should prioritise VoIP traffic.
slower connection than eth0 and should prioritize VoIP traffic.
Create rule order based configuration with low speed secondary link
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
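Review bot: this hunk switches `prioritising`/`prioritise` to American spelling while the high-availability file in the same commit keeps British `licence` in `available on a free licence.`; pick one convention for the proofread pass rather than mixing them.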

View File

@ -1,3 +1,5 @@
:lastproofread: 2021-06-29
.. _examples-zone-policy:
Zone-Policy example
@ -132,7 +134,7 @@ To add logging to the default rule, do:
set firewall name <ruleSet> enable-default-log
By default, iptables does not allow traffic for established session to
By default, iptables does not allow traffic for established sessions to
return, so you must explicitly allow this. I do this by adding two rules
to every ruleset. 1 allows established and related state packets through
and rule 2 drops and logs invalid state packets. We place the
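Review bot: the unchanged context `to every ruleset. 1 allows established and related state packets through` starts a sentence with a bare number; `Rule 1 allows ...` matches the `rule 2` that follows and should be fixed alongside the `sessions` change.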
@ -367,7 +369,7 @@ IPv6 Tunnel
^^^^^^^^^^^
If you are using a IPv6 tunnel from HE.net or someone else, the basis is
the same except you have two WAN interface. One for v4 and one for v6.
the same except you have two WAN interfaces. One for v4 and one for v6.
You would have 5 zones instead of just 4 and you would configure your v6
ruleset between your tunnel interface and your LAN/DMZ zones instead of

View File

@ -1,3 +1,5 @@
:lastproofread: 2021-06-29
.. _firewall:
########
@ -29,7 +31,7 @@ or zone based firewall policy.
Global settings
***************
Some firewall settings are global and have a affect on the whole system.
Some firewall settings are global and have an affect on the whole system.
.. cfgcmd:: set firewall all-ping [enable | disable]
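Review bot: `Some firewall settings are global and have an affect on the whole system.` corrects the article but not the word; it should be `have an effect on the whole system.`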
@ -89,7 +91,7 @@ Some firewall settings are global and have a affect on the whole system.
.. cfgcmd:: set firewall send-redirects [enable | disable]
enable or disable of ICMPv4 redirect messages send by VyOS
enable or disable ICMPv4 redirect messages send by VyOS
The following system parameter will be altered:
* ``net.ipv4.conf.all.send_redirects``
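Review bot: `enable or disable ICMPv4 redirect messages send by VyOS` still has the wrong participle; it should be `sent by VyOS`, and starting with a capital `Enable` matches the other option descriptions in this section.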
@ -127,7 +129,7 @@ Some firewall settings are global and have a affect on the whole system.
.. cfgcmd:: set firewall state-policy established log enable
Set the global setting for a established connections.
Set the global setting for an established connection.
.. cfgcmd:: set firewall state-policy invalid action [accept | drop | reject]
@ -163,8 +165,8 @@ names.
Address Groups
==============
In a **address group** a single IP adresses or IP address ranges are
definded.
In an **address group** a single IP address or IP address ranges are
defined.
.. cfgcmd:: set firewall group address-group <name> address [address |
address range]
@ -221,7 +223,7 @@ filtering unnecessary ports. Ranges of ports can be specified by using
.. cfgcmd:: set firewall group port-group <name> port
[portname | portnumber | startport-endport]
Define a port group. A port name are any name defined in
Define a port group. A port name can be any name defined in
/etc/services. e.g.: http
.. code-block:: none
@ -240,10 +242,10 @@ Rule-Sets
*********
A rule-set is a named collection of firewall rules that can be applied
to an interface or zone. Each rule is numbered, has an action to apply
to an interface or a zone. Each rule is numbered, has an action to apply
if the rule is matched, and the ability to specify the criteria to
match. Data packets go through the rules from 1 - 9999, at the first match
the action of the rule will executed.
the action of the rule will be executed.
.. cfgcmd:: set firewall name <name> description <text>
.. cfgcmd:: set firewall ipv6-name <name> description <text>
@ -267,7 +269,7 @@ the action of the rule will executed.
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> action [drop | reject |
accept]
This required setting define the action of the current rule.
This required setting defines the action of the current rule.
.. cfgcmd:: set firewall name <name> rule <1-9999> description <text>
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> description <text>
@ -287,7 +289,7 @@ the action of the rule will executed.
Matching criteria
=================
There are a lot of matching criteria gainst which the package can be tested.
There are a lot of matching criteria against which the package can be tested.
.. cfgcmd:: set firewall name <name> rule <1-9999> source address
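Review bot: `There are a lot of matching criteria against which the package can be tested.` fixes `gainst` but keeps the wrong noun from the removed line; firewall rules match a `packet`, not a `package`.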
@ -299,7 +301,7 @@ There are a lot of matching criteria gainst which the package can be tested.
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> destination address
[address | addressrange | CIDR]
This is similiar to the network groups part, but here you are able to negate
This is similar to the network groups part, but here you are able to negate
the matching addresses.
.. code-block:: none
@ -315,7 +317,7 @@ There are a lot of matching criteria gainst which the package can be tested.
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> source mac-address
<mac-address>
Only in the source criteria you can specify a mac-address
Only in the source criteria, you can specify a mac-address.
.. code-block:: none
@ -331,7 +333,7 @@ There are a lot of matching criteria gainst which the package can be tested.
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> destination port
[1-65535 | portname | start-end]
A port can be set with a portnumber or a name which is here
A port can be set with a port number or a name which is here
defined: ``/etc/services``.
.. code-block:: none
@ -410,9 +412,9 @@ There are a lot of matching criteria gainst which the package can be tested.
set firewall name WAN-IN-v4 rule 13 tcp flags 'SYN,!ACK,!FIN,!RST'
.. cfgcmd:: set firewall name <name> rule <1-9999> state [established |
invalid | new | related] [enable | disable ]
invalid | new | related] [enable | disable]
.. cfgcmd:: set firewall ipv6-name <name> rule <1-9999> state [established |
invalid | new | related] [enable | disable ]
invalid | new | related] [enable | disable]
Match against the state of a packet.
@ -423,8 +425,8 @@ Applying a Rule-Set to an Interface
A Rule-Set can be applied to every interface:
* ``in``: Ruleset for forwarded packets on inbound interface
* ``out``: Ruleset for forwarded packets on outbound interface
* ``in``: Ruleset for forwarded packets on an inbound interface
* ``out``: Ruleset for forwarded packets on an outbound interface
* ``local``: Ruleset for packets destined for this router
.. cfgcmd:: set interface ethernet <ethN> firewall [in | out | local]
@ -451,7 +453,7 @@ Zone-based Firewall Policy
As an alternative to applying policy to an interface directly, a
zone-based firewall can be created to simplify configuration when
multiple interfaces belong to the same security zone. Instead of
applying rulesets to interfaces, they are applied to source
applying rule-sets to interfaces, they are applied to source
zone-destination zone pairs.
An basic introduction to zone-based firewalls can be found `here
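Review bot: the trailing context `An basic introduction to zone-based firewalls can be found `here` should be `A basic introduction`; it is adjacent to the line this hunk rewords and belongs in the same proofread.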
@ -465,12 +467,12 @@ To define a zone setup either one with interfaces or a local zone.
.. cfgcmd:: set zone-policy zone <name> interface <interfacenames>
Set a interfaces to a zone. A zone can have multiple interfaces.
But a interface can only be member in one zone.
Set interfaces to a zone. A zone can have multiple interfaces.
But an interface can only be a member in one zone.
.. cfgcmd:: set zone-policy zone <name> local-zone
Define the Zone as a local zone. A local zone have no interfaces and
Define the zone as a local zone. A local zone has no interfaces and
will be applied to the router itself.
.. cfgcmd:: set zone-policy zone <name> default-action [drop | reject]
@ -486,14 +488,14 @@ Applying a Rule-Set to a Zone
=============================
Before you are able to apply a rule-set to a zone you have to create the zones
first.
first.
.. cfgcmd:: set zone-policy zone <name> from <name> firewall name
<rule-set>
.. cfgcmd:: set zone-policy zone <name> from <name> firewall ipv6-name
<rule-set>
You apply a rule-set always to a zone from a other zone, it is recommended
You apply a rule-set always to a zone from an other zone, it is recommended
to create one rule-set for each zone pair.
.. code-block:: none
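Review bot: `You apply a rule-set always to a zone from an other zone, it is recommended` should use `another` and split the comma splice, for example `A rule-set is always applied to a zone from another zone; it is recommended to create one rule-set for each zone pair.` The `first.` to `first.` change in this hunk appears to be whitespace only.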
@ -577,7 +579,7 @@ Rule-set overview
.. opcmd:: show firewall summary
This will show you a summary about rule-sets and groups
This will show you a summary of rule-sets and groups
.. code-block:: none
@ -630,7 +632,7 @@ Rule-set overview
.. opcmd:: show firewall [name | ipv6name] <name> rule <1-9999>
This command will give an overview about a rule in a single rule-set
This command will give an overview of a rule in a single rule-set
.. opcmd:: show firewall group <name>
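Review bot: same punctuation inconsistency as above: `This command will give an overview of a rule in a single rule-set` has no trailing period here, but the identical sentence in the `@@ -666,7 +668,7 @@` hunk further down gets one; add the period here so the two copies match.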
@ -658,7 +660,7 @@ Rule-set overview
.. opcmd:: show firewall [name | ipv6name] <name>
This command will give an overview about a single rule-set
This command will give an overview of a single rule-set.
.. opcmd:: show firewall [name | ipv6name] <name> statistics
@ -666,7 +668,7 @@ Rule-set overview
.. opcmd:: show firewall [name | ipv6name] <name> rule <1-9999>
This command will give an overview about a rule in a single rule-set
This command will give an overview of a rule in a single rule-set.
Zone-Policy Overview
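Review bot: this opcmd block is a duplicate: `show firewall [name | ipv6name] <name> rule <1-9999>` with the same one-line description already appears in the `@@ -630,7 +632,7 @@` hunk earlier in this file. Since the commit edits both copies anyway, this is a good moment to delete one of them, or, if the two entries were meant to document different things, to make the descriptions say how they differ.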
@ -674,7 +676,7 @@ Zone-Policy Overview
.. opcmd:: show zone-policy zone <name>
Use this command to get an overview about a zone
Use this command to get an overview of a zone.
.. code-block:: none
@ -695,7 +697,7 @@ Show Firewall log
.. opcmd:: show log firewall [name | ipv6name] <name>
Show the logs of a specific Rule-Set
Show the logs of a specific Rule-Set.
.. note::
At the moment it not possible to look at the whole firewall log with VyOS
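Review bot: the unchanged context line `.. note:: At the moment it not possible to look at the whole firewall log with VyOS` is missing a verb; it should read `it is not possible`, and the fix belongs in this hunk since the sentence directly above it is being edited. Also, `Rule-Set` in `Show the logs of a specific Rule-Set.` is capitalised while the rest of the page uses lowercase `rule-set`; use `rule-set` here as well.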

@ -35,7 +35,7 @@ Building from source
----------------------
Non-subscribers can always get the LTS release by building it from source.
Instruction can be found in the :ref:`build` section of this manual. VyOS
Instructions can be found in the :ref:`build` section of this manual. VyOS
source code repository is available for everyone at
https://github.com/vyos/vyos-build.
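Review bot: the `Instruction` to `Instructions` fix is correct; the unchanged continuation `VyOS source code repository is available for everyone at` still needs an article, so make it `The VyOS source code repository is available to everyone at https://github.com/vyos/vyos-build.` in the same hunk.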
@ -58,11 +58,11 @@ https://downloads.vyos.io/rolling/current/amd64/vyos-rolling-latest.iso
Download Verification
---------------------
LTS images are signed by VyOS lead package-maintainer private key. With
LTS images are signed by the VyOS lead package-maintainer private key. With
the official public key, the authenticity of the package can be
verified. :abbr:`GPG (GNU Privacy Guard)` is used for verification.
.. note:: This subsection only applies e applies to LTS images, for
.. note:: This subsection only applies to LTS images, for
Rolling images please jump to :ref:`live_installation`.
Preparing for the verification
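Review bot: `signed by the VyOS lead package-maintainer private key` should be `signed by the VyOS lead package maintainer's private key` (possessive, no hyphen), and `the authenticity of the package can be verified` should say `the authenticity of the image`, since the subject of this subsection is the downloaded ISO, not a package. One more point on the note line: if rolling images are not signed, say so plainly instead of only redirecting rolling-image users to the live-installation section, so readers know there is no signature to check for those downloads and can choose an LTS image when they need that check.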
@ -190,7 +190,7 @@ it in your hard drive. **With your downloaded VyOS .iso file you can
create a bootable USB drive that will let you boot into a fully
functional VyOS system**. Once you have tested it, you can either decide
to begin a :ref:`permanent_installation` in your hard drive or power
your system off, remove the USB drive, and leave everythng as it was.
your system off, remove the USB drive, and leave everything as it was.
If you have a GNU+Linux system, you can create your VyOS bootable USB
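Review bot: `everythng` to `everything` is correct; while this paragraph is open, `a :ref:`permanent_installation` in your hard drive` (and `install it in your hard drive` in the hunk header context) should read `on your hard drive`.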

@ -94,3 +94,60 @@ For additional details you can refer to https://phabricator.vyos.net/T2490.
usb0b2.4p1.1 Quad_RS232-HS Future Technology Devices International, Ltd
usb0b2.4p1.2 Quad_RS232-HS Future Technology Devices International, Ltd
usb0b2.4p1.3 Quad_RS232-HS Future Technology Devices International, Ltd
.. _information_version:
########
Version
########
.. opcmd:: show version
Return the current running VyOS version and build information. This includes
also the name of the release train which is ``crux`` on VyOS 1.2, ``equuleus``
on VyOS 1.3 and ``sagitta`` on VyOS 1.4.
.. code-block:: none
vyos@vyos:~$ show version
Version: VyOS 1.4-rolling-202106270801
Release Train: sagitta
Built by: autobuild@vyos.net
Built on: Sun 27 Jun 2021 09:50 UTC
Build UUID: ab43e735-edcb-405a-9f51-f16a1b104e52
Build Commit ID: f544d75eab758f
Architecture: x86_64
Boot via: installed image
System type: KVM guest
Hardware vendor: QEMU
Hardware model: Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID: Unknown
Copyright: VyOS maintainers and contributors
.. opcmd:: show version kernel
Return version number of the Linux Kernel used in this release.
.. code-block:: none
vyos@vyos:~$ show version kernel
5.10.46-amd64-vyos
.. opcmd:: show version frr
Return version number of FRR (Free Range Routing - https://frrouting.org/)
used in this release. This is the routing control plane and a successor to GNU
Zebra and Quagga.
.. code-block:: none
vyos@vyos:~$ show version frr
FRRouting 7.5.1-20210625-00-gf07d935a2 (vyos).
Copyright 1996-2005 Kunihiro Ishiguro, et al.
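Review bot: `This includes also the name of the release train` should be `This also includes the name of the release train`, and the two later descriptions need an article and consistent casing: `Return the version number of the Linux kernel used in this release.` and `Return the version number of FRR (...) used in this release.` In this rendered view the sample output under each `.. code-block:: none` shows no indentation; double-check that those lines are indented in the source, because docutils requires an indented content block for `code-block` and will otherwise report that no content was found.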