proofread and update firewall docs

docs/automation/cloud-init.rst

@@ -1,4 +1,4 @@
-:lastproofread: 2021-07-12
+:lastproofread: 2024-07-03
 
 .. _cloud-init:
 

docs/configuration/container/index.rst

@@ -1,10 +1,10 @@
-:lastproofread: 2022-06-10
+:lastproofread: 2024-07-03
 
 #########
 Container
 #########
 
-The VyOS container implementation is based on `Podman<https://podman.io/>` as
+The VyOS container implementation is based on `Podman <https://podman.io/>`_ as
 a deamonless container engine.
 
 *************

docs/configuration/firewall/bridge.rst

@@ -1,4 +1,4 @@
-:lastproofread: 2023-11-08
+:lastproofread: 2024-07-03
 
 .. _firewall-configuration:
 
@@ -12,13 +12,13 @@ Bridge Firewall Configuration
 Overview
 ********
 
-In this section there's useful information of all firewall configuration that
-can be done regarding bridge, and appropriate op-mode commands.
+In this section there's useful information on all firewall configuration that
+can be done regarding bridges, and appropriate op-mode commands.
 Configuration commands covered in this section:
 
 .. cfgcmd:: set firewall bridge ...
 
-From main structure defined in :doc:`Firewall Overview</configuration/firewall/index>`
+From the main structure defined in :doc:`Firewall Overview</configuration/firewall/index>`
 in this section you can find detailed information only for the next part
 of the general structure:
 
@@ -41,7 +41,7 @@ For traffic that needs to be forwarded internally by the bridge, base chain is
 is **forward**, and it's base command for filtering is ``set firewall bridge
 forward filter ...``, which happens in stage 4, highlighted with red color.
 
-Custom bridge firewall chains can be create with command ``set firewall bridge
+Custom bridge firewall chains can be created with the command ``set firewall bridge
 name <name> ...``. In order to use such custom chain, a rule with action jump,
 and the appropriate target should be defined in a base chain.
 
@@ -55,17 +55,17 @@ and the appropriate target should be defined in a base chain.
 Bridge Rules
 ************
 
-For firewall filtering, firewall rules needs to be created. Each rule is
+For firewall filtering, firewall rules need to be created. Each rule is
 numbered, has an action to apply if the rule is matched, and the ability
-to specify multiple criteria matchers. Data packets go through the rules
+to specify multiple matching criteria. Data packets go through the rules
 from 1 - 999999, so order is crucial. At the first match the action of the
 rule will be executed.
 
 Actions
 =======
 
 If a rule is defined, then an action must be defined for it. This tells the
-firewall what to do if all criteria matchers defined for such rule do match.
+firewall what to do if all matching criterea in the rule are met.
 
 In firewall bridge rules, the action can be:
 
@@ -101,7 +101,7 @@ In firewall bridge rules, the action can be:
    queue <0-65535>
 
    To be used only when action is set to ``queue``. Use this command to specify
-   queue target to use. Queue range is also supported.
+   the queue target to use. Queue range is also supported.
 
 .. cfgcmd:: set firewall bridge forward filter rule <1-999999>
    queue-options bypass
@@ -121,18 +121,18 @@ In firewall bridge rules, the action can be:
    distribute packets between several queues.
 
 Also, **default-action** is an action that takes place whenever a packet does
-not match any rule in it's chain. For base chains, possible options for
+not match any rule in its' chain. For base chains, possible options for
 **default-action** are **accept** or **drop**.
 
 .. cfgcmd:: set firewall bridge forward filter default-action
    [accept | drop]
 .. cfgcmd:: set firewall bridge name <name> default-action
    [accept | continue | drop | jump | queue | return]
 
-   This set the default action of the rule-set if no rule matched a packet
-   criteria. If default-action is set to ``jump``, then
+   This sets the default action of the rule-set if a packet does not match
+   any of the rules in that chain. If default-action is set to ``jump``, then
    ``default-jump-target`` is also needed. Note that for base chains, default
-   action can only be set to ``accept`` or ``drop``, while on custom chain,
+   action can only be set to ``accept`` or ``drop``, while on custom chains
    more actions are available.
 
 .. cfgcmd:: set firewall bridge name <name> default-jump-target <text>
@@ -141,9 +141,9 @@ not match any rule in it's chain. For base chains, possible options for
    command to specify jump target for default rule.
 
 .. note:: **Important note about default-actions:**
-   If default action for any base chain is not defined, then the default
-   action is set to **accept** for that chain. For custom chains, if default
-   action is not defined, then the default-action is set to **drop**.
+   If the default action for any base chain is not defined, then the default
+   action is set to **accept** for that chain. For custom chains, if the 
+   default action is not defined, then the default-action is set to **drop**.
 
 Firewall Logs
 =============
@@ -155,7 +155,7 @@ log options can be defined.
 .. cfgcmd:: set firewall bridge name <name> rule <1-999999> log
 
    Enable logging for the matched packet. If this configuration command is not
-   present, then log is not enabled.
+   present, then the log is not enabled.
 
 .. cfgcmd:: set firewall bridge forward filter default-log
 .. cfgcmd:: set firewall bridge name <name> default-log
@@ -170,30 +170,32 @@ log options can be defined.
    log-options level [emerg | alert | crit | err | warn | notice
    | info | debug]
 
-   Define log-level. Only applicable if rule log is enable.
+   Define log-level. Only applicable if rule log is enabled.
 
 .. cfgcmd:: set firewall bridge forward filter rule <1-999999>
    log-options group <0-65535>
 .. cfgcmd:: set firewall bridge name <name> rule <1-999999>
    log-options group <0-65535>
 
-   Define log group to send message to. Only applicable if rule log is enable.
+   Define the log group to send messages to. Only applicable if rule log is
+   enabled.
 
 .. cfgcmd:: set firewall bridge forward filter rule <1-999999>
    log-options snapshot-length <0-9000>
 .. cfgcmd:: set firewall bridge name <name> rule <1-999999>
    log-options snapshot-length <0-9000>
 
    Define length of packet payload to include in netlink message. Only
-   applicable if rule log is enable and log group is defined.
+   applicable if rule log is enabled and the log group is defined.
 
 .. cfgcmd:: set firewall bridge forward filter rule <1-999999>
    log-options queue-threshold <0-65535>
 .. cfgcmd:: set firewall bridge name <name> rule <1-999999>
    log-options queue-threshold <0-65535>
 
-   Define number of packets to queue inside the kernel before sending them to
-   userspace. Only applicable if rule log is enable and log group is defined.
+   Define the number of packets to queue inside the kernel before sending them
+   to userspace. Only applicable if rule log is enabled and the log group is 
+   defined.
 
 Firewall Description
 ====================
@@ -207,7 +209,7 @@ For reference, a description can be defined for every defined custom chain.
 Rule Status
 ===========
 
-When defining a rule, it is enable by default. In some cases, it is useful to
+When defining a rule, it is enabled by default. In some cases, it is useful to
 just disable the rule, rather than removing it.
 
 .. cfgcmd:: set firewall bridge forward filter rule <1-999999> disable

docs/configuration/firewall/flowtables.rst

@@ -1,4 +1,4 @@
-:lastproofread: 2024-06-20
+:lastproofread: 2024-07-02
 
 .. _firewall-flowtables-configuration:
 
@@ -12,12 +12,12 @@ Flowtables Firewall Configuration
 Overview
 ********
 
-In this section there's useful information of all firewall configuration that
+In this section there's useful information on all firewall configuration that
 can be done regarding flowtables.
 
 .. cfgcmd:: set firewall flowtables ...
 
-From main structure defined in
+From the main structure defined in
 :doc:`Firewall Overview</configuration/firewall/index>`
 in this section you can find detailed information only for the next part
 of the general structure:
@@ -30,7 +30,7 @@ of the general structure:
                + ...
 
 
-Flowtables  allows you to define a fastpath through the flowtable datapath.
+Flowtables allow you to define a fastpath through the flowtable datapath.
 The flowtable supports for the layer 3 IPv4 and IPv6 and the layer 4 TCP
 and UDP protocols.
 
@@ -107,10 +107,10 @@ Things to be considered in this setup:
    * Minimum firewall ruleset is provided, which includes some filtering rules,
      and appropriate rules for using flowtable offload capabilities.
 
-As described, first packet will be evaluated by all the firewall path, so
+As described, the first packet will be evaluated by the firewall path, so a
 desired connection should be explicitly accepted. Same thing should be taken
 into account for traffic in reverse order. In most cases state policies are
-used in order to accept connection in reverse patch.
+used in order to accept a connection in the reverse path.
 
 We will only accept traffic coming from interface eth0, protocol tcp and
 destination port 1122. All other traffic trespassing the router should be
@@ -142,7 +142,7 @@ Explanation
 
 Analysis on what happens for desired connection:
 
-   1. First packet is received on eth0, with destination address 192.0.2.100,
+   1. Firstly, a packet is received on eth0, with destination address 192.0.2.100,
    protocol tcp and destination port 1122. Assume such destination address is
    reachable through interface eth1.
 
@@ -151,22 +151,22 @@ Analysis on what happens for desired connection:
 
    3. Rule 110 is hit, so connection is accepted.
 
-   4. Once answer from server 192.0.2.100 is seen in opposite direction,
+   4. Once an answer from server 192.0.2.100 is seen in opposite direction,
    connection state will be triggered to **established**, so this reply is
    accepted in rule 20.
 
-   5. Second packet for this connection is received by the router. Since
+   5. The second packet for this connection is received by the router. Since
    connection state is **established**, then rule 10 is hit, and a new entry
    in the flowtable FT01 is added for this connection.
 
-   6. All the following packets will skip traditional path, and will be offloaded
-   and will use the **Fast Path**.
+   6. All the following packets will skip the traditional path, will be
+   offloaded and use the **Fast Path**.
 
 Checks
 ------
 
-It's time to check conntrack table, to see if any connection was accepted,
-and if was properly offloaded
+It's time to check the conntrack table, to see if any connections were accepted,
+and if it was properly offloaded
 
 .. code-block:: none
 

docs/configuration/firewall/global-options.rst

@@ -1,4 +1,4 @@
-:lastproofread: 2023-12-26
+:lastproofread: 2024-07-03
 
 .. _firewall-global-options-configuration:
 
@@ -25,7 +25,7 @@ Configuration
 .. cfgcmd:: set firewall global-options all-ping [enable | disable]
 
    By default, when VyOS receives an ICMP echo request packet destined for
-   itself, it will answer with an ICMP echo reply, unless you avoid it
+   itself, it will answer with an ICMP echo reply, unless you prevent it
    through its firewall.
 
    With the firewall you can set rules to accept, drop or reject ICMP in,
@@ -55,16 +55,16 @@ Configuration
 
 .. cfgcmd:: set firewall global-options broadcast-ping [enable | disable]
 
-   This setting enable or disable the response of icmp broadcast
+   This setting enables or disables the response to icmp broadcast
    messages. The following system parameter will be altered:
 
    * ``net.ipv4.icmp_echo_ignore_broadcasts``
 
 .. cfgcmd:: set firewall global-options ip-src-route [enable | disable]
 .. cfgcmd:: set firewall global-options ipv6-src-route [enable | disable]
 
-   This setting handle if VyOS accept packets with a source route
-   option. The following system parameter will be altered:
+   This setting handles if VyOS accepts packets with a source route
+   option. The following system parameters will be altered:
 
    * ``net.ipv4.conf.all.accept_source_route``
    * ``net.ipv6.conf.all.accept_source_route``
@@ -73,22 +73,22 @@ Configuration
 .. cfgcmd:: set firewall global-options ipv6-receive-redirects
    [enable | disable]
 
-   enable or disable of ICMPv4 or ICMPv6 redirect messages accepted
-   by VyOS. The following system parameter will be altered:
+   Enable or disable ICMPv4 or ICMPv6 redirect messages being accepted by
+   VyOS. The following system parameters will be altered:
 
    * ``net.ipv4.conf.all.accept_redirects``
    * ``net.ipv6.conf.all.accept_redirects``
 
 .. cfgcmd:: set firewall global-options send-redirects [enable | disable]
 
-   enable or disable ICMPv4 redirect messages send by VyOS
+   Enable or disable ICMPv4 redirect messages being sent by VyOS
    The following system parameter will be altered:
 
    * ``net.ipv4.conf.all.send_redirects``
 
 .. cfgcmd:: set firewall global-options log-martians [enable | disable]
 
-   enable or disable the logging of martian IPv4 packets.
+   Enable or disable the logging of martian IPv4 packets.
    The following system parameter will be altered:
 
    * ``net.ipv4.conf.all.log_martians``
@@ -103,15 +103,15 @@ Configuration
 
 .. cfgcmd:: set firewall global-options syn-cookies [enable | disable]
 
-   Enable or Disable if VyOS use IPv4 TCP SYN Cookies.
+   Enable or disable if VyOS uses IPv4 TCP SYN Cookies.
    The following system parameter will be altered:
 
    * ``net.ipv4.tcp_syncookies``
 
 .. cfgcmd:: set firewall global-options twa-hazards-protection
    [enable | disable]
 
-   Enable or Disable VyOS to be :rfc:`1337` conform.
+   Enable or Disable VyOS to be :rfc:`1337` conformant.
    The following system parameter will be altered:
 
    * ``net.ipv4.tcp_rfc1337``

docs/configuration/firewall/groups.rst

@@ -1,4 +1,4 @@
-:lastproofread: 2023-11-08
+:lastproofread: 2024-07-03
 
 .. _firewall-groups-configuration:
 
@@ -18,8 +18,7 @@ matcher, and/or as inbound/outbound in the case of interface group.
 Address Groups
 ==============
 
-In an **address group** a single IP address or IP address ranges are
-defined.
+In an **address group** a single IP address or IP address range is defined.
 
 .. cfgcmd:: set firewall group address-group <name> address [address |
    address range]
@@ -43,7 +42,7 @@ Network Groups
 
 While **network groups** accept IP networks in CIDR notation, specific
 IP addresses can be added as a 32-bit prefix. If you foresee the need
-to add a mix of addresses and networks, the network group is
+to add a mix of addresses and networks, then a network group is
 recommended.
 
 .. cfgcmd:: set firewall group network-group <name> network <CIDR>
@@ -197,9 +196,9 @@ Commands used for this task are:
 .. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> add-address-to-group
    source-address address-group <name>
 
-Also, specific timeout can be defined per rule. In case rule gets a hit,
-source or destinatination address will be added to the group, and this
-element will remain in the group until timeout expires. If no timeout
+Also, specific timeouts can be defined per rule. In case rule gets a hit,
+a source or destinatination address will be added to the group, and this
+element will remain in the group until the timeout expires. If no timeout
 is defined, then the element will remain in the group until next reboot,
 or until a new commit that changes firewall configuration is done.
 
@@ -324,7 +323,7 @@ A 4 step port knocking example is shown next:
       set firewall ipv4 input filter rule 99 protocol 'tcp'
       set firewall ipv4 input filter rule 99 source group dynamic-address-group 'ALLOWED'
 
-Before testing, we can check members of firewall groups:
+Before testing, we can check the members of firewall groups:
 
    .. code-block:: none
 
@@ -339,7 +338,7 @@ Before testing, we can check members of firewall groups:
       [edit]
       vyos@vyos#
 
-With this configuration, in order to get ssh access to the router, user
+With this configuration, in order to get ssh access to the router, the user
 needs to:
 
 1. Generate a new TCP connection with destination port 9990. As shown next,
@@ -390,7 +389,7 @@ a new entry was added to dynamic firewall group **ALLOWED**
       [edit]
       vyos@vyos#
 
-4. Now user can connect through ssh to the router (assuming ssh is configured).
+4. Now the user can connect through ssh to the router (assuming ssh is configured).
 
 **************
 Operation-mode