VPN/IPsec - explain the need for firewall rules. The new connection module does not offer automatic rules as these are prone to errors.

source/manual/vpnet.rst

@@ -123,6 +123,30 @@ a "kernel route" is installed as well, which traps traffic before normal routing
   :code:`Passthrough networks` option in :menuselection:`VPN -> IPsec -> Advanced Settings` to prevent traffic being blackholed.
 
 
+.................................
+Firewall rules
+.................................
+
+When using the legacy tunnels and :code:`Disable Auto-added VPN rules` is not checked in :menuselection:`VPN --> IPsec --> Advanced Settings`
+some automatic firewall rules are created for remote hosts connecting to this one.
+The new connections feature does not offer this and (WAN) rules have to be specified manually in order to connect to IPsec on this host.
+
+The relevant protocols and ports for IPsec are the following:
+
+* Protocol: ESP (https://en.wikipedia.org/wiki/IPsec#Encapsulating_Security_Payload)
+* Port: 500/UDP (https://en.wikipedia.org/wiki/Internet_Security_Association_and_Key_Management_Protocol)
+* Port: 4500/UDP (https://en.wikipedia.org/wiki/NAT_traversal#IPsec)
+
+.. Note::
+
+  One of the main reasons we are not offering automatic rules is that their either more open than expected (allow IPsec from anywhere)
+  or too closed as the rule engine will "guess" the remote endpoint (in case of a fqdn).
+
+
+The default behavior of our firewall is to block inbound traffic, which also means traffic using the tunnel should
+be allowed explicitly, the :menuselection:`Firewall --> Rules --> IPsec` menu items offer access to the IPsec traffic policies.
+
+
 .................................
 Implementation schemes
 .................................