path: root/docs/configuration/firewall/zone.rst
author: Christian Poessinger <christian@poessinger.com> 2022-09-14 19:55:56 +0200
committer: Christian Poessinger <christian@poessinger.com> 2022-09-14 19:55:56 +0200
commit: 122ecb23fc35806b48836772423581cf66a2ee59 (patch)
tree: 1cdf7fd0c897abab30ec0fef84a1fc9f1213a674 /docs/configuration/firewall/zone.rst
parent: 6071376c03d34081f8e24c0e1b9093e9a7a1a1c4 (diff)
firewall: T2199: adjust to new 1.4 CLI syntax
"set zone-policy zone <name>" moved to "set firewall zone <name>".
Diffstat (limited to 'docs/configuration/firewall/zone.rst')
-rw-r--r-- docs/configuration/firewall/zone.rst 91
1 files changed, 91 insertions, 0 deletions
diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst
new file mode 100644
index 00000000..6ed3e9f1
--- /dev/null
+++ b/docs/configuration/firewall/zone.rst
@@ -0,0 +1,91 @@
+:lastproofread: 2022-09-14
+
+.. _firewall-zone:
+
+###################
+Zone Based Firewall
+###################
+
+In zone-based policy, interfaces are assigned to zones, and inspection policy
+is applied to traffic moving between the zones and acted on according to
+firewall rules. A Zone is a group of interfaces that have similar functions or
+features. It establishes the security borders of a network. A zone defines a
+boundary where traffic is subjected to policy restrictions as it crosses to
+another region of a network.
+
+Key Points:
+
+* A zone must be configured before an interface is assigned to it and an
+ interface can be assigned to only a single zone.
+* All traffic to and from an interface within a zone is permitted.
+* All traffic between zones is affected by existing policies
+* Traffic cannot flow between zone member interface and any interface that is
+ not a zone member.
+* You need 2 separate firewalls to define traffic: one for each direction.
+
+.. note:: In :vytask:`T2199` the syntax of the zone configuration was changed.
+ The zone configuration moved from ``zone-policy zone <name>`` to ``firewall
+ zone <name>``.
+
+*************
+Configuration
+*************
+
+As an alternative to applying policy to an interface directly, a zone-based
+firewall can be created to simplify configuration when multiple interfaces
+belong to the same security zone. Instead of applying rule-sets to interfaces,
+they are applied to source zone-destination zone pairs.
+
+An basic introduction to zone-based firewalls can be found `here
+<https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_,
+and an example at :ref:`examples-zone-policy`.
+
+Define a Zone
+=============
+
+To define a zone setup either one with interfaces or a local zone.
+
+.. cfgcmd:: set firewall zone <name> interface <interface>
+
+ Set interfaces to a zone. A zone can have multiple interfaces.
+ But an interface can only be a member in one zone.
+
+.. cfgcmd:: set firewall zone <name> local-zone
+
+ Define the zone as a local zone. A local zone has no interfaces and
+ will be applied to the router itself.
+
+.. cfgcmd:: set firewall zone <name> default-action [drop | reject]
+
+ Change the default-action with this setting.
+
+.. cfgcmd:: set firewall zone <name> description
+
+ Set a meaningful description.
+
+Applying a Rule-Set to a Zone
+=============================
+
+Before you are able to apply a rule-set to a zone you have to create the zones
+first.
+
+It helps to think of the syntax as: (see below). The 'rule-set' should be
+written from the perspective of: *Source Zone*-to->*Destination Zone*
+
+.. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone>
+ firewall name <rule-set>
+
+.. cfgcmd:: set firewall zone <name> from <name> firewall name
+ <rule-set>
+
+.. cfgcmd:: set firewall zone <name> from <name> firewall ipv6-name
+ <rule-set>
+
+ You apply a rule-set always to a zone from an other zone, it is recommended
+ to create one rule-set for each zone pair.
+
+ .. code-block:: none
+
+ set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4
+ set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4
+
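Review bot: the key point `+* You need 2 separate firewalls to define traffic: one for each direction.` contradicts the last section of the same file, which applies a rule-set (not a firewall) to each zone pair; suggest `You need two separate rule-sets to define traffic: one for each direction.` The two directives `set firewall zone <Destination Zone> from <Source Zone> firewall name <rule-set>` and `set firewall zone <name> from <name> firewall name <rule-set>` document the same command twice with different placeholders; keep one (the `<Destination Zone>`/`<Source Zone>` form is the clearer one) next to the `ipv6-name` variant, and give the surviving directive its own explanatory paragraph instead of attaching the paragraph only to the `ipv6-name` entry. The `default-action [drop | reject]` entry says only "Change the default-action with this setting"; it should state which traffic the default action applies to (traffic into the zone that matches no `from` rule-set, if that is the intended behaviour) and what the action is when the option is not set, since that decides whether unmatched inter-zone traffic is dropped. Minor wording: "An basic introduction" should read "A basic introduction", "from an other zone" should read "from another zone", "It helps to think of the syntax as: (see below)." is a dangling sentence that should be merged with the one following it, and the bullet "All traffic between zones is affected by existing policies" is missing its full stop.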