| field | value | date |
|---|---|---|
| author | Christian Poessinger <christian@poessinger.com> | 2022-09-14 19:55:56 +0200 |
| committer | Christian Poessinger <christian@poessinger.com> | 2022-09-14 19:55:56 +0200 |
| commit | 122ecb23fc35806b48836772423581cf66a2ee59 (patch) | |
| tree | 1cdf7fd0c897abab30ec0fef84a1fc9f1213a674 /docs/configuration/firewall/zone.rst | |
| parent | 6071376c03d34081f8e24c0e1b9093e9a7a1a1c4 (diff) | |
| download | vyos-documentation-122ecb23fc35806b48836772423581cf66a2ee59.tar.gz vyos-documentation-122ecb23fc35806b48836772423581cf66a2ee59.zip | |
firewall: T2199: adjust to new 1.4 CLI syntax
"set zone-policy zone <name>" moved to "set firewall zone <name>".
Diffstat (limited to 'docs/configuration/firewall/zone.rst')
-rw-r--r-- | docs/configuration/firewall/zone.rst | 91 |
1 files changed, 91 insertions, 0 deletions
diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst new file mode 100644 index 00000000..6ed3e9f1 --- /dev/null +++ b/docs/configuration/firewall/zone.rst 
@@ -0,0 +1,91 @@ +:lastproofread: 2022-09-14 + +.. _firewall-zone: + +################### +Zone Based Firewall +################### + +In zone-based policy, interfaces are assigned to zones, and inspection policy +is applied to traffic moving between the zones and acted on according to +firewall rules. A Zone is a group of interfaces that have similar functions or +features. It establishes the security borders of a network. A zone defines a +boundary where traffic is subjected to policy restrictions as it crosses to +another region of a network. + +Key Points: + +* A zone must be configured before an interface is assigned to it and an + interface can be assigned to only a single zone. +* All traffic to and from an interface within a zone is permitted. +* All traffic between zones is affected by existing policies +* Traffic cannot flow between zone member interface and any interface that is + not a zone member. +* You need 2 separate firewalls to define traffic: one for each direction. + +.. note:: In :vytask:`T2199` the syntax of the zone configuration was changed. + The zone configuration moved from ``zone-policy zone <name>`` to ``firewall + zone <name>``. + +************* +Configuration +************* + +As an alternative to applying policy to an interface directly, a zone-based +firewall can be created to simplify configuration when multiple interfaces +belong to the same security zone. Instead of applying rule-sets to interfaces, +they are applied to source zone-destination zone pairs. + +An basic introduction to zone-based firewalls can be found `here +<https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_, +and an example at :ref:`examples-zone-policy`. + +Define a Zone +============= + +To define a zone setup either one with interfaces or a local zone. + +.. cfgcmd:: set firewall zone <name> interface <interface> + + Set interfaces to a zone. A zone can have multiple interfaces. + But an interface can only be a member in one zone. + +.. 
cfgcmd:: set firewall zone <name> local-zone + + Define the zone as a local zone. A local zone has no interfaces and + will be applied to the router itself. + +.. cfgcmd:: set firewall zone <name> default-action [drop | reject] + + Change the default-action with this setting. + +.. cfgcmd:: set firewall zone <name> description + + Set a meaningful description. + +Applying a Rule-Set to a Zone +============================= + +Before you are able to apply a rule-set to a zone you have to create the zones +first. + +It helps to think of the syntax as: (see below). The 'rule-set' should be +written from the perspective of: *Source Zone*-to->*Destination Zone* + +.. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone> + firewall name <rule-set> + +.. cfgcmd:: set firewall zone <name> from <name> firewall name + <rule-set> + +.. cfgcmd:: set firewall zone <name> from <name> firewall ipv6-name + <rule-set> + + You apply a rule-set always to a zone from an other zone, it is recommended + to create one rule-set for each zone pair. + + .. code-block:: none + + set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4 + set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4 + |
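Review bot: the three `cfgcmd` directives under "Applying a Rule-Set to a Zone" document the same command with inconsistent placeholders: the first reads `set firewall zone <Destination Zone> from <Source Zone> firewall name <rule-set>`, while the next two read `set firewall zone <name> from <name> firewall name <rule-set>` and `... firewall ipv6-name <rule-set>`, so a reader of the second form cannot tell which `<name>` is the source and which is the destination; keep the explicit source/destination placeholders in all three (or keep one `firewall name` entry plus the `ipv6-name` entry) and drop the duplicate. In "Key Points", "You need 2 separate firewalls to define traffic: one for each direction" should say two separate rule-sets, since the rest of the page and the closing example (`LANv4-to-DMZv4` / `DMZv4-to-LANv4`) apply rule-sets per zone pair, not firewalls; the bullet "All traffic between zones is affected by existing policies" is also missing its full stop. The `default-action [drop | reject]` entry says the value can be changed but never states what the default is when the option is left unset, which is exactly what a reader needs to know about inter-zone traffic before any rule-set is applied. Minor wording: "An basic introduction" should be "A basic introduction", and "from an other zone" should be "from another zone".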