Diffstat (limited to 'docs/configexamples')
-rw-r--r--  docs/configexamples/firewall.rst           3
-rw-r--r--  docs/configexamples/fwall-and-bridge.rst   497
2 files changed, 499 insertions, 1 deletions
diff --git a/docs/configexamples/firewall.rst b/docs/configexamples/firewall.rst index e0a4ca55..a1ad7e19 100644 --- a/docs/configexamples/firewall.rst +++ b/docs/configexamples/firewall.rst @@ -1,4 +1,4 @@ -:lastproofread: 2024-06-14 +:lastproofread: 2024-09-11 Firewall Examples ================= @@ -9,4 +9,5 @@ This section contains examples of firewall configurations for various deployment :maxdepth: 2 fwall-and-vrf + fwall-and-bridge zone-policy diff --git a/docs/configexamples/fwall-and-bridge.rst b/docs/configexamples/fwall-and-bridge.rst new file mode 100644 index 00000000..32c53fa5 --- /dev/null +++ b/docs/configexamples/fwall-and-bridge.rst 
@@ -0,0 +1,497 @@ +:lastproofread: 2024-09-11 + +Bridge and firewall example +--------------------------- + +Scenario and requirements +^^^^^^^^^^^^^^^^^^^^^^^^^ + +This example shows how to configure a VyOS router with bridge interfaces and +firewall rules. + +Three non VLAN-aware bridges are going to be configured, and each one has its +own requirements. + +* Bridge br0: + * Isolated layer 2 bridge. + * Accept only IPv6 communication whithin the bridge. + +* Bridge br1: + * Drop all DHCP discover packets. + * Accept all ARP packets. + * Within the bridge, accept only new IPv4 connections from host 10.1.1.102 + * Drop all other IPv4 connections. + * Drop all IPv6 connections. + * Accept access to router itself. + * Allow connections to internet + * Drop connections to other LANs. + +* Bridge br2: + * Accept all DHCP discover packets. + * Accept only DHCP offers from valid server and|or trusted bridge port. + * Accept all ARP packets. + * Accept all IPv4 connections. + * Drop all IPv6 connections. + * Deny access to the router. + * Allow connections to internet. + * Allow connections to bridge br1. + +Configuration +^^^^^^^^^^^^^ + +Bridges and interfaces configuration +"""""""""""""""""""""""""""""""""""" + +First, we need to configure the interfaces and bridges: + +.. 
code-block:: none + + # Brige br0 + set interfaces bridge br0 description 'Isolated L2 bridge' + set interfaces bridge br0 member interface eth1 + set interfaces bridge br0 member interface eth2 + set interfaces ethernet eth1 description 'br0' + set interfaces ethernet eth2 description 'br0' + + # Bridge br1: + set interfaces bridge br1 address '10.1.1.1/24' + set interfaces bridge br1 description 'L3 bridge br1' + set interfaces bridge br1 member interface eth3 + set interfaces bridge br1 member interface eth4 + set interfaces ethernet eth3 description 'br1' + set interfaces ethernet eth4 description 'br1' + + # Bridge br2: + set interfaces bridge br2 address '10.2.2.1/24' + set interfaces bridge br2 description 'L3 bridge br2' + set interfaces bridge br2 member interface eth5 + set interfaces bridge br2 member interface eth6 + set interfaces bridge br2 member interface eth7 + set interfaces ethernet eth5 description 'br2 - Host' + set interfaces ethernet eth6 description 'br2 - Trusted DHCP Server' + set interfaces ethernet eth7 description 'br2' + +Bridge firewall configuration +""""""""""""""""""""""""""""" + +In this section, we are going to configure the firewall rules that will be used +in bridge firewall, and will control the traffic within each bridge. + +We are going to use custom firewall rulesets, one for each bridge that will +be used in ``prerouting``, and one for each bridge that will be used in the +``forward`` chain. + +Also, we are going to use firewall interface groups in order to simplify the +firewall configuration. + +So first, let's create the required firewall interface groups: + +.. 
code-block:: none + + # Bridge br0 interface-group: + set firewall group interface-group br0-ifaces interface 'br0' + set firewall group interface-group br0-ifaces interface 'eth1' + set firewall group interface-group br0-ifaces interface 'eth2' + + # Bridge br1 interface-group: + set firewall group interface-group br1-ifaces interface 'br1' + set firewall group interface-group br1-ifaces interface 'eth3' + set firewall group interface-group br1-ifaces interface 'eth4' + + # Bridge br2 interface-group: + set firewall group interface-group br2-ifaces interface 'br2' + set firewall group interface-group br2-ifaces interface 'eth5' + set firewall group interface-group br2-ifaces interface 'eth6' + set firewall group interface-group br2-ifaces interface 'eth7' + +As said before, we are going to create custom firewall rulesets for each +bridge, that will be used in the ``prerouting`` chain, in order to drop as much +unwanted traffic as early as possible. So, custom rulesets used in +``prerouting`` chain are going to be ``br0-pre``, ``br1-pre``, and ``br2-pre``: + +.. 
code-block:: none + + # Prerouting - Catch all traffic for br0 + set firewall bridge prerouting filter rule 10 action 'jump' + set firewall bridge prerouting filter rule 10 description 'br0 traffic' + set firewall bridge prerouting filter rule 10 inbound-interface group 'br0-ifaces' + set firewall bridge prerouting filter rule 10 jump-target 'br0-pre' + + # Prerouting - Catch all traffic for br1 + set firewall bridge prerouting filter rule 20 action 'jump' + set firewall bridge prerouting filter rule 20 description 'br1 traffic' + set firewall bridge prerouting filter rule 20 inbound-interface group 'br1-ifaces' + set firewall bridge prerouting filter rule 20 jump-target 'br1-pre' + + # Prerouting - Catch all traffic for br2 + set firewall bridge prerouting filter rule 30 action 'jump' + set firewall bridge prerouting filter rule 30 description 'br2 traffic' + set firewall bridge prerouting filter rule 30 inbound-interface group 'br2-ifaces' + set firewall bridge prerouting filter rule 30 jump-target 'br2-pre' + +And then create the custom rulesets: + +.. 
code-block:: none + + ### br0 - br0-pre + # Requirements: accept only IPv6 communication within the bridge + set firewall bridge name br0-pre rule 10 description 'Accept IPv6 traffic' + set firewall bridge name br0-pre rule 10 action 'accept' + set firewall bridge name br0-pre rule 10 ethernet-type 'ipv6' + # And drop everything else + set firewall bridge name br0-pre default-action 'drop' + + ### br1 - br1-pre + # Requirements: drop all DHCP discover packets + set firewall bridge name br1-pre rule 10 description 'Drop DHCP discover' + set firewall bridge name br1-pre rule 10 action 'drop' + set firewall bridge name br1-pre rule 10 protocol 'udp' + set firewall bridge name br1-pre rule 10 source port '68' + set firewall bridge name br1-pre rule 10 destination port '67' + set firewall bridge name br1-pre rule 10 destination mac-address 'ff:ff:ff:ff:ff:ff' + set firewall bridge name br1-pre rule 10 log + # Requirement: drop all IPv6 connections + set firewall bridge name br1-pre rule 20 description 'Drop IPv6 traffic' + set firewall bridge name br1-pre rule 20 action 'drop' + set firewall bridge name br1-pre rule 20 ethernet-type 'ipv6' + # Accept everything else so it can be parsed later + set firewall bridge name br1-pre default-action 'accept' + + ### br2 - br2-pre + # Requirements: drop all IPv6 connections + set firewall bridge name br2-pre rule 10 description 'Drop IPv6 traffic' + set firewall bridge name br2-pre rule 10 action 'drop' + set firewall bridge name br2-pre rule 10 ethernet-type 'ipv6' + # Accept everything else so it can be parsed later + set firewall bridge name br2-pre default-action 'accept' + +Now, in the ``forward`` chain, we are going to define state policies, and +custom rulesets for each bridge that would be used in the ``forward`` chain. +These rulesets are ``br0-fwd``, ``br1-fwd``, and ``br2-fwd``: + +.. 
code-block:: none + + # Forward - State policies if not defined globally + set firewall bridge forward filter rule 5 action 'accept' + set firewall bridge forward filter rule 5 state 'established' + set firewall bridge forward filter rule 5 state 'related' + set firewall bridge forward filter rule 10 action 'drop' + set firewall bridge forward filter rule 10 state 'invalid' + + # Forward - Catch all traffic for br0 + set firewall bridge forward filter rule 110 description 'br0 traffic' + set firewall bridge forward filter rule 110 action 'jump' + set firewall bridge forward filter rule 110 inbound-interface group 'br0-ifaces' + set firewall bridge forward filter rule 110 jump-target 'br0-fwd' + + # Forward - Catch all traffic for br1 + set firewall bridge forward filter rule 120 description 'br1 traffic' + set firewall bridge forward filter rule 120 action 'jump' + set firewall bridge forward filter rule 120 inbound-interface group 'br1-ifaces' + set firewall bridge forward filter rule 120 jump-target 'br1-fwd' + + # Forward - Catch all traffic for br2 + set firewall bridge forward filter rule 130 description 'br2 traffic' + set firewall bridge forward filter rule 130 action 'jump' + set firewall bridge forward filter rule 130 inbound-interface group 'br2-ifaces' + set firewall bridge forward filter rule 130 jump-target 'br2-fwd' + + # Forward - Default action drop: + set firewall bridge forward filter default-action 'drop' + +And the content of the custom rulesets: + +.. 
code-block:: none + + ### br0 - br0-fwd + # Accept everything that wasn't dropped in prerouting + set firewall bridge name br0-fwd default-action 'accept' + + ### br1 - br1-fwd + # Requirement: Accept all ARP packets + set firewall bridge name br1-fwd rule 10 description 'Accept ARP' + set firewall bridge name br1-fwd rule 10 action 'accept' + set firewall bridge name br1-fwd rule 10 ethernet-type 'arp' + # Requirement: Accept only new IPv4 connections from host 10.1.1.102 + set firewall bridge name br1-fwd rule 20 description 'Accept ipv4 from host' + set firewall bridge name br1-fwd rule 20 action 'accept' + set firewall bridge name br1-fwd rule 20 source address '10.1.1.102' + set firewall bridge name br1-fwd rule 20 state 'new' + # Drop everythin else within the bridge: + set firewall bridge name br1-fwd default-action 'drop' + + ### br2 - br2-fwd + # Requirement: Accept all DHCP discover packets + set firewall bridge name br2-fwd rule 10 description 'Accept DHCP discover' + set firewall bridge name br2-fwd rule 10 action 'accept' + set firewall bridge name br2-fwd rule 10 protocol 'udp' + set firewall bridge name br2-fwd rule 10 source port '68' + set firewall bridge name br2-fwd rule 10 destination port '67' + set firewall bridge name br2-fwd rule 10 destination mac-address 'ff:ff:ff:ff:ff:ff' + # Requirement: Accept only DHCP offers from valid server on port eth6 + set firewall bridge name br2-fwd rule 20 description 'Accept DHCP offers from trusted interface' + set firewall bridge name br2-fwd rule 20 action 'accept' + set firewall bridge name br2-fwd rule 20 protocol 'udp' + set firewall bridge name br2-fwd rule 20 source port '67' + set firewall bridge name br2-fwd rule 20 destination port '68' + set firewall bridge name br2-fwd rule 20 inbound-interface name 'eth6' + set firewall bridge name br2-fwd rule 22 description 'Drop all other DHCP offers' + set firewall bridge name br2-fwd rule 22 action 'drop' + set firewall bridge name br2-fwd rule 22 protocol 
'udp' + set firewall bridge name br2-fwd rule 22 source port '67' + set firewall bridge name br2-fwd rule 22 destination port '68' + set firewall bridge name br2-fwd rule 22 log + + # Accept all ARP packets + set firewall bridge name br2-fwd rule 30 description 'Accept ARP' + set firewall bridge name br2-fwd rule 30 action 'accept' + set firewall bridge name br2-fwd rule 30 ethernet-type 'arp' + # Accept all IPv4 connections + set firewall bridge name br2-fwd rule 40 description 'Accept ipv4' + set firewall bridge name br2-fwd rule 40 action 'accept' + set firewall bridge name br2-fwd rule 40 ethernet-type 'ipv4' + # Drop everything else + set firewall bridge name br2-fwd default-action 'drop' + + +IP firewall configuration +""""""""""""""""""""""""" + +Since some of the requirements listed above exceed the capabilities of the +bridge firewall, we need to use the IP firewall to implement them. +For bridge br1 and br2, we need to control the traffic that is going to the +router itself, to other local networks, and to the Internet. + +As a reminder, here's a link to the :doc:`firewall documentation +</configuration/firewall/index>`, where you can find more information about +the packet flow for traffic that comes from bridge layer and should be analized +by the IP firewall. + +Access to the router itself is controlled by the base chain ``input``, and +rules to accomplish all the requirements are: + +.. 
code-block:: none + + # First of all, if not using global state policies, we need to define them: + set firewall ipv4 input filter rule 10 state 'established' + set firewall ipv4 input filter rule 10 state 'related' + set firewall ipv4 input filter rule 10 action 'accept' + set firewall ipv4 input filter rule 20 state 'invalid' + set firewall ipv4 input filter rule 20 action 'drop' + + # Input - br1 - Accept access to router itself + set firewall ipv4 input filter rule 110 description "Accept access from br1" + set firewall ipv4 input filter rule 110 action 'accept' + set firewall ipv4 input filter rule 110 inbound-interface group 'br1-ifaces' + + # Input - br2 - Deny access to the router + set firewall ipv4 input filter rule 120 description "Deny access from br2" + set firewall ipv4 input filter rule 120 action 'drop' + set firewall ipv4 input filter rule 120 inbound-interface group 'br2-ifaces' + +And for traffic that is going to other local networks, and to he Internet, we +need to use the base chain ``forward``. As in the bridge firewall, we are +going to use custom rulesets for each bridge, that would be used in the +``forward`` chain. Those rulesets are ``ip-br1-fwd`` and ``ip-br2-fwd``: + +.. 
code-block:: none + + # First of all, if not using global state policies, we need to define them: + set firewall ipv4 forward filter rule 5 action 'accept' + set firewall ipv4 forward filter rule 5 state 'established' + set firewall ipv4 forward filter rule 5 state 'related' + set firewall ipv4 forward filter rule 10 action 'drop' + set firewall ipv4 forward filter rule 10 state 'invalid' + + # Forward - Catch all traffic for br1 + set firewall ipv4 forward filter rule 110 description 'br1 traffic' + set firewall ipv4 forward filter rule 110 action 'jump' + set firewall ipv4 forward filter rule 110 inbound-interface group 'br1-ifaces' + set firewall ipv4 forward filter rule 110 jump-target 'ip-br1-fwd' + + # Forward - Catch all traffic for br2 + set firewall ipv4 forward filter rule 120 description 'br2 traffic' + set firewall ipv4 forward filter rule 120 action 'jump' + set firewall ipv4 forward filter rule 120 inbound-interface group 'br2-ifaces' + set firewall ipv4 forward filter rule 120 jump-target 'ip-br2-fwd' + + # Forward - Default action drop: + set firewall ipv4 forward filter default-action 'drop' + +And the content of the custom rulesets: + +.. 
code-block:: none + + ### br1 - ip-br1-fwd + # Requirement: Allow connections to internet + set firewall ipv4 name ip-br1-fwd rule 10 description 'br1 - allow internet access' + set firewall ipv4 name ip-br1-fwd rule 10 action 'accept' + set firewall ipv4 name ip-br1-fwd rule 10 outbound-interface name 'eth0' + # Requirement: Drop all other connections + set firewall ipv4 name ip-br1-fwd default-action 'drop' + + ### br2 - ip-br2-fwd + # Requirement: Allow connections to internet + set firewall ipv4 name ip-br2-fwd rule 10 description 'br2 - allow internet access' + set firewall ipv4 name ip-br2-fwd rule 10 action 'accept' + set firewall ipv4 name ip-br2-fwd rule 10 outbound-interface name 'eth0' + # Requirement: Allow connections to br1 + set firewall ipv4 name ip-br2-fwd rule 20 description 'br2 - allow access to br1' + set firewall ipv4 name ip-br2-fwd rule 20 action 'accept' + set firewall ipv4 name ip-br2-fwd rule 20 outbound-interface group 'br1-ifaces' + # Requirement: Drop all other connections + set firewall ipv4 name ip-br2-fwd default-action 'drop' + + +Validation +^^^^^^^^^^ + +While testing the configuration, we can check logs in order to ensure that +we are accepting and/or blocking the correct traffic. + +For example, while a host tries to get an IP address from a DHCP server in +br1 all DHCP discover are dropped, and in br2, we can see that DHCP offers from +untrusted servers are dropped: + +.. 
code-block:: none + + vyos@bridge:~$ show log firewall bridge + Sep 17 14:22:35 kernel: [bri-NAM-br2-fwd-22-D]IN=eth7 OUT=eth5 MAC=50:00:00:09:00:00:50:00:00:04:00:00:08:00 SRC=10.2.2.199 DST=10.2.2.92 LEN=322 TOS=0x10 PREC=0x00 TTL=128 ID=0 DF PROTO=UDP SPT=67 DPT=68 LEN=302 + Sep 17 14:28:18 kernel: [bri-NAM-br1-pre-10-D]IN=eth3 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:79:66:68:0c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=392 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=372 + Sep 17 14:28:19 kernel: [bri-NAM-br1-pre-10-D]IN=eth3 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:79:66:68:0c:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=392 TOS=0x10 PREC=0x00 TTL=16 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=372 + + +And with operational mode commands, we can check rules matchers, actions, and +counters. + +Bridge firewall rulset: + +.. code-block:: none + + vyos@bri:~$ show firewall bridge + Rulesets bridge Information + + --------------------------------- + bridge Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------------------- + 5 accept all 19 1916 ct state { established, related } accept + 10 drop all 0 0 ct state invalid + 110 jump all 2 208 iifname @I_br0-ifaces jump NAME_br0-fwd + 120 jump all 10 670 iifname @I_br1-ifaces jump NAME_br1-fwd + 130 jump all 12 3086 iifname @I_br2-ifaces jump NAME_br2-fwd + default drop all 0 0 + + --------------------------------- + bridge Firewall "name br0-fwd" + + Rule Action Protocol Packets Bytes + ------- -------- ---------- --------- ------- + default accept all 2 208 + + --------------------------------- + bridge Firewall "name br0-pre" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------- + 10 accept all 18 1872 ether type ip6 accept + default drop all 9 1476 + + --------------------------------- + bridge Firewall "name br1-fwd" + + Rule Action Protocol Packets Bytes Conditions 
+ ------- -------- ---------- --------- ------- ---------------------------------------- + 10 accept all 5 250 ether type arp accept + 20 accept all 3 252 ct state new ip saddr 10.1.1.102 accept + default drop all 2 168 + + --------------------------------- + bridge Firewall "name br1-pre" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------------------------------------------------------- + 10 drop udp 3 1176 ether daddr ff:ff:ff:ff:ff:ff udp sport 68 udp dport 67 prefix "[bri-NAM-br1-pre-10-D]" + 20 drop all 0 0 ether type ip6 + default accept all 58 4430 + + --------------------------------- + bridge Firewall "name br2-fwd" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- --------------------------------------------------------------- + 10 accept udp 4 1312 ether daddr ff:ff:ff:ff:ff:ff udp sport 68 udp dport 67 accept + 20 accept udp 2 656 udp sport 67 udp dport 68 iifname "eth6" accept + 22 drop udp 1 322 udp sport 67 udp dport 68 prefix "[bri-NAM-br2-fwd-22-D]" + 30 accept all 2 92 ether type arp accept + 40 accept all 3 704 ether type ip accept + default drop all 0 0 + + --------------------------------- + bridge Firewall "name br2-pre" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- -------------- + 10 drop all 7 728 ether type ip6 + default accept all 77 7548 + + --------------------------------- + bridge Firewall "prerouting filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------------------------- + 10 jump all 27 3348 iifname @I_br0-ifaces jump NAME_br0-pre + 20 jump all 61 5606 iifname @I_br1-ifaces jump NAME_br1-pre + 30 jump all 84 8276 iifname @I_br2-ifaces jump NAME_br2-pre + default drop all 0 0 + + vyos@bridge:~$ + +IPv4 firewall rulset: + +.. 
code-block:: none + + vyos@bridge:~$ show firewall ipv4 + Rulesets ipv4 Information + + --------------------------------- + ipv4 Firewall "forward filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ------------------------------------------- + 5 accept all 76 6384 ct state { established, related } accept + 10 drop all 0 0 ct state invalid + 110 jump all 13 1092 iifname @I_br1-ifaces jump NAME_ip-br1-fwd + 120 jump all 3 252 iifname @I_br2-ifaces jump NAME_ip-br2-fwd + default drop all 0 0 + + --------------------------------- + ipv4 Firewall "input filter" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------------------- + 10 accept all 0 0 ct state { established, related } accept + 20 drop all 0 0 ct state invalid + 110 accept all 10 720 iifname @I_br1-ifaces accept + 120 drop all 26 2672 iifname @I_br2-ifaces + default accept all 3037 991621 + + --------------------------------- + ipv4 Firewall "name ip-br1-fwd" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ---------------------- + 10 accept all 5 420 oifname "eth0" accept + default drop all 8 672 + + --------------------------------- + ipv4 Firewall "name ip-br2-fwd" + + Rule Action Protocol Packets Bytes Conditions + ------- -------- ---------- --------- ------- ----------------------------- + 10 accept all 1 84 oifname "eth0" accept + 20 accept all 2 168 oifname @I_br1-ifaces accept + default drop all 0 0 + + vyos@bridge:~$ |
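Review bot: in the firewall.rst toctree hunk, the new `fwall-and-bridge` entry is added after `fwall-and-vrf`, which breaks the alphabetical order the existing entries (`fwall-and-vrf`, `zone-policy`) follow; move it one line up so the list reads `fwall-and-bridge`, `fwall-and-vrf`, `zone-policy`, unless the ordering is intentionally by topic.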
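Review bot: in the new fwall-and-bridge.rst hunk, the requirement lists under `* Bridge br0:`, `* Bridge br1:` and `* Bridge br2:` are followed directly by the indented `* Isolated layer 2 bridge.` lines with no blank line in between; docutils parses a one-line paragraph followed by an indented block as a definition list (term plus body), not as a nested bullet list, so add a blank line after each `* Bridge brN:` line for the sub-items to render as nested bullets. Two points on the rules themselves: the comment `# Requirement: Accept only DHCP offers from valid server on port eth6` overstates what rule 20 of `br2-fwd` checks, since the rule matches only `inbound-interface name 'eth6'` and not the server address, so either reword the comment to the "trusted bridge port" wording used in the requirements list or add a `source address` match for the known server; and the `default-action 'accept'` comments in `br1-pre` and `br2-pre` say "so it can be parsed later", where "so it is evaluated by the forward chain later" is what is meant. The `show firewall ipv4` output also shows the `input filter` chain at `default accept`, and the example never sets a default action for that chain, so a sentence saying that br1's rule 110 is what keeps router access working if a reader sets `default-action 'drop'` on `ipv4 input filter` would help. Style: the rule 110 and 120 descriptions in the ipv4 input block use double quotes (`"Accept access from br1"`) while every other description uses single quotes, and the captured prompt switches from `vyos@bridge:~$` to `vyos@bri:~$` in the `show firewall bridge` output. Typos to fix: "whithin" to "within", "Brige br0" to "Bridge br0", "everythin else" to "everything else", "analized" to "analyzed", "to he Internet" to "to the Internet", "rulset" to "ruleset" (twice), "and|or" to "and/or", and the br1 items "accept only new IPv4 connections from host 10.1.1.102" and "Allow connections to internet" are missing their trailing periods.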