diff options
Diffstat (limited to 'docs/configuration/firewall/index.rst~')
-rw-r--r-- | docs/configuration/firewall/index.rst~ | 179 |
1 files changed, 0 insertions, 179 deletions
diff --git a/docs/configuration/firewall/index.rst~ b/docs/configuration/firewall/index.rst~ deleted file mode 100644 index bdfc2069..00000000 --- a/docs/configuration/firewall/index.rst~ +++ /dev/null @@ -1,179 +0,0 @@ -:lastproofread: 2023-11-23 - -######## -Firewall -######## - -With VyOS being based on top of Linux and its kernel, the Netfilter project -created iptables and its successor nftables for the Linux kernel to -work directly on the data flows. This now extends the concept of zone-based -security to allow for manipulating the data at multiple stages once accepted -by the network interface and the driver before being handed off to the -destination (e.g., a web server OR another device). - -A simplified traffic flow diagram, based on Netfilter packet flow, is shown next, in -order to have a full view and understanding of how packets are processed, and -what possible paths traffic can take. - -.. figure:: /_static/images/firewall-gral-packet-flow.png - -Main points regarding this packet flow and terminology used in VyOS firewall are below: - - * **Bridge Port?**: choose appropriate path based on whether interface where the - packet was received is part of a bridge, or not. - -If interface where the packet was received isn't part of a bridge, then packet -is processed at the **IP Layer**: - - * **Prerouting**: several actions can be done in this stage, and currently - these actions are defined in different parts in VyOS configuration. Order - is important, and all these actions are performed before any actions - defined under ``firewall`` section. Relevant configuration that acts in - this stage are: - - * **Conntrack Ignore**: rules defined under ``set system conntrack ignore - [ipv4 | ipv6] ...``. - - * **Policy Route**: rules defined under ``set policy [route | route6] - ...``. - - * **Destination NAT**: rules defined under ``set [nat | nat66] - destination...``. - - * **Destination is the router?**: choose appropriate path based on - destination IP address. Transit forward continues to **forward**, - while traffic that destination IP address is configured on the router - continues to **input**. - - * **Input**: stage where traffic destined for the router itself can be - filtered and controlled. This is where all rules for securing the router - should take place. This includes ipv4 and ipv6 filtering rules, defined - in: - - * ``set firewall ipv4 input filter ...``. - - * ``set firewall ipv6 input filter ...``. - - * **Forward**: stage where transit traffic can be filtered and controlled. - This includes ipv4 and ipv6 filtering rules, defined in: - - * ``set firewall ipv4 forward filter ...``. - - * ``set firewall ipv6 forward filter ...``. - - * **Output**: stage where traffic that originates from the router itself - can be filtered and controlled. Bear in mind that this traffic can be a - new connection originated by a internal process running on VyOS router, - such as NTP, or a response to traffic received externaly through - **inputt** (for example response to an ssh login attempt to the router). - This includes ipv4 and ipv6 filtering rules, defined in: - - * ``set firewall ipv4 input filter ...``. - - * ``set firewall ipv6 output filter ...``. - - * **Postrouting**: as in **Prerouting**, several actions defined in - different parts of VyOS configuration are performed in this - stage. This includes: - - * **Source NAT**: rules defined under ``set [nat | nat66] - destination...``. - -If interface where the packet was received is part of a bridge, then packet -is processed at the **Bridge Layer**, which contains a basic setup for -bridge filtering: - - * **Forward (Bridge)**: stage where traffic that is trespasing through the - bridge is filtered and controlled: - - * ``set firewall bridge forward filter ...``. - -Main structure VyOS firewall cli is shown next: - -.. code-block:: none - - - set firewall - * bridge - - forward - + filter - * flowtable - - custom_flow_table - + ... - * global-options - + all-ping - + broadcast-ping - + ... - * group - - address-group - - ipv6-address-group - - network-group - - ipv6-network-group - - interface-group - - mac-group - - port-group - - domain-group - * ipv4 - - forward - + filter - - input - + filter - - output - + filter - - name - + custom_name - * ipv6 - - forward - + filter - - input - + filter - - output - + filter - - ipv6-name - + custom_name - * zone - - custom_zone_name - + ... - -Please, refer to appropiate section for more information about firewall -configuration: - -.. toctree:: - :maxdepth: 1 - :includehidden: - - global-options - groups - bridge - ipv4 - ipv6 - flowtables - -.. note:: **For more information** - of Netfilter hooks and Linux networking packet flows can be - found in `Netfilter-Hooks - <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_ - - -Zone-based firewall -^^^^^^^^^^^^^^^^^^^ -.. toctree:: - :maxdepth: 1 - :includehidden: - - zone - -With zone-based firewalls a new concept was implemented, in addtion to the -standard in and out traffic flows, a local flow was added. This local was for -traffic originating and destined to the router itself. Which means additional -rules were required to secure the firewall itself from the network, in -addition to the existing inbound and outbound rules from the traditional -concept above. - -To configure VyOS with the -:doc:`zone-based firewall configuration </configuration/firewall/zone>` - -As the example image below shows, the device now needs rules to allow/block -traffic to or from the services running on the device that have open -connections on that interface. - -.. figure:: /_static/images/firewall-zonebased.png |