summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNicolas Fort <nicolasfort1988@gmail.com>2024-01-11 09:46:26 -0300
committerNicolas Fort <nicolasfort1988@gmail.com>2024-01-11 09:46:26 -0300
commit85ef13b14fa37b8780f6e6c8220bc54366c72741 (patch)
treebe4beb86f67bf1e3a3333fd4f123cdd9b85e9abe
parent11521fd4e5f8e19592d03e102bbf69ee948e0766 (diff)
downloadvyos-documentation-85ef13b14fa37b8780f6e6c8220bc54366c72741.tar.gz
vyos-documentation-85ef13b14fa37b8780f6e6c8220bc54366c72741.zip
Add opmode commands for firewall zones, and add global state-policies in quick-start
-rw-r--r--docs/configuration/firewall/zone.rst38
-rw-r--r--docs/quick-start.rst31
2 files changed, 61 insertions, 8 deletions
diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst
index 1ab9c630..059b029d 100644
--- a/docs/configuration/firewall/zone.rst
+++ b/docs/configuration/firewall/zone.rst
@@ -123,3 +123,41 @@ written from the perspective of: *Source Zone*-to->*Destination Zone*
set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4
set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4
+**************
+Operation-mode
+**************
+
+.. opcmd:: show firewall zone-policy
+
+ This will show you a basic summary of zones configuration.
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall zone-policy
+ Zone Interfaces From Zone Firewall IPv4 Firewall IPv6
+ ------ ------------ ----------- --------------- ---------------
+ LAN eth1 WAN WAN_to_LAN
+ eth2
+ LOCAL LOCAL LAN LAN_to_LOCAL
+ WAN WAN_to_LOCAL WAN_to_LOCAL_v6
+ WAN eth3 LAN LAN_to_WAN
+ eth0 LOCAL LOCAL_to_WAN
+ vyos@vyos:~$
+
+.. opcmd:: show firewall zone-policy zone <zone>
+
+ This will show you a basic summary of a particular zone.
+
+ .. code-block:: none
+
+ vyos@vyos:~$ show firewall zone-policy zone WAN
+ Zone Interfaces From Zone Firewall IPv4 Firewall IPv6
+ ------ ------------ ----------- --------------- ---------------
+ WAN eth3 LAN LAN_to_WAN
+ eth0 LOCAL LOCAL_to_WAN
+ vyos@vyos:~$ show firewall zone-policy zone LOCAL
+ Zone Interfaces From Zone Firewall IPv4 Firewall IPv6
+ ------ ------------ ----------- --------------- ---------------
+ LOCAL LOCAL LAN LAN_to_LOCAL
+ WAN WAN_to_LOCAL WAN_to_LOCAL_v6
+ vyos@vyos:~$
diff --git a/docs/quick-start.rst b/docs/quick-start.rst
index c8bb3f04..bbd7ab77 100644
--- a/docs/quick-start.rst
+++ b/docs/quick-start.rst
@@ -141,7 +141,7 @@ networks, addresses, ports, and domains that describe different parts of
our network. We can then use them for filtering within our firewall rulesets,
allowing for more concise and readable configuration.
-In this case, we will create two interface groups—a ``WAN`` group for our
+In this case, we will create two interface groups — a ``WAN`` group for our
interfaces connected to the public internet and a ``LAN`` group for the
interfaces connected to our internal network. Additionally, we will create a
network group, ``NET-INSIDE-v4``, that contains our internal subnet.
@@ -156,10 +156,26 @@ Configure Stateful Packet Filtering
-----------------------------------
With the new firewall structure, we have have a lot of flexibility in how we
-group and order our rules, as shown by the two alternative approaches below.
+group and order our rules, as shown by the three alternative approaches below.
-Option 1: Common Chain
-^^^^^^^^^^^^^^^^^^^^^^
+Option 1: Global State Policies
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Using options defined in ``set firewall global-options state-policy``, state
+policy rules that applies for both IPv4 and IPv6 are created. These global
+state policies also applies for all traffic that passes through the router
+(transit) and for traffic originated/destinated to/from the router itself, and
+will be avaluated before any other rule defined in the firewall.
+
+Most installations would choose this option, and will contain:
+
+.. code-block:: none
+
+ set firewall global-options state-policy established action accept
+ set firewall global-options state-policy related action accept
+ set firewall global-options state-policy invalid action drop
+
+Option 2: Common/Custom Chain
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
We can create a common chain for stateful connection filtering of multiple
interfaces (or multiple netfilter hooks on one interface). Those individual
@@ -196,12 +212,11 @@ hooks as the first filtering rule in the respective chains:
set firewall ipv4 input filter rule 10 action 'jump'
set firewall ipv4 input filter rule 10 jump-target CONN_FILTER
-Option 2: Per-Hook Chain
+Option 3: Per-Hook Chain
^^^^^^^^^^^^^^^^^^^^^^^^
-Alternatively, instead of configuring the ``CONN_FILTER`` chain described above,
-you can take the more traditional stateful connection filtering approach by
-creating rules on each hook's chain:
+Alternatively, you can take the more traditional stateful connection
+filtering approach by creating rules on each base hook's chain:
.. code-block:: none