diff options
Diffstat (limited to 'docs/configuration/firewall')
| -rw-r--r-- | docs/configuration/firewall/general-legacy.rst | 23 | ||||
| -rw-r--r-- | docs/configuration/firewall/general.rst | 104 | ||||
| -rw-r--r-- | docs/configuration/firewall/index.rst | 73 | ||||
| -rw-r--r-- | docs/configuration/firewall/zone.rst | 20 |
4 files changed, 166 insertions, 54 deletions
diff --git a/docs/configuration/firewall/general-legacy.rst b/docs/configuration/firewall/general-legacy.rst index de91e54b..5d235eb8 100644 --- a/docs/configuration/firewall/general-legacy.rst +++ b/docs/configuration/firewall/general-legacy.rst @@ -1,14 +1,14 @@ :lastproofread: 2021-06-29 -.. _firewall: +.. _legacy-firewall: -############### -Firewall-Legacy -############### +################################### +Firewall Configuration (Deprecated) +################################### .. note:: **Important note:** This documentation is valid only for VyOS Sagitta prior to - 1.4-rolling-YYYYMMDDHHmm + 1.4-rolling-202308040557 ******** Overview @@ -153,7 +153,7 @@ Groups ****** Firewall groups represent collections of IP addresses, networks, ports, -mac addresses or domains. Once created, a group can be referenced by +mac addresses or domains. Once created, a group can be referenced by firewall, nat and policy route rules as either a source or destination matcher. Members can be added or removed from a group without changes to, or the need to reload, individual firewall rules. @@ -424,11 +424,13 @@ There are a lot of matching criteria against which the package can be tested. An arbitrary netmask can be applied to mask addresses to only match against a specific portion. This is particularly useful with IPv6 and a zone-based firewall as rules will remain valid if the IPv6 prefix changes and the host - portion of systems IPv6 address is static (for example, with SLAAC or `tokenised IPv6 addresses - <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_) - + portion of systems IPv6 address is static (for example, with SLAAC or + `tokenised IPv6 addresses + <https://datatracker.ietf.org/doc/id/draft-chown-6man-tokenised-ipv6-identifiers-02.txt>`_). + This functions for both individual addresses and address groups. + .. stop_vyoslinter .. code-block:: none # Match any IPv6 address with the suffix ::0000:0000:0000:beef @@ -442,6 +444,7 @@ There are a lot of matching criteria against which the package can be tested. set firewall group ipv6-address-group WEBSERVERS address ::2000 set firewall name WAN-LAN-v6 rule 200 source group address-group WEBSERVERS set firewall name WAN-LAN-v6 rule 200 source address-mask ::ffff:ffff:ffff:ffff + .. start_vyoslinter .. cfgcmd:: set firewall name <name> rule <1-999999> source fqdn <fqdn> .. cfgcmd:: set firewall name <name> rule <1-999999> destination fqdn <fqdn> @@ -1048,4 +1051,4 @@ Update geoip database .. opcmd:: update geoip - Command used to update GeoIP database and firewall sets.
\ No newline at end of file + Command used to update GeoIP database and firewall sets. diff --git a/docs/configuration/firewall/general.rst b/docs/configuration/firewall/general.rst index 0e172a24..3fe876f2 100644 --- a/docs/configuration/firewall/general.rst +++ b/docs/configuration/firewall/general.rst @@ -1,10 +1,10 @@ -:lastproofread: 2021-06-29 +:lastproofread: 2023-09-17 -.. _firewall: +.. _firewall-configuration: -######## -Firewall -######## +###################### +Firewall Configuration +###################### ******** Overview @@ -17,48 +17,41 @@ The firewall supports the creation of groups for addresses, domains, interfaces, mac-addresses, networks and port groups. This groups can be used later in firewall ruleset as desired. -.. note:: **Important note on usage of terms:** - The firewall makes use of the terms `forward`, `input`, and `output` - for firewall policy. More information of Netfilter hooks and Linux - networking packet flows can be found in `Netfilter-Hooks - <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_ - - Main structure is shown next: .. code-block:: none - set firewall * global-options - + all-ping - + broadcast-ping - + ... + + all-ping + + broadcast-ping + + ... * group - - address-group - - ipv6-address-group - - network-group - - ipv6-network-group - - interface-group - - mac-group - - port-group - - domain-group + - address-group + - ipv6-address-group + - network-group + - ipv6-network-group + - interface-group + - mac-group + - port-group + - domain-group * ipv4 - - forward + - forward + filter - - input + - input + filter - - output + - output + filter - - name + - name + custom_name * ipv6 - - forward + - forward + filter - - input + - input + filter - - output + - output + filter - - ipv6-name + - ipv6-name + custom_name Where, main key words and configuration paths that needs to be understood: @@ -351,10 +344,12 @@ The action can be : * ``queue``: Enqueue packet to userspace. + * ``synproxy``: synproxy the packet. + .. cfgcmd:: set firewall [ipv4 | ipv6] forward filter rule <1-999999> action - [accept | drop | jump | queue | reject | return] + [accept | drop | jump | queue | reject | return | synproxy] .. cfgcmd:: set firewall [ipv4 | ipv6] input filter rule <1-999999> action - [accept | drop | jump | queue | reject | return] + [accept | drop | jump | queue | reject | return | synproxy] .. cfgcmd:: set firewall [ipv4 | ipv6] output filter rule <1-999999> action [accept | drop | jump | queue | reject | return] .. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> action @@ -1264,6 +1259,49 @@ geoip) to keep database and rules updated. Match when 'count' amount of connections are seen within 'time'. These matching criteria can be used to block brute-force attempts. +******** +Synproxy +******** +Synproxy connections + +.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> action synproxy +.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> protocol tcp +.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> synproxy tcp mss <501-65535> + + Set TCP-MSS (maximum segment size) for the connection + +.. cfgcmd:: set firewall [ipv4 | ipv6] [input | forward] filter rule <1-999999> synproxy tcp window-scale <1-14> + + Set the window scale factor for TCP window scaling + +Example synproxy +================ +Requirements to enable synproxy: + + * Traffic must be symmetric + * Synproxy relies on syncookies and TCP timestamps, ensure these are enabled + * Disable conntrack loose track option + +.. code-block:: none + + set system sysctl parameter net.ipv4.tcp_timestamps value '1' + + set system conntrack tcp loose disable + set system conntrack ignore ipv4 rule 10 destination port '8080' + set system conntrack ignore ipv4 rule 10 protocol 'tcp' + set system conntrack ignore ipv4 rule 10 tcp flags syn + + set firewall global-options syn-cookies 'enable' + set firewall ipv4 input filter rule 10 action 'synproxy' + set firewall ipv4 input filter rule 10 destination port '8080' + set firewall ipv4 input filter rule 10 inbound-interface interface-name 'eth1' + set firewall ipv4 input filter rule 10 protocol 'tcp' + set firewall ipv4 input filter rule 10 synproxy tcp mss '1460' + set firewall ipv4 input filter rule 10 synproxy tcp window-scale '7' + set firewall ipv4 input filter rule 1000 action 'drop' + set firewall ipv4 input filter rule 1000 state invalid 'enable' + + *********************** Operation-mode Firewall *********************** diff --git a/docs/configuration/firewall/index.rst b/docs/configuration/firewall/index.rst index 567e48a0..4b923143 100644 --- a/docs/configuration/firewall/index.rst +++ b/docs/configuration/firewall/index.rst @@ -1,24 +1,85 @@ +:lastproofread: 2023-09-17 + ######## Firewall ######## -Starting from VyOS 1.4-rolling-202308040557, a new firewall structure -can be found on all vyos installations. Documentation for most new firewall -cli can be found here: +.. attention:: + Starting from VyOS 1.4-rolling-202308040557, a new firewall structure + can be found on all vyos installations. + +.. note:: + The legacy and zone-based firewall configuration options is not longer + supported. They are here for reference purposes only. +Netfilter based +^^^^^^^^^^^^^^^ .. toctree:: :maxdepth: 1 :includehidden: general -Also, for those who haven't updated to newer version, legacy documentation is -still present and valid for all sagitta version prior to VyOS -1.4-rolling-202308040557: +With VyOS being based on top of Linux and its kernel, the Netfilter project created +the iptables and now the successor nftables for the Linux kernel to work directly +on the data flows. This now extends the concept of zone-based security to allow +for manipulating the data at multiple stages once accepted by the network interface +and the driver before being handed off to the destination (e.g. a web server OR +another device). + +To configure VyOS with the new :doc:`firewall configuration </configuration/firewall/general>` + +The only stages VyOS will process as part of the firewall configuration is the +`forward` (F4 stage), `input` (L4 stage), and `output` (L5 stage). All the other +stages and steps are for reference and cant be manipulated through VyOS. + +In this example image, a simplifed traffic flow is shown to help provide context +to the terms of `forward`, `input`, and `output` for the new firewall CLI format. +.. figure:: /_static/images/firewall-netfilter.png + +.. note:: **For more information** + of Netfilter hooks and Linux networking packet flows can be + found in `Netfilter-Hooks + <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_ + +Legacy Firewall +^^^^^^^^^^^^^^^ .. toctree:: :maxdepth: 1 :includehidden: general-legacy + +Traditionally firewalls weere configured with the concept of data going in and +out of an interface. The router just listened to the data flowing through and +responding as required if it was directed at the router itself. + +To configure VyOS with the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>` + +As the example image below shows, the device was configured with rules blocking +inbound or outbound traffic on each interface. + +.. figure:: /_static/images/firewall-traditional.png + +Zone-based firewall +^^^^^^^^^^^^^^^^^^^ +.. toctree:: + :maxdepth: 1 + :includehidden: + zone + +With zone-based firewalls a new concept was implemented, in addtion to the standard +in and out traffic flows, a local flow was added. This local was for traffic +originating and destined to the router itself. Which means additional rules were +required to secure the firewall itself from the network, in addition to the existing +inbound and outbound rules from the traditional concept above. + +To configure VyOS with the :doc:`zone-based firewall configuration </configuration/firewall/zone>` + +As the example image below shows, the device now needs rules to allow/block traffic +to or from the services running on the device that have open connections on that +interface. + +.. figure:: /_static/images/firewall-zonebased.png diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index 6afd47e9..38869c32 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst @@ -2,11 +2,21 @@ .. _firewall-zone: -################### -Zone Based Firewall -################### - -.. note:: For latest releases, refer the `firewall +################################ +Zone Based Firewall (Deprecated) +################################ + +.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall + structure can be found on all vyos instalations, and zone based firewall is + no longer supported. Documentation for most of the new firewall CLI can be + found in the `firewall + <https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_ + chapter. The legacy firewall is still available for versions before + 1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy` + chapter. The examples in this section use the legacy firewall configuration + commands, since this feature has been removed in earlier releases. + +.. note:: For latest releases, refer the `firewall (interface-groups) <https://docs.vyos.io/en/latest/configuration/firewall/general.html#interface-groups>`_ main page to configure zone based rules. New syntax was introduced here :vytask:`T5160` |