# SOME DESCRIPTIVE TITLE.
# Copyright (C) 2021, VyOS maintainers and contributors
# This file is distributed under the same license as the VyOS package.
# FIRST AUTHOR <EMAIL@ADDRESS>, YEAR.
#
#, fuzzy
msgid ""
msgstr ""
"Project-Id-Version: VyOS 1.4\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2022-10-21 12:01+0200\n"
"PO-Revision-Date: 2022-10-21 10:05+0000\n"
"Language-Team: German (Germany) (https://www.transifex.com/vyos/teams/155110/de_DE/)\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
"Language: de_DE\n"
"Plural-Forms: nplurals=2; plural=(n != 1);\n"
#: ../../configexamples/zone-policy.rst:6 3c76f26421954ac884480d0cffe55150
msgid "Zone-Policy example"
msgstr ""
#: ../../configexamples/zone-policy.rst:8 b000af62a2ff45e3bea0983ff08c6ca9
msgid ""
"In :vytask:`T2199` the syntax of the zone configuration was changed. The "
"zone configuration moved from ``zone-policy zone <name>`` to ``firewall zone"
" <name>``."
msgstr ""
#: ../../configexamples/zone-policy.rst:13 518ed4192332498b988ad701dbe4ae94
msgid "Native IPv4 and IPv6"
msgstr ""
#: ../../configexamples/zone-policy.rst:15 e785499caee9483ebbfa8fea63bd3f60
msgid "We have three networks."
msgstr ""
#: ../../configexamples/zone-policy.rst:24 d5184c69966f41c5acd57ba576316df4
msgid ""
"**This specific example is for a router on a stick, but is very easily "
"adapted for however many NICs you have**:"
msgstr ""
#: ../../configexamples/zone-policy.rst:28 dc181a02a98a45da8888bc017de3ea1f
msgid "Internet - 192.168.200.100 - TCP/80"
msgstr ""
#: ../../configexamples/zone-policy.rst:29 4e066389682c40048d57dec2c83a5aae
msgid "Internet - 192.168.200.100 - TCP/443"
msgstr ""
#: ../../configexamples/zone-policy.rst:30 99c22b93805b4a9d97c17590c0d1ff93
msgid "Internet - 192.168.200.100 - TCP/25"
msgstr ""
#: ../../configexamples/zone-policy.rst:31 98671bd795584e58ab09f67a17c41bf1
msgid "Internet - 192.168.200.100 - TCP/53"
msgstr ""
#: ../../configexamples/zone-policy.rst:32 132e6aa544e14ab68d588186821b0cf1
msgid "VyOS acts as DHCP, DNS forwarder, NAT, router and firewall."
msgstr ""
#: ../../configexamples/zone-policy.rst:33 378d3439fdd441d0b598dee31369da95
msgid ""
"192.168.200.200/2001:0DB8:0:BBBB::200 is an internal/external DNS, web and "
"mail (SMTP/IMAP) server."
msgstr ""
#: ../../configexamples/zone-policy.rst:35 45a4384bc0fc4bd1a25c98a27c2a81ce
msgid ""
"192.168.100.10/2001:0DB8:0:AAAA::10 is the administrator's console. It can "
"SSH to VyOS."
msgstr ""
#: ../../configexamples/zone-policy.rst:37 5cc8e033a70c48bcbc424e36c169c4af
msgid "LAN and DMZ hosts have basic outbound access: Web, FTP, SSH."
msgstr ""
#: ../../configexamples/zone-policy.rst:38 7345f3e3a5874d65b6922d88f3117ecd
msgid "LAN can access DMZ resources."
msgstr ""
#: ../../configexamples/zone-policy.rst:39 2413bb4e87ee4a92922530672b633c3c
msgid "DMZ cannot access LAN resources."
msgstr ""
#: ../../configexamples/zone-policy.rst:40 604e13042cc6421fa69f297748ae55ab
msgid "Inbound WAN connect to DMZ host."
msgstr ""
#: ../../configexamples/zone-policy.rstNone c296c8f6b6874d18872c119a8cc8ee57
msgid "Network Topology Diagram"
msgstr ""
#: ../../configexamples/zone-policy.rst:47 8aacd45be8534832803d7d08a1a8b19d
msgid ""
"The VyOS interfaces are assigned the .1/::1 address of their respective "
"networks. WAN is on VLAN 10, LAN on VLAN 20, and DMZ on VLAN 30."
msgstr ""
#: ../../configexamples/zone-policy.rst:50 5e0f72b4b2db4789ac8dd371ba669517
msgid "It will look something like this:"
msgstr ""
#: ../../configexamples/zone-policy.rst:79 74742cf5724e4f2cb3049240b8b10f52
msgid "Zones Basics"
msgstr ""
#: ../../configexamples/zone-policy.rst:81 634e5b24c3f749cc9428984dd8206b28
msgid ""
"Each interface is assigned to a zone. Interfaces can be physical or virtual "
"(tunnels such as VPN, PPTP, GRE, etc.) and are treated exactly the same."
msgstr ""
#: ../../configexamples/zone-policy.rst:85 6224d85ed139427b8bec0f53015beeb3
msgid ""
"Traffic flows from zone A to zone B. That flow is what I refer to as a zone-"
"pair-direction, e.g. A->B and B->A are two distinct zone-pair-directions."
msgstr ""
#: ../../configexamples/zone-policy.rst:88 8cfb35f32511467cb39a75b1d6cd9548
msgid "Ruleset are created per zone-pair-direction."
msgstr ""
#: ../../configexamples/zone-policy.rst:90 ab2f3b9301084a50ac3c4342abfc2cfa
msgid ""
"I name rule sets to indicate which zone-pair-direction they represent. eg. "
"ZoneA-ZoneB or ZoneB-ZoneA. LAN-DMZ, DMZ-LAN."
msgstr ""
#: ../../configexamples/zone-policy.rst:93 c7c352c3ba8341ee9563ded10b507dd9
msgid ""
"In VyOS, you have to have unique ruleset names. In the event of overlap, I "
"add a \"-6\" to the end of v6 rulesets, e.g. LAN-DMZ, LAN-DMZ-6. This allows "
"for easy auto-completion and uniqueness."
msgstr ""
#: ../../configexamples/zone-policy.rst:97 c0ee89a6de5b40e8b7b1f41327938ce7
msgid ""
"In this example we have 4 zones. LAN, WAN, DMZ, Local. The local zone is the"
" firewall itself."
msgstr ""
#: ../../configexamples/zone-policy.rst:100 25d67004a0b34f2d80fe07eb586b31eb
msgid ""
"If your computer is on the LAN and you need to SSH into your VyOS box, you "
"would need a rule to allow it in the LAN-Local ruleset. If you want to "
"access a webpage from your VyOS box, you need a rule to allow it in the "
"Local-LAN ruleset."
msgstr ""
#: ../../configexamples/zone-policy.rst:105 074031ebe23742cf9ab553c1d3c89851
msgid ""
"In rules, it is good to keep them named consistently. As the number of rules"
" you have grows, the more consistency you have, the easier your life will "
"be."
msgstr ""
#: ../../configexamples/zone-policy.rst:123 36212be96d234f809e3aa0635b224e23
msgid ""
"The first two rules are to deal with the idiosyncrasies of VyOS and "
"iptables."
msgstr ""
#: ../../configexamples/zone-policy.rst:126 cdaf927567ba470a843b6daed8e148a5
msgid ""
"Zones and Rulesets both have a default action statement. When using Zone-"
"Policies, the default action is set by the zone-policy statement and is "
"represented by rule 10000."
msgstr ""
#: ../../configexamples/zone-policy.rst:130 b923769f3fa648cabd265468da6f0ed8
msgid ""
"It is good practice to log both accepted and denied traffic. It can save you"
" significant headaches when trying to troubleshoot a connectivity issue."
msgstr ""
#: ../../configexamples/zone-policy.rst:134 8cdbfa157d0c40c5aaa5ce98e2e10eba
msgid "To add logging to the default rule, do:"
msgstr ""
#: ../../configexamples/zone-policy.rst:141 8370b1669e3244a6a370ab9344a5e114
msgid ""
"By default, iptables does not allow traffic for established sessions to "
"return, so you must explicitly allow this. I do this by adding two rules to "
"every ruleset. Rule 1 accepts packets in the established and related states "
"and rule 2 drops and logs packets in the invalid state. The "
"established/related rule goes at the top because the vast majority of "
"traffic on a network belongs to established sessions, and the invalid rule "
"comes next so that invalid-state packets are not mistakenly matched against "
"later rules. Return traffic for a LAN-to-DMZ session is evaluated by the "
"DMZ-LAN ruleset, which is why the rule belongs in every ruleset and not only "
"in the initiating direction. Having the most matched rule listed first "
"reduces CPU load in high volume environments. Note: I have filed a bug to "
"have this added as a default action as well."
msgstr ""
#: ../../configexamples/zone-policy.rst:152 b98728b4c0444251a8ddd9aae0061313
msgid ""
"It is important to note that you do not want to add logging to the "
"established state rule, as you will be logging both the inbound and outbound "
"packets for each session instead of just the initiation of the session. Your"
" logs will be massive in a very short period of time."
msgstr ""
#: ../../configexamples/zone-policy.rst:157 5731588a00a1445aae957e1dfca6f6a9
msgid ""
"In VyOS the interfaces must exist before you can assign them to a zone, and "
"the rulesets must exist before you can reference them from a zone-policy."
msgstr ""
#: ../../configexamples/zone-policy.rst:161 214fa70e97f947ecb6bcb6ee8a95f7d7
msgid ""
"I create/configure the interfaces first. Build out the rulesets for each "
"zone-pair-direction which includes at least the three state rules. Then I "
"setup the zone-policies."
msgstr ""
#: ../../configexamples/zone-policy.rst:165 ff4bfdb0fea6403bbb05ec6ea9fa65b7
msgid ""
"A zone's default action cannot be accept; it must be drop or reject. It is "
"important to remember this because once you assign an interface to a zone "
"and commit, any traffic not permitted by a ruleset, including active "
"connections, will be dropped. Specifically, if you are SSH’d into VyOS and "
"add the local zone or the interface you are connecting through to a zone "
"without rulesets in place to allow SSH and established sessions, you will "
"lock yourself out."
msgstr ""
#: ../../configexamples/zone-policy.rst:172 217de4fa5abe448d8c381c002f97e539
msgid ""
"The following are the rules that were created for this example (may not be "
"complete), both in IPv4 and IPv6. If there is no IP specified, then the "
"source/destination address is not explicit."
msgstr ""
#: ../../configexamples/zone-policy.rst:226 68c0c6d0b20b468f99608f851ae72f5f
msgid "Since we have 4 zones, we need to setup the following rulesets."
msgstr ""
#: ../../configexamples/zone-policy.rst:243 5b84e1b04a934648956fa3d46c7d7ab3
msgid ""
"Even if the two zones will never communicate, it is a good idea to create "
"the zone-pair-direction rulesets and set enable-default-log. This will allow"
" you to log attempts to access the networks. Without it, you will never see "
"the connection attempts."
msgstr ""
#: ../../configexamples/zone-policy.rst:248 633e0ef63aa44eb68b1f92674e715140
msgid "This is an example of the three base rules."
msgstr ""
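As an added example (my own, not the code block of the original page), the three base rules for one zone-pair-direction in the ``firewall name`` / ``firewall ipv6-name`` syntax the page refers to, followed by one explicit allow so the ordering is visible. Ruleset names LAN-DMZ and LAN-DMZ-6 follow the page's naming convention; the rule numbers and the choice of ports are mine.

```vyos
# IPv4 ruleset for traffic sourced from LAN, destined for DMZ.
# The default action is drop and is logged (rendered as rule 10000).
set firewall name LAN-DMZ default-action 'drop'
set firewall name LAN-DMZ enable-default-log
# Rule 1: accept established/related. Deliberately no 'log' here, or every
# packet of every session gets logged instead of only the session start.
set firewall name LAN-DMZ rule 1 action 'accept'
set firewall name LAN-DMZ rule 1 state established 'enable'
set firewall name LAN-DMZ rule 1 state related 'enable'
# Rule 2: drop and log invalid-state packets before any later rule sees them.
set firewall name LAN-DMZ rule 2 action 'drop'
set firewall name LAN-DMZ rule 2 log 'enable'
set firewall name LAN-DMZ rule 2 state invalid 'enable'
# An explicit allow that follows the base rules: LAN to the DMZ web server
# (192.168.200.200 is the DMZ server from the page's topology).
set firewall name LAN-DMZ rule 100 action 'accept'
set firewall name LAN-DMZ rule 100 protocol 'tcp'
set firewall name LAN-DMZ rule 100 destination address '192.168.200.200'
set firewall name LAN-DMZ rule 100 destination port '80,443'
set firewall name LAN-DMZ rule 100 log 'enable'

# The same three base rules for IPv6, with the "-6" suffix to keep the name unique.
set firewall ipv6-name LAN-DMZ-6 default-action 'drop'
set firewall ipv6-name LAN-DMZ-6 enable-default-log
set firewall ipv6-name LAN-DMZ-6 rule 1 action 'accept'
set firewall ipv6-name LAN-DMZ-6 rule 1 state established 'enable'
set firewall ipv6-name LAN-DMZ-6 rule 1 state related 'enable'
set firewall ipv6-name LAN-DMZ-6 rule 2 action 'drop'
set firewall ipv6-name LAN-DMZ-6 rule 2 log 'enable'
set firewall ipv6-name LAN-DMZ-6 rule 2 state invalid 'enable'
```

Commit these rulesets before referencing them from a zone; ``show firewall name LAN-DMZ`` in operational mode shows the rendered rules, including the default-action rule 10000, and whether rule 100 is counting matches.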
#: ../../configexamples/zone-policy.rst:272 617108f6e8a04def8d089d3373c5fdc4
msgid "Here is an example of an IPv6 DMZ-WAN ruleset."
msgstr ""
#: ../../configexamples/zone-policy.rst:345 a17a13e6dca3416fb9c3d5fa95aff51b
msgid ""
"Once you have all of your rulesets built, then you need to create your zone-"
"policy."
msgstr ""
#: ../../configexamples/zone-policy.rst:348 2570cdfd598542d4ab4b7e38b8fb7d1e
msgid "Start by setting the interface and default action for each zone."
msgstr ""
#: ../../configexamples/zone-policy.rst:355 ac4dd0fd6ee24b81a3d208db070b0029
msgid ""
"In this case, we are setting the v6 ruleset that represents traffic sourced "
"from the LAN, destined for the DMZ. Because the zone-policy firewall syntax "
"is a little awkward, I keep it straight by thinking of it backwards."
msgstr ""
#: ../../configexamples/zone-policy.rst:364 ded641d51758415e9f0cf27ae1e9b3c4
msgid ""
"The ruleset attached under zone DMZ, from LAN, is LAN-DMZ, so the DMZ-LAN "
"policy statement carries the LAN-DMZ ruleset. You can get a rhythm to it "
"when you build out a bunch at one time."
msgstr ""
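The zone setup the page describes in two steps (setting the interface and default action for each zone, then attaching the rulesets per zone-pair-direction) as an added example in the ``firewall zone`` syntax the page refers to. This is my illustration, not the page's own config: the VLAN sub-interfaces eth0.10/eth0.20/eth0.30 are assumed from the router-on-a-stick description, and it presumes the named rulesets have already been committed.

```vyos
# Interfaces are assumed to be VLAN sub-interfaces of eth0 (router on a stick):
# eth0.10 = WAN, eth0.20 = LAN, eth0.30 = DMZ. A zone default action cannot be accept.
set firewall zone WAN default-action 'drop'
set firewall zone WAN interface 'eth0.10'
set firewall zone LAN default-action 'drop'
set firewall zone LAN interface 'eth0.20'
set firewall zone DMZ default-action 'drop'
set firewall zone DMZ interface 'eth0.30'
# The local zone is the router itself; it has no interface and is flagged instead.
set firewall zone Local default-action 'drop'
set firewall zone Local local-zone

# Read each line backwards: traffic arriving in zone DMZ *from* LAN is filtered
# by the LAN-DMZ rulesets. IPv4 and IPv6 rulesets attach separately.
set firewall zone DMZ from LAN firewall name 'LAN-DMZ'
set firewall zone DMZ from LAN firewall ipv6-name 'LAN-DMZ-6'
set firewall zone LAN from DMZ firewall name 'DMZ-LAN'
set firewall zone LAN from DMZ firewall ipv6-name 'DMZ-LAN-6'
# Remaining pairs (IPv6 attachments omitted here for brevity; they follow the same pattern).
set firewall zone DMZ from WAN firewall name 'WAN-DMZ'
set firewall zone WAN from DMZ firewall name 'DMZ-WAN'
set firewall zone WAN from LAN firewall name 'LAN-WAN'
set firewall zone LAN from WAN firewall name 'WAN-LAN'
# The admin console's SSH into VyOS is LAN-Local; the router's own traffic
# towards the LAN is Local-LAN. These are the ones that can lock you out.
set firewall zone Local from LAN firewall name 'LAN-Local'
set firewall zone LAN from Local firewall name 'Local-LAN'
set firewall zone Local from WAN firewall name 'WAN-Local'
set firewall zone WAN from Local firewall name 'Local-WAN'
set firewall zone Local from DMZ firewall name 'DMZ-Local'
set firewall zone DMZ from Local firewall name 'Local-DMZ'
```

Apply the Local zone lines in a session that is committed with ``commit-confirm`` rather than ``commit``: if the LAN-Local ruleset turns out not to permit SSH plus established traffic, the change rolls back automatically when you fail to confirm it, instead of leaving the router unreachable.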
#: ../../configexamples/zone-policy.rst:367 f3adf536211a4f12817bf30695b1b65f
msgid ""
"In the end, you will end up with something like this config. I took out "
"everything but the Firewall, Interfaces, and zone-policy sections. It is "
"long enough as is."
msgstr ""
#: ../../configexamples/zone-policy.rst:373 d4a2cf9526ec4602822a592145060277
msgid "IPv6 Tunnel"
msgstr ""
#: ../../configexamples/zone-policy.rst:375 44a092c185cb4956b7b4bec83f6da9b6
msgid ""
"If you are using an IPv6 tunnel from HE.net or someone else, the basis is "
"the same except you have two WAN interfaces. One for v4 and one for v6."
msgstr ""
#: ../../configexamples/zone-policy.rst:378 a9091d4fcd5b424088a2352f008d5947
msgid ""
"You would have 5 zones instead of just 4 and you would configure your v6 "
"ruleset between your tunnel interface and your LAN/DMZ zones instead of to "
"the WAN."
msgstr ""
#: ../../configexamples/zone-policy.rst:382 eb7fd578bb60426f8d96fd0016a0d005
msgid "LAN, WAN, DMZ, local and TUN (tunnel)"
msgstr ""
#: ../../configexamples/zone-policy.rst:384 c4c7ca9af6244fcf9b0b9ff4ad49cd10
msgid "v6 pairs would be:"
msgstr ""
#: ../../configexamples/zone-policy.rst:401 28572036af8b4fd4b48436a393b06d90
msgid "Notice that none of the pairs involve WAN, since in this setup the WAN interface has no IPv6 address."
msgstr ""
#: ../../configexamples/zone-policy.rst:403 0c5f292540b24741a12114027008fe61
msgid ""
"You would have to add a couple of rules to your WAN-Local ruleset to allow "
"protocol 41 (6in4 tunnel encapsulation) in from the tunnel endpoint."
msgstr ""
#: ../../configexamples/zone-policy.rst:406 36b65f4c07e644a7b2d18c4ca8639c83
msgid "Something like:"
msgstr ""
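An added example of the protocol 41 rules (mine, not the code block from the original page). The tunnel server address 203.0.113.1 is an assumed placeholder from the documentation range; the rule number is also my choice. Pinning the source to the broker's endpoint matters: an unrestricted protocol 41 accept would let any host on the internet inject encapsulated IPv6 at the router.

```vyos
# WAN-Local: let the broker's 6in4 (IP protocol 41) packets reach the router.
# 203.0.113.1 stands in for the tunnel server's IPv4 address (assumed value).
set firewall name WAN-Local rule 30 action 'accept'
set firewall name WAN-Local rule 30 description 'HE.net 6in4 from tunnel server'
set firewall name WAN-Local rule 30 protocol '41'
set firewall name WAN-Local rule 30 source address '203.0.113.1'
# Local-WAN: the router's own encapsulated packets out to the same endpoint.
# Needed because the Local-WAN ruleset is default drop as well, so the first
# outbound packet of the tunnel is not matched by the established/related rule.
set firewall name Local-WAN rule 30 action 'accept'
set firewall name Local-WAN rule 30 description 'HE.net 6in4 to tunnel server'
set firewall name Local-WAN rule 30 protocol '41'
set firewall name Local-WAN rule 30 destination address '203.0.113.1'
```

The IPv6 traffic carried inside the tunnel is filtered separately by the TUN-LAN/LAN-TUN and TUN-DMZ/DMZ-TUN rulesets described above; these two rules only admit the outer IPv4 encapsulation.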