path: root/docs/configuration/firewall/groups.rst
blob: fa32b98e65c94192d83be741cb43f43fbc4585cd (plain)
:lastproofread: 2024-07-03

.. _firewall-groups-configuration:

###############
Firewall groups
###############

*************
Configuration
*************

Firewall groups represent collections of IP addresses, networks, ports,
MAC addresses, domains or interfaces. Once created, a group can be referenced
by firewall, NAT and policy-route rules as either a source or destination
matcher, and/or as the inbound/outbound interface in the case of an interface
group.

Address Groups
==============

In an **address group** a single IP address or IP address range is defined.

.. cfgcmd:: set firewall group address-group <name> address [address |
   address range]
.. cfgcmd:: set firewall group ipv6-address-group <name> address <address>

   Define an IPv4 or an IPv6 address group.

   .. code-block:: none

      set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1
      set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8
      set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1

.. cfgcmd:: set firewall group address-group <name> description <text>
.. cfgcmd:: set firewall group ipv6-address-group <name> description <text>

   Provide an IPv4 or IPv6 address group description.

Network Groups
==============

While **network groups** accept IP networks in CIDR notation, specific
IP addresses can be added as a 32-bit prefix. If you foresee the need
to add a mix of addresses and networks, then a network group is
recommended.

.. cfgcmd:: set firewall group network-group <name> network <CIDR>
.. cfgcmd:: set firewall group ipv6-network-group <name> network <CIDR>

   Define an IPv4 or IPv6 network group.

   .. code-block:: none

      set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24
      set firewall group network-group NET-INSIDE-v4 network 192.168.1.0/24
      set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64

.. cfgcmd:: set firewall group network-group <name> description <text>
.. cfgcmd:: set firewall group ipv6-network-group <name> description <text>

   Provide an IPv4 or IPv6 network group description.

Interface Groups
================

An **interface group** represents a collection of interfaces.

.. cfgcmd:: set firewall group interface-group <name> interface <text>

   Define an interface group. Wildcards are accepted too.

   .. code-block:: none

      set firewall group interface-group LAN interface bond1001
      set firewall group interface-group LAN interface eth3*

.. cfgcmd:: set firewall group interface-group <name> description <text>

   Provide an interface group description

Port Groups
===========

A **port group** represents only port numbers, not the protocol. Port
groups can be referenced for either TCP or UDP. It is recommended that
TCP and UDP groups are created separately to avoid accidentally
filtering unnecessary ports. Ranges of ports can be specified by using
`-`.

.. cfgcmd:: set firewall group port-group <name> port
   [portname | portnumber | startport-endport]

   Define a port group. A port name can be any name defined in
   /etc/services, e.g. http.

   .. code-block:: none

      set firewall group port-group PORT-TCP-SERVER1 port http
      set firewall group port-group PORT-TCP-SERVER1 port 443
      set firewall group port-group PORT-TCP-SERVER1 port 5000-5010

.. cfgcmd:: set firewall group port-group <name> description <text>

   Provide a port group description.

MAC Groups
==========

A **mac group** represents a collection of MAC addresses.

.. cfgcmd:: set firewall group mac-group <name> mac-address <mac-address>

   Define a mac group.

   .. code-block:: none

      set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f
      set firewall group mac-group MAC-G01 mac-address 4c:d5:77:c0:19:81

.. cfgcmd:: set firewall group mac-group <name> description <text>

   Provide a mac group description.

Domain Groups
=============

A **domain group** represents a collection of domains.

.. cfgcmd:: set firewall group domain-group <name> address <domain>

   Define a domain group.

   .. code-block:: none

      set firewall group domain-group DOM address example.com

.. cfgcmd:: set firewall group domain-group <name> description <text>

   Provide a domain group description.
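The static group types above each accept a different kind of member (single
address or range, CIDR prefix, port name/number/range, interface name with a
trailing wildcard, MAC address, domain). The following lint is an added
example, not VyOS code: it parses the one-line ``set firewall group`` commands
shown in the sections above and checks each member against what its group type
implies, so that a mistake such as an IPv4 address in an ``ipv6-address-group``
or a host without a prefix in a ``network-group`` is caught before a commit.
The member rules are this example's reading of the syntax lines above, not
VyOS's own validators, and ``KNOWN_SERVICES`` is a constructed stand-in for
``/etc/services`` so the script runs offline.

```python
"""Lint 'set firewall group ...' lines before committing them (added example)."""
import ipaddress
import re

# Constructed subset standing in for /etc/services; unknown names are reported.
KNOWN_SERVICES = {"http", "https", "ssh", "domain"}

CMD_RE = re.compile(r"^set firewall group (\S+) (\S+) (\S+) (.+)$")
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)
IFACE_RE = re.compile(r"^[\w.\-]+\*?$")          # wildcard only as a trailing '*'
DOMAIN_RE = re.compile(
    r"^(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.IGNORECASE)


def _check_address(value, version):
    """Single address or 'start-end' range of one IP family (address groups)."""
    parts = value.split("-")
    if len(parts) > 2:
        raise ValueError("malformed address range")
    addrs = [ipaddress.ip_address(p) for p in parts]   # ValueError if not an IP
    if any(a.version != version for a in addrs):
        raise ValueError(f"not an IPv{version} address")
    if len(addrs) == 2 and addrs[0] > addrs[1]:
        raise ValueError("range start is after range end")


def _check_network(value, version):
    """CIDR prefix of one IP family; a host needs an explicit /32 or /128."""
    if "/" not in value:
        raise ValueError("network groups take CIDR notation (use /32 or /128 for a host)")
    if ipaddress.ip_network(value, strict=False).version != version:
        raise ValueError(f"not an IPv{version} prefix")


def _check_port(value):
    """Service name, port number or 'start-end' range."""
    if value in KNOWN_SERVICES:
        return
    lo, _, hi = value.partition("-")
    nums = [int(p) for p in ([lo, hi] if hi else [lo])]   # ValueError if not numeric
    if any(not 1 <= n <= 65535 for n in nums):
        raise ValueError("port outside 1-65535")
    if hi and nums[0] >= nums[1]:
        raise ValueError("port range start must be below its end")


def _regex_check(pattern, message):
    def check(value):
        if not pattern.fullmatch(value):
            raise ValueError(message)
    return check


# (group type, member keyword) -> validator for the member value
CHECKS = {
    ("address-group", "address"): lambda v: _check_address(v, 4),
    ("ipv6-address-group", "address"): lambda v: _check_address(v, 6),
    ("network-group", "network"): lambda v: _check_network(v, 4),
    ("ipv6-network-group", "network"): lambda v: _check_network(v, 6),
    ("port-group", "port"): _check_port,
    ("interface-group", "interface"): _regex_check(IFACE_RE, "bad interface name"),
    ("mac-group", "mac-address"): _regex_check(MAC_RE, "bad MAC address"),
    ("domain-group", "address"): _regex_check(DOMAIN_RE, "bad domain name"),
}


def lint_groups(lines):
    """Return ({name: {'type': t, 'members': [...]}}, [(line, reason), ...])."""
    groups, errors = {}, []
    for line in lines:
        m = CMD_RE.match(line.strip())
        if not m:
            errors.append((line, "not a 'set firewall group' command"))
            continue
        gtype, name, keyword, value = m.groups()
        entry = groups.setdefault(name, {"type": gtype, "members": []})
        if keyword == "description":          # free text, nothing to validate
            continue
        check = CHECKS.get((gtype, keyword))
        if check is None:
            errors.append((line, f"unknown member keyword {keyword!r} for {gtype}"))
            continue
        try:
            check(value)
        except ValueError as exc:
            errors.append((line, str(exc)))
            continue
        entry["members"].append(value)
    return groups, errors


# Sample input: the commands from the sections above, plus constructed mistakes.
SAMPLE = [
    "set firewall group address-group ADR-INSIDE-v4 address 192.168.0.1",
    "set firewall group address-group ADR-INSIDE-v4 address 10.0.0.1-10.0.0.8",
    "set firewall group ipv6-address-group ADR-INSIDE-v6 address 2001:db8::1",
    "set firewall group network-group NET-INSIDE-v4 network 192.168.0.0/24",
    "set firewall group ipv6-network-group NET-INSIDE-v6 network 2001:db8::/64",
    "set firewall group interface-group LAN interface eth3*",
    "set firewall group port-group PORT-TCP-SERVER1 port http",
    "set firewall group port-group PORT-TCP-SERVER1 port 5000-5010",
    "set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6:4f",
    "set firewall group domain-group DOM address example.com",
    "set firewall group ipv6-address-group ADR-INSIDE-v6 address 192.0.2.7",   # wrong family
    "set firewall group network-group NET-INSIDE-v4 network 198.51.100.7",    # no prefix length
    "set firewall group port-group PORT-TCP-SERVER1 port 5010-5000",          # inverted range
    "set firewall group mac-group MAC-G01 mac-address 88:a4:c2:15:b6",        # five octets
]

if __name__ == "__main__":
    found, problems = lint_groups(SAMPLE)
    for line, reason in problems:
        print(f"{reason}: {line}")
```

Run it over the commands from ``show configuration commands | match 'firewall group'``
before a commit; the four constructed lines at the end of ``SAMPLE`` are the
ones it reports.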

Dynamic Groups
==============

Firewall dynamic groups differ from all the groups defined previously: not
only can they be used as source/destination in firewall rules, but their
members are not defined statically in the VyOS configuration.

Instead, members of these groups are added dynamically using firewall
rules.

Defining Dynamic Address Groups
-------------------------------

Dynamic address groups are supported for both the IPv4 and IPv6 families.
The commands used to define dynamic IPv4|IPv6 address groups are:

.. cfgcmd:: set firewall group dynamic-group address-group <name>
.. cfgcmd:: set firewall group dynamic-group ipv6-address-group <name>

Add description to firewall groups:

.. cfgcmd:: set firewall group dynamic-group address-group <name>
   description <text>
.. cfgcmd:: set firewall group dynamic-group ipv6-address-group <name>
   description <text>

Adding elements to Dynamic Firewall Groups
------------------------------------------

Once dynamic firewall groups are defined, they should be used in firewall
rules in order to dynamically add elements to them.

Commands used for this task are:

* Add destination IP address of the connection to a dynamic address group:

.. cfgcmd:: set firewall ipv4 [forward | input | output] filter rule
   <1-999999> add-address-to-group destination-address address-group <name>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> add-address-to-group
   destination-address address-group <name>
.. cfgcmd:: set firewall ipv6 [forward | input | output] filter rule
   <1-999999> add-address-to-group destination-address address-group <name>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> add-address-to-group
   destination-address address-group <name>

* Add source IP address of the connection to a dynamic address group:

.. cfgcmd:: set firewall ipv4 [forward | input | output] filter rule
   <1-999999> add-address-to-group source-address address-group <name>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> add-address-to-group
   source-address address-group <name>
.. cfgcmd:: set firewall ipv6 [forward | input | output] filter rule
   <1-999999> add-address-to-group source-address address-group <name>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> add-address-to-group
   source-address address-group <name>

Also, specific timeouts can be defined per rule. When a rule gets a hit,
the source or destination address is added to the group, and this
element remains in the group until the timeout expires. If no timeout
is defined, the element remains in the group until the next reboot,
or until a new commit that changes the firewall configuration is done.

.. cfgcmd:: set firewall ipv4 [forward | input | output] filter rule
   <1-999999> add-address-to-group [destination-address | source-address]
   timeout <timeout>
.. cfgcmd:: set firewall ipv4 name <name> rule <1-999999> add-address-to-group
   [destination-address | source-address] timeout <timeout>
.. cfgcmd:: set firewall ipv6 [forward | input | output] filter rule
   <1-999999> add-address-to-group [destination-address | source-address]
   timeout <timeout>
.. cfgcmd:: set firewall ipv6 name <name> rule <1-999999> add-address-to-group
   [destination-address | source-address] timeout <timeout>

Timeout can be defined using seconds, minutes, hours or days:

.. code-block:: none

   set firewall ipv6 name FOO rule 10 add-address-to-group source-address timeout
   Possible completions:
   <number>s            Timeout value in seconds
   <number>m            Timeout value in minutes
   <number>h            Timeout value in hours
   <number>d            Timeout value in days

Using Dynamic Firewall Groups
-----------------------------

As any other firewall group, dynamic firewall groups can be used in firewall
rules as matching options. For example:

.. code-block:: none

   set firewall ipv4 input filter rule 10 source group dynamic-address-group FOO
   set firewall ipv4 input filter rule 10 destination group dynamic-address-group BAR

********
Examples
********

General example
===============

As said before, once firewall groups are created, they can be referenced
in firewall, nat, nat66 and/or policy-route rules.

Here is an example where multiple groups are created:

   .. code-block:: none
      
      set firewall group address-group SERVERS address 198.51.100.101
      set firewall group address-group SERVERS address 198.51.100.102
      set firewall group network-group TRUSTEDv4 network 192.0.2.0/30
      set firewall group network-group TRUSTEDv4 network 203.0.113.128/25
      set firewall group ipv6-network-group TRUSTEDv6 network 2001:db8::/64
      set firewall group interface-group LAN interface eth2.2001
      set firewall group interface-group LAN interface bon0
      set firewall group port-group PORT-SERVERS port http
      set firewall group port-group PORT-SERVERS port 443
      set firewall group port-group PORT-SERVERS port 5000-5010

And next, some configuration example where groups are used:

   .. code-block:: none
      
      set firewall ipv4 output filter rule 10 action accept
      set firewall ipv4 output filter rule 10 outbound-interface group !LAN
      set firewall ipv4 forward filter rule 20 action accept
      set firewall ipv4 forward filter rule 20 source group network-group TRUSTEDv4
      set firewall ipv6 input filter rule 10 action accept
      set firewall ipv6 input filter rule 10 source group network-group TRUSTEDv6
      set nat destination rule 101 inbound-interface group LAN
      set nat destination rule 101 destination group address-group SERVERS
      set nat destination rule 101 protocol tcp
      set nat destination rule 101 destination group port-group PORT-SERVERS
      set nat destination rule 101 translation address 203.0.113.250
      set policy route PBR rule 201 destination group port-group PORT-SERVERS
      set policy route PBR rule 201 protocol tcp
      set policy route PBR rule 201 set table 15

Port knocking example
=====================

Using dynamic firewall groups, we can secure access to the router, or any other
device if needed, by using the technique of port knocking.

A 4-step port knocking example is shown next:

   .. code-block:: none

      set firewall global-options state-policy established action 'accept'
      set firewall global-options state-policy invalid action 'drop'
      set firewall global-options state-policy related action 'accept'
      set firewall group dynamic-group address-group ALLOWED
      set firewall group dynamic-group address-group PN_01
      set firewall group dynamic-group address-group PN_02
      set firewall ipv4 input filter default-action 'drop'
      set firewall ipv4 input filter rule 5 action 'accept'
      set firewall ipv4 input filter rule 5 protocol 'icmp'
      set firewall ipv4 input filter rule 10 action 'drop'
      set firewall ipv4 input filter rule 10 add-address-to-group source-address address-group 'PN_01'
      set firewall ipv4 input filter rule 10 add-address-to-group source-address timeout '2m'
      set firewall ipv4 input filter rule 10 description 'Port_nock 01'
      set firewall ipv4 input filter rule 10 destination port '9990'
      set firewall ipv4 input filter rule 10 protocol 'tcp'
      set firewall ipv4 input filter rule 20 action 'drop'
      set firewall ipv4 input filter rule 20 add-address-to-group source-address address-group 'PN_02'
      set firewall ipv4 input filter rule 20 add-address-to-group source-address timeout '3m'
      set firewall ipv4 input filter rule 20 description 'Port_nock 02'
      set firewall ipv4 input filter rule 20 destination port '9991'
      set firewall ipv4 input filter rule 20 protocol 'tcp'
      set firewall ipv4 input filter rule 20 source group dynamic-address-group 'PN_01'
      set firewall ipv4 input filter rule 30 action 'drop'
      set firewall ipv4 input filter rule 30 add-address-to-group source-address address-group 'ALLOWED'
      set firewall ipv4 input filter rule 30 add-address-to-group source-address timeout '2h'
      set firewall ipv4 input filter rule 30 description 'Port_nock 03'
      set firewall ipv4 input filter rule 30 destination port '9992'
      set firewall ipv4 input filter rule 30 protocol 'tcp'
      set firewall ipv4 input filter rule 30 source group dynamic-address-group 'PN_02'
      set firewall ipv4 input filter rule 99 action 'accept'
      set firewall ipv4 input filter rule 99 description 'Port_nock 04 - Allow ssh'
      set firewall ipv4 input filter rule 99 destination port '22'
      set firewall ipv4 input filter rule 99 protocol 'tcp'
      set firewall ipv4 input filter rule 99 source group dynamic-address-group 'ALLOWED'

Before testing, we can check the members of firewall groups:

   .. code-block:: none

      vyos@vyos# run show firewall group
      Firewall Groups

      Name     Type                    References            Members        Timeout    Expires
      -------  ----------------------  --------------------  -------------  ---------  ---------
      ALLOWED  address_group(dynamic)  ipv4-input-filter-30  N/D            N/D        N/D
      PN_01    address_group(dynamic)  ipv4-input-filter-10  N/D            N/D        N/D
      PN_02    address_group(dynamic)  ipv4-input-filter-20  N/D            N/D        N/D
      [edit]
      vyos@vyos#

With this configuration, in order to get ssh access to the router, the user
needs to:

1. Generate a new TCP connection with destination port 9990. As shown next,
   a new entry was added to dynamic firewall group **PN_01**.

   .. code-block:: none

      vyos@vyos# run show firewall group
      Firewall Groups

      Name     Type                    References            Members        Timeout    Expires
      -------  ----------------------  --------------------  -------------  ---------  ---------
      ALLOWED  address_group(dynamic)  ipv4-input-filter-30  N/D            N/D        N/D
      PN_01    address_group(dynamic)  ipv4-input-filter-10  192.168.89.31  120        119
      PN_02    address_group(dynamic)  ipv4-input-filter-20  N/D            N/D        N/D
      [edit]
      vyos@vyos#

2. Generate a new TCP connection with destination port 9991. As shown next,
   a new entry was added to dynamic firewall group **PN_02**.

   .. code-block:: none

      vyos@vyos# run show firewall group
      Firewall Groups

      Name     Type                    References            Members        Timeout    Expires
      -------  ----------------------  --------------------  -------------  ---------  ---------
      ALLOWED  address_group(dynamic)  ipv4-input-filter-30  N/D            N/D        N/D
      PN_01    address_group(dynamic)  ipv4-input-filter-10  192.168.89.31  120        106
      PN_02    address_group(dynamic)  ipv4-input-filter-20  192.168.89.31  180        179
      [edit]
      vyos@vyos#

3. Generate a new TCP connection with destination port 9992. As shown next,
   a new entry was added to dynamic firewall group **ALLOWED**.

   .. code-block:: none

      vyos@vyos# run show firewall group
      Firewall Groups

      Name     Type                    References            Members        Timeout    Expires
      -------  ----------------------  --------------------  -------------  ---------  ---------
      ALLOWED  address_group(dynamic)  ipv4-input-filter-30  192.168.89.31       7200       7199
      PN_01    address_group(dynamic)  ipv4-input-filter-10  192.168.89.31        120         89
      PN_02    address_group(dynamic)  ipv4-input-filter-20  192.168.89.31        180        170
      [edit]
      vyos@vyos#

4. Now the user can connect through ssh to the router (assuming ssh is configured).
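The steps above depend on two properties of dynamic groups: a knock only counts
if the source is already in the group filled by the previous knock, and each
membership expires after the rule's timeout (``2m``, ``3m``, ``2h``, which the
``show firewall group`` output above reports as 120, 180 and 7200 seconds). The
following is an added example, not VyOS code: it re-expresses the
``ipv4 input filter`` rules of the port knocking example as Python data and
replays new-connection attempts against them, so the ordering and expiry
behaviour can be checked without a router. It covers the ``timeout``
completions (``s``/``m``/``h``/``d``) from the Dynamic Groups section as well.
The ``established``/``related`` state policy is left out, every event is a new
connection, and the client address is constructed.

```python
"""Offline model of the port-knocking rule set above (added example, not VyOS code)."""
import re
from dataclasses import dataclass
from typing import Optional

# Units from the 'timeout' completions: <number>s|m|h|d.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_timeout(text: str) -> int:
    """Convert a VyOS timeout such as '2m' to seconds (120)."""
    m = re.fullmatch(r"(\d+)([smhd])", text)
    if not m:
        raise ValueError(f"bad timeout {text!r}; expected <number>s|m|h|d")
    return int(m.group(1)) * UNITS[m.group(2)]


@dataclass
class Rule:
    number: int
    action: str
    protocol: Optional[str] = None
    dport: Optional[int] = None
    source_group: Optional[str] = None   # source must already be a member
    add_to_group: Optional[str] = None   # on a hit, add the source here
    timeout: Optional[int] = None        # seconds; None = until reboot/commit


@dataclass
class Packet:
    src: str
    proto: str
    dport: Optional[int] = None


_ABSENT = object()


class DynamicGroups:
    """Members of dynamic address groups with a per-entry expiry time."""

    def __init__(self):
        self._members = {}  # group -> {address: expiry time or None}

    def add(self, group, addr, now, timeout):
        self._members.setdefault(group, {})[addr] = None if timeout is None else now + timeout

    def contains(self, group, addr, now):
        expires = self._members.get(group, {}).get(addr, _ABSENT)
        if expires is _ABSENT:
            return False
        if expires is not None and now >= expires:
            del self._members[group][addr]   # lazy expiry, as the timer would do
            return False
        return True

    def remaining(self, group, addr, now):
        """Seconds left, like the 'Expires' column of 'show firewall group'."""
        expires = self._members[group][addr]
        return None if expires is None else expires - now


def evaluate(rules, default_action, groups, pkt, now):
    """First matching rule wins; a hit may add the source to a dynamic group."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol is not None and pkt.proto != rule.protocol:
            continue
        if rule.dport is not None and pkt.dport != rule.dport:
            continue
        if rule.source_group and not groups.contains(rule.source_group, pkt.src, now):
            continue
        if rule.add_to_group:
            groups.add(rule.add_to_group, pkt.src, now, rule.timeout)
        return rule.action
    return default_action


# The example's 'ipv4 input filter' chain: same rule numbers, ports and timeouts.
RULES = [
    Rule(5, "accept", protocol="icmp"),
    Rule(10, "drop", "tcp", 9990, add_to_group="PN_01", timeout=parse_timeout("2m")),
    Rule(20, "drop", "tcp", 9991, source_group="PN_01", add_to_group="PN_02", timeout=parse_timeout("3m")),
    Rule(30, "drop", "tcp", 9992, source_group="PN_02", add_to_group="ALLOWED", timeout=parse_timeout("2h")),
    Rule(99, "accept", "tcp", 22, source_group="ALLOWED"),
]


def simulate(events, rules=RULES, default_action="drop"):
    """Replay (time, src, proto, dport) events; return verdicts and final state."""
    groups = DynamicGroups()
    verdicts = [evaluate(rules, default_action, groups, Packet(src, proto, dport), t)
                for t, src, proto, dport in events]
    return verdicts, groups


if __name__ == "__main__":
    client = "192.0.2.10"   # constructed client address
    verdicts, state = simulate([
        (0, client, "tcp", 22),    # before knocking: dropped
        (1, client, "tcp", 9990),
        (2, client, "tcp", 9991),
        (3, client, "tcp", 9992),
        (4, client, "tcp", 22),    # now accepted
    ])
    print(verdicts, state.remaining("ALLOWED", client, 4))
```

The in-order replay reproduces the tables above (``ALLOWED`` shows 7199
seconds left one second after the third knock); a client that starts at 9991,
or whose ``PN_01`` entry has expired before the second knock, never reaches
``ALLOWED`` and keeps getting the default ``drop`` on port 22.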

**************
Operation-mode
**************

.. opcmd:: show firewall group
.. opcmd:: show firewall group <name>

   Overview of defined groups. You see the firewall group name, type,
   references (where the group is used), members, timeout and expiration (last
   two only present in dynamic firewall groups).

Here is an example of such a command:

   .. code-block:: none

      vyos@vyos:~$ show firewall group
      Firewall Groups

      Name          Type                    References              Members             Timeout    Expires
      ------------  ----------------------  ----------------------  ----------------  ---------  ---------
      SERVERS       address_group           nat-destination-101     198.51.100.101
                                                                    198.51.100.102
      ALLOWED       address_group(dynamic)  ipv4-input-filter-30    192.168.77.39          7200       7174
      PN_01         address_group(dynamic)  ipv4-input-filter-10    192.168.0.245           120        112
                                                                    192.168.77.39           120         85
      PN_02         address_group(dynamic)  ipv4-input-filter-20    192.168.77.39           180        151
      LAN           interface_group         ipv4-output-filter-10   bon0
                                            nat-destination-101     eth2.2001
      TRUSTEDv6     ipv6_network_group      ipv6-input-filter-10    2001:db8::/64
      TRUSTEDv4     network_group           ipv4-forward-filter-20  192.0.2.0/30
                                                                    203.0.113.128/25
      PORT-SERVERS  port_group              route-PBR-201           443
                                            route-PBR-201           5000-5010
                                            nat-destination-101     http
      vyos@vyos:~$