:lastproofread: 2024-08-05

########
Firewall
########

As VyOS is based on Linux, it uses the Linux kernel firewall. The Netfilter
project created iptables and its successor nftables for the Linux kernel to
operate directly on packet flows. This extends the concept of zone-based
security: a packet can be inspected and manipulated at several stages after
the network interface and its driver have accepted it, and before it is handed
off to its destination (e.g., a web server, or another device).

A simplified traffic flow diagram, based on the Netfilter packet flow, is shown
next. It gives a full view of how packets are processed and of the possible
paths traffic can take.

.. figure:: /_static/images/firewall-gral-packet-flow.png

The main points regarding this packet flow and terminology used in VyOS 
firewall are covered below:

   * **Bridge Port?**: choose the appropriate path based on whether the
     interface where the packet was received is part of a bridge, or not.

If the interface where the packet was received isn't part of a bridge, then
the packet is processed at the **IP Layer**:

   * **Prerouting**: all packets that are received by the router
     are processed in this stage, regardless of the destination of the packet.
     Starting from vyos-1.5-rolling-202406120020, a dedicated section for this
     stage exists in the firewall configuration. Several actions can be taken
     in this stage, and some of them are still defined in other parts of the
     VyOS configuration. Order is important; the configuration that acts in
     this stage is processed in the following sequence:

      * **Firewall prerouting**: rules defined under ``set firewall [ipv4 |
        ipv6] prerouting raw ...``. All rules defined in this section are
        processed before the connection tracking subsystem.

      * **Conntrack Ignore**: rules defined under ``set system conntrack ignore
        [ipv4 | ipv6] ...``. Starting from vyos-1.5-rolling-202406120020, what
        was configured in this section can be configured under ``set firewall
        [ipv4 | ipv6] prerouting raw ...`` instead. For compatibility reasons,
        this feature is still present, but it will be removed in the future.

      * **Policy Route**: rules defined under ``set policy [route | route6]
        ...``.

      * **Destination NAT**: rules defined under ``set [nat | nat66]
        destination...``.

   * **Destination is the router?**: choose the appropriate path based on the
     destination IP address. Transit traffic continues to **forward**, while
     traffic whose destination IP address is configured on the router
     continues to **input**. Because this decision is taken after destination
     NAT, a packet that was DNATed to an internal host is filtered in
     **forward**, not in **input**.

   * **Input**: stage where traffic destined for the router itself can be
     filtered and controlled. This is where all rules for securing the router
     should take place. This includes ipv4 and ipv6 filtering rules, defined
     in:

     * ``set firewall ipv4 input filter ...``.

     * ``set firewall ipv6 input filter ...``.

   * **Forward**: stage where transit traffic can be filtered and controlled.
     This includes ipv4 and ipv6 filtering rules, defined in:

     * ``set firewall ipv4 forward filter ...``.

     * ``set firewall ipv6 forward filter ...``.

   * **Output**: stage where traffic that originates from the router itself
     can be filtered and controlled. Bear in mind that this traffic can be a
     new connection originated by an internal process running on the VyOS
     router, such as NTP, or a response to traffic received externally through
     **input** (for example, the response to an ssh login attempt to the
     router). This includes ipv4 and ipv6 rules, and two different sections
     are present:

     * **Output Raw**: ``set firewall [ipv4 | ipv6] output raw ...``.
       As with **Firewall prerouting**, rules defined in this section are
       processed before the connection tracking subsystem.

     * **Output Filter**: ``set firewall [ipv4 | ipv6] output filter ...``.

   * **Postrouting**: as in **Prerouting**, several actions defined in
     different parts of the VyOS configuration are performed in this
     stage. This includes:

     * **Source NAT**: rules defined under ``set [nat | nat66]
       source ...``. Source translation happens after the **output** and
       **forward** filters, so those filters see the original source address.

If the interface where the packet was received is part of a bridge, then 
the packet is processed at the **Bridge Layer**:

   * **Prerouting (Bridge)**: all packets that are received by the bridge are
     processed in this stage, regardless of the destination of the packet.
     First filters can be applied here, as can rules that bypass the
     connection tracking system. The relevant configuration that acts in this
     stage is:

     * ``set firewall bridge prerouting filter ...``.

   * **Forward (Bridge)**: stage where traffic that traverses the bridge is
     filtered and controlled:

     * ``set firewall bridge forward filter ...``.

   * **Input (Bridge)**: stage where traffic destined for the bridge itself can
     be filtered and controlled:

     * ``set firewall bridge input filter ...``.

   * **Output (Bridge)**: stage where traffic that originates from the bridge
     itself can be filtered and controlled:

     * ``set firewall bridge output filter ...``.

The main structure of the VyOS firewall CLI is shown next:

.. code-block:: none

   - set firewall
       * bridge
            - forward
               + filter
            - input
               + filter
            - output
               + filter
            - prerouting
               + filter
            - name
               + custom_name
       * flowtable
            - custom_flow_table
               + ...
       * global-options
            + all-ping
            + broadcast-ping
            + ...
       * group
            - address-group
            - ipv6-address-group
            - network-group
            - ipv6-network-group
            - interface-group
            - mac-group
            - port-group
            - domain-group
       * ipv4
            - forward
               + filter
            - input
               + filter
            - output
               + filter
               + raw
            - prerouting
               + raw
            - name
               + custom_name
       * ipv6
            - forward
               + filter
            - input
               + filter
            - output
               + filter
               + raw
            - prerouting
               + raw
            - ipv6-name
               + custom_name
       * zone
            - custom_zone_name
               + ...
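
To make the mapping from packet-flow stage to CLI section concrete, the
following ruleset is an added example written for this page; it is not a
configuration shipped with or generated by VyOS. The interface roles (WAN on
``eth0``, LAN on ``eth1`` with ``192.168.1.1``), the LAN prefix
``192.168.1.0/24`` and the internal web server ``192.168.1.10`` are
assumptions. It uses the 1.5 rolling form of the state match
(``state 'established'``); on 1.4 the same match is written ``state
established enable``. The ``notrack`` action in the raw chain, and the use of
the usual match keywords there, are assumed for this release; confirm them with
tab completion before relying on them.

```vyos
# Constructed example. Interfaces: eth0 = WAN, eth1 = LAN (192.168.1.1).
# LAN prefix 192.168.1.0/24 and web server 192.168.1.10 are assumptions.

# Groups: keep the address and port literals in one place.
set firewall group network-group LAN network '192.168.1.0/24'
set firewall group port-group MGMT port '22'

# --- Prerouting (raw): runs before conntrack and before DNAT, so it matches
# the original destination. Skip connection tracking for DNS queries from the
# LAN to the router's own resolver (replaces 'system conntrack ignore').
# Untracked packets never match 'state established', so input rule 40 below
# accepts them explicitly.
set firewall ipv4 prerouting raw rule 10 action 'notrack'
set firewall ipv4 prerouting raw rule 10 protocol 'udp'
set firewall ipv4 prerouting raw rule 10 source group network-group 'LAN'
set firewall ipv4 prerouting raw rule 10 destination address '192.168.1.1'
set firewall ipv4 prerouting raw rule 10 destination port '53'

# --- Prerouting (DNAT): publish the internal web server. Packets hitting this
# rule are forwarded, not delivered locally, so they are filtered in 'forward'.
set nat destination rule 10 inbound-interface name 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 destination port '443'
set nat destination rule 10 translation address '192.168.1.10'

# --- Input: protect the router itself. Drop by default and log the drops.
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter enable-default-log
set firewall ipv4 input filter rule 5 action 'drop'
set firewall ipv4 input filter rule 5 state 'invalid'
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 state 'established'
set firewall ipv4 input filter rule 10 state 'related'
set firewall ipv4 input filter rule 20 action 'accept'
set firewall ipv4 input filter rule 20 protocol 'icmp'
# Management only from the LAN segment, on the LAN interface.
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 protocol 'tcp'
set firewall ipv4 input filter rule 30 inbound-interface name 'eth1'
set firewall ipv4 input filter rule 30 source group network-group 'LAN'
set firewall ipv4 input filter rule 30 destination group port-group 'MGMT'
# Explicit accept for the untracked DNS queries from raw rule 10.
set firewall ipv4 input filter rule 40 action 'accept'
set firewall ipv4 input filter rule 40 protocol 'udp'
set firewall ipv4 input filter rule 40 source group network-group 'LAN'
set firewall ipv4 input filter rule 40 destination port '53'

# --- Forward: transit traffic. Rule 30 matches the post-DNAT destination
# 192.168.1.10, not the public address the client actually sent to.
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter enable-default-log
set firewall ipv4 forward filter rule 5 action 'drop'
set firewall ipv4 forward filter rule 5 state 'invalid'
set firewall ipv4 forward filter rule 10 action 'accept'
set firewall ipv4 forward filter rule 10 state 'established'
set firewall ipv4 forward filter rule 10 state 'related'
set firewall ipv4 forward filter rule 20 action 'accept'
set firewall ipv4 forward filter rule 20 inbound-interface name 'eth1'
set firewall ipv4 forward filter rule 20 outbound-interface name 'eth0'
set firewall ipv4 forward filter rule 30 action 'accept'
set firewall ipv4 forward filter rule 30 inbound-interface name 'eth0'
set firewall ipv4 forward filter rule 30 protocol 'tcp'
set firewall ipv4 forward filter rule 30 destination address '192.168.1.10'
set firewall ipv4 forward filter rule 30 destination port '443'

# --- Postrouting (SNAT): masquerade LAN traffic leaving eth0. The forward
# filter above already ran on the private, pre-SNAT source address.
set nat source rule 10 outbound-interface name 'eth0'
set nat source rule 10 source address '192.168.1.0/24'
set nat source rule 10 translation address 'masquerade'
```

Two points this ruleset is meant to show. First, the order of the prerouting
stage: raw rules see the original destination, DNAT rewrites it, and only then
is the input/forward decision taken, which is why the published web server is
accepted in ``forward`` with its internal address. Second, bypassing conntrack
is not free: a flow marked ``notrack`` has no state, so the usual
``established``/``related`` rule will not accept its packets and each
direction needs an explicit match (and, because NAT depends on conntrack,
untracked flows are never translated).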

Please refer to the appropriate section for more information about firewall
configuration:

.. toctree::
   :maxdepth: 1
   :includehidden:

   global-options
   groups
   bridge
   ipv4
   ipv6
   flowtables

.. note:: **For more information**
   on Netfilter hooks and Linux networking packet flows, see
   `Netfilter-Hooks
   <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_


Zone-based firewall
^^^^^^^^^^^^^^^^^^^
.. toctree::
   :maxdepth: 1
   :includehidden:

   zone

Zone-based firewalls introduced an additional concept: besides the standard
inbound and outbound traffic flows, a local flow was added for traffic
originating from, or destined to, the router itself. This means that extra
rules are required to secure the firewall itself from the network, in addition
to the inbound and outbound rules of the traditional concept described above.

To configure VyOS with a zone-based firewall, see the
:doc:`zone-based firewall configuration </configuration/firewall/zone>` page.

As the example image below shows, the device now needs rules to allow or block
traffic to and from the services running on the device itself that are
listening on that interface.

.. figure:: /_static/images/firewall-zonebased.png
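
The following zone configuration is an added example for this page, not part
of the VyOS project's documentation or default configuration. It assumes a WAN
zone on ``eth0`` and a LAN zone on ``eth1``; the zone names, rule-set names
and the choice of SSH as the only management service are assumptions. The
state match uses the 1.5 rolling form (``state 'established'``); on 1.4 write
``state established enable``.

```vyos
# Constructed example: eth0 = WAN, eth1 = LAN; the LOCAL zone is the router.
set firewall zone WAN interface 'eth0'
set firewall zone LAN interface 'eth1'
set firewall zone LOCAL local-zone

# Traffic between a zone pair that has no policy is dropped.
set firewall zone WAN default-action 'drop'
set firewall zone LAN default-action 'drop'
set firewall zone LOCAL default-action 'drop'

# Rule sets referenced from the zone pairs below.
# From the Internet to the router: only replies and ICMP.
set firewall ipv4 name WAN-to-LOCAL default-action 'drop'
set firewall ipv4 name WAN-to-LOCAL rule 10 action 'accept'
set firewall ipv4 name WAN-to-LOCAL rule 10 state 'established'
set firewall ipv4 name WAN-to-LOCAL rule 10 state 'related'
set firewall ipv4 name WAN-to-LOCAL rule 20 action 'accept'
set firewall ipv4 name WAN-to-LOCAL rule 20 protocol 'icmp'

# From the LAN to the router: replies, ICMP and SSH management.
set firewall ipv4 name LAN-to-LOCAL default-action 'drop'
set firewall ipv4 name LAN-to-LOCAL rule 10 action 'accept'
set firewall ipv4 name LAN-to-LOCAL rule 10 state 'established'
set firewall ipv4 name LAN-to-LOCAL rule 10 state 'related'
set firewall ipv4 name LAN-to-LOCAL rule 20 action 'accept'
set firewall ipv4 name LAN-to-LOCAL rule 20 protocol 'icmp'
set firewall ipv4 name LAN-to-LOCAL rule 30 action 'accept'
set firewall ipv4 name LAN-to-LOCAL rule 30 protocol 'tcp'
set firewall ipv4 name LAN-to-LOCAL rule 30 destination port '22'

# Router-originated traffic (NTP, DNS, updates) may leave freely.
set firewall ipv4 name LOCAL-to-ANY default-action 'accept'

# Transit: LAN may reach the Internet; only replies come back.
set firewall ipv4 name LAN-to-WAN default-action 'accept'
set firewall ipv4 name WAN-to-LAN default-action 'drop'
set firewall ipv4 name WAN-to-LAN rule 10 action 'accept'
set firewall ipv4 name WAN-to-LAN rule 10 state 'established'
set firewall ipv4 name WAN-to-LAN rule 10 state 'related'

# Zone pairs. The local flow needs policies in BOTH directions: without the
# 'WAN from LOCAL' and 'LAN from LOCAL' pairs the router's own traffic is
# dropped by the zone default action, even though LAN-to-LOCAL allows SSH in.
set firewall zone LOCAL from WAN firewall name 'WAN-to-LOCAL'
set firewall zone LOCAL from LAN firewall name 'LAN-to-LOCAL'
set firewall zone WAN from LOCAL firewall name 'LOCAL-to-ANY'
set firewall zone LAN from LOCAL firewall name 'LOCAL-to-ANY'
set firewall zone WAN from LAN firewall name 'LAN-to-WAN'
set firewall zone LAN from WAN firewall name 'WAN-to-LAN'
```

The point of the example is the local flow described above: each zone pair
that involves ``LOCAL`` is a separate policy, so securing the router means
writing both the inbound pairs (``LOCAL from WAN``, ``LOCAL from LAN``) and
the outbound ones (``WAN from LOCAL``, ``LAN from LOCAL``). Forgetting the
outbound pairs is a common failure mode: inbound SSH is accepted, but the
router cannot resolve names or fetch packages because its own new connections
have no policy.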