path: root/docs/configuration/firewall/zone.rst
:lastproofread: 2022-09-14

.. _firewall-zone:

###################
Zone Based Firewall
###################

.. note:: For the latest releases, refer to the `firewall
   <https://docs.vyos.io/en/latest/configuration/firewall/general.html#interface-groups>`_
   main page to configure zone-based rules. The new syntax was introduced in
   :vytask:`T5160`.

In zone-based policy, interfaces are assigned to zones, and inspection policy
is applied to traffic moving between the zones and acted on according to
firewall rules. A zone is a group of interfaces that have similar functions or
features. It establishes the security borders of a network. A zone defines a
boundary where traffic is subjected to policy restrictions as it crosses to
another region of a network.

Key Points:

* A zone must be configured before an interface is assigned to it, and an
  interface can be assigned to only a single zone.
* All traffic between interfaces within the same zone is permitted.
* All traffic between zones is subject to the configured policies.
* Traffic cannot flow between a zone member interface and any interface that
  is not a zone member.
* Each zone pair needs two separate rule-sets, one for each direction of
  traffic.

.. note:: In :vytask:`T2199` the syntax of the zone configuration was changed.
   The zone configuration moved from ``zone-policy zone <name>`` to ``firewall
   zone <name>``.

*************
Configuration
*************

As an alternative to applying policy to an interface directly, a zone-based
firewall can be created to simplify configuration when multiple interfaces
belong to the same security zone. Instead of applying rule-sets to interfaces,
they are applied to source zone-destination zone pairs.

A basic introduction to zone-based firewalls can be found `here
<https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_,
and an example at :ref:`examples-zone-policy`.

Define a Zone
=============

To define a zone, set up either a zone with interfaces or a local zone.

.. cfgcmd:: set firewall zone <name> interface <interface>

   Assign interfaces to a zone. A zone can have multiple interfaces,
   but an interface can be a member of only one zone.

.. cfgcmd:: set firewall zone <name> local-zone

   Define the zone as a local zone. A local zone has no interfaces and
   applies to traffic to and from the router itself.

.. cfgcmd:: set firewall zone <name> default-action [drop | reject]

   Set the action taken on traffic entering the zone from a zone for which
   no rule-set has been applied. The default is ``drop``.

.. cfgcmd:: set firewall zone <name> description <text>

   Set a meaningful description.

Applying a Rule-Set to a Zone
=============================

Before you can apply a rule-set to a zone, the zones have to be created
first.

Rule-sets are applied per zone pair and are written from the perspective of
*Source Zone* to *Destination Zone*. The syntax reads as:

.. cfgcmd::  set firewall zone <Destination Zone> from <Source Zone>
   firewall name <rule-set>

.. cfgcmd::  set firewall zone <name> from <name> firewall name
   <rule-set>

.. cfgcmd::  set firewall zone <name> from <name> firewall ipv6-name
   <rule-set>

   A rule-set is always applied to a zone from another zone; it is
   recommended to create one rule-set for each zone pair and direction.
   Use ``firewall name`` for an IPv4 rule-set and ``firewall ipv6-name`` for
   an IPv6 rule-set; both can be applied to the same zone pair.

   .. code-block:: none

      set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4
      set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4
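The following is a complete zone set-up that ties the commands above
together. It is an added example and not part of the VyOS documentation or
the VyOS project's own configuration; the interface names (eth0, eth1,
eth2), the DMZ host 192.0.2.10 and the rule-set names are assumptions. It
uses the ``firewall name`` syntax documented on this page and shows why each
direction needs its own rule-set: return traffic of a connection accepted in
one direction is only allowed because the reverse rule-set explicitly accepts
established and related packets.

```vyos
# Added example, not taken from the VyOS documentation. Interface names
# (eth0/eth1/eth2), the DMZ host 192.0.2.10 and the rule-set names are
# assumptions. Enter these commands in configure mode, then 'commit'.

# 1. Zones must exist before interfaces or rule-sets are attached to them.
set firewall zone WAN description 'Internet uplink'
set firewall zone WAN interface eth0
set firewall zone WAN default-action drop
set firewall zone LAN description 'Trusted clients'
set firewall zone LAN interface eth1
set firewall zone LAN default-action drop
set firewall zone DMZ description 'Public servers'
set firewall zone DMZ interface eth2
set firewall zone DMZ default-action drop
set firewall zone LOCAL description 'The router itself'
set firewall zone LOCAL local-zone
set firewall zone LOCAL default-action drop

# 2. Rule-sets. Every direction has its own rule-set, so return traffic of a
#    connection accepted in one direction must be explicitly accepted in the
#    opposite one (rule 10 below); otherwise replies hit the reverse
#    rule-set's default-action and are dropped.

# Reply-only rule-set, reused for every direction that never originates traffic.
set firewall name REPLIES default-action drop
set firewall name REPLIES rule 10 action accept
set firewall name REPLIES rule 10 state established enable
set firewall name REPLIES rule 10 state related enable

# LAN clients may open any connection to the Internet.
set firewall name LAN-to-WAN default-action drop
set firewall name LAN-to-WAN rule 10 action accept
set firewall name LAN-to-WAN rule 10 state established enable
set firewall name LAN-to-WAN rule 10 state related enable
set firewall name LAN-to-WAN rule 20 action accept
set firewall name LAN-to-WAN rule 20 state new enable

# LAN clients may reach DMZ servers over SSH and HTTPS only.
set firewall name LAN-to-DMZ default-action drop
set firewall name LAN-to-DMZ rule 10 action accept
set firewall name LAN-to-DMZ rule 10 state established enable
set firewall name LAN-to-DMZ rule 10 state related enable
set firewall name LAN-to-DMZ rule 20 action accept
set firewall name LAN-to-DMZ rule 20 protocol tcp
set firewall name LAN-to-DMZ rule 20 destination port 22,443

# The Internet may reach one DMZ host on HTTPS only.
set firewall name WAN-to-DMZ default-action drop
set firewall name WAN-to-DMZ rule 10 action accept
set firewall name WAN-to-DMZ rule 10 state established enable
set firewall name WAN-to-DMZ rule 10 state related enable
set firewall name WAN-to-DMZ rule 20 action accept
set firewall name WAN-to-DMZ rule 20 protocol tcp
set firewall name WAN-to-DMZ rule 20 destination address 192.0.2.10
set firewall name WAN-to-DMZ rule 20 destination port 443

# Management of the router from the LAN only.
set firewall name LAN-to-LOCAL default-action drop
set firewall name LAN-to-LOCAL rule 10 action accept
set firewall name LAN-to-LOCAL rule 10 state established enable
set firewall name LAN-to-LOCAL rule 10 state related enable
set firewall name LAN-to-LOCAL rule 20 action accept
set firewall name LAN-to-LOCAL rule 20 protocol tcp
set firewall name LAN-to-LOCAL rule 20 destination port 22

# Traffic the router itself originates (DNS, NTP, package updates) is also
# policed once a local zone exists, so it needs a rule-set of its own.
set firewall name LOCAL-out default-action accept

# 3. Bind each rule-set to its <destination> from <source> pair.
set firewall zone WAN from LAN firewall name LAN-to-WAN
set firewall zone WAN from DMZ firewall name REPLIES
set firewall zone WAN from LOCAL firewall name LOCAL-out
set firewall zone LAN from WAN firewall name REPLIES
set firewall zone LAN from DMZ firewall name REPLIES
set firewall zone LAN from LOCAL firewall name LOCAL-out
set firewall zone DMZ from LAN firewall name LAN-to-DMZ
set firewall zone DMZ from WAN firewall name WAN-to-DMZ
set firewall zone DMZ from LOCAL firewall name LOCAL-out
set firewall zone LOCAL from LAN firewall name LAN-to-LOCAL
set firewall zone LOCAL from WAN firewall name REPLIES
set firewall zone LOCAL from DMZ firewall name REPLIES
```

Two points to check after ``commit``. First, the DMZ is deliberately given
reply-only access towards the WAN and the LAN; if DMZ hosts need outbound DNS
or package updates, give the ``WAN from DMZ`` pair its own rule-set instead of
``REPLIES``. Second, any interface that is not a member of a zone (a newly
added eth3, for instance) cannot exchange traffic with any zone until it is
assigned to one, and with the ``LOCAL`` local zone in place the router's own
outbound traffic is dropped by the zone default-action wherever no ``from
LOCAL`` rule-set is bound. ``show firewall`` lists the active rule-sets and
their counters for verification.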