:lastproofread: 2024-07-03
.. _firewall-zone:
###################
Zone Based Firewall
###################
********
Overview
********
.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall
   structure can be found on all VyOS installations. The zone-based firewall
   was removed in that version, but reintroduced in VyOS 1.4 and 1.5. All
   versions built after 2023-10-22 have this feature.

Documentation for most of the new firewall CLI can be
found in the `firewall
<https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_
chapter.
In this section there's useful information on all firewall configuration that
is needed for the zone-based firewall.
Configuration commands covered in this section:
.. cfgcmd:: set firewall zone ...
From the main structure defined in
:doc:`Firewall Overview</configuration/firewall/index>`
in this section you can find detailed information only for the next part
of the general structure:
.. code-block:: none

   - set firewall
       * zone
           - custom_zone_name
               + ...

In zone-based policy, interfaces are assigned to zones, and inspection policy
is applied to traffic moving between the zones and acted on according to
firewall rules. A zone is a group of interfaces that have similar functions or
features. It establishes the security borders of a network. A zone defines a
boundary where traffic is subjected to policy restrictions as it crosses to
another region of a network.
Key Points:

* A zone must be configured before an interface is assigned to it, and an
  interface can be assigned to only a single zone.
* All traffic to and from an interface within a zone is permitted.
* All traffic between zones is affected by existing policies.
* Traffic cannot flow between a zone member interface and any interface that is
  not a zone member.
* You need two separate firewall rule-sets to define traffic: one for each
  direction.

.. note:: In :vytask:`T2199` the syntax of the zone configuration was changed.
   The zone configuration moved from ``zone-policy zone <name>`` to ``firewall
   zone <name>``.

*************
Configuration
*************
As an alternative to applying policy to an interface directly, a zone-based
firewall can be created to simplify configuration when multiple interfaces
belong to the same security zone. Instead of applying rule-sets to interfaces,
they are applied to source-destination zone pairs.
A basic introduction to zone-based firewalls can be found `here
<https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_,
and an example at :ref:`examples-zone-policy`.
The following steps are required to create a zone-based firewall:
1. Define both the source and destination zones
2. Define the rule-set
3. Apply the rule-set to the zones
Define a Zone
=============
To define a zone, set up either a zone with member interfaces or the local zone.

.. cfgcmd:: set firewall zone <name> interface <interface>

   Assign interfaces as a member of a zone.

   .. note::

      * An interface can only be a member of one zone.
      * A zone can have multiple interfaces, with traffic between interfaces in
        the same zone subject to the intra-zone-filtering policy (allowed by
        default).

.. cfgcmd:: set firewall zone <name> local-zone

   Define the zone as the local zone, for traffic originating from and destined
   to the router itself.

   .. note::

      * A local zone cannot have any member interfaces.
      * There cannot be multiple local zones.

.. cfgcmd:: set firewall zone <name> default-action [drop | reject]

   Change the zone default-action, which applies to traffic destined to this
   zone that doesn't match any of the source zone rule-sets applied.

.. cfgcmd:: set firewall zone <name> default-log

   Enable logging of packets that hit this zone's default-action (disabled by
   default).

.. cfgcmd:: set firewall zone <name> description

   Set a meaningful description.

Defining a Rule-Set
===================
Zone-based firewall rule-sets are for traffic from a *Source Zone* to a
*Destination Zone*.
The rule-sets are created as a custom firewall chain using the commands below
(refer to the firewall IPv4/IPv6 sections for the full syntax):
* For :ref:`IPv4<configuration/firewall/ipv4:Firewall - IPv4 Rules>`:
  ``set firewall ipv4 name <name> ...``
* For :ref:`IPv6<configuration/firewall/ipv6:Firewall - IPv6 Rules>`:
  ``set firewall ipv6 name <name> ...``

It can be helpful to name the rule-sets in the format
``<Source Zone>-<Destination Zone>-<v4 | v6>`` to make them easily identifiable.

Applying a Rule-Set to a Zone
=============================
Once a rule-set has been defined, it can then be applied to the source and
destination zones. The configuration syntax is anchored on the destination
zone, with each of the source zone rulesets listed against the destination.
.. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone>
   firewall name <ipv4-rule-set-name>

.. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone>
   firewall ipv6-name <ipv6-rule-set-name>

It is recommended to create two rule-sets for each source-destination zone pair,
one per direction.

.. code-block:: none

   set firewall zone DMZ from LAN firewall name LAN-DMZ-v4
   set firewall zone LAN from DMZ firewall name DMZ-LAN-v4

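The three steps above carried through for the LAN/WAN/LOCAL layout shown in the operation-mode output below, as an added example rather than a configuration taken from the VyOS documentation itself. Rule-set contents use the IPv4/IPv6 rule syntax from the referenced chapters, and the ``global-options state-policy`` lines (which let established and related flows return without a per-direction rule) are assumed from the general firewall chapter.

```none
# Step 1: zones. LAN and WAN group interfaces; LOCAL is the router itself.
set firewall zone LAN interface eth1
set firewall zone LAN interface eth2
set firewall zone WAN interface eth0
set firewall zone WAN interface eth3
set firewall zone LOCAL local-zone

# Inter-zone traffic that matches no applied rule-set is dropped and logged.
set firewall zone LAN default-action drop
set firewall zone WAN default-action drop
set firewall zone LOCAL default-action drop
set firewall zone LAN default-log
set firewall zone WAN default-log
set firewall zone LOCAL default-log

# Assumed from the general firewall chapter: accept return traffic of
# flows already allowed, so only the initiating direction needs a rule.
set firewall global-options state-policy established action accept
set firewall global-options state-policy related action accept
set firewall global-options state-policy invalid action drop

# Step 2: rule-sets, named <Source Zone>-<Destination Zone>-<v4|v6>.
set firewall ipv4 name LAN-WAN-v4 default-action accept
set firewall ipv4 name WAN-LAN-v4 default-action drop
set firewall ipv4 name LAN-LOCAL-v4 default-action drop
set firewall ipv4 name LAN-LOCAL-v4 rule 10 action accept
set firewall ipv4 name LAN-LOCAL-v4 rule 10 protocol tcp
set firewall ipv4 name LAN-LOCAL-v4 rule 10 destination port 22
set firewall ipv4 name WAN-LOCAL-v4 default-action drop
set firewall ipv6 name WAN-LOCAL-v6 default-action drop
set firewall ipv4 name LOCAL-WAN-v4 default-action accept

# Step 3: apply each rule-set on the destination zone, keyed by source zone.
set firewall zone WAN from LAN firewall name LAN-WAN-v4
set firewall zone LAN from WAN firewall name WAN-LAN-v4
set firewall zone LOCAL from LAN firewall name LAN-LOCAL-v4
set firewall zone LOCAL from WAN firewall name WAN-LOCAL-v4
set firewall zone LOCAL from WAN firewall ipv6-name WAN-LOCAL-v6
set firewall zone WAN from LOCAL firewall name LOCAL-WAN-v4
commit
```

After ``commit``, ``show firewall zone-policy`` should list exactly the zone/interface/rule-set pairs configured here; a missing entry means the rule-set was not applied and that zone pair falls through to the logged default-action.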
**************
Operation-mode
**************
.. opcmd:: show firewall zone-policy

   This will show you a basic summary of the zone configuration.

   .. code-block:: none

      vyos@vyos:~$ show firewall zone-policy
      Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6
      ------  ------------  -----------  ---------------  ---------------
      LAN     eth1          WAN          WAN-LAN-v4
              eth2
      LOCAL   LOCAL         LAN          LAN-LOCAL-v4
                            WAN          WAN-LOCAL-v4     WAN-LOCAL-v6
      WAN     eth3          LAN          LAN-WAN-v4
              eth0          LOCAL        LOCAL-WAN-v4

.. opcmd:: show firewall zone-policy zone <zone>

   This will show you a basic summary of a particular zone.

   .. code-block:: none

      vyos@vyos:~$ show firewall zone-policy zone WAN
      Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6
      ------  ------------  -----------  ---------------  ---------------
      WAN     eth3          LAN          LAN-WAN-v4
              eth0          LOCAL        LOCAL-WAN-v4

      vyos@vyos:~$ show firewall zone-policy zone LOCAL
      Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6
      ------  ------------  -----------  ---------------  ---------------
      LOCAL   LOCAL         LAN          LAN-LOCAL-v4
                            WAN          WAN-LOCAL-v4     WAN-LOCAL-v6