From c6815ca765f4c73e16d87ff55085cb9f8d909fe6 Mon Sep 17 00:00:00 2001 From: Nicolas Fort Date: Thu, 11 Jan 2024 09:46:26 -0300 Subject: [PATCH] Add opmode commands for firewall zones, and add global state-policies in quick-start (cherry picked from commit 85ef13b14fa37b8780f6e6c8220bc54366c72741) # Conflicts: # docs/quick-start.rst --- docs/configuration/firewall/zone.rst | 38 ++++++ docs/quick-start.rst | 184 +++++++++++++++++++++++++++ 2 files changed, 222 insertions(+) diff --git a/docs/configuration/firewall/zone.rst b/docs/configuration/firewall/zone.rst index 1ab9c63008..059b029dc9 100644 --- a/docs/configuration/firewall/zone.rst +++ b/docs/configuration/firewall/zone.rst @@ -123,3 +123,41 @@ written from the perspective of: *Source Zone*-to->*Destination Zone* set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4 set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4 +************** +Operation-mode +************** + +.. opcmd:: show firewall zone-policy + + This will show you a basic summary of zones configuration. + + .. code-block:: none + + vyos@vyos:~$ show firewall zone-policy + Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 + ------ ------------ ----------- --------------- --------------- + LAN eth1 WAN WAN_to_LAN + eth2 + LOCAL LOCAL LAN LAN_to_LOCAL + WAN WAN_to_LOCAL WAN_to_LOCAL_v6 + WAN eth3 LAN LAN_to_WAN + eth0 LOCAL LOCAL_to_WAN + vyos@vyos:~$ + +.. opcmd:: show firewall zone-policy zone + + This will show you a basic summary of a particular zone. + + .. code-block:: none + + vyos@vyos:~$ show firewall zone-policy zone WAN + Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 + ------ ------------ ----------- --------------- --------------- + WAN eth3 LAN LAN_to_WAN + eth0 LOCAL LOCAL_to_WAN + vyos@vyos:~$ show firewall zone-policy zone LOCAL + Zone Interfaces From Zone Firewall IPv4 Firewall IPv6 + ------ ------------ ----------- --------------- --------------- + LOCAL LOCAL LAN LAN_to_LOCAL + WAN WAN_to_LOCAL WAN_to_LOCAL_v6 + vyos@vyos:~$ diff --git a/docs/quick-start.rst b/docs/quick-start.rst index 7a22d9de96..405bd7dd8a 100644 --- a/docs/quick-start.rst +++ b/docs/quick-start.rst @@ -133,6 +133,7 @@ Firewall Add a set of firewall policies for our outside/WAN interface. +<<<<<<< HEAD This configuration creates a proper stateful firewall that blocks all traffic which was not initiated from the internal/LAN side first. @@ -146,6 +147,189 @@ which was not initiated from the internal/LAN side first. set firewall ipv4 forward filter rule 20 state invalid 'enable' set firewall ipv4 forward filter rule 30 inbound-interface name 'eth1' set firewall ipv4 forward filter rule 30 action 'accept' +======= +Configure Firewall Groups +------------------------- + +To make firewall configuration easier, we can create groups of interfaces, +networks, addresses, ports, and domains that describe different parts of +our network. We can then use them for filtering within our firewall rulesets, +allowing for more concise and readable configuration. + +In this case, we will create two interface groups — a ``WAN`` group for our +interfaces connected to the public internet and a ``LAN`` group for the +interfaces connected to our internal network. Additionally, we will create a +network group, ``NET-INSIDE-v4``, that contains our internal subnet. + +.. code-block:: none + + set firewall group interface-group WAN interface eth0 + set firewall group interface-group LAN interface eth1 + set firewall group network-group NET-INSIDE-v4 network '192.168.0.0/24' + +Configure Stateful Packet Filtering +----------------------------------- + +With the new firewall structure, we have have a lot of flexibility in how we +group and order our rules, as shown by the three alternative approaches below. + +Option 1: Global State Policies +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ +Using options defined in ``set firewall global-options state-policy``, state +policy rules that applies for both IPv4 and IPv6 are created. These global +state policies also applies for all traffic that passes through the router +(transit) and for traffic originated/destinated to/from the router itself, and +will be avaluated before any other rule defined in the firewall. + +Most installations would choose this option, and will contain: + +.. code-block:: none + + set firewall global-options state-policy established action accept + set firewall global-options state-policy related action accept + set firewall global-options state-policy invalid action drop + +Option 2: Common/Custom Chain +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +We can create a common chain for stateful connection filtering of multiple +interfaces (or multiple netfilter hooks on one interface). Those individual +chains can then jump to the common chain for stateful connection filtering, +returning to the original chain for further rule processing if no action is +taken on the packet. + +The chain we will create is called ``CONN_FILTER`` and has three rules: + +- A default action of ``return``, which returns the packet back to the original + chain if no action is taken. +- A rule to ``accept`` packets from established and related connections. +- A rule to ``drop`` packets from invalid connections. + +.. code-block:: none + + set firewall ipv4 name CONN_FILTER default-action 'return' + + set firewall ipv4 name CONN_FILTER rule 10 action 'accept' + set firewall ipv4 name CONN_FILTER rule 10 state established + set firewall ipv4 name CONN_FILTER rule 10 state related + + set firewall ipv4 name CONN_FILTER rule 20 action 'drop' + set firewall ipv4 name CONN_FILTER rule 20 state invalid + +Then, we can jump to the common chain from both the ``forward`` and ``input`` +hooks as the first filtering rule in the respective chains: + +.. code-block:: none + + set firewall ipv4 forward filter rule 10 action 'jump' + set firewall ipv4 forward filter rule 10 jump-target CONN_FILTER + + set firewall ipv4 input filter rule 10 action 'jump' + set firewall ipv4 input filter rule 10 jump-target CONN_FILTER + +Option 3: Per-Hook Chain +^^^^^^^^^^^^^^^^^^^^^^^^ + +Alternatively, you can take the more traditional stateful connection +filtering approach by creating rules on each base hook's chain: + +.. code-block:: none + + set firewall ipv4 forward filter rule 5 action 'accept' + set firewall ipv4 forward filter rule 5 state established + set firewall ipv4 forward filter rule 5 state related + set firewall ipv4 forward filter rule 10 action 'drop' + set firewall ipv4 forward filter rule 10 state invalid + + set firewall ipv4 input filter rule 5 action 'accept' + set firewall ipv4 input filter rule 5 state established + set firewall ipv4 input filter rule 5 state related + set firewall ipv4 input filter rule 10 action 'drop' + set firewall ipv4 input filter rule 10 state invalid + +Block Incoming Traffic +---------------------- + +Now that we have configured stateful connection filtering to allow traffic from +established and related connections, we can block all other incoming traffic +addressed to our local network. + +Create a new chain (``OUTSIDE-IN``) which will drop all traffic that is not +explicity allowed at some point in the chain. Then, we can jump to that chain +from the ``forward`` hook when traffic is coming from the ``WAN`` interface +group and is addressed to our local network. + +.. code-block:: none + + set firewall ipv4 name OUTSIDE-IN default-action 'drop' + + set firewall ipv4 forward filter rule 100 action jump + set firewall ipv4 forward filter rule 100 jump-target OUTSIDE-IN + set firewall ipv4 forward filter rule 100 inbound-interface group WAN + set firewall ipv4 forward filter rule 100 destination group network-group NET-INSIDE-v4 + +We should also block all traffic destinated to the router itself that isn't +explicitly allowed at some point in the chain for the ``input`` hook. As +we've already configured stateful packet filtering above, we only need to +set the default action to ``drop``: + +.. code-block:: none + + set firewall ipv4 input filter default-action 'drop' + +Allow Management Access +--------------------------- + +We can now configure access to the router itself, allowing SSH +access from the inside/LAN network and rate limiting SSH access from the +outside/WAN network. + +First, create a new dedicated chain (``VyOS_MANAGEMENT``) for management +access, which returns to the parent chain if no action is taken. Add a rule +to accept traffic from the ``LAN`` interface group: + +.. code-block:: none + + set firewall ipv4 name VyOS_MANAGEMENT default-action 'return' + +Configure a rule on the ``input`` hook filter to jump to the ``VyOS_MANAGEMENT`` +chain when new connections are addressed to port 22 (SSH) on the router itself: + +.. code-block:: none + + set firewall ipv4 input filter rule 20 action jump + set firewall ipv4 input filter rule 20 jump-target VyOS_MANAGEMENT + set firewall ipv4 input filter rule 20 destination port 22 + set firewall ipv4 input filter rule 20 protocol tcp + +Finally, configure the ``VyOS_MANAGEMENT`` chain to accept connection from the +``LAN`` interface group while limiting requests coming from the ``WAN`` +interface group to 4 per minute: + +.. code-block:: none + + set firewall ipv4 name VyOS_MANAGEMENT rule 15 action 'accept' + set firewall ipv4 name VyOS_MANAGEMENT rule 15 inbound-interface group 'LAN' + + set firewall ipv4 name VyOS_MANAGEMENT rule 20 action 'drop' + set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent count 4 + set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent time minute + set firewall ipv4 name VyOS_MANAGEMENT rule 20 state new + set firewall ipv4 name VyOS_MANAGEMENT rule 20 inbound-interface group 'WAN' + + set firewall ipv4 name VyOS_MANAGEMENT rule 21 action 'accept' + set firewall ipv4 name VyOS_MANAGEMENT rule 21 state new + set firewall ipv4 name VyOS_MANAGEMENT rule 21 inbound-interface group 'WAN' + +Allow Access to Services +------------------------ + +Here we're allowing the router to respond to pings. Then, we can allow access to +the DNS recursor we configured earlier, accepting traffic bound for port 53 from +all hosts on the ``NET-INSIDE-v4`` network: + +.. code-block:: none +>>>>>>> 85ef13b1 (Add opmode commands for firewall zones, and add global state-policies in quick-start) set firewall ipv4 input filter default-action drop set firewall ipv4 input filter rule 10 action 'accept'