vyos · mergify · Jan 11, 2024
@@ -123,3 +123,41 @@ written from the perspective of: *Source Zone*-to->*Destination Zone*
       set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4
       set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4
 
+**************
+Operation-mode
+**************
+
+.. opcmd:: show firewall zone-policy
+
+   This will show you a basic summary of zones configuration.
+
+   .. code-block:: none
+
+      vyos@vyos:~$ show firewall zone-policy
+      Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6
+      ------  ------------  -----------  ---------------  ---------------
+      LAN     eth1          WAN          WAN_to_LAN
+              eth2
+      LOCAL   LOCAL         LAN          LAN_to_LOCAL
+                            WAN          WAN_to_LOCAL     WAN_to_LOCAL_v6
+      WAN     eth3          LAN          LAN_to_WAN
+              eth0          LOCAL        LOCAL_to_WAN
+      vyos@vyos:~$
+
+.. opcmd:: show firewall zone-policy zone <zone>
+
+   This will show you a basic summary of a particular zone.
+
+   .. code-block:: none
+
+      vyos@vyos:~$ show firewall zone-policy zone WAN
+      Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6
+      ------  ------------  -----------  ---------------  ---------------
+      WAN     eth3          LAN          LAN_to_WAN
+              eth0          LOCAL        LOCAL_to_WAN
+      vyos@vyos:~$ show firewall zone-policy zone LOCAL
+      Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6
+      ------  ------------  -----------  ---------------  ---------------
+      LOCAL   LOCAL         LAN          LAN_to_LOCAL
+                            WAN          WAN_to_LOCAL     WAN_to_LOCAL_v6
+      vyos@vyos:~$
@@ -133,6 +133,7 @@
 
 Add a set of firewall policies for our outside/WAN interface.
 
+<<<<<<< HEAD
 This configuration creates a proper stateful firewall that blocks all traffic
 which was not initiated from the internal/LAN side first.
 
@@ -146,6 +147,189 @@
   set firewall ipv4 forward filter rule 20 state invalid 'enable'
   set firewall ipv4 forward filter rule 30 inbound-interface name 'eth1'
   set firewall ipv4 forward filter rule 30 action 'accept'
+=======
+Configure Firewall Groups
+-------------------------
+
+To make firewall configuration easier, we can create groups of interfaces,
+networks, addresses, ports, and domains that describe different parts of
+our network. We can then use them for filtering within our firewall rulesets,
+allowing for more concise and readable configuration.
+
+In this case, we will create two interface groups — a ``WAN`` group for our
+interfaces connected to the public internet and a ``LAN`` group for the
+interfaces connected to our internal network. Additionally, we will create a
+network group, ``NET-INSIDE-v4``, that contains our internal subnet.
+
+.. code-block:: none
+
+  set firewall group interface-group WAN interface eth0
+  set firewall group interface-group LAN interface eth1
+  set firewall group network-group NET-INSIDE-v4 network '192.168.0.0/24'
+
+Configure Stateful Packet Filtering
+-----------------------------------
+
+With the new firewall structure, we have have a lot of flexibility in how we
+group and order our rules, as shown by the three alternative approaches below.
+
+Option 1: Global State Policies
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Using options defined in ``set firewall global-options state-policy``, state
+policy rules that applies for both IPv4 and IPv6 are created. These global
+state policies also applies for all traffic that passes through the router
+(transit) and for traffic originated/destinated to/from the router itself, and
+will be avaluated before any other rule defined in the firewall.
+
+Most installations would choose this option, and will contain:
+
+.. code-block:: none
+
+  set firewall global-options state-policy established action accept
+  set firewall global-options state-policy related action accept
+  set firewall global-options state-policy invalid action drop
+
+Option 2: Common/Custom Chain
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+We can create a common chain for stateful connection filtering of multiple
+interfaces (or multiple netfilter hooks on one interface). Those individual
+chains can then jump to the common chain for stateful connection filtering,
+returning to the original chain for further rule processing if no action is
+taken on the packet.
+
+The chain we will create is called ``CONN_FILTER`` and has three rules:
+
+- A default action of ``return``, which returns the packet back to the original
+  chain if no action is taken.
+- A rule to ``accept`` packets from established and related connections.
+- A rule to ``drop`` packets from invalid connections.
+
+.. code-block:: none
+
+  set firewall ipv4 name CONN_FILTER default-action 'return'
+
+  set firewall ipv4 name CONN_FILTER rule 10 action 'accept'
+  set firewall ipv4 name CONN_FILTER rule 10 state established 
+  set firewall ipv4 name CONN_FILTER rule 10 state related 
+
+  set firewall ipv4 name CONN_FILTER rule 20 action 'drop'
+  set firewall ipv4 name CONN_FILTER rule 20 state invalid 
+
+Then, we can jump to the common chain from both the ``forward`` and ``input``
+hooks as the first filtering rule in the respective chains:
+
+.. code-block:: none
+
+  set firewall ipv4 forward filter rule 10 action 'jump'
+  set firewall ipv4 forward filter rule 10 jump-target CONN_FILTER
+
+  set firewall ipv4 input filter rule 10 action 'jump'
+  set firewall ipv4 input filter rule 10 jump-target CONN_FILTER
+
+Option 3: Per-Hook Chain
+^^^^^^^^^^^^^^^^^^^^^^^^
+
+Alternatively, you can take the more traditional stateful connection
+filtering approach by creating rules on each base hook's chain:
+
+.. code-block:: none
+
+  set firewall ipv4 forward filter rule 5 action 'accept'
+  set firewall ipv4 forward filter rule 5 state established 
+  set firewall ipv4 forward filter rule 5 state related 
+  set firewall ipv4 forward filter rule 10 action 'drop'
+  set firewall ipv4 forward filter rule 10 state invalid 
+
+  set firewall ipv4 input filter rule 5 action 'accept'
+  set firewall ipv4 input filter rule 5 state established 
+  set firewall ipv4 input filter rule 5 state related 
+  set firewall ipv4 input filter rule 10 action 'drop'
+  set firewall ipv4 input filter rule 10 state invalid 
+
+Block Incoming Traffic
+----------------------
+
+Now that we have configured stateful connection filtering to allow traffic from
+established and related connections, we can block all other incoming traffic
+addressed to our local network.
+
+Create a new chain (``OUTSIDE-IN``) which will drop all traffic that is not
+explicity allowed at some point in the chain. Then, we can jump to that chain
+from the ``forward`` hook when traffic is coming from the ``WAN`` interface
+group and is addressed to our local network.
+
+.. code-block:: none
+
+  set firewall ipv4 name OUTSIDE-IN default-action 'drop'
+
+  set firewall ipv4 forward filter rule 100 action jump
+  set firewall ipv4 forward filter rule 100 jump-target OUTSIDE-IN
+  set firewall ipv4 forward filter rule 100 inbound-interface group WAN
+  set firewall ipv4 forward filter rule 100 destination group network-group NET-INSIDE-v4
+
+We should also block all traffic destinated to the router itself that isn't
+explicitly allowed at some point in the chain for the ``input`` hook. As
+we've already configured stateful packet filtering above, we only need to
+set the default action to ``drop``:
+
+.. code-block:: none
+
+  set firewall ipv4 input filter default-action 'drop'
+
+Allow Management Access
+---------------------------
+
+We can now configure access to the router itself, allowing SSH
+access from the inside/LAN network and rate limiting SSH access from the
+outside/WAN network.
+
+First, create a new dedicated chain (``VyOS_MANAGEMENT``) for management
+access, which returns to the parent chain if no action is taken. Add a rule
+to accept traffic from the ``LAN`` interface group:
+
+.. code-block:: none
+
+  set firewall ipv4 name VyOS_MANAGEMENT default-action 'return'
+
+Configure a rule on the ``input`` hook filter to jump to the ``VyOS_MANAGEMENT``
+chain when new connections are addressed to port 22 (SSH) on the router itself:
+
+.. code-block:: none
+
+  set firewall ipv4 input filter rule 20 action jump
+  set firewall ipv4 input filter rule 20 jump-target VyOS_MANAGEMENT
+  set firewall ipv4 input filter rule 20 destination port 22
+  set firewall ipv4 input filter rule 20 protocol tcp
+
+Finally, configure the ``VyOS_MANAGEMENT`` chain to accept connection from the
+``LAN`` interface group while limiting requests coming from the ``WAN``
+interface group to 4 per minute:
+
+.. code-block:: none
+
+  set firewall ipv4 name VyOS_MANAGEMENT rule 15 action 'accept'
+  set firewall ipv4 name VyOS_MANAGEMENT rule 15 inbound-interface group 'LAN'
+
+  set firewall ipv4 name VyOS_MANAGEMENT rule 20 action 'drop'
+  set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent count 4
+  set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent time minute
+  set firewall ipv4 name VyOS_MANAGEMENT rule 20 state new 
+  set firewall ipv4 name VyOS_MANAGEMENT rule 20 inbound-interface group 'WAN'
+
+  set firewall ipv4 name VyOS_MANAGEMENT rule 21 action 'accept'
+  set firewall ipv4 name VyOS_MANAGEMENT rule 21 state new 
+  set firewall ipv4 name VyOS_MANAGEMENT rule 21 inbound-interface group 'WAN'
+
+Allow Access to Services
+------------------------
+
+Here we're allowing the router to respond to pings. Then, we can allow access to
+the DNS recursor we configured earlier, accepting traffic bound for port 53 from
+all hosts on the ``NET-INSIDE-v4`` network:
+
+.. code-block:: none
+>>>>>>> 85ef13b1 (Add opmode commands for firewall zones, and add global state-policies in quick-start)
 
   set firewall ipv4 input filter default-action drop
   set firewall ipv4 input filter rule 10 action 'accept'