Zone Based Firewall
Overview
Note
Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all vyos instalations. Zone based firewall was removed in that version, but re introduced in VyOS 1.4 and 1.5. All versions built after 2023-10-22 has this feature. Documentation for most of the new firewall CLI can be found in the firewall chapter. The legacy firewall is still available for versions before 1.4-rolling-202308040557 and can be found in the legacy firewall configuration chapter.
In this section there’s useful information of all firewall configuration that is needed for zone-based firewall. Configuration commands covered in this section:
From main structure defined in Firewall Overview in this section you can find detailed information only for the next part of the general structure:
- set firewall
* zone
- custom_zone_name
+ ...
In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to firewall rules. A zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network.
Key Points:
A zone must be configured before an interface is assigned to it and an interface can be assigned to only a single zone.
All traffic to and from an interface within a zone is permitted.
All traffic between zones is affected by existing policies
Traffic cannot flow between zone member interface and any interface that is not a zone member.
You need 2 separate firewalls to define traffic: one for each direction.
Note
In T2199 the syntax of the zone configuration was changed.
The zone configuration moved from zone-policy zone <name> to firewall
zone <name>.
Configuration
As an alternative to applying policy to an interface directly, a zone-based firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of applying rule-sets to interfaces, they are applied to source zone-destination zone pairs.
A basic introduction to zone-based firewalls can be found here, and an example at Zone-Policy example.
Define a Zone
To define a zone setup either one with interfaces or a local zone.
Set interfaces to a zone. A zone can have multiple interfaces. But an interface can only be a member in one zone.
Define the zone as a local zone. A local zone has no interfaces and will be applied to the router itself.
Change the default-action with this setting.
Applying a Rule-Set to a Zone
Before you are able to apply a rule-set to a zone you have to create the zones first.
It helps to think of the syntax as: (see below). The ‘rule-set’ should be written from the perspective of: Source Zone-to->*Destination Zone*
You apply a rule-set always to a zone from an other zone, it is recommended to create one rule-set for each zone pair.
set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4
set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4