Merge pull request #1076 from nicolas-fort/Firewall_new_cli_update

Firewall refactor: add visible note in firewall docs:
Robert Göhler 2023-09-11 20:37:43 +02:00 committed by GitHub
commit 0a2c9463b9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 61 additions and 31 deletions


@ -5,6 +5,16 @@
Zone-Policy example
-------------------
.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall
structure can be found on all vyos instalations, and zone based firewall is
no longer supported. Documentation for most of the new firewall CLI can be
found in the `firewall
<https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_
chapter. The legacy firewall is still available for versions before
1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy`
chapter. The examples in this section use the legacy firewall configuration
commands, since this feature has been removed in earlier releases.
.. note:: In :vytask:`T2199` the syntax of the zone configuration was changed.
The zone configuration moved from ``zone-policy zone <name>`` to ``firewall
zone <name>``.
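Review bot: the last sentence of the new note, "since this feature has been removed in earlier releases", inverts the timeline: zone-policy was removed in builds from 1.4-rolling-202308040557 onward, so it should read "removed in later releases" (or "in the current firewall structure"). Also "vyos instalations" should be "VyOS installations". This note text is pasted into three files in this PR, so fix it in every copy, or better, factor it into a single shared include/substitution so the wording and the cutoff version are maintained in one place.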


@ -1,6 +1,6 @@
:lastproofread: 2021-06-29
.. _firewall:
.. _firewall-legacy:
###############
Firewall-Legacy
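Review bot: renaming the label `.. _firewall:` to `.. _firewall-legacy:` breaks every existing :ref:`firewall` elsewhere in the docs unless a replacement target is defined; either keep a `.. _firewall:` label on the new general firewall page or grep the tree for the old role before merging so the Sphinx build stays free of undefined-label warnings.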
@ -8,7 +8,7 @@ Firewall-Legacy
.. note:: **Important note:**
This documentation is valid only for VyOS Sagitta prior to
1.4-rolling-YYYYMMDDHHmm
1.4-rolling-202308040557
********
Overview
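Review bot: replacing the `1.4-rolling-YYYYMMDDHHmm` placeholder with the concrete build `1.4-rolling-202308040557` is the right fix, since a reader could not act on the placeholder. The same version string now appears in all four touched files, so an RST substitution would keep them consistent if the cutoff is ever corrected.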


@ -6,6 +6,16 @@
Zone Based Firewall
###################
.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall
structure can be found on all vyos instalations, and zone based firewall is
no longer supported. Documentation for most of the new firewall CLI can be
found in the `firewall
<https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_
chapter. The legacy firewall is still available for versions before
1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy`
chapter. The examples in this section use the legacy firewall configuration
commands, since this feature has been removed in earlier releases.
.. note:: For latest releases, refer the `firewall
<https://docs.vyos.io/en/latest/configuration/firewall/general.html#interface-groups>`_
main page to configure zone based rules. New syntax was introduced here
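Review bot: this page now carries two adjacent notes that say the same thing (zone-based firewall replaced, see the general firewall chapter); merge the pre-existing "For latest releases, refer the firewall main page" note into the new one or drop it, and "refer the" should be "refer to the". The "vyos instalations" typo and the "removed in earlier releases" wording from the zone-policy hunk recur here and need the same fix.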


@ -122,6 +122,15 @@ network via IP masquerade.
Firewall
########
.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall
structure can be found on all vyos instalations. Documentation for most
of the new firewall CLI can be found in the `firewall
<https://docs.vyos.io/en/latest/configuration/firewall/general.html>`_
chapter. The legacy firewall is still available for versions before
1.4-rolling-202308040557 and can be found in the :ref:`firewall-legacy`
chapter. The examples in this section use the new firewall configuration
commands.
Add a set of firewall policies for our outside/WAN interface.
This configuration creates a proper stateful firewall that blocks all traffic
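Review bot: same "vyos instalations" typo. Also, the unchanged lead-in "Add a set of firewall policies for our outside/WAN interface" no longer matches the commands that follow, which configure the global `ipv4 forward filter` and `ipv4 input filter` hooks rather than a per-interface policy; rephrase it to say the rules apply to all forwarded and router-destined traffic and are narrowed by `inbound-interface` where needed.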
@ -129,19 +138,25 @@ which was not initiated from the internal/LAN side first.
.. code-block:: none
set firewall name OUTSIDE-IN default-action 'drop'
set firewall name OUTSIDE-IN rule 10 action 'accept'
set firewall name OUTSIDE-IN rule 10 state established 'enable'
set firewall name OUTSIDE-IN rule 10 state related 'enable'
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter rule 10 action 'accept'
set firewall ipv4 forward filter rule 10 state established 'enable'
set firewall ipv4 forward filter rule 10 state related 'enable'
set firewall ipv4 forward filter rule 20 action 'drop'
set firewall ipv4 forward filter rule 20 state invalid 'enable'
set firewall ipv4 forward filter rule 30 inbound-interface interface-name 'eth1'
set firewall ipv4 forward filter rule 30 action 'accept'
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall ipv4 input filter default-action drop
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 state established 'enable'
set firewall ipv4 input filter rule 10 state related 'enable'
set firewall ipv4 input filter rule 20 action 'drop'
set firewall ipv4 input filter rule 20 state invalid 'enable'
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 icmp type-name 'echo-request'
set firewall ipv4 input filter rule 30 protocol 'icmp'
set firewall ipv4 input filter rule 30 state new 'enable'
If you wanted to enable SSH access to your firewall from the outside/WAN
interface, you could create some additional rules to allow that kind of
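Review bot: `set firewall ipv4 input filter default-action drop` is a global hook, unlike the old `OUTSIDE-LOCAL` ruleset that was attached only to eth0, so as written the router also drops new connections from the LAN side to itself (SSH, DNS, DHCP from eth1 hosts). Add an accept rule scoped to the inside interface, mirroring forward filter rule 30, e.g. `set firewall ipv4 input filter rule 30 inbound-interface interface-name 'eth1'` plus `action 'accept'` (renumbering the ICMP rule), or have the text state this restriction explicitly. Minor: `default-action drop` is the only unquoted value in the block; quote it like the others.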
@ -152,24 +167,19 @@ blocks brute-forcing attempts:
.. code-block:: none
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
set firewall name OUTSIDE-LOCAL rule 30 recent time 'minute'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
set firewall ipv4 input filter rule 40 action 'drop'
set firewall ipv4 input filter rule 40 inbound-interface interface-name 'eth0'
set firewall ipv4 input filter rule 40 destination port '22'
set firewall ipv4 input filter rule 40 protocol 'tcp'
set firewall ipv4 input filter rule 40 recent count '4'
set firewall ipv4 input filter rule 40 recent time 'minute'
set firewall ipv4 input filter rule 40 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
set firewall ipv4 input filter rule 41 action 'accept'
set firewall ipv4 input filter rule 41 destination port '22'
set firewall ipv4 input filter rule 41 protocol 'tcp'
set firewall ipv4 input filter rule 41 state new 'enable'
Apply the firewall policies:
.. code-block:: none
set firewall interface eth0 in name 'OUTSIDE-IN'
set firewall interface eth0 local name 'OUTSIDE-LOCAL'
Commit changes, save the configuration, and exit configuration mode:
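Review bot: rule 40 is scoped with `inbound-interface interface-name 'eth0'` but rule 41, its matching accept, is not, so SSH becomes reachable on every interface while only the WAN side is rate-limited; either scope rule 41 to eth0 as well or say in the text that 41 intentionally covers LAN access too. Make sure the "Apply the firewall policies" lines at the end of the hunk (`set firewall interface eth0 in name 'OUTSIDE-IN'` and the `local` counterpart) are gone in the new version: they reference rulesets that no longer exist in this CLI, and the forward/input filter hooks apply without any interface attachment, so leaving them would tell readers to run commands that fail.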