quick-start: initial pass of netfilter firewall configuration intro

docs/quick-start.rst

@@ -118,7 +118,6 @@ network via IP masquerade.
   set nat source rule 100 source address '192.168.0.0/24'
   set nat source rule 100 translation address masquerade
 
-
 Firewall
 ########
 
@@ -126,57 +125,177 @@ Firewall
    found on all vyos instalations. Documentation for most of the new firewall CLI
    can be found in the :ref:`firewall` chapter. The legacy firewall is still available
    for versions before 1.4-rolling-202308040557 and can be found in the
-   :ref:`firewall-legacy` chapter. The examples in this section still use the
+   :ref:`firewall-legacy` chapter. The examples in this section use the
-   legacy firewall configuration options.
+   new configuration.
 
-Add a set of firewall policies for our outside/WAN interface.
+Configure Firewall Groups
+-------------------------
 
-This configuration creates a proper stateful firewall that blocks all traffic
+To make firewall configuration easier, we can create groups of interfaces,
-which was not initiated from the internal/LAN side first.
+networks, addresses, ports, and domains that describe different parts of
+our network. We can then use them for filtering within our firewall rulesets,
+allowing for more concise and readable configuration.
+
+In this case, we will create two interface groups—a `WAN` group for our
+interfaces connected to the public internet and a `LAN` group for the interfaces
+connected to our internal network. Additionally, we will create a network group,
+`NET-INSIDE-v4`, that contains our internal subnet.
 
 .. code-block:: none
 
-  set firewall name OUTSIDE-IN default-action 'drop'
+  set firewall group interface-group WAN interface eth0
-  set firewall name OUTSIDE-IN rule 10 action 'accept'
+  set firewall group interface-group LAN interface eth1
-  set firewall name OUTSIDE-IN rule 10 state established 'enable'
+  set firewall group network-group NET-INSIDE-v4 network '192.168.0.0/24'
-  set firewall name OUTSIDE-IN rule 10 state related 'enable'
 
-  set firewall name OUTSIDE-LOCAL default-action 'drop'
+Stateful Packet Filtering
-  set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
+-------------------------
-  set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
-  set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
-  set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
-  set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
-  set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
-  set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
 
-If you wanted to enable SSH access to your firewall from the outside/WAN
+Using the new firewall structure, we can create a common chain for stateful
-interface, you could create some additional rules to allow that kind of
+connection filtering of multiple interfaces (or multiple netfilter hooks on one
-traffic.
+interface). Those individual chains can then jump to the common chain for
-
+stateful connection filtering, returning to the original chain for further
-These rules allow SSH traffic and rate limit it to 4 requests per minute. This
+rule processing if no action is taken on the packet:
-blocks brute-forcing attempts:
 
 .. code-block:: none
 
-  set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
+  # Create a new chain for stateful connection filtering that
-  set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
+  # will return to the original chain if no action is taken
-  set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
+  set firewall ipv4 name CONN_FILTER default-action 'return'
-  set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
-  set firewall name OUTSIDE-LOCAL rule 30 recent time 'minute'
-  set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
 
-  set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
+  # Allow established and related traffic
-  set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
+  set firewall ipv4 name CONN_FILTER rule 10 action 'accept'
-  set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
+  set firewall ipv4 name CONN_FILTER rule 10 state established 'enable'
-  set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
+  set firewall ipv4 name CONN_FILTER rule 10 state related 'enable'
 
-Apply the firewall policies:
+  # Drop invalid traffic
+  set firewall ipv4 name CONN_FILTER rule 20 action 'drop'
+  set firewall ipv4 name CONN_FILTER rule 20 state invalid 'enable'
+
+Then, we can jump to the common chain from both the `forward` and `input` hooks
+as the first filtering rule in the respective chains:
 
 .. code-block:: none
 
-  set firewall interface eth0 in name 'OUTSIDE-IN'
+  # Add a filter for the `forward` hook that sends all packets to CONN_FILTER
-  set firewall interface eth0 local name 'OUTSIDE-LOCAL'
+  set firewall ipv4 forward filter rule 10 action 'jump'
+  set firewall ipv4 forward filter rule 10 jump-target CONN_FILTER
+
+  # Add a filter for the `input` hook that sends all packets to that same chain
+  set firewall ipv4 input filter rule 10 action 'jump'
+  set firewall ipv4 input filter rule 10 jump-target CONN_FILTER
+
+Alternatively, you can take the more traditional approach of creating rules on
+each hook's chain for stateful connection filtering:
+
+.. code-block:: none
+
+  set firewall ipv4 forward filter rule 5 action 'accept'
+  set firewall ipv4 forward filter rule 5 state established 'enable'
+  set firewall ipv4 forward filter rule 5 state related 'enable'
+  set firewall ipv4 forward filter rule 10 action 'drop'
+  set firewall ipv4 forward filter rule 10 state invalid 'enable'
+
+  set firewall ipv4 input filter rule 5 action 'accept'
+  set firewall ipv4 input filter rule 5 state established 'enable'
+  set firewall ipv4 input filter rule 5 state related 'enable'
+  set firewall ipv4 input filter rule 10 action 'drop'
+  set firewall ipv4 input filter rule 10 state invalid 'enable'
+
+Block Incoming Traffic
+----------------------
+
+Now that we have configured stateful connection filtering to allow traffic from
+established and related connections, we can block all other incoming traffic
+addressed to our local network.
+
+Create a new chain (`OUTSIDE-IN`) which will drop all traffic that is not
+explicity allowed at some point in the chain. Then, we can jump to that chain
+from the `forward` hook when traffic is coming from the `WAN` interface group
+and is addressed to our local network.
+
+.. code-block:: none
+
+  set firewall ipv4 name OUTSIDE-IN default-action 'drop'
+
+  set firewall ipv4 forward filter rule 100 action jump
+  set firewall ipv4 forward filter rule 100 jump-target OUTSIDE-IN
+  set firewall ipv4 forward filter rule 100 inbound-interface interface-group WAN
+  set firewall ipv4 forward filter rule 100 destination group network-group NET-INSIDE-v4
+
+We should also block all traffic destinated to the router itself that isn't
+explicitly allowed at some point in the chain for the `input` hook. As
+we've already configured stateful packet filtering above, we only need to
+set the default action to `drop`:
+
+.. code-block:: none
+
+  set firewall ipv4 input filter default-action 'drop'
+
+Configure Management Access
+---------------------------
+
+We can now configure access to the router itself, allowing SSH
+access from the inside/LAN network and rate limiting SSH access from the
+outside/WAN network.
+
+First, create a new dedicated chain (`VyOS_MANAGEMENT`) for management
+access, which returns to the parent chain if no action is taken. Add a rule
+to accept traffic from the `LAN` interface group:
+
+.. code-block:: none
+
+  set firewall ipv4 name VyOS_MANAGEMENT default-action 'return'
+
+Configure a rule on the `input` hook filter to jump to the `VyOS_MANAGEMENT`
+chain when new connections are addressed to port 22 (SSH) on the router itself:
+
+.. code-block:: none
+
+  set firewall ipv4 input filter rule 20 action jump
+  set firewall ipv4 input filter rule 20 jump-target VyOS_MANAGEMENT
+  set firewall ipv4 input filter rule 20 destination port 22
+  set firewall ipv4 input filter rule 20 protocol tcp
+
+Finally, configure the `VyOS_MANAGEMENT` chain to accept connection from the
+`LAN` interface group while limiting requests coming from the `WAN` interface
+group to 4 per minute:
+
+.. code-block:: none
+
+  set firewall ipv4 name VyOS_MANAGEMENT rule 15 action 'accept'
+  set firewall ipv4 name VyOS_MANAGEMENT rule 15 inbound-interface interface-group 'LAN'
+
+  set firewall ipv4 name VyOS_MANAGEMENT rule 20 action 'drop'
+  set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent count 4
+  set firewall ipv4 name VyOS_MANAGEMENT rule 20 recent time minute
+  set firewall ipv4 name VyOS_MANAGEMENT rule 20 state new enable
+  set firewall ipv4 name VyOS_MANAGEMENT rule 20 inbound-interface interface-group 'WAN'
+
+  set firewall ipv4 name VyOS_MANAGEMENT rule 21 action 'accept'
+  set firewall ipv4 name VyOS_MANAGEMENT rule 21 state new enable
+  set firewall ipv4 name VyOS_MANAGEMENT rule 21 inbound-interface interface-group 'WAN'
+
+Allow Access to Services
+------------------------
+
+We can now configure access to the services running on this router, allowing
+all connections coming from localhost:
+
+.. code-block:: none
+
+  set firewall ipv4 input filter rule 30 action 'accept'
+  set firewall ipv4 input filter rule 30 source address 127.0.0.0/8
+
+Finally, we can allow access to the DNS recursor we configured earlier,
+accepting traffic bound for port 53 from all hosts on the `NET-INSIDE-v4`
+network:
+
+.. code-block:: none
+
+  set firewall ipv4 input filter rule 40 action 'accept'
+  set firewall ipv4 input filter rule 40 destination port '53'
+  set firewall ipv4 input filter rule 40 protocol 'tcp_udp'
+  set firewall ipv4 input filter rule 40 source group network-group NET-INSIDE-v4
 
 Commit changes, save the configuration, and exit configuration mode:
 
@@ -189,7 +308,6 @@ Commit changes, save the configuration, and exit configuration mode:
   vyos@vyos# exit
   vyos@vyos$
 
-
 Hardening
 #########