vyos/vyos-documentation
1
0
Fork 0
mirror of https://github.com/vyos/vyos-documentation.git synced 2025-12-15 18:12:02 +01:00
Code Issues Packages Projects Releases Wiki Activity

Added new section about the different firewalls

Browse Source 
Updated labels for the pages
Added new pictures.

Signed-off-by: Nephiaust <29741794+Nephiaust@users.noreply.github.com>
This commit is contained in:
Nephiaust 2023-09-18 01:08:00 +09:30
parent d9a978cf58
commit 7d07926f37
No known key found for this signature in database
GPG Key ID: 726EDD6402B17A64
7 changed files with 98 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
docs/_static/images/firewall-netfilter.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 72 KiB

BIN
docs/_static/images/firewall-traditional.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 52 KiB

BIN
docs/_static/images/firewall-zonebased.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 54 KiB

8
docs/configuration/firewall/general-legacy.rst
View File

@ -1,10 +1,10 @@
:lastproofread: 2021-06-29 :lastproofread: 2021-06-29
.. _firewall-legacy: .. _legacy-firewall:
############### ###################################
Firewall-Legacy Firewall Configuration (Deprecated)
############### ###################################
.. note:: **Important note:** .. note:: **Important note:**
This documentation is valid only for VyOS Sagitta prior to This documentation is valid only for VyOS Sagitta prior to

55
docs/configuration/firewall/general.rst
View File

@ -1,10 +1,10 @@
:lastproofread: 2021-06-29 :lastproofread: 2023-09-17
.. _firewall: .. _firewall-configuration:
######## ######################
Firewall Firewall Configuration
######## ######################
******** ********
Overview Overview
@ -17,48 +17,41 @@ The firewall supports the creation of groups for addresses, domains,
interfaces, mac-addresses, networks and port groups. This groups can be used interfaces, mac-addresses, networks and port groups. This groups can be used
later in firewall ruleset as desired. later in firewall ruleset as desired.
.. note:: **Important note on usage of terms:**
The firewall makes use of the terms `forward`, `input`, and `output`
for firewall policy. More information of Netfilter hooks and Linux
networking packet flows can be found in `Netfilter-Hooks
<https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_
Main structure is shown next: Main structure is shown next:
.. code-block:: none .. code-block:: none
- set firewall - set firewall
* global-options * global-options
+ all-ping + all-ping
+ broadcast-ping + broadcast-ping
+ ... + ...
* group * group
- address-group - address-group
- ipv6-address-group - ipv6-address-group
- network-group - network-group
- ipv6-network-group - ipv6-network-group
- interface-group - interface-group
- mac-group - mac-group
- port-group - port-group
- domain-group - domain-group
* ipv4 * ipv4
- forward - forward
+ filter + filter
- input - input
+ filter + filter
- output - output
+ filter + filter
- name - name
+ custom_name + custom_name
* ipv6 * ipv6
- forward - forward
+ filter + filter
- input - input
+ filter + filter
- output - output
+ filter + filter
- ipv6-name - ipv6-name
+ custom_name + custom_name
Where, main key words and configuration paths that needs to be understood: Where, main key words and configuration paths that needs to be understood:

73
docs/configuration/firewall/index.rst
View File

@ -1,24 +1,85 @@
:lastproofread: 2023-09-17
######## ########
Firewall Firewall
######## ########
Starting from VyOS 1.4-rolling-202308040557, a new firewall structure .. attention::
can be found on all vyos installations. Documentation for most new firewall Starting from VyOS 1.4-rolling-202308040557, a new firewall structure
cli can be found here: can be found on all vyos installations.
.. note::
The legacy and zone-based firewall configuration options is not longer
supported. They are here for reference purposes only.
Netfilter based
^^^^^^^^^^^^^^^
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 1
:includehidden: :includehidden:
general general
Also, for those who haven't updated to newer version, legacy documentation is With VyOS being based on top of Linux and its kernel, the Netfilter project created
still present and valid for all sagitta version prior to VyOS the iptables and now the successor nftables for the Linux kernel to work directly
1.4-rolling-202308040557: on the data flows. This now extends the concept of zone-based security to allow
for manipulating the data at multiple stages once accepted by the network interface
and the driver before being handed off to the destination (e.g. a web server OR
another device).
To configure VyOS with the new :doc:`firewall configuration </configuration/firewall/general>`
The only stages VyOS will process as part of the firewall configuration is the
`forward` (F4 stage), `input` (L4 stage), and `output` (L5 stage). All the other
stages and steps are for reference and cant be manipulated through VyOS.
In this example image, a simplifed traffic flow is shown to help provide context
to the terms of `forward`, `input`, and `output` for the new firewall CLI format.
.. figure:: /_static/images/firewall-netfilter.png
.. note:: **For more information**
of Netfilter hooks and Linux networking packet flows can be
found in `Netfilter-Hooks
<https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_
Legacy Firewall
^^^^^^^^^^^^^^^
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 1
:includehidden: :includehidden:
general-legacy general-legacy
Traditionally firewalls weere configured with the concept of data going in and
out of an interface. The router just listened to the data flowing through and
responding as required if it was directed at the router itself.
To configure VyOS with the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>`
As the example image below shows, the device was configured with rules blocking
inbound or outbound traffic on each interface.
.. figure:: /_static/images/firewall-traditional.png
Zone-based firewall
^^^^^^^^^^^^^^^^^^^
.. toctree::
:maxdepth: 1
:includehidden:
zone zone
With zone-based firewalls a new concept was implemented, in addtion to the standard
in and out traffic flows, a local flow was added. This local was for traffic
originating and destined to the router itself. Which means additional rules were
required to secure the firewall itself from the network, in addition to the existing
inbound and outbound rules from the traditional concept above.
To configure VyOS with the :doc:`zone-based firewall configuration </configuration/firewall/zone>`
As the example image below shows, the device now needs rules to allow/block traffic
to or from the services running on the device that have open connections on that
interface.
.. figure:: /_static/images/firewall-zonebased.png

6
docs/configuration/firewall/zone.rst
View File

@ -2,9 +2,9 @@
.. _firewall-zone: .. _firewall-zone:
################### ################################
Zone Based Firewall Zone Based Firewall (Deprecated)
################### ################################
.. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall .. note:: Starting from VyOS 1.4-rolling-202308040557, a new firewall
structure can be found on all vyos instalations, and zone based firewall is structure can be found on all vyos instalations, and zone based firewall is