Merge pull request #1238 from nicolas-fort/fwall-multiple-updates

Add opmode commands for firewall zones, and add global state-policies…
2025-10-26 01:31:44 +02:00 · 2024-01-12 17:25:32 +01:00 · 2024-01-12 17:25:32 +01:00 · bbf1ecdef2
commit bbf1ecdef2
parent 9ccf8010ad 85ef13b14f
2 changed files with 61 additions and 8 deletions
--- a/docs/configuration/firewall/zone.rst
+++ b/docs/configuration/firewall/zone.rst
@ -123,3 +123,41 @@ written from the perspective of: *Source Zone*-to->*Destination Zone*
      set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4
      set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4

+**************
+Operation-mode
+**************
+
+.. opcmd:: show firewall zone-policy
+
+   This will show you a basic summary of zones configuration.
+
+   .. code-block:: none
+
+      vyos@vyos:~$ show firewall zone-policy
+      Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6
+      ------  ------------  -----------  ---------------  ---------------
+      LAN     eth1          WAN          WAN_to_LAN
+              eth2
+      LOCAL   LOCAL         LAN          LAN_to_LOCAL
+                            WAN          WAN_to_LOCAL     WAN_to_LOCAL_v6
+      WAN     eth3          LAN          LAN_to_WAN
+              eth0          LOCAL        LOCAL_to_WAN
+      vyos@vyos:~$
+
+.. opcmd:: show firewall zone-policy zone <zone>
+
+   This will show you a basic summary of a particular zone.
+
+   .. code-block:: none
+
+      vyos@vyos:~$ show firewall zone-policy zone WAN
+      Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6
+      ------  ------------  -----------  ---------------  ---------------
+      WAN     eth3          LAN          LAN_to_WAN
+              eth0          LOCAL        LOCAL_to_WAN
+      vyos@vyos:~$ show firewall zone-policy zone LOCAL
+      Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6
+      ------  ------------  -----------  ---------------  ---------------
+      LOCAL   LOCAL         LAN          LAN_to_LOCAL
+                            WAN          WAN_to_LOCAL     WAN_to_LOCAL_v6
+      vyos@vyos:~$
--- a/docs/quick-start.rst
+++ b/docs/quick-start.rst
@ -142,7 +142,7 @@ networks, addresses, ports, and domains that describe different parts of
 our network. We can then use them for filtering within our firewall rulesets,
 allowing for more concise and readable configuration.

-In this case, we will create two interface groups—a ``WAN`` group for our
+In this case, we will create two interface groups — a ``WAN`` group for our
 interfaces connected to the public internet and a ``LAN`` group for the
 interfaces connected to our internal network. Additionally, we will create a
 network group, ``NET-INSIDE-v4``, that contains our internal subnet.
@ -157,10 +157,26 @@ Configure Stateful Packet Filtering
 -----------------------------------

 With the new firewall structure, we have have a lot of flexibility in how we
-group and order our rules, as shown by the two alternative approaches below.
+group and order our rules, as shown by the three alternative approaches below.

-Option 1: Common Chain
-^^^^^^^^^^^^^^^^^^^^^^
+Option 1: Global State Policies
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+Using options defined in ``set firewall global-options state-policy``, state
+policy rules that applies for both IPv4 and IPv6 are created. These global
+state policies also applies for all traffic that passes through the router
+(transit) and for traffic originated/destinated to/from the router itself, and
+will be avaluated before any other rule defined in the firewall.
+
+Most installations would choose this option, and will contain:
+
+.. code-block:: none
+
+  set firewall global-options state-policy established action accept
+  set firewall global-options state-policy related action accept
+  set firewall global-options state-policy invalid action drop
+
+Option 2: Common/Custom Chain
+^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

 We can create a common chain for stateful connection filtering of multiple
 interfaces (or multiple netfilter hooks on one interface). Those individual
@ -197,12 +213,11 @@ hooks as the first filtering rule in the respective chains:
  set firewall ipv4 input filter rule 10 action 'jump'
  set firewall ipv4 input filter rule 10 jump-target CONN_FILTER

-Option 2: Per-Hook Chain
+Option 3: Per-Hook Chain
 ^^^^^^^^^^^^^^^^^^^^^^^^

-Alternatively, instead of configuring the ``CONN_FILTER`` chain described above,
-you can take the more traditional stateful connection filtering approach by
-creating rules on each hook's chain:
+Alternatively, you can take the more traditional stateful connection
+filtering approach by creating rules on each base hook's chain:

 .. code-block:: none