mirror of
https://github.com/vyos/vyos-documentation.git
synced 2025-10-26 08:41:46 +01:00
96 lines
3.2 KiB
ReStructuredText
96 lines
3.2 KiB
ReStructuredText
:lastproofread: 2022-09-14
|
|
|
|
.. _firewall-zone:
|
|
|
|
###################
|
|
Zone Based Firewall
|
|
###################
|
|
|
|
.. note:: **Important note:**
|
|
This documentation is valid only for VyOS Sagitta prior to
|
|
1.4-rolling-YYYYMMDDHHmm
|
|
|
|
In zone-based policy, interfaces are assigned to zones, and inspection policy
|
|
is applied to traffic moving between the zones and acted on according to
|
|
firewall rules. A Zone is a group of interfaces that have similar functions or
|
|
features. It establishes the security borders of a network. A zone defines a
|
|
boundary where traffic is subjected to policy restrictions as it crosses to
|
|
another region of a network.
|
|
|
|
Key Points:
|
|
|
|
* A zone must be configured before an interface is assigned to it and an
|
|
interface can be assigned to only a single zone.
|
|
* All traffic to and from an interface within a zone is permitted.
|
|
* All traffic between zones is affected by existing policies
|
|
* Traffic cannot flow between zone member interface and any interface that is
|
|
not a zone member.
|
|
* You need 2 separate firewalls to define traffic: one for each direction.
|
|
|
|
.. note:: In :vytask:`T2199` the syntax of the zone configuration was changed.
|
|
The zone configuration moved from ``zone-policy zone <name>`` to ``firewall
|
|
zone <name>``.
|
|
|
|
*************
|
|
Configuration
|
|
*************
|
|
|
|
As an alternative to applying policy to an interface directly, a zone-based
|
|
firewall can be created to simplify configuration when multiple interfaces
|
|
belong to the same security zone. Instead of applying rule-sets to interfaces,
|
|
they are applied to source zone-destination zone pairs.
|
|
|
|
An basic introduction to zone-based firewalls can be found `here
|
|
<https://support.vyos.io/en/kb/articles/a-primer-to-zone-based-firewall>`_,
|
|
and an example at :ref:`examples-zone-policy`.
|
|
|
|
Define a Zone
|
|
=============
|
|
|
|
To define a zone setup either one with interfaces or a local zone.
|
|
|
|
.. cfgcmd:: set firewall zone <name> interface <interface>
|
|
|
|
Set interfaces to a zone. A zone can have multiple interfaces.
|
|
But an interface can only be a member in one zone.
|
|
|
|
.. cfgcmd:: set firewall zone <name> local-zone
|
|
|
|
Define the zone as a local zone. A local zone has no interfaces and
|
|
will be applied to the router itself.
|
|
|
|
.. cfgcmd:: set firewall zone <name> default-action [drop | reject]
|
|
|
|
Change the default-action with this setting.
|
|
|
|
.. cfgcmd:: set firewall zone <name> description
|
|
|
|
Set a meaningful description.
|
|
|
|
Applying a Rule-Set to a Zone
|
|
=============================
|
|
|
|
Before you are able to apply a rule-set to a zone you have to create the zones
|
|
first.
|
|
|
|
It helps to think of the syntax as: (see below). The 'rule-set' should be
|
|
written from the perspective of: *Source Zone*-to->*Destination Zone*
|
|
|
|
.. cfgcmd:: set firewall zone <Destination Zone> from <Source Zone>
|
|
firewall name <rule-set>
|
|
|
|
.. cfgcmd:: set firewall zone <name> from <name> firewall name
|
|
<rule-set>
|
|
|
|
.. cfgcmd:: set firewall zone <name> from <name> firewall ipv6-name
|
|
<rule-set>
|
|
|
|
You apply a rule-set always to a zone from an other zone, it is recommended
|
|
to create one rule-set for each zone pair.
|
|
|
|
.. code-block:: none
|
|
|
|
set firewall zone DMZ from LAN firewall name LANv4-to-DMZv4
|
|
set firewall zone LAN from DMZ firewall name DMZv4-to-LANv4
|
|
|