Vyatta Network OS Documentation

Learn how to install, configure and operate the Vyatta NOS, which helps drive our virtual networking & physical platforms portfolio.

Configuring firewall

As shipped, Vyatta NOS does not restrict traffic flow: unless a firewall rule set is applied to an interface, the interface passes all traffic in both directions. The firewall provides packet filtering so that you can restrict traffic as required.

In general, to configure a firewall on an interface, follow these steps:
  1. Define a number of named firewall rule sets, each of which contains one or more firewall rules.

    When applying a firewall rule set, keep in mind that after the final user-defined rule an implicit "deny all" rule takes effect: any packet that none of the rules in the set accepts is dropped.

  2. Apply each of the named rule sets to an interface as a filter. You can apply one named rule set to each of the following on an interface:
    • in. If you apply the rule set to an interface as in, the rule set filters packets entering the interface.
    • out. If you apply the rule set to an interface as out, the rule set filters packets leaving the interface.

Define a firewall rule set

The following example shows how to define a firewall rule set and add a firewall rule to the set.

Because of the implicit final deny, a rule set blocks every packet that none of its rules accepts, in the direction in which the set is applied. To allow inbound traffic through a rule set applied as in, you must add rules that accept it (for example, by source address); to allow outbound traffic through a rule set applied as out, you must add rules that accept it.
Note: The rules in this example match on addresses only and do not track connection state, so reply packets are not accepted automatically. If you allow only outbound traffic, outbound connections cannot be established, because the response packets entering the interface are denied. A rule set that accepts outbound traffic and, through the implicit deny, blocks everything else therefore prevents new outbound sessions from completing.
vyatta@R1# set security firewall name FROM_INTERNET
[edit]
vyatta@R1# set security firewall name FROM_INTERNET rule 10 action accept
[edit]
vyatta@R1# set security firewall name FROM_INTERNET rule 10 source address 10.0.0.1
[edit]
vyatta@R1# set security firewall name FROM_INTERNET rule 10 destination address 10.0.0.2
[edit]
vyatta@R1# commit
[edit]

Apply the rule set to an interface

The following example shows how to apply the FROM_INTERNET rule set as in on the dp0p1p1 Internet-facing interface.

vyatta@R1# set interfaces dataplane dp0p1p1 firewall in FROM_INTERNET
[edit]
vyatta@R1# commit
[edit]

Here is the firewall rule set that is created, as shown from configuration mode.

vyatta@R1# show security firewall
 firewall {
        name FROM_INTERNET {
                rule 10 {
                        action accept
                        destination {
                                address 10.0.0.2
                        }
                        source {
                                address 10.0.0.1
                        }
                }
        }
 }
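The following is an added example, not part of the Vyatta NOS documentation, that carries the procedure above through to a complete two-direction configuration and addresses the return-traffic note. It uses the command forms shown on this page plus four keywords that are assumed here rather than taken from this page: `description`, `protocol` with `destination port`, `log`, and `rule N state enable`, the last assumed to enable stateful inspection for that rule so that reply packets of a matched flow are accepted in the reverse direction without a rule of their own. The addresses are constructed: 10.0.0.2 is a host behind dp0p1p1 that must accept SSH only from 10.0.0.1 and may open connections outbound.

```vyatta
# Added example (not from the Vyatta NOS documentation). Assumed keywords:
# description, protocol, destination port, log, and "state enable" (stateful
# inspection so that replies to a matched flow are accepted automatically).

# Inbound filter for dp0p1p1.
vyatta@R1# set security firewall name FROM_INTERNET description "Inbound filter for dp0p1p1"

# Rule 10: only 10.0.0.1 may open SSH to 10.0.0.2. Matching protocol and port
# narrows the address-only rule on this page to the one service that is needed.
# "state enable" (assumed) lets the SSH replies leave through the out filter
# below without a separate rule there.
vyatta@R1# set security firewall name FROM_INTERNET rule 10 action accept
vyatta@R1# set security firewall name FROM_INTERNET rule 10 protocol tcp
vyatta@R1# set security firewall name FROM_INTERNET rule 10 source address 10.0.0.1
vyatta@R1# set security firewall name FROM_INTERNET rule 10 destination address 10.0.0.2
vyatta@R1# set security firewall name FROM_INTERNET rule 10 destination port 22
vyatta@R1# set security firewall name FROM_INTERNET rule 10 state enable

# Rule 20: everything else is dropped and logged. The implicit final deny would
# drop it anyway; an explicit logged rule makes the drops visible for review.
vyatta@R1# set security firewall name FROM_INTERNET rule 20 action drop
vyatta@R1# set security firewall name FROM_INTERNET rule 20 log

# Outbound filter for dp0p1p1: 10.0.0.2 may initiate sessions. "state enable"
# (assumed) is what lets the replies to those sessions come back in despite the
# implicit deny at the end of FROM_INTERNET, which is the failure the note on
# this page describes. Any other internal host hits the implicit deny.
vyatta@R1# set security firewall name TO_INTERNET description "Outbound filter for dp0p1p1"
vyatta@R1# set security firewall name TO_INTERNET rule 10 action accept
vyatta@R1# set security firewall name TO_INTERNET rule 10 source address 10.0.0.2
vyatta@R1# set security firewall name TO_INTERNET rule 10 state enable

# Apply one rule set in each direction and activate the configuration.
vyatta@R1# set interfaces dataplane dp0p1p1 firewall in FROM_INTERNET
vyatta@R1# set interfaces dataplane dp0p1p1 firewall out TO_INTERNET
vyatta@R1# commit
```

The point of pairing the two rule sets is that each direction's implicit deny is covered by the other direction's stateful accept: outbound sessions from 10.0.0.2 get their replies through FROM_INTERNET, and inbound SSH sessions get their replies through TO_INTERNET. If the `state enable` keyword is not available on your release, the same effect requires explicit accept rules for the reply traffic in each rule set, as the note above implies.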