Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Changes in global-state-policy behavior

This section describes the change in global-state-policy behavior introduced in Release 5.1 and shows how to achieve similar functionality in Release 5.1 and later.

Prior to Release 5.1, the vRouter added implicit rules whenever global state policies were defined. From Release 5.1 onwards this no longer occurs. The reason for the change is to ensure that firewalls are not "opened up" unintentionally: because the implicit rules were evaluated after all configured rule groups, any TCP, UDP or ICMP traffic that no configured rule matched was accepted rather than dropped, regardless of whether the operator intended that. The details of the behavior change are as follows.

Prior to Release 5.1, a rule group named "default_state_group" was added after all rule groups configured on interfaces, in both the "in" and the "out" directions. Its contents depended on which values were set for "global-state-policy" (one or more of "icmp", "tcp", and "udp"). If all three were configured, i.e.

set global-state-policy icmp

set global-state-policy tcp

set global-state-policy udp

then its contents were:

rule 100 - allow stateful proto tcp

rule 200 - allow stateful proto udp

rule 300 - allow stateful proto icmp

If a protocol was not set in global-state-policy, no entry appeared for that protocol.
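The following model makes the "opened up" effect concrete. It is an added illustration, not code from the Vyatta NOS documentation or product: it assumes, as the description above implies, that firewall groups on an interface are walked in configured order, that the first matching rule decides, that unmatched traffic falls through to the next group, and that traffic matching no rule at all is dropped. The "ALLOW-SSH" group, the packets and the protocol set are constructed for the example.

```python
"""Model of pre-5.1 vs 5.1+ evaluation of an interface's firewall groups.

Added illustration, not Vyatta NOS code. Constructed data throughout.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    number: int
    action: str                      # "accept" or "drop"
    protocol: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        if self.protocol is not None and pkt.get("proto") != self.protocol:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class Group:
    name: str
    rules: list = field(default_factory=list)


def default_state_group(policies) -> Group:
    """Rebuild the implicit group the pre-5.1 vRouter appended, from the
    protocols given to global-state-policy (rule numbers as in the text)."""
    numbers = {"tcp": 100, "udp": 200, "icmp": 300}
    group = Group("default_state_group")
    for proto in ("tcp", "udp", "icmp"):
        if proto in policies:
            group.rules.append(Rule(numbers[proto], "accept", proto))
    return group


def evaluate(groups, pkt) -> str:
    """Walk groups in configured order; the first matching rule decides.
    A packet matching no rule in any group falls to the implicit drop."""
    for group in groups:
        for rule in sorted(group.rules, key=lambda r: r.number):
            if rule.matches(pkt):
                return f"{rule.action} ({group.name} rule {rule.number})"
    return "drop (implicit default)"


# Constructed operator policy: the only explicit rule admits SSH; the
# operator expects everything else to be dropped.
ALLOW_SSH = Group("ALLOW-SSH", [Rule(10, "accept", "tcp", dport=22)])
POLICIES = {"tcp", "udp", "icmp"}   # all three global-state-policy values set


def pre_5_1(pkt) -> str:
    """Before 5.1 the implicit group was appended after the configured groups."""
    return evaluate([ALLOW_SSH, default_state_group(POLICIES)], pkt)


def post_5_1(pkt) -> str:
    """From 5.1 only the configured groups are evaluated."""
    return evaluate([ALLOW_SSH], pkt)


if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "dport": 22},
                {"proto": "tcp", "dport": 3389},
                {"proto": "udp", "dport": 161},
                {"proto": "icmp"}):
        print(pkt, "| pre-5.1:", pre_5_1(pkt), "| 5.1+:", post_5_1(pkt))
```

Only the SSH packet is treated the same way by both releases. Every other TCP, UDP or ICMP packet is accepted by the implicit group before 5.1 and dropped from 5.1 onwards, which is exactly the difference the explicit DEFAULT-FW group in the next section reintroduces on purpose.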

With Release 5.1 and later, if you want functionality similar to that of earlier releases, you must create an explicit group of rules and apply it to each interface and direction ("in" and "out") after all the rule groups already applied there (if any). Bear in mind that this explicit group reproduces the old behavior, accepting any TCP, UDP or ICMP traffic that no earlier rule matched, so apply it only on the interfaces and directions where you actually relied on that behavior.

For example, if the configuration has the lines:

set global-state-policy icmp

set global-state-policy tcp

set global-state-policy udp

then similar functionality can be achieved by leaving those lines in place, so that accepted TCP, UDP and ICMP flows remain stateful as they were under the implicit rules, and adding the following configuration:

set security firewall name DEFAULT-FW rule 100 action accept

set security firewall name DEFAULT-FW rule 100 protocol tcp

set security firewall name DEFAULT-FW rule 200 action accept

set security firewall name DEFAULT-FW rule 200 protocol udp

set security firewall name DEFAULT-FW rule 300 action accept

set security firewall name DEFAULT-FW rule 300 protocol icmp

For each interface IF-NAME on which firewall groups are applied in the "in" direction, configure the following after all other firewall groups on the interface:

set interfaces dataplane IF-NAME firewall in DEFAULT-FW

Likewise, for each interface IF-NAME on which firewall groups are applied in the "out" direction, configure the following after all other firewall groups on the interface:

set interfaces dataplane IF-NAME firewall out DEFAULT-FW
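The procedure above is mechanical enough to generate from an existing configuration. The script below is an added example, not code from the Vyatta NOS documentation or product: it reads "set" lines in the form used on this page, collects which global-state-policy protocols are configured and which interface/direction pairs already have firewall groups, and emits the DEFAULT-FW rules plus one attachment per such pair, so DEFAULT-FW lands after the groups already there. It refuses to proceed when DEFAULT-FW is already attached but not last, since re-adding it would not move it. The interface names, group names and address line in the sample are constructed; the group name DEFAULT-FW and the rule numbers follow the page.

```python
"""Generate the Release 5.1+ replacement for the implicit default_state_group.

Added illustration, not Vyatta NOS code. Input is "set ..." lines in the
form used on this page; sample configuration below is constructed.
"""
import re

GROUP_NAME = "DEFAULT-FW"
RULE_NUMBERS = {"tcp": 100, "udp": 200, "icmp": 300}   # numbering of the old implicit group

# "set [...] global-state-policy <proto>", whatever path prefix the release uses
GSP_RE = re.compile(r"^set (?:.+ )?global-state-policy (tcp|udp|icmp)$")
# "set interfaces dataplane <if> firewall <in|out> <group>"
ATTACH_RE = re.compile(r"^set interfaces dataplane (\S+) firewall (in|out) (\S+)$")


def parse_config(lines):
    """Return (protocols, attachments): the global-state-policy protocols in
    configured order, and {(ifname, direction): [groups in configured order]}."""
    protocols = []
    attachments = {}
    for raw in lines:
        line = raw.strip()
        m = GSP_RE.match(line)
        if m:
            protocols.append(m.group(1))
            continue
        m = ATTACH_RE.match(line)
        if m:
            attachments.setdefault((m.group(1), m.group(2)), []).append(m.group(3))
    return protocols, attachments


def migration_commands(lines):
    """Emit the DEFAULT-FW rules and one attachment for every interface and
    direction that already carries firewall groups, in that order."""
    protocols, attachments = parse_config(lines)
    if not protocols:
        return []   # no global-state-policy: the old implicit group was empty
    cmds = []
    for proto in ("tcp", "udp", "icmp"):   # keep the old 100/200/300 ordering
        if proto in protocols:
            n = RULE_NUMBERS[proto]
            cmds.append(f"set security firewall name {GROUP_NAME} rule {n} action accept")
            cmds.append(f"set security firewall name {GROUP_NAME} rule {n} protocol {proto}")
    for (ifname, direction), groups in attachments.items():
        if groups[-1] == GROUP_NAME:
            continue   # already applied after the other groups; nothing to do
        if GROUP_NAME in groups:
            raise ValueError(
                f"{GROUP_NAME} is applied on {ifname} {direction} before other groups; "
                "remove it and re-add it after them")
        cmds.append(f"set interfaces dataplane {ifname} firewall {direction} {GROUP_NAME}")
    return cmds


# Constructed configuration: dp0s3 is filtered in both directions, dp0s4 only
# inbound, and dp0s5 has no firewall at all (so it must get no DEFAULT-FW).
SAMPLE_CONFIG = """
set global-state-policy tcp
set global-state-policy udp
set global-state-policy icmp
set interfaces dataplane dp0s3 firewall in FROM-WAN
set interfaces dataplane dp0s3 firewall in FROM-WAN-EXTRA
set interfaces dataplane dp0s3 firewall out TO-WAN
set interfaces dataplane dp0s4 firewall in FROM-LAN
set interfaces dataplane dp0s5 address 10.0.0.1/24
""".strip().splitlines()

if __name__ == "__main__":
    print("\n".join(migration_commands(SAMPLE_CONFIG)))
```

Run against the sample, the script emits the six DEFAULT-FW rule lines followed by attachments for dp0s3 in, dp0s3 out and dp0s4 in only; dp0s5, which had no firewall, is left untouched, in keeping with the advice above to add the group only where the old implicit behavior was relied upon. Running it again on a configuration that already includes its output produces only the rule lines, because every attachment already ends in DEFAULT-FW.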