Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Configuring global state policies

You can change behavior to be globally stateful by setting a global state policy with security firewall global-state-policy <protocol>. When state policies are defined, state rules for return traffic of that type need not be explicitly mentioned within the rule sets.

The following apply to global stateful rules:

  • A global stateful rule affects only the firewall rules that explicitly (or by inference) refer to that protocol. This inference can occur if the protocol keyword has been omitted for TCP, ICMP or ICMPv6 rules.
  • ICMP sessions are created only for echo-request packets. Attempting to create a session for an echo-response results in a packet drop.
  • It is usually not necessary to specify default-action (or default-log). Reserve default-action for use with a stateless firewall if you want to block only a few packets and pass all others using default-action accept.

Consider the following configuration. In this configuration, each of the rules 10, 20, 30, 40, 100, 200 act as if they also had state enable present. Rule 400 is not affected, and does not enable a state.

The following protocol-specific notes apply to this example:

ICMP

An IPv4 ICMP echo-request packet matches rule 10, creates a state, and allows ICMP echo-response packets to be received. The same applies to IPv6 ICMP echo-request packets and rule 20.

ICMP sessions are created only for echo-request packets. Any attempt to create a session for echo-response packet fails. An echo-response in the presence of the example ruleset will match rule 30 (or 40 for IPv6), and be dropped. Other ICMP packets are allowed through. In this example, it is not necessary to use the security firewall global-state-policy icmp rule because state enable can be used for rule 10 or 20. ICMP errors corresponding to an existing session are always passed (and NAT translated) unless explicitly blocked by a firewall rule.

TCP

For TCP, rule 200 allows outbound traffic to port 80 (http), and allows its response packets. Rule 400 allows out all other packets (including other TCP packets), but packets matching these rules do not create a state. Outbound TCP traffic to a port such as port 88 is allowed, but its response packets are blocked.

UDP

The example ruleset allows all UDP traffic, including requests and responses.

Example configuration

security {
        firewall {
                global-state-policy {
                        icmp
                        tcp
                        udp
                }
                name GblState {
                        rule 10 {
                                action accept
                                icmp {
                                        name echo-request
                                }
                        }
                        rule 20 {
                                action accept
                                icmpv6 {
                                        name echo-request
                                }
                        }
                        rule 30 {
                                action accept
                                protocol icmp
                        }
                        rule 40 {
                                action accept
                                protocol ipv6-icmp
                        }
                        rule 100 {
                                action accept
                                protocol udp
                        }
                        rule 200 {
                                action accept
                                destination {
                                        port 80
                                }
                                protocol tcp
                        }
                        rule 400 {
                                action accept
                        }
                }
        }
 }

Example steps to configure a global firewall policy to allow all return traffic

The following example shows the steps to configure a firewall globally to allow all return traffic. In addition, the firewall allows any traffic (such as FTP data) that is related to allowed traffic in the original direction. The firewall drops invalid traffic.

To configure this global stateful behavior, perform the following steps in configuration mode.

Table 1. Setting a global state policy
Step Command

Configure global state policy.

vyatta@R1# set security firewall global-state-policy icmp

vyatta@R1# set security firewall global-state-policy tcp

vyatta@R1# set security firewall global-state-policy udp

Commit the configuration.

vyatta@R1# commit

Show the state policy configuration.

vyatta@R1# show security firewall global-state-policy
security {
    firewall {
      global-state-policy {
           icmp
           tcp
           udp
        }
    }
}