Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Creating a rule set for traffic to the private zone

The next step, shown in the following example, creates a rule set for traffic to the private zone.

Note that this rule set includes state rules specifically allowing traffic from existing and related connections. This rule is required in this scenario for the following reasons:

  • The rule set from the public zone to the DMZ accepts all traffic for HTTP, HTTPS, FTP, SSH, and Telnet as well as all ICMP traffic.
  • The rule set from the private zone to the DMZ accepts HTTP, HTTPS and ICMP traffic only.

To configure this rule set, perform the following steps in configuration mode.

Table 1. Creating the rule set for traffic to the private zone
Step Command

Create the configuration node for the to_private rule set and give a description for the rule set.

vyatta@R1# set security firewall name to_private description "filter traffic to PRIVATE zone"

Create a rule to allow only established and related traffic to the private zone. This means that only traffic initiated in the private zone or traffic related to established connections (such as FTP data connections or ICMP messages associated with a flow) are allowed.

vyatta@R1# set security firewall name to_private rule 1 action accept

vyatta@R1# set security firewall name to_private rule 1 state established enable

vyatta@R1# set security firewall name to_private rule 1 state related enable

vyatta@R1# set security firewall name to_private rule 1 protocol all

Commit the configuration.

vyatta@R1# commit

Show the firewall configuration.

vyatta@R1# show security firewall name to_private

 description "filter traffic to PRIVATE zone"

 rule 1 {
    action accept
    protocol all
    state {
        established enable
        related enable
    }
 }