home

Supported platforms

Getting startedOverviewArchitectureSupported platformsRelease notesWhite papers
Getting startedOverviewArchitectureSupported platformsRelease notesWhite papers

Vyatta documentation

Learn how to install, configure, and operate the Vyatta Network Operating System (Vyatta NOS) and Orchestrator, which help drive our virtual networking and physical platforms portfolio.

Show On this page:

thumbnailSupported platforms

Zone-based firewall

Creating rule sets

The next step, shown in the following example, creates two rule sets: one from the private zone to the DMZ and one from the public zone to the DMZ.

  • The rule set from the public zone to the DMZ accepts all traffic for HTTP, HTTPS, FTP, SSH, and Telnet as well as all ICMP traffic.
  • The rule set from the private zone to the DMZ accepts HTTP, HTTPS and ICMP traffic only.

To configure these rule sets, perform the following steps in configuration mode.

Table 1. Creating the rule set for traffic to the DMZ
Step Command

Create the configuration node for the private_to_dmz rule set and give a description for the rule set. 

vyatta@R1# set security firewall name private_to_dmz description "filter traffic from PRIVATE zone to DMZ zone"

Create a rule to allow traffic sent from the private zone to HTTP, HTTPS, FTP, SSH, and Telnet ports in the DMZ. 

vyatta@R1# set security firewall name private_to_dmz rule 1 action accept

vyatta@R1# set security firewall name private_to_dmz rule 1 destination port http,https,ftp,ssh,telnet

vyatta@R1# set security firewall name private_to_dmz rule 1 protocol tcp

Create a rule to allow all ICMP traffic sent from the private zone to the DMZ. 

vyatta@R1# set security firewall name private_to_dmz rule 2 action accept

vyatta@R1# set security firewall name private_to_dmz rule 2 icmp type-name any

vyatta@R1# set security firewall name private_to_dmz rule 2 protocol icmp

Commit the configuration. 

vyatta@R1# commit

Show the firewall configuration. 

vyatta@R1# show security firewall name private_to_dmz

rule 5 {
     action accept
     source {
         mac-address 0:13:ce:29:be:e7
     }
 }

Create the configuration node for the public_to_dmz rule set and give a description for the rule set. 

vyatta@R1# set security firewall name public_to_dmz description "filter traffic from PUBLIC zone to DMZ zone"

Create a rule to allow traffic sent from the public zone only to HTTP and HTTPS ports in the DMZ. 

vyatta@R1# set security firewall name public_to_dmz rule 1 action accept

vyatta@R1# set security firewall name public_to_dmz rule 1 destination port http,https

vyatta@R1# set security firewall name public_to_dmz rule 1 protocol tcp

Create a rule to allow all ICMP traffic sent from the public zone to the DMZ. 

vyatta@R1# set security firewall name public_to_dmz rule 2 action accept

vyatta@R1# set security firewall name public_to_dmz rule 2 icmp type-name any

vyatta@R1# set security firewall name public_to_dmz rule 2 protocol icmp

Commit the configuration. 

vyatta@R1# commit

Show the firewall configuration. 

vyatta@R1# show security firewall name public_to_dmz

 description "filter traffic from PUBLIC zone to DMZ zone"

 rule 1 {
    action accept
    destination {
        port http,https
    }
    protocol tcp
 }
 rule 2 {
    action accept
    icmp {
        type-name any
    }
    protocol icmp
 }

Last updated: May 7, 2021