Vyatta Network OS Documentation


Filtering traffic between the transit zones

The first step in setting up zone-based traffic filtering is to create zone policies, as shown in the following example. To create the zone policies, perform the following steps in configuration mode.

Table 1. Creating the zone policies

Step 1. Create the configuration node for the DMZ and give a description for the zone.

    vyatta@R1# set security zone-policy zone dmz description "DMZ ZONE"

Step 2. Add the interface contained in the DMZ.

    vyatta@R1# set security zone-policy zone dmz interface dp0p1p3

Step 3. Create the configuration node for the private zone and give a description for the zone.

    vyatta@R1# set security zone-policy zone private description "PRIVATE ZONE"

Step 4. Add one of the interfaces contained in the private zone.

    vyatta@R1# set security zone-policy zone private interface dp0p1p1

Step 5. Add the other interface contained in the private zone.

    vyatta@R1# set security zone-policy zone private interface dp0p1p2

Step 6. Create the configuration node for the public zone and give a description for the zone.

    vyatta@R1# set security zone-policy zone public description "PUBLIC ZONE"

Step 7. Add the interface contained in the public zone.

    vyatta@R1# set security zone-policy zone public interface dp0p1p4

Step 8. Commit the configuration.

    vyatta@R1# commit

Step 9. Show the configuration.

    vyatta@R1# show security zone-policy
    zone dmz {
        description "DMZ ZONE"
        interface dp0p1p3
    }
    zone private {
        description "PRIVATE ZONE"
        interface dp0p1p1
        interface dp0p1p2
    }
    zone public {
        description "PUBLIC ZONE"
        interface dp0p1p4
    }

At this point, while traffic can flow freely within a zone, no traffic flows between zones. All traffic flowing from one zone to another is dropped. For example, because the dp0p1p1 and dp0p1p2 interfaces lie in the same zone (private), traffic between these interfaces flows freely. However, traffic from dp0p1p2 to dp0p1p3 (which lies in the DMZ) is dropped.

The next step, shown in the following example, is to create firewall rule sets to allow traffic between zones. The first rule set allows all traffic to the public zone. To configure this rule set, perform the following steps in configuration mode.

Table 2. Creating the rule set for traffic to the public zone

Step 1. Create the configuration node for the to_public rule set and give a description for the rule set.

    vyatta@R1# set security firewall name to_public description "allow all traffic to PUBLIC zone"

Step 2. Create a rule to accept all traffic sent to the public zone.

    vyatta@R1# set security firewall name to_public rule 1 action accept

Step 3. Commit the configuration.

    vyatta@R1# commit

Step 4. Show the firewall configuration.

    vyatta@R1# show security firewall name to_public
    description "allow all traffic to PUBLIC zone"
    rule 1 {
        action accept
    }
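The two behaviours described above (traffic flows freely within a zone; traffic between zones is dropped unless a rule set attached to that zone pair accepts it, with an implicit drop when no rule matches) can be checked against constructed flows with the following model. This is an added example written for this page, not Vyatta code: the zone membership and the to_public rule set are taken from Tables 1 and 2, while the `ZONE_POLICY` attachment table, the `to_dmz` rule set, the handling of interfaces that belong to no zone, and the function names are assumptions made for the illustration.

```python
"""Model of zone-based filtering as described on this page (added example,
not Vyatta code). Zone membership and the to_public rule set match Tables 1
and 2; everything else is a constructed assumption for illustration."""

from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Zone membership exactly as committed in Table 1.
ZONES: Dict[str, set] = {
    "dmz": {"dp0p1p3"},
    "private": {"dp0p1p1", "dp0p1p2"},
    "public": {"dp0p1p4"},
}


@dataclass
class Rule:
    number: int
    action: str                      # "accept" or "drop"
    protocol: Optional[str] = None   # None matches any protocol
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, proto: str, port: int) -> bool:
        return self.protocol in (None, proto) and self.dst_port in (None, port)


@dataclass
class RuleSet:
    description: str
    rules: List[Rule] = field(default_factory=list)

    def evaluate(self, proto: str, port: int) -> str:
        """Rules are checked in ascending number order; the first match wins.
        A rule set with no matching rule drops the packet (implicit default)."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(proto, port):
                return rule.action
        return "drop"


FIREWALLS: Dict[str, RuleSet] = {
    # Table 2: a single accept-all rule.
    "to_public": RuleSet("allow all traffic to PUBLIC zone", [Rule(1, "accept")]),
    # Constructed for illustration (not on the page): only HTTPS into the DMZ.
    "to_dmz": RuleSet("HTTPS only to DMZ", [Rule(10, "accept", "tcp", 443)]),
}

# Assumed attachment table: (from_zone, to_zone) -> rule set name.
# The page has not yet attached any rule set, so this starts empty and every
# inter-zone flow is dropped, matching the text after Table 1.
ZONE_POLICY: Dict[Tuple[str, str], str] = {}


def zone_of(interface: str) -> Optional[str]:
    for zone, members in ZONES.items():
        if interface in members:
            return zone
    return None


def verdict(in_iface: str, out_iface: str, proto: str = "tcp", port: int = 443,
            policy: Optional[Dict[Tuple[str, str], str]] = None) -> str:
    """Decide the fate of a flow entering on in_iface and leaving on out_iface."""
    policy = ZONE_POLICY if policy is None else policy
    src, dst = zone_of(in_iface), zone_of(out_iface)
    if src is None or dst is None:
        return "drop"      # assumption: interfaces outside every zone are not reachable
    if src == dst:
        return "accept"    # intra-zone traffic is not subject to zone policy
    name = policy.get((src, dst))
    if name is None:
        return "drop"      # no rule set for this zone pair: default deny
    return FIREWALLS[name].evaluate(proto, port)


if __name__ == "__main__":
    attached = {("private", "public"): "to_public", ("private", "dmz"): "to_dmz"}
    for flow in [("dp0p1p1", "dp0p1p2", "tcp", 22),
                 ("dp0p1p2", "dp0p1p3", "tcp", 443),
                 ("dp0p1p2", "dp0p1p3", "tcp", 22),
                 ("dp0p1p1", "dp0p1p4", "udp", 53)]:
        print(flow, "no policy:", verdict(*flow), "| attached:", verdict(*flow, policy=attached))
```

Running the script prints each constructed flow twice: first against the empty attachment table, where only the dp0p1p1 to dp0p1p2 flow survives, then with the assumed attachments, where the to_public rule set admits everything towards the public zone and the constructed to_dmz set admits only TCP/443 into the DMZ while its implicit default drops TCP/22.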