Vyatta NOS documentation


Filtering traffic to and from the local zone

The local zone is a special zone that refers to the vRouter itself. By default, all traffic destined for the system and originating from the system is allowed. In the following figure, arrows depict traffic flow to and from the transit zones (private, DMZ, and public) as well as to and from the local zone.

Figure 1. Default traffic to and from the local zone

To create a configuration that restricts vRouter access to hosts located within the private zone, perform the following steps in configuration mode.

Table 1. Restricting vRouter access to hosts located in the private zone

Create the configuration node for the private_to_Vyatta rule set and give a description for the rule set.

vyatta@R1# set security firewall name private_to_Vyatta description "filter traffic from PRIVATE zone to local-zone"

Allow all traffic.

vyatta@R1# set security firewall name private_to_Vyatta rule 1 action accept

Commit the configuration.

vyatta@R1# commit

Show the private_to_Vyatta firewall configuration.

vyatta@R1# show security firewall name private_to_Vyatta

 description "filter traffic from PRIVATE zone to local-zone"

 rule 1 {
    action accept
 }

Apply the private_to_Vyatta rule set to traffic from the private zone to the local zone.

vyatta@R1# set security zone-policy zone Vyatta from private firewall name private_to_Vyatta


Set the local zone.

vyatta@R1# set security zone-policy zone Vyatta local-zone

Commit the configuration.

vyatta@R1# commit

Show the local zone policy configuration.

vyatta@R1# show security zone-policy zone Vyatta

 from private {
    firewall {
        name private_to_Vyatta
    }
 }
 local-zone

At this point, only traffic from the private zone destined for the vRouter is allowed. Traffic from all other zones is dropped. However, all traffic originating from the vRouter is still allowed to all zones.

Note: Care should be taken when defining the local zone. If you are configuring the system through a remote connection (for example, through SSH) and restrict access from the zone in which you are located, your session is dropped. You must make sure that traffic from your zone to the vRouter is allowed.

Be aware that some services (for example, DNS forwarding and Web Proxy) terminate client connections on the vRouter and then initiate their own connections to another host. In the case of DNS forwarding, a query that reaches the router for a non-cached DNS entry causes the DNS forwarder to open a connection to the external name server, retrieve the entry, and pass it back to the originating client. In the previous configuration example, in which packets to the router are allowed only from the private zone, the replies coming back to the router from an external name server in the public zone are dropped. Thus, to allow packets destined for the router from the public zone, define a rule set and apply it in the local zone by performing the following steps.

Table 2. Filtering traffic from the public zone to the vRouter

Create the configuration node for the public_to_Vyatta rule set and give a description for the rule set.

vyatta@R1# set security firewall name public_to_Vyatta description "filter traffic from PUBLIC zone to local-zone"

Allow the specified traffic.

vyatta@R1# set security firewall name public_to_Vyatta rule 1 action accept

vyatta@R1# set security firewall name public_to_Vyatta rule 1 protocol all

vyatta@R1# set security firewall name public_to_Vyatta rule 1 state established enable

vyatta@R1# set security firewall name public_to_Vyatta rule 1 state related enable

Commit the configuration.

vyatta@R1# commit

Show the public_to_Vyatta firewall configuration.

vyatta@R1# show security firewall name public_to_Vyatta

 description "filter traffic from PUBLIC zone to local-zone"

 rule 1 {
    action accept
    protocol all
    state {
        established enable
        related enable
    }
 }

Apply the public_to_Vyatta rule set to traffic from the public zone to the local zone.

vyatta@R1# set security zone-policy zone Vyatta from public firewall name public_to_Vyatta


Commit the configuration.

vyatta@R1# commit

Show the new local zone policy configuration.

vyatta@R1# show security zone-policy zone Vyatta

 from private {
    firewall {
        name private_to_Vyatta
    }
 }
 from public {
    firewall {
        name public_to_Vyatta
    }
 }
 local-zone

By default, all traffic originating from the local zone is permitted. To restrict this traffic, you must define the local zone as a “from zone” within the definition of a transit zone. After the local zone is used as a “from zone,” all traffic from the vRouter to all other zones is blocked unless explicitly allowed through the use of a rule set that allows traffic into a specific zone.

For example, to allow traffic from the vRouter only to the private zone, perform the following steps.

Table 3. Allowing traffic from the vRouter to the private zone

Create the configuration node for the from_Vyatta rule set and give a description for the rule set.

vyatta@R1# set security firewall name from_Vyatta description "allow all traffic from local-zone"

Allow the specified traffic.

vyatta@R1# set security firewall name from_Vyatta rule 1 action accept

vyatta@R1# set security firewall name from_Vyatta rule 1 protocol all

Commit the configuration.

vyatta@R1# commit

Show the from_Vyatta firewall configuration.

vyatta@R1# show security firewall name from_Vyatta

 description "allow all traffic from local-zone"

 rule 1 {
    action accept
    protocol all
 }

Apply the from_Vyatta rule set to traffic from the local zone to the private zone.

vyatta@R1# set security zone-policy zone private from Vyatta firewall name from_Vyatta


Commit the configuration.

vyatta@R1# commit

Show the new private zone policy configuration.

vyatta@R1# show security zone-policy zone private

 description "PRIVATE ZONE"
 from dmz {
    firewall {
        name to_private
    }
 }
 from public {
    firewall {
        name to_private
    }
 }
 from Vyatta {
    firewall {
        name from_Vyatta
    }
 }
 interface dp0p1p1
 interface dp0p1p2

Remember that services which originate traffic from the vRouter need a rule set applied from the local zone to each zone they reach. For example, for DNS forwarding to work, traffic must be permitted from the vRouter to the public zone.
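The two failure modes described on this page, locking out your own management session by defining the local zone without a rule set from your zone (the note above), and cutting off router-originated traffic such as DNS forwarding once the local zone is used as a "from zone", can both be caught by reading the zone-policy configuration before committing it. The following Python script is an added example, not part of the Vyatta documentation or of Vyatta NOS itself: it parses the brace-style output that `show security zone-policy` produces, as shown on this page, and reports both conditions. The sample configuration embedded in it is constructed for the example (the zone and rule-set names follow the page, the `dp0p1p3` interface is invented), and the functions `lockout_risk`, `return_path_missing` and `audit` are hypothetical names chosen here.

```python
"""Pre-commit sanity checks for a Vyatta local-zone policy (added example).

Parses the brace-structured text that `show security zone-policy` prints and
flags (1) a local zone that has no rule set applied from the admin's own zone
and (2) transit zones the router can no longer reach once the local zone is
used as a 'from zone' elsewhere.
"""

# Constructed sample in the same layout the page's `show` output uses.
# Zone Vyatta is the local zone; private applies from_Vyatta; public has
# no 'from Vyatta' block, so DNS forwarding to public would be blocked.
SAMPLE_ZONE_POLICY = """
zone Vyatta {
    from private {
        firewall {
            name private_to_Vyatta
        }
    }
    local-zone
}
zone private {
    from dmz {
        firewall {
            name to_private
        }
    }
    from Vyatta {
        firewall {
            name from_Vyatta
        }
    }
    interface dp0p1p1
}
zone public {
    interface dp0p1p3
}
"""


def parse_config(text):
    """Turn brace-style config into nested dicts.

    'zone Vyatta {' opens a dict under the key 'zone Vyatta'; a bare line such
    as 'local-zone' or 'name from_Vyatta' becomes a leaf key mapped to True.
    """
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
        elif line == "}":
            stack.pop()
        else:
            stack[-1][line] = True
    if len(stack) != 1:
        raise ValueError("unbalanced braces in zone-policy text")
    return root


def zones(cfg):
    """Map zone name -> zone node for every 'zone <name>' block."""
    return {k.split(" ", 1)[1]: v for k, v in cfg.items() if k.startswith("zone ")}


def local_zone_name(cfg):
    """Return the zone flagged 'local-zone', or None if none is defined."""
    for name, node in zones(cfg).items():
        if "local-zone" in node:
            return name
    return None


def allowed_from(zone_node):
    """Map each 'from <zone>' to the applied rule-set name (None if no firewall)."""
    out = {}
    for key, sub in zone_node.items():
        if not key.startswith("from "):
            continue
        fw = sub.get("firewall", {}) if isinstance(sub, dict) else {}
        names = [k.split(" ", 1)[1] for k in fw if k.startswith("name ")]
        out[key.split(" ", 1)[1]] = names[0] if names else None
    return out


def lockout_risk(cfg, admin_zone):
    """True when a local zone exists but nothing is allowed from admin_zone to it:
    the session-drop case in the page's note. No local zone means no restriction."""
    local = local_zone_name(cfg)
    if local is None:
        return False
    return allowed_from(zones(cfg)[local]).get(admin_zone) is None


def return_path_missing(cfg, service_zone):
    """True when the local zone is used as a 'from zone' somewhere (so router-
    originated traffic is now default-deny) but service_zone has no 'from <local>'
    rule set, e.g. the public zone a DNS forwarder must reach."""
    local = local_zone_name(cfg)
    zs = zones(cfg)
    if local is None:
        return False
    local_used_as_from = any(local in allowed_from(z) for n, z in zs.items() if n != local)
    if not local_used_as_from:
        return False
    return allowed_from(zs[service_zone]).get(local) is None


def audit(text, admin_zone, router_reaches=()):
    """Run both checks over raw `show` output; returns a list of finding strings."""
    cfg = parse_config(text)
    findings = []
    if lockout_risk(cfg, admin_zone):
        findings.append(f"no rule set from zone '{admin_zone}' to the local zone: management session would be dropped")
    for z in router_reaches:
        if return_path_missing(cfg, z):
            findings.append(f"no rule set from the local zone to '{z}': router-originated traffic to it is blocked")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_ZONE_POLICY, admin_zone="public", router_reaches=("public", "private")):
        print("WARN:", line)
```

Run it against the text you get from `show security zone-policy` (the page's own `show` commands print exactly this nesting) with `admin_zone` set to the zone your SSH session enters from and `router_reaches` set to the zones that services such as DNS forwarding must reach; an empty result means neither of the page's two pitfalls is present in the candidate configuration.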