Filtering traffic to and from the local zone
The local zone is a special zone that refers to the vRouter itself. By default, all traffic destined for the system and originating from the system is allowed. In the following figure, arrows depict traffic flow to and from the transit zones (private, DMZ, and public) as well as to and from the local zone.
To create a configuration that restricts vRouter access to hosts located within the private zone, perform the following steps in configuration mode.
Step | Command |
---|---|
Create the configuration node for the private_to_Vyatta rule set and give a description for the rule set. | |
Allow all traffic. | |
Commit the configuration. | |
Show the private_to_Vyatta firewall configuration. | |
Apply the private_to_Vyatta rule set to traffic from the private zone to the local zone. | |
Set the local zone. | |
Commit the configuration. | |
Show the local zone policy configuration. | |
At this point, only traffic from the private zone destined for the vRouter is allowed. Traffic from all other zones is dropped. However, all traffic originating from the vRouter is still allowed to all zones.
Be aware that some services (for example, DNS forwarding and Web Proxy) terminate client connections on the vRouter itself and then initiate their own connections to another host. In the case of DNS forwarding, a packet destined to the router for lookup of a non-cached DNS entry causes the DNS forwarder to initiate a connection to the external name-server, retrieve the entry, and pass it back to the originating client. In the previous configuration example, in which packets to the router are allowed only from the private zone, the DNS responses coming back to the router from an external name-server in the public zone are dropped. Thus, to allow packets destined for the router from the public zone, define a rule set and apply it in the local zone by performing the following steps.
Step | Command |
---|---|
Create the configuration node for the public_to_Vyatta rule set and give a description for the rule set. | |
Allow the specified traffic. | |
Commit the configuration. | |
Show the public_to_Vyatta firewall configuration. | |
Apply the public_to_Vyatta rule set to traffic from the public zone to the local zone. | |
Commit the configuration. | |
Show the new local zone policy configuration. | |
By default, all traffic originating from the local zone is permitted. To restrict this traffic, you must define the local zone as a “from zone” within the definition of a transit zone. After the local zone is used as a “from zone,” all traffic from the vRouter to all other zones is blocked unless explicitly allowed through the use of a rule set that allows traffic into a specific zone.
For example, to allow traffic from the vRouter only to the private zone, perform the following steps.
Step | Command |
---|---|
Create the configuration node for the from_Vyatta rule set and give a description for the rule set. | |
Allow the specified traffic. | |
Commit the configuration. | |
Show the from_Vyatta firewall configuration. | |
Apply the from_Vyatta rule set to traffic from the local zone to the private zone. | |
Commit the configuration. | |
Show the new private zone policy configuration. | |
Remember that services which originate traffic from the vRouter need a matching rule set from the local zone to each zone they must reach. For example, once the local zone is used as a "from zone," DNS forwarding works only if traffic is explicitly permitted from the vRouter to the public zone.
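The three procedures above change which flows the vRouter accepts at each stage, and the DNS-forwarding caveat is easy to get wrong in both directions. The following is an added example, not vRouter code or configuration from this page: a small Python model of the zone-policy semantics the text describes (default allow to and from the local zone; default drop to the local zone once it is defined; default drop from the local zone once it is used as a "from zone"). The zone name `vyatta`, the rule-set names, the `from_Vyatta_to_public` rule set used to restore DNS forwarding, and the UDP/53 packets are constructed assumptions for illustration; the model is stateless and does not represent any connection tracking the real firewall may perform.

```python
# Added example: a stateless model of the local-zone policy semantics described above.
# Not vRouter code. Zone names, rule-set names and packets are constructed.
from dataclasses import dataclass, field
from typing import Optional

LOCAL_ZONE = "vyatta"   # assumed name for the local zone (the text only says "local zone")


@dataclass
class Rule:
    action: str                    # "accept" or "drop"
    proto: Optional[str] = None    # None matches any protocol
    sport: Optional[int] = None    # None matches any source port
    dport: Optional[int] = None    # None matches any destination port

    def matches(self, pkt: dict) -> bool:
        wanted = (("proto", self.proto), ("sport", self.sport), ("dport", self.dport))
        return all(want is None or want == pkt.get(key) for key, want in wanted)


@dataclass
class RuleSet:
    name: str
    rules: list = field(default_factory=list)
    default_action: str = "drop"   # traffic matching no rule is dropped

    def evaluate(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return self.default_action


class ZonePolicy:
    """Tracks which rule set, if any, governs each (from_zone, to_zone) pair."""

    def __init__(self) -> None:
        self.local_zone_set = False
        self.policies: dict = {}   # (from_zone, to_zone) -> RuleSet

    def set_local_zone(self) -> None:
        self.local_zone_set = True

    def apply(self, from_zone: str, to_zone: str, ruleset: RuleSet) -> None:
        self.policies[(from_zone, to_zone)] = ruleset

    def allowed(self, from_zone: str, to_zone: str, pkt: dict) -> bool:
        ruleset = self.policies.get((from_zone, to_zone))
        if ruleset is not None:
            return ruleset.evaluate(pkt) == "accept"
        if to_zone == LOCAL_ZONE:
            # Traffic to the vRouter is allowed by default until the local zone is
            # defined; afterwards only zones with an applied rule set can reach it.
            return not self.local_zone_set
        if from_zone == LOCAL_ZONE:
            # Traffic from the vRouter is allowed by default until the local zone is
            # used as a "from zone" anywhere; afterwards it needs an explicit rule set.
            return not any(src == LOCAL_ZONE for src, _ in self.policies)
        return False               # transit zone to transit zone with no rule set


def walkthrough() -> dict:
    """Replays the page's three procedures and records which flows survive each one."""
    # Constructed packets: a forwarded DNS query, the name-server's reply, an SSH attempt.
    dns_query = {"proto": "udp", "sport": 40000, "dport": 53}
    dns_reply = {"proto": "udp", "sport": 53, "dport": 40000}
    ssh = {"proto": "tcp", "sport": 50000, "dport": 22}
    zp = ZonePolicy()
    results = {}
    # Stage 0: no zone policy touches the local zone yet.
    results["default"] = {
        "public_to_local": zp.allowed("public", LOCAL_ZONE, ssh),
        "local_to_public": zp.allowed(LOCAL_ZONE, "public", dns_query),
    }
    # Stage 1: private_to_Vyatta (allow all) from private to local, local zone defined.
    zp.apply("private", LOCAL_ZONE, RuleSet("private_to_Vyatta", [Rule("accept")]))
    zp.set_local_zone()
    results["private_only"] = {
        "private_to_local": zp.allowed("private", LOCAL_ZONE, ssh),
        "public_to_local_dns_reply": zp.allowed("public", LOCAL_ZONE, dns_reply),  # dropped
        "local_to_public": zp.allowed(LOCAL_ZONE, "public", dns_query),            # still allowed
    }
    # Stage 2: public_to_Vyatta admits the name-server's replies only.
    zp.apply("public", LOCAL_ZONE, RuleSet("public_to_Vyatta", [Rule("accept", proto="udp", sport=53)]))
    results["public_dns"] = {
        "public_to_local_dns_reply": zp.allowed("public", LOCAL_ZONE, dns_reply),
        "public_to_local_ssh": zp.allowed("public", LOCAL_ZONE, ssh),
    }
    # Stage 3: from_Vyatta from local to private makes the local zone a "from zone".
    zp.apply(LOCAL_ZONE, "private", RuleSet("from_Vyatta", [Rule("accept")]))
    results["from_local_restricted"] = {
        "local_to_private": zp.allowed(LOCAL_ZONE, "private", ssh),
        "local_to_public_dns_query": zp.allowed(LOCAL_ZONE, "public", dns_query),  # now dropped
    }
    # Stage 4 (assumed fix): a rule set from local to public restores DNS forwarding.
    zp.apply(LOCAL_ZONE, "public", RuleSet("from_Vyatta_to_public", [Rule("accept", proto="udp", dport=53)]))
    results["dns_forwarding_restored"] = {
        "local_to_public_dns_query": zp.allowed(LOCAL_ZONE, "public", dns_query),
        "local_to_dmz": zp.allowed(LOCAL_ZONE, "dmz", ssh),
    }
    return results


if __name__ == "__main__":
    for stage, flows in walkthrough().items():
        print(stage, flows)
```

Running `walkthrough()` shows the two failure modes the text warns about: after stage 1 the name-server's reply from the public zone is dropped even though the forwarder's own query was allowed out, and after stage 3 the query itself is dropped until a rule set from the local zone to the public zone is applied.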