Using per-interface rule sets with zone-based firewall
When a zone (transit or local) is created, traffic into that zone is allowed only from another zone, and only through the firewall rule sets that the zone policy applies to traffic coming from that source zone. Interfaces that are not members of any zone therefore cannot send traffic into any zone at all. Traffic between interfaces that are not part of any zone, however, flows freely and can be filtered only with per-interface firewall rule sets. Consider the example that follows.
Three zones are defined in this topology: DMZ, public, and local zone. A sample zone policy configuration for this topology may look something like this:
| Step | Command |
|---|---|
| Show the zone policy configuration. | |
The dp0p1p1 and dp0p1p2 interfaces are not part of any zone, so traffic from these interfaces to any of the three zones is dropped. Traffic between LAN1 and LAN2 flows freely and unfiltered. In addition, traffic from any of the zones (DMZ, public, and local zone) that exits through dp0p1p1 or dp0p1p2 flows unfiltered. If you want to drop all traffic from any of the zones that exits dp0p1p1 and dp0p1p2, and allow only ICMP packets between LAN1 and LAN2, perform the following steps in configuration mode.
| Step | Command |
|---|---|
| Show the allow_ping_only firewall configuration. NOTE: The not_allowed_nets network group contains the subnets of the DMZ and public zones. | |
| Show the firewall configuration of the dp0p1p1 and dp0p1p2 interfaces. | |
This procedure does not filter traffic that originates from the vRouter itself and exits through the dp0p1p1 and dp0p1p2 interfaces. No commands exist to filter traffic that originates from the system on a per-interface basis. If the zone policy configuration in this example uses the local zone (Vyatta zone) as a from zone under the DMZ zone, the public zone, or both, then traffic originating from the system exits only through those zones and no other zones.
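The forwarding decisions described above (unzoned interfaces cannot reach a zone, unzoned-to-unzoned traffic is filtered only by per-interface rule sets, and system-originated traffic bypasses per-interface filtering) can be checked against a small model. The following is an added illustration, not vRouter code; the zone-policy rule sets, the subnet labels and the interface names dp0p1p3/dp0p1p4 for the DMZ and public zones are constructed assumptions, and the local-zone-as-from-zone special case is not modelled.

```python
# Simplified model of zone-based plus per-interface firewall evaluation.
# Added example with constructed topology; not the vRouter implementation.
from dataclasses import dataclass


@dataclass
class Packet:
    in_if: str            # ingress interface
    out_if: str           # egress interface
    proto: str            # "icmp", "tcp", ...
    src_net: str          # label of the source subnet (constructed)
    from_system: bool = False  # True if the router itself generated it


# Assumed zone membership; LAN1 (dp0p1p1) and LAN2 (dp0p1p2) stay unzoned.
ZONES = {"dmz": {"dp0p1p3"}, "public": {"dp0p1p4"}}
# Assumed zone policy: (from_zone, to_zone) -> rule set; missing pair = drop.
ZONE_POLICY = {("public", "dmz"): "allow_all", ("dmz", "public"): "allow_all"}
# Per-interface "out" rule sets from the procedure above.
IFACE_OUT = {"dp0p1p1": "allow_ping_only", "dp0p1p2": "allow_ping_only"}
# Network group not_allowed_nets: subnets of the DMZ and public zones.
NOT_ALLOWED_NETS = {"dmz_net", "public_net"}


def run_ruleset(name: str, pkt: Packet) -> str:
    """Evaluate a named rule set; unknown names fall through to drop."""
    if name == "allow_ping_only":
        if pkt.src_net in NOT_ALLOWED_NETS:   # drop anything from the zones
            return "drop"
        return "accept" if pkt.proto == "icmp" else "drop"  # ICMP only
    if name == "allow_all":
        return "accept"
    return "drop"


def zone_of(iface: str):
    return next((z for z, ifs in ZONES.items() if iface in ifs), None)


def decide(pkt: Packet) -> str:
    from_zone = "local" if pkt.from_system else zone_of(pkt.in_if)
    to_zone = zone_of(pkt.out_if)
    if to_zone is not None:
        # Egress interface is zoned: only a zone-policy rule set can admit it,
        # so traffic from an unzoned interface (from_zone None) is dropped.
        rs = ZONE_POLICY.get((from_zone, to_zone))
        return run_ruleset(rs, pkt) if rs else "drop"
    if pkt.from_system:
        return "accept"  # no per-interface filtering of system-originated traffic
    # Egress interface is unzoned: only its per-interface rule set applies.
    rs = IFACE_OUT.get(pkt.out_if)
    return run_ruleset(rs, pkt) if rs else "accept"
```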