Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Using per-interface rule sets with zone-based firewall

When a zone (transit or local) is created, traffic into that zone is permitted only from other zones, and only through the firewall rule sets that filter traffic from each such zone. Interfaces that are not part of any zone therefore cannot send traffic to any zone. Traffic between interfaces that belong to no zone, however, flows freely and can be filtered with per-interface firewall rule sets. Consider the following example.

Figure 1. Default traffic to and from the local zone

Three zones are defined in this topology: DMZ, public, and local. A zone policy configuration for this topology may look like the following:

Table 1. Showing the zone policy for a topology with three zones (DMZ, public, and local)

Step 1: Show the zone policy configuration.

Command:

vyatta@R1# show zone-policy

 zone dmz {
     default-action drop
     description "DMZ ZONE"
     from public {
         firewall {
             name public_to_dmz
         }
     }
     interface dp0p1p3
 }
 zone public {
     default-action drop
     description "PUBLIC ZONE"
     from dmz {
         firewall {
             name to_public
         }
     }
     interface dp0p1p4
 }
 zone Vyatta {
     default-action drop
     from dmz {
         firewall {
             name dmz_to_Vyatta
         }
     }
     from public {
         firewall {
             name public_to_Vyatta
         }
     }
     local-zone
 }

The dp0p1p1 and dp0p1p2 interfaces are not part of any zone. Thus, traffic from these interfaces to any of the three zones is dropped. Traffic between LAN1 and LAN2 flows freely and unfiltered. In addition, traffic from any of the zones (DMZ, public, and local) that exits dp0p1p1 and dp0p1p2 flows unfiltered. Now, if you want to drop all traffic from any of the zones that exits dp0p1p1 and dp0p1p2, and to allow only ICMP packets between LAN1 and LAN2, perform the following steps in configuration mode.

Table 2. Rejecting traffic from zones and allowing only ICMP between LANs

Step 1: Show the allow_ping_only firewall configuration.

NOTE: The not_allowed_nets network group contains the subnets of the DMZ and public zones.

Command:

vyatta@R1# show security firewall name allow_ping_only

 description "allow nothing from zones. allow icmp packets between LANs"

 rule 1 {
    action drop
    protocol all
    source {
        group not_allowed_nets {
        }
    }
 }
 rule 2 {
    action accept
    icmp {
        type-name any
    }
    protocol icmp
 }

Step 2: Show the firewall configuration of the dp0p1p1 and dp0p1p2 interfaces.

Command:

vyatta@R1# show interfaces dataplane dp0p1p1 firewall

 firewall allow_ping_only {
     out {
     }
 }

vyatta@R1# show interfaces dataplane dp0p1p2 firewall

 firewall allow_ping_only {
     out {
     }
 }

This procedure does not filter traffic that originates from the vRouter itself and exits the dp0p1p1 and dp0p1p2 interfaces; no commands exist to filter system-originated traffic on a per-interface basis. If the zone policy configuration in this example uses the local zone (the Vyatta zone) as a from zone under the DMZ zone, the public zone, or both, then traffic originating from the system exits only through those zones and no others.
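As an added example (not Vyatta code or part of this documentation), the Python below parses the brace-style output of show zone-policy, embedded here in condensed form, and flags interfaces that belong to no zone and carry no out rule set, which is the unfiltered path described above for dp0p1p1 and dp0p1p2. The interface list and the out_rulesets mapping are constructed inputs, not Vyatta's own data model.

```python
# Condensed copy of the zone policy shown above (descriptions and one 'from'
# block dropped for brevity); constructed input for this example.
ZONE_POLICY = """\
zone dmz {
    default-action drop
    from public {
        firewall {
            name public_to_dmz
        }
    }
    interface dp0p1p3
}
zone public {
    default-action drop
    interface dp0p1p4
}
zone Vyatta {
    default-action drop
    local-zone
}
"""

def parse_config(text):
    """Parse Vyatta brace syntax into nested dicts: a block line maps to a
    sub-dict, a leaf line maps to None; the whole stripped line is the key."""
    root, stack = {}, []
    cur = root
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line == "}":
            cur = stack.pop()
        elif line.endswith("{"):
            stack.append(cur)
            cur = cur.setdefault(line[:-1].strip(), {})
        else:
            cur[line] = None
    if stack:
        raise ValueError("unbalanced braces in config")
    return root

def zone_interfaces(tree):
    """Map each zone name to its member interfaces (a local-zone has none)."""
    return {key.split()[1]: {k.split()[1] for k in body if k.startswith("interface ")}
            for key, body in tree.items() if key.startswith("zone ")}

def unfiltered_interfaces(zone_policy_text, interfaces, out_rulesets):
    """Return interfaces in no zone that also lack an 'out' rule set: traffic
    leaving them from any zone is unfiltered. out_rulesets maps an interface
    name to the rule set applied in the out direction (constructed mapping)."""
    zoned = set().union(*zone_interfaces(parse_config(zone_policy_text)).values())
    return sorted(i for i in interfaces if i not in zoned and i not in out_rulesets)
```

Run it once with an empty out_rulesets mapping to see dp0p1p1 and dp0p1p2 reported, and again with allow_ping_only assigned to both to confirm the gap is closed.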