Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Zone-based firewall

Ordinary firewall rule sets are applied on a per-interface basis to act as a packet filter for the interface.

In a zone-based firewall, firewall rule sets are applied to traffic flowing between zones. There are two types of zones:
  • Interface-based zones: Where one or more interfaces have been assigned as members.
  • The local zone: A single zone that has been assigned to represent traffic coming into or going out from the router itself. The local zone cannot contain any interfaces.

Firewall rule sets are assigned to traffic flowing in one direction between two zones. For example, firewall FW_A_TO_B is applied to traffic from ZONE_A to ZONE_B.

In a zone-based firewall, interfaces are grouped into security "zones", where each interface in a zone has the same security level.

Traffic flowing between interfaces within the same zone is not filtered; it flows freely because the interfaces share the same security level.

The following figure shows an example of a zone-based firewall implementation. This example has these characteristics:

  • Three transit zones exist (that is, points where traffic transits the router): the private zone, the demilitarized zone (DMZ), and the public zone.
  • The dp0p1p4 interface lies in the public zone; the dp0p1p1 and dp0p1p2 interfaces lie in the private zone; and the dp0p1p3 interface lies in the DMZ.
  • The arrows from one zone to another zone represent traffic-filtering policies that are applied to traffic flowing between zones.
  • Traffic flowing between LAN 1 and LAN 2 remains within a single security zone. Thus, traffic from LAN 1 to LAN 2, and conversely, flows unfiltered.
Figure 1. Zone-based firewall overview

In addition to the three transit zones in the preceding figure, there is a fourth zone: the local zone. The local zone is the router itself. By default, all traffic coming into the router and originating from the router is allowed.

You can, however, configure traffic-filtering policies that allow traffic to the local zone from specific zones, and likewise from the local zone to only specific zones. As soon as you apply a filtering policy that explicitly allows traffic destined to the local zone from another zone, traffic from all other zones to the local zone is dropped unless explicitly allowed by a filtering policy. Similarly, as soon as you apply a filtering policy that allows traffic originating from the local zone to another zone, traffic to all other zones is dropped unless explicitly allowed by a filtering policy.

Note the following additional points about zone-based firewalls:

  • An interface can be associated with only one zone.
  • An interface that belongs to a zone cannot have an interface-based firewall rule set applied to it, and an interface that has an interface-based firewall rule set applied to it cannot be added to a zone.
  • Traffic between interfaces that do not belong to any zone flows unfiltered, and interface-based firewall rule sets can be applied to those interfaces.
  • Traffic between interfaces that do not belong to any zone is not filtered by a zone-based firewall.
  • Traffic between interfaces where only one interface is in a zone is always dropped.
  • By default, all traffic to a zone is dropped unless explicitly allowed by a filtering policy for a source zone (from_zone).
  • Filtering policies are unidirectional; they are defined as a “zone pair” that identifies the zone from which traffic is sourced (from_zone) and the zone to which traffic is destined (to_zone). In the preceding figure, these unidirectional policies can be seen as follows:
    • From private to DMZ
    • From public to DMZ
    • From private to public
    • From DMZ to public
    • From public to private
    • From DMZ to private
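As an added example (not Vyatta NOS code and not a configuration fragment), the following Python model encodes the zone rules listed above together with the local-zone behaviour described earlier, using the interfaces and the six zone pairs of Figure 1. The zone names PRIVATE, DMZ, PUBLIC and LOCAL, the contents of each rule set and the sample addresses are assumptions chosen for illustration; real firewall rule sets are configured separately in Vyatta NOS and are modelled here only as accept/drop callables. How an interface that belongs to no zone interacts with the local zone once a local-zone policy exists is not stated on this page, so the model treats that case as dropped and marks it as an assumption.

```python
"""Model of zone-based firewall forwarding decisions (added example, not Vyatta NOS code).

Encodes the rules stated in the documentation: same-zone traffic is unfiltered,
traffic between two unzoned interfaces is outside zone policy, traffic between a
zoned and an unzoned interface is dropped, inter-zone traffic is dropped unless a
from_zone/to_zone policy exists, and the local zone is open in a direction until
a policy names it in that direction.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

LOCAL = "LOCAL"  # label used here for the router's own zone (assumed name)


@dataclass(frozen=True)
class Packet:
    src: str    # constructed sample addresses
    dst: str
    dport: int


# A firewall rule set is modelled as a callable returning "accept" or "drop".
RuleSet = Callable[[Packet], str]


def accept_all(_: Packet) -> str:
    return "accept"


def drop_all(_: Packet) -> str:
    return "drop"


def allow_ports(ports: Set[int]) -> RuleSet:
    """Rule set that accepts only the listed destination ports (constructed)."""
    return lambda p: "accept" if p.dport in ports else "drop"


@dataclass
class ZonePolicy:
    interfaces: Dict[str, str] = field(default_factory=dict)                # interface -> zone
    pairs: Dict[Tuple[str, str], RuleSet] = field(default_factory=dict)     # (from_zone, to_zone) -> rule set

    def add_interface(self, iface: str, zone: str) -> None:
        if zone == LOCAL:
            raise ValueError("the local zone cannot contain interfaces")
        if iface in self.interfaces:
            raise ValueError(f"{iface} already belongs to zone {self.interfaces[iface]}")
        self.interfaces[iface] = zone

    def add_pair(self, from_zone: str, to_zone: str, ruleset: RuleSet) -> None:
        if from_zone == to_zone:
            raise ValueError("a zone pair must name two different zones")
        self.pairs[(from_zone, to_zone)] = ruleset

    def decide(self, in_iface: Optional[str], out_iface: Optional[str], pkt: Packet) -> str:
        """Return "unfiltered", "accept" or "drop".
        None in place of an interface means the router itself (the local zone)."""
        src = LOCAL if in_iface is None else self.interfaces.get(in_iface)
        dst = LOCAL if out_iface is None else self.interfaces.get(out_iface)

        if src is not None and src == dst:
            return "unfiltered"          # same security level, no zone filtering
        if src is None and dst is None:
            return "unfiltered"          # neither interface is zoned: zone policy does not apply
        # Local zone is open by default; it closes in a direction as soon as any
        # policy names the local zone as to_zone (inbound) or from_zone (outbound).
        if dst == LOCAL and not any(t == LOCAL for _, t in self.pairs):
            return "accept"
        if src == LOCAL and not any(f == LOCAL for f, _ in self.pairs):
            return "accept"
        if src is None or dst is None:
            # Only one side is zoned: always dropped. An unzoned interface facing a
            # closed local zone is treated the same way (assumption, not stated by the page).
            return "drop"
        ruleset = self.pairs.get((src, dst))
        if ruleset is None:
            return "drop"                # no policy for this zone pair
        return ruleset(pkt)


def build_example_policy() -> ZonePolicy:
    """Zone layout of Figure 1 with constructed rule sets for its six zone pairs."""
    zp = ZonePolicy()
    zp.add_interface("dp0p1p4", "PUBLIC")
    zp.add_interface("dp0p1p1", "PRIVATE")
    zp.add_interface("dp0p1p2", "PRIVATE")
    zp.add_interface("dp0p1p3", "DMZ")
    zp.add_pair("PRIVATE", "DMZ", accept_all)
    zp.add_pair("PUBLIC", "DMZ", allow_ports({80, 443}))
    zp.add_pair("PRIVATE", "PUBLIC", accept_all)
    zp.add_pair("DMZ", "PUBLIC", allow_ports({53, 443}))
    zp.add_pair("PUBLIC", "PRIVATE", drop_all)
    zp.add_pair("DMZ", "PRIVATE", drop_all)
    return zp


if __name__ == "__main__":
    zp = build_example_policy()
    web = Packet("198.51.100.9", "192.0.2.10", 443)       # constructed sample flow
    print("LAN1 -> LAN2:", zp.decide("dp0p1p1", "dp0p1p2", web))
    print("public -> DMZ :443:", zp.decide("dp0p1p4", "dp0p1p3", web))
    print("public -> router (no local policy):", zp.decide("dp0p1p4", None, web))
    zp.add_pair("PRIVATE", LOCAL, allow_ports({22}))
    print("public -> router (after private->local policy):", zp.decide("dp0p1p4", None, web))
```

The model is useful as a pre-commit check: feed it the intended interface-to-zone mapping and zone pairs, then ask it about the flows that must keep working (management access to the router, LAN-to-LAN traffic) before applying the configuration, since adding the first policy toward the local zone silently closes every other zone's access to the router.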