Vyatta documentation

Learn how to install, configure, and operate the Vyatta Network Operating System (Vyatta NOS) and Orchestrator, which help drive our virtual networking and physical platforms portfolio.


Configure the firewall

By default in a fresh installation, Vyatta NOS does not restrict traffic flow. That is, unless you configure a firewall rule to apply to an interface, the interface will transmit all traffic that it receives.

The firewall functionality provides packet filtering, which gives you the flexibility to restrict traffic to meet the needs of your environment.

General steps to configure a firewall on an interface are as follows:

  1. Define a number of named firewall rule sets, each of which contains one or more firewall rules.
    When you apply a firewall rule set, be aware that after the final user-defined rule, an implicit rule of 'deny all' takes effect.
  2. Apply each of the named rule sets to an interface, to provide filtering on that interface.
    You can apply one named rule set to each of the following on an interface:
    • in: If you apply the rule set to an interface as in, the rule set will filter packets that enter the interface.
    • out: If you apply the rule set to an interface as out, the rule set will filter packets that leave the interface.

Define a firewall rule set

How to define a firewall rule set and add a firewall rule to the set.

By default, when you create a firewall rule set and apply it to an interface, the system will block all traffic on that interface — that is, the system will block both in and out traffic on that interface.

  • To allow inbound traffic, you must specify the sources of the inbound traffic.
  • To allow outbound traffic, you must specify the sources of the outbound traffic.
Attention: If you allow only outbound traffic, Vyatta NOS will not be able to establish outbound connections properly, because the firewall will block the necessary response packets.
  1. Create a firewall rule set, and specify a rule to accept packets with the appropriate source and destination.
    In this example, we name the rule set FROM_INTERNET.
    user@system# set security firewall name FROM_INTERNET
    user@system# set security firewall name FROM_INTERNET rule 10 action accept
    user@system# set security firewall name FROM_INTERNET rule 10 source address 10.0.0.1
    user@system# set security firewall name FROM_INTERNET rule 10 destination address 10.0.0.2
  2. Commit your changes.
    user@system# commit

Apply the firewall rule set to an interface

  1. Use the set interfaces ... firewall command to apply the firewall rule set to the appropriate interface.
    In this example, we apply the FROM_INTERNET rule set as in on the Internet-facing Ethernet interface named dp0p1p1.
    user@system# set interfaces dataplane dp0p1p1 firewall in FROM_INTERNET
  2. Commit your changes.
    user@system# commit
  3. Optional: Use the show security firewall command to view the configuration.
    user@system# show security firewall
     firewall {
            name FROM_INTERNET {
                    rule 10 {
                            action accept
                            destination {
                                    address 10.0.0.2
                            }
                            source {
                                    address 10.0.0.1
                            }
                    }
            }
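To see how a rule set behaves once it is applied, the following Python model (added here as an example; it is not code from the Vyatta documentation or product) parses the set security firewall name ... lines from the procedure above and evaluates packets against them, including the implicit deny-all that follows the last user-defined rule. It assumes first-match evaluation in ascending rule-number order, an accept or drop action per rule, and that address takes either a single address or a CIDR prefix.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumptions (made for this example, not taken from the Vyatta documentation): rules
# in a set are evaluated in ascending rule-number order, the first matching rule decides,
# and a packet that matches no user-defined rule hits the implicit 'deny all'.

@dataclass
class Rule:
    action: str = "drop"               # 'accept' or 'drop'
    source: Optional[str] = None       # address or CIDR prefix; None matches any address
    destination: Optional[str] = None

    def matches(self, src: str, dst: str) -> bool:
        def ok(pattern, addr):
            return pattern is None or ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
        return ok(self.source, src) and ok(self.destination, dst)

def parse_set_commands(lines):
    """Build {ruleset_name: [Rule, ...]} from 'set security firewall name ...' lines."""
    rulesets = {}
    for line in lines:
        t = line.replace("user@system#", "").split()
        if t[:4] != ["set", "security", "firewall", "name"]:
            continue
        rules = rulesets.setdefault(t[4], {})          # 'set ... name X' alone creates an empty set
        if len(t) > 6 and t[5] == "rule":
            rule = rules.setdefault(int(t[6]), Rule())
            if t[7] == "action":
                rule.action = t[8]
            elif t[7] in ("source", "destination") and t[8] == "address":
                setattr(rule, t[7], t[9])
    return {name: [r for _, r in sorted(rs.items())] for name, rs in rulesets.items()}

def evaluate(rules, src: str, dst: str) -> str:
    """Return the action for a packet; 'deny' is the implicit rule after the final one."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return "deny"

# Constructed input: the FROM_INTERNET rule set from the procedure above.
CONFIG = """
set security firewall name FROM_INTERNET
set security firewall name FROM_INTERNET rule 10 action accept
set security firewall name FROM_INTERNET rule 10 source address 10.0.0.1
set security firewall name FROM_INTERNET rule 10 destination address 10.0.0.2
""".strip().splitlines()
RULESETS = parse_set_commands(CONFIG)
```

Evaluating the reply direction (10.0.0.2 to 10.0.0.1) against FROM_INTERNET returns deny, which is the situation the Attention note describes: a rule set permits only what its rules name, never the corresponding responses.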