I’m moving from an ancient version of Vyatta to VyOS. My config file seems to be very repetitive, so I’m not sure if I’m missing some tricks to bundle rules up?
I have created an input chain and an output chain with some rules
input chain p1
rule 1
rule 2
…
I want to apply that to virtual interface eth0.1
set firewall ipv4 name p1 rule 1 inbound-interface name eth0.p1
set firewall ipv4 name p1 rule 2 inbound-interface name eth0.p1
...
set firewall ipv4 name p1 rule 10 inbound-interface name eth0.p1
and then the same again for the outbound rule.
The full config will have about 30 different input/output chains, each with maybe 12 rules, so that’s why I’m thinking there must be a better way to do this. Vyatta allowed you to create a ‘set’ of rules and apply that set to the interface. Must I really apply every individual rule? What am I missing?
The firewall for 1.4/1.5 will be a little different from Vyatta and earlier VyOS versions. You’ll want to familiarize yourself with the differences between the two for Input, Output, and Forward.
In 1.4/1.5, the 3 chains are these:
- Input:
  - For traffic that terminates on VyOS itself
- Output:
  - For traffic that originates directly from VyOS
- Forwarding:
  - For traffic that goes through VyOS (interface to interface)
  - Traffic from an inside host to the internet.
You can apply traffic like you did in Vyatta, but it’s just done a little differently. You use jump-targets to achieve it. Imagine you had this setup.
[Image: Interfaces]
You can create named rulesets for those interfaces like this:
set firewall ipv4 name eth0_vif10_in default-action 'drop'
set firewall ipv4 name eth0_vif10_in rule 5 action 'accept'
set firewall ipv4 name eth0_vif10_in rule 5 <some matching criteria>
set firewall ipv4 name eth0_vif20_in default-action 'drop'
set firewall ipv4 name eth0_vif20_in rule 5 action 'accept'
set firewall ipv4 name eth0_vif20_in rule 5 <some matching criteria>
set firewall ipv4 name eth0_vif30_in default-action 'drop'
set firewall ipv4 name eth0_vif30_in rule 5 action 'accept'
set firewall ipv4 name eth0_vif30_in rule 5 <some matching criteria>
You then apply them on the input chain:
set firewall ipv4 input filter rule 5 action 'jump'
set firewall ipv4 input filter rule 5 inbound-interface name 'eth0.10'
set firewall ipv4 input filter rule 5 jump-target 'eth0_vif10_in'
set firewall ipv4 input filter rule 10 action 'jump'
set firewall ipv4 input filter rule 10 inbound-interface name 'eth0.20'
set firewall ipv4 input filter rule 10 jump-target 'eth0_vif20_in'
set firewall ipv4 input filter rule 105 action 'jump'
set firewall ipv4 input filter rule 105 inbound-interface name 'eth0.30'
set firewall ipv4 input filter rule 105 jump-target 'eth0_vif30_in'
You can also simplify things if you have rules that are the same for multiple interfaces by creating interface groups. So if the input chain is the same for all 3 of those interfaces, you could do this:
set firewall group interface-group eth0_vifs interface 'eth0.10'
set firewall group interface-group eth0_vifs interface 'eth0.20'
set firewall group interface-group eth0_vifs interface 'eth0.30'
set firewall ipv4 name eth0_vifs default-action 'drop'
set firewall ipv4 name eth0_vifs rule 5 action 'accept'
set firewall ipv4 name eth0_vifs rule 5 <some matching criteria>
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 5 action 'jump'
set firewall ipv4 input filter rule 5 inbound-interface group 'eth0_vifs'
set firewall ipv4 input filter rule 5 jump-target 'eth0_vifs'
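The reply above describes the 1.4/1.5 pattern by hand: one named ruleset per VLAN (or per interface group), plus one jump rule per group in the base chain. As an added example, not code from the thread or from VyOS, the script below generates exactly that set of commands from a compact table, so the 30-chain config the original poster describes no longer has to be typed out, and checks the generated commands for two things that bite in practice: every `jump-target` must name a defined `firewall ipv4 name` ruleset (a dangling target fails at commit, and is easy to introduce by copy-paste), and the base chain must carry its own `default-action 'drop'`, because a named ruleset's default-action only applies to packets that jumped into it. The interface names (eth0.10, eth0.20, eth0.30), ruleset names, networks and ports are constructed for the example and are not from the thread.

```python
"""Generate VyOS 1.4/1.5 'set firewall ipv4 ...' commands for per-VLAN
filtering from a compact table, and lint the result.

The interface names, ruleset names and accepted ports below are
constructed for the example; they are not from the forum thread.
"""
from dataclasses import dataclass


@dataclass
class Ruleset:
    name: str            # name of the 'firewall ipv4 name <name>' ruleset
    interfaces: list     # VLAN sub-interfaces that jump into this ruleset
    accept: list         # (protocol, destination port, description) tuples
    default_action: str = "drop"


def gen_interface_group(rs: Ruleset) -> list[str]:
    """One interface-group per ruleset, so the base chain needs one jump rule."""
    return [
        f"set firewall group interface-group {rs.name}_ifaces interface '{i}'"
        for i in rs.interfaces
    ]


def gen_named_ruleset(rs: Ruleset) -> list[str]:
    """The named ruleset: explicit accepts, everything else hits default-action."""
    cmds = [f"set firewall ipv4 name {rs.name} default-action '{rs.default_action}'"]
    n = 10
    for proto, port, desc in rs.accept:
        base = f"set firewall ipv4 name {rs.name} rule {n}"
        cmds += [
            f"{base} action 'accept'",
            f"{base} protocol '{proto}'",
            f"{base} destination port '{port}'",
            f"{base} description '{desc}'",
        ]
        n += 10
    return cmds


def gen_base_chain(chain: str, rulesets: list) -> list[str]:
    """Base chain ('input' or 'forward'): its own default-drop, conntrack
    handling first, then one jump per interface group."""
    base = f"set firewall ipv4 {chain} filter"
    cmds = [
        f"{base} default-action 'drop'",          # base chain needs its own drop
        f"{base} rule 1 action 'accept'",
        f"{base} rule 1 state 'established'",
        f"{base} rule 1 state 'related'",
        f"{base} rule 2 action 'drop'",
        f"{base} rule 2 state 'invalid'",
    ]
    n = 10
    for rs in rulesets:
        cmds += [
            f"{base} rule {n} action 'jump'",
            f"{base} rule {n} inbound-interface group '{rs.name}_ifaces'",
            f"{base} rule {n} jump-target '{rs.name}'",
        ]
        n += 10
    return cmds


def check_jump_targets(cmds: list) -> list[str]:
    """Return every jump-target that does not name a defined ipv4 ruleset."""
    defined, targets = set(), []
    for c in cmds:
        tok = c.split()
        if tok[:4] == ["set", "firewall", "ipv4", "name"]:
            defined.add(tok[4])
        if "jump-target" in tok:
            targets.append(tok[tok.index("jump-target") + 1].strip("'"))
    return sorted({t for t in targets if t not in defined})


def check_base_default_drop(cmds: list, chain: str) -> bool:
    """True if the base chain explicitly drops by default."""
    return f"set firewall ipv4 {chain} filter default-action 'drop'" in cmds


# Constructed example table: a management VLAN and two user VLANs that
# share one input policy toward the router itself.
VLAN_RULESETS = [
    Ruleset("mgmt_in", ["eth0.10"], [("tcp", "22", "ssh to router")]),
    Ruleset("users_in", ["eth0.20", "eth0.30"],
            [("udp", "53", "dns"), ("udp", "67", "dhcp")]),
]


def build_config(rulesets=VLAN_RULESETS, chain: str = "input") -> list[str]:
    """Full command list for one base chain and all its named rulesets."""
    cmds = []
    for rs in rulesets:
        cmds += gen_interface_group(rs) + gen_named_ruleset(rs)
    cmds += gen_base_chain(chain, rulesets)
    return cmds


if __name__ == "__main__":
    cfg = build_config()
    assert check_jump_targets(cfg) == [], "dangling jump-target"
    print("\n".join(cfg))
```

The output is meant to be pasted into `configure` (or loaded with `vbash`) and reviewed with `show firewall` before `commit`; the same `gen_base_chain` produces the `forward` chain for transit traffic, which is where the Vyatta-era "in/out on an interface" rules mostly end up in 1.4/1.5.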
Thanks for your replies. My confusion was added to by mistakenly thinking I wanted to implement input/output filters as I did in Vyatta, when VyOS now seems to refer to transit traffic as forward.
I think I have managed to get the syntax and logic for the new system. Hopefully I’ll have something to test today.