Applying rules to interfaces

I’m moving from an ancient version of vyatta to vyos. My config file seems to be very repetitive so I’m not sure if I’m missing some tricks to bundle rules up?

I have created an input chain and an output chain with some rules
input chain p1
rule 1
rule 2

I want to apply that to virtual interface eth0.1

  set firewall ipv4 name p1 rule 1 inbound-interface name eth0.p1
  set firewall ipv4 name p1 rule 2 inbound-interface name eth0.p1
  ...
  set firewall ipv4 name p1 rule 10 inbound-interface name eth0.p1

and then the same again for the outbound rule.

The full config will have about 30 different input/output chains, each with maybe 12 rules, so that’s why I’m thinking there must be a better way to do this? Vyatta allowed you to create a ‘set’ of rules and apply that set to the interface. Must I really apply every individual rule? What am I missing?

The firewall for 1.4/1.5 will be a little different from Vyatta and earlier VyOS versions. You'll want to familiarize yourself with the differences between the two for Input, Output, and Forward.

In 1.4/1.5, the 3 chains are these:

  • Input:
    • For traffic that terminates on VyOS itself
      • Ex. SSH into VyOS
  • Output:
    • For traffic that originates directly from VyOS
      • Ex. Pinging from VyOS
  • Forwarding:
    • For traffic that goes through VyOS (interface to interface)
      • Traffic from an inside host to the internet.

You can apply traffic like you did in Vyatta, but it's just done a little differently. You use jump-targets to achieve it. Imagine you had this setup.

Interfaces

  • eth0.10
  • eth0.20
  • eth0.30

You can create named rulesets for those interfaces like this:

set firewall ipv4 name eth0_vif10_in default-action 'drop'
set firewall ipv4 name eth0_vif10_in rule 5 action 'accept'
set firewall ipv4 name eth0_vif10_in rule 5 <some matching criteria>

set firewall ipv4 name eth0_vif20_in default-action 'drop'
set firewall ipv4 name eth0_vif20_in rule 5 action 'accept'
set firewall ipv4 name eth0_vif20_in rule 5 <some matching criteria>

set firewall ipv4 name eth0_vif30_in default-action 'drop'
set firewall ipv4 name eth0_vif30_in rule 5 action 'accept'
set firewall ipv4 name eth0_vif30_in rule 5 <some matching criteria>

You then apply them on the input chain:

set firewall ipv4 input filter rule 5 action 'jump'
set firewall ipv4 input filter rule 5 inbound-interface name 'eth0.10'
set firewall ipv4 input filter rule 5 jump-target 'eth0_vif10_in'

set firewall ipv4 input filter rule 10 action 'jump'
set firewall ipv4 input filter rule 10 inbound-interface name 'eth0.20'
set firewall ipv4 input filter rule 10 jump-target 'eth0_vif20_in'

set firewall ipv4 input filter rule 105 action 'jump'
set firewall ipv4 input filter rule 105 inbound-interface name 'eth0.30'
set firewall ipv4 input filter rule 105 jump-target 'eth0_vif30_in'

You can also simplify things if you have rules that are the same for multiple interfaces by creating interface groups. So if the input chain is the same for all 3 of those interfaces, you could do this:

set firewall group interface-group eth0_vifs interface 'eth0.10'
set firewall group interface-group eth0_vifs interface 'eth0.20'
set firewall group interface-group eth0_vifs interface 'eth0.30'

set firewall ipv4 name eth0_vifs default-action 'drop'
set firewall ipv4 name eth0_vifs rule 5 action 'accept'
set firewall ipv4 name eth0_vifs rule 5 <some matching criteria>

set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 5 action 'jump'
set firewall ipv4 input filter rule 5 inbound-interface group 'eth0_vifs'
set firewall ipv4 input filter rule 5 jump-target 'eth0_vifs'
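As an added example (not code from the thread or from VyOS), a small Python check that cross-references every `jump-target` and `inbound-interface group` reference in a list of `set firewall` commands against the named rulesets and interface groups that are actually defined. The sample config is constructed and deliberately contains a mistyped jump-target, the kind of slip that is easy to make once thirty chains are involved.

```python
import re

# Constructed sample modelled on the interface-group approach above, with a
# deliberately mistyped jump-target ('eth_vifx_in' is never defined as a ruleset).
SAMPLE_CONFIG = """
set firewall group interface-group eth0_vifs interface 'eth0.10'
set firewall group interface-group eth0_vifs interface 'eth0.20'
set firewall group interface-group eth0_vifs interface 'eth0.30'
set firewall ipv4 name eth0_vifs default-action 'drop'
set firewall ipv4 name eth0_vifs rule 5 action 'accept'
set firewall ipv4 name eth0_vifs rule 5 protocol 'tcp'
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 5 action 'jump'
set firewall ipv4 input filter rule 5 inbound-interface group 'eth0_vifs'
set firewall ipv4 input filter rule 5 jump-target 'eth_vifx_in'
"""
# Same config with the jump-target corrected to the ruleset that actually exists.
FIXED_CONFIG = SAMPLE_CONFIG.replace("'eth_vifx_in'", "'eth0_vifs'")

CHAIN_RULE = r"^set firewall ipv[46] (input|output|forward) filter rule (\d+) "
NAME_DEF = re.compile(r"^set firewall ipv[46] name (\S+) ")
GROUP_DEF = re.compile(r"^set firewall group interface-group (\S+) interface ")
JUMP_USE = re.compile(CHAIN_RULE + r"jump-target '?([^'\s]+)'?$")
GROUP_USE = re.compile(CHAIN_RULE + r"(?:inbound|outbound)-interface group '?([^'\s]+)'?$")


def audit(config_text):
    """Return a dict of findings for a block of 'set firewall ...' commands.
    Empty lists mean every reference resolves to a definition."""
    rulesets, groups, jumps, group_refs = set(), set(), [], []
    for line in config_text.strip().splitlines():
        line = line.strip()
        if m := NAME_DEF.match(line):
            rulesets.add(m.group(1))
        if m := GROUP_DEF.match(line):
            groups.add(m.group(1))
        if m := JUMP_USE.match(line):
            jumps.append(m.groups())        # (chain, rule number, target)
        if m := GROUP_USE.match(line):
            group_refs.append(m.groups())   # (chain, rule number, group)
    return {
        # Jump to a ruleset that is never defined: the commit should be rejected,
        # and if the line were silently dropped the interface would fall through
        # to the chain's default-action with no per-interface filtering at all.
        "dangling_jumps": [j for j in jumps if j[2] not in rulesets],
        # A named ruleset nobody jumps to is dead config, usually a typo elsewhere.
        "unused_rulesets": sorted(rulesets - {j[2] for j in jumps}),
        # A rule matching on an undefined group can never match any packet.
        "unknown_groups": [g for g in group_refs if g[2] not in groups],
    }


if __name__ == "__main__":
    for label, cfg in (("as written", SAMPLE_CONFIG), ("corrected", FIXED_CONFIG)):
        print(label, audit(cfg))
```

Paste the output of `show configuration commands | match firewall` into `SAMPLE_CONFIG` to run the same check against a real candidate config before committing it.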

Thanks for your replies. My confusion was added to by mistakenly thinking I wanted to implement input/output filters as I did in vyatta, when vyos now seems to refer to transit traffic as forward.

I think I have managed to get the syntax and logic for the new system. Hopefully I’ll have something to test today.
