Config validation/question

This is 100% asking for someone to spend (waste) time looking at my config just to tell me where I messed up, or if it looks good. I’m just starting to use zones, so I’m still in the process of getting all that converted.

So, if someone has some time they want to waste looking over a very boring and simple vyos config, I sure would appreciate it.
On that note, and unrelated to this individual post, I just wanted to say it sure is nice to see an online community that isn’t just a dungeon filled with trolls. It’s a rare thing these days…

Anyway, this is my vyos config. Other than the questions I’ve had answered here, I’ve been casually learning more and more of the network/firewall/security side of things after a significant amount of time in the sysadmin/server infrastructure side of things. So, it’s important to me that I do this right. Not for any work related things at this point, but just so I understand more about it.

Tear it apart if needed. I’m open to all input.

TIA, again and again…

vyos@vyos# show 
 firewall { 
     all-ping enable 
     broadcast-ping disable 
     group { 
         address-group ALL-INSIDE { 
             address 10.10.18.1-10.10.18.255 
             address 10.10.19.1-10.10.19.255 
             address 10.10.20.1-10.10.20.255 
             description "All inside networks"
         } 
         port-group MAILPORTS { 
             port 25 
             port 80 
             port 465 
             port 587 
             port 443 
         } 
         port-group MINECRAFT-PORTS { 
             port 25565 
         } 
         port-group WEB-PORTS { 
             port 80 
             port 443 
         } 
         port-group WOW-PORTS { 
             port 3724 
             port 8085 
             port 8086 
         } 
     } 
     name INSIDE-OUT { 
         default-action accept 
         rule 5001 { 
             action accept 
             source { 
                 group { 
                     address-group ALL-INSIDE 
                 } 
             } 
             state { 
                 established enable 
                 new enable 
                 related enable 
             }
         } 
     } 
     name OUTSIDE-IN { 
         default-action drop 
         rule 10 { 
             action accept 
             state { 
                 established enable 
                 related enable 
             } 
         } 
         rule 1801 { 
             action accept 
             destination { 
                 address 10.10.18.5 
                 group { 
                     port-group MAILPORTS 
                 } 
             } 
             log enable 
             protocol tcp 
             state { 
                 established enable 
                 new enable 
                 related enable 
             } 
         } 
         rule 1901 { 
             action accept 
             description WEB-IN 
             destination { 
                 address 10.10.19.60 
                 group { 
                     port-group WEB-PORTS 
                 } 
             } 
             protocol tcp 
             state { 
                 new enable 
             } 
         } 
         rule 2001 { 
             action accept
             description MINECRAFT 
             destination { 
                 address 10.10.20.150 
                 group { 
                     port-group MINECRAFT-PORTS 
                 } 
             } 
             protocol tcp_udp 
             state { 
                 new enable 
             } 
         } 
     } 
     name OUTSIDE-LOCAL { 
         default-action drop 
         rule 10 { 
             action accept 
             state { 
                 established enable 
                 related enable 
             } 
         } 
         rule 20 { 
             action accept 
             destination { 
                 address 192.168.254.140 
                 port 2200 
             } 
             protocol tcp 
             state { 
                 new enable 
             } 
         } 
     } 
 } 
 interfaces { 
     ethernet eth0 { 
         address 192.168.254.139/29 
         address 192.168.254.140/29 
         address 192.168.254.141/29 
         hw-id 00:0c:29:4c:7b:d3 
     } 
     ethernet eth1 {
         hw-id 00:0c:29:4c:7b:dd 
         vif 18 { 
             address 10.10.18.1/24 
         } 
         vif 19 { 
             address 10.10.19.1/24 
         } 
         vif 20 { 
             address 10.10.20.1/24 
         } 
     } 
     loopback lo { 
     } 
 } 
 nat { 
     destination { 
         rule 1801 { 
             destination { 
                 address 192.168.254.139 
                 port 25,80,465,443,587 
             } 
             inbound-interface eth0 
             protocol tcp 
             translation { 
                 address 10.10.18.5 
             } 
         } 
         rule 1901 { 
             description "Web-services - Outside to rproxy" 
             destination { 
                 address 192.168.254.140 
                 port 80,443 
             } 
             inbound-interface eth0 
             protocol tcp 
             translation { 
                 address 10.10.19.60 
             } 
         } 
         rule 2001 { 
             destination { 
                 address 192.168.254.141 
                 port 25565
             } 
             inbound-interface eth0 
             protocol tcp_udp 
             translation { 
                 address 10.10.20.150 
             } 
         } 
     } 
     source { 
         rule 1801 { 
             outbound-interface eth0 
             source { 
                 address 10.10.18.0/24 
             } 
             translation { 
                 address 192.168.254.139 
             } 
         } 
         rule 1901 { 
             outbound-interface eth0 
             source { 
                 address 10.10.19.0/24 
             } 
             translation { 
                 address 192.168.254.140 
             } 
         } 
         rule 2001 { 
             outbound-interface eth0 
             source { 
                 address 10.10.20.0/24 
             } 
             translation { 
                 address 192.168.254.141 
             } 
         } 
     } 
 } 
 protocols { 
     static { 
         route 0.0.0.0/0 { 
             next-hop 192.168.254.137 { 
             }
         } 
     } 
 } 
 service { 
     ssh { 
         port 2200 
     } 
 } 
 system { 
     config-management { 
         commit-revisions 100 
     } 
     console { 
         device ttyS0 { 
             speed 115200 
         } 
     } 
     host-name vyos 
     login { 
         user vyos { 
             authentication { 
                 encrypted-password superdupersecretpassword 
                 plaintext-password "" 
             } 
         } 
     } 
     name-server 1.1.1.1 
     ntp { 
         server 0.pool.ntp.org { 
         } 
         server 1.pool.ntp.org { 
         } 
         server 2.pool.ntp.org { 
         } 
     } 
     syslog { 
         global { 
             facility all { 
                 level info 
             } 
             facility protocols { 
                 level debug
             } 
         } 
     } 
     time-zone America/Chicago 
 } 
 zone-policy { 
     zone INSIDE { 
         from OUTSIDE { 
             firewall { 
                 name OUTSIDE-IN 
             } 
         } 
         interface eth1 
         interface eth1.18 
         interface eth1.19 
         interface eth1.20 
     } 
     zone OUTSIDE { 
         default-action drop 
         from INSIDE { 
             firewall { 
                 name INSIDE-OUT 
             } 
         } 
         interface eth0 
     } 
     zone OUTSIDE-LOCAL { 
         from OUTSIDE { 
             firewall { 
                 name OUTSIDE-LOCAL 
             } 
         } 
         local-zone 
     } 
 } 

[edit]

Hi @reno138,

What doesn’t work at the moment? What I see first is that you only have the OUTSIDE-LOCAL rule-set applied to your local-zone from your OUTSIDE zone; all traffic from the other zones will be dropped by default.
The best practice is to create a rule-set per “zone from zone” combination to cover all connections.

Did you read a little bit here?

If you struggle with the explanation, please let me know, so we can try to write it better and bring in another point of view.
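To make the point above concrete, here is an added check (not part of the thread and not VyOS code) that reads `show configuration commands` output and lists every zone pair with no rule-set attached; on an abridged, constructed transcription of the posted zone-policy it reports that nothing from INSIDE reaches the local zone and nothing from the local zone reaches either other zone. The rule-set names it proposes (`SRC-TO-DST`) are a hypothetical convention.

```python
import re

# Constructed sample in 'show configuration commands' form, transcribed
# (abridged) from the zone-policy section posted above.
SAMPLE = """\
set zone-policy zone INSIDE from OUTSIDE firewall name OUTSIDE-IN
set zone-policy zone INSIDE interface eth1
set zone-policy zone OUTSIDE default-action drop
set zone-policy zone OUTSIDE from INSIDE firewall name INSIDE-OUT
set zone-policy zone OUTSIDE interface eth0
set zone-policy zone OUTSIDE-LOCAL from OUTSIDE firewall name OUTSIDE-LOCAL
set zone-policy zone OUTSIDE-LOCAL local-zone
"""

ZONE_RE = re.compile(r"^set zone-policy zone (\S+)(?: from (\S+) firewall name (\S+))?")


def zone_matrix(commands):
    """Map each zone to the {source_zone: rule_set} pairs it explicitly accepts."""
    zones = {}
    for line in commands.splitlines():
        m = ZONE_RE.match(line)
        if not m:
            continue
        dst, src, ruleset = m.groups()
        zones.setdefault(dst, {})
        if src:
            zones[dst][src] = ruleset
    return zones


def missing_pairs(commands):
    """Zone pairs with no 'from' entry. zone-policy drops these by default,
    so each one is a flow that silently fails until a rule-set is attached."""
    zones = zone_matrix(commands)
    return [(src, dst) for dst in zones for src in zones
            if src != dst and src not in zones[dst]]


def fix_commands(src, dst):
    """Skeleton 'set' lines for a missing pair (hypothetical SRC-TO-DST name):
    a drop-by-default rule-set that only admits return traffic, to be extended
    with the flows actually needed (e.g. LAN -> router DNS, router -> NTP)."""
    name = f"{src}-TO-{dst}"
    return [f"set firewall name {name} default-action drop",
            f"set firewall name {name} rule 10 action accept",
            f"set firewall name {name} rule 10 state established enable",
            f"set firewall name {name} rule 10 state related enable",
            f"set zone-policy zone {dst} from {src} firewall name {name}"]


if __name__ == "__main__":
    for src, dst in missing_pairs(SAMPLE):
        print(f"# no rule-set for {src} -> {dst}")
        print("\n".join(fix_commands(src, dst)))
```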

Heya @rob

I dropped the zone based stuff until I can get my head around it better so I don’t leave my network exposed to the internet again. :slight_smile:

The documentation (from my point of view as a long time sysadmin, but short time netadmin) seems to be sparse in some areas. The documentation for wireguard is a good example. Also, the documentation for zone based firewalls, policy based routing…

But, now that I’ve seen the three links you posted (and somehow haven’t seen before after tons of searching) I take it back. If there are similar pages for wireguard and policy based routing, I’m going to be very happy.

Overall, what you guys are doing is amazing, and I can’t thank you enough for giving us an enterprise feature set on an open source platform. I was talking to a friend of mine and we were thinking about putting together some “wizards” for tasks that seem to take up too much time for how simple the configuration is. Like openvpn, as an example. We could break that down into a few questions, apply those questions to the config, and all the cert generation, etc, just happens in the background. But, of course the more complex configs could be built on top of that, or just done from scratch. Firewall configs as another example. I need to allow these ports on this interface with this destination IP, and build a DNAT rule for it while we’re at it. Maybe we’ll sit down soon and do it, just to see if it works and how hard it is to add…

Anyway, I could rave about this thing all night, because it got me interested in learning how more of this stuff works, and now I actually enjoy messing around with it and learning. After 25 years in the IT world, that isn’t common anymore. :wink:

Again, thanks for all the work you guys put into this. If I could afford the subscription, I’d be all over it just to help the project in some way.

Now that I’ve rambled for a while in my brain dead tired state, I’ll drop off of here.