Easy to handle firewall rules

The firewall rule handling is the main drawback of VyOS for me.
Otherwise a terrific OS :slight_smile:

  1. To create a rule several lines have to be written.
    It would be much more intuitive if you could create rules in one line. (At least simple rules)

    • For example:
      set firewall name test-1 rule 100 accept tcp 6.6.6.6 7.7.7.7 5555
    • Instead of:
      set firewall name test-1 rule 100 action 'accept'
      set firewall name test-1 rule 100 destination address '7.7.7.7'
      set firewall name test-1 rule 100 destination port '5555'
      set firewall name test-1 rule 100 protocol 'tcp'
      set firewall name test-1 rule 100 source address '6.6.6.6'
  2. A more readable view of the rules (“show firewall”) would be very helpful.
    One line per rule would be optimal (maybe “show firewall compact”).
    Update: Ok, there are more readable views in operational mode, my fault.

I do not think that the current form should be eliminated, but as I see it, it would also be very useful to be able to create simpler rules the way you propose.

This thread is 3 years old but maybe still relevant for someone…
You can do this really easily with a bit of scripting.
https://docs.vyos.io/en/latest/automation/command-scripting.html

I added a little script called /config/scripts/addfw.sh with the following lines:

#!/bin/vbash
# One-line firewall rule: NAME RULE ACTION SRC DST PROT PORT
if [ $# -ne 7 ]; then
  echo "usage: $0 NAME RULE ACTION SRC DST PROT PORT" >&2
  exit 1
fi
NAME=$1
RULE=$2
ACTION=$3
SRC=$4
DST=$5
PROT=$6
PORT=$7

# Provides the configure/set/delete/commit/exit wrappers used below.
source /opt/vyatta/etc/functions/script-template
configure
# Remove any existing rule with this number first so no stale options remain.
delete firewall name "$NAME" rule "$RULE"
set firewall name "$NAME" rule "$RULE" action "$ACTION"
set firewall name "$NAME" rule "$RULE" source address "$SRC"
set firewall name "$NAME" rule "$RULE" destination address "$DST"
set firewall name "$NAME" rule "$RULE" protocol "$PROT"
set firewall name "$NAME" rule "$RULE" destination port "$PORT"
commit
# Leaves the config session; the rule is committed but not saved to disk.
exit

Then execute (or put it in .bashrc etc.):
alias addfw=/config/scripts/addfw.sh

Now you are able to easily add simple firewall rules like this:

addfw test 100 accept 1.2.3.5 2.3.4.5 udp 100

show configuration commands |grep firewall
set firewall name test rule 100 action 'accept'
set firewall name test rule 100 destination address '2.3.4.5'
set firewall name test rule 100 destination port '100'
set firewall name test rule 100 protocol 'udp'
set firewall name test rule 100 source address '1.2.3.5'

I hope that helps :wink:
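A stricter variant of the same idea, as an added example that is neither the poster's script nor VyOS code: it checks every argument before emitting the set commands, so a typo or a stray shell metacharacter is rejected instead of reaching the configuration session. The accepted action and protocol keywords, the 1-9999 rule range and the IPv4-only address check are assumptions of this example; it only prints the commands, and applying them on VyOS is left to the caller.

```shell
#!/bin/bash
# Validates the seven arguments of a one-line rule and prints the VyOS
# "set firewall name ..." commands it expands to. Added example, not the
# poster's script: it only builds and checks the commands, so it runs on
# any shell and never touches a configuration session itself.

ipv4_ok() {
  # Dotted quad with octets in 0-255, optional /0-32 prefix.
  local ip="${1%%/*}" pfx="${1#*/}" o
  [ "$pfx" = "$1" ] && pfx=32
  case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for o; do [ "$o" -le 255 ] 2>/dev/null || return 1; done
  [ "$pfx" -ge 0 ] 2>/dev/null && [ "$pfx" -le 32 ]
}

num_ok() {
  # $1 is an integer between $2 and $3 inclusive.
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge "$2" ] 2>/dev/null && [ "$1" -le "$3" ]
}

build_fw_rule() {
  # Usage: build_fw_rule NAME RULE ACTION SRC DST PROTO DPORT
  # Accepts plain values only; keyword lists and ranges are assumptions.
  [ $# -eq 7 ] || { echo "usage: build_fw_rule NAME RULE ACTION SRC DST PROTO DPORT" >&2; return 1; }
  local name=$1 rule=$2 action=$3 src=$4 dst=$5 proto=$6 port=$7
  case "$name" in ''|*[!A-Za-z0-9_-]*) echo "bad rule-set name: $name" >&2; return 1 ;; esac
  num_ok "$rule" 1 9999   || { echo "bad rule number: $rule" >&2; return 1; }
  case "$action" in accept|drop|reject) ;; *) echo "bad action: $action" >&2; return 1 ;; esac
  ipv4_ok "$src"          || { echo "bad source: $src" >&2; return 1; }
  ipv4_ok "$dst"          || { echo "bad destination: $dst" >&2; return 1; }
  case "$proto" in tcp|udp|tcp_udp) ;; *) echo "bad protocol: $proto" >&2; return 1 ;; esac
  num_ok "$port" 1 65535  || { echo "bad port: $port" >&2; return 1; }
  printf 'set firewall name %s rule %s action %s\n'              "$name" "$rule" "$action"
  printf 'set firewall name %s rule %s source address %s\n'      "$name" "$rule" "$src"
  printf 'set firewall name %s rule %s destination address %s\n' "$name" "$rule" "$dst"
  printf 'set firewall name %s rule %s protocol %s\n'            "$name" "$rule" "$proto"
  printf 'set firewall name %s rule %s destination port %s\n'    "$name" "$rule" "$port"
}

# Dry run with the values used in the thread (constructed sample input).
build_fw_rule test 100 accept 1.2.3.5 2.3.4.5 udp 100
```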