Feature Request Nested Groups & Time schedule Groups/Rule

Hi,

Is there any chance to have nested firewall groups?

E.g

set firewall group address-group AG_SERVERS1 address 192.168.1.10-192.168.1.20
set firewall group address-group AG_SERVERS2 address 192.168.2.10-192.168.2.20
set firewall group address-group AG_SERVERS3 address 192.168.3.10-192.168.4.20
set firewall group address-group AG_SERVERSALL address AG_SERVERS1,AG_SERVERS2,AG_SERVERS3

Also, is it easy to implement nested scheduled rule times? E.g. I have workstations that I only want to allow web access at different times for weekdays and weekends. Currently you need to add a rule for each of these options. Is there a way to create a time rule group that has the schedules added, so you only need one firewall rule referencing that time rule?

An example would look something like this

set firewall group time WORKSTATION_WEB_ACCESS rule 1 description "Allow Daily Web"
set firewall group time WORKSTATION_WEB_ACCESS rule 1 starttime '22:30:00'
set firewall group time WORKSTATION_WEB_ACCESS rule 1 stoptime '07:00:00'
set firewall group time WORKSTATION_WEB_ACCESS rule 1 utc
set firewall group time WORKSTATION_WEB_ACCESS rule 2 description "Allow Weekend Web"
set firewall group time WORKSTATION_WEB_ACCESS rule 2 starttime '22:30:00'
set firewall group time WORKSTATION_WEB_ACCESS rule 2 stoptime '09:00:00'
set firewall group time WORKSTATION_WEB_ACCESS rule 2 utc
set firewall group time WORKSTATION_WEB_ACCESS rule 2 weekdays 'Sat,Sun'
set firewall name INSIDE-OUTSIDE rule 1000 action 'accept'
set firewall name INSIDE-OUTSIDE rule 1000 description 'Allow Internet'
set firewall name INSIDE-OUTSIDE rule 1000 log 'enable'
set firewall name INSIDE-OUTSIDE rule 1000 protocol 'tcp'
set firewall name INSIDE-OUTSIDE rule 1000 destination port '80,443'
set firewall name INSIDE-OUTSIDE rule 1000 source group address-group 'WORKSTATIONS'
set firewall name INSIDE-OUTSIDE rule 1000 state new 'enable'
set firewall name INSIDE-OUTSIDE rule 1000 time group WORKSTATION_WEB_ACCESS

Kind Regards

There is a task for it: T478.
It can be implemented after rewriting the firewall to XML/Python.

Hi Viacheslav,

Thanks for your reply. Guessing this will also have options to include nested time schedules.

Kind Regards

Hi Viacheslav,

I notice T478 has been completed; is there also a possibility to do this with time?

Example

set firewall group group-schedule "time_fri_4.00pm_9.45pm" starttime 16:00:00
set firewall group group-schedule "time_fri_4.00pm_9.45pm" stoptime 21:45:00
set firewall group group-schedule "time_fri_4.00pm_9.45pm" weekdays Friday

set firewall group group-schedule "time_sat_2.00pm-9.45pm" starttime 14:00:00
set firewall group group-schedule "time_sat_2.00pm-9.45pm" stoptime 21:45:00
set firewall group group-schedule "time_sat_2.00pm-9.45pm" weekdays Saturday

set firewall group group-schedule "time_sun_2.00pm-4.00pm" starttime 14:00:00
set firewall group group-schedule "time_sun_2.00pm-4.00pm" stoptime 16:00:00
set firewall group group-schedule "time_sun_2.00pm-4.00pm" weekdays Sunday

set firewall group group-schedule ClientAccessHours include time_fri_4.00pm_9.45pm
set firewall group group-schedule ClientAccessHours include time_sat_2.00pm-9.45pm
set firewall group group-schedule ClientAccessHours include time_sun_2.00pm-4.00pm

set firewall ipv4 name CLIENT-SYSTEMS rule 2000 action accept
.....
.....
set firewall ipv4 name CLIENT-SYSTEMS rule 2000 destination group address-group Client-Servers
set firewall ipv4 name CLIENT-SYSTEMS rule 2000 time group-schedule ClientAccessHours

Kind Regards

I'm not sure if this is supported in the nftables backend.
If you can provide a valid example in nftables, we can analyze whether this is doable for VyOS.

Hi n.fort,

Appreciate your response.

Unfortunately I cannot give you an example, as I have no experience with nftables. Excuse my ignorance, but I thought that the VyOS firewall CLI was a wrapper around nftables? So in the example above, the backend script would read the CLI configuration and create three rules within the nftables config.

Yes, I know you can create three separate rules, but somehow groups seem to be cleaner.

I guess group-addresses, group-networks etc. are included in / part of nftables?

Regards.
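As an added illustration (not VyOS code, and not something anyone in the thread posted), this is the expansion the last two posts talk about: a backend walks the nested `include` lists of the proposed group-schedule down to its leaf schedules and emits one flat nftables rule per leaf and weekday, using the nftables `meta day` and `meta hour` matchers. The `SCHEDULES` dict is constructed from the thread's example, and the rule prefix and the `@Client-Servers` set name are assumptions; include loops are rejected, a leaf reached by two paths yields one rule, and ranges that cross midnight are rejected rather than guessed at.

```python
"""Flatten nested group-schedules (as proposed in the thread) into per-leaf nftables matches.

Added example, not VyOS code. SCHEDULES is constructed from the thread's example and the
'include' key mirrors the proposed CLI syntax; the rule prefix and set name are assumptions.
"""
from typing import Dict, List

SCHEDULES: Dict[str, dict] = {  # constructed from the thread's example
    "time_fri_4.00pm_9.45pm": {"starttime": "16:00:00", "stoptime": "21:45:00", "weekdays": ["Friday"]},
    "time_sat_2.00pm-9.45pm": {"starttime": "14:00:00", "stoptime": "21:45:00", "weekdays": ["Saturday"]},
    "time_sun_2.00pm-4.00pm": {"starttime": "14:00:00", "stoptime": "16:00:00", "weekdays": ["Sunday"]},
    "ClientAccessHours": {"include": ["time_fri_4.00pm_9.45pm", "time_sat_2.00pm-9.45pm", "time_sun_2.00pm-4.00pm"]},
}

def expand(schedules: Dict[str, dict], name: str, seen: frozenset = frozenset()) -> List[str]:
    """Leaf schedules reachable from `name`; nested includes are allowed, include loops are not."""
    if name in seen:
        raise ValueError(f"group-schedule include loop at {name!r}")
    entry = schedules[name]  # KeyError here means a reference to an undefined schedule
    if "include" not in entry:
        return [name]
    leaves: List[str] = []
    for child in entry["include"]:
        for leaf in expand(schedules, child, seen | {name}):
            if leaf not in leaves:  # the same leaf reached via two paths still yields one rule
                leaves.append(leaf)
    return leaves

def nft_matches(schedules: Dict[str, dict], leaf: str) -> List[str]:
    """One `meta day ... meta hour ...` match per weekday of a leaf schedule."""
    s = schedules[leaf]
    start, stop = s["starttime"][:5], s["stoptime"][:5]  # nftables meta hour takes HH:MM
    if start >= stop:  # keep to the same-day case; such a schedule should be split at midnight
        raise ValueError(f"{leaf}: {start}-{stop} crosses midnight")
    return [f'meta day "{day}" meta hour "{start}"-"{stop}"' for day in s["weekdays"]]

def render_rules(schedules: Dict[str, dict], group: str, prefix: str) -> List[str]:
    """The flat nftables rules that a single CLI rule referencing `group` would stand for."""
    return [f"{prefix} {m} accept"
            for leaf in expand(schedules, group) for m in nft_matches(schedules, leaf)]

if __name__ == "__main__":
    for rule in render_rules(SCHEDULES, "ClientAccessHours",
                             "add rule ip filter CLIENT-SYSTEMS ip daddr @Client-Servers"):
        print(rule)
```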