Is there any chance to have nested firewall groups?
E.g.
set firewall group address-group AG_SERVERS1 address 192.168.1.10-192.168.1.20
set firewall group address-group AG_SERVERS2 address 192.168.2.10-192.168.2.20
set firewall group address-group AG_SERVERS3 address 192.168.3.10-192.168.4.20
set firewall group address-group AG_SERVERSALL address AG_SERVERS1,AG_SERVERS2,AG_SERVERS3
Also, is it easy to implement nested scheduled rule times? E.g. I have workstations that I only want to allow web access at different times for weekdays and weekends. Currently you need to add a rule for each of these options. Is there a way to create a time rule group that has the schedules added, so you only need one firewall rule referencing that time rule?
An example would look something like this
set firewall group time WORKSTATION_WEB_ACCESS rule 1 description "Allow Daily Web"
set firewall group time WORKSTATION_WEB_ACCESS rule 1 starttime '22:30:00'
set firewall group time WORKSTATION_WEB_ACCESS rule 1 stoptime '07:00:00'
set firewall group time WORKSTATION_WEB_ACCESS rule 1 utc
set firewall group time WORKSTATION_WEB_ACCESS rule 2 description "Allow Weekend Web"
set firewall group time WORKSTATION_WEB_ACCESS rule 2 starttime '22:30:00'
set firewall group time WORKSTATION_WEB_ACCESS rule 2 stoptime '09:00:00'
set firewall group time WORKSTATION_WEB_ACCESS rule 2 utc
set firewall group time WORKSTATION_WEB_ACCESS rule 2 weekdays 'Sat,Sun'
set firewall name INSIDE-OUTSIDE rule 1000 action 'accept'
set firewall name INSIDE-OUTSIDE rule 1000 description 'Allow Internet'
set firewall name INSIDE-OUTSIDE rule 1000 log 'enable'
set firewall name INSIDE-OUTSIDE rule 1000 protocol 'tcp'
set firewall name INSIDE-OUTSIDE rule 1000 destination port '80,443'
set firewall name INSIDE-OUTSIDE rule 1000 source group address-group 'WORKSTATIONS'
set firewall name INSIDE-OUTSIDE rule 1000 state new 'enable'
set firewall name INSIDE-OUTSIDE rule 1000 time group WORKSTATION_WEB_ACCESS
Notice T478 has been completed, although is there a possibility to do this with time?
Example
set firewall group group-schedule "time_fri_4.00pm_9.45pm" starttime 16:00:00
set firewall group group-schedule "time_fri_4.00pm_9.45pm" stoptime 21:45:00
set firewall group group-schedule "time_fri_4.00pm_9.45pm" weekdays Friday
set firewall group group-schedule "time_sat_2.00pm-9.45pm" starttime 14:00:00
set firewall group group-schedule "time_sat_2.00pm-9.45pm" stoptime 21:45:00
set firewall group group-schedule "time_sat_2.00pm-9.45pm" weekdays Saturday
set firewall group group-schedule "time_sun_2.00pm-4.00pm" starttime 14:00:00
set firewall group group-schedule "time_sun_2.00pm-4.00pm" stoptime 16:00:00
set firewall group group-schedule "time_sun_2.00pm-4.00pm" weekdays Sunday
set firewall group group-schedule ClientAccessHours include time_fri_4.00pm_9.45pm
set firewall group group-schedule ClientAccessHours include time_sat_2.00pm-9.45pm
set firewall group group-schedule ClientAccessHours include time_sun_2.00pm-4.00pm
set firewall ipv4 name CLIENT-SYSTEMS rule 2000 action accept
.....
.....
set firewall ipv4 name CLIENT-SYSTEMS rule 2000 destination group address-group Client-Servers
set firewall ipv4 name CLIENT-SYSTEMS rule 2000 time group-schedule ClientAccessHours
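As an added example (not code from the thread or from VyOS), here is a small Python generator that expands the nested time group proposed in both posts above into the flat one-rule-per-window commands VyOS needs today. It follows the first post's `set firewall name` syntax (1.4 uses `firewall ipv4 name`); the `time starttime`, `stoptime`, `weekdays` and `utc` rule options are VyOS's own, while the function names and the constructed input are assumptions.

```python
import re
from datetime import time

WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

def parse_hms(value):
    """Validate an hh:mm:ss string; datetime.time rejects 25:00:00 etc."""
    m = re.fullmatch(r"(\d{2}):(\d{2}):(\d{2})", value)
    if not m:
        raise ValueError(f"bad time {value!r}, expected hh:mm:ss")
    return time(*map(int, m.groups()))

def expand_schedule(ruleset, base_rule, match, windows):
    """Emit one VyOS rule per time window, cloning the shared match fields.

    match:   shared "set ... rule N <field>" suffixes (action, source, ...)
    windows: dicts with description, starttime, stoptime and optional
             weekdays (list) / utc (bool); stoptime < starttime wraps midnight
    """
    commands = []
    for offset, win in enumerate(windows):  # rules base_rule, base_rule+1, ...
        parse_hms(win["starttime"])
        parse_hms(win["stoptime"])
        bad = set(win.get("weekdays", [])) - set(WEEKDAYS)
        if bad:
            raise ValueError(f"unknown weekday(s) {sorted(bad)}")
        prefix = f"set firewall name {ruleset} rule {base_rule + offset}"
        commands.append(f"{prefix} description '{win['description']}'")
        commands.extend(f"{prefix} {field}" for field in match)
        commands.append(f"{prefix} time starttime '{win['starttime']}'")
        commands.append(f"{prefix} time stoptime '{win['stoptime']}'")
        if win.get("weekdays"):
            commands.append(f"{prefix} time weekdays '{','.join(win['weekdays'])}'")
        if win.get("utc"):
            commands.append(f"{prefix} time utc")
    return commands

# Constructed input mirroring the thread's WORKSTATION_WEB_ACCESS idea.
WEB_ACCESS = [
    {"description": "Allow Daily Web", "starttime": "22:30:00",
     "stoptime": "07:00:00", "utc": True},
    {"description": "Allow Weekend Web", "starttime": "22:30:00",
     "stoptime": "09:00:00", "weekdays": ["Sat", "Sun"], "utc": True},
]
# Match fields shared by every generated rule (taken from the first post).
SHARED_MATCH = ["action 'accept'", "log 'enable'", "protocol 'tcp'",
                "destination port '80,443'",
                "source group address-group 'WORKSTATIONS'", "state new 'enable'"]
if __name__ == "__main__":
    print("\n".join(expand_schedule("INSIDE-OUTSIDE", 1000, SHARED_MATCH, WEB_ACCESS)))
```

Each window becomes its own rule number, so a group of three schedules (as in the ClientAccessHours example) yields three consecutive rules with identical match fields and differing `time` options.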
Unfortunately I cannot give you an example as I have no experience with nftables. Excuse my ignorance, but I thought that VyOS firewall CLI was a wrapper to nftables? So in the example above, the backend script would read the CLI configuration and create three rules within nftables config.
Yes, I know you can create three separate rules, but somehow groups seem to be cleaner.
I guess group-addresses, group-networks etc. are included/part of nftables?