Firewall on loopback

On Juniper I’m used to applying the local firewall to the loopback interface, but on vyos you can’t apply firewall filters to lo. What I do is I have a firewall filter I apply to local on all connected interfaces, but I find this very annoying and open to mistakes. It’s so easy to forget to apply the firewall to some interface, and doubly when it’s something other than a physical interface (wireguard etc.), since it’s easier to forget that those interfaces receive external traffic just like the physical ones.

Is there an easier way to configure a local firewall filter, without having to apply it to every interface?

Hi,

which VyOS version are you running? The “real” equivalent of a loopback interface on e.g. Juniper/Cisco on VyOS/Linux is a so-called dummy interface. And the dummy interface has firewalling support as of VyOS 1.3.2.

Christian

I’m running 1.3.1, but I was planning on upgrading to 1.3.2 next week.

Using a dummy interface instead of the loopback sounds like it could be just the thing, thanks.

But those firewall rules will only work if traffic really is routed over the dummy interface. Which it probably isn’t.
Consider a zone-based firewall.

“local” is somewhat different on Juniper than on VyOS: the loopback interface on Juniper devices is what connects the routing engine (the control plane - where your SSH, BGP, … services are running) to the PFE (where all packets are routed/switched/…). So while you have an IP on ge-0/0/0, it basically directs the PFE to “forward all packets directed to this IP to the routing engine (loopback)”, which can then be filtered by the single filter.

VyOS doesn’t have this distinction, so every interface needs either its own filter, or has to belong to a zone.

Makes sense. Seems I need to just be careful to add the local firewall to all interfaces if I want to keep using the packet-based firewall.

You can use a zone-based firewall and “interface eth+” or “wg+”.
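The two approaches discussed in this thread side by side, as an added configuration example that is not from any of the posters. Approach A is the per-interface `local` filter the original poster uses today; approach B is the zone-based layout suggested in the replies, where the router's own services sit in a `local-zone` and every interface is protected by belonging to a zone rather than by a filter attached to it. Interface names (`eth0`, `eth1`, `wg0`), zone and rule-set names, rule numbers and the permitted services (SSH, ICMP) are assumptions chosen for illustration; the `eth+`/`wg+` interface wildcards are taken from the last reply and are worth confirming on your own 1.3.x build before relying on them. Syntax follows the VyOS 1.3 `configure`-mode command tree.

```vyos
# ---- Shared rule set: what may reach services running on the router itself ----
set firewall name LOCAL-IN default-action 'drop'
set firewall name LOCAL-IN rule 10 action 'accept'
set firewall name LOCAL-IN rule 10 state established 'enable'
set firewall name LOCAL-IN rule 10 state related 'enable'
set firewall name LOCAL-IN rule 20 action 'accept'
set firewall name LOCAL-IN rule 20 protocol 'tcp'
set firewall name LOCAL-IN rule 20 destination port '22'
set firewall name LOCAL-IN rule 30 action 'accept'
set firewall name LOCAL-IN rule 30 protocol 'icmp'

# ---- Approach A: per-interface "local" filter (the poster's current setup) ----
# The rule set must be attached to EVERY interface that can deliver packets to
# the router, tunnels included. Missing one (e.g. wg0 below) leaves a hole.
set interfaces ethernet eth0 firewall local name 'LOCAL-IN'
set interfaces ethernet eth1 firewall local name 'LOCAL-IN'
set interfaces wireguard wg0 firewall local name 'LOCAL-IN'

# ---- Approach B: zone-based firewall with a local zone (replaces approach A) ----
# Delete the per-interface attachments first; VyOS does not allow an interface
# to carry both a "local" filter and zone membership.
# delete interfaces ethernet eth0 firewall local
# delete interfaces ethernet eth1 firewall local
# delete interfaces wireguard wg0 firewall local

# The LOCAL zone is the router itself (the "loopback" in Juniper terms).
set zone-policy zone LOCAL local-zone
set zone-policy zone LOCAL default-action 'drop'

# Untrusted side: wildcard membership picks up every eth*/wg* interface,
# including tunnels created later, so nothing has to be remembered per interface.
set zone-policy zone WAN default-action 'drop'
set zone-policy zone WAN interface 'eth0'
set zone-policy zone WAN interface 'wg+'

# Trusted side.
set zone-policy zone LAN default-action 'drop'
set zone-policy zone LAN interface 'eth1'

# Inbound to the router: one rule set, applied once per source zone.
set zone-policy zone LOCAL from WAN firewall name 'LOCAL-IN'
set zone-policy zone LOCAL from LAN firewall name 'LOCAL-IN'

# Caveat: zone policy also governs traffic LEAVING the router (DNS, NTP, BGP,
# package updates). With no from-LOCAL policy it is dropped, so permit it.
set firewall name LOCAL-OUT default-action 'accept'
set zone-policy zone WAN from LOCAL firewall name 'LOCAL-OUT'
set zone-policy zone LAN from LOCAL firewall name 'LOCAL-OUT'

# Transit traffic needs explicit policies too; zones default to drop.
set firewall name LAN-TO-WAN default-action 'accept'
set firewall name WAN-TO-LAN default-action 'drop'
set firewall name WAN-TO-LAN rule 10 action 'accept'
set firewall name WAN-TO-LAN rule 10 state established 'enable'
set firewall name WAN-TO-LAN rule 10 state related 'enable'
set zone-policy zone WAN from LAN firewall name 'LAN-TO-WAN'
set zone-policy zone LAN from WAN firewall name 'WAN-TO-LAN'
```

The practical difference for the poster's problem is where the mistake would show up: in approach A, an interface that is forgotten receives unfiltered traffic silently, whereas in approach B an interface that belongs to no zone passes no traffic at all until it is assigned, which is the failure that gets noticed. The price is that zone policy is bidirectional, so router-originated and transit flows must be permitted explicitly, as the `LOCAL-OUT`, `LAN-TO-WAN` and `WAN-TO-LAN` sets above do.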