Firewall Rules for adding system images

So I’ve set up a working set of zone policies, but I realized I need to create a rule specifically to download new images. Is VyOS just using port 443 for the request? Is there a recommended way to limit it to VyOS servers without opening such a well-known port to local?

You need to allow established connections. These are my outside to local firewall rules:

set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'

You will also need a name-server for the system image download to succeed:

set system name-server '1.1.1.1'

You don’t open port 443 locally to establish a connection to a webserver to download an image. You don’t need to open any ports to initiate a connection outbound unless you’re purposefully blocking all ports from creating any connections outbound, in which case, you have a LOT of administration work on your hands to allow certain devices to communicate.

Probably a script that resolves the VyOS upstream server(s) and updates an address group with addresses found will do. Schedule the script so DNS changes are followed.
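One way to build the script suggested above, as an added example that is not part of the thread and not VyOS project code. It resolves the download host, rebuilds an address group from the result, and refuses to touch the group when nothing resolves. The group name VYOS-UPSTREAM, the hostname, and the script path in the usage note are placeholders; `/opt/vyatta/etc/functions/script-template` is VyOS's own shell helper for scripted configuration and is assumed to be present on the router.

```shell
#!/bin/bash
# Added example (not from the thread): refresh a VyOS address group with the
# current addresses of the image download host, so an outbound rule can be
# limited to those addresses instead of allowing 443 to anywhere.
# Assumed names: the address group VYOS-UPSTREAM and the hostname below are
# placeholders; substitute the host your release channel actually serves from.
# On the router this runs under vbash (#!/bin/vbash); script-template is the
# VyOS helper that provides configure/set/delete/commit/save/exit.

GROUP_NAME="VYOS-UPSTREAM"            # assumed address-group name
UPSTREAM_HOSTS="downloads.vyos.io"    # assumed hostname(s), space-separated

# resolve_hosts: print each IPv4 address of the given hostnames, one per line.
# Needs a working resolver on the router (the 'system name-server' set above).
resolve_hosts() {
    for host in "$@"; do
        getent ahostsv4 "$host" | awk '{print $1}' | sort -u
    done
}

# build_commands: read addresses from stdin and print the config commands
# that rebuild the group. The group is deleted first so that addresses
# DNS no longer returns drop out instead of accumulating.
# Only dotted-quad lines are accepted; anything else is skipped rather than
# passed into the configuration.
build_commands() {
    echo "delete firewall group address-group $GROUP_NAME"
    while read -r ip; do
        echo "$ip" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}$' || continue
        echo "set firewall group address-group $GROUP_NAME address $ip"
    done
}

# apply_commands: run the generated commands in a VyOS config session.
# Takes the command list as one newline-separated string.
apply_commands() {
    . /opt/vyatta/etc/functions/script-template
    configure
    while read -r cmd; do
        [ -n "$cmd" ] && $cmd
    done <<EOF
$1
EOF
    commit
    save
    exit
}

# Entry point for the scheduler (--apply); running without it only defines
# the functions. If nothing resolves, leave the existing group untouched:
# wiping it would block the next image download.
if [ "${1:-}" = "--apply" ]; then
    addrs=$(resolve_hosts $UPSTREAM_HOSTS)
    if [ -z "$addrs" ]; then
        echo "no addresses resolved for $UPSTREAM_HOSTS; group left unchanged" >&2
        exit 1
    fi
    apply_commands "$(printf '%s\n' "$addrs" | build_commands)"
fi
```

To use it, save the script under `/config/scripts/` (so it survives upgrades), then schedule it with `set system task-scheduler task vyos-upstream executable path /config/scripts/update-vyos-upstream.sh`, `set system task-scheduler task vyos-upstream executable arguments --apply` and `set system task-scheduler task vyos-upstream interval 1h` (task name, path and interval are choices, not requirements). The outbound rule then references the group rather than any address, e.g. `set firewall name LOCAL-OUTSIDE rule 10 destination group address-group VYOS-UPSTREAM` with `protocol tcp` and `destination port 443` (LOCAL-OUTSIDE is an assumed rule-set name). The established/related rule from the earlier reply still handles the return traffic; the group only narrows what local may initiate. Hosts served through a CDN can change addresses between runs, so if a download fails right after a DNS change, rerun the script before widening the rule.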