HOW TO add named FIREWALL RULES to specific interfaces eth0.777

Hello ALL,
Configure WAN-LOCAL firewall rules:

set firewall ipv4 name WAN-LOCAL default-action 'drop'
set firewall ipv4 name WAN-LOCAL default-log
set firewall ipv4 name WAN-LOCAL rule 1000 action 'drop'
set firewall ipv4 name WAN-LOCAL rule 1000 state 'invalid'
set firewall ipv4 name WAN-LOCAL rule 1010 action 'accept'
set firewall ipv4 name WAN-LOCAL rule 1010 state 'established'
set firewall ipv4 name WAN-LOCAL rule 1010 state 'related'
set firewall ipv4 name WAN-LOCAL rule 1020 action 'accept'
set firewall ipv4 name WAN-LOCAL rule 1020 icmp type-name 'echo-request'
set firewall ipv4 name WAN-LOCAL rule 1020 protocol 'icmp'
set firewall ipv4 name WAN-LOCAL rule 1030 action 'accept'
set firewall ipv4 name WAN-LOCAL rule 1030 destination port '22'
set firewall ipv4 name WAN-LOCAL rule 1030 protocol 'tcp'
set firewall ipv4 name WAN-LOCAL rule 1030 source geoip country-code 'bg'
set firewall ipv4 name WAN-LOCAL rule 1030 state 'new'
set firewall ipv4 name WAN-LOCAL rule 1040 action 'accept'

But I can’t find how to apply that policy, any suggestions?
Version is VyOS 1.5-rolling-202405101513

You also need to use the interface as a matching criterion in the chain where you are trying to apply this filter (input, forward or output, for example).
Take a look at documentation:
https://docs.vyos.io/en/latest/configuration/firewall/index.html

And an example which uses VRF. It is not your case, but you can check it to get an idea of how to use interfaces:
https://docs.vyos.io/en/latest/configexamples/fwall-and-vrf.html

I have already read the documentation and it is not clear to me. Could you provide me an example?

I would assume it’s for input traffic, since custom ruleset is named WAN-LOCAL

set firewall ipv4 input filter rule 10 action jump
set firewall ipv4 input filter rule 10 jump-target WAN-LOCAL
set firewall ipv4 input filter rule 10 inbound-interface name eth0
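
Added example (not part of the thread and not VyOS code): a small Python check that reads `set firewall` commands and reports which named rulesets are reached by a jump rule in the input, forward or output filter chain, on which interface, and which are defined but never applied, as in the original question. It assumes rulesets are attached only by jump rules in those base chains (zone-based attachment and jumps between named rulesets are not followed); `MGMT-LOCAL` is a hypothetical ruleset and the sample config is constructed.

```python
import re
from collections import defaultdict

# Constructed sample: part of the thread's WAN-LOCAL ruleset, the jump rule
# from the answer, and a hypothetical MGMT-LOCAL ruleset nothing jumps to.
SAMPLE = """\
set firewall ipv4 name WAN-LOCAL default-action 'drop'
set firewall ipv4 name WAN-LOCAL rule 1000 action 'drop'
set firewall ipv4 name WAN-LOCAL rule 1000 state 'invalid'
set firewall ipv4 name MGMT-LOCAL default-action 'drop'
set firewall ipv4 input filter rule 10 action jump
set firewall ipv4 input filter rule 10 jump-target WAN-LOCAL
set firewall ipv4 input filter rule 10 inbound-interface name eth0
"""

NAMED = re.compile(r"set firewall (ipv[46]) name (\S+)")
BASE = re.compile(r"set firewall (ipv[46]) (input|forward|output) filter rule (\d+) (.+)")


def audit(config):
    """Return (attached, unattached) for the named rulesets found in config."""
    defined, rules = set(), defaultdict(dict)
    for line in config.splitlines():
        line = line.strip()
        if m := BASE.match(line):
            family, hook, number, rest = m.groups()
            key, _, value = rest.rpartition(" ")  # last token is the value
            rules[(family, hook, int(number))][key] = value.strip("'\"")
        elif m := NAMED.match(line):
            defined.add((m.group(1), m.group(2).strip("'\"")))

    attached = defaultdict(list)
    for (family, hook, number), opts in sorted(rules.items()):
        # A jump only takes effect when the rule has both the action and a target.
        if opts.get("action") == "jump" and "jump-target" in opts:
            iface = (opts.get("inbound-interface name")
                     or opts.get("outbound-interface name") or "any")
            attached[(family, opts["jump-target"])].append((hook, number, iface))
    # Assumption: only direct jumps from base chains count as "applied".
    return dict(attached), sorted(defined - set(attached))


if __name__ == "__main__":
    attached, unattached = audit(SAMPLE)
    for (family, name), hooks in attached.items():
        print(f"{family} {name} applied at (chain, rule, interface): {hooks}")
    for family, name in unattached:
        print(f"{family} {name} is defined but no base-chain rule jumps to it")
```

A jump rule without an interface match is reported with interface `any`, meaning the ruleset is evaluated for traffic on every interface in that chain.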

I will try, many thanks!!!

How do I verify that a firewall has an effect on the interface???

A quick show firewall statistics will show you if things are matching.

If you’re not sure or want closer modelling, just add a log rule, send through some matching traffic and check the logs.

**Thanks for the guidance, everything working fine for me :)**
