Lo interface to LOCAL (zone based) - how?

Hello,
I’m trying to follow this VyOS for Home Use: Part 5 – Traffic Monitoring with ntopng - Level Zero Networking

But since he uses normal interface-based rules and I'm using zone-based - how can I implement something like that since "lo" isn't bound to any zone…

I’m stuck at this part:

## Allowing redis traffic through the input firewall chain

We block all traffic to the input firewall chain unless it's return traffic that we originated, or the traffic is coming in on "eth2" (our LAN interface). We need to allow input traffic from the "lo" interface.

set firewall ipv4 input filter rule 1010 action 'accept'
set firewall ipv4 input filter rule 1010 inbound-interface name 'lo'

Thanks for any help!

I don’t think you should need to assign the interface, if my understanding of zone based firewall is correct.

I believe in terms of iptables/nftables concepts, the local zone is anything that would trigger input or output chains - AKA anything sourced or destined for the device itself, regardless of what zone the interface is configured in.

Thus anything to or from the lo should be considered as local for the purposes of firewalling automatically, without any assignment.

The zone assignments should be for traffic which is routed through an interface.

If I’m wrong, hopefully someone will correct me.

If I am correct, you would just need to add the allow rule to the firewall which is applied on zone LOCAL from whichever zone you expect the traffic.


In VyOS with zone-based firewalls, traffic for the lo (loopback) interface is handled by the local zone. You can define it like this:

set zone-policy zone LOCAL local-zone

Once defined, you can reference the LOCAL zone in your ruleset and apply it for inter-zone traffic as needed.
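The following is an added, constructed example (not from either reply above, and not from the Level Zero Networking tutorial) showing what a zone-based equivalent of the tutorial's input-chain setup looks like. It assumes VyOS 1.4 syntax: the original post's `set firewall ipv4 input filter ...` commands are 1.4 syntax, and in 1.4 the `zone-policy` tree moved under `firewall zone`, so `set zone-policy zone LOCAL local-zone` becomes `set firewall zone LOCAL local-zone`. The zone names, the `eth2` LAN interface and the TCP port 3000 rule (assumed here to be the ntopng web UI) are assumptions for illustration; the thread does not state which ports need to be open. The `nft` dump at the end is the check to run on your own version to confirm how loopback traffic is treated by the generated LOCAL zone chains rather than taking either reply's word for it.

```vyos
# Added example, assumed VyOS 1.4 syntax. Zone names, eth2 and port 3000 are constructed.
configure

# LOCAL is the router itself: traffic hitting the input/output hooks,
# whatever zone the ingress interface belongs to. No interface is assigned.
set firewall zone LOCAL local-zone
set firewall zone LOCAL default-action drop

# LAN zone holds the inside interface (eth2 assumed, as in the tutorial).
set firewall zone LAN member interface eth2
set firewall zone LAN default-action drop

# LAN -> LOCAL ruleset: return traffic plus the one service we expose.
set firewall ipv4 name LAN-LOCAL default-action drop
set firewall ipv4 name LAN-LOCAL rule 10 action accept
set firewall ipv4 name LAN-LOCAL rule 10 state established
set firewall ipv4 name LAN-LOCAL rule 10 state related
set firewall ipv4 name LAN-LOCAL rule 20 action accept
set firewall ipv4 name LAN-LOCAL rule 20 protocol tcp
set firewall ipv4 name LAN-LOCAL rule 20 destination port 3000

# LOCAL -> LAN: the router may talk to the LAN freely.
set firewall ipv4 name LOCAL-LAN default-action accept

# Attach the rulesets to the zone pairs.
set firewall zone LOCAL from LAN firewall name LAN-LOCAL
set firewall zone LAN from LOCAL firewall name LOCAL-LAN

commit
save
exit

# Checks (op mode): confirm the zone config and inspect the generated nftables
# chains to see how packets arriving on lo are handled on your release.
show configuration commands | match zone
sudo nft list table ip vyos_filter
```

Note that a rule accepting `inbound-interface name lo`, as in the tutorial's interface-based input chain, has no zone-based counterpart because lo is never a member of a zone; if the nft dump shows loopback traffic reaching a LOCAL chain that drops it, the place to allow it is a LOCAL-from-LOCAL policy, not a zone membership for lo.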