I’ve really become used to the zone based firewall from versions past. I’m just moving to a new build that does away with that concept. And I am starting to learn the new model.
I’m following the newest quickstart guide (Quick Start — VyOS 1.4.x (sagitta) documentation) and going through setting up a brand new VyOS VM to learn on.
My question is about the section titled “Allow Management Access”.
When following that manual you already configured the state checking in the steps before. This is done with either Option 1: Common Chain or Option 2: Per-Hook Chain.
So when the packet hits the Input chain, the state is first checked by:
Option 1: Jumping to the CONN_FILTER chain
Option 2: The State checking rule configured on the input chain
The VYOS_MANAGEMENT chain is jumped to after the Option 1 or Option 2 rules are checked.
The established, related and invalid states have already been taken care of (the first rules of input, output and forward filters).
So what's left are new sessions (default drop so we act on what we want to allow).
I think technically rules 20 and 21 in that example wouldn't need to check for "state new".
What could happen if we remove those lines (with "state new") and you didn't already allow for established/related is that ALL packets arriving from WAN would hit that "count 4" and because of that get blocked.
So performance-wise you could remove that extra check for "state new" because it's redundant in this case. Yet it doesn't hurt to be specific and have it included (except for performance if we strictly look at the number of CPU cycles before letting a new session through).
I mean it's similar to if you have in the forward filter a rule that looks for "outbound-interface interface-group WAN" and have a jump to the V4_CUSTOM chain and in that chain again look for "outbound-interface interface-group" before accepting a new session towards, let's say, TCP 22 from LAN to WAN.
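To make the ordering described above concrete, here is a minimal VyOS 1.4 configuration in the quickstart's style, added as an illustration (it is not the quickstart's own text; the rule numbers, interface group members and the rate-limit values are assumptions). The state rules sit on the input hook before the jump, so the rules inside VYOS_MANAGEMENT only ever see packets that conntrack has classed as new.

```vyos
# Interface groups (assumed members, following the quickstart's naming)
set firewall group interface-group WAN interface 'eth0'
set firewall group interface-group LAN interface 'eth1'

# Option 2 style: state checking directly on the input hook.
# Established/related is accepted and invalid is dropped here,
# so nothing but state 'new' can reach the jump in rule 30.
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 state 'established'
set firewall ipv4 input filter rule 10 state 'related'
set firewall ipv4 input filter rule 20 action 'drop'
set firewall ipv4 input filter rule 20 state 'invalid'
set firewall ipv4 input filter rule 30 action 'jump'
set firewall ipv4 input filter rule 30 jump-target 'VYOS_MANAGEMENT'

# Management chain: every packet arriving here is already a new session,
# so the 'state new' lines below are redundant but harmless.
# Without rules 10/20 on the input hook, return traffic from WAN would
# also land on rule 20 and be counted against the 'recent count 4' limit.
set firewall ipv4 name VYOS_MANAGEMENT default-action 'drop'
set firewall ipv4 name VYOS_MANAGEMENT rule 10 action 'accept'
set firewall ipv4 name VYOS_MANAGEMENT rule 10 inbound-interface interface-group 'LAN'
# Rate-limit new SSH sessions from WAN: more than 4 per minute are dropped.
set firewall ipv4 name VYOS_MANAGEMENT rule 20 action 'drop'
set firewall ipv4 name VYOS_MANAGEMENT rule 20 inbound-interface interface-group 'WAN'
set firewall ipv4 name VYOS_MANAGEMENT rule 20 protocol 'tcp'
set firewall ipv4 name VYOS_MANAGEMENT rule 20 destination port '22'
set firewall ipv4 name VYOS_MANAGEMENT rule 20 recent count '4'
set firewall ipv4 name VYOS_MANAGEMENT rule 20 recent time 'minute'
set firewall ipv4 name VYOS_MANAGEMENT rule 20 state 'new'
set firewall ipv4 name VYOS_MANAGEMENT rule 21 action 'accept'
set firewall ipv4 name VYOS_MANAGEMENT rule 21 inbound-interface interface-group 'WAN'
set firewall ipv4 name VYOS_MANAGEMENT rule 21 protocol 'tcp'
set firewall ipv4 name VYOS_MANAGEMENT rule 21 destination port '22'
set firewall ipv4 name VYOS_MANAGEMENT rule 21 state 'new'
```

After `commit`, `show firewall ipv4 input filter` and `show firewall ipv4 name VYOS_MANAGEMENT` display per-rule packet counters, which is the quickest way to confirm that rule 10 on the input hook, not the management chain, is absorbing the return traffic.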