I have some questions about the order of the process by which VyOS/Debian processes traffic related to services terminating on the outside-local address.
For instance, setting up SSH does not require any adjustments to the outside-local but can be initiated through “set service ssh”. A question arises: what firewall chain does this tie to, and is it visible in logs?
Also I would like to limit the ranges that can access the device, e.g. 10.1.1.0/24. There does not appear to be an access control through the SSH commands. It allows you to access:

```
set service ssh access-control allow
- group   Allow members of a group to login   <<---- is this a network group or user group?
- user    Allow specific users to login
```
If not a network group, I don’t see where below it allows you to put a user in a group.

```
set system login user vyos
  full-name   Full name of the user (use quotes for names with spaces)
```
Is a better way to use the outside-local in conjunction with the “set service ssh” commands to create more granular access controls?
```
set firewall group network-group INTERNAL_NETWORKS network '10.1.1.0/24'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 destination port '22'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 20 source group network-group 'INTERNAL_NETWORKS'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 20 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 20 state related 'enable'
```
Any insight on the best method would be appreciated.
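A fuller version of the approach sketched in the post, added here as an example (not the poster's own configuration, and not from the VyOS documentation). It assumes VyOS 1.2/1.3 command syntax, that eth0 is the outside interface, and that 10.1.1.1 is the router's inside address; it adds the pieces the snippet above leaves out: a default drop with logging, an established/related rule ahead of the SSH rule, and attaching the ruleset in the `local` direction so it actually applies to traffic addressed to the router itself.

```vyos
# Added example, not from the original post. Assumes VyOS 1.2/1.3 syntax,
# eth0 as the outside interface and 10.1.1.1 as the inside address.

# Management networks allowed to reach services running on the router
set firewall group network-group INTERNAL_NETWORKS network '10.1.1.0/24'

# Traffic to the router's own addresses is dropped unless a rule accepts it;
# the drops are logged so failed attempts show up in the firewall log
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL enable-default-log

# Rule 10: replies belonging to connections the router itself opened
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'

# Rule 20: new SSH sessions only from the management networks, each one logged
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 20 destination port '22'
set firewall name OUTSIDE-LOCAL rule 20 source group network-group 'INTERNAL_NETWORKS'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 20 log 'enable'

# The ruleset does nothing until it is attached to an interface in the
# 'local' direction, i.e. the input path for packets destined to the router
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'

# Independently of the firewall, bind the SSH daemon to the inside address only
set service ssh listen-address '10.1.1.1'
```

After `commit`, check `show firewall name OUTSIDE-LOCAL` for per-rule hit counters and `show log firewall` for the logged accepts and default drops before running `save`.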