Note: I am new to VyOS but have used it way back when, purely as a router. I have re-found my love for the CLI and am trying to understand the firewall using rules and zones.
I have two interfaces, OUTSIDE (eth0, WAN) and INSIDE (eth1, LAN).
I have configured NAT for eth0.
I have configured a DHCP server that allocates PC IP addresses.
At this point everything is just open: I am able to get an address and ping the VyOS router. I presume the firewall is open by default and requires specific drop rules?
Now I want to set up some zone policies.
set zone-policy zone OUTSIDE interface eth0
set zone-policy zone OUTSIDE default-action drop
set zone-policy zone INSIDE interface eth1
set zone-policy zone INSIDE default-action drop
set zone-policy zone LOCAL interface local-zone
set zone-policy zone LOCAL default-action drop
I am expecting that this should drop all connections to the VyOS router, as I have not specified any firewall rules or assigned them to the zones. Funnily enough, my pings and SSH session drop, but I am still able to receive DHCP address leases? I would have expected that I would require a rule that goes from INSIDE-LOCAL on port 67, and that LOCAL would require a LOCAL-INSIDE rule with default-action accept.
Where am I going wrong here?
Appreciate the help.
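As an added worked example (not the poster's configuration and not an official VyOS snippet), the following completes the zone-policy setup described in the post in VyOS 1.2/1.3 syntax: the three zones, a global state policy so reply traffic is accepted everywhere, one named ruleset per zone pair, and the `from` bindings that attach each ruleset to its pair. The ruleset names, the 192.168.1.0/24 LAN and the choice of allowed services are assumptions. One caveat the post does not mention, which explains the DHCP observation: the ISC dhcpd that VyOS runs receives client broadcasts on a raw packet socket, which sees frames before the netfilter INPUT hook where LOCAL-zone rules are enforced, so leases keep flowing even with the local zone at default-action drop. The INSIDE-LOCAL and LOCAL-INSIDE DHCP rules below are still the right thing to write down, but they are not what is letting the lease through.

```vyos
# Added example, not the poster's config. Assumes VyOS 1.2/1.3 zone-policy
# syntax, eth0 = WAN (OUTSIDE), eth1 = LAN (INSIDE), LAN = 192.168.1.0/24.
# Lines starting with '#' are reader notes, not commands to type.

# Zones. The router itself is the local zone, declared with 'local-zone'
# rather than with an interface name.
set zone-policy zone OUTSIDE interface eth0
set zone-policy zone OUTSIDE default-action drop
set zone-policy zone INSIDE interface eth1
set zone-policy zone INSIDE default-action drop
set zone-policy zone LOCAL local-zone
set zone-policy zone LOCAL default-action drop

# Global state policy: packets belonging to a flow that was already
# accepted pass in every direction, so each ruleset only lists NEW flows.
set firewall state-policy established action accept
set firewall state-policy related action accept
set firewall state-policy invalid action drop

# LAN -> router: DHCP requests, SSH from the LAN subnet, and ping only.
set firewall name INSIDE-LOCAL default-action drop
set firewall name INSIDE-LOCAL rule 10 action accept
set firewall name INSIDE-LOCAL rule 10 protocol udp
set firewall name INSIDE-LOCAL rule 10 destination port 67
set firewall name INSIDE-LOCAL rule 20 action accept
set firewall name INSIDE-LOCAL rule 20 protocol tcp
set firewall name INSIDE-LOCAL rule 20 destination port 22
set firewall name INSIDE-LOCAL rule 20 source address 192.168.1.0/24
set firewall name INSIDE-LOCAL rule 30 action accept
set firewall name INSIDE-LOCAL rule 30 protocol icmp

# router -> LAN: DHCP offers/acks (server port 67 to client port 68).
# Written explicitly because a broadcast DISCOVER/OFFER exchange is not
# reliably matched as 'established' by conntrack. Note that dhcpd sends
# these via a raw socket as well, so this rule documents intent more
# than it gates the traffic.
set firewall name LOCAL-INSIDE default-action drop
set firewall name LOCAL-INSIDE rule 10 action accept
set firewall name LOCAL-INSIDE rule 10 protocol udp
set firewall name LOCAL-INSIDE rule 10 source port 67
set firewall name LOCAL-INSIDE rule 10 destination port 68

# LAN -> WAN: everything out (NAT on eth0 is already configured).
set firewall name INSIDE-OUTSIDE default-action accept

# WAN -> LAN and WAN -> router: no new flows; only state-policy replies.
set firewall name OUTSIDE-INSIDE default-action drop
set firewall name OUTSIDE-LOCAL default-action drop

# router -> WAN: let the router itself reach out (DNS, NTP, updates).
set firewall name LOCAL-OUTSIDE default-action accept

# Bind each ruleset to its zone pair. 'zone X from Y firewall name Z'
# applies Z to traffic entering zone X that originated in zone Y.
set zone-policy zone LOCAL from INSIDE firewall name INSIDE-LOCAL
set zone-policy zone INSIDE from LOCAL firewall name LOCAL-INSIDE
set zone-policy zone OUTSIDE from INSIDE firewall name INSIDE-OUTSIDE
set zone-policy zone INSIDE from OUTSIDE firewall name OUTSIDE-INSIDE
set zone-policy zone LOCAL from OUTSIDE firewall name OUTSIDE-LOCAL
set zone-policy zone OUTSIDE from LOCAL firewall name LOCAL-OUTSIDE

commit
save
```

After `commit`, ping and SSH from the LAN should work again because of INSIDE-LOCAL rules 20 and 30, while anything not listed still hits the zone's drop. Because a zone pair with no `from ... firewall name` binding falls back to the zone's default-action, it is worth binding every pair you care about explicitly rather than relying on the default; `show firewall` on the router lists the rulesets and their hit counters so you can confirm which rule a given test actually matched.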