Please explain - Firewall Rules - Zones - DHCP lease

Hi All,

Note: I am new to vyos but have used it way back when purely as a router. I have re-found my love for CLI and trying to understand the firewall using rules and zones

I have got two interfaces OUTSIDE(eth0, WAN) and INSIDE(eth1,LAN)
I have configured NAT for eth0
I have configured a DHCP server that allocates PC IP addresses.

At this point everything is just open, I am able to get an address and ping the vyos router. I presume firewall is open by default and requires specific drop rules?

Now I want to set up some zone polices.

set zone-policy zone OUTSIDE interface eth0
set zone-policy zone OUTSIDE default-action drop

set zone-policy zone INSIDE interface eth1
set zone-policy zone INSIDE default-action drop

set zone-policy zone LOCAL interface local-zone
set zone-policy zone LOCAL default-action drop

I am expecting that this should drop all connection to the vyos router, as I have not specified any firewall rules and defined them to the zone. Funnily enough my pings and SSH session drop but I am still able to receive a DHCP address leases? I would have expected that I would require a rule that goes from INSIDE-LOCAL port 67 and that LOCAL would require a rule LOCAL-INSIDE with default-action accept.

Where am I going wrong here?

Appreciate the help.

Kind Regards

Most DHCP servers create a raw socket to listen on. This bypasses iptables rules. Won’t hurt to allow dhcp in iptables, as it might make DHCP renew go smoother.
Initial DHCP discovery packet is sent to 0.0.0.0 , this requires raw socket. Subsequent DHCP renew might be sent to vyos IP itself, like 192.168.0.1

Hi 16again,

Thanks for your reply,
Given that DHCP creates a raw socket which bypasses iptables, I would still expect not to get a lease because ports 67 and 68 I’m presuming are blocked? I will be allowing DHCP through the firewall just wanted to understand if my configuration is sound starting with everything blocked and opening ports as I go.

Kind Regards

As dhcp packets bypass iptables, you can’t block those packets with iptables rules.
To see what goes on:
run tcpdump sniffer on LAN, filtered on dhcp ports
and at the same time, use iptables allow rules for dhcp traffic, and enable logging on those rules.
Then compare outputs

Thanks, will try that out.