Question about my lab setup with DNS-based firewall rules

Hi all,

I want to try DNS-based firewall rules.

Somehow I fail to build a rule for INSIDE. Could anyone help me?

See this post on GitHub

Is this the right way?

set firewall name INSIDE-OUT rule 10 destination group domain-group myadgroup

/* Firewall: one domain group plus three named rulesets (INSIDE-OUT, OUTSIDE-IN, OUTSIDE-LOCAL) bound to eth0 and eth1. */
firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        /* Referenced by INSIDE-OUT rule 10. NOTE(review): a domain group is presumably resolved to IP addresses on the router itself, so clients that receive different answers (round-robin, CDN, another resolver) may not match -- confirm. */
        domain-group myadgroup {
            address company.example.com
        }
    }
    /* eth0 is described as OUTSIDE: forwarded traffic arriving on it uses OUTSIDE-IN, traffic to the router itself uses OUTSIDE-LOCAL. */
    interface eth0 {
        in {
            name OUTSIDE-IN
        }
        local {
            name OUTSIDE-LOCAL
        }
    }
    /* NOTE(review): eth1 is described as INSIDE. "out" presumably matches packets leaving eth1 toward the LAN, so a rule keyed on a destination domain would not see the LAN clients' outbound connections; those arrive on eth1 "in" and leave on eth0 "out" -- confirm the direction semantics for this release. */
    /* No "in" or "local" ruleset is bound to eth1, so traffic from the LAN to the router itself is not filtered by any ruleset shown here. */
    interface eth1 {
        out {
            name INSIDE-OUT
        }
    }
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    /* Deny-list style ruleset: everything is accepted unless a rule drops it. */
    name INSIDE-OUT {
        default-action accept
        /* Drops new connections whose destination address is in myadgroup. No "log enable" is set, so drops by this rule are not logged by the rule itself. */
        rule 10 {
            action drop
            destination {
                group {
                    domain-group myadgroup
                }
            }
            state {
                new enable
            }
        }
        /* Accepts ICMP echo-request; with default-action accept this rule does not change the outcome. */
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
    }
    /* Forwarded traffic entering from OUTSIDE: default drop. */
    name OUTSIDE-IN {
        default-action drop
        /* Return traffic for existing flows. "related" also covers flows that conntrack helpers mark as related. */
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* NOTE(review): accepts every ICMP type in state new from the outside; there is no icmp type-name restriction here, unlike OUTSIDE-LOCAL rule 20. Consider limiting it to the types actually needed. */
        rule 20 {
            action accept
            protocol icmp
            state {
                new enable
            }
        }
    }
    /* Traffic from OUTSIDE addressed to the router itself: default drop, so SSH and DNS on the router are not reachable from eth0. */
    name OUTSIDE-LOCAL {
        default-action drop
        rule 10 {
            action accept
            state {
                established enable
                related enable
            }
        }
        /* Only ICMP echo-request is accepted as new traffic to the router from the outside. */
        rule 20 {
            action accept
            icmp {
                type-name echo-request
            }
            protocol icmp
            state {
                new enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    /* NOTE(review): source-validation is disabled, which presumably means no reverse-path check on spoofed source addresses; on a two-interface router a strict setting is usually workable -- confirm. */
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}
/* Interfaces: eth0 is the OUTSIDE uplink, eth1 is the INSIDE LAN; the firewall rulesets are bound to these two names. */
interfaces {
    /* OUTSIDE: same subnet as the default-route next hop 10.10.10.1. */
    ethernet eth0 {
        address 10.10.10.30/23
        description OUTSIDE
        
    }
    /* INSIDE: the router's only address on the LAN is 192.168.0.10. */
    ethernet eth1 {
        address 192.168.0.10/24
        description INSIDE
        
    }
    loopback lo {
    }
}
/* Source NAT: traffic from the INSIDE subnet leaving through eth0 is masqueraded behind eth0's address. */
nat {
    source {
        /* Only 192.168.0.0/24 is translated, and only on egress through eth0. */
        rule 99 {
            outbound-interface eth0
            source {
                address 192.168.0.0/24
            }
            translation {
                address masquerade
            }
        }
    }
}
/* Routing: a single static default route via 10.10.10.1 on the OUTSIDE network. */
protocols {
    static {
        route 0.0.0.0/0 {
            next-hop 10.10.10.1 {
                distance 1
            }
        }
    }
}
/* Services running on the router itself: a DNS forwarder for the LAN and SSH. */
service {
    dns {
        /* NOTE(review): for a domain-group rule to line up with what clients actually connect to, LAN clients presumably need to resolve through this forwarder so router and clients see the same answers -- confirm. */
        forwarding {
            allow-from 192.168.0.0/24
            /* cache-size 0 presumably disables the forwarder's cache -- confirm. */
            cache-size 0
            /* NOTE(review): 192.168.0.1 is not configured on any interface in this config (eth1 has 192.168.0.10) -- confirm it is intended. */
            listen-address 192.168.0.1
            listen-address 192.168.0.10
            /* Upstream resolvers for forwarded queries; these differ from the router's own system name-server (10.10.10.16). */
            name-server 10.10.10.10
            name-server 10.10.10.11
        }
    }
    /* No listen-address is set, so SSH presumably listens on all addresses. From eth0 it is blocked by OUTSIDE-LOCAL's default drop; no local ruleset is bound to eth1. */
    ssh {
        port 22
    }
}
/* System settings: conntrack helpers, console, login, resolver, NTP and syslog. */
system {
    config-management {
        commit-revisions 100
    }
    /* NOTE(review): every helper listed here is loaded. Helpers parse application payloads and can mark extra flows as "related", which OUTSIDE-IN rule 10 and OUTSIDE-LOCAL rule 10 accept; consider keeping only the helpers the lab actually needs. */
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    login {
        /* NOTE(review): the only account defined is "vyos", with password authentication; no SSH public keys are configured. Credential values are masked in this paste. */
        user vyos {
            authentication {
                encrypted-password ****************
                plaintext-password ****************
            }
        }
    }
    /* NOTE(review): the router's own resolver (10.10.10.16) differs from the DNS forwarder's upstreams (10.10.10.10, 10.10.10.11). If the domain group is resolved through this server, router and clients may see different addresses for the same name -- confirm. */
    name-server 10.10.10.16
    ntp {
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    /* Local logging only: all facilities at info, "protocols" at debug; no remote syslog host is configured. */
    syslog {
        global {
            facility all {
                level info
            }
            facility protocols {
                level debug
            }
        }
    }
}