I am continuing to work on switching from pfSense to VyOS for my home router and I think the last thing I need to sort out are the firewall rules.
I have the following zones:
PRIVATE: contains the LAN and WAN modem admin interface
PUBLIC: The Internet - contains the PPPoE interface
DMZ: contains the DMZ interface for servers
LOCAL: The firewall itself
I am running the router dual-stack (IPv6 and IPv4), which has resulted in a lot of configuration to write. In the end I wrote a little script to generate the VyOS commands, because there were so many commands / permutations to write.
This is all just ‘boilerplate’ before I write any extra rules.
I think the complexity is created by:
All the different permutations of the 4 different zones talking to each other
Having to write nearly everything twice (IPv4 and IPv6)
Having to enable stateful firewall for each ruleset
Am I missing something? Is there a way this could be made shorter / simpler?
I have not had any response to this, but I am pretty sure the answer is that if you want a dual-stack firewall you have to duplicate all the rules, once for IPv4 and once for IPv6. Even for a small firewall, this starts to become quite hard to manage - to ensure that all the rules are consistently applied to both IPv4 and IPv6.
I have considerably extended my Ruby script to take zone configuration and firewall rules as JSON and then output a VyOS configuration file (or a series of set commands).
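As an added example (not the poster's script and not VyOS's own tooling), here is a small Ruby generator of the kind described: it takes zones and rules as JSON and expands them into VyOS set commands for every ordered zone pair in both address families, so each rule is written once and IPv4 and IPv6 cannot drift apart. It assumes VyOS 1.3 command syntax (`firewall name` / `ipv6-name` and `zone-policy`) and uses constructed interface names and rules.

```ruby
require 'json'
# Constructed sample input (not the poster's real config): zones and rules
# written once; the generator expands them for both IPv4 and IPv6.
SAMPLE = JSON.parse(<<~JSON)
  {"zones": {"PRIVATE": {"interfaces": ["eth0", "eth2"]},
             "PUBLIC":  {"interfaces": ["pppoe0"]},
             "DMZ":     {"interfaces": ["eth1"]},
             "LOCAL":   {"local": true}},
   "rules": [{"from": "PRIVATE", "to": "PUBLIC", "action": "accept"},
             {"from": "PRIVATE", "to": "DMZ", "action": "accept", "protocol": "tcp", "port": 443},
             {"from": "PRIVATE", "to": "LOCAL", "action": "accept", "protocol": "tcp", "port": 22},
             {"from": "PUBLIC", "to": "LOCAL", "action": "accept", "protocol": "ipv6-icmp", "family": "ipv6"}]}
JSON
# Assumes VyOS 1.3 keywords (1.4 moved these under "firewall ipv4" / "firewall ipv6").
FAMILIES = { "ipv4" => "name", "ipv6" => "ipv6-name" }.freeze
# Returns the "set" commands: every ordered zone pair gets one ruleset per
# family with default drop, an established/related accept rule, and then the
# user rules for that pair (a rule with "family" is emitted for that family only).
def generate(cfg)
  out = []
  cfg["zones"].each do |zone, props|
    out << "set zone-policy zone #{zone} default-action drop"
    if props["local"]
      out << "set zone-policy zone #{zone} local-zone"
    else
      props["interfaces"].each { |i| out << "set zone-policy zone #{zone} interface #{i}" }
    end
  end
  cfg["zones"].keys.permutation(2).each do |from, to|
    name = "#{from}-#{to}"
    FAMILIES.each do |fam, kw|
      fw = "set firewall #{kw} #{name}"
      ["default-action drop", "rule 1 action accept", "rule 1 state established enable",
       "rule 1 state related enable"].each { |s| out << "#{fw} #{s}" }
      num = 10
      cfg["rules"].each do |r|
        next unless r["from"] == from && r["to"] == to && (r["family"].nil? || r["family"] == fam)
        out << "#{fw} rule #{num} action #{r['action']}"
        out << "#{fw} rule #{num} protocol #{r['protocol']}" if r["protocol"]
        out << "#{fw} rule #{num} destination port #{r['port']}" if r["port"]
        num += 10
      end
      out << "set zone-policy zone #{to} from #{from} firewall #{kw} #{name}"
    end
  end
  out
end
puts generate(SAMPLE) if __FILE__ == $PROGRAM_NAME
```

The optional "family" key is the one place a rule is allowed to differ between the two stacks (ICMPv6 needs to reach the router for neighbour discovery, which has no IPv4 counterpart); everything else is emitted identically for both.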