VyOS firewall zones onboarding

I found an error in:
https://docs.vyos.io/en/latest/configexamples/zone-policy.html

The nice diagram at the top, in the physical view, depicts VLAN 20 as assigned to DMZ, which is wrong according to the rest of the document.
Correct would be to display VLAN 20 as LAN, while VLAN 30 should be displayed as DMZ.

Also there is a broken link at

A basic introduction to zone-based firewalls can be found here

Other than that I’m confused about how those two documents fit together:

  • /en/latest/configexamples/zone-policy.html and
  • /en/latest/configuration/firewall/zone.html

Is this blueprint actually a blueprint for this firewall zones concept? In the zone-policy configuration example a list of rulesets is given, but it doesn’t say how to create them.

I’m really struggling with onboarding to VyOS even though I’m not new to packet filter mechanisms at all. I figure those zone-based firewall configurations are quite new in VyOS and I’m trying to understand them in the first place. I like the idea of having zones in a one-to-many relation, which I prefer over a one-to-one relation between zone and interface.

What I have basically done so far is give my vif interfaces IP configurations and assign them to zones like this:

 zone DMZ {
     default-action reject
     default-log
     member {
         interface eth1.103
         interface eth1.109
     }
 }
 zone DOWNPROD {
     default-action reject
     default-log
     member {
         interface eth1.104
     }
 }
 zone DOWNTEST {
     default-action reject
     default-log
     member {
         interface eth1.105
     }
 }
 zone FFGUEST {
     default-action reject
     default-log
     member {
         interface eth1.111
     }
 }
 zone FFMESH {
     default-action reject
     default-log
     member {
         interface eth1.110
     }
 }
 zone FFWAN {
     default-action reject
     default-log
     member {
         interface eth1.101
     }
 }
 zone INSECURE {
     default-action reject
     default-log
     member {
         interface eth1.102
     }
 }
 zone KIDS {
     default-action reject
     default-log
     member {
         interface eth1.107
     }
 }
 zone MGMT {
     default-action reject
     default-log
     member {
         interface eth1.112
         interface eth1.106
     }
 }
 zone OUTDOORS {
     default-action reject
     member {
         interface eth1.108
     }
 }
 zone WAN {
     description "naughty internetz"
     from MGMT {
         firewall {
             ipv6-name mgmt6-to-wan6
             name mgmt4-to-wan4
         }
     }
     member {
         interface eth0
     }
 }

Basically I want to disallow any traffic and then initially whitelist whole zones to allow flows unobstructed, but most networks shall only get dedicated and precise rules for what exactly is allowed. This is my first try to allow MGMT to WAN access:

set firewall zone WAN from MGMT firewall ipv6-name mgmt6-to-wan6
set firewall ipv6 name mgmt6-to-wan6 default-log
set firewall ipv6 name mgmt6-to-wan6 rule 10 action accept
set firewall ipv4 name mgmt4-to-wan4 default-log
set firewall ipv4 name mgmt4-to-wan4 rule 10 action accept

I’m on 1.5 rolling btw.


I think the broken link is to this article: Zone-based Firewall Guide : VyOS Support Portal

And I agree, for a blueprint it would be more helpful to have the config commands than the plain config. But the structure usually maps 1:1, so you can reconstruct the commands from a configuration. Also it looks like the example is outdated. Personally I started with VyOS 1.4 and never used the ZBF, just the standard one.

To configure the zone ruleset you can reference

Typically you’d either set it globally:

set firewall global-options state-policy established action accept
set firewall global-options state-policy related action accept
set firewall global-options state-policy invalid action drop

or per zone:

set firewall ipv4 name mgmt4-to-wan4 default-action 'drop'
set firewall ipv4 name mgmt4-to-wan4 default-log
set firewall ipv4 name mgmt4-to-wan4 rule 1 action 'accept'
set firewall ipv4 name mgmt4-to-wan4 rule 1 state 'established'
set firewall ipv4 name mgmt4-to-wan4 rule 1 state 'related'
set firewall ipv4 name mgmt4-to-wan4 rule 2 action 'drop'
set firewall ipv4 name mgmt4-to-wan4 rule 2 state 'invalid'

Then to allow all traffic explicitly as you have it:

set firewall ipv4 name mgmt4-to-wan4 rule 10 action accept

And maybe this might be helpful for you:

I think I might have figured it out basically.

Zone      Members    From Zone    Firewall IPv4      Firewall IPv6
--------  ---------  -----------  -----------------  -----------------
DMZ       eth3.103   MGMT         mgmt4-to-dmz4      mgmt6-to-dmz6
          eth3.109
DOWNPROD  eth3.104
DOWNTEST  eth3.105
FFGUEST   eth3.111
FFMESH    eth3.110
FFWAN     eth3.101
INSECURE  eth3.102
KIDS      eth3.107
MGMT      eth3.112
          eth3.106
OUTDOORS  eth3.108
WAN       pppoe0     DMZ          dmz4-to-wan4       dmz6-to-wan6
                     DOWNPROD     downprod4-to-wan4  downprod6-to-wan6
                     DOWNTEST     downtest4-to-wan4  downtest6-to-wan6
                     INSECURE     insecure4-to-wan4  insecure6-to-wan6
                     KIDS         kids4-to-wan4      kids6-to-wan6
                     MGMT         mgmt4-to-wan4      mgmt6-to-wan6

So what I have to do is basically create a ruleset for every inter-zone interaction. So for IPv4 traffic from kids to the Internet there is kids4-to-wan4:

vyos@fwofden0:~$ show firewall ipv4 name kids4-to-wan4
Ruleset Information

---------------------------------
ipv4 Firewall "name kids4-to-wan4"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ------------
10       accept    all                 0        0  accept
default  drop      all                 0        0

Where do I put rules that would allow input traffic with the firewall as the destination? I’m sorry those feel like dumb questions…

You’re almost there: you simply need a Local zone (and corresponding WAN-to-LOCAL, etc firewall names for your rules) for traffic destined to the firewall itself.

IOW, in your zone definitions, instead of specifying an interface:

set firewall zone <name> member interface <interface>

you’ll set the (LOCAL) zone to be local-zone; eg:

set firewall zone LOCAL local-zone

Thank you. Next question. Do I really have to define all those

mgmt4-to-local4
local4-to-mgmt4
mgmt6-to-local6
local6-to-mgmt6

for all the zones?
This would be a hell of a lot of work… I basically want my firewall output to be allowed in any case and for input to the firewall I would like to sometimes restrict it depending on what source interface it comes from…

Ideally, yes: if you explicitly define each one of the zone relationships with LOCAL, it can save a lot of confusion when trying to diagnose something down the road.

Yes, it’s a lot of firewall namespaces that probably won’t have rules in most cases (just a default-action), but I’m afraid defining them can’t be avoided. :sweat:
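To take the repetition out of defining every zone pair (including the LOCAL zone) that the last reply describes, here is an added example, not code from the thread or from VyOS itself: it generates the `set` commands for a zone map and a list of permitted flows, using the naming scheme and command syntax quoted earlier in the thread. The zone map and flow list are constructed samples; `global_state_policy` switches between the global-options and per-ruleset stateful variants shown above.

```python
# Constructed sample: a subset of the thread's zones, zone -> member interfaces.
ZONES = {"MGMT": ["eth1.112", "eth1.106"], "KIDS": ["eth1.107"], "WAN": ["eth0"]}

# (source, destination, allow_everything). Any zone pair not listed gets no
# ruleset, so its traffic hits the destination zone's default-action (reject).
FLOWS = [("MGMT", "WAN", True), ("KIDS", "WAN", True),
         ("LOCAL", "MGMT", True), ("MGMT", "LOCAL", False)]

def ruleset_name(src, dst, ver):
    """Naming scheme used in the thread: mgmt4-to-wan4, mgmt6-to-local6, ..."""
    return f"{src.lower()}{ver}-to-{dst.lower()}{ver}"

def zone_commands(zones):
    """Zone definitions; LOCAL is the firewall itself and has no member interface."""
    cmds = ["set firewall zone LOCAL local-zone",
            "set firewall zone LOCAL default-action reject"]
    for zone, ifaces in sorted(zones.items()):
        cmds += [f"set firewall zone {zone} default-action reject",
                 f"set firewall zone {zone} default-log"]
        cmds += [f"set firewall zone {zone} member interface {i}" for i in ifaces]
    return cmds

def flow_commands(src, dst, allow_all, global_state_policy=False):
    """One IPv4 and one IPv6 ruleset for src -> dst, attached to the destination zone."""
    cmds = []
    for ver, family, key in ((4, "ipv4", "name"), (6, "ipv6", "ipv6-name")):
        name = ruleset_name(src, dst, ver)
        base = f"set firewall {family} name {name}"
        cmds += [f"{base} default-action drop", f"{base} default-log"]
        if not global_state_policy:  # per-ruleset stateful rules, as in the reply above
            cmds += [f"{base} rule 1 action accept", f"{base} rule 1 state established",
                     f"{base} rule 1 state related",
                     f"{base} rule 2 action drop", f"{base} rule 2 state invalid"]
        if allow_all:
            cmds.append(f"{base} rule 10 action accept")  # whole-zone whitelist
        cmds.append(f"set firewall zone {dst} from {src} firewall {key} {name}")
    return cmds

def build_config(zones, flows, global_state_policy=False):
    """Full command list; with global_state_policy the state rules move to global-options."""
    cmds = []
    if global_state_policy:
        cmds += [f"set firewall global-options state-policy {s} action {a}"
                 for s, a in (("established", "accept"), ("related", "accept"),
                              ("invalid", "drop"))]
    cmds += zone_commands(zones)
    for src, dst, allow_all in flows:
        cmds += flow_commands(src, dst, allow_all, global_state_policy)
    return cmds

if __name__ == "__main__":
    print("\n".join(build_config(ZONES, FLOWS)))
```

Paste the output into configure mode and review the diff before commit; pairs you did not list fall through to the zone default-action, which is what makes the missing ruleset visible in the logs.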
