Currently, the zone based firewall is set up under the assumption that traffic between interfaces belonging to the same zone should always pass. For routers in our network backbone we need to filter unwanted traffic such as from/to private IPs on interfaces which are in the same zone, i.e. “backbone”. We worked around this limitation by putting each interface into its own zone, actually using the interface name as its zone name. This works but creates a myriad of interface-interface-zone combinations which defeats the purpose of a ZBF.
Another solution may be to replace the ZBF with an interface based firewall. However, that prevents us from defining rules to limit what the router can send outbound, i.e. because there is no outbound complement to “local” firewall rules.
So I went back to the ZBF approach and disabled the same zone check in /opt/vyatta/share/vyatta-cfg/templates/zone-policy/zone/node.tag/from/node.def which enabled me to add a rule for same-zone traffic and it committed fine, except that the rules created now look like this:
*filter
...
-A VZONE_backbone -i eth1 -j RETURN
-A VZONE_backbone -i eth0 -j RETURN
-A VZONE_backbone -i eth0 -j pub-pub-v4
-A VZONE_backbone -i eth0 -j RETURN
-A VZONE_backbone -i eth1 -j pub-pub-v4
-A VZONE_backbone -i eth1 -j RETURN
I.e. the rule which permits same-zone traffic is automatically created and placed before the intended same-zone-rulesets. This behavior would have to be improved in a backwards compatible manner, i.e. if a from zone has no ruleset assigned to itself as a target zone, create the allow-all RETURNs, otherwise skip them and let the code work that creates inter-zone-rules for each interface in a zone.
Unfortunately, my perl skills are kind of read-only and even if I was able to modify the code, I wouldn’t be able to work with git and create a PR. So support for the idea and all further help is appreciated.
BR, Thomas.