Zone based firewall allow rule for same zone

Currently, the zone based firewall is set up under the assumption that traffic between interfaces belonging to the same zone should always pass. For routers in our network backbone we need to filter unwanted traffic such as from/to private IPs on interfaces which are in the same zone, i.e. “backbone”. We worked around this limitiation by putting each interface into each own zone, actually using the interface name as its zone name. This works but creates a myriad of interface-interface-zone combinations which defeats the purpose of a ZBF.

Another solution may be to replace the ZBF with an interface based firewall. However, that prevents us from defining rules to limit what the router can send outbound, i.e. because there is no outbound complement to “local” firewall rules.

So I went back to the ZBF approach and disabled the same zone check in /opt/vyatta/share/vyatta-cfg/templates/zone-policy/zone/node.tag/from/node.def which enabled me to add a rule for same-zone traffic and it committed fine, except that the rules created now look like this:

-A VZONE_backbone -i eth1 -j RETURN
-A VZONE_backbone -i eth0 -j RETURN
-A VZONE_backbone -i eth0 -j pub-pub-v4
-A VZONE_backbone -i eth0 -j RETURN
-A VZONE_backbone -i eth1 -j pub-pub-v4
-A VZONE_backbone -i eth1 -j RETURN

I.e. the rule which permits same-zone traffic is automatically created and placed before the intended same-zone-rulesets. This behavior would have to be improved in a backwards compatible manner, i.e. if a from zone has no ruleset assigned to itself as a target zone, create the allow-all RETURNs, otherwise skip them and let the code work that creates inter-zone-rules for each interface in a zone.

Unfortunately, my perl skills are kind of read-only and even if I was able to modify the code, I wouldn’t be able to work with git and create a PR. So support for the idea and all further help is appreciated.

BR, Thomas.

Maybe it will be solution for you to use raw iptables/nft commands in /config/scripts/vyos-postconfig-bootup.script

Yeah, I will either succeed in patching the Perl module myself or fix the FW rules after they have been built - because I want to get rid of the one-interface-per-zone workaround we did that increases boot up time considerably.

OTOH, I can’t believe everybody is happy with the underlying assumption that same-zone-traffic need not have firewall rules. That appears (to me) to be a serious limitation security-wise. And as I’ve found out that it could be implemented in a backwards compatible way, I wanted to suggest it to the community.

There is task for firewall rewriting T2199
We not apply new features in the old Perl code, only bug fixes

1 Like