zone based firewall concepts and deleting firewall rules


#1

Guys, I would like to ask you all more about the zone-based firewall concept. From what I assume, the firewall rules are unidirectional when dealing with zones. So let’s say I have two zones, zone A and zone B. I would like to allow SSH and RDP from zone A to zone B. So with that said, it seems I would have to create a rule from zone A to zone B, basically allowing the RDP and SSH traffic to leave zone A. After that I would then have to create a second rule for zone B where it accepts the traffic. So I ask: is there a way to create bidirectional rules? Also, I would like to know how do I delete a firewall rule? I don’t want to delete the firewall, just the entire rule.


#2

As soon as you place an interface into a zone, traffic in and out of that zone is inspected and acted on according to firewall rules. You need 2 separate firewalls to define traffic: one for each direction. Bidirectional rules aren’t really practical. For example, the destination port for RDP will always be TCP 3389, but the source port on the client is a random high port number. It’s better to allow traffic to destination ports, and you could consider using "state established enable" and "state related enable" to allow return traffic without too much trouble. You can delete a firewall rule by being more specific in your delete command: delete firewall name A_to_B rule 21


#3

As jl3128 referenced, you will want to use state related and established. Then you only have to allow the traffic in the zone policy where the packet is ingress to the firewall with TCP SYN or new UDP traffic. This also results in efficiency - once a flow is established, related packets are allowed by the established/related lookup and the packet doesn’t need to traverse your firewall ruleset.

This wiki item:
http://vyos.net/wiki/Zone-policy_example
seems to cover what you need (although adaptation will be required of course :))

HTH

Chris
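
The setup discussed in this thread, written out as an added example that is not part of any poster's reply: two rulesets, one per direction, with SSH and RDP allowed from zone A to zone B and only return traffic allowed back. It assumes the older `zone-policy` configuration syntax used by the linked wiki page; the interface names eth1 and eth2, the ruleset name B_to_A and rule number 10 are assumptions, while A_to_B and rule 21 are taken from reply #2.

```vyos
configure

# Ruleset for traffic entering zone B from zone A.
set firewall name A_to_B default-action drop
# Rule 10 (assumed number): packets of flows that are already established.
set firewall name A_to_B rule 10 action accept
set firewall name A_to_B rule 10 state established enable
set firewall name A_to_B rule 10 state related enable
# Rule 21: new SSH (22) and RDP (3389) connections, matched on destination port only.
set firewall name A_to_B rule 21 action accept
set firewall name A_to_B rule 21 protocol tcp
set firewall name A_to_B rule 21 destination port 22,3389
set firewall name A_to_B rule 21 state new enable

# Ruleset for traffic entering zone A from zone B.
# No ports are opened here: only replies to flows started from zone A pass.
set firewall name B_to_A default-action drop
set firewall name B_to_A rule 10 action accept
set firewall name B_to_A rule 10 state established enable
set firewall name B_to_A rule 10 state related enable

# Zone membership (eth1 and eth2 are assumed interface names).
set zone-policy zone A default-action drop
set zone-policy zone A interface eth1
set zone-policy zone B default-action drop
set zone-policy zone B interface eth2

# Bind each ruleset to the zone the traffic is entering.
set zone-policy zone B from A firewall name A_to_B
set zone-policy zone A from B firewall name B_to_A

commit
save

# Later, to remove only the SSH/RDP rule and keep the rest of the ruleset:
delete firewall name A_to_B rule 21
commit
save
```

After the final delete, A_to_B still exists with rule 10 and its default drop, so existing sessions continue until they end but no new SSH or RDP connections from zone A are accepted.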