Zone based firewall design thoughts?

ngoehring · March 31, 2021, 4:24pm

I’ve decided to try to set up a zone based firewall but wanted to get some thoughts from others who may already have done so. My network consists of the following interfaces/network segments:

WAN
Mullvad VPN
Site to Site Wireguard
Remote access WG
LAN
Kids
Cameras
DMZ

Obviously I could create zones for all, but I fear that defeats the purpose. How would you set up zones if your network were mine?

phillipmcmahon · March 31, 2021, 8:54pm

I would do as you propose, a zone for all. Why do you think that would default the purpose?

ngoehring · April 1, 2021, 3:37am

@phillipmcmahon I thought part of the idea with ZBF was to be able to group interfaces with similar trust levels into zones rather than have to set up zones/rules for each. What I ended up doing was creating a zone for each interface except for the Mullvad one. Because it functions as a WAN interface and is trusted no better than my normal WAN, I went ahead and assigned it to the WAN zone. Everything works fine so far. I can appreciate the concept and power of ZBF and the rules are obviously a bit easier to understand since you create one for each traffic flow versus just IN/OUT/local. Not sure what I personally gained by setting it up versus sticking with interface-assigned rules though. Maybe I’m missing the point.

phillipmcmahon · April 1, 2021, 6:14am

ZBF can offer that efficiency, if as you say you have zones with the same access profiles. I set up my interfaces all as individual zones, I have a fair amount of duplication in my config but this also means I can toy with an interface/zone ruleset without likely impacting existing connectivity.

ZBF has also been easier for me to understand long-term as my rulesets have grown. IN/OUT/local was not as intuitive and I am sure I’ve saved time because of this. Creating a new zone is a dull process of cut and paste and modifying existing zones, a helper function in vyos to insert the stubs would be appreciated.

nktech1135 · April 1, 2021, 12:24pm

a bit easier to understand

This, I started with zones on juniper and when i started using vyos that came much easier than interface rulesets. In fact, i still haven’t wrapped my mind around just how those work.

a helper function in vyos to insert the stubs would be appreciated.

+1 to this. this is my biggest gripe with doing the initial setup on zones, there is so much additional config. Once set up though i do think it’s easier to manage.
Another thing, if you’re using this for a homelab and start messing around with interfaces and wireing it’s much easier to just slap the correct interface to the correct zone and let the zone’s firewall settings take care of the rest than going around to each interface and making sure the correct firewall names are asigned to the correct directions on each interface.

HTH.

ngoehring · April 1, 2021, 12:39pm

Appreciate the comments from all. I’m going to keep rocking the ZBF, if for no other reason than all the work I put into setting it up! I’m sure things will become me clearer to me over time.

Viacheslav · June 21, 2021, 1:27pm

Which exactly issue?

monotux · June 22, 2021, 1:17pm

I think Clemens post is just spam?

monotux · June 22, 2021, 1:20pm

I’ve setup an Ansible playbook (heavily inspired by this blog entry, lengthy but very thourough!) to deal with similar situations. I then just add a couple of lines of yaml and run the playbook to add new zones etc.

Ansible and VyOS is a great combo!

phillipmcmahon · June 22, 2021, 1:59pm

any chance you could share as that sounds like a pretty sustainable approach?

monotux · June 22, 2021, 2:11pm

It’s a bit hacky but I can try to publish it somewhere. Currently in a private repo, but there are no secret stuff in it so should be doable.

monotux · June 24, 2021, 7:38am

I accidentally made this gist secret, but I’m too lazy to redo it.

This is an example that should be fairly complete, but you’ll have to read the templates and tasks in order to understand which variables are needed.

gist.github.com

https://gist.github.com/oscarcarlsson/125f62f88582dbcdd2da6d896410e1cd

firewall-tasks-main.yml

---
- name: Allow all local ICMP
  vyos.vyos.vyos_config:
    lines:
      - set firewall all-ping enable
  tags:
    - firewall

- name: Allow stateful traffic
  vyos.vyos.vyos_config:

This file has been truncated. show original

firewall-templates-addressbook.j2

{% for address in fw_addresses %}
  {% if address['groups'] is defined %}
    {% for group in address['groups'] %}
      {% if address['ip'] is defined %}
        set firewall group address-group {{ group }} address {{ address['ip'] }}
      {% endif %}
      {% if address['ipv6'] is defined %}
        set firewall group ipv6-address-group {{ group }} address {{ address['ipv6'] }}
      {% endif %}
    {% endfor %}

This file has been truncated. show original

firewall-templates-policy_v4.j2

{% for zone in zones %}
  {% if zone['policies'] is defined %}
    {% for policy in zone['policies'] %}
      {% if zone['name'] != policy['dest'] %}
        {# Interfaces are defined elsewhere. This is to allow us to apply rulesets #}
        {# to these zones in particular. #}
        set zone-policy zone {{ policy['dest'] }} from {{ zone['name'] }} firewall name {{ zone['name'] }}-{{ policy['dest'] }}

        {# Set default inter-zone action. Can be set to accept, contrary to the #}
        {# zbf based value. #}

This file has been truncated. show original

There are more than three files. show original