I can create a zone for a Vyos router itself, say:
set zone-policy zone vyoslocal local-zone
I was planning to use local-zone to restrict access to the Vyos router itself based on zoning but I have found that local-zone is not terribly useful.
I have set up firewall rules for access to the router from the private LAN but it does not help. As soon as I set the zone-policy for local-zone, access to the Vyos router is locked down. I have traffic between zones through the router, but I am not able to ping the router or ping from the router. Basically I cannot remotely manage the router and I cannot do any work-related functions while sitting in front of the Vyos console.
Ping outside from the router:
root@vyos:~# ping 98.134.183.24
PING 98.134.183.24 (98.134.183.24) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
Could someone share experience on how to use local-zone?
When zone policies are used, the number of rulesets is N ^ 2 + N, where N is the total number of subnets. The "+ N" part of the formula indicates that it also takes into account the firewall itself.
For example:
Traffic flow:
LAN <------> Firewall (VyOS) <------> WAN
Zone policy configuration:
set zone-policy zone lan default-action drop
set zone-policy zone lan description "LAN subnet"
set zone-policy zone lan interface eth0
set zone-policy zone wan default-action drop
set zone-policy zone wan description "WAN subnet"
set zone-policy zone wan interface eth1
set zone-policy zone firewall default-action drop
set zone-policy zone firewall description "Firewall itself"
set zone-policy zone firewall local-zone
set zone-policy zone lan from wan firewall name wan-lan
set zone-policy zone lan from firewall firewall name firewall-lan
set zone-policy zone wan from lan firewall name lan-wan
set zone-policy zone wan from firewall firewall name firewall-wan
set zone-policy zone firewall from lan firewall name lan-firewall
set zone-policy zone firewall from wan firewall name wan-firewall
Here wan-lan, firewall-lan, lan-wan, firewall-wan, lan-firewall and wan-firewall are rulesets defined by the "set firewall name…" command.
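The N ^ 2 + N rule and the fact that the local zone gets no implicit "allow" in either direction are easiest to see when the whole matrix is generated rather than typed by hand. The following is an added example, not code from this thread or from the VyOS project: a small Python generator that enumerates every ordered zone pair (local zone included), emits the matching zone-policy lines, and builds minimal rulesets so that the router stays manageable from a trusted zone and can still originate ICMP once local-zone is set. The zone names, interface names, the choice of "lan" as the trusted management zone, the SSH port, and the rule numbering are all assumptions made for illustration; the rule syntax follows the zone-policy style used in the reply above (VyOS 1.2/1.3).

```python
"""Generate a VyOS zone-policy skeleton plus minimal local-zone rulesets.

Added example (not from the thread or the VyOS project). It models the
reply's rule: with N subnet zones plus the local zone, every ordered pair of
distinct zones needs its own ruleset (N^2 + N in total), and the local zone
has no implicit accept for traffic to or from the router itself.
"""
from itertools import permutations


def ruleset_count(n_subnets: int) -> int:
    """N^2 + N: ordered pairs among N subnet zones plus one local zone."""
    return n_subnets * n_subnets + n_subnets


def zone_pairs(subnet_zones, local_zone="firewall"):
    """Every ordered (from, to) pair of distinct zones, local zone included."""
    zones = list(subnet_zones) + [local_zone]
    return list(permutations(zones, 2))


def zone_policy_commands(subnet_zones, interfaces, local_zone="firewall"):
    """'set zone-policy ...' lines: one ruleset name per ordered zone pair."""
    cmds = []
    for zone in subnet_zones:
        cmds.append(f"set zone-policy zone {zone} default-action drop")
        cmds.append(f"set zone-policy zone {zone} interface {interfaces[zone]}")
    cmds.append(f"set zone-policy zone {local_zone} default-action drop")
    cmds.append(f"set zone-policy zone {local_zone} local-zone")
    for src, dst in zone_pairs(subnet_zones, local_zone):
        cmds.append(f"set zone-policy zone {dst} from {src} firewall name {src}-{dst}")
    return cmds


def management_rulesets(subnet_zones, trusted_zone, local_zone="firewall", ssh_port=22):
    """Minimal 'set firewall name ...' rulesets that keep the router reachable.

    Assumed policy (an illustration, not the thread's configuration):
      - every ruleset drops by default and accepts established/related replies;
      - traffic the router originates (local zone as source) may send ICMP,
        which is what the original poster's failing outbound ping needs;
      - only the trusted zone may ping and SSH to the router; the WAN gets
        nothing beyond established/related.
    """
    cmds = []
    for src, dst in zone_pairs(subnet_zones, local_zone):
        name = f"{src}-{dst}"
        cmds.append(f"set firewall name {name} default-action drop")
        cmds.append(f"set firewall name {name} rule 10 action accept")
        cmds.append(f"set firewall name {name} rule 10 state established enable")
        cmds.append(f"set firewall name {name} rule 10 state related enable")
        if src == local_zone:
            # Router-originated ICMP (ping from the VyOS console) to every zone.
            cmds.append(f"set firewall name {name} rule 20 action accept")
            cmds.append(f"set firewall name {name} rule 20 protocol icmp")
        if src == trusted_zone and dst == local_zone:
            # Management access to the router from the trusted zone only.
            cmds.append(f"set firewall name {name} rule 20 action accept")
            cmds.append(f"set firewall name {name} rule 20 protocol icmp")
            cmds.append(f"set firewall name {name} rule 30 action accept")
            cmds.append(f"set firewall name {name} rule 30 protocol tcp")
            cmds.append(f"set firewall name {name} rule 30 destination port {ssh_port}")
    return cmds


if __name__ == "__main__":
    # Constructed sample: the two-subnet topology from the reply above.
    subnets = ["lan", "wan"]
    ifaces = {"lan": "eth0", "wan": "eth1"}  # assumed interface mapping
    print(f"# {ruleset_count(len(subnets))} rulesets required")
    for line in management_rulesets(subnets, trusted_zone="lan"):
        print(line)
    for line in zone_policy_commands(subnets, ifaces):
        print(line)
```

Running it prints the firewall rulesets first and the zone-policy lines last, which is also the order to commit them in: binding a zone pair to a ruleset name that does not exist yet, or binding local-zone before the firewall-* rulesets exist, is exactly how the router ends up unreachable in both directions.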
When I go to configure the firewall, my first commands are:
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable