zone-policy for local-zone

I can create a zone for a Vyos router itself, say:
set zone-policy zone vyoslocal local-zone

I was planning to use local-zone to restrict access to the Vyos router itself based on zoning but I have found that local-zone is not terribly useful.

I have set up firewall rules for access to the router from private LAN but it does not help. As soon as I set the zone-policy for local-zone the access to the Vyos router is locked down. I have traffic between zones through the router but I am not able to ping the router or ping from the router. Basically I cannot remotely manage the router and I cannot do any work related functions while sitting in front of the Vyos console.

Ping outside from the router:
root@vyos:~# ping 98.134.183.24
PING 98.134.183.24 (98.134.183.24) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

Could someone share experience on how to use local-zone?

Thanks,

It looks like you’ve authorized traffic from your LAN zone to your local zone but forgot to authorize traffic from the local-zone to your LAN.

Greetings.

When zone policies are used, the number of rulesets is N ^ 2 + N, where N is the total number of subnets. The “+ N” part of the formula indicates that it also takes into account the firewall itself.

:slight_smile:

For example:

Traffic flow:

LAN <------> Firewall (VyOS) <------> WAN

Zone policy configuration:

set zone-policy zone lan default-action drop
set zone-policy zone lan description "LAN subnet"
set zone-policy zone lan interface eth0

set zone-policy zone wan default-action drop
set zone-policy zone wan description "WAN subnet"
set zone-policy zone wan interface eth1

set zone-policy zone firewall default-action drop
set zone-policy zone firewall description "Firewall itself"
set zone-policy zone firewall local-zone

set zone-policy zone lan from wan firewall name wan-lan
set zone-policy zone lan from firewall firewall name firewall-lan

set zone-policy zone wan from lan firewall name lan-wan
set zone-policy zone wan from firewall firewall name firewall-wan

set zone-policy zone firewall from lan firewall name lan-firewall
set zone-policy zone firewall from wan firewall name wan-firewall

Here wan-lan, firewall-lan, lan-wan, firewall-wan, lan-firewall and wan-firewall are rulesets defined by “set firewall name…” command.

:slight_smile:
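The reply above gives the two-zone case by hand, and the earlier reply points out that the original poster's lockout came from the missing local-zone -> LAN direction. The script below is an added example (not code from the forum posts or from the VyOS project) that generalizes this: for any number of interface zones it emits the N^2 + N rulesets and the matching "set zone-policy ... from ..." statements in the VyOS 1.2/1.3 syntax used in the thread. Every ruleset drops by default and accepts established/related return traffic, and the rulesets leaving the local zone also accept ICMP so the router can ping out. Zone names, interface names and rule numbers are constructed for illustration; the "state established enable" / "protocol icmp" rule syntax is assumed to be that of VyOS 1.2/1.3.

```python
# Added example (not from the VyOS forum posts above): generate the N^2 + N
# zone-policy rulesets for N interface zones plus the local zone, in VyOS
# 1.2/1.3 "set zone-policy" syntax as used in the thread. Zone names,
# interface names and rule numbers are constructed for illustration.


def zone_pairs(zones, local_zone="firewall"):
    """Every ordered (source, destination) pair, local zone included.

    With N interface zones this yields N*(N-1) inter-zone pairs plus
    2*N pairs to/from the local zone, i.e. N^2 + N rulesets in total.
    """
    all_zones = list(zones) + [local_zone]
    return [(src, dst) for src in all_zones for dst in all_zones if src != dst]


def ruleset_commands(src, dst, local_zone="firewall"):
    """Commands for one ruleset named '<src>-<dst>'.

    Each ruleset drops by default and accepts return traffic of
    established/related connections, so a flow only needs to be opened
    explicitly in its initiating direction. Rulesets whose source is the
    local zone additionally accept ICMP so the router itself can ping out
    (the 'sendmsg: Operation not permitted' in the original post is what a
    missing firewall->lan / firewall->wan ruleset looks like).
    """
    name = f"{src}-{dst}"
    cmds = [
        f"set firewall name {name} default-action drop",
        f"set firewall name {name} rule 10 action accept",
        f"set firewall name {name} rule 10 state established enable",
        f"set firewall name {name} rule 10 state related enable",
    ]
    if src == local_zone:
        cmds += [
            f"set firewall name {name} rule 20 action accept",
            f"set firewall name {name} rule 20 protocol icmp",
        ]
    # Attach the ruleset to traffic entering zone <dst> from zone <src>.
    cmds.append(f"set zone-policy zone {dst} from {src} firewall name {name}")
    return cmds


def zone_policy_config(interfaces, local_zone="firewall"):
    """Full command list for interface zones given as {zone_name: interface}."""
    cmds = []
    for zone, iface in interfaces.items():
        cmds.append(f"set zone-policy zone {zone} default-action drop")
        cmds.append(f"set zone-policy zone {zone} interface {iface}")
    cmds.append(f"set zone-policy zone {local_zone} default-action drop")
    cmds.append(f"set zone-policy zone {local_zone} local-zone")
    for src, dst in zone_pairs(interfaces, local_zone):
        cmds.extend(ruleset_commands(src, dst, local_zone))
    return cmds


def ruleset_count(interfaces, local_zone="firewall"):
    """Number of distinct 'set firewall name' rulesets the config defines."""
    return len({c.split()[3] for c in zone_policy_config(interfaces, local_zone)
                if c.startswith("set firewall name ")})


if __name__ == "__main__":
    # Constructed two-zone topology matching the thread: LAN on eth0, WAN on eth1.
    sample = {"lan": "eth0", "wan": "eth1"}
    print("\n".join(zone_policy_config(sample)))
    print(f"# {ruleset_count(sample)} rulesets == N^2 + N with N={len(sample)}")
```

Running it for the thread's LAN/WAN topology prints the six rulesets (wan-lan, firewall-lan, lan-wan, firewall-wan, lan-firewall, wan-firewall) together with their "from" bindings; adding a third zone to the dictionary gives twelve, which is the N^2 + N growth the reply describes and the reason a missing local-zone direction is so easy to overlook.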

When I go to configure the firewall, my first commands are:

set firewall all-ping enable
set firewall broadcast-ping disable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable

And then the others.

:slight_smile: