Page MenuHomeVyOS Platform

Add capability to use local and external dynamic-lists for firewall rules but also for various policies such as access-list, route-maps etc.
Open, WishlistPublicFEATURE REQUEST

Description

It would be nice if it would be possible to add dynamic lists to VyOS firewall regarding address, network, interface, port, mac and domain groups.

Similar to the "External Dynamic List" feature of PaloAlto Networks firewalls:

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy

The purpose is that you then dont have to create something that interacts with the HTTP API of the VyOS but rather just dump a plain textfile either onto the VyOS box or the VyOS box will fetch this plain file.

Example for sources who uses plain files are https://www.team-cymru.com/bogon-reference-http among others.

Other usecases are various SEIM systems who can export a plain text file of ports, address, networks, as-numbers etc to be blocked (or allowed).

For VyOS the dynamic list could either be loaded locally (someone uploads a textfile to lets say /config/custom directory) or externally (the VyOS box fetches the file from external source through scp, sftp, ftps, http, https...).

Suggestion something like:

set firewall dynamic-list <NAME> source 'local' type 'network' path '/config/custom/blacklist_network.txt'

set firewall dynamic-list <NAME> source 'https' type 'interface' path 'https://example.com/blacklist/interface.txt'

There should also be possible to define how often these lists should be updated. Either dynamically like "every 1 minute" or statically "at 14:15:00 every day", preferly syntax from crontab could be used for this such as:

set firewall dynamic-list <NAME> refresh '15 14 * * *'

For commits VyOS would use the local cache of these files and if the cached file doesnt exist it will fetch it.

There should also for op-mode exist a way to manually refresh these caches upon request:

update firewall dynamic-list all

update firewall dynamic-list <NAME>

Same with some op-mode to refresh the firewall itself once the lists have been updated:

update firewall ruleset

A spinoff of this feature request would be that the dynamic-lists should also be accessible for use by routing protocols:

set policy dynamic-list <NAME> source 'local' type 'access-list' path '/config/custom/blacklist_access-list.txt'

set policy dynamic-list <NAME> source 'https' type 'route-map' path 'https://example.com/blacklist/routemap.txt'

set policy dynamic-list <NAME> refresh '15 14 * * *' action 'access-list <NAME>'
...
set policy dynamic-list <NAME> refresh '15 14 * * *' action 'large-community-list <NAME>'

update policy dynamic-list all

update policy dynamic-list <NAME>

update policy access-list <NAME>
update policy prefix-list <NAME>
update policy route <NAME>
update policy route6 <NAME>
update policy route-map <NAME>
update policy local-route <NAME>
update policy local-route6 <NAME>
update policy as-path-list <NAME>
update policy community-list <NAME>
update policy extcommunity-list <NAME>
update policy large-community-list <NAME>

The "update policy" op-mode is to recommit the policy once the "update policy dynamic-list" have completed its refresh of the dynamic-list.

Basically the same function as being called by "set policy dynamic-list <NAME> refresh".

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Event Timeline

Note that the PR for T4797 was never updated for requested changes:
https://github.com/vyos/vyos-1x/pull/1648

On the other hand, it is agreed that this would be a useful feature: @Apachez if you are able/willing to provide an alternative/updated PR, we will close the previous one.

@Apachez I would need this feature in another feature (https://vyos.dev/T6040) to avoid a double implementation.

syncer lowered the priority of this task from High to Wishlist.May 19 2024, 8:04 AM
syncer edited projects, added VyOS 1.5 Circinus; removed VyOS 1.4 Sagitta (1.4.0-GA).