Attempting to set up a skeleton/template for zone-based firewalling with the new firewall frontend (since the refactoring in early August 2023).
For the config, scroll to the bottom.
Noticed these three anomalies (so far):
- show firewall group doesn't properly display the members of each interface-group:
```
vyos@vyos:~$ show firewall group
Firewall Groups

Name    Type             References    Members
------  ---------------  ------------  ---------
DMZ     interface_group  N/A           N/A
LAN     interface_group  N/A           N/A
MGMT    interface_group  N/A           N/A
WAN     interface_group  N/A           N/A
```
- show firewall statistics shows all counters for packets and bytes as 0 (see below for output).
- show firewall statistics displays source/destination for "IPv6 Firewall" as "0.0.0.0/0" where "::/0" or similar would be expected; that is, it displays an IPv4 address instead of an IPv6 address:
```
vyos@vyos:~$ show firewall statistics
Rulesets Statistics

---------------------------------
IPv4 Firewall "forward filter"

Rule     Packets    Bytes    Action    Source     Destination
-------  ---------  -------  --------  ---------  -------------
10       0          0        drop      0.0.0.0/0  0.0.0.0/0
20       0          0        accept    0.0.0.0/0  0.0.0.0/0
30       0          0        accept    0.0.0.0/0  0.0.0.0/0
40       0          0        jump      0.0.0.0/0  0.0.0.0/0
50       0          0        jump      0.0.0.0/0  0.0.0.0/0
60       0          0        jump      0.0.0.0/0  0.0.0.0/0
default  0          0        accept    0.0.0.0/0  0.0.0.0/0

---------------------------------
IPv4 Firewall "input filter"

Rule     Packets    Bytes    Action    Source     Destination
-------  ---------  -------  --------  ---------  -------------
10       0          0        drop      0.0.0.0/0  0.0.0.0/0
20       0          0        accept    0.0.0.0/0  0.0.0.0/0
30       0          0        accept    0.0.0.0/0  0.0.0.0/0
default  0          0        accept    0.0.0.0/0  0.0.0.0/0

---------------------------------
IPv4 Firewall "name V4_TO_DMZ"

Rule     Packets    Bytes    Action    Source     Destination
-------  ---------  -------  --------  ---------  -------------
default  0          0        return    0.0.0.0/0  0.0.0.0/0

---------------------------------
IPv4 Firewall "name V4_TO_LAN"

Rule     Packets    Bytes    Action    Source     Destination
-------  ---------  -------  --------  ---------  -------------
default  0          0        return    0.0.0.0/0  0.0.0.0/0

---------------------------------
IPv4 Firewall "name V4_TO_WAN"

Rule     Packets    Bytes    Action    Source     Destination
-------  ---------  -------  --------  ---------  -------------
default  0          0        return    0.0.0.0/0  0.0.0.0/0

---------------------------------
IPv4 Firewall "output filter"

Rule     Packets    Bytes    Action    Source     Destination
-------  ---------  -------  --------  ---------  -------------
10       0          0        drop      0.0.0.0/0  0.0.0.0/0
20       0          0        accept    0.0.0.0/0  0.0.0.0/0
30       0          0        accept    0.0.0.0/0  0.0.0.0/0
default  0          0        accept    0.0.0.0/0  0.0.0.0/0

---------------------------------
IPv6 Firewall "forward filter"

Rule     Packets    Bytes    Action    Source     Destination
-------  ---------  -------  --------  ---------  -------------
10       0          0        drop      0.0.0.0/0  0.0.0.0/0
20       0          0        accept    0.0.0.0/0  0.0.0.0/0
30       0          0        accept    0.0.0.0/0  0.0.0.0/0
40       0          0        jump      0.0.0.0/0  0.0.0.0/0
50       0          0        jump      0.0.0.0/0  0.0.0.0/0
60       0          0        jump      0.0.0.0/0  0.0.0.0/0
default  0          0        accept    0.0.0.0/0  0.0.0.0/0

---------------------------------
IPv6 Firewall "input filter"

Rule     Packets    Bytes    Action    Source     Destination
-------  ---------  -------  --------  ---------  -------------
10       0          0        drop      0.0.0.0/0  0.0.0.0/0
20       0          0        accept    0.0.0.0/0  0.0.0.0/0
30       0          0        accept    0.0.0.0/0  0.0.0.0/0
default  0          0        accept    0.0.0.0/0  0.0.0.0/0

---------------------------------
IPv6 Firewall "name V6_TO_DMZ"

Rule     Packets    Bytes    Action    Source     Destination
-------  ---------  -------  --------  ---------  -------------
default  0          0        return    0.0.0.0/0  0.0.0.0/0

---------------------------------
IPv6 Firewall "name V6_TO_LAN"

Rule     Packets    Bytes    Action    Source     Destination
-------  ---------  -------  --------  ---------  -------------
default  0          0        return    0.0.0.0/0  0.0.0.0/0

---------------------------------
IPv6 Firewall "name V6_TO_WAN"

Rule     Packets    Bytes    Action    Source     Destination
-------  ---------  -------  --------  ---------  -------------
default  0          0        return    0.0.0.0/0  0.0.0.0/0

---------------------------------
IPv6 Firewall "output filter"

Rule     Packets    Bytes    Action    Source     Destination
-------  ---------  -------  --------  ---------  -------------
10       0          0        drop      0.0.0.0/0  0.0.0.0/0
20       0          0        accept    0.0.0.0/0  0.0.0.0/0
30       0          0        accept    0.0.0.0/0  0.0.0.0/0
default  0          0        accept    0.0.0.0/0  0.0.0.0/0
```
Using the following config:
```
set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-receive-redirects 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options resolver-cache
set firewall global-options resolver-interval '60'
set firewall global-options send-redirects 'disable'
set firewall global-options source-validation 'strict'
set firewall global-options syn-cookies 'enable'
set firewall global-options twa-hazards-protection 'disable'
set firewall group interface-group DMZ interface 'eth2'
set firewall group interface-group LAN interface 'eth3'
set firewall group interface-group MGMT interface 'eth0'
set firewall group interface-group WAN interface 'eth1'
set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 10 action 'drop'
set firewall ipv4 forward filter rule 10 state invalid 'enable'
set firewall ipv4 forward filter rule 20 action 'accept'
set firewall ipv4 forward filter rule 20 state established 'enable'
set firewall ipv4 forward filter rule 30 action 'accept'
set firewall ipv4 forward filter rule 30 state related 'enable'
set firewall ipv4 forward filter rule 40 action 'jump'
set firewall ipv4 forward filter rule 40 jump-target 'V4_TO_WAN'
set firewall ipv4 forward filter rule 40 outbound-interface interface-group 'WAN'
set firewall ipv4 forward filter rule 50 action 'jump'
set firewall ipv4 forward filter rule 50 jump-target 'V4_TO_DMZ'
set firewall ipv4 forward filter rule 50 outbound-interface interface-group 'DMZ'
set firewall ipv4 forward filter rule 60 action 'jump'
set firewall ipv4 forward filter rule 60 jump-target 'V4_TO_LAN'
set firewall ipv4 forward filter rule 60 outbound-interface interface-group 'LAN'
set firewall ipv4 input filter default-action 'accept'
set firewall ipv4 input filter rule 10 action 'drop'
set firewall ipv4 input filter rule 10 state invalid 'enable'
set firewall ipv4 input filter rule 20 action 'accept'
set firewall ipv4 input filter rule 20 state established 'enable'
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 state related 'enable'
set firewall ipv4 name V4_TO_DMZ default-action 'return'
set firewall ipv4 name V4_TO_LAN default-action 'return'
set firewall ipv4 name V4_TO_WAN default-action 'return'
set firewall ipv4 output filter default-action 'accept'
set firewall ipv4 output filter rule 10 action 'drop'
set firewall ipv4 output filter rule 10 state invalid 'enable'
set firewall ipv4 output filter rule 20 action 'accept'
set firewall ipv4 output filter rule 20 state established 'enable'
set firewall ipv4 output filter rule 30 action 'accept'
set firewall ipv4 output filter rule 30 state related 'enable'
set firewall ipv6 forward filter default-action 'accept'
set firewall ipv6 forward filter rule 10 action 'drop'
set firewall ipv6 forward filter rule 10 state invalid 'enable'
set firewall ipv6 forward filter rule 20 action 'accept'
set firewall ipv6 forward filter rule 20 state established 'enable'
set firewall ipv6 forward filter rule 30 action 'accept'
set firewall ipv6 forward filter rule 30 state related 'enable'
set firewall ipv6 forward filter rule 40 action 'jump'
set firewall ipv6 forward filter rule 40 jump-target 'V6_TO_WAN'
set firewall ipv6 forward filter rule 40 outbound-interface interface-group 'WAN'
set firewall ipv6 forward filter rule 50 action 'jump'
set firewall ipv6 forward filter rule 50 jump-target 'V6_TO_DMZ'
set firewall ipv6 forward filter rule 50 outbound-interface interface-group 'DMZ'
set firewall ipv6 forward filter rule 60 action 'jump'
set firewall ipv6 forward filter rule 60 jump-target 'V6_TO_LAN'
set firewall ipv6 forward filter rule 60 outbound-interface interface-group 'LAN'
set firewall ipv6 input filter default-action 'accept'
set firewall ipv6 input filter rule 10 action 'drop'
set firewall ipv6 input filter rule 10 state invalid 'enable'
set firewall ipv6 input filter rule 20 action 'accept'
set firewall ipv6 input filter rule 20 state established 'enable'
set firewall ipv6 input filter rule 30 action 'accept'
set firewall ipv6 input filter rule 30 state related 'enable'
set firewall ipv6 name V6_TO_DMZ default-action 'return'
set firewall ipv6 name V6_TO_LAN default-action 'return'
set firewall ipv6 name V6_TO_WAN default-action 'return'
set firewall ipv6 output filter default-action 'accept'
set firewall ipv6 output filter rule 10 action 'drop'
set firewall ipv6 output filter rule 10 state invalid 'enable'
set firewall ipv6 output filter rule 20 action 'accept'
set firewall ipv6 output filter rule 20 state established 'enable'
set firewall ipv6 output filter rule 30 action 'accept'
set firewall ipv6 output filter rule 30 state related 'enable'
```
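As an added example (not from the original post or the VyOS project), a small Python audit of a saved `set firewall` command listing in the shape of the zone skeleton above: it collects the interface-groups, named chains and forward-filter jump rules, then reports any jump-target with no defined chain and any zone that no forward jump selects, since with forward default-action accept such a zone is reachable without ever passing through a zone chain. The abbreviated sample config, the `parse`/`audit` helpers and the finding wording are all constructed here.

```python
import shlex
# Constructed, abbreviated sample in the shape of the post's config: three zones, IPv4 jumps for WAN and DMZ, no chain for MGMT.
SAMPLE = """\
set firewall group interface-group DMZ interface 'eth2'
set firewall group interface-group MGMT interface 'eth0'
set firewall group interface-group WAN interface 'eth1'
set firewall ipv4 forward filter default-action 'accept'
set firewall ipv4 forward filter rule 40 action 'jump'
set firewall ipv4 forward filter rule 40 jump-target 'V4_TO_WAN'
set firewall ipv4 forward filter rule 40 outbound-interface interface-group 'WAN'
set firewall ipv4 forward filter rule 50 action 'jump'
set firewall ipv4 forward filter rule 50 jump-target 'V4_TO_DMZ'
set firewall ipv4 forward filter rule 50 outbound-interface interface-group 'DMZ'
set firewall ipv4 name V4_TO_DMZ default-action 'return'
set firewall ipv4 name V4_TO_WAN default-action 'return'
"""

def parse(text):
    """Collect interface-groups, named chains, forward default-actions and forward jump rules per family."""
    groups, chains, default, jumps = set(), {}, {}, {}
    for t in (shlex.split(line) for line in text.splitlines()):
        if len(t) < 5 or t[:2] != ['set', 'firewall']:
            continue  # blank line or not a firewall statement
        if t[2:4] == ['group', 'interface-group']:
            groups.add(t[4])
        elif t[3] == 'name':  # set firewall ipvX name CHAIN ...
            chains.setdefault(t[2], set()).add(t[4])
        elif t[3:6] == ['forward', 'filter', 'default-action']:
            default[t[2]] = t[6]
        elif t[3:6] == ['forward', 'filter', 'rule']:
            rule = jumps.setdefault(t[2], {}).setdefault(t[6], {})
            if t[7:8] == ['jump-target']:
                rule['target'] = t[8]
            elif t[7:9] == ['outbound-interface', 'interface-group']:
                rule['group'] = t[9]
    return groups, chains, default, jumps

def audit(text):
    """Report dangling jump-targets and zones no forward jump selects (only the default-action applies to them)."""
    groups, chains, default, jumps = parse(text)
    findings = []
    for fam, rules in sorted(jumps.items()):
        covered = set()
        for num, r in sorted(rules.items()):
            if 'target' in r and r['target'] not in chains.get(fam, ()):
                findings.append(f"{fam} rule {num}: jump-target {r['target']} is not defined")
            covered.add(r.get('group'))
        for zone in sorted(groups - covered):
            findings.append(f"{fam}: zone {zone} has no jump; forward default-action {default.get(fam)} applies")
    return findings
```

Running `audit(SAMPLE)` flags only the MGMT zone; feeding it the full listing above (with `show configuration commands | grep firewall` output, for instance) applies the same checks to both address families.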