Vyos Firewall Rules and Troubleshooting - devinziegler/Devin-Tech-Journal GitHub Wiki

Guide to configuring VyOS firewall zones and rules:

Rules and mappings:

The first step is to create the zone policy. Every interface is mapped to exactly one zone, and traffic between two zones is controlled by the rule set attached to that zone pair. The interface-to-zone mapping is shown in the code block below:

set zone-policy zone <zone_name> interface <interface_name>

Setting up drop policies:

When a firewall is first configured, it should drop everything; rules that accept specific traffic are added afterwards. Here is an example that creates a rule set with a default drop action. In the lab example, each pair of zones has two rule sets, one per direction (WAN-to-LAN and LAN-to-WAN).

set firewall name <firewall_name> default-action drop

Logging of the default action should also be enabled, so that packets dropped by the default action show up in the log while rules are being developed. Use this command:

set firewall name <firewall_name> enable-default-log

Now that the rule sets have a default action, they can be attached to the zones created earlier. The rule set named under zone <zone1> from <zone2> filters traffic that enters <zone1> coming from <zone2>:

set zone-policy zone <zone1> from <zone2> firewall name <firewall_name>
set zone-policy zone <zone2> from <zone1> firewall name <firewall_name>

Make sure the direction is right: a rule set named WAN-to-LAN belongs under zone LAN from WAN, and LAN-to-WAN belongs under zone WAN from LAN, not the other way around.

Configuring Rules

Here is an example that demonstrates how rules allow services through the firewall. In this example, LAN-to-WAN allows outgoing HTTP and HTTPS (TCP ports 80 and 443), and WAN-to-LAN allows only the return traffic of connections that were established from the LAN side.

set firewall name LAN-to-WAN rule 1 action accept
set firewall name LAN-to-WAN rule 1 destination port '80,443'
set firewall name LAN-to-WAN rule 1 protocol tcp

set firewall name WAN-to-LAN rule 1 action accept
set firewall name WAN-to-LAN rule 1 state established enable
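The whole procedure above, as an added example that is not from the original page: a small bash script that prints the baseline zone-policy configuration for a set of zones. For every ordered pair of zones it emits one rule set with default-action drop and logging, attaches it under the destination zone (because zone <dst> from <src> filters traffic entering <dst> from <src>), and finishes with the two explicit rules from the page. The zone names (LAN, WAN), the interface names (eth0, eth1) and the X-to-Y rule-set naming are assumptions; the list is meant to be pasted into configure mode on the router.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): generate the baseline zone policy
# for a set of zones. For every ordered pair of zones it emits one rule set with
# default-action drop and logging, and attaches it under the destination zone,
# because "zone <dst> from <src>" filters traffic entering <dst> from <src>.
# Zone and interface names are assumptions; change them to match the router.
# Paste the printed "set" lines into "configure" on VyOS, then "commit" and "save".
set -eu

# zone:interface pairs (constructed for the example)
ZONES="LAN:eth1 WAN:eth0"

# Rule-set name for traffic from one zone into another, e.g. LAN-to-WAN
ruleset_name() { printf '%s-to-%s\n' "$1" "$2"; }

# Map each interface to its zone
zone_interface_cmds() {
  for pair in $ZONES; do
    printf 'set zone-policy zone %s interface %s\n' "${pair%%:*}" "${pair#*:}"
  done
}

# One drop-by-default, logging rule set per direction, attached to the right zone pair
zone_pair_cmds() {
  for a in $ZONES; do
    src=${a%%:*}
    for b in $ZONES; do
      dst=${b%%:*}
      if [ "$src" = "$dst" ]; then continue; fi
      name=$(ruleset_name "$src" "$dst")
      printf 'set firewall name %s default-action drop\n' "$name"
      printf 'set firewall name %s enable-default-log\n' "$name"
      printf 'set zone-policy zone %s from %s firewall name %s\n' "$dst" "$src" "$name"
    done
  done
}

# The explicit accepts from the page: HTTP/HTTPS out of the LAN, and only the
# return traffic of those connections back in. "related" additionally lets
# through ICMP errors and helper-tracked connections (e.g. FTP data channels).
allow_cmds() {
  outbound=$(ruleset_name LAN WAN)
  inbound=$(ruleset_name WAN LAN)
  cat <<EOF
set firewall name $outbound rule 1 action accept
set firewall name $outbound rule 1 protocol tcp
set firewall name $outbound rule 1 destination port '80,443'
set firewall name $inbound rule 1 action accept
set firewall name $inbound rule 1 state established enable
set firewall name $inbound rule 1 state related enable
EOF
}

# Full command list for the configured zones
generate() {
  zone_interface_cmds
  zone_pair_cmds
  allow_cmds
}

generate
```

Adding a third entry such as DMZ:eth2 to ZONES produces six rule sets instead of two, which is why scripting the boring part is worth it: every zone pair gets its drop-and-log baseline before any accept rule exists.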

Troubleshooting and file exporting

Firewall rules get tedious, so it is important to keep track of everything in an organized manner. A system that works for me is setting everything to drop by default, then creating specific rules that allow specific things through the firewall. Each time a rule is added, it should be tested to see that it functions as intended. That way, at each step, the only rule that can be causing a problem is the most recent one.

Here are some helpful commands to see what rules are in place, and what zones your firewalls are mapped to.

show firewall name <FIREWALL_NAME>
# OR
show firewall name <FIREWALL_NAME> rule <RULE_NUMBER>

The first command shows the whole rule set, including every rule and its packet and byte counters, which tell you whether traffic is actually hitting a rule; the second shows only the rule specified in the command.

Showing the zones is a good way to make sure each rule set is attached to the correct zone pair.

show zone-policy 

This shows every zone and its configuration.

Exporting firewall configs and startup configs

show configuration commands prints the running configuration as set commands (after a save it matches the startup config as well). To export it with the host-specific and noisy parts filtered out, run the following command:

show configuration commands | grep -v "syslog global\|ntp\|login\|console\|hw-id\|loopback\|conntrack" > vyos_config.txt

This command saves the configuration in a file called vyos_config.txt. The grep -v pattern drops the system-specific stanzas (such as hw-id, which holds an interface's MAC address, and the conntrack and login settings), so the export contains only the portable part of the configuration.

To export the firewall configurations, run:

show configuration commands | grep firewall > firewall_config.txt

This command saves only the firewall configuration in a file called firewall_config.txt.
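Checking the zone mapping with show zone-policy, and exporting the config with show configuration commands, go together: the exported set commands can be audited mechanically. The bash script below is an added example that is not from the original page. It runs three checks over an export of the kind produced above: a rule set named X-to-Y attached under the wrong direction, an attached rule set without an explicit default-action drop, and a rule set that is defined but never attached to any zone pair. The embedded config is constructed for the demo, with LAN, DMZ and WAN zones and eth* interfaces as assumptions, and deliberately contains one of each mistake. The X-to-Y naming convention is the page's; the checks assume it.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): audit an exported VyOS config
# ("show configuration commands" output, e.g. the vyos_config.txt export) for
# three zone-policy mistakes that "show zone-policy" otherwise leaves you to spot by eye:
#   1. a rule set named X-to-Y attached under the wrong direction,
#   2. an attached rule set whose default-action is not an explicit drop,
#   3. a rule set that is defined but never attached to any zone pair.
# The config below is constructed for the demo (LAN/DMZ/WAN zones and eth*
# interfaces are assumptions) and deliberately contains one of each mistake.
set -eu

SAMPLE_CONFIG='set zone-policy zone LAN interface eth1
set zone-policy zone DMZ interface eth2
set zone-policy zone WAN interface eth0
set firewall name LAN-to-WAN default-action drop
set firewall name LAN-to-WAN enable-default-log
set firewall name WAN-to-LAN default-action drop
set firewall name WAN-to-LAN rule 1 action accept
set firewall name WAN-to-LAN rule 1 state established enable
set firewall name DMZ-to-WAN default-action accept
set zone-policy zone WAN from LAN firewall name LAN-to-WAN
set zone-policy zone LAN from WAN firewall name LAN-to-WAN
set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN'

# 1. Attachment lines look like:
#      set zone-policy zone <dst> from <src> firewall name <ruleset>
#    With the X-to-Y naming convention (assumed), X must equal <src> and Y <dst>.
check_direction() {
  printf '%s\n' "$1" | awk '
    $1=="set" && $2=="zone-policy" && $5=="from" && $7=="firewall" && $8=="name" {
      dst=$4; src=$6; fw=$9
      if (split(fw, p, "-to-") == 2 && (p[1] != src || p[2] != dst))
        printf "DIRECTION %s is attached as zone %s from %s (expected zone %s from %s)\n", fw, dst, src, p[2], p[1]
    }'
}

# 2. Every attached rule set should carry an explicit "default-action drop"
check_default_drop() {
  printf '%s\n' "$1" | awk '
    $1=="set" && $2=="firewall" && $3=="name" && $5=="default-action" { action[$4]=$6 }
    $1=="set" && $2=="zone-policy" && $5=="from" && $7=="firewall" { attached[$9]=1 }
    END {
      for (fw in attached) {
        a = (fw in action) ? action[fw] : "unset"
        if (a != "drop")
          printf "DEFAULT %s default-action is \"%s\" (expected an explicit drop)\n", fw, a
      }
    }'
}

# 3. A rule set nobody references is dead configuration, or a typo in an attachment
check_unattached() {
  printf '%s\n' "$1" | awk '
    $1=="set" && $2=="firewall" && $3=="name" { defined[$4]=1 }
    $1=="set" && $2=="zone-policy" && $5=="from" && $7=="firewall" { attached[$9]=1 }
    END {
      for (fw in defined)
        if (!(fw in attached))
          printf "UNATTACHED %s is defined but not used by any zone pair\n", fw
    }'
}

# Run all checks: one line per finding, nothing printed for a clean config
audit() {
  check_direction "$1"
  check_default_drop "$1"
  check_unattached "$1"
}

audit "$SAMPLE_CONFIG"
```

To run it against a real export, replace the last line with audit "$(cat vyos_config.txt)". On the sample it reports the swapped LAN-to-WAN attachment, the DMZ-to-WAN rule set that accepts by default, and the WAN-to-LAN rule set that was written but never attached (which is exactly why the swapped line lets traffic through: the wrong rule set is doing the filtering).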
