Network Firewalls - tmansfield42/Tech-Journal GitHub Wiki

Configuring Network Firewalls

This entry collects VyOS configuration commands for setting up a zone-based network firewall. To begin, create the firewall zones and bind each one to its interface:

set zone-policy zone LAN interface eth2

set zone-policy zone WAN interface eth0

set zone-policy zone DMZ interface eth1

Next, create the rule sets that hold the actions/rules the firewall should follow (VyOS calls each one a firewall name). A rule set does nothing on its own: it takes effect only once it is placed into a firewall zone, which applies it to that zone's interfaces (eth2, eth0, eth1).

set firewall name WAN-to-LAN

set firewall name LAN-to-WAN


Traffic is filtered per direction. If you want packets to travel through the firewall between two zones, such as DMZ to WAN or LAN to DMZ, you must create two rule sets: one for packets going from Point A to Point B and one for Point B to Point A. For example, to filter traffic between the WAN and the LAN you have to set a firewall name for both directions, which means adding WAN-to-LAN and LAN-to-WAN.

Next, attach the rule sets you just created to a zone. In this example, the firewall name WAN-to-LAN is added to the zone LAN, because the packets coming from the WAN (the "from WAN" part of the command) are arriving at the LAN, which is the zone this rule set is placed into.

set zone-policy zone LAN from WAN firewall name WAN-to-LAN

As expected, you need to do the same for the packets coming from the LAN to the WAN:

set zone-policy zone WAN from LAN firewall name LAN-to-WAN


Creating Firewall Rules

set firewall name <fw name> default-action drop

set firewall name <fw name> enable-default-log

set firewall name <fw name> rule 1 action 'accept'

set firewall name <fw name> rule 1 state established 'enable'

With this base in place, the rule set drops all packets by default (and logs each drop), while rule 1 lets replies belonging to already-established connections back through.
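The two pitfalls above (a zone pair attached in only one direction, and a rule set whose default is not drop or that drops without an established-state accept) are easy to miss once a config grows. As an added example, not part of this journal or VyOS itself, the checker below parses `show configuration commands` output in the zone-policy syntax used on this page and reports those gaps; the sample config is constructed, with deliberate mistakes for it to flag.

```python
import re
from collections import defaultdict

# Constructed sample (not a real box): `show configuration commands` output shaped like this page's layout.
SAMPLE_CONFIG = """\
set zone-policy zone LAN interface eth2
set zone-policy zone WAN interface eth0
set zone-policy zone DMZ interface eth1
set zone-policy zone LAN from WAN firewall name WAN-to-LAN
set zone-policy zone DMZ from LAN firewall name LAN-to-DMZ
set firewall name WAN-to-LAN default-action drop
set firewall name WAN-to-LAN rule 1 action 'accept'
set firewall name WAN-to-LAN rule 1 state established 'enable'
set firewall name LAN-to-DMZ default-action accept
set firewall name LAN-to-WAN default-action drop
"""

ZONE_FROM = re.compile(r"^set zone-policy zone (\S+) from (\S+) firewall name (\S+)$")
FW_NAME = re.compile(r"^set firewall name (\S+)")
FW_DEFAULT = re.compile(r"^set firewall name (\S+) default-action '?(\w+)'?$")
FW_STATE = re.compile(r"^set firewall name (\S+) rule \d+ state (\w+) '?enable'?$")

def check_zone_policy(config_text):
    """Return sorted findings: missing return direction, non-drop defaults, no established accept, unattached rule-sets."""
    policies = {}                      # (to_zone, from_zone) -> rule-set name attached there
    rulesets, default_action, states = set(), {}, defaultdict(set)
    for line in config_text.splitlines():
        line = line.strip()
        if m := ZONE_FROM.match(line):
            policies[(m.group(1), m.group(2))] = m.group(3)
        elif m := FW_NAME.match(line):
            rulesets.add(m.group(1))   # any `set firewall name X ...` line defines X
            if d := FW_DEFAULT.match(line):
                default_action[d.group(1)] = d.group(2)
            elif s := FW_STATE.match(line):
                states[s.group(1)].add(s.group(2))
    findings = []
    for (to_zone, from_zone), name in policies.items():
        if (from_zone, to_zone) not in policies:   # the page's "both directions" rule
            findings.append(f"no return policy: zone {from_zone} from {to_zone} (pair with {name})")
        if name not in rulesets:
            findings.append(f"zone {to_zone} from {from_zone} references undefined rule-set {name}")
        elif default_action.get(name) != "drop":
            findings.append(f"rule-set {name} default-action is {default_action.get(name, 'unset')}, not drop")
        elif "established" not in states[name]:
            findings.append(f"rule-set {name} drops all traffic but has no established-state accept rule")
    for name in sorted(rulesets - set(policies.values())):
        findings.append(f"rule-set {name} is defined but not attached to any zone")
    return sorted(findings)
```

Feed it the real output of `show configuration commands` (saved to a file) to audit a box before committing further changes.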

You will also need rules that allow or deny specific IPs, ports, services, etc. This example rule allows HTTP, HTTPS, SSH and Wazuh agent traffic (TCP ports 80, 443, 22, 1514 and 1515) coming from 172.16.150.10 to 172.16.200.10.

set firewall name LAN-to-MGMT rule 2 action 'accept'

set firewall name LAN-to-MGMT rule 2 destination address '172.16.200.10'

set firewall name LAN-to-MGMT rule 2 destination port '443,80,22,1514,1515'

set firewall name LAN-to-MGMT rule 2 protocol 'tcp'

set firewall name LAN-to-MGMT rule 2 source address '172.16.150.10'

To dump the configuration as a list of commands (for example to copy them into this journal), run the following, which filters out the system-level entries you normally don't need to copy:

show configuration commands | grep -v "syslog global\|ntp\|login\|console\|config\|hw-id\|loopback\|conntrack"
