Zone Based Firewall

Overview

Note

Starting from VyOS 1.4-rolling-202308040557, a new firewall structure can be found on all VyOS installations. The Zone based firewall was removed in that version, but re introduced in VyOS 1.4 and 1.5. All versions built after 2023-10-22 have this feature. Documentation for most of the new firewall CLI can be found in the firewall chapter.

In this section there’s useful information on all firewall configuration that is needed for the zone-based firewall. Configuration commands covered in this section:

set firewall zone …

From the main structure defined in Firewall Overview in this section you can find detailed information only for the next part of the general structure:

- set firewall
    * zone
         - custom_zone_name
            + ...

In zone-based policy, interfaces are assigned to zones, and inspection policy is applied to traffic moving between the zones and acted on according to firewall rules. A zone is a group of interfaces that have similar functions or features. It establishes the security borders of a network. A zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of a network.

Key Points:

A zone must be configured before an interface is assigned to it and an interface can be assigned to only a single zone.
All traffic to and from an interface within a zone is permitted.
All traffic between zones is affected by existing policies
Traffic cannot flow between a zone member interface and any interface that is not a zone member.
You need 2 separate firewalls to define traffic: one for each direction.

Note

In T2199 the syntax of the zone configuration was changed. The zone configuration moved from zone-policy zone <name> to firewall zone <name>.

Configuration

As an alternative to applying policy to an interface directly, a zone-based firewall can be created to simplify configuration when multiple interfaces belong to the same security zone. Instead of applying rule-sets to interfaces, they are applied to source-destination zone pairs.

A basic introduction to zone-based firewalls can be found here, and an example at Zone-Policy example.

The following steps are required to create a zone-based firewall:

Define both the source and destination zones
Define the rule-set
Apply the rule-set to the zones

Define a Zone

To define a zone setup either one with interfaces or the local zone.

set firewall zone <name> interface <interface>

Assign interfaces as a member of a zone.

Note

An interface can only be a member of one zone.
A zone can have multiple interfaces, with traffic between interfaces in the same zone subject to the intra-zone-filtering policy (allowed by default).

set firewall zone <name> local-zone

Define the zone as the local zone, for traffic originating from and destined to the router itself.

Note

A local zone cannot have any member interfaces
There cannot be multiple local zones

set firewall zone <name> default-action [drop | reject]

Change the zone default-action, which applies to traffic destined to this zone that doesn’t match any of the source zone rulesets applied.

set firewall zone <name> default-log

Enable logging of packets that hit this zone’s default-action (disabled by default).

set firewall zone <name> description

Set a meaningful description.

Defining a Rule-Set

Zone-based firewall rule-sets are for traffic from a Source Zone to a Destination Zone.

The rule-sets are created as a custom firewall chain using the commands below (refer to the firewall IPv4/IPv6 sections for the full syntax):

For IPv4: set firewall ipv4 name <name> ...
For IPv6: set firewall ipv6 name <name> ...

It can be helpful to name the rule-sets in the format <Sourze Zone>-<Destination Zone>-<v4 | v6> to make them easily identifiable.

Applying a Rule-Set to a Zone

Once a rule-set has been defined, it can then be applied to the source and destination zones. The configuration syntax is anchored on the destination zone, with each of the source zone rulesets listed against the destination.

set firewall zone <Destination Zone> from <Source Zone> firewall name <ipv4-rule-set-name>

set firewall zone <Destination Zone> from <Source Zone> firewall ipv6-name <ipv6-rule-set-name>

It is recommended to create two rule-sets for each source-destination zone pair.

set firewall zone DMZ from LAN firewall name LAN-DMZ-v4
set firewall zone LAN from DMZ firewall name DMZ-LAN-v4

Operation-mode

show firewall zone-policy

This will show you a basic summary of the zone configuration.

vyos@vyos:~$ show firewall zone-policy
Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6
------  ------------  -----------  ---------------  ---------------
LAN     eth1          WAN          WAN-LAN-v4
        eth2
LOCAL   LOCAL         LAN          LAN-LOCAL-v4
                      WAN          WAN-LOCAL-v4     WAN-LOCAL-v6
WAN     eth3          LAN          LAN-WAN-v4
        eth0          LOCAL        LOCAL-WAN-v4

show firewall zone-policy zone <zone>

This will show you a basic summary of a particular zone.

vyos@vyos:~$ show firewall zone-policy zone WAN
Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6
------  ------------  -----------  ---------------  ---------------
WAN     eth3          LAN          LAN-WAN-v4
        eth0          LOCAL        LOCAL-WAN-v4

vyos@vyos:~$ show firewall zone-policy zone LOCAL
Zone    Interfaces    From Zone    Firewall IPv4    Firewall IPv6
------  ------------  -----------  ---------------  ---------------
LOCAL   LOCAL         LAN          LAN-LOCAL-v4
                      WAN          WAN-LOCAL-v4     WAN-LOCAL-v6