Setting up a firewall
VyOS uses netfilter (iptables) to implement packet filtering.
Firewall rules are managed through rule sets, a collection of separate rules numbered from 1 to 9999. Rules are evaluated in numeric order (from 1 to 9999), although they do not need to be defined in that order.
These rule sets are then applied to an interface (or interfaces), in one of three directions:
in: This corresponds to the input interface of the FORWARD chain (netfilter), i.e. external traffic being routed through to an internal address.
out: This corresponds to the output interface of the FORWARD chain (netfilter), i.e. internal traffic being routed through to an external address.
local: This corresponds to the INPUT chain (netfilter), i.e. traffic which is directed at the firewall itself.
Creating a new rule
Each new rule belongs to a user-defined rule set, which is then applied to an interface or used with a group (more details later). Each rule needs to match packets, and then apply some action to them.
Let's now set up a firewall, continuing on from our last example. In this case, we will now need to let traffic through port 22 for ssh (or whichever port was used). On top of this, we shall let icmp through, as well as already established/related packets. We'll call this rule set eth1-local, and apply it to eth1 local (traffic directed at the VyOS machine) and eth1 in (traffic directed to eth1's internal network).
First we will need to go into configuration mode (if not already in it).
configure
edit firewall name eth1-local
Set the default action to drop packets
set default-action drop
Allow already established or related packets
set rule 10 action accept
set rule 10 description 'Allow established and related packets'
set rule 10 state established enable
set rule 10 state related enable
Allow icmp echo requests (ping)
set rule 20 action accept
set rule 20 description 'Allow icmp'
set rule 20 icmp type-name echo-request
set rule 20 protocol icmp
Try to prevent ssh brute forcing (max of 3 new connections every 30 seconds per source)
set rule 30 action drop
set rule 30 destination port 22
set rule 30 protocol tcp
set rule 30 recent count 3
set rule 30 recent time 30
set rule 30 state new enable
Allow ssh (this rule must be numbered after rule 30, because rules are checked in order: the brute-force limit has to be evaluated before the general accept, otherwise it is never reached)
set rule 35 action accept
set rule 35 description 'Allow ssh'
set rule 35 destination port 22
set rule 35 protocol tcp
This rule set will then need to be applied to an interface, eth1 local and eth1 in as mentioned above.
top
set interfaces ethernet eth1 firewall local name eth1-local
set interfaces ethernet eth1 firewall in name eth1-local
Finally, commit the changes and save the configuration (commit, then save).
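To see why rule 30 has to sit before rule 35, here is an added Python model of how a rule set like eth1-local is evaluated (this is not VyOS code; the source address, timestamps and the exact threshold semantics of `recent` are assumptions made for the illustration):

```python
from collections import defaultdict, deque

# The eth1-local rule set from the tutorial as data: (rule number, match criteria, action).
# Criteria keys: protocol, dport, icmp_type, state (set of allowed states), recent=(count, seconds).
ETH1_LOCAL = [
    (10, {"state": {"established", "related"}}, "accept"),
    (20, {"protocol": "icmp", "icmp_type": "echo-request"}, "accept"),
    (30, {"protocol": "tcp", "dport": 22, "state": {"new"}, "recent": (3, 30)}, "drop"),
    (35, {"protocol": "tcp", "dport": 22}, "accept"),
]
DEFAULT_ACTION = "drop"

class RuleSet:
    def __init__(self, rules, default_action=DEFAULT_ACTION):
        self.rules = sorted(rules, key=lambda r: r[0])  # numeric order decides, not definition order
        self.default_action = default_action
        self.recent = defaultdict(deque)  # (rule number, source) -> timestamps of matching packets

    def _matches(self, number, criteria, pkt):
        for key, want in criteria.items():
            if key == "recent":
                continue  # evaluated last, only once every other criterion has matched
            if key == "state":
                if pkt["state"] not in want:
                    return False
            elif pkt.get(key) != want:
                return False
        if "recent" in criteria:
            count, seconds = criteria["recent"]
            hist = self.recent[(number, pkt["src"])]
            while hist and pkt["t"] - hist[0] > seconds:
                hist.popleft()  # forget hits that fell out of the time window
            hist.append(pkt["t"])
            return len(hist) > count  # assumption: more than `count` hits in the window fires the rule
        return True

    def evaluate(self, pkt):
        for number, criteria, action in self.rules:
            if self._matches(number, criteria, pkt):
                return action  # first match wins
        return self.default_action

def new_ssh_burst(rules, n, spacing=1):
    """Actions taken for n new SSH connections from one (constructed) source, `spacing` seconds apart."""
    rs = RuleSet(rules)
    return [rs.evaluate({"src": "10.0.0.5", "protocol": "tcp", "dport": 22,
                         "state": "new", "t": i * spacing}) for i in range(n)]

# Same rules, but the ssh accept renumbered ahead of the limiter: rule 30 is shadowed and never drops.
MISORDERED = [r if r[0] != 35 else (25, r[1], r[2]) for r in ETH1_LOCAL]
```

With the tutorial's numbering a burst of five new SSH connections yields accept, accept, accept, drop, drop; with the accept rule renumbered to 25 every connection is accepted.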
Working with groups
It is also possible to create groups of addresses, networks or ports, which can then be used when defining rules. Let's say we wish to create a group of addresses, 184.108.40.206 to 220.127.116.11 and 18.104.22.168.
set firewall group address-group <ADDRESS-GROUP-NAME> address 22.214.171.124-126.96.36.199
set firewall group address-group <ADDRESS-GROUP-NAME> address 188.8.131.52
set firewall group address-group <ADDRESS-GROUP-NAME> description 'A group of addresses'
Let's also create a group of networks, 184.108.40.206/24 and 220.127.116.11/24.
set firewall group network-group <NETWORK-GROUP-NAME> address 18.104.22.168/24
set firewall group network-group <NETWORK-GROUP-NAME> address 22.214.171.124/24
set firewall group network-group <NETWORK-GROUP-NAME> description 'A group of networks'
Finally, let's create a group of ports, 22, 23, 50-75 and the port for ftp.
set firewall group port-group <PORT-GROUP-NAME> port 22
set firewall group port-group <PORT-GROUP-NAME> port 23
set firewall group port-group <PORT-GROUP-NAME> port 50-75
set firewall group port-group <PORT-GROUP-NAME> port ftp
set firewall group port-group <PORT-GROUP-NAME> description 'A group of ports'
These groups can then be referenced from a rule. For example, to reject packets that originate from the network group and are destined for an address in the address group on a port in the port group, the following would need to be done.
set firewall name <NAME> rule 10 action reject
set firewall name <NAME> rule 10 destination group address-group <ADDRESS-GROUP-NAME>
set firewall name <NAME> rule 10 destination group port-group <PORT-GROUP-NAME>
set firewall name <NAME> rule 10 source group network-group <NETWORK-GROUP-NAME>