Setting up a firewall

Introduction

VyOS uses netfilter (iptables) to implement packet filtering.
Firewall rules are grouped into named rule sets. A rule set holds rules numbered from 1 to 9999; rules are evaluated in ascending order, the first rule that matches a packet decides its fate, and a packet that matches no rule gets the rule set's default action. The numbers need not be contiguous, so leave gaps (10, 20, 30, ...) to make later insertions easy.
A rule set is then applied to one or more interfaces in one of three directions:

  • in
    Applied to traffic that arrives on this interface and is forwarded through VyOS to another host (the FORWARD chain in netfilter, matched on the input interface). On an external interface this is traffic from the outside heading for an internal address.
  • out
    Applied to traffic that leaves through this interface after being forwarded (the FORWARD chain, matched on the output interface). On an external interface this is internal traffic heading out.
  • local
    Applied to traffic addressed to VyOS itself (the INPUT chain), for example SSH to the router.

Creating a new rule

Rules live inside a named rule set that you define and then apply to an interface as described above. Every rule has two parts: the criteria a packet must match (protocol, ports, addresses, connection state, ...) and the action taken when it does (accept, drop or reject). Match criteria can also reference groups of addresses, networks or ports, which are covered later on this page.

Let's now set up a firewall, continuing from the previous example. Traffic to port 22 (or whichever port SSH listens on) must be let through so that we do not lock ourselves out. On top of that we allow ICMP echo requests and packets belonging to already established or related connections. We'll call the rule set eth1-local and apply it both as eth1 local (traffic addressed to the VyOS machine itself) and eth1 in (traffic arriving on eth1 that is forwarded on to the internal network).

First enter configuration mode (if not already in it) and move into the rule set, so that the set commands that follow are relative to firewall name eth1-local.

configure
edit firewall name eth1-local

Set the default action to drop, so that any packet not accepted by one of the rules below is silently discarded

set default-action drop

Allow packets belonging to already established or related connections (return traffic and the ICMP errors associated with it). Placing this rule first means most packets are accepted after a single match

set rule 10 action accept
set rule 10 description 'Allow established and related packets'
set rule 10 state established enable
set rule 10 state related enable

Allow ping. Only ICMP echo requests are accepted here; ICMP error messages that belong to tracked connections are already covered by rule 10 as related traffic

set rule 20 action accept
set rule 20 description 'Allow icmp'
set rule 20 icmp type-name echo-request
set rule 20 protocol icmp

Rate-limit SSH to slow down brute forcing: drop new connections from a source that has already opened 3 within the last 30 seconds. This only throttles guessing, so it complements key-based authentication on the SSH service rather than replacing it

set rule 30 action drop
set rule 30 destination port 22
set rule 30 protocol tcp
set rule 30 recent count 3
set rule 30 recent time 30
set rule 30 state new enable

Allow SSH. This rule must come after rule 30: rules are checked in ascending order and the first match wins, so the rate-limit drop has to be evaluated before the general accept or it would never take effect

set rule 35 action accept
set rule 35 description 'Allow ssh'
set rule 35 destination port 22
set rule 35 protocol tcp

The rule set now needs to be applied to the interface, as eth1 local and eth1 in as described above. Go back to the top of the configuration tree first, because the previous commands were relative to firewall name eth1-local.

top

set interfaces ethernet eth1 firewall local name eth1-local
set interfaces ethernet eth1 firewall in name eth1-local

Finally commit the change and save it so it survives a reboot. Keep your current session open and verify that a new SSH session still connects before closing it; a mistake in a rule set applied to the management interface can lock you out.

commit
save
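The whole procedure above as one paste-able batch, added here as an example; it is not taken from the original page or from the VyOS documentation. It adds two things the step-by-step commands do not show: logging on the rate-limit rule so dropped attempts are visible, and commit-confirm so that a mistake in a rule set applied to the management interface is rolled back automatically if the change is not confirmed in time (on the iptables-based releases this rollback is done by rebooting into the last saved configuration, which is why the batch saves the known-good configuration first). The 5-minute window and the rule set description are assumptions of this example.

```vyos
# Added example, not from the original page. Paste into a VyOS shell.
configure

# Make sure the current, known-good configuration is what a rollback returns to.
save

set firewall name eth1-local description 'Traffic to and through eth1'
set firewall name eth1-local default-action drop

# Return traffic and related ICMP errors for tracked connections.
set firewall name eth1-local rule 10 action accept
set firewall name eth1-local rule 10 description 'Allow established and related packets'
set firewall name eth1-local rule 10 state established enable
set firewall name eth1-local rule 10 state related enable

# Ping only (echo-request); other ICMP for existing flows is covered by rule 10.
set firewall name eth1-local rule 20 action accept
set firewall name eth1-local rule 20 description 'Allow ping'
set firewall name eth1-local rule 20 protocol icmp
set firewall name eth1-local rule 20 icmp type-name echo-request

# Drop, and log, sources that open more than 3 new SSH connections in 30 s.
# Must be numbered below rule 35: the first matching rule wins.
set firewall name eth1-local rule 30 action drop
set firewall name eth1-local rule 30 description 'Rate-limit new SSH connections'
set firewall name eth1-local rule 30 protocol tcp
set firewall name eth1-local rule 30 destination port 22
set firewall name eth1-local rule 30 state new enable
set firewall name eth1-local rule 30 recent count 3
set firewall name eth1-local rule 30 recent time 30
set firewall name eth1-local rule 30 log enable

set firewall name eth1-local rule 35 action accept
set firewall name eth1-local rule 35 description 'Allow ssh'
set firewall name eth1-local rule 35 protocol tcp
set firewall name eth1-local rule 35 destination port 22

# Apply to traffic addressed to the router and to traffic forwarded in via eth1.
set interfaces ethernet eth1 firewall local name eth1-local
set interfaces ethernet eth1 firewall in name eth1-local

# Commit, but revert automatically unless 'confirm' is issued within 5 minutes.
commit-confirm 5

# Now open a second SSH session to eth1 and, if it connects, run:
#   confirm
#   save
#   exit
```

After confirming, show firewall name eth1-local lists the rules with their hit counters, and show log firewall name eth1-local shows the entries written by rule 30, which is the quickest way to see whether the rate limit is actually triggering.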

Working with groups

It is also possible to create groups of addresses, networks or ports, which can then be referenced from rules; changing a group's members updates every rule that uses it, without editing the rules themselves. Let's say we wish to create a group containing the addresses 1.1.1.1 to 1.1.1.3 and 2.2.2.2.

set firewall group address-group <ADDRESS-GROUP-NAME> address 1.1.1.1-1.1.1.3
set firewall group address-group <ADDRESS-GROUP-NAME> address 2.2.2.2
set firewall group address-group <ADDRESS-GROUP-NAME> description 'A group of addresses'

Let's also create a group of networks, 3.3.3.0/24 and 4.4.4.0/24.

set firewall group network-group <NETWORK-GROUP-NAME> network 3.3.3.0/24
set firewall group network-group <NETWORK-GROUP-NAME> network 4.4.4.0/24
set firewall group network-group <NETWORK-GROUP-NAME> description 'A group of networks'

Finally, let's create a group of ports: 22, 23, the range 50-75 and the port for ftp (service names from /etc/services are accepted alongside numbers).

set firewall group port-group <PORT-GROUP-NAME> port 22
set firewall group port-group <PORT-GROUP-NAME> port 23
set firewall group port-group <PORT-GROUP-NAME> port 50-75
set firewall group port-group <PORT-GROUP-NAME> port ftp
set firewall group port-group <PORT-GROUP-NAME> description 'A group of ports'

These groups can then be referenced from a rule. For example, to reject packets that originate from the network group and target any address in the address group on any port in the port group, configure the following. A port match requires the protocol to be tcp or udp, and reject answers the sender (with an ICMP error or a TCP reset) where drop stays silent.

set firewall name <NAME> rule 10 action reject
set firewall name <NAME> rule 10 protocol tcp
set firewall name <NAME> rule 10 destination group address-group <ADDRESS-GROUP-NAME>
set firewall name <NAME> rule 10 destination group port-group <PORT-GROUP-NAME>
set firewall name <NAME> rule 10 source group network-group <NETWORK-GROUP-NAME>
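A more realistic use of groups, added here as an example and not part of the original page: an admin network group is the only source allowed to reach the management services (kept in a port group) on the router itself, a guest network group gets an explicit, logged reject for those same services, and everything else falls through to the default drop. The group names, the 192.0.2.0/24 and 203.0.113.0/24 networks (documentation ranges), the mgmt rule set and its application to eth0 as the LAN interface are all assumptions of this example.

```vyos
# Added example, not from the original page. Names and networks are assumed.
configure

# Who may manage the router, and which services count as management.
set firewall group network-group ADMIN-NETS network 192.0.2.0/24
set firewall group network-group ADMIN-NETS description 'Admin workstations'
set firewall group network-group GUEST-NETS network 203.0.113.0/24
set firewall group network-group GUEST-NETS description 'Guest LAN'
set firewall group port-group MGMT-PORTS port 22
set firewall group port-group MGMT-PORTS port 443
set firewall group port-group MGMT-PORTS description 'ssh and https to the router'

set firewall name mgmt description 'Management access to the router'
set firewall name mgmt default-action drop

set firewall name mgmt rule 10 action accept
set firewall name mgmt rule 10 description 'Allow established and related packets'
set firewall name mgmt rule 10 state established enable
set firewall name mgmt rule 10 state related enable

# Management ports only from admin networks. A port match needs protocol tcp or udp.
set firewall name mgmt rule 20 action accept
set firewall name mgmt rule 20 description 'Management from admin networks'
set firewall name mgmt rule 20 protocol tcp
set firewall name mgmt rule 20 source group network-group ADMIN-NETS
set firewall name mgmt rule 20 destination group port-group MGMT-PORTS

# Guests get an explicit reject (TCP reset) so their clients fail fast, and the
# attempt is logged. Any other source is silently dropped by the default action.
set firewall name mgmt rule 30 action reject
set firewall name mgmt rule 30 description 'Guest networks must not reach management'
set firewall name mgmt rule 30 protocol tcp
set firewall name mgmt rule 30 source group network-group GUEST-NETS
set firewall name mgmt rule 30 destination group port-group MGMT-PORTS
set firewall name mgmt rule 30 log enable

# Traffic addressed to the router arriving on the LAN interface (assumed eth0).
set interfaces ethernet eth0 firewall local name mgmt

commit
save
exit

# Operational mode: rules with hit counters, to confirm rule 20 is what admins hit.
show firewall name mgmt
```

Adding a second admin subnet later is a single set firewall group network-group ADMIN-NETS network ... followed by commit; rule 20 picks it up without being touched, which is the reason to use groups rather than repeating addresses in every rule.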