Firewall

A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.

The following section will guide you through the process of enabling and configuring the firewall in VyOS.

If you are yet to provision your VyOS instances on the OrionVM platform please follow our Getting Started guide.


Firewall Basics

Firewall rules are managed through rule sets, each a collection of separate rules numbered from 1 to 9999. Rules are evaluated in numeric order (from 1 to 9999), although they do not need to be defined in that order.

These rule sets are then applied to an interface (or interfaces), and can either be applied as:

  • in - traffic arriving on the interface and routed through the firewall, e.g. external traffic destined for an internal address
  • out - traffic leaving the interface after being routed through the firewall, e.g. internal traffic destined for an external address
  • local - traffic addressed to the firewall itself

Each rule belongs to a user-defined rule set, which is then applied to an interface (groups, covered below, are used inside rules to match addresses, networks or ports). Each rule needs match criteria to select packets, and an action to apply to the packets it matches.


Basic Firewall Configuration

We will now set up a basic firewall configuration.

We will allow SSH traffic on port 22. On top of this, we will allow ICMP, as well as packets belonging to already established/related connections. We will call this rule set eth1-local, and apply it to eth1 local (traffic directed at the VyOS machine itself) and eth1 in (traffic arriving on eth1 and routed to its internal network).

First we will need to go into configuration mode (if not already in it):

configure
edit firewall name eth1-local

We then set the default action to drop packets:

set default-action drop

Allow already established or related packets:

set rule 10 action accept
set rule 10 description 'Allow established and related packets'
set rule 10 state established enable
set rule 10 state related enable

Allow icmp:

set rule 20 action accept
set rule 20 description 'Allow icmp'
set rule 20 icmp type-name echo-request
set rule 20 protocol icmp

Rate-limit new SSH connections to mitigate brute forcing (at most 3 new connections every 30 seconds):

set rule 30 action drop
set rule 30 destination port 22
set rule 30 protocol tcp
set rule 30 recent count 3
set rule 30 recent time 30
set rule 30 state new enable

Allow SSH (this rule must be numbered after rule 30, since rules are checked sequentially: the brute-force drop rule has to be evaluated before the accept rule):

set rule 35 action accept
set rule 35 description 'Allow ssh'
set rule 35 destination port 22
set rule 35 protocol tcp

This rule set will then need to be applied to an interface, eth1 local and eth1 in:

top

set interfaces ethernet eth1 firewall local name eth1-local
set interfaces ethernet eth1 firewall in name eth1-local

Finally commit and save this to the configuration:

commit
save
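To see why rule 30 has to precede rule 35, here is an added Python model of how the rule set above is walked (first match wins, otherwise the default action applies); it is not VyOS code and not part of this guide, and it assumes the `recent` match allows `count` new connections per source address within `time` seconds and drops further ones.

```python
from collections import defaultdict, deque

# The guide's eth1-local rule set, transcribed into plain dicts (constructed,
# not VyOS syntax).  Rules are tried in numeric order; first match wins.
ETH1_LOCAL = [
    {"num": 10, "action": "accept", "state": {"established", "related"}},
    {"num": 20, "action": "accept", "protocol": "icmp"},
    {"num": 30, "action": "drop", "protocol": "tcp", "dport": 22,
     "state": {"new"}, "recent": (3, 30)},   # count 3, time 30 s
    {"num": 35, "action": "accept", "protocol": "tcp", "dport": 22},
]

class RuleSet:
    def __init__(self, rules, default_action="drop"):
        self.rules = sorted(rules, key=lambda r: r["num"])
        self.default_action = default_action
        self.hits = defaultdict(deque)   # src address -> NEW-connection times

    def _recent(self, rule, pkt):
        # Assumed semantics: match (and so drop) once more than `count` NEW
        # connections from this source were seen inside the last `window` s.
        count, window = rule["recent"]
        q = self.hits[pkt["src"]]
        while q and pkt["t"] - q[0] >= window:   # expire old timestamps
            q.popleft()
        q.append(pkt["t"])
        return len(q) > count

    def _matches(self, rule, pkt):
        if "protocol" in rule and rule["protocol"] != pkt["proto"]:
            return False
        if "dport" in rule and rule["dport"] != pkt.get("dport"):
            return False
        if "state" in rule and pkt["state"] not in rule["state"]:
            return False
        return "recent" not in rule or self._recent(rule, pkt)

    def verdict(self, pkt):
        """Return (matching rule number or None, action) for one packet."""
        for rule in self.rules:
            if self._matches(rule, pkt):
                return rule["num"], rule["action"]
        return None, self.default_action

def ssh_burst(rules, n=5, src="192.0.2.10"):
    """Verdicts for n NEW SSH connections from one source, one per second."""
    fw = RuleSet(rules)
    return [fw.verdict({"src": src, "proto": "tcp", "dport": 22,
                        "state": "new", "t": i})[1] for i in range(n)]
```

Renumbering the accept rule below 30 (so it is checked first) makes every connection in the burst accepted and the rate limit never fires.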

Opening Additional Ports

If you would like to open additional ports you can do so by creating another rule under the eth1-local firewall (assuming it has already been set up as above). For example, to open port 80 (commonly used for HTTP) I would do the following:

configure
edit firewall name eth1-local

set rule 40 action accept
set rule 40 description 'Allow http'
set rule 40 destination port 80
set rule 40 protocol tcp

top
commit
save

Working With Groups

It is also possible to create groups of addresses, networks or ports, which can then be used when defining rules. Let's say we wish to create a group of addresses: 1.1.1.1 to 1.1.1.3, and 2.2.2.2.

set firewall group address-group <ADDRESS-GROUP-NAME> address 1.1.1.1-1.1.1.3
set firewall group address-group <ADDRESS-GROUP-NAME> address 2.2.2.2
set firewall group address-group <ADDRESS-GROUP-NAME> description 'A group of addresses'

Let's also create a group of networks: 3.3.3.0/24 and 4.4.4.0/24.

set firewall group network-group <NETWORK-GROUP-NAME> address 3.3.3.0/24
set firewall group network-group <NETWORK-GROUP-NAME> address 4.4.4.0/24
set firewall group network-group <NETWORK-GROUP-NAME> description 'A group of networks'

Finally, let's create a group of ports: 22, 23, 50-75 and the port for ftp.

set firewall group port-group <PORT-GROUP-NAME> port 22
set firewall group port-group <PORT-GROUP-NAME> port 23
set firewall group port-group <PORT-GROUP-NAME> port 50-75
set firewall group port-group <PORT-GROUP-NAME> port ftp
set firewall group port-group <PORT-GROUP-NAME> description 'A group of ports'

These groups can then be used in a rule. For example, to reject packets originating from the network group that are destined for the addresses in the address group on the ports in the port group, the following would be needed:

set firewall name <NAME> rule 10 action reject
set firewall name <NAME> rule 10 destination group address-group <ADDRESS-GROUP-NAME>
set firewall name <NAME> rule 10 destination group port-group <PORT-GROUP-NAME>
set firewall name <NAME> rule 10 source group network-group <NETWORK-GROUP-NAME>