[ZBF] Allow filtering intra zone traffic
Closed, Resolved · Public · Feature Request

Description

Not being able to apply a policy between interfaces of the same zone is inconvenient.

Even Cisco in the 15.x series now allows this, because it's really useful. Otherwise you often end up having to define one zone per interface ...

Imagine the case (which I think is pretty common) of N LAN segments that should be completely isolated from each other but be able to access the internet.
Ideally I'd create a LAN zone and a WAN zone, and set the intra-zone policy of LAN to DROP.
Instead I have to create N different zones, each time with the same policies applied to them.

When in addition to the WAN zone you have a 'service' zone with shared internal services, this gets even worse.

If the "from SAME_ZONE" doesn't exist, behavior shouldn't change and should stay accept. But if it does, then apply the policy. It could either follow the same syntax as from XX { firewall ... }, or be something more explicit to note the difference.
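The one-zone-per-segment workaround the description complains about, written out as VyOS 1.2 zone-policy configuration for two isolated LAN segments and one WAN. This is an added illustration, not configuration taken from the ticket or from the VyOS code base; the interface names eth0/eth1/eth2 and the rule-set names are assumed, and the last block shows the poster's proposed "from SAME_ZONE" form only as a sketch, not as an existing command.

```vyos
# Two isolated LAN segments plus one WAN, done the way 1.2 forces you to:
# one zone per LAN interface, with the WAN-facing policy repeated per zone.
# (Added illustration; interface and rule-set names are assumed.)

# Shared rule-sets, written once ...
set firewall name LAN-to-WAN default-action accept
set firewall name WAN-to-LAN default-action drop
set firewall name WAN-to-LAN rule 10 action accept
set firewall name WAN-to-LAN rule 10 state established enable
set firewall name WAN-to-LAN rule 10 state related enable

# ... but attached N times, once per LAN zone.
set zone-policy zone WAN interface eth0
set zone-policy zone WAN default-action drop

set zone-policy zone LAN1 interface eth1
set zone-policy zone LAN1 default-action drop
set zone-policy zone LAN1 from WAN firewall name WAN-to-LAN
set zone-policy zone WAN from LAN1 firewall name LAN-to-WAN

set zone-policy zone LAN2 interface eth2
set zone-policy zone LAN2 default-action drop
set zone-policy zone LAN2 from WAN firewall name WAN-to-LAN
set zone-policy zone WAN from LAN2 firewall name LAN-to-WAN

# Isolation between LAN1 and LAN2 is only implicit: LAN1 has no "from LAN2"
# (and vice versa), so the zone's default-action drop applies to that traffic.
# Every additional segment means another zone and two more "from" lines,
# and a forgotten "from" line on a new zone silently drops legitimate traffic.

# What the request asks for: a single LAN zone holding every segment, with
# intra-zone traffic subject to a policy instead of being always accepted.
# The "from SAME_ZONE" line is the poster's sketch, NOT a real 1.2 command:
#   set zone-policy zone LAN interface eth1
#   set zone-policy zone LAN interface eth2
#   set zone-policy zone LAN from WAN firewall name WAN-to-LAN
#   set zone-policy zone LAN from SAME_ZONE firewall name LAN-isolate
```

In the 1.2 model the two LAN zones are isolated only because no policy is attached between them, so the security property rests on an absence rather than an explicit rule; the requested intra-zone policy would let that isolation be stated once, on the LAN zone itself.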

Details

Difficulty level: Hard (possibly days)
Version: -
Why did the issue appear? Will be filled on close
Is it a breaking change? Unspecified (possibly destroys the router)

Event Timeline

syncer triaged this task as Wishlist priority. Aug 1 2017, 3:18 AM
syncer changed the edit policy from "Task Author" to "Custom Policy".
syncer added a project: VyOS 1.2 Crux.
syncer changed Difficulty level from Easy (less than an hour) to Hard (possibly days).
syncer set Version to -.
syncer edited subscribers, added: Maintainers, Active contributors, Community; removed: 246tnt.

We require feedback from the community on that!
@dmbaturin
@UnicronNL
@EwaldvanGeffen
Your input appreciated

syncer added a subscriber: syncer.

Design-wise this is the right choice. Other platforms have adopted this mantra. The only thing we need to think about is the default policy for intra-zone traffic (allow, drop, reject). My personal preference would be to set the default intra-zone policy to allow-all within the upgrade scripts, and otherwise drop for new configs.

Semi-related: Palo Alto has this hybrid inter/intra rule type; this would be the step up after intra-zone, but I'm not sure whether it's the right step. I think it could easily lead to not-so-secure firewalls, especially when you combine from zone-a, zone-c to zone-b, zone-c type rules. Although traditionally I prefer empowering the (power-)user over limiting their possibilities.

Universal
By default, this applies to all traffic between two zones, regardless of whether it is from the same zone or a different zone: the rule applies to all matching interzone and intrazone traffic in the specified source and destination zones.
For example, if creating a universal rule with source zones A and B and destination zones A and B, the rule would apply to all traffic within zone A, all traffic within zone B, all traffic from zone A to zone B, and all traffic from zone B to zone A.

from https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC

syncer changed the subtype of this task from "Task" to "Feature Request". Oct 20 2018, 7:02 AM

I hacked this into VyOS/Vyatta some 5 years ago: all it took was commenting out a snippet in Zone.pm and /opt/vyatta/share/vyatta-cfg/templates/zone-policy/zone/node.tag/from/node.def to prevent VyOS from complaining when creating a zonex_to_zonex chain.

It was very handy to achieve exactly what @246tnt described. I haven't looked at the 1.2 or 1.3 code to see if it's as easy to achieve there, but it would be great to see the feature upstream in the latest releases! :)

dmbaturin set Is it a breaking change? to Unspecified (possibly destroys the router).
n.fort claimed this task.