Issue: in cases where many (>100) VLANs are attached to a single interface, the number of firewall configuration entries can become very large, impacting performance on every commit and overall performance.
By default, when a zone is defined, traffic between interfaces that belong to that zone is permitted. In some cases, filtering that traffic is necessary.
For example:
- 200 VLANs under interface bond0
- Filtering from/to some networks for those VLANs is required.
- With the traditional (interface-based) firewall, 200 entries like "set interfaces bonding bond0 vif 10 firewall in name ABC" will be needed (just for the "in" direction).
- With the zone-based firewall, all of them could be attached to the same zone using "set zone-policy zone LAN interface bond0+", but all traffic between those VLANs will be permitted.
For now, this command is not supported (a policy from a zone to the same zone):
set zone-policy zone LAN from LAN firewall name INTERNAL_LAN
On a regular config, for example with 3 zones (MGMT with interface eth3, ETH2 with interface eth2, and LAN with all VLANs under bond0), the iptables rules generated for zone LAN look like this:
-A VZONE_LAN -i bond0+ -j RETURN
-A VZONE_LAN -i eth2 -j ETH2-to-LAN
-A VZONE_LAN -i eth2 -j RETURN
-A VZONE_LAN -i eth3 -j MGMT-to-LAN
-A VZONE_LAN -i eth3 -j RETURN
-A VZONE_LAN -j DROP
The first rule matches and returns, so the traffic is finally accepted and no filter is applied to traffic within the same zone.
Proposal:
- Allow the command. Example: "set zone-policy zone LAN from LAN firewall name INTERNAL_LAN"
- The user must then define the filtering and create the rules: "set firewall name INTERNAL_LAN"
- If both entries are present in the configuration, an entry needs to be added in iptables. In our example, that rule would be:
iptables -I VZONE_LAN 1 -i bond0+ -j INTERNAL_LAN
- Final result in iptables in our example:
-A VZONE_LAN -i bond0+ -j INTERNAL_LAN
-A VZONE_LAN -i bond0+ -j RETURN
-A VZONE_LAN -i eth2 -j ETH2-to-LAN
-A VZONE_LAN -i eth2 -j RETURN
-A VZONE_LAN -i eth3 -j MGMT-to-LAN
-A VZONE_LAN -i eth3 -j RETURN
-A VZONE_LAN -j DROP
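The rule ordering described above, as an added example (not VyOS code): a small POSIX sh generator that emits the VZONE chain for a zone, placing the intra-zone ruleset (when one is given) ahead of the RETURN rule that would otherwise accept the traffic. Zone, interface and ruleset names come from the example in this task; the function name and its argument format are assumptions.

```shell
#!/bin/sh
# vzone_rules ZONE "LOCAL_IFACES" "PEERS" [INTRA_FW]
#   ZONE         zone name, e.g. LAN (the chain becomes VZONE_LAN)
#   LOCAL_IFACES interfaces belonging to the zone, e.g. "bond0+"
#   PEERS        space-separated FROMZONE:IFACE entries for zones that have a
#                policy towards ZONE; their chain is named FROMZONE-to-ZONE
#   INTRA_FW     optional ruleset for traffic that stays inside the zone
# Prints one "-A VZONE_<zone> ..." rule per line, in evaluation order.
vzone_rules() {
    zone=$1; local_ifaces=$2; peers=$3; intra=${4:-}
    chain="VZONE_${zone}"

    # Proposed rule: filter intra-zone traffic before the RETURN rule below,
    # otherwise the RETURN matches first and the traffic is accepted unfiltered.
    if [ -n "$intra" ]; then
        for i in $local_ifaces; do
            printf '%s\n' "-A ${chain} -i ${i} -j ${intra}"
        done
    fi

    # Current behaviour: traffic arriving on the zone's own interfaces returns
    # to the caller and is accepted.
    for i in $local_ifaces; do
        printf '%s\n' "-A ${chain} -i ${i} -j RETURN"
    done

    # One jump + RETURN pair per peer zone with a policy towards this zone.
    for p in $peers; do
        from=${p%%:*}; iface=${p#*:}
        printf '%s\n' "-A ${chain} -i ${iface} -j ${from}-to-${zone}"
        printf '%s\n' "-A ${chain} -i ${iface} -j RETURN"
    done

    # Everything else is dropped.
    printf '%s\n' "-A ${chain} -j DROP"
}

# Example from this task: zone LAN on bond0+, peers ETH2 (eth2) and MGMT (eth3),
# with the proposed intra-zone ruleset INTERNAL_LAN.
vzone_rules LAN "bond0+" "ETH2:eth2 MGMT:eth3" INTERNAL_LAN
```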
A patch using the vyos-postconfig-bootup.script hook was used and tested in a lab.
Content of this script:
#!/bin/bash
# Workaround: insert the intra-zone filter rule at the top of the zone chain
# after VyOS has generated its own rules (run from vyos-postconfig-bootup.script).
LOG_FILE="/var/log/messages"
ZONE_NAME="VZONE_LAN"
FW_NAME="INTERNAL_LAN"
INTERFACE="bond0+"

# Match the chain definition line exactly (-N <chain>), so that a chain whose
# name merely contains the string does not give a false positive.
if iptables -S | grep -q "^-N ${ZONE_NAME}$"; then
    echo "Zone ${ZONE_NAME} present on iptables" >> "${LOG_FILE}"
    if iptables -S | grep -q "^-N ${FW_NAME}$"; then
        echo "Firewall rules ${FW_NAME} for intra zone ${ZONE_NAME} are present" >> "${LOG_FILE}"
        # Insert only once: iptables -C exits 0 when the rule already exists.
        if ! iptables -C "${ZONE_NAME}" -i "${INTERFACE}" -j "${FW_NAME}" 2>/dev/null; then
            echo "Execute postboot script" >> "${LOG_FILE}"
            iptables -I "${ZONE_NAME}" 1 -i "${INTERFACE}" -j "${FW_NAME}"
        fi
    else
        echo "ERROR - Firewall rules ${FW_NAME} removed from config" >> "${LOG_FILE}"
    fi
else
    echo "ERROR - Zone ${ZONE_NAME} not configured on VyOS. No config can be done" >> "${LOG_FILE}"
fi
exit 0