Page MenuHomeVyOS Platform

Zone based Firewall - Filter traffic in same zone
Closed, ResolvedPublicFEATURE REQUEST

Description

Issue: in cases where multiple (>100) VLANs are attached to single interface, firewall configuration entries may be a lot, impacting performance on every commit and in global performance.

By default, when defining a zone, traffic between interfaces that belongs to that zone, is permitted. In same cases, filtering traffic would be necessary.
For example:

  • 200 Vlans under interface bond0
  • Filtering from/to some networks for those vlans is required.
  • With traditional firewall, 200 entries like "set interface bonding bond0 vif 10 firewall in name ABC" will be needed (just for in)
  • With zone based firewall, all entries could be attached to same zone using "set zone-policy zone LAN interface bond0+", but all traffic through those vlans will be permitted.

For now, this command is not supported (from zone to same zone):

set zone-policy zone LAN from LAN firewall name INTERNAL_LAN

On a regular config, for example with 3 zones (MGMT with eth3 interface, ETH2 with eth2 interface, and LAN with all vlans under bond0), iptables rules generated for zone LAN looks like this:

-A VZONE_LAN -i bond0+ -j RETURN
-A VZONE_LAN -i eth2 -j ETH2-to-LAN
-A VZONE_LAN -i eth2 -j RETURN
-A VZONE_LAN -i eth3 -j MGMT-to-LAN
-A VZONE_LAN -i eth3 -j RETURN
-A VZONE_LAN -j DROP

First rule will return, and finally traffic will be accepted, and no filter is applied in traffic within same zone.

Proposal:

  • Allow command: Example -> "set zone-policy zone LAN from LAN firewall name INTERNAL_LAN"
  • Then, user must define filtering and create rules: -> "set firewall name INTERNAL_NAME"
  • If both entries are present in configuration, an entry in iptables need to be added. In our example, that rule would be:
iptables -I VZONE_LAN 1 -i bond0+ -j  INTERNAL_LAN
  • Final result in iptables in our example:
-A VZONE_LAN -i bond0+ -j  INTERNAL_LAN 
-A VZONE_LAN -i bond0+ -j RETURN
-A VZONE_LAN -i eth2 -j ETH2-to-LAN
-A VZONE_LAN -i eth2 -j RETURN
-A VZONE_LAN -i eth3 -j MGMT-to-LAN
-A VZONE_LAN -i eth3 -j RETURN
-A VZONE_LAN -j DROP

A patch using post vyos-postconfig-bootup.scrip was used and tested in lab.
Content of this script:

#! /bin/bash

LOG_FILE="/var/log/messages"
ZONE_NAME="VZONE_LAN"
FW_NAME="INTERNAL_LAN"
INTERFACE="bond0+"

if iptables -S | grep -q ${ZONE_NAME} ; then
    echo "Zone $ZONE_NAME present on iptables" >> $LOG_FILE
    if iptables -S | grep -q ${FW_NAME} ; then
        echo "Firewall rules $FW_NAME for intra zone $ZONE_NAME is present" >> $LOG_FILE
        echo "Execute postboot script" >> $LOG_FILE
        iptables -I $ZONE_NAME 1 -i $INTERFACE -j  $FW_NAME
    else
        echo "ERROR - Firewall rules $FW_NAME removed from config" >> $LOG_FILE
    fi
else
    echo "ERROR - Zone $ZONE_NAME not configured on VyOS. No config can be done" >> $LOG_FILE
fi
exit

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Unspecified (please specify)

Event Timeline

n.fort created this object in space S1 VyOS Public.
Viacheslav changed the subtype of this task from "Task" to "Feature Request".Sep 29 2021, 6:52 PM

This entries:

set zone-policy zone LAN description "LAN Zone"
set zone-policy zone LAN default-action drop
set zone-policy zone LAN interface eth1
set zone-policy zone LAN interface eth2
set zone-policy zone LAN interface eth3

Generates this iptables rules (ignore entry WANtoLAN, since we focus on intrazone policy):

-A FORWARD -o eth1 -j VZONE_LAN
-A FORWARD -o eth2 -j VZONE_LAN
-A FORWARD -o eth3 -j VZONE_LAN
...
-A VZONE_LAN -i eth3 -j RETURN
-A VZONE_LAN -i eth2 -j RETURN
-A VZONE_LAN -i eth1 -j RETURN
-A VZONE_LAN -i eth0 -j WANtoLAN
-A VZONE_LAN -i eth0 -j RETURN

So, in future, it would be good to choose what to do for intrazone traffic:

  • Permit
  • Drop
  • Custom

For example, while defining the policy:

[email protected]# set zone-policy zone LAN 
Possible completions:
   default-action
                Default-action for traffic coming into this zone
   description  Zone description
+> from         Zone from which to filter traffic
+  interface    Interface associated with zone
   local-zone   Zone to be local-zone
   intra-zone-filtering
                Default-action for traffic coming into this zone

[email protected]# set zone-policy zone LAN intra-zone-filtering
Possible completions:
   permit
   drop
+> firewall       Firewall options
[email protected]# set zone-policy zone LAN intra-zone-filtering firewall
Possible completions:
   ipv6-name    IPv6 firewall ruleset
   name         IPv4 firewall ruleset

If "set zone-policy zone LAN intra-zone-filtering accept", original iptables ruleset should be created.

If "set zone-policy zone LAN intra-zone-filtering drop", iptables ruleset should look something like:

-A FORWARD -o eth1 -j VZONE_LAN
-A FORWARD -o eth2 -j VZONE_LAN
-A FORWARD -o eth3 -j VZONE_LAN
...
-A VZONE_LAN -i eth3 -j DROP
-A VZONE_LAN -i eth2 -j DROP
-A VZONE_LAN -i eth1 -j DROP
-A VZONE_LAN -i eth0 -j WANtoLAN
-A VZONE_LAN -i eth0 -j RETURN

And, if "set zone-policy zone LAN intra-zone-filtering firewall name CUSTOMLAN", something similar to this:

-A FORWARD -o eth1 -j VZONE_LAN
-A FORWARD -o eth2 -j VZONE_LAN
-A FORWARD -o eth3 -j VZONE_LAN
...
-A VZONE_LAN -i eth3 -j CUSTOMLAN
-A VZONE_LAN -i eth2 -j CUSTOMLAN
-A VZONE_LAN -i eth1 -j CUSTOMLAN
-A VZONE_LAN -i eth0 -j WANtoLAN
-A VZONE_LAN -i eth0 -j RETURN
...
-A CUSTOMLAN .... (custom rules)

Included this feature in the firewall/zone-policy rewrite: https://github.com/vyos/vyos-1x/pull/1033

Testing this feature in VyOS 1.4-rolling-202201100317 I'm getting some unexpected behavior.
Config:

# Zones config
set zone-policy zone LAN default-action 'drop'
set zone-policy zone LAN description 'LAN Zone'
set zone-policy zone LAN from WAN firewall name 'WANtoLAN'
set zone-policy zone LAN interface 'eth1'
set zone-policy zone LAN interface 'eth2'
set zone-policy zone LAN interface 'eth3'
set zone-policy zone LAN intra-zone-filtering firewall name 'intraLAN'
set zone-policy zone WAN default-action 'drop'
set zone-policy zone WAN description 'WAN Zone'
set zone-policy zone WAN from LAN firewall name 'LANtoWAN'
set zone-policy zone WAN interface 'eth0'

# Firewall Config
set firewall name LANtoWAN default-action 'drop'
set firewall name LANtoWAN description 'Traffic from LAN to WAN'
set firewall name LANtoWAN rule 10 action 'accept'
set firewall name LANtoWAN rule 10 description 'Accept traffic from LAN-1 to WAN'
set firewall name LANtoWAN rule 10 source address '10.1.1.0/24'
set firewall name WANtoLAN default-action 'drop'
set firewall name WANtoLAN description 'Traffic from WAN to LAN'
set firewall name WANtoLAN rule 10 action 'accept'
set firewall name WANtoLAN rule 10 description 'Accept traffic from WAN to LAN-3'
set firewall name WANtoLAN rule 10 destination address '10.3.3.0/24'
set firewall name intraLAN default-action 'accept'
set firewall name intraLAN description 'Intrazone LAN - Allow all and filter something'
set firewall name intraLAN rule 10 action 'drop'
set firewall name intraLAN rule 10 description 'Filter something in same zone'
set firewall name intraLAN rule 10 destination address '10.2.2.0/24'
set firewall name intraLAN rule 10 source address '10.1.1.0/24'
set firewall name intraLAN rule 20 action 'accept'
set firewall name intraLAN rule 20 destination address '10.3.3.0/24'
set firewall name intraLAN rule 20 source address '10.1.1.0/24'

Expected behavior regarding LAN intra-zone: allow all intra-zone traffic, and only drop when matching rule 10 criteria. Rule 20 was added just for counter purposes, since default-action for firewall name intraLAN is accept
But, this is the relevant config generated on nftables:

table ip filter {
	chain VYOS_FW_FORWARD {
		type filter hook forward priority filter; policy accept;
		oifname { "eth0" } counter packets 0 bytes 0 jump VZONE_WAN
		oifname { "eth1", "eth2", "eth3" } counter packets 6 bytes 504 jump VZONE_LAN
		jump VYOS_POST_FW

	chain VZONE_LAN {
		iifname { "eth1", "eth2", "eth3" } counter packets 6 bytes 504 jump intraLAN
		iifname { "eth0" } counter packets 0 bytes 0 jump WANtoLAN
		iifname { "eth0" } counter packets 0 bytes 0 return
		counter packets 6 bytes 504 drop
	}

	chain intraLAN {
		ip daddr 10.2.2.0/24 ip saddr 10.1.1.0/24 counter packets 0 bytes 0 drop comment "intraLAN-10"
		ip daddr 10.3.3.0/24 ip saddr 10.1.1.0/24 counter packets 5 bytes 420 return comment "intraLAN-20"
		counter packets 0 bytes 0 return comment "intraLAN default-action accept"
	}

So, problem is in "return" action on chain intraLAN. Since action is return (and not accept), all intra-zone is being filtered, because of general drop rule in chain VZONE_LAN

sdev changed the task status from Open to In progress.Jan 16 2022, 9:43 PM
sdev claimed this task.

Thanks, will include a fix in a PR shortly

Tested on VyOS 1.4-rolling-202201180317 and working as expected