-
Notifications
You must be signed in to change notification settings - Fork 351
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #1088 from Nephiaust/2023-FirewallUpdates
Updates to the firewall pages
- Loading branch information
Showing
7 changed files
with
98 additions
and
44 deletions.
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,24 +1,85 @@ | ||
| :lastproofread: 2023-09-17 | ||
|
|
||
| ######## | ||
| Firewall | ||
| ######## | ||
|
|
||
| Starting from VyOS 1.4-rolling-202308040557, a new firewall structure | ||
| can be found on all vyos installations. Documentation for most new firewall | ||
| cli can be found here: | ||
| .. attention:: | ||
| Starting from VyOS 1.4-rolling-202308040557, a new firewall structure | ||
| can be found on all vyos installations. | ||
|
|
||
| .. note:: | ||
| The legacy and zone-based firewall configuration options is not longer | ||
| supported. They are here for reference purposes only. | ||
|
|
||
| Netfilter based | ||
| ^^^^^^^^^^^^^^^ | ||
| .. toctree:: | ||
| :maxdepth: 1 | ||
| :includehidden: | ||
|
|
||
| general | ||
|
|
||
| Also, for those who haven't updated to newer version, legacy documentation is | ||
| still present and valid for all sagitta version prior to VyOS | ||
| 1.4-rolling-202308040557: | ||
| With VyOS being based on top of Linux and its kernel, the Netfilter project created | ||
| the iptables and now the successor nftables for the Linux kernel to work directly | ||
| on the data flows. This now extends the concept of zone-based security to allow | ||
| for manipulating the data at multiple stages once accepted by the network interface | ||
| and the driver before being handed off to the destination (e.g. a web server OR | ||
| another device). | ||
|
|
||
| To configure VyOS with the new :doc:`firewall configuration </configuration/firewall/general>` | ||
|
|
||
| The only stages VyOS will process as part of the firewall configuration is the | ||
| `forward` (F4 stage), `input` (L4 stage), and `output` (L5 stage). All the other | ||
| stages and steps are for reference and cant be manipulated through VyOS. | ||
|
|
||
| In this example image, a simplifed traffic flow is shown to help provide context | ||
| to the terms of `forward`, `input`, and `output` for the new firewall CLI format. | ||
|
|
||
| .. figure:: /_static/images/firewall-netfilter.png | ||
|
|
||
| .. note:: **For more information** | ||
| of Netfilter hooks and Linux networking packet flows can be | ||
| found in `Netfilter-Hooks | ||
| <https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks>`_ | ||
|
|
||
| Legacy Firewall | ||
| ^^^^^^^^^^^^^^^ | ||
| .. toctree:: | ||
| :maxdepth: 1 | ||
| :includehidden: | ||
|
|
||
| general-legacy | ||
|
|
||
| Traditionally firewalls weere configured with the concept of data going in and | ||
| out of an interface. The router just listened to the data flowing through and | ||
| responding as required if it was directed at the router itself. | ||
|
|
||
| To configure VyOS with the :doc:`legacy firewall configuration </configuration/firewall/general-legacy>` | ||
|
|
||
| As the example image below shows, the device was configured with rules blocking | ||
| inbound or outbound traffic on each interface. | ||
|
|
||
| .. figure:: /_static/images/firewall-traditional.png | ||
|
|
||
| Zone-based firewall | ||
| ^^^^^^^^^^^^^^^^^^^ | ||
| .. toctree:: | ||
| :maxdepth: 1 | ||
| :includehidden: | ||
|
|
||
| zone | ||
|
|
||
| With zone-based firewalls a new concept was implemented, in addtion to the standard | ||
| in and out traffic flows, a local flow was added. This local was for traffic | ||
| originating and destined to the router itself. Which means additional rules were | ||
| required to secure the firewall itself from the network, in addition to the existing | ||
| inbound and outbound rules from the traditional concept above. | ||
|
|
||
| To configure VyOS with the :doc:`zone-based firewall configuration </configuration/firewall/zone>` | ||
|
|
||
| As the example image below shows, the device now needs rules to allow/block traffic | ||
| to or from the services running on the device that have open connections on that | ||
| interface. | ||
|
|
||
| .. figure:: /_static/images/firewall-zonebased.png |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters