fix(vrouter): ACL rules enforced on VyOS #258
Merged (+6 −14)
fix(vrouter): ACL rules are now enforced on VyOS
Description
We add a jump rule for each ingress/egress ruleset in the vrouter VyOS template so that the forward chain jumps traffic to the appropriate name chains that are already created. Note: using the forward chain is a limitation (does not protect the firewall, requires forwarding traffic across interfaces).
Before this fix, firewall (ACL) rules in the vrouter VyOS template were created, but added to a custom 'name' chain. Custom name chains are not used by default. "Custom firewall chains can be created, with commands set firewall ipv4 name .... In order to use such custom chain, a rule with action jump, and the appropriate target should be defined in a base chain."
https://docs.vyos.io/en/latest/configuration/firewall/ipv4.html
I think a re-write of the VyOS template that takes advantage of VyOS zone-based routing would be more efficient and intuitive to users, but would require modification of the vrouter app spec. This does not work (tried in https://github.com/nblair2/sceptre-phenix/tree/fix/vrouter-acl2). Zone-based rules are deny by default, so creating zones is all-or-nothing. The user would have to explicitly add an allow established/related rule to all zones.
Related Issue
resolves #257
Type of Change
Please select the type of change your pull request introduces:
Checklist
I have commented my code, particularly in hard-to-understand areas.
I have made corresponding changes to the documentation.
My changes generate no new warnings.
Additional Notes
N/A
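The defect this PR fixes (a 'name' chain that exists but is never jumped to from a base chain, so its rules never match) can be caught from the rendered configuration. The following is an added example, not part of the PR or the phenix project: it parses VyOS 1.4-style set commands and reports custom chains that are not reachable from the input/forward/output base chains. The chain name and interface in the sample config are constructed.

```python
# Constructed "before" state from the PR description: ACL rules live in a
# custom name chain, but nothing in a base chain jumps to it.
BEFORE = """
set firewall ipv4 name ACL-IN-eth1 default-action 'drop'
set firewall ipv4 name ACL-IN-eth1 rule 10 action 'accept'
set firewall ipv4 name ACL-IN-eth1 rule 10 protocol 'tcp'
set firewall ipv4 name ACL-IN-eth1 rule 10 destination port '22'
"""

# Constructed "after" state: the same chain plus the jump rule the PR adds
# to the forward base chain for traffic arriving on the ACL's interface.
AFTER = BEFORE + """
set firewall ipv4 forward filter rule 10 action 'jump'
set firewall ipv4 forward filter rule 10 jump-target 'ACL-IN-eth1'
set firewall ipv4 forward filter rule 10 inbound-interface name 'eth1'
"""

BASE_CHAINS = {"input", "forward", "output"}

def parse_chains(config: str):
    """Return (defined custom chains, jump edges {source chain: {targets}})."""
    defined, edges = set(), {}
    for line in config.splitlines():
        parts = line.strip().replace("'", "").split()
        if parts[:3] != ["set", "firewall", "ipv4"] or len(parts) < 5:
            continue
        if parts[3] == "name":                      # custom chain definition
            src = parts[4]
            defined.add(src)
        elif parts[3] in BASE_CHAINS and parts[4] == "filter":
            src = parts[3]                          # base chain rule
        else:
            continue
        if "jump-target" in parts:                  # chain-to-chain edge
            edges.setdefault(src, set()).add(parts[parts.index("jump-target") + 1])
    return defined, edges

def unreachable_chains(config: str) -> list[str]:
    """Custom chains that no base chain reaches, directly or via other jumps."""
    defined, edges = parse_chains(config)
    reachable, stack = set(), list(BASE_CHAINS)
    while stack:                                    # walk jump graph from base chains
        for target in edges.get(stack.pop(), ()):
            if target not in reachable:
                reachable.add(target)
                stack.append(target)
    return sorted(defined - reachable)

if __name__ == "__main__":
    print("before:", unreachable_chains(BEFORE))   # ['ACL-IN-eth1']
    print("after: ", unreachable_chains(AFTER))    # []
```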