FiOS “Three-Router” with VyOS and ESXi, Part 6: Firewall
Before we allow other hosts on our network to connect to the Internet through our primary router, let’s put up some firewall rules to protect our network.
Here is a basic firewall configuration (run these commands in configuration mode):
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
Let’s create a firewall rule set for traffic arriving from the Internet. By default, we’re going to drop that traffic unless another rule allows it.
vyos@primary-router:~# set firewall name FROM-EXTERNAL
vyos@primary-router:~# set firewall name FROM-EXTERNAL default-action drop
Our first rule will allow return traffic for connections that were already established (or are related to one) by clients on our internal network.
vyos@primary-router:~# set firewall name FROM-EXTERNAL rule 10 action accept
vyos@primary-router:~# set firewall name FROM-EXTERNAL rule 10 state established enable
vyos@primary-router:~# set firewall name FROM-EXTERNAL rule 10 state related enable
Next, we’ll create a rule set for traffic moving between our LANs. We’ll accept this by default, since (presumably) all of the hosts on our home networks are trusted.
vyos@primary-router:~# set firewall name LAN-TO-LAN
vyos@primary-router:~# set firewall name LAN-TO-LAN default-action accept
Finally, we need a rule set for traffic that is destined for the router itself, such as management connections. As with FROM-EXTERNAL, it drops by default and accepts only established and related traffic.
vyos@primary-router:~# set firewall name TO-ROUTER default-action drop
vyos@primary-router:~# set firewall name TO-ROUTER rule 10 action accept
vyos@primary-router:~# set firewall name TO-ROUTER rule 10 log disable
vyos@primary-router:~# set firewall name TO-ROUTER rule 10 state established enable
vyos@primary-router:~# set firewall name TO-ROUTER rule 10 state related enable
We should also allow a few ICMP types to reach the router: Destination Unreachable (type 3), Echo Request (type 8) and Time Exceeded (type 11):
vyos@primary-router:~# set firewall name TO-ROUTER rule 30 action accept
vyos@primary-router:~# set firewall name TO-ROUTER rule 30 icmp type 3
vyos@primary-router:~# set firewall name TO-ROUTER rule 30 log disable
vyos@primary-router:~# set firewall name TO-ROUTER rule 30 protocol icmp
vyos@primary-router:~# set firewall name TO-ROUTER rule 32 action accept
vyos@primary-router:~# set firewall name TO-ROUTER rule 32 icmp type 8
vyos@primary-router:~# set firewall name TO-ROUTER rule 32 log disable
vyos@primary-router:~# set firewall name TO-ROUTER rule 32 protocol icmp
vyos@primary-router:~# set firewall name TO-ROUTER rule 34 action accept
vyos@primary-router:~# set firewall name TO-ROUTER rule 34 icmp type 11
vyos@primary-router:~# set firewall name TO-ROUTER rule 34 log disable
vyos@primary-router:~# set firewall name TO-ROUTER rule 34 protocol icmp
Now that our rule sets are configured, we can assign them to interfaces. Remember that eth0 faces the public Internet, so we want traffic arriving there to be filtered through the FROM-EXTERNAL rule set (the "in" hook, for traffic forwarded through the router) and traffic addressed to the router itself to be filtered through TO-ROUTER (the "local" hook).
vyos@primary-router:~# set interfaces ethernet eth0 firewall in name FROM-EXTERNAL
vyos@primary-router:~# set interfaces ethernet eth0 firewall local name TO-ROUTER
vyos@primary-router:~# set interfaces ethernet eth1 firewall in name LAN-TO-LAN
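To check that the policy built above does what we intend before exposing hosts behind it, here is a small model of these three rule sets and their interface assignments. This is an added example written for this post, not VyOS code: it reproduces the first-match-by-rule-number evaluation of a VyOS firewall name (rules checked in ascending order, default-action when none matches) and runs a few constructed sample packets through it. The packet dictionaries, the `decide` helper and the `WALKTHROUGH` list are assumptions of the example, not VyOS configuration.

```python
"""Model of the FROM-EXTERNAL, LAN-TO-LAN and TO-ROUTER rule sets (added example).

Semantics mirrored from VyOS: within a firewall name, rules are evaluated in
ascending rule-number order, the first rule whose criteria all match decides,
and default-action applies when nothing matches.  The packets and conntrack
states below are constructed sample values for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Rule:
    number: int
    action: str
    protocol: Optional[str] = None      # e.g. "icmp"; None matches any protocol
    icmp_type: Optional[int] = None     # ICMP type to match when protocol is icmp
    states: frozenset = frozenset()     # non-empty => packet state must be one of these


@dataclass
class RuleSet:
    name: str
    default_action: str
    rules: list = field(default_factory=list)

    def evaluate(self, pkt):
        """Return (action, matching rule number or None) for one packet."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.protocol is not None and rule.protocol != pkt["protocol"]:
                continue
            if rule.icmp_type is not None and pkt.get("icmp_type") != rule.icmp_type:
                continue
            if rule.states and pkt["state"] not in rule.states:
                continue
            return rule.action, rule.number
        return self.default_action, None


# The three rule sets exactly as built in this post.
FROM_EXTERNAL = RuleSet("FROM-EXTERNAL", "drop", [
    Rule(10, "accept", states=frozenset({"established", "related"})),
])
LAN_TO_LAN = RuleSet("LAN-TO-LAN", "accept")
TO_ROUTER = RuleSet("TO-ROUTER", "drop", [
    Rule(10, "accept", states=frozenset({"established", "related"})),
    Rule(30, "accept", protocol="icmp", icmp_type=3),   # destination unreachable
    Rule(32, "accept", protocol="icmp", icmp_type=8),   # echo request
    Rule(34, "accept", protocol="icmp", icmp_type=11),  # time exceeded
])

# (interface, hook) -> rule set, mirroring the "set interfaces ... firewall" lines.
# "in" filters traffic forwarded through the router, "local" traffic addressed to it.
ASSIGNMENTS = {
    ("eth0", "in"): FROM_EXTERNAL,
    ("eth0", "local"): TO_ROUTER,
    ("eth1", "in"): LAN_TO_LAN,
}


def decide(interface, hook, pkt):
    """Decision for a packet on a given interface/hook.  An interface/hook pair
    with no rule set assigned (e.g. eth1 local) is unfiltered and accepts."""
    rs = ASSIGNMENTS.get((interface, hook))
    if rs is None:
        return "accept", None
    return rs.evaluate(pkt)


# Constructed sample packets: what we expect the policy to do with each.
WALKTHROUGH = [
    ("eth0", "in",    {"protocol": "tcp", "state": "new"}),          # unsolicited inbound
    ("eth0", "in",    {"protocol": "tcp", "state": "established"}),  # reply to a LAN client
    ("eth0", "local", {"protocol": "icmp", "icmp_type": 8, "state": "new"}),   # ping the router
    ("eth0", "local", {"protocol": "icmp", "icmp_type": 5, "state": "new"}),   # ICMP redirect
    ("eth0", "local", {"protocol": "tcp", "state": "new"}),         # management from Internet
    ("eth1", "in",    {"protocol": "udp", "state": "new"}),          # LAN to LAN
    ("eth1", "local", {"protocol": "tcp", "state": "new"}),          # management from LAN
]


def run_walkthrough():
    """Evaluate every sample packet; returns a list of (interface, hook, action, rule)."""
    results = []
    for iface, hook, pkt in WALKTHROUGH:
        action, rule = decide(iface, hook, pkt)
        results.append((iface, hook, action, rule))
        print(f"{iface}/{hook:<5} {pkt} -> {action} (rule {rule})")
    return results


if __name__ == "__main__":
    run_walkthrough()
```

The last sample packet is the one to notice: because no "local" rule set is assigned on eth1, management connections from the LAN reach the router unfiltered, which is what lets you keep administering it after the commit while eth0 only admits established, related and the three ICMP types.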
Finally, commit and save your changes.
vyos@primary-router:~# commit
vyos@primary-router:~# save