Robert Thompson
VyOS FIREWALL CONFIGURATION 2
Contents
Post Installation
References
Post Installation
After the second network interface is added to the VM, drop into the configure interface
in the command line by typing configure. The first interface, eth0, should be the interface which
connects to the internet, as well as the interface which receives an address via DHCP. The
second interface, eth1, should be the internal facing interface which your isolated network will
communicate through; its address should be statically set to an unallocated address available on
your network. In this write-up, the address range used is the 192.168.112.0/24 range. We also
want the ssh service to be available from remote hosts into this system; running the command set
service ssh port 22 will start the SSH daemon and allow connections.
First, we need to set up NAT for packets traversing the firewall and route through
appropriately from the hosts behind the firewall to the public net.
The first command sets the eth0 interface as the outbound interface, routing traffic from the
internal network to the public network. The second command specifies which internal address
range is allowed to traverse that interface to the public network. The final command
specifies the interface associated with the rule as the translation address for the network.
Once NAT is configured, we will configure our firewall to be our internal DHCP server.
The first command starts the DHCP service on the system; the second command establishes the
system as the default router for the internal network (the 192.168.112.0/24 range is the eth1
(internal) interface in this example, and the 192.168.112.1 address is the address of the interface on
this machine). The third command establishes the system as the DHCP server for the internal
network. The fourth command sets the domain name for the internal network. The fifth
command sets the lease for each address to 24 hours; when the lease expires, the host will have
to request a new address from the DHCP server. The final command sets the scope of addresses
Next, we will configure DNS forwarding. The following commands will ensure that our
local DNS records do not cache results, and that all internal network DNS is resolved using
Now we need to set our firewall rules. Firewall rules are set up using a numeric system;
the lower-numbered rules are applied first. Under this logic, stricter rules should be given
higher numbers, so that if the prior rules do not apply to the type of traffic traversing the firewall,
the stricter ones act as a catch-all for all unwanted traffic.
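As an added illustration of this ordering (example code written for this edit, not part of the write-up): a small Python model of VyOS-style numbered rules, where the lowest-numbered match decides and the ruleset's default action behaves like rule 10,000, plus a check that reports rules a lower-numbered rule shadows. The ruleset, rule contents and addresses below are constructed for the example, not the write-up's own rules.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    protocol: str   # "tcp", "udp" or "icmp"
    src: str        # source IPv4 address
    dport: int = 0  # destination port; 0 for protocols without ports
@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # "accept" or "drop"
    protocol: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None     # None matches any destination port
    source: Optional[str] = None    # CIDR; None matches any source address

    def matches(self, pkt: Packet) -> bool:
        if (self.protocol is not None and self.protocol != pkt.protocol) or \
           (self.dport is not None and self.dport != pkt.dport):
            return False
        return self.source is None or \
            ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.source)

    def covers(self, other: "Rule") -> bool:
        # True when every packet `other` could match is already matched by `self`.
        proto_ok = self.protocol is None or self.protocol == other.protocol
        port_ok = self.dport is None or self.dport == other.dport
        if self.source is None:
            src_ok = True
        elif other.source is None:
            src_ok = False  # `other` also matches sources outside `self`'s network
        else:
            src_ok = ipaddress.ip_network(other.source).subnet_of(ipaddress.ip_network(self.source))
        return proto_ok and port_ok and src_ok
def evaluate(rules, default_action: str, pkt: Packet):
    # First match in ascending rule order decides; the default action acts like rule 10000.
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt):
            return rule.number, rule.action
    return 10000, default_action
def shadowed_rules(rules):
    # Rule numbers that can never fire because a lower-numbered rule covers them.
    ordered = sorted(rules, key=lambda r: r.number)
    return [r.number for i, r in enumerate(ordered) if any(e.covers(r) for e in ordered[:i])]
# Constructed ruleset for this example (not the write-up's own rules): default drop,
# SSH to the firewall only from the internal 192.168.112.0/24 range, ICMP from anywhere.
LOCAL_RULES = [Rule(10, "accept", protocol="tcp", dport=22, source="192.168.112.0/24"),
               Rule(20, "accept", protocol="icmp")]
```

Adding a catch-all `Rule(5, "drop")` to this set makes `shadowed_rules` report rules 10 and 20, which is exactly the misordering the numbering scheme is meant to avoid.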
The first ruleset we will set up will be labeled OUTSIDE-IN; these rules will apply to packets
destined to traverse the VyOS system. The default action in Vyatta-based systems is equivalent
to rule 10,000. The following will allow connections to the protected systems from the outside:
The second ruleset will be labeled OUTSIDE-LOCAL; these rules will apply to packets destined
for the VyOS system itself. The default action is set to drop all packets; rule 10 will be set to
Rules 30 and 31 will define that TCP connections over port 20 over SSH will be permitted, but
Finally, we will apply the new firewall policies and exit the configure interface:
Testing Connectivity
With a Xubuntu client VM on the same VLAN as the Inside-NIC on the VyOS system,
we received a DHCP address from our system and have successfully connected out to the
internet.