Virtual Router/ Firewall/ VPN

New Contributor
Posts: 2
Registered: 07-10-2015

vrouter 5600 applying local filter using zone-configuration

I'm trying to figure out how to apply a local-zone filter in a zone policy on the 5600. I want to filter the inbound traffic to the vyatta itself. On the 5400 that was accomplished by creating zone local on the interface, which does not seem to be possible on the 5600. I realize that I can still apply a local filter in an interface-based policy, but I would like to be able to filter via zone-based. I hope there is a distinction between local traffic and forwarded traffic per interface in zone configuration.

Visitor
Posts: 1
Registered: 08-31-2017

Re: vrouter 5600 applying local filter using zone-configuration

I am also interested in knowing the answer to this question. Is there a local-zone option for the 5600?

Any help would be appreciated.

New Contributor
Posts: 4
Registered: 02-09-2016

Re: vrouter 5600 applying local filter using zone-configuration

Hello, I ran into the same problem.

I opened a case with Brocade and they advised me that there is no "local-zone" pseudo-interface to assign to zone-policy. They told me that this behavior can be simulated by applying the zone-based firewall to the physical interfaces, and an interface firewall on the loopback interface. The firewall on the loopback interface filters everything that ingresses to AND egresses from the router. Here is an example:

set security zone-policy zone external default-action 'drop'
set security zone-policy zone external description 'Internet zone'
set security zone-policy zone external interface 'dp0bond1'
set security zone-policy zone external to internal firewall 'external-2-internal'
set security zone-policy zone external to ovpn firewall 'external-2-ovpn'


set security zone-policy zone internal default-action 'drop'
set security zone-policy zone internal description 'Private zone'
set security zone-policy zone internal interface 'dp0bond0'
set security zone-policy zone internal to external firewall 'internal-2-external'
set security zone-policy zone internal to ovpn firewall 'internal-2-ovpn'


set security zone-policy zone ovpn default-action 'drop'
set security zone-policy zone ovpn description 'OpenVPN'
set security zone-policy zone ovpn interface 'vtun0'
set security zone-policy zone ovpn to external firewall 'ovpn-2-external'
set security zone-policy zone ovpn to internal firewall 'ovpn-2-internal'

set interfaces loopback lo firewall local 'Local'

set security firewall name ovpn-2-external default-action accept

set security firewall name ovpn-2-internal default-action accept

set security firewall name external-2-ovpn default-action accept

set security firewall name external-2-internal default-action accept

set security firewall name internal-2-external default-action accept

set security firewall name internal-2-ovpn default-action accept

set security firewall name Local default-action 'drop'
set security firewall name Local 'default-log'
set security firewall name Local rule 10 action 'accept'
set security firewall name Local rule 10 description 'RIP'

... and any other rules you might like. An example file is at the path "/opt/vyatta/etc/cpp.conf" (Vyatta 5600 17.2.0).
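
Because the "simulated local-zone" in the reply above is really two separate pieces of configuration (zone-policy on the physical interfaces plus a `firewall local` on `lo`) that only reference each other by firewall name, the classic mistake is a dangling or misspelled name, which leaves router-destined traffic unfiltered. The following Python script is an added example, not code from the thread or from Brocade: it parses pasted `set ...` lines of the shape shown above and checks the invariants the workaround depends on. The sample config is constructed here, modelled on the reply's example, and the checks it applies (every referenced firewall must be defined, every zone needs an interface and a drop default, `lo` must carry a defined local firewall whose default-action is drop) are this example's own assumptions about what a sound config looks like.

```python
"""Audit a Vyatta 5600 zone-policy plus loopback 'firewall local' config.

Added example (not from the thread). Reads 'set ...' lines, builds a small
model of zones / firewalls / the loopback local filter, and reports the
structural problems that would silently leave router-destined traffic
unfiltered (undefined firewall names, missing interfaces, non-drop defaults).
"""
import shlex
from collections import defaultdict

# Constructed sample, modelled on the configuration posted in the thread.
SAMPLE_CONFIG = """
set security zone-policy zone external default-action 'drop'
set security zone-policy zone external description 'Internet zone'
set security zone-policy zone external interface 'dp0bond1'
set security zone-policy zone external to internal firewall 'external-2-internal'
set security zone-policy zone internal default-action 'drop'
set security zone-policy zone internal description 'Private zone'
set security zone-policy zone internal interface 'dp0bond0'
set security zone-policy zone internal to external firewall 'internal-2-external'
set interfaces loopback lo firewall local 'Local'
set security firewall name external-2-internal default-action accept
set security firewall name internal-2-external default-action accept
set security firewall name Local default-action 'drop'
set security firewall name Local 'default-log'
set security firewall name Local rule 10 action 'accept'
set security firewall name Local rule 10 description 'RIP'
"""

# Same config with a typo in the loopback reference ('local' vs 'Local'):
# the firewall it points at is never defined.  Constructed for the check.
BROKEN_CONFIG = SAMPLE_CONFIG.replace("firewall local 'Local'", "firewall local 'local'")


def parse_set_lines(text):
    """Return one token list per 'set ...' line, with the quotes stripped."""
    cmds = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set "):
            cmds.append(shlex.split(line)[1:])  # drop the leading 'set'
    return cmds


def build_model(cmds):
    """Collect zones, firewalls and the loopback local-firewall reference."""
    model = {
        "zones": defaultdict(lambda: {"interfaces": [], "default": None, "to": {}}),
        "firewalls": defaultdict(lambda: {"default": None, "rules": set()}),
        "lo_local": None,
    }
    for t in cmds:
        if t[:3] == ["security", "zone-policy", "zone"] and len(t) >= 6:
            zone = model["zones"][t[3]]
            if t[4] == "default-action":
                zone["default"] = t[5]
            elif t[4] == "interface":
                zone["interfaces"].append(t[5])
            elif t[4] == "to" and len(t) >= 8 and t[6] == "firewall":
                zone["to"][t[5]] = t[7]          # peer zone -> firewall name
        elif t[:3] == ["security", "firewall", "name"] and len(t) >= 5:
            fw = model["firewalls"][t[3]]        # defining a firewall by name
            if t[4] == "default-action" and len(t) >= 6:
                fw["default"] = t[5]
            elif t[4] == "rule" and len(t) >= 6:
                fw["rules"].add(int(t[5]))
        elif t[:5] == ["interfaces", "loopback", "lo", "firewall", "local"] and len(t) >= 6:
            model["lo_local"] = t[5]
    return model


def check(model):
    """Return a list of human-readable problems; empty means the config passes."""
    problems = []
    defined = set(model["firewalls"])
    for name, zone in model["zones"].items():
        if not zone["interfaces"]:
            problems.append(f"zone {name}: no interface assigned")
        if zone["default"] != "drop":
            problems.append(f"zone {name}: default-action is {zone['default']!r}, expected drop")
        for peer, fw in zone["to"].items():
            if peer not in model["zones"]:
                problems.append(f"zone {name} -> {peer}: peer zone is not defined")
            if fw not in defined:
                problems.append(f"zone {name} -> {peer}: firewall {fw!r} is not defined")
    lo = model["lo_local"]
    if lo is None:
        problems.append("loopback lo: no 'firewall local' applied; traffic to the router itself is not filtered")
    elif lo not in defined:
        problems.append(f"loopback lo: local firewall {lo!r} is not defined")
    elif model["firewalls"][lo]["default"] != "drop":
        problems.append(f"local firewall {lo!r}: default-action should be drop")
    return problems


def audit(text):
    """Parse and check a block of 'set' lines in one call."""
    return check(build_model(parse_set_lines(text)))


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, audit(cfg) or "OK")
```

Paste the output of `show configuration commands` in place of the sample and run it before committing; the name check answers the "which firewall name" question directly, since the name after `firewall local` must match a `set security firewall name <name> ...` definition exactly, case included.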

Occasional Contributor
Posts: 9
Registered: 06-13-2016

Re: vrouter 5600 applying local filter using zone-configuration

@rcastril Thanks for clarifying "local-zone" from zone-policy in v5600 and how to handle it, but I am still unclear and want to understand the following issues.

1. Which firewall name should I use when creating "set interfaces loopback lo firewall local ?" based on the below-mentioned commands?

Assume these are v5400 configs:

set  zone-policy zone external default-action 'drop'
set  zone-policy zone external description 'Internet zone'
set  zone-policy zone external interface 'dp0bond1'
set  zone-policy zone external to internal firewall 'external-2-internal'
set  zone-policy zone external to ovpn firewall 'external-2-ovpn'


set  zone-policy zone internal default-action 'drop'
set  zone-policy zone internal description 'Private zone'
set  zone-policy zone internal interface 'dp0bond0'
set  zone-policy zone internal to external firewall 'internal-2-external'
set  zone-policy zone internal to ovpn firewall 'internal-2-ovpn'

set zone-policy zone internal  'local-zone'


set zone-policy zone ovpn default-action 'drop'
set zone-policy zone ovpn description 'OpenVPN'
set zone-policy zone ovpn interface 'vtun0'
set zone-policy zone ovpn to external firewall 'ovpn-2-external'
set zone-policy zone ovpn to internal firewall 'ovpn-2-internal'

2. Assume I am using a control plane policy, for example cpp.conf, on the loopback lo interface. Will it affect the cpp config if I apply this firewall local command?