Virtual Router/ Firewall/ VPN

New Contributor
Posts: 2
Registered: ‎07-10-2015

vrouter 5600 applying local filter using zone-configuration

I'm trying to figure out how to apply a local-zone filter in a zone policy on the 5600. I want to filter the inbound traffic to the vyatta itself. On the 5400 that was accomplished by creating zone local on the interface, which does not seem to be possible on the 5600. I realize that I can still apply a local filter in an interface-based policy, but I would like to be able to filter via zone-based. I hope there is a distinction between local traffic and forwarded traffic per interface in zone configuration.

Visitor
Posts: 1
Registered: ‎08-31-2017

Re: vrouter 5600 applying local filter using zone-configuration

I am also interested in knowing the answer to this question. Is there a local-zone option for the 5600?

Any help would be appreciated.

New Contributor
Posts: 4
Registered: ‎02-09-2016

Re: vrouter 5600 applying local filter using zone-configuration

Hello, I ran into the same problem.

I opened a case with Brocade and they advised me that there is no "local-zone" pseudo interface to assign to zone-policy. They said that this behavior can be simulated by applying zone-based firewall to physical interfaces, and an interface firewall on the loopback interface. The firewall on the loopback interface filters everything that ingresses AND egresses the router. Here is an example:

set security zone-policy zone external default-action 'drop'
set security zone-policy zone external description 'Internet zone'
set security zone-policy zone external interface 'dp0bond1'
set security zone-policy zone external to internal firewall 'external-2-internal'
set security zone-policy zone external to ovpn firewall 'external-2-ovpn'


set security zone-policy zone internal default-action 'drop'
set security zone-policy zone internal description 'Private zone'
set security zone-policy zone internal interface 'dp0bond0'
set security zone-policy zone internal to external firewall 'internal-2-external'
set security zone-policy zone internal to ovpn firewall 'internal-2-ovpn'


set security zone-policy zone ovpn default-action 'drop'
set security zone-policy zone ovpn description 'OpenVPN'
set security zone-policy zone ovpn interface 'vtun0'
set security zone-policy zone ovpn to external firewall 'ovpn-2-external'
set security zone-policy zone ovpn to internal firewall 'ovpn-2-internal'

set interfaces loopback lo firewall local 'Local'

set security firewall name ovpn-2-external default-action accept
set security firewall name ovpn-2-internal default-action accept

set security firewall name external-2-ovpn default-action accept
set security firewall name external-2-internal default-action accept

set security firewall name internal-2-external default-action accept
set security firewall name internal-2-ovpn default-action accept

set security firewall name Local default-action 'drop'
set security firewall name Local 'default-log'
set security firewall name Local rule 10 action 'accept'
set security firewall name Local rule 10 description 'RIP'

... any other rules you might like. An example file is at "/opt/vyatta/etc/cpp.conf" (Vyatta 5600 17.2.0).
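An offline sanity check for the approach in the reply above (an added example, not code from the thread or from Brocade): it parses `set` lines in the syntax the reply uses and reports zone pairs with no explicit policy, firewall names that are referenced but never defined, a missing loopback `firewall local`, and named firewalls that are `default-action accept` with no rules, which in the posted example is every inter-zone policy until rules are added. The sample config is constructed and deliberately cut down from the reply so that each check fires.

```python
import re
# Constructed sample, cut down from the reply above: the 'internal to ovpn'
# policy is omitted and 'ovpn-2-internal' is referenced but never defined.
SAMPLE = """\
set security zone-policy zone external default-action 'drop'
set security zone-policy zone external to internal firewall 'external-2-internal'
set security zone-policy zone external to ovpn firewall 'external-2-ovpn'
set security zone-policy zone internal default-action 'drop'
set security zone-policy zone internal to external firewall 'internal-2-external'
set security zone-policy zone ovpn default-action 'drop'
set security zone-policy zone ovpn to external firewall 'ovpn-2-external'
set security zone-policy zone ovpn to internal firewall 'ovpn-2-internal'
set interfaces loopback lo firewall local 'Local'
set security firewall name external-2-internal default-action accept
set security firewall name external-2-ovpn default-action accept
set security firewall name internal-2-external default-action accept
set security firewall name ovpn-2-external default-action accept
set security firewall name Local default-action 'drop'
set security firewall name Local rule 10 action 'accept'
"""
ZONE = re.compile(r"^set security zone-policy zone (\S+)")
PAIR = re.compile(r"^set security zone-policy zone (\S+) to (\S+) firewall '?([^']+)'?$")
LOCAL = re.compile(r"^set interfaces loopback lo firewall local '?([^']+)'?$")
FW = re.compile(r"^set security firewall name (\S+) default-action '?(\w+)'?$")
RULE = re.compile(r"^set security firewall name (\S+) rule \d+ ")

def lint(config):
    """Return a list of findings for a 5600-style zone-policy config."""
    zones, refs, defaults, with_rules = set(), [], {}, set()
    for line in (l.strip() for l in config.splitlines()):
        if m := ZONE.match(line): zones.add(m.group(1))
        if m := PAIR.match(line): refs.append((f"{m.group(1)} -> {m.group(2)}", m.group(3)))
        if m := LOCAL.match(line): refs.append(("loopback local", m.group(1)))
        if m := FW.match(line): defaults[m.group(1)] = m.group(2)
        if m := RULE.match(line): with_rules.add(m.group(1))
    findings = []
    covered = {label for label, _ in refs}
    for a in sorted(zones):  # every ordered zone pair needs an explicit policy
        for b in sorted(zones):
            if a != b and f"{a} -> {b}" not in covered:
                findings.append(f"no policy for {a} -> {b}: zone default-action applies")
    if "loopback local" not in covered:
        findings.append("no 'firewall local' on loopback: router-bound traffic is unfiltered")
    for label, name in refs:  # references must resolve and should not be wide open
        if name not in defaults:
            findings.append(f"{label} references undefined firewall '{name}'")
        elif defaults[name] == "accept" and name not in with_rules:
            findings.append(f"'{name}' ({label}) is default-action accept with no rules")
    return findings
```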
