The Vyatta network appliance can be used as a firewall to protect Rackspace Cloud Server instances.
In this article you will see how interface-based firewalls can be configured on the Vyatta and applied on the Public interface for local traffic (terminating on the Vyatta) as well as for ingress traffic (traversing the appliance and destined to Cloud Servers).
For a comprehensive guide to configuring the Vyatta appliance as a firewall click here .
The Vyatta firewall features both IPv4 and IPv6 stateful packet inspection to intercept and inspect network activity and allow or deny the attempt. Vyatta's firewall functionality analyzes and filters IP packets between network interfaces. It allows you to filter packets based on their characteristics and perform actions on packets that match the rule. Vyatta system firewall functionality provides the following:
Vyatta’s advanced firewall capabilities include stateful failover, zone-based firewalling and time-based firewalling.
Firewalls filter packets on interfaces. There are two steps for using the firewall feature:
Once the instance is applied to the interface or zone, the rules in the instance begin filtering packets on that location.
There are two types of firewall, Interface-based firewall and zone-based firewall. If only one interface is being protected then interface-based firewall can serve your purpose. However, if more than one interface is being protected, then zone-based firewalls are recommended.
Rules are executed in sequence according to the rule number. If the traffic matches the characteristics specified by the rule, the rule's action is executed; if not, the system "falls through" to the next rule.
The action can be one of the following:
Once a firewall instance is defined it can be applied to an interface, where the instance acts as a packet filter. The firewall instance filters packets in one of the following ways, depending on what you specify when you apply the firewall instance:
A total of three firewall instances can be applied to an interface: one instance as an in filter, one instance as an out filter, and one instance as a local filter.
The following example shows a firewall rule set applied on a Public interface of the Vyatta. This rule set does the following:
1. Log onto the Vyatta Appliance using ssh:
Where X.X.X.X is the IP address of the Vyatta. You'll see a Welcome to Vyatta message and a prompt to enter your password.
Once you're logged onto the appliance, you can enter a ? or press the Tab key for help.
2. Enter configuration mode:
vyatta@vyatta: configure  vyatta@vyatta#
The # symbol indicates you're in configuration mode.
3. Make the firewall stateful (global configuration)
set firewall state-policy established action 'accept' set firewall state-policy related action 'accept'
4. Set the recommended global rules which will apply to all firewall protected interfaces. Anything global can be changed within the interface specific firewall rule
set firewall all-ping 'enable' set firewall broadcast-ping 'disable' set firewall ipv6-receive-redirects 'disable' set firewall ipv6-src-route 'disable' set firewall ip-src-route 'disable' set firewall log-martians 'enable' set firewall receive-redirects 'disable' set firewall send-redirects 'enable' set firewall source-validation 'disable' set firewall syn-cookies 'enable'
5. Start configuring firewall configuration for Public interface
edit firewall name protect-vyatta
Drop everything by default
set default-action 'drop'
Allow IKE and ESP traffic for IPsec
set rule 100 action 'accept' set rule 100 destination port '500' set rule 100 protocol 'udp' set rule 200 action 'accept' set rule 200 protocol 'esp'
Allow L2TP over IPsec
set rule 210 action 'accept' set rule 210 destination port '1701' set rule 210 ipsec 'match-ipsec' set rule 210 protocol 'udp'
Allow NAT traversal of IPsec
set rule 250 action 'accept' set rule 250 destination port '4500' set rule 250 protocol 'udp'
Deter ssh brute-force (only allow 3 new connections within 30 seconds)
set rule 300 action 'drop' set rule 300 destination port '22' set rule 300 protocol 'tcp' set rule 300 recent count '3' set rule 300 recent time '30' set rule 300 state new 'enable'
Allow all other ssh
set rule 310 action 'accept' set rule 310 destination port '22' set rule 310 protocol 'tcp'
set rule 900 action 'accept' set rule 900 description 'allow icmp' set rule 900 protocol 'icmp'
6. Apply locally on Public interface (eth0)
set interfaces ethernet eth0 firewall local name 'protect-vyatta'
7. Create and apply firewall ruleset 'in' (for traffic destined for cloud servers) on Public interface (eth0)
set firewall name untrusted default-action 'drop' set firewall name untrusted description 'deny traffic from internet' set interfaces ethernet eth0 firewall in name 'untrusted'
8. Commit and save the changes.
© 2011-2013 Rackspace US, Inc.
Except where otherwise noted, content on this site is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License