The article discusses effective techniques for configuring Vyatta border gateway pass-through filtering, emphasizing the importance of multi-layered security for any infrastructure. ZZ Servers uses the Vyatta router for its core routing devices, which support extensive filtering capabilities. The article focuses on the configuration needed to restrict access to, from, and through the router, particularly highlighting zone-based firewalling. This approach groups interfaces into security “zones” with the same security level, and filtering policies are applied to traffic flowing between these zones. The article also provides specific notes on configuring the router for zone-based firewalling and walks through the rule sets for each zone pair, from the router's own ingress and egress filters to the pass-through blocklists.
It is generally a best practice to include multiple layers of security for any infrastructure. Even if you are just routing packets, your routers are your outside perimeter and should include tools to restrict traffic to the device and the traffic that passes through.
This doesn’t mean the router should be your firewall; firewalls serve a different purpose, segmentation. A border router has only an outside and an inside, so it offers no real segmentation, but it is at the same time the best place to block a wide variety of traffic at a single point.
We here at ZZ Servers leverage the best technology for a situation and utilize the Vyatta router for our core routing devices (well, custom hardware but running Vyatta). There is extensive documentation on Vyatta filtering, but it is mainly focused on directly filtering traffic into and out of the router. The little there is on the traffic going “through” the device was focused on the Vyatta box in a small office or home environment performing NAT and other “gateway” services.
When your router is a border gateway vs a network gateway, the configuration is a little different and can be expanded to provide easy ways to block traffic.
The Vyatta documentation is exceptional and a great starting point for getting a new system online and configuring it as a NAT gateway, so I will focus only on the filtering configuration needed for restricting access to/from and through the router as it simply routes traffic between networks.
From the Vyatta firewall documentation, “The Vyatta firewall features IPv4/IPv6 stateful packet inspection to intercept and inspect network activity and allow or deny the attempt. Vyatta advanced firewall capabilities include stateful failover, zone and time-based firewalling, P2P filtering, and more.”
We will be working with the zone features for ingress and egress filters for traffic going through our border router. The Vyatta documentation best describes its approach to interface and “zone” filtering:
Ordinary firewall rule sets are applied on a per-interface basis to act as a packet filter for the interface. In zone-based firewall, interfaces are grouped into security “zones,” where each interface in the zone has the same security level.
Packet-filtering policies are applied to traffic flowing between zones. Traffic flowing between interfaces lying in the same zone is not filtered and flows freely, as the interfaces share the same security level.
When configuring the router for zone-based firewalling, the Vyatta documentation highlights a few constraints:
- An interface can be associated with only one zone.
- An interface belonging to a zone cannot have a per-interface firewall rule set applied and vice versa.
- Traffic between interfaces not belonging to any zone flows unfiltered and per-interface firewall rule sets can be applied to those interfaces.
- By default, all traffic to a zone is dropped unless explicitly allowed by a filtering policy for a from_zone.
- Filtering policies are unidirectional: they are defined as a “zone pair” defining the zone from which traffic is sourced (the from_zone) and the zone to which traffic is destined (the to_zone). In Figure 1-6, these unidirectional policies can be seen as follows:
- From Private to DMZ
- From Public to DMZ
- From Private to Public
- From DMZ to Public
- From Public to Private
- From DMZ to Private
The configuration used in the example presented in this post has a router with two interfaces, one “Internet” and the other “ZZ Servers” (or your inside; name yours as you will), with the Internet on eth0 and zzservers on eth1.
The network segments for this Vyatta configuration are then set to:
- ZZ Servers – The ZZ Servers public (internet) networks
- Internet – The Internet (outside ZZ Servers)
- Local – The local Vyatta router
With these segments, the vyatta zones will be configured as follows:
- Internet / Routed Network Traffic
- Internet -> ZZ Servers
- ZZ Servers -> Internet
- Traffic directly to or from the router
- Internet -> Local
- Local -> Internet
- ZZ Servers -> Local
- Local -> ZZ Servers
With the zones defined and the router configured, the steps needed to configure the filtering include:
- Define various groups used
- Set rules from the Internet directly to the router
- Set rules from router to Internet
- Set rules from ZZ Servers directly to the router
- Set rules from router to ZZ Servers
- Set rules for the Internet to ZZ Servers
- Set rules for ZZ Servers to Internet
The router's own ingress and egress rules (to and from the local zone) and the pass-through rules take opposite approaches: the direct rules allow only what is explicitly listed and then deny everything else, while the rules for traffic flowing between the Internet and ZZ Servers route (allow) all traffic by default and deny only what we specify.
The first step is to enter the Vyatta configuration mode and edit the firewall configuration, starting with the groups used in the rules.
The groups include:
- REJECT-SERVERS: Will contain a list of IP addresses blocked from passing through the router, in either direction, between ZZ Servers and the Internet.
- REJECT-NETWORKS: Will contain a list of network prefixes blocked from passing through, in either direction, between ZZ Servers and the Internet.
- REJECT-PORTS: Will contain a list of ports blocked from passing through, in either direction, between ZZ Servers and the Internet.
- SSH-FROM: Contains the list of IP addresses allowed to SSH to the device.
- SMB: Contains a list of ports used by SMB and related Windows broadcast traffic (to block and not log the annoying Microsoft broadcast noise). NOTE: this is only used on direct access to the device, not on traffic passing through between ZZ Servers and the Internet.
configure
edit firewall
# Rejected Servers Group
set group address-group REJECT-SERVERS description "Block IP List"
# Rejected Networks Group
set group network-group REJECT-NETWORKS description "Block Network List"
# Rejected Ports Group
set group port-group REJECT-PORTS description "Block Port List"
# SSH Allowed Hosts List
set group address-group SSH-FROM description "IPs allowed to SSH into router"
set group address-group SSH-FROM address <management ip 1>
set group address-group SSH-FROM address <management ip 2>
# SMB Ports to drop and not log
set group port-group SMB description "SMB ports to block and not log from ZZ Windows customers to local router"
# Port 67 is DHCP/BOOTP rather than SMB; it is in the group because it is equally noisy broadcast traffic
set group port-group SMB port 67
set group port-group SMB port 135
set group port-group SMB port 137
set group port-group SMB port 138
set group port-group SMB port 139
Now, with the groups defined, the next step is to set up the rules that filter traffic from the Internet directly to the router. The rule syntax looks similar to a Cisco configuration but differs significantly, because it sits on top of iptables, which has extensive capabilities beyond basic filtering that will not be explored here. Rules are evaluated in ascending rule-number order and the first match wins; if nothing matches, the rule set's default-action applies.
We will not be doing anything fancy with this configuration, only defining what is and is not allowed.
The rules for ingress and egress directly on the router are very similar in structure:
- Set default policy to Deny, dropping any unauthorized connection
- Allow established and related connections
- Drop all invalid states
- Drop and do not log SMB broadcasts
- Accept ICMP
- Accept VRRP
- Accept BGP
- Accept HEARTBEAT
- Accept SSH
- Deny and log everything else
BGP is a unicast TCP session to destination port 179. The peer that opens the session uses an ephemeral source port and destination port 179, so a rule matching destination port 179 admits peer-initiated sessions; replies to a session we opened ourselves arrive with source port 179, but they are already accepted by the established/related rule.
HEARTBEAT (Linux-HA) packets are UDP to destination port 694 and may be sent as broadcast, multicast or unicast depending on how the cluster is configured.
For both BGP and HEARTBEAT I have set up both source-port and destination-port rules. I have not tested every situation, so the source-port rules may not be needed, and feedback is welcome. One caveat worth stating plainly: a rule that matches only on source port accepts any packet whose sender chose that source port, regardless of the destination port. With the rules as written, a TCP packet sent with source port 179 (or a UDP packet with source port 694) from any address reaches any service on the router, which bypasses the SSH-FROM restriction on port 22. Since rule 1 already accepts the return traffic for sessions the router initiates, the source-port rules can be removed, and the destination-port 179 rule is best restricted to the addresses of your BGP peers.
# Default deny
set name internet-local default-action drop
# Accept established & related
set name internet-local rule 1 action accept
set name internet-local rule 1 state established enable
set name internet-local rule 1 state related enable
# Drop and log invalid states
set name internet-local rule 2 action drop
set name internet-local rule 2 log enable
set name internet-local rule 2 state invalid enable
# Drop and do not log customer SMB broadcasts (a port-group match requires a protocol)
set name internet-local rule 3 action drop
set name internet-local rule 3 log disable
set name internet-local rule 3 destination group port-group SMB
set name internet-local rule 3 protocol udp
# Allow inbound ICMP
set name internet-local rule 4 action accept
set name internet-local rule 4 protocol icmp
# Allow inbound VRRP
set name internet-local rule 5 action accept
set name internet-local rule 5 protocol vrrp
# Allow inbound BGP (sessions opened by a peer)
set name internet-local rule 6 action accept
set name internet-local rule 6 destination port 179
set name internet-local rule 6 protocol tcp
# Allow inbound BGP (replies to sessions we opened; note any TCP packet with source port 179 matches)
set name internet-local rule 7 action accept
set name internet-local rule 7 source port 179
set name internet-local rule 7 protocol tcp
# Allow inbound HEARTBEAT
set name internet-local rule 8 action accept
set name internet-local rule 8 destination port 694
set name internet-local rule 8 protocol udp
# Allow inbound HEARTBEAT (note any UDP packet with source port 694 matches)
set name internet-local rule 9 action accept
set name internet-local rule 9 source port 694
set name internet-local rule 9 protocol udp
# Allow inbound SSH from the management hosts only
set name internet-local rule 10 action accept
set name internet-local rule 10 log enable
set name internet-local rule 10 source group address-group SSH-FROM
set name internet-local rule 10 destination port 22
set name internet-local rule 10 protocol tcp
# Logging rule: drop and log everything else
set name internet-local rule 9999 action drop
set name internet-local rule 9999 log enable
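To see what the source-port rules actually admit, here is an added example (not part of the post, and not Vyatta code) that models the internet-local chain above as a first-match rule list in Python and evaluates a few packets against it, both as written and in a hardened variant that drops rules 7 and 9 and pins rule 6 to known BGP peers. The SSH-FROM members, the peer address and the probing host are constructed RFC 5737 documentation addresses, and the BGP-PEERS group in the hardened variant is an assumption of the example, not a group the post defines.

```python
"""First-match model of the post's internet-local chain (added example, not from the post)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed addresses (RFC 5737 ranges); SSH_FROM stands in for the post's SSH-FROM group.
SSH_FROM = frozenset({"198.51.100.10", "198.51.100.11"})
BGP_PEERS = frozenset({"203.0.113.1"})   # assumed extra group, not defined on the page
SMB_PORTS = frozenset({67, 135, 137, 138, 139})


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp", "udp", "icmp" or "vrrp"
    src: str                        # source IP address
    state: str = "new"              # conntrack state: new / established / related / invalid
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    number: int
    action: str                     # "accept" or "drop"
    proto: Optional[str] = None     # None matches any protocol; "tcp_udp" matches both
    states: Optional[FrozenSet[str]] = None
    src_ports: Optional[FrozenSet[int]] = None
    dst_ports: Optional[FrozenSet[int]] = None
    src_addrs: Optional[FrozenSet[str]] = None   # an address-group on the source

    def matches(self, p: Packet) -> bool:
        if self.proto is not None:
            if not (p.proto == self.proto or (self.proto == "tcp_udp" and p.proto in ("tcp", "udp"))):
                return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.src_ports is not None and p.src_port not in self.src_ports:
            return False
        if self.dst_ports is not None and p.dst_port not in self.dst_ports:
            return False
        if self.src_addrs is not None and p.src not in self.src_addrs:
            return False
        return True


def evaluate(rules: List[Rule], default_action: str, p: Packet) -> Tuple[str, Optional[int]]:
    """Lowest-numbered matching rule wins, as in the Vyatta/iptables chain; returns (action, rule)."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(p):
            return r.action, r.number
    return default_action, None


# The post's internet-local chain, transcribed rule for rule.
PAGE_RULES = [
    Rule(1, "accept", states=frozenset({"established", "related"})),
    Rule(2, "drop", states=frozenset({"invalid"})),
    Rule(3, "drop", proto="udp", dst_ports=SMB_PORTS),
    Rule(4, "accept", proto="icmp"),
    Rule(5, "accept", proto="vrrp"),
    Rule(6, "accept", proto="tcp", dst_ports=frozenset({179})),
    Rule(7, "accept", proto="tcp", src_ports=frozenset({179})),   # any TCP with source port 179
    Rule(8, "accept", proto="udp", dst_ports=frozenset({694})),
    Rule(9, "accept", proto="udp", src_ports=frozenset({694})),   # any UDP with source port 694
    Rule(10, "accept", proto="tcp", dst_ports=frozenset({22}), src_addrs=SSH_FROM),
    Rule(9999, "drop"),
]

# Hardened variant: no source-port rules (rule 1 already covers return traffic) and the
# BGP listener only reachable from the assumed BGP-PEERS group.
HARDENED_RULES = [r for r in PAGE_RULES if r.number not in (6, 7, 9)] + [
    Rule(6, "accept", proto="tcp", dst_ports=frozenset({179}), src_addrs=BGP_PEERS),
]


def ssh_from_unlisted_host(rules: List[Rule]) -> Tuple[str, Optional[int]]:
    """New TCP connection to port 22 from a host not in SSH-FROM that picked source port 179
    (trivial to do, e.g. nmap -g 179 or a raw socket)."""
    return evaluate(rules, "drop", Packet("tcp", src="192.0.2.99", src_port=179, dst_port=22))


def bgp_from_unlisted_host(rules: List[Rule]) -> Tuple[str, Optional[int]]:
    """New TCP connection to the BGP listener from a host that is not a configured peer."""
    return evaluate(rules, "drop", Packet("tcp", src="192.0.2.99", src_port=40000, dst_port=179))


def bgp_reply_from_peer(rules: List[Rule]) -> Tuple[str, Optional[int]]:
    """Reply to a session the router opened: source port 179, but conntrack says ESTABLISHED."""
    return evaluate(rules, "drop",
                    Packet("tcp", src="203.0.113.1", state="established", src_port=179, dst_port=40001))


if __name__ == "__main__":
    print("page rules, SSH probe with sport 179:", ssh_from_unlisted_host(PAGE_RULES))
    print("hardened,   SSH probe with sport 179:", ssh_from_unlisted_host(HARDENED_RULES))
    print("hardened,   BGP reply from our peer: ", bgp_reply_from_peer(HARDENED_RULES))
```

Against the chain as posted, the SSH probe is accepted by rule 7 before rule 10 ever sees it; the hardened chain drops it at 9999 while the peer's reply to a router-initiated BGP session still passes through rule 1. The same analysis applies to the zzservers-local chain below, which has the identical source-port rules.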
The router-to-Internet egress filters are similar but add rules for outbound upgrades, DNS, and NTP, all of which could use address groups for tighter filters (for example, only the resolvers and time servers the router actually uses).
- Set default policy to Deny, dropping any unauthorized connection.
- Allow established and related connections
- Drop all invalid states
- Accept ICMP
- Accept VRRP
- Accept BGP
- Accept HEARTBEAT
- Accept DNS
- Accept NTP
- Upgrade rules
- Deny and log everything else
# Default deny
set name local-internet default-action drop
# Accept established & related
set name local-internet rule 1 action accept
set name local-internet rule 1 state established enable
set name local-internet rule 1 state related enable
# Drop and log invalid states
set name local-internet rule 2 action drop
set name local-internet rule 2 log enable
set name local-internet rule 2 state invalid enable
# Allow outbound ICMP
set name local-internet rule 4 action accept
set name local-internet rule 4 protocol icmp
# Allow outbound VRRP
set name local-internet rule 5 action accept
set name local-internet rule 5 protocol vrrp
# Allow outbound BGP (sessions we open towards a peer)
set name local-internet rule 6 action accept
set name local-internet rule 6 destination port 179
set name local-internet rule 6 protocol tcp
# Allow outbound BGP (replies from our listener; any TCP packet with source port 179 matches)
set name local-internet rule 7 action accept
set name local-internet rule 7 source port 179
set name local-internet rule 7 protocol tcp
# Allow outbound HEARTBEAT
set name local-internet rule 8 action accept
set name local-internet rule 8 destination port 694
set name local-internet rule 8 protocol udp
# Allow outbound HEARTBEAT (any UDP packet with source port 694 matches)
set name local-internet rule 9 action accept
set name local-internet rule 9 source port 694
set name local-internet rule 9 protocol udp
# Accept outbound DNS requests
set name local-internet rule 10 action accept
set name local-internet rule 10 destination port 53
set name local-internet rule 10 protocol tcp_udp
# Accept outbound NTP
set name local-internet rule 15 action accept
set name local-internet rule 15 destination port 123
set name local-internet rule 15 protocol tcp_udp
# Allow upgrades over HTTP; leave commented out except during an approved change
#set name local-internet rule 69 action accept
#set name local-internet rule 69 log enable
#set name local-internet rule 69 destination port 80
#set name local-internet rule 69 protocol tcp
# Logging rule: drop and log everything else
set name local-internet rule 9999 action drop
set name local-internet rule 9999 log enable
The rules between the router and the internal (ZZ Servers) public networks are the same as the Internet rules.
- Set default policy to Deny, dropping any unauthorized connection
- Allow established and related connections
- Drop all invalid states
- Drop and do not log SMB broadcasts
- Accept ICMP
- Accept VRRP
- Accept BGP
- Accept HEARTBEAT
- Accept SSH
- Deny and log everything else
# Default Deny
set name zzservers-local default-action drop
# Accept established and related
set name zzservers-local rule 1 action accept
set name zzservers-local rule 1 state established enable
set name zzservers-local rule 1 state related enable
# Drop and log invalid states
set name zzservers-local rule 2 action drop
set name zzservers-local rule 2 log enable
set name zzservers-local rule 2 state invalid enable
# Drop and do not log customer SMB broadcasts
set name zzservers-local rule 3 action drop
set name zzservers-local rule 3 log disable
set name zzservers-local rule 3 destination group port-group SMB
set name zzservers-local rule 3 protocol udp
# Allow inbound ICMP
set name zzservers-local rule 4 action accept
set name zzservers-local rule 4 protocol icmp
# Allow inbound VRRP
set name zzservers-local rule 5 action accept
set name zzservers-local rule 5 protocol vrrp
# Allow inbound BGP (sessions opened by a peer)
set name zzservers-local rule 6 action accept
set name zzservers-local rule 6 destination port 179
set name zzservers-local rule 6 protocol tcp
# Allow inbound BGP (replies to sessions we opened; any TCP packet with source port 179 matches)
set name zzservers-local rule 7 action accept
set name zzservers-local rule 7 source port 179
set name zzservers-local rule 7 protocol tcp
# Allow inbound HEARTBEAT
set name zzservers-local rule 8 action accept
set name zzservers-local rule 8 destination port 694
set name zzservers-local rule 8 protocol udp
# Allow inbound HEARTBEAT (any UDP packet with source port 694 matches)
set name zzservers-local rule 9 action accept
set name zzservers-local rule 9 source port 694
set name zzservers-local rule 9 protocol udp
# Allow inbound SSH from the management hosts only
set name zzservers-local rule 10 action accept
set name zzservers-local rule 10 log enable
set name zzservers-local rule 10 source group address-group SSH-FROM
set name zzservers-local rule 10 destination port 22
set name zzservers-local rule 10 protocol tcp
# Logging rule: drop and log everything else
set name zzservers-local rule 9999 action drop
set name zzservers-local rule 9999 log enable
The final rules for direct router traffic are those from the local zone to zzservers.
- Set default policy to Deny, dropping any unauthorized connection
- Allow established and related connections
- Drop all invalid states
- Accept ICMP
- Accept VRRP
- Accept BGP
- Accept HEARTBEAT
- Accept DNS
- Deny and log everything else
# Default Deny
set name local-zzservers default-action drop
# Accept established and related
set name local-zzservers rule 1 action accept
set name local-zzservers rule 1 state established enable
set name local-zzservers rule 1 state related enable
# Drop and log invalid states
set name local-zzservers rule 2 action drop
set name local-zzservers rule 2 log enable
set name local-zzservers rule 2 state invalid enable
# Allow outbound ICMP
set name local-zzservers rule 4 action accept
set name local-zzservers rule 4 protocol icmp
# Allow outbound VRRP
set name local-zzservers rule 5 action accept
set name local-zzservers rule 5 protocol vrrp
# Allow outbound BGP (sessions we open towards a peer)
set name local-zzservers rule 6 action accept
set name local-zzservers rule 6 destination port 179
set name local-zzservers rule 6 protocol tcp
# Allow outbound BGP (replies from our listener; any TCP packet with source port 179 matches)
set name local-zzservers rule 7 action accept
set name local-zzservers rule 7 source port 179
set name local-zzservers rule 7 protocol tcp
# Allow outbound HEARTBEAT
set name local-zzservers rule 8 action accept
set name local-zzservers rule 8 destination port 694
set name local-zzservers rule 8 protocol udp
# Allow outbound HEARTBEAT (any UDP packet with source port 694 matches)
set name local-zzservers rule 9 action accept
set name local-zzservers rule 9 source port 694
set name local-zzservers rule 9 protocol udp
# Allow outbound DNS lookups
set name local-zzservers rule 10 action accept
set name local-zzservers rule 10 destination port 53
set name local-zzservers rule 10 protocol tcp_udp
# Allow upgrades over HTTP; leave commented out except during an approved change
#set name local-zzservers rule 69 action accept
#set name local-zzservers rule 69 log enable
#set name local-zzservers rule 69 destination port 80
#set name local-zzservers rule 69 protocol tcp
# Logging rule: drop and log everything else
set name local-zzservers rule 9999 action drop
set name local-zzservers rule 9999 log enable
Now the rules are defined for inbound and outbound directly to and from the router. The final set of rules to build is the rules for the traffic that flows “through” the router between the Internet & ZZ Servers. There will again be 2 sets of rules for the ingress and egress packets.
The pass-through rules differ from the direct rules in that they:
- Default to allowing all packets
- Block servers listed in REJECT-SERVERS
- Block address ranges listed in REJECT-NETWORKS
- Block ports listed in REJECT-PORTS
The rules below use action reject rather than drop. Reject answers the sender with an ICMP unreachable, which confirms that a filter exists and costs the router a reply packet for every packet it blocks; for a blocklist facing the Internet, drop is the quieter choice, and if that matters to you simply change reject to drop in the rules below.
# Default route all packets
set name internet-zzservers default-action accept
# Deny and reject blocked servers / networks / ports
set name internet-zzservers rule 10 action reject
set name internet-zzservers rule 10 log enable
set name internet-zzservers rule 10 source group address-group REJECT-SERVERS
set name internet-zzservers rule 11 action reject
set name internet-zzservers rule 11 log enable
set name internet-zzservers rule 11 destination group address-group REJECT-SERVERS
set name internet-zzservers rule 15 action reject
set name internet-zzservers rule 15 log enable
set name internet-zzservers rule 15 source group network-group REJECT-NETWORKS
set name internet-zzservers rule 16 action reject
set name internet-zzservers rule 16 log enable
set name internet-zzservers rule 16 destination group network-group REJECT-NETWORKS
# Port-group matches require a protocol; tcp_udp covers both
set name internet-zzservers rule 20 action reject
set name internet-zzservers rule 20 log enable
set name internet-zzservers rule 20 source group port-group REJECT-PORTS
set name internet-zzservers rule 20 protocol tcp_udp
set name internet-zzservers rule 21 action reject
set name internet-zzservers rule 21 log enable
set name internet-zzservers rule 21 destination group port-group REJECT-PORTS
set name internet-zzservers rule 21 protocol tcp_udp
The final set of rules is the same as internet-zzservers, but for traffic going out from ZZ Servers to the Internet (zzservers-internet).
# Default route all packets
set name zzservers-internet default-action accept
# Deny and reject blocked servers / networks / ports
set name zzservers-internet rule 10 action reject
set name zzservers-internet rule 10 log enable
set name zzservers-internet rule 10 source group address-group REJECT-SERVERS
set name zzservers-internet rule 11 action reject
set name zzservers-internet rule 11 log enable
set name zzservers-internet rule 11 destination group address-group REJECT-SERVERS
set name zzservers-internet rule 15 action reject
set name zzservers-internet rule 15 log enable
set name zzservers-internet rule 15 source group network-group REJECT-NETWORKS
set name zzservers-internet rule 16 action reject
set name zzservers-internet rule 16 log enable
set name zzservers-internet rule 16 destination group network-group REJECT-NETWORKS
# Port-group matches require a protocol; tcp_udp covers both
set name zzservers-internet rule 20 action reject
set name zzservers-internet rule 20 log enable
set name zzservers-internet rule 20 source group port-group REJECT-PORTS
set name zzservers-internet rule 20 protocol tcp_udp
set name zzservers-internet rule 21 action reject
set name zzservers-internet rule 21 log enable
set name zzservers-internet rule 21 destination group port-group REJECT-PORTS
set name zzservers-internet rule 21 protocol tcp_udp
With all of the filters defined, the final step is to create the zones (internet/zzservers/local), assign the interfaces to them, and map each filter to its zone pair. Be aware that the moment the zone-policy is committed, every zone defaults to drop and only the filters above admit traffic, so if you are working over SSH make sure your address is in SSH-FROM and that the internet-local or zzservers-local filter you will arrive through has been committed without errors; having console access for the first commit is prudent.
First exit the firewall editor and edit the “zone-policy”:
exit
edit zone-policy
Within the zone-policy we will configure:
- Default policy for all zones (internet/zzservers/local) to be to drop
- Identify the internet with eth0
- Identify the zz servers network with eth1
- Map the various rules to the appropriate policies
- Exit, commit and save
# Set the default policy for zone internet to drop
set zone internet default-action drop
# For internet zone, traffic from zzservers to internet uses firewall filter zzservers-internet
set zone internet from zzservers firewall name zzservers-internet
# For internet zone, traffic from local router to internet uses firewall filter local-internet
set zone internet from local firewall name local-internet
# Set internet zone assignment to eth0
set zone internet interface eth0
# Set the default policy for zzservers zone to drop
set zone zzservers default-action drop
# For zzservers zone, traffic from internet to zzservers uses firewall filter internet-zzservers
set zone zzservers from internet firewall name internet-zzservers
# For zzservers zone, traffic from local router to zzservers uses firewall filter local-zzservers
set zone zzservers from local firewall name local-zzservers
# Set zzservers zone assignment to eth1
set zone zzservers interface eth1
# Set the default policy for local zone to drop
set zone local default-action drop
# For local zone, traffic from internet to the local router uses firewall filter internet-local
set zone local from internet firewall name internet-local
# For local zone, traffic from zzservers to the local router uses firewall filter zzservers-local
set zone local from zzservers firewall name zzservers-local
# The local zone is the router itself rather than an interface
set zone local local-zone
# Back to the top of the configuration tree, then commit first and save the committed configuration
exit
commit
save
exit
With the rules in place, blocking unwanted traffic is simply a matter of adding the host, network or port to the correct group; the rules that reference the group pick up the change at commit. The commands to add and remove group members are as follows:
To add an IP address to the REJECT-SERVERS group so that it is rejected to and from the ZZ network, log on to the router and run:
- configure
- set firewall group address-group REJECT-SERVERS address <ip to reject>
- commit
- save
To remove an IP address, use the same command with “set” replaced by “delete”:
- configure
- delete firewall group address-group REJECT-SERVERS address <ip to remove>
- commit
- save
Networks and ports follow the same pattern, but the group type and the member keyword change with the group: a network-group takes a prefix in CIDR notation and a port-group takes a port number:
- set firewall group network-group REJECT-NETWORKS network <network/prefix to reject>
- set firewall group port-group REJECT-PORTS port <port to reject>
Check the entry before you commit: because rules 15 and 16 reject anything matching REJECT-NETWORKS in either direction, a mistake such as 0.0.0.0/0 in that group rejects all traffic through the router.
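The commands above are easy to get wrong on a live border router: the keyword changes with the group, and one over-wide prefix blocks everything. The following added Python helper (not part of the post and not a Vyatta tool) turns a plain blocklist into the matching set or delete commands, picks the right group and keyword for each entry, and refuses entries that would block more than intended: a prefix wider than an assumed /8, anything overlapping the management addresses (assumed here to be two RFC 5737 documentation addresses standing in for SSH-FROM), a non-IPv4 entry, an out-of-range port, or a prefix with host bits set. The sample blocklist is constructed for the example.

```python
"""Blocklist to Vyatta group commands, with sanity checks (added example, not from the post)."""
import ipaddress
from typing import Iterable, List, Tuple

# Vyatta group type, member keyword and the group name used on the page, per kind of entry.
GROUPS = {
    "host":    ("address-group", "address", "REJECT-SERVERS"),
    "network": ("network-group", "network", "REJECT-NETWORKS"),
    "port":    ("port-group",    "port",    "REJECT-PORTS"),
}

# Assumed SSH-FROM management addresses (RFC 5737 documentation addresses); a blocklist
# entry that covers them must never be committed, or the rules would lock the operators out.
PROTECTED = [ipaddress.ip_network(n) for n in ("198.51.100.10/32", "198.51.100.11/32")]
MIN_PREFIX = 8   # assumed sanity limit: nothing wider than a /8 belongs in a blocklist


def classify(entry: str) -> Tuple[str, str]:
    """Return (kind, normalized value) for one blocklist line, or raise ValueError
    for anything malformed or unsafe so that it never reaches the router."""
    entry = entry.strip()
    if entry.isdigit():                          # a bare number is a port
        port = int(entry)
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {entry}")
        return "port", str(port)
    # Everything else must parse as an IPv4 address or prefix. strict=True refuses
    # prefixes with host bits set (10.0.0.1/24), which almost always means a typo.
    net = ipaddress.ip_network(entry, strict=True)
    if net.version != 4:
        raise ValueError(f"these groups are IPv4 only: {entry}")
    if net.prefixlen < MIN_PREFIX:
        raise ValueError(f"prefix too wide for a blocklist entry: {entry}")
    if any(net.overlaps(p) for p in PROTECTED):
        raise ValueError(f"entry would block a management address: {entry}")
    if net.prefixlen == 32:                      # a single host, written with or without /32
        return "host", str(net.network_address)
    return "network", str(net)


def commands(entries: Iterable[str], action: str = "set") -> List[str]:
    """Validate every entry before emitting anything, so a bad line never leaves
    a half-applied change behind; returns the full configure/commit/save session."""
    if action not in ("set", "delete"):
        raise ValueError(f"action must be set or delete, not {action}")
    members = [classify(e) for e in entries]
    body = [f"{action} firewall group {GROUPS[k][0]} {GROUPS[k][2]} {GROUPS[k][1]} {v}"
            for k, v in members]
    return ["configure", *body, "commit", "save", "exit"]


def is_safe(entry: str) -> bool:
    """True if the entry would be accepted by classify()."""
    try:
        classify(entry)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample blocklist: one host, one /24, one port and one host written as /32.
    print("\n".join(commands(["203.0.113.7", "192.0.2.0/24", "23", "203.0.113.9/32"])))
```

Paste the printed session into the router, or run it line by line. Because classify() raises on the first bad entry and commands() only builds output after every entry has passed, a blocklist with one typo produces no commands at all rather than a partial change.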
The configuration generated by this example is attached below. Good luck, and remember that security should be a layered, risk-based approach; use all the resources available to you.
vyatta-zone-firewall
References:
Vyatta
Vyatta is revolutionizing the networking industry by delivering a software-based, open-source network operating system that is portable to standard x86 hardware, common virtualization, and cloud computing platforms. By deploying Vyatta, users benefit from a flexible enterprise-class routing and security feature set capable of scaling from DSL to 20Gbps performance at a fraction of the cost of proprietary solutions. Thousands of physical and virtual infrastructures worldwide, from small enterprises to Fortune 500, are connected and protected by Vyatta software and appliances.
Vyatta Community Edition
The free community Vyatta Core software (VC) is an award-winning open-source network operating system providing advanced IPv4 and IPv6 routing, stateful firewalling, IPsec and SSL OpenVPN, intrusion prevention, and more. When you add Vyatta to a standard x86 hardware system, you can create an enterprise-grade network appliance that scales from DSL to 10Gbps. Vyatta is also optimized to run in VMware, Citrix XenServer, Xen, KVM, and other hypervisors, providing networking and security services to virtual machines and cloud computing environments. Vyatta has been downloaded over 600,000 times, has a community of hundreds of thousands of registered users, and counts dozens of Fortune 500 businesses among its commercial customers.
Vyatta Documentation
Firewall (IPv4, IPv6, Zone-based Firewall) – Vyatta_Firewall_R6.1_v02.pdf
ZZ Servers
ZZ Servers was founded in 2006 by brothers Peter and David Zendzian to provide affordable business and enterprise-level hosted network environments. Our commitment to a high level of customer service and belief in personalized customer service for every client is an integral component of our business philosophy. Our goal is to work collaboratively with industry professionals, our clients, and consumers to provide a source for affordable and secure hosted network infrastructures and a friendly, family-oriented customer support experience.
ZZ Servers delivers a comprehensive collection of hosting services to organizations of all sizes. Our hosting services are at the core of our security and management services and have been engineered for industry regulations, including PCI, GLBA, SOX, HIPAA, and ISO 27002.
We understand that for your business to remain competitive and profitable, it must be online. We offer web hosting options that are custom tailored to fit your specific business needs. From our ultra-affordable shared web hosting to state-of-the-art geographically redundant solutions, we can meet your needs.