Zone-Based Firewall
A zone-based firewall enforces a granular security policy between different network segments (zones): every interface belongs to a zone, and traffic between two zones is only allowed if a policy for that zone pair permits it.
Scenario
- Enterprise Security: separation of LAN, WAN and DMZ
- Granular Control: traffic filtering between zones
- Stateful Inspection: connection tracking
Zones
┌─────────────────────────────────────┐
│            VyOS Firewall            │
│                                     │
│  ┌────┐   ┌─────┐   ┌──────┐  ┌────┐│
│  │LAN │   │ DMZ │   │ WAN  │  │LOC ││
│  └─┬──┘   └──┬──┘   └──┬───┘  └────┘│
└────┼─────────┼─────────┼────────────┘
     │         │         │
   Users    Servers   Internet

VyOS Zone Configuration
# Define zones. Note the VyOS direction semantics used below:
# "set firewall zone DST from SRC firewall name X" applies ruleset X to traffic flowing from SRC into DST.
set firewall zone LAN interface 'eth1'
set firewall zone LAN default-action 'drop'
set firewall zone DMZ interface 'eth2'
set firewall zone DMZ default-action 'drop'
set firewall zone WAN interface 'eth0'
set firewall zone WAN default-action 'drop'
set firewall zone LOCAL local-zone
# No policies to or from LOCAL are defined here; add them before commit, or management access to the router itself is dropped.
# Zone policy LAN → WAN: allow everything outbound
set firewall ipv4-name LAN-TO-WAN default-action 'accept'
set firewall ipv4-name LAN-TO-WAN rule 1 action 'accept'
set firewall ipv4-name LAN-TO-WAN rule 1 state established 'enable'
set firewall ipv4-name LAN-TO-WAN rule 1 state related 'enable'
set firewall zone WAN from LAN firewall name 'LAN-TO-WAN'
# LAN → DMZ (only HTTP/HTTPS to web servers)
set firewall ipv4-name LAN-TO-DMZ default-action 'drop'
set firewall ipv4-name LAN-TO-DMZ rule 10 action 'accept'
set firewall ipv4-name LAN-TO-DMZ rule 10 protocol 'tcp'
set firewall ipv4-name LAN-TO-DMZ rule 10 destination port '80,443'
set firewall zone DMZ from LAN firewall name 'LAN-TO-DMZ'
# WAN → DMZ (only to the web server)
set firewall ipv4-name WAN-TO-DMZ default-action 'drop'
set firewall ipv4-name WAN-TO-DMZ rule 10 action 'accept'
set firewall ipv4-name WAN-TO-DMZ rule 10 protocol 'tcp'
set firewall ipv4-name WAN-TO-DMZ rule 10 destination address '10.20.1.10'
set firewall ipv4-name WAN-TO-DMZ rule 10 destination port '443'
set firewall zone DMZ from WAN firewall name 'WAN-TO-DMZ'
# Reverse directions (added here; the ruleset name is arbitrary): reply traffic only.
# Without a policy for a zone pair the zone default-action (drop) applies, which would also drop replies.
set firewall ipv4-name REPLY-ONLY default-action 'drop'
set firewall ipv4-name REPLY-ONLY rule 1 action 'accept'
set firewall ipv4-name REPLY-ONLY rule 1 state established 'enable'
set firewall ipv4-name REPLY-ONLY rule 1 state related 'enable'
set firewall zone LAN from WAN firewall name 'REPLY-ONLY'
set firewall zone LAN from DMZ firewall name 'REPLY-ONLY'
set firewall zone WAN from DMZ firewall name 'REPLY-ONLY'
commit
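A small checker for the zone-policy matrix, added here as an example (it is not VyOS tooling and the regexes and the SAMPLE configuration are constructed for this page): it parses `set firewall ...` lines and reports zone pairs that have no policy at all, and rulesets applied from an untrusted zone whose default-action is accept. The sample deliberately makes the common mistake of applying a permissive ruleset on `zone LAN from WAN`, which in VyOS filters WAN → LAN traffic.

```python
import re
from itertools import permutations

# Added example, not VyOS tooling: lint the zone-policy matrix of a VyOS config.
# VyOS semantics: "set firewall zone DST from SRC firewall name X" filters SRC -> DST.
RE_ZONE = re.compile(r"^set firewall zone (\S+) (?:interface|local-zone)")
RE_POLICY = re.compile(r"^set firewall zone (\S+) from (\S+) firewall name '?([^']+)'?$")
RE_DEFAULT = re.compile(r"^set firewall ipv4-name (\S+) default-action '?(\w+)'?$")

# Constructed sample: applies the permissive LAN-TO-WAN ruleset on "zone LAN
# from WAN", i.e. to inbound WAN -> LAN traffic, and defines no reply policies.
SAMPLE = """
set firewall zone LAN interface 'eth1'
set firewall zone DMZ interface 'eth2'
set firewall zone WAN interface 'eth0'
set firewall ipv4-name LAN-TO-WAN default-action 'accept'
set firewall ipv4-name WAN-TO-DMZ default-action 'drop'
set firewall zone LAN from WAN firewall name 'LAN-TO-WAN'
set firewall zone DMZ from WAN firewall name 'WAN-TO-DMZ'
"""

def parse(config):
    """Return (zones, {(src, dst): ruleset}, {ruleset: default_action})."""
    zones, policies, defaults = set(), {}, {}
    for line in config.splitlines():
        line = line.strip()
        if m := RE_ZONE.match(line):
            zones.add(m.group(1))
        elif m := RE_POLICY.match(line):
            dst, src, name = m.groups()
            policies[(src, dst)] = name
        elif m := RE_DEFAULT.match(line):
            defaults[m.group(1)] = m.group(2)
    return zones, policies, defaults

def lint(config, untrusted=("WAN",)):
    """One finding per risky or unhandled ordered zone pair."""
    zones, policies, defaults = parse(config)
    findings = []
    for src, dst in permutations(sorted(zones), 2):
        name = policies.get((src, dst))
        if name is None:  # zone default-action (drop) applies, including to replies
            findings.append(f"{src}->{dst}: no policy, zone default-action applies")
        elif src in untrusted and defaults.get(name) == "accept":
            findings.append(f"{src}->{dst}: ruleset {name} defaults to accept from untrusted zone")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)))
```

Run it against the output of `show configuration commands | grep firewall` on the router to check a live policy matrix; the WAN → LAN finding is the one that matters most.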
Yandex/VK Cloud Integration
In cloud environments the DMZ can be a dedicated subnet for public-facing services.