I'd like to propose some adjustments to the firewall configuration for a future release (either in 1.3.0 or for 2.0).

Item 1: Firewall Group Behavior
-------------------------------

Currently, VyOS implements the following:

  network-group is hash:net
  address-group is hash:ip

The hash:ip group type isn't particularly useful. For EdgeOS, Ubiquiti has rewritten address-group to be implemented using hash:net like network-group, which is a change I agree with. Along with doing so, they've changed the valid syntax for an address group to accept both IP addresses and networks in CIDR notation (limiting prefix-length to 1-31 to prevent input error).

I recommend that we modify address-group to work the same way adopted by EdgeOS, and go a step further to deprecate "network-group", perhaps having the upgrade process migrate the configuration.

Item 2: IPv6 Firewall Group Support
-----------------------------------

Self-explanatory: add support for IPv6 address-group.

  set firewall group ipv6-address-group
  set policy ipv6-route <name> rule <rule> source|destination group

Item 3: Group Support for NAT rules
-----------------------------------

  set nat source|destination rule <rule> source|destination group

Item 4: Update REJECT and add option for TCP RST
------------------------------------------------

Currently:

  rule <rule> action reject

Change to:

  rule <rule> action reject (change to using code 13 icmp-admin-prohibited for RFC1812 and RFC5508 compliance)
  rule <rule> action reject-tcp-rst (add TCP RST option)

Item 5: Add additional matching options for rules
-------------------------------------------------

IPv6 hop-limit module "hl" matching (required to appropriately secure a lot of LL traffic):

  rule <rule> hop-limit eq|lt|gt <hop-limit>

IPv4 TTL module "ttl" matching:

  rule <rule> ttl eq|lt|gt <ttl>

The length "length" module for IPv4 and IPv6 (useful for some types of UDP traffic):

  rule <rule> length <length-range>

--
Ray Patrick Soucy
Senior Cyber Security Engineer
Networkmaine, University of Maine System
US:IT 207-561-3526

_______________________________________________
Vyos-developers mailing list
Vyos-developers@lists.tuxis.nl
https://lists.tuxis.nl/listinfo/vyos-developers
