Basic Configuration

Zone Setup

# Create security zones
set zone-policy zone LAN
set zone-policy zone WAN

# Interface assignment
set zone-policy zone LAN interface eth0
set zone-policy zone WAN interface eth1

Basic Ruleset

# Create named firewall rulesets
set firewall name WAN-LAN
set firewall name LAN-WAN

# Default policies
set firewall name WAN-LAN default-action drop
set firewall name LAN-WAN default-action accept

Rule Application

# Apply to zones
set zone-policy zone LAN to WAN firewall name LAN-WAN
set zone-policy zone WAN to LAN firewall name WAN-LAN

# Verify configuration
show firewall
show zone-policy

Rule Management

Basic Rules

# Allow established/related
set firewall name WAN-LAN rule 10 action accept
set firewall name WAN-LAN rule 10 state established enable
set firewall name WAN-LAN rule 10 state related enable

# Block invalid
set firewall name WAN-LAN rule 20 action drop
set firewall name WAN-LAN rule 20 state invalid enable

Advanced Rules

# Port forwarding (DNAT only rewrites the destination; WAN-LAN still
# needs an accept rule for 192.168.1.100 tcp/80 or the forwarded traffic
# hits the default drop)
set nat destination rule 10 description "Web Server"
set nat destination rule 10 destination port 80
set nat destination rule 10 inbound-interface eth1
set nat destination rule 10 protocol tcp
set nat destination rule 10 translation address 192.168.1.100

# Rate limiting (rule 10 already accepted established traffic, so this
# throttles new SSH connections; anything above the rate falls through to
# the default drop)
set firewall name WAN-LAN rule 30 action accept
set firewall name WAN-LAN rule 30 destination port 22
set firewall name WAN-LAN rule 30 protocol tcp
set firewall name WAN-LAN rule 30 limit rate 10/minute

Address Groups

Group Management

# Create address group
set firewall group address-group SERVERS
set firewall group address-group SERVERS address 192.168.1.10
set firewall group address-group SERVERS address 192.168.1.11

# Create port group
set firewall group port-group WEB_PORTS
set firewall group port-group WEB_PORTS port 80
set firewall group port-group WEB_PORTS port 443

Group Usage

# Apply groups in rules
set firewall name WAN-LAN rule 40 action accept
set firewall name WAN-LAN rule 40 destination group address-group SERVERS
set firewall name WAN-LAN rule 40 destination group port-group WEB_PORTS

Advanced Features

DDoS Protection

# SYN flood protection: drop sources seen sending more than 100 SYNs in
# the last 60 seconds. Do not add 'limit rate' to a drop rule: limit rate
# matches packets while under the rate, so a drop rule built on it drops
# the normal baseline and lets the flood through.
set firewall name WAN-LAN rule 50 action drop
set firewall name WAN-LAN rule 50 protocol tcp
set firewall name WAN-LAN rule 50 tcp flags SYN
set firewall name WAN-LAN rule 50 recent count 100
set firewall name WAN-LAN rule 50 recent time 60

Time-Based Rules

# Business hours access (time is the only match here; combine it with
# protocol/port or group criteria, otherwise this rule accepts all WAN
# traffic during the window)
set firewall name WAN-LAN rule 60 action accept
set firewall name WAN-LAN rule 60 time starttime 09:00:00
set firewall name WAN-LAN rule 60 time stoptime 17:00:00
set firewall name WAN-LAN rule 60 time weekdays Mon,Tue,Wed,Thu,Fri
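Added example, not part of this cheatsheet or of VyOS: a small Python audit over exported `set firewall name ...` lines that flags two of the pitfalls in the rules above, an accept rule with no match criteria (a time-only rule admits all WAN traffic in its window) and a drop rule throttled only by `limit rate` (which matches packets under the rate and so passes the excess). The sample ruleset, the `SELECTORS` key list and the finding texts are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample (not a live config): a WAN-facing ruleset with two policy gaps.
SAMPLE = """
set firewall name WAN-LAN default-action drop
set firewall name WAN-LAN rule 10 action accept
set firewall name WAN-LAN rule 10 state established enable
set firewall name WAN-LAN rule 10 state related enable
set firewall name WAN-LAN rule 30 action accept
set firewall name WAN-LAN rule 30 destination port 22
set firewall name WAN-LAN rule 30 protocol tcp
set firewall name WAN-LAN rule 30 limit rate 10/minute
set firewall name WAN-LAN rule 50 action drop
set firewall name WAN-LAN rule 50 tcp flags SYN
set firewall name WAN-LAN rule 50 limit rate 100/second
set firewall name WAN-LAN rule 60 action accept
set firewall name WAN-LAN rule 60 time starttime 09:00:00
set firewall name WAN-LAN rule 60 time stoptime 17:00:00
"""

RULE_RE = re.compile(r"^set firewall name (\S+) rule (\d+) (\S+)(?: (.*))?$")
DEFAULT_RE = re.compile(r"^set firewall name (\S+) default-action (\S+)$")
# Match keys that actually narrow which packets a rule applies to (assumed list).
SELECTORS = {"source", "destination", "protocol", "state", "icmp", "tcp"}

def parse(text):
    """Map ruleset name -> {"default": action, "rules": {num: [(key, rest), ...]}}."""
    sets = defaultdict(lambda: {"default": None, "rules": defaultdict(list)})
    for line in text.strip().splitlines():
        if m := DEFAULT_RE.match(line):
            sets[m[1]]["default"] = m[2]
        elif m := RULE_RE.match(line):
            sets[m[1]]["rules"][int(m[2])].append((m[3], m[4] or ""))
    return sets

def audit(sets):
    """Return (ruleset, rule, finding) tuples; rule 0 marks a ruleset-level finding."""
    out = []
    for name, rs in sets.items():
        if rs["default"] != "drop":
            out.append((name, 0, "default-action is not drop"))
        for num, kv in sorted(rs["rules"].items()):
            action, keys = dict(kv).get("action"), {k for k, _ in kv}
            if action == "accept" and not keys & SELECTORS:
                out.append((name, num, "accept rule has no match criteria"))
            if action == "drop" and "limit" in keys:
                out.append((name, num, "limit rate on a drop rule lets the excess through"))
    return out
```

Feed it the output of `show configuration commands | match "firewall name"` from a VyOS session; rules in the sample report as rule 50 and rule 60 findings.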

Monitoring & Troubleshooting

Logging

# Enable logging
set firewall name WAN-LAN rule 100 action drop
set firewall name WAN-LAN rule 100 log enable

# View logs
show log firewall
show log firewall name WAN-LAN

Statistics

# View statistics
show firewall statistics
show firewall name WAN-LAN statistics
show firewall group statistics

# Clear statistics
clear firewall name WAN-LAN counters
clear firewall statistics

References

  • Based on VyOS 1.4 (Sagitta)
  • Official VyOS Documentation: https://docs.vyos.io/
  • VyOS Wiki: https://wiki.vyos.net/