
ZoBo helps you bootstrap your VyOS Zone-Based Firewall through an easy config file.


cschlesselmann/zobo


ZoBo - Zone Based Firewall Bootstrapper for VyOS

ZoBo helps you bootstrap your VyOS Zone-Based Firewall through an easy config file to get you up and running asap.

Running

From Source

Note: You need to have the .NET Core SDK installed!

# NOTE(review): confirm this host is the project's canonical repository before
# cloning; the steps below build and execute whatever code it serves.
git clone https://github.com/cschlesselmann/zobo.git
cd zobo
# Restores the project's NuGet dependencies.
dotnet restore
# Builds and runs the project from source.
dotnet run

Config Syntax

TODO

Example

zones.yaml

# Example ZoBo input. The notes on generated rules below are taken from the
# sample output shown in this README; the config syntax itself is still
# undocumented (see "Config Syntax"), so treat them as observations.
zones:
  - wan
  - local
  - lan
  - mgmt

definitions:
  wan:
    interface: ["eth0"]
    description: "WAN Network"
    # Sample output: 'wan-local' rule 15 accepts `protocol icmp` with no type
    # filter, so it admits all ICMP from WAN to the router, not only echo
    # requests.
    allow_ping_to: "local"
    allow_traffic_to:
      local:
        # NOTE(review): opens SSH on the router itself to the WAN zone. The
        # generated rule 50 (tcp, destination port 22) carries no source
        # restriction; confirm this exposure is intended before applying the
        # output. A bare port is emitted as `protocol tcp`.
        ports: ["22"]
  local:
    description: "Local Zone"
    is_local_zone: true
    # Sample output: every 'local-<zone>' rule set gets default-action accept.
    allow_traffic_to: "*"
  lan:
    description: "LAN Network"
    interface: ["eth1"]
    allow_traffic_to:
      local:
        # Allow DNS only; "53/tcp_udp" is emitted as `protocol tcp_udp`,
        # destination port 53.
        ports: ["53/tcp_udp"]
      # Empty value: in the sample output 'lan-wan' gets default-action accept,
      # i.e. all LAN-to-WAN traffic is allowed. Presumably that is what a zone
      # key with no body means; confirm against the tool.
      wan:
  mgmt:
    description: "Management Network"
    interface: ["eth1.1"]
    # Sample output: an ICMP accept rule (rule 15) in every 'mgmt-<zone>'
    # rule set.
    allow_ping_to: "*"
    allow_traffic_to:
      # Allow SSH to any zone
      "*":
        ports: ["22"]
      # Empty value: 'mgmt-wan' gets default-action accept in the sample
      # output, which makes its port-22 rule redundant.
      wan:

Output

set zone-policy zone 'wan' default-action 'drop'
set zone-policy zone 'wan' description 'WAN Network'
set zone-policy zone 'wan' interface 'eth0'
set zone-policy zone 'local' default-action 'drop'
set zone-policy zone 'local' description 'Local Zone'
set zone-policy zone 'local' local-zone
set zone-policy zone 'lan' default-action 'drop'
set zone-policy zone 'lan' description 'LAN Network'
set zone-policy zone 'lan' interface 'eth1'
set zone-policy zone 'mgmt' default-action 'drop'
set zone-policy zone 'mgmt' description 'Management Network'
set zone-policy zone 'mgmt' interface 'eth1.1'
set firewall name 'wan-local' default-action drop
set firewall name 'wan-local' enable-default-log
set firewall name 'wan-local' rule 10 action accept
set firewall name 'wan-local' rule 10 state established enable
set firewall name 'wan-local' rule 10 state related enable
set firewall name 'wan-local' rule 10 description 'Allow established connections'
set firewall name 'wan-local' rule 15 action accept
set firewall name 'wan-local' rule 15 protocol icmp
set firewall name 'wan-local' rule 15 description 'Allow pings'
set firewall name 'wan-local' rule 50 action accept
set firewall name 'wan-local' rule 50 protocol tcp
set firewall name 'wan-local' rule 50 destination port 22
set zone-policy zone local from wan firewall name wan-local
set firewall name 'wan-lan' default-action drop
set firewall name 'wan-lan' enable-default-log
set firewall name 'wan-lan' rule 10 action accept
set firewall name 'wan-lan' rule 10 state established enable
set firewall name 'wan-lan' rule 10 state related enable
set firewall name 'wan-lan' rule 10 description 'Allow established connections'
set zone-policy zone lan from wan firewall name wan-lan
set firewall name 'wan-mgmt' default-action drop
set firewall name 'wan-mgmt' enable-default-log
set firewall name 'wan-mgmt' rule 10 action accept
set firewall name 'wan-mgmt' rule 10 state established enable
set firewall name 'wan-mgmt' rule 10 state related enable
set firewall name 'wan-mgmt' rule 10 description 'Allow established connections'
set zone-policy zone mgmt from wan firewall name wan-mgmt
set firewall name 'local-wan' default-action accept
set firewall name 'local-wan' enable-default-log
set firewall name 'local-wan' rule 10 action accept
set firewall name 'local-wan' rule 10 state established enable
set firewall name 'local-wan' rule 10 state related enable
set firewall name 'local-wan' rule 10 description 'Allow established connections'
set zone-policy zone wan from local firewall name local-wan
set firewall name 'local-lan' default-action accept
set firewall name 'local-lan' enable-default-log
set firewall name 'local-lan' rule 10 action accept
set firewall name 'local-lan' rule 10 state established enable
set firewall name 'local-lan' rule 10 state related enable
set firewall name 'local-lan' rule 10 description 'Allow established connections'
set zone-policy zone lan from local firewall name local-lan
set firewall name 'local-mgmt' default-action accept
set firewall name 'local-mgmt' enable-default-log
set firewall name 'local-mgmt' rule 10 action accept
set firewall name 'local-mgmt' rule 10 state established enable
set firewall name 'local-mgmt' rule 10 state related enable
set firewall name 'local-mgmt' rule 10 description 'Allow established connections'
set zone-policy zone mgmt from local firewall name local-mgmt
set firewall name 'lan-wan' default-action accept
set firewall name 'lan-wan' enable-default-log
set firewall name 'lan-wan' rule 10 action accept
set firewall name 'lan-wan' rule 10 state established enable
set firewall name 'lan-wan' rule 10 state related enable
set firewall name 'lan-wan' rule 10 description 'Allow established connections'
set zone-policy zone wan from lan firewall name lan-wan
set firewall name 'lan-local' default-action drop
set firewall name 'lan-local' enable-default-log
set firewall name 'lan-local' rule 10 action accept
set firewall name 'lan-local' rule 10 state established enable
set firewall name 'lan-local' rule 10 state related enable
set firewall name 'lan-local' rule 10 description 'Allow established connections'
set firewall name 'lan-local' rule 50 action accept
set firewall name 'lan-local' rule 50 protocol tcp_udp
set firewall name 'lan-local' rule 50 destination port 53
set zone-policy zone local from lan firewall name lan-local
set firewall name 'lan-mgmt' default-action drop
set firewall name 'lan-mgmt' enable-default-log
set firewall name 'lan-mgmt' rule 10 action accept
set firewall name 'lan-mgmt' rule 10 state established enable
set firewall name 'lan-mgmt' rule 10 state related enable
set firewall name 'lan-mgmt' rule 10 description 'Allow established connections'
set zone-policy zone mgmt from lan firewall name lan-mgmt
set firewall name 'mgmt-wan' default-action accept
set firewall name 'mgmt-wan' enable-default-log
set firewall name 'mgmt-wan' rule 10 action accept
set firewall name 'mgmt-wan' rule 10 state established enable
set firewall name 'mgmt-wan' rule 10 state related enable
set firewall name 'mgmt-wan' rule 10 description 'Allow established connections'
set firewall name 'mgmt-wan' rule 15 action accept
set firewall name 'mgmt-wan' rule 15 protocol icmp
set firewall name 'mgmt-wan' rule 15 description 'Allow pings'
set firewall name 'mgmt-wan' rule 50 action accept
set firewall name 'mgmt-wan' rule 50 protocol tcp
set firewall name 'mgmt-wan' rule 50 destination port 22
set zone-policy zone wan from mgmt firewall name mgmt-wan
set firewall name 'mgmt-local' default-action drop
set firewall name 'mgmt-local' enable-default-log
set firewall name 'mgmt-local' rule 10 action accept
set firewall name 'mgmt-local' rule 10 state established enable
set firewall name 'mgmt-local' rule 10 state related enable
set firewall name 'mgmt-local' rule 10 description 'Allow established connections'
set firewall name 'mgmt-local' rule 15 action accept
set firewall name 'mgmt-local' rule 15 protocol icmp
set firewall name 'mgmt-local' rule 15 description 'Allow pings'
set firewall name 'mgmt-local' rule 50 action accept
set firewall name 'mgmt-local' rule 50 protocol tcp
set firewall name 'mgmt-local' rule 50 destination port 22
set zone-policy zone local from mgmt firewall name mgmt-local
set firewall name 'mgmt-lan' default-action drop
set firewall name 'mgmt-lan' enable-default-log
set firewall name 'mgmt-lan' rule 10 action accept
set firewall name 'mgmt-lan' rule 10 state established enable
set firewall name 'mgmt-lan' rule 10 state related enable
set firewall name 'mgmt-lan' rule 10 description 'Allow established connections'
set firewall name 'mgmt-lan' rule 15 action accept
set firewall name 'mgmt-lan' rule 15 protocol icmp
set firewall name 'mgmt-lan' rule 15 description 'Allow pings'
set firewall name 'mgmt-lan' rule 50 action accept
set firewall name 'mgmt-lan' rule 50 protocol tcp
set firewall name 'mgmt-lan' rule 50 destination port 22
set zone-policy zone lan from mgmt firewall name mgmt-lan

Versioning

We use SemVer for versioning. For the versions available, see the tags on this repository.

License

This project is licensed under the AGPLv3 License - see the LICENSE file for details.