Substantial work has been done by Marian Tudosoiu to bring IPv6 firewall groups to the current implementation of firewall configuration scripts even before we give it a complete rewrite. It's already merged into the current branch and is expected to be included in the 1.2.0-rc1 release. Now it's probably a good time to make a post about using firewall groups for those who haven't used them yet.
Of course there's still a lot of work to be done, such as integrating groups into NAT, which likely does require a complete rewrite to be feasible.
The concept is simple enough: instead of creating multiple rules that only differ in one address or port number, you create a group with all those addresses and ports, and reference it in a rule.
VyOS has three group types: address groups, network groups, and port groups. In 1.1.8 they can only be used with IPv4 firewall rulesets, including "policy route" rules.
Let's create some groups:
set firewall group port-group ManagementPorts port 22
set firewall group port-group ManagementPorts port 23
set firewall group port-group ManagementPorts port 443
set firewall group address-group Servers address 10.10.0.10
set firewall group address-group Servers address 10.10.0.15
set firewall group address-group Servers address 10.10.0.20
set firewall group network-group TrustedNets network 192.168.5.0/24
set firewall group network-group TrustedNets network 172.18.19.128/25
set firewall group network-group TrustedNets network 10.20.30.144/32
Now we can create a ruleset that uses them. Let's make a rule that references nothing but groups:
set firewall name DMZ-In rule 10 action accept
set firewall name DMZ-In rule 10 protocol tcp
set firewall name DMZ-In rule 10 source group network-group TrustedNets
set firewall name DMZ-In rule 10 destination group port-group ManagementPorts
set firewall name DMZ-In rule 10 destination group address-group Servers
An important point is that you can modify group membership on the fly without touching any of the rules that reference the group: add a server to the address group and every rule that uses it picks up the change.
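To make the matching semantics concrete, here is a small simulator, added for this post and not part of VyOS itself. It parses the `set` commands above into groups and a ruleset, then evaluates whether a given connection would be accepted by rule 10: the source address must fall inside one of the networks in the network group, the destination address must be listed in the address group, and the destination port must be in the port group. It assumes a default action of drop for anything no rule matches (the post does not set a `default-action`), covers only the `action`, `protocol` and `group` keywords used here, and ends by adding a new server to the group to show that the rule starts matching it with no rule change.

```python
import ipaddress
from collections import defaultdict

# Constructed sample input: the "set" commands from the post, one per line.
CONFIG = """
set firewall group port-group ManagementPorts port 22
set firewall group port-group ManagementPorts port 23
set firewall group port-group ManagementPorts port 443
set firewall group address-group Servers address 10.10.0.10
set firewall group address-group Servers address 10.10.0.15
set firewall group address-group Servers address 10.10.0.20
set firewall group network-group TrustedNets network 192.168.5.0/24
set firewall group network-group TrustedNets network 172.18.19.128/25
set firewall group network-group TrustedNets network 10.20.30.144/32
set firewall name DMZ-In rule 10 action accept
set firewall name DMZ-In rule 10 protocol tcp
set firewall name DMZ-In rule 10 source group network-group TrustedNets
set firewall name DMZ-In rule 10 destination group port-group ManagementPorts
set firewall name DMZ-In rule 10 destination group address-group Servers
"""


def parse_config(text):
    """Turn 'set firewall ...' lines into group tables and a ruleset table.

    Only the subset of syntax used in the post is understood (assumption).
    """
    groups = {kind: defaultdict(set)
              for kind in ("port-group", "address-group", "network-group")}
    rules = defaultdict(lambda: defaultdict(dict))  # rules[name][number] -> fields
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[:3] == ["set", "firewall", "group"]:
            kind, name, _, value = tok[3:7]          # e.g. port-group ManagementPorts port 22
            groups[kind][name].add(value)
        elif tok[:3] == ["set", "firewall", "name"]:
            name, _, num = tok[3:6]                  # e.g. DMZ-In rule 10
            rule = rules[name][int(num)]
            rest = tok[6:]
            if rest[0] in ("action", "protocol"):
                rule[rest[0]] = rest[1]
            elif rest[0] in ("source", "destination") and rest[1] == "group":
                rule.setdefault(rest[0], {})[rest[2]] = rest[3]   # side -> {kind: group name}
    return groups, rules


def add_group_member(groups, kind, name, value):
    """Equivalent of another 'set firewall group ...' command: grow a group in place."""
    groups[kind][name].add(value)


def in_group(groups, kind, name, value):
    members = groups[kind][name]
    if kind == "port-group":
        return str(value) in members
    if kind == "address-group":
        return str(ipaddress.ip_address(value)) in members
    addr = ipaddress.ip_address(value)                # network-group: CIDR containment
    return any(addr in ipaddress.ip_network(net) for net in members)


def rule_matches(groups, rule, proto, src, dst, sport, dport):
    if "protocol" in rule and rule["protocol"] != proto:
        return False
    # A port-group on a side refers to that side's port; address/network groups to its address.
    for side, addr, port in (("source", src, sport), ("destination", dst, dport)):
        for kind, name in rule.get(side, {}).items():
            value = port if kind == "port-group" else addr
            if not in_group(groups, kind, name, value):
                return False
    return True


def evaluate(groups, rules, ruleset, proto, src, dst, sport, dport):
    """Action of the first matching rule, else 'drop' (assumed default-action)."""
    for num in sorted(rules[ruleset]):
        if rule_matches(groups, rules[ruleset][num], proto, src, dst, sport, dport):
            return rules[ruleset][num].get("action", "drop")
    return "drop"


if __name__ == "__main__":
    groups, rules = parse_config(CONFIG)
    args = (groups, rules, "DMZ-In", "tcp", "192.168.5.7")
    print(evaluate(*args, "10.10.0.10", 51000, 22))    # accept: trusted net -> listed server, port 22
    print(evaluate(*args, "10.10.0.25", 51000, 22))    # drop: 10.10.0.25 is not in Servers yet
    add_group_member(groups, "address-group", "Servers", "10.10.0.25")
    print(evaluate(*args, "10.10.0.25", 51000, 22))    # accept: group changed, rule untouched
```

The `add_group_member` step is the point of the post: the rule still reads "source TrustedNets to Servers on ManagementPorts", and only the group's membership changed. The simulator is also a convenient way to sanity-check a group-based ruleset against a few representative connections before committing it.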
As you can see, groups are a simple concept that can be learnt in minutes. Once they are available in IPv6 and NAT, their use will be very similar.