ibehren1 / fw-gui

GUI for the management of VyOS firewall configurations.
https://fw-gui.com
MIT License

[Feature request] Will you implement Flowtable for forward chain? #44

Open MaurUppi opened 1 day ago

MaurUppi commented 1 day ago

Hi there

This is my first time using the tool; it is a beautiful tool for the domain.

However, the flowtable should support zone-based firewall configuration. If I don't have a wrong understanding of this thread: https://vyos.dev/T4502#167277

If so, will you consider adding the flowtable to this tool?

Thanks again.

ibehren1 commented 18 hours ago

@MaurUppi

Thanks for the feedback and request. I will consider adding visual support for Flowtables in the future. They are not something that I am currently using and will need to do some research before implementing visually within the FW-GUI tool.

That said, the FW-GUI tool does currently support "Extra Configurations" where you are able to put configuration commands for any non-implemented items.

So as of today, you can do this by placing commands such as you cited in https://vyos.dev/T4502#167277 in your configuration as seen below.

Within your firewall configuration, on the right side click on the Extra Configurations button. [image]

Then add your configurations in the text box as seen here and click Add Configuration Items. [image]

On the resulting screen which displays the configuration, you will see your extra configurations at the top. [image]

These configuration commands will then be pushed to your VyOS instance and maintained along with the rest of the configuration.

Hope this helps!


For my own knowledge, will you share the following information with me?

Are you using FW-GUI today or just considering it?

How long have you been using FW-GUI?

How many VyOS firewall instances are you managing with FW-GUI?

Are these VyOS firewall instances used for business or personal?

What version of FW-GUI are you using? Have you upgraded through multiple versions?

Have you deployed via Docker or manually from source?

What if any issues have you had while using FW-GUI?

MaurUppi commented 13 hours ago

@ibehren1

First and foremost, I'm a newbie at manually configuring firewall settings. Thus, I'm looking for a tool to help implement a basic, best-practice configuration for home use via PPPoE. That's why I'm trying and learning to use FW-GUI.

Are you using FW-GUI today or just considering it?

How long have you been using FW-GUI?

How many VyOS firewall instances are you managing with FW-GUI?

Are these VyOS firewall instances used for business or personal?

What version of FW-GUI are you using? Have you upgraded through multiple versions?

Have you deployed via Docker or manually from source?

What if any issues have you had while using FW-GUI?

Let me know if you have more questions. Thanks for your help.

MaurUppi commented 10 hours ago

Meanwhile, would you mind helping me enhance or fine-tune the configuration below if you have time? Let me know if there is something I should have included but missed regarding home network circumstances. Thanks in advance.

Details

```shell
#
# Global Configuration Items
#
set firewall global-options all-ping 'enable'
set firewall global-options broadcast-ping 'disable'
set firewall global-options ip-src-route 'disable'
set firewall global-options ipv6-src-route 'disable'
set firewall global-options log-martians 'enable'
set firewall global-options receive-redirects 'disable'
set firewall global-options send-redirects 'disable'
set firewall global-options source-validation 'strict'
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy invalid log
set firewall global-options state-policy invalid log-level 'warn'
set firewall global-options state-policy related action 'accept'
set firewall global-options syn-cookies 'enable'
set firewall global-options resolver-cache
#
# IPV4
#
# Group: Network, Interfaces, Ports
set firewall group network-group HomeLAN-v4 network '192.168.1.0/24'
set firewall group ipv6-network-group HomeLAN-v6 network 'fd12:3456:789a:1::/64'
set firewall group interface-group WAN interface eth2
set firewall group interface-group WAN interface pppoe0
set firewall group interface-group LAN interface eth3
set firewall group interface-group LAN interface eth1
set firewall group interface-group Mgmt interface eth0
set firewall group port-group PORT-TEAMS-UDP port '3478-3481'
set firewall group port-group Web-TCP port '80'
set firewall group port-group Web-TCP port '443'
set firewall group port-group Service_TCP-UDP port '53'
set firewall group port-group Service_TCP-UDP port '7777'
set firewall group port-group Service_TCP-UDP port '67'
set firewall group port-group Service_TCP-UDP port '68'
# Rules
set firewall ipv4 name CONN_FILTER default-action 'return'
set firewall ipv4 name CONN_FILTER rule 10 action 'accept'
set firewall ipv4 name CONN_FILTER rule 10 state established
set firewall ipv4 name CONN_FILTER rule 10 state related
set firewall ipv4 name WAN-IN default-action 'drop'
set firewall ipv4 name VyOS_Mgmt default-action 'return'
set firewall ipv4 name VyOS_Mgmt rule 10 action 'accept'
set firewall ipv4 name VyOS_Mgmt rule 10 state new
set firewall ipv4 name VyOS_Mgmt rule 10 state established
set firewall ipv4 name VyOS_Mgmt rule 10 inbound-interface group 'Mgmt'
set firewall ipv4 name VyOS_Mgmt rule 20 action 'accept'
set firewall ipv4 name VyOS_Mgmt rule 20 state related
set firewall ipv4 name VyOS_Mgmt rule 20 inbound-interface group 'Mgmt'
# Chains
## Forward
set firewall ipv4 forward filter rule 10 action 'jump'
set firewall ipv4 forward filter rule 10 jump-target CONN_FILTER
set firewall ipv4 forward filter rule 100 action jump
set firewall ipv4 forward filter rule 100 jump-target WAN-IN
set firewall ipv4 forward filter rule 100 inbound-interface group WAN
set firewall ipv4 forward filter rule 100 destination group network-group HomeLAN-v4
## Input
### Allow internet access.
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 10 action 'jump'
set firewall ipv4 input filter rule 10 jump-target CONN_FILTER
### Allow Management access.
set firewall ipv4 input filter rule 20 action jump
set firewall ipv4 input filter rule 20 jump-target VyOS_Mgmt
set firewall ipv4 input filter rule 20 destination group port-group Service_TCP-UDP
set firewall ipv4 input filter rule 20 protocol tcp
### Allow services access
set firewall ipv4 input filter rule 30 action 'accept'
set firewall ipv4 input filter rule 30 icmp type-name 'echo-request'
set firewall ipv4 input filter rule 30 protocol 'icmp'
set firewall ipv4 input filter rule 30 state new
set firewall ipv4 input filter rule 30 inbound-interface group '!WAN'
set firewall ipv4 input filter rule 40 action 'accept'
set firewall ipv4 input filter rule 40 destination group port-group Service_TCP-UDP
set firewall ipv4 input filter rule 40 protocol 'tcp_udp'
set firewall ipv4 input filter rule 40 source group network-group HomeLAN-v4
### Allowing all connections coming from localhost
set firewall ipv4 input filter rule 50 action 'accept'
set firewall ipv4 input filter rule 50 source address 127.0.0.0/8
```
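A consistency check that can be run over `set firewall` lines like those posted above before they are pushed, as an added example that is not part of the thread or of FW-GUI. The `audit` function is hypothetical, the sample is trimmed from the posted lines with the WAN-IN definition left out on purpose, and IPv6 group kinds are not mapped to their rule-side keywords.

```python
import shlex

# Constructed sample: lines trimmed from the configuration posted above. The
# WAN-IN definition is left out on purpose to exercise the undefined-target case.
SAMPLE = """\
set firewall group interface-group WAN interface pppoe0
set firewall group interface-group LAN interface eth1
set firewall group port-group Web-TCP port '443'
set firewall group port-group Service_TCP-UDP port '53'
set firewall ipv4 name CONN_FILTER default-action 'return'
set firewall ipv4 forward filter rule 10 jump-target CONN_FILTER
set firewall ipv4 forward filter rule 100 jump-target WAN-IN
set firewall ipv4 forward filter rule 100 inbound-interface group WAN
set firewall ipv4 input filter rule 30 inbound-interface group '!WAN'
set firewall ipv4 input filter rule 40 destination group port-group Service_TCP-UDP
"""

def audit(config):
    """Cross-check group and jump-target references in 'set firewall' lines."""
    groups, used, chains, jumps = set(), set(), set(), set()
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)  # also strips the quotes around values
        if len(tok) < 5 or tok[:2] != ["set", "firewall"]:
            continue
        if tok[2] == "group":  # set firewall group <kind> <name> ...
            groups.add((tok[3], tok[4]))
            continue
        if tok[3] == "name":  # set firewall ipv4 name <chain> ...
            chains.add(tok[4])
        if "jump-target" in tok[:-1]:
            jumps.add(tok[tok.index("jump-target") + 1])
        if "group" in tok[:-1]:
            i = tok.index("group")
            if tok[i - 1].endswith("-interface"):  # inbound-interface group <name>
                kind, name = "interface-group", tok[i + 1]
            else:  # source/destination group <kind> <name>
                kind, name = tok[i + 1], tok[-1]
            used.add((kind, name.lstrip("!")))  # '!WAN' is a negated match on WAN
    return {
        "unused_groups": sorted(groups - used),
        "undefined_groups": sorted(used - groups),
        "undefined_jump_targets": sorted(jumps - chains),
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

An unused group is harmless but often marks a rule that was planned and never written; an undefined group or jump target is worth resolving before the configuration is committed.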

ibehren1 commented 1 hour ago

@MaurUppi

With regard to

> but found that I can't delete preset ssh_group or other config of your example config. Only able to add something.

This was a bug... I have published v1.4.5 that addresses this. Thanks for bringing it up!

Regarding fine-tuning the firewall configuration, I think I will stay away from giving advice on the specific rules or the level of granularity and effectiveness.

I will tag you when I am able to add Flowtables and will leave the issue open until then.

Thanks for using the tool and please do provide feedback as you have it but please do keep individual issues to a single topic.