| 1 | +--- |
| 2 | +title: Introduction to Zone-Based Firewall |
| 3 | +author: troglobit |
| 4 | +date: 2025-10-29 08:10:00 +0100 |
| 5 | +categories: [howto] |
| 6 | +tags: [firewall, networking, security, zbf] |
| 7 | +--- |
| 8 | + |
| 9 | +As of Infix v25.10, a zone-based firewall (ZBF) built on [firewalld][2] |
| 10 | +is included. Exposing the most relevant functionality for your network |
| 11 | +security. Rather than managing rules on a per-interface basis, zones |
| 12 | +group interfaces by trust level and policies control traffic flow |
| 13 | +between zones. |
| 14 | + |
| 15 | +{: #fig1 width="600" } |
| 16 | +_**Figure 1**: Zone-based firewall concept._ |
| 17 | + |
| 18 | +### The Zone Concept |
| 19 | + |
| 20 | +A zone defines a level of trust for network connections. All interfaces or |
| 21 | +networks assigned to a zone inherit that trust level. For example, you might |
| 22 | +have a trusted LAN zone for your internal network and an untrusted WAN zone |
| 23 | +for the Internet connection. |
| 24 | + |
| 25 | +Each zone has an action that determines what happens to traffic from that |
| 26 | +zone destined for the local host: |
| 27 | + |
| 28 | +- `accept`: Allow all traffic to the host |
| 29 | +- `reject`: Deny traffic, send rejection response |
| 30 | +- `drop`: Silently discard traffic |
| 31 | + |
| 32 | +When the action is set to `reject` or `drop`, you can explicitly allow |
| 33 | +specific services like SSH or DHCP. |
| 34 | + |
| 35 | +### A Simple Example |
| 36 | + |
| 37 | +Let's set up a basic home router with two zones: a trusted LAN and an |
| 38 | +untrusted WAN. We'll start by creating the zones and assigning interfaces |
| 39 | +to them. |
| 40 | + |
| 41 | +```console |
| 42 | +admin@router:/> configure |
| 43 | +admin@router:/config/> edit firewall |
| 44 | +admin@router:/config/firewall/> set zone lan action accept |
| 45 | +admin@router:/config/firewall/> set zone lan interface eth0 |
| 46 | +admin@router:/config/firewall/> set zone wan action drop |
| 47 | +admin@router:/config/firewall/> set zone wan interface eth1 |
| 48 | +``` |
| 49 | + |
| 50 | +At this point, the LAN zone trusts all traffic to the host, while the WAN |
| 51 | +zone drops everything by default. However, we need to allow certain services |
| 52 | +from the WAN side, like DHCPv6 for address assignment: |
| 53 | + |
| 54 | +```console |
| 55 | +admin@router:/config/firewall/> set zone wan service dhcpv6-client |
| 56 | +``` |
| 57 | + |
| 58 | +Now we need a policy to allow LAN devices to access the Internet through |
| 59 | +the WAN interface. Policies control traffic flow between zones: |
| 60 | + |
| 61 | +```console |
| 62 | +admin@router:/config/firewall/> set policy lan-wan ingress lan |
| 63 | +admin@router:/config/firewall/> set policy lan-wan egress wan |
| 64 | +admin@router:/config/firewall/> set policy lan-wan action accept |
| 65 | +admin@router:/config/firewall/> set policy lan-wan masquerade true |
| 66 | +admin@router:/config/firewall/> leave |
| 67 | +``` |
| 68 | + |
| 69 | +The `masquerade` option enables source NAT, replacing the source IP address |
| 70 | +of LAN clients with the router's WAN address. |
| 71 | + |
| 72 | +Notice that we didn't create a policy for WAN to LAN traffic. By default, |
| 73 | +all inter-zone traffic is blocked unless explicitly allowed by a policy. |
| 74 | +Return traffic from established connections is automatically permitted |
| 75 | +through connection tracking. |
| 76 | + |
| 77 | +### Traffic Flow Types |
| 78 | + |
| 79 | +The firewall handles three types of traffic: |
| 80 | + |
| 81 | +**Host-destined traffic**: Traffic to the router itself, like SSH or web |
| 82 | +management. This is controlled by the zone's action and service list. |
| 83 | + |
| 84 | +**Intra-zone traffic**: Traffic between interfaces in the same zone, such |
| 85 | +as LAN devices talking to each other. This is not forwarded by default and |
| 86 | +requires a policy where both ingress and egress are set to the same zone. |
| 87 | + |
| 88 | +**Inter-zone traffic**: Traffic between different zones, like LAN to WAN. |
| 89 | +This requires an explicit policy and is blocked by default. |
| 90 | + |
| 91 | +{: #fig2 width="600" } |
| 92 | +_**Figure 2**: Traffic flow between zones._ |
| 93 | + |
| 94 | +### The Default Zone |
| 95 | + |
| 96 | +Infix requires a default zone as a safety mechanism. Any interface not |
| 97 | +explicitly assigned to a zone automatically joins the default zone. This |
| 98 | +prevents accidentally leaving an interface unprotected. |
| 99 | + |
| 100 | +To set a zone as the default: |
| 101 | + |
| 102 | +```console |
| 103 | +admin@router:/config/firewall/> set zone wan default true |
| 104 | +``` |
| 105 | + |
| 106 | +### Beyond the Basics |
| 107 | + |
| 108 | +The firewall supports additional features for more complex scenarios: |
| 109 | + |
| 110 | +**Port forwarding**: DNAT rules to expose services in a DMZ to the Internet. |
| 111 | +Traffic can be forwarded to a different IP address and port than the original |
| 112 | +destination. |
| 113 | + |
| 114 | +**Custom filters**: Additional rules can be inserted at specific points in |
| 115 | +the netfilter pipeline for advanced filtering needs. |
| 116 | + |
| 117 | +**Network-based zones**: Instead of assigning interfaces, zones can match |
| 118 | +specific IP networks for forwarding traffic. |
| 119 | + |
| 120 | +For detailed configuration examples, including DMZ setups and port forwarding, |
| 121 | +see the [firewall documentation][1]. |
| 122 | + |
| 123 | +[1]: https://kernelkit.org/infix/latest/firewall/ |
| 124 | +[2]: https://firewalld.org |
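Review bot: The walkthrough under "A Simple Example" commits the configuration with `leave` (line 66 of the file) without ever marking a default zone, yet "The Default Zone" section states that Infix requires one; either the example does not apply as written or a reader will end up with a config that differs from what the post describes. Suggest moving `set zone wan default true` into the first block, before `leave`, so the example config satisfies the stated requirement and interfaces not listed (anything beyond eth0/eth1) fall into the `drop` zone rather than an undefined state. Two smaller points: the `{: #fig1 width="600" }` and `{: #fig2 width="600" }` attribute lines have no preceding image element to attach to, so the figures will not render unless the `![...](...)` lines are added above them; and the second sentence of the intro ("Exposing the most relevant functionality for your network security.") is a fragment, better joined to the first, e.g. "... is included, exposing the most relevant functionality for your network security."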