Substantial work has been done by Marian Tudosoiu to bring IPv6 firewall groups to the current implementation of firewall configuration scripts even before we give it a complete rewrite. It's already merged into the current branch and is expected to be included in the 1.2.0-rc1 release. Now it's probably a good time to make a post about using firewall groups for those who haven't used them yet.



Of course there's still a lot of work to be done, such as integrating groups into NAT, which likely does require a complete rewrite to be feasible.





The concept is simple enough: instead of creating multiple rules that differ only in an address or a port number, you create a group containing all those addresses or ports and reference the group in a single rule.



VyOS has three group types: address groups (host addresses), network groups (prefixes in CIDR notation), and port groups (port numbers or ranges). In 1.1.8 they can only be used with IPv4 firewall rulesets, including "policy route" rules; IPv6 rulesets and NAT cannot reference them yet.



Let's create some groups:



set firewall group port-group ManagementPorts port 22
set firewall group port-group ManagementPorts port 23
set firewall group port-group ManagementPorts port 443

set firewall group address-group Servers address 10.10.0.10
set firewall group address-group Servers address 10.10.0.15
set firewall group address-group Servers address 10.10.0.20

set firewall group network-group TrustedNets network 192.168.5.0/24
set firewall group network-group TrustedNets network 172.18.19.128/25
set firewall group network-group TrustedNets network 10.20.30.144/32

Now we can create a ruleset that uses them (as always, a named ruleset filters nothing until it is assigned to an interface in the in, out or local direction). Let's make a rule that references nothing but groups:

set firewall name DMZ-In rule 10 action accept
set firewall name DMZ-In rule 10 protocol tcp
set firewall name DMZ-In rule 10 source group network-group TrustedNets
set firewall name DMZ-In rule 10 destination group port-group ManagementPorts
set firewall name DMZ-In rule 10 destination group address-group Servers

The important property is that you can modify a group's members on the fly: every rule that references the group picks up the change on commit, without the rules themselves being touched.
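As an added example (not from this post or the VyOS project), here is a small Python script that generates the group and rule commands shown above from an inventory and lints every member before it is pasted into configure mode. It goes slightly beyond the post: port ranges are accepted, IPv6 members are rejected up front because 1.1.8 groups are IPv4-only, and prefixes with host bits set are rejected as probable typos. The inventory values and the flat-rule estimate (one source network, one destination address and one port per rule) are constructed assumptions for illustration.

```python
"""Generate VyOS 1.1 firewall group and rule commands from an inventory.

Added example, not VyOS code. It assumes the 1.1.8 CLI syntax used in the
post and the 1.1.8 restriction that groups are IPv4-only, so IPv6 members
are rejected before they ever reach 'configure'.
"""
import ipaddress

# Constructed inventory mirroring the groups in the post.
GROUPS = {
    "port-group": {"ManagementPorts": [22, 23, 443]},
    "address-group": {"Servers": ["10.10.0.10", "10.10.0.15", "10.10.0.20"]},
    "network-group": {
        "TrustedNets": ["192.168.5.0/24", "172.18.19.128/25", "10.20.30.144/32"]
    },
}


def validate_member(group_type, member):
    """Return the member in canonical form, or raise ValueError."""
    if group_type == "port-group":
        # A single port or a range like 8000-8010. Service names such as
        # 'ssh' are deliberately not accepted to keep the lint strict.
        text = str(member)
        parts = text.split("-")
        if len(parts) > 2 or not all(p.isdigit() for p in parts):
            raise ValueError(f"bad port spec {member!r}")
        nums = [int(p) for p in parts]
        if not all(1 <= n <= 65535 for n in nums) or nums != sorted(nums):
            raise ValueError(f"port out of range or reversed: {member!r}")
        return text
    if group_type == "address-group":
        addr = ipaddress.ip_address(member)
        if addr.version != 4:
            raise ValueError(f"{member}: firewall groups are IPv4-only in 1.1.8")
        return str(addr)
    if group_type == "network-group":
        # strict=True rejects prefixes with host bits set (192.168.5.1/24),
        # which is almost always a typo in a network group.
        net = ipaddress.ip_network(member, strict=True)
        if net.version != 4:
            raise ValueError(f"{member}: firewall groups are IPv4-only in 1.1.8")
        return str(net)
    raise ValueError(f"unknown group type {group_type!r}")


def check_member(group_type, member):
    """Return None if the member is acceptable, otherwise the error text."""
    try:
        validate_member(group_type, member)
    except ValueError as exc:
        return str(exc)
    return None


def group_commands(groups):
    """Emit one 'set firewall group ...' line per member, validating each."""
    cmds = []
    for gtype, by_name in groups.items():
        keyword = gtype.split("-")[0]  # port / address / network
        for name, members in by_name.items():
            for member in members:
                value = validate_member(gtype, member)
                cmds.append(f"set firewall group {gtype} {name} {keyword} {value}")
    return cmds


def rule_commands(ruleset, number, src_net_group, dst_addr_group,
                  dst_port_group, action="accept", protocol="tcp"):
    """The single group-based rule from the post, parameterised."""
    prefix = f"set firewall name {ruleset} rule {number}"
    return [
        f"{prefix} action {action}",
        f"{prefix} protocol {protocol}",
        f"{prefix} source group network-group {src_net_group}",
        f"{prefix} destination group port-group {dst_port_group}",
        f"{prefix} destination group address-group {dst_addr_group}",
    ]


def flat_rule_count(groups, src_net_group, dst_addr_group, dst_port_group):
    """Rules needed without groups, assuming one source network, one
    destination address and one destination port per rule (an assumption)."""
    return (len(groups["network-group"][src_net_group])
            * len(groups["address-group"][dst_addr_group])
            * len(groups["port-group"][dst_port_group]))


if __name__ == "__main__":
    rule = rule_commands("DMZ-In", 10, "TrustedNets", "Servers", "ManagementPorts")
    for line in group_commands(GROUPS) + rule:
        print(line)
    print("# replaces", flat_rule_count(GROUPS, "TrustedNets", "Servers",
                                        "ManagementPorts"), "flat rules")
    # Growing the group later only adds a group line; the rule is untouched.
    GROUPS["address-group"]["Servers"].append("10.10.0.25")
    print([c for c in group_commands(GROUPS) if c.endswith("10.10.0.25")][0])
    assert rule == rule_commands("DMZ-In", 10, "TrustedNets", "Servers", "ManagementPorts")
```

Run it and paste the printed lines into configure mode; the point of the last two lines is that growing a group produces only a new "set firewall group" line, never a change to the rule that references it.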

As you can see, groups are a simple concept that can be learnt in minutes. Once they are available in IPv6 rulesets and NAT, their use there will be very similar.

