Vyatta - How to create a Firewall Policy

In this article we show how to create a firewall policy on a Brocade Vyatta router. Firewall policies are built much as on any other device: each rule matches on a combination of criteria such as source IP, destination IP, destination port and protocol, and the finished policy is then applied to an interface.

Group Types

There are three types of groups: address groups, network groups and port groups. Defining a group once and referencing it from rules keeps the rule set short and makes later changes (adding a host, opening a port) a single edit.

Address group - groups IP addresses and IP ranges. Repeat the command to add further members.

set firewall group address-group ADDGROUP address x.x.x.x|x.x.x.x-x.x.x.x

Network group - groups networks (CIDR prefixes).

set firewall group network-group NETGROUP network x.x.x.x/x

Port group - groups ports or port ranges.

set firewall group port-group PORTGROUP port x|x-x

Create Firewall Policy

When creating a firewall policy there is a huge range of options. In this example we cover the main four: action, source, destination and protocol. Rules are evaluated in numeric order and the first match wins; traffic that matches no rule is handled by the policy's default-action, which is drop unless you set it otherwise.

set firewall name OUTSIDE rule 10 action accept
set firewall name OUTSIDE rule 10 source address x.x.x.x
set firewall name OUTSIDE rule 10 source group (address-group <GROUP>|network-group <GROUP>)
set firewall name OUTSIDE rule 10 destination address x.x.x.x
set firewall name OUTSIDE rule 10 destination group (address-group <GROUP>|network-group <GROUP>|port-group <GROUP>)
set firewall name OUTSIDE rule 10 protocol (tcp_udp|all)

Assign to Interface

Next the firewall policy is assigned to an interface. To confirm the interface mapping (i.e. that eth3 is the OUTSIDE interface), run the command show interfaces. The in keyword filters traffic entering the router through that interface; out and local instead apply the policy to traffic leaving through the interface and to traffic addressed to the router itself.

set interfaces ethernet eth0 firewall in name 'OUTSIDE'


Finally, save your changes. This is a two-step process: first we save the changes to the saved configuration, then we commit them to the running configuration.

save - write to the saved (boot) configuration
commit - apply to the running configuration
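A complete policy that carries the steps above through end to end, as an added example rather than the article's own configuration. The group names, rule numbers, the web server at 10.0.1.5 and the management addresses in 203.0.113.0/24 are constructed for illustration; the example also goes a little beyond the article by adding a default action, a stateful accept rule, an anti-spoofing rule and logging, which are what turn a handful of accept rules into a usable inbound policy:

```text
configure

# Groups: reusable sets referenced by the rules below (constructed values)
set firewall group address-group MGMT-HOSTS address 203.0.113.10
set firewall group address-group MGMT-HOSTS address 203.0.113.20-203.0.113.29
set firewall group network-group INTERNAL-NETS network 10.0.0.0/8
set firewall group port-group WEB-PORTS port 80
set firewall group port-group WEB-PORTS port 443

# Policy: anything not matched by a rule below is dropped
set firewall name OUTSIDE description 'Inbound from the Internet'
set firewall name OUTSIDE default-action drop

# 5: packets arriving from outside that claim an internal source are spoofed
set firewall name OUTSIDE rule 5 action drop
set firewall name OUTSIDE rule 5 source group network-group INTERNAL-NETS
set firewall name OUTSIDE rule 5 log enable

# 10: allow replies to connections the inside already opened
set firewall name OUTSIDE rule 10 action accept
set firewall name OUTSIDE rule 10 state established enable
set firewall name OUTSIDE rule 10 state related enable

# 20: public web server, only the listed ports
set firewall name OUTSIDE rule 20 action accept
set firewall name OUTSIDE rule 20 protocol tcp
set firewall name OUTSIDE rule 20 destination address 10.0.1.5
set firewall name OUTSIDE rule 20 destination group port-group WEB-PORTS

# 30: SSH only from the management hosts, never from the whole Internet
set firewall name OUTSIDE rule 30 action accept
set firewall name OUTSIDE rule 30 protocol tcp
set firewall name OUTSIDE rule 30 source group address-group MGMT-HOSTS
set firewall name OUTSIDE rule 30 destination port 22

# 40: log what would otherwise fall through to the default action
set firewall name OUTSIDE rule 40 action drop
set firewall name OUTSIDE rule 40 log enable

# Apply to the Internet-facing interface (eth0 here; confirm with show interfaces)
set interfaces ethernet eth0 firewall in name OUTSIDE

# then finish with the save and commit steps described above
```

Rule 40 is deliberately redundant with the default action; it exists only so that dropped traffic shows up in the log, where it can be reviewed before a rule is loosened.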


Tags: Vyatta, Brocade, ACL