============
Traffic Zone
============

.. sidebar:: Contents

   .. contents::
      :depth: 2
      :local:

This chapter covers some aspects related to ``traffic zone``.

A ``traffic zone`` (or *security zone*) is a high-level abstraction with
specific security requirements. On OSDx, it is a portion of the network
namespace (i.e., a group of one or more interfaces) whose network traffic is
processed by combining different ``traffic policies``.

From the point of view of traffic zones, two types of traffic can be
distinguished: intra-zone and extra-zone traffic. The former is the traffic
between interfaces in the same zone; by default, this traffic is allowed. The
latter is the traffic between interfaces of different zones; by default, this
traffic is dropped.

An interface can belong to only one traffic zone. Moreover, only one zone can
be configured as ``local``. If a zone is set as local, all local traffic (i.e.,
traffic sent by or addressed to the device itself) belongs to that zone.

.. note::

   ``traffic zone`` has a lower priority than the interface/system
   ``traffic policy``. Therefore, if a ``traffic policy`` drops a packet, for
   example, the ``traffic zone`` policies (if any) are not processed at all.

It is advisable to take a look at :doc:`traffic policy <../policy/index>` and
:doc:`traffic selector <../selector/index>`.

Configuration
=============

This is the syntax to create a ``traffic zone`` (``local`` is one of the
options that can follow the zone name):

.. code-block:: none

   set traffic zone <zone> [ ... ]

In order to configure the relation between the different zones, you need to
use the following command. The policy is applied to traffic that enters the
device through an interface of ``<from-zone>`` and is directed to ``<zone>``:

.. code-block:: none

   set traffic zone <zone> from-zone <from-zone> policy <policy>

.. note::

   Please be aware that ``<from-zone>`` can be equal to ``<zone>``. If this is
   the case, the given policy replaces the default action for *intra-zone*
   traffic, which is to allow all network traffic.

In order to attach an interface to a specific ``traffic zone``, you have to
use the following command:

.. code-block:: none

   set interfaces <type> <name> traffic zone <zone>

Examples
========

Let's suppose we want to define three security zones in our system: WAN, LAN
and TUNNEL. In our LAN, we have a web server, so we would like to allow
incoming HTTP requests from WAN and allow all outgoing traffic towards WAN
(forwarding only). Regarding the TUNNEL zone, we might want to be able to
configure any device in the network from outside (including our own system),
using, for example, SSH. So, in this case, our device will not only forward
traffic, but also receive and send its own traffic.

In order to achieve that, you can use the following configuration:

.. code-block:: none

   set traffic zone LAN
   set traffic zone WAN
   set traffic zone TUNNEL local
   set traffic zone LAN from-zone WAN policy ALLOW_HTTP
   set traffic zone WAN from-zone LAN policy ALLOW_ALL_TRAFFIC
   set traffic zone TUNNEL from-zone TUNNEL policy ALLOW_SSH
   set interfaces tunnel tun0 traffic zone TUNNEL
   set interfaces tunnel tun1 traffic zone TUNNEL
   set interfaces ethernet eth0 traffic zone WAN
   set interfaces ethernet eth1 traffic zone LAN

.. note::

   Since we have not specified any relation between WAN-TUNNEL, LAN-TUNNEL or
   vice versa, the default action for packets that go between those zones is
   to drop them. Because TUNNEL is the ``local`` zone, this also covers the
   device's own traffic towards WAN or LAN, and traffic from WAN or LAN
   addressed to the device itself: if the device must, for example, reach
   hosts on WAN by itself, the corresponding ``from-zone`` policy has to be
   added. Likewise, the TUNNEL from-zone TUNNEL policy replaces the
   intra-zone default, so only what ``ALLOW_SSH`` permits will pass between
   tunnel interfaces and to/from the device.

.. warning::

   The previous configuration does not include the commands to create the
   ``traffic policies``, ``traffic selectors`` or ``interfaces``.

:ref:`Here `, you can find more examples related to ``traffic zones``.

Command Summary
===============

.. osdx:cmdtree:: cfg traffic zone

.. osdx:cmdtree:: op traffic policy traffic selector
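As an added illustration of the example configuration above (this script is not OSDx code and is not part of the original page), the following Python model parses those ``set`` lines and reports, for a handful of flows, which zone policy or default verdict applies under the rules stated in this chapter: intra-zone allowed by default, different zones dropped unless a ``from-zone`` policy exists, equal zones replacing the intra-zone default, the ``local`` zone owning the device's own traffic, and an interface/system ``traffic policy`` drop taking precedence. The pseudo-interface name ``local`` standing for the device itself, the regular expressions, and treating an unattached interface as an error are assumptions of the model; policy names such as ``ALLOW_HTTP`` are opaque labels whose contents are not evaluated.

```python
"""Model of how an OSDx traffic-zone configuration resolves a flow.

Added example, not OSDx code. It applies the rules stated in the chapter and
does not look inside the named policies.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed input: the zone-related lines of the chapter's example.
CONFIG = """
set traffic zone LAN
set traffic zone WAN
set traffic zone TUNNEL local
set traffic zone LAN from-zone WAN policy ALLOW_HTTP
set traffic zone WAN from-zone LAN policy ALLOW_ALL_TRAFFIC
set traffic zone TUNNEL from-zone TUNNEL policy ALLOW_SSH
set interfaces tunnel tun0 traffic zone TUNNEL
set interfaces tunnel tun1 traffic zone TUNNEL
set interfaces ethernet eth0 traffic zone WAN
set interfaces ethernet eth1 traffic zone LAN
"""

# Pseudo-interface name (an assumption of this model) standing for the device itself.
DEVICE = "local"

ZONE_RE = re.compile(r"^set traffic zone (\S+)( local)?$")
FROM_RE = re.compile(r"^set traffic zone (\S+) from-zone (\S+) policy (\S+)$")
IFACE_RE = re.compile(r"^set interfaces \S+ (\S+) traffic zone (\S+)$")


@dataclass
class ZoneConfig:
    zones: Set[str] = field(default_factory=set)
    local_zone: Optional[str] = None
    iface_zone: Dict[str, str] = field(default_factory=dict)            # interface -> zone
    policies: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (from, to) -> policy


def parse(config: str) -> ZoneConfig:
    """Parse ``set traffic zone`` / ``set interfaces ... traffic zone`` lines."""
    cfg = ZoneConfig()
    for line in config.strip().splitlines():
        line = line.strip()
        if m := FROM_RE.match(line):  # tried first: the plain zone pattern is a prefix of it
            to_zone, from_zone, policy = m.groups()
            cfg.policies[(from_zone, to_zone)] = policy
        elif m := ZONE_RE.match(line):
            zone, local = m.groups()
            cfg.zones.add(zone)
            if local:
                if cfg.local_zone not in (None, zone):
                    raise ValueError("only one zone can be local")
                cfg.local_zone = zone
        elif m := IFACE_RE.match(line):
            iface, zone = m.groups()
            if cfg.iface_zone.get(iface, zone) != zone:
                raise ValueError(f"{iface} already belongs to {cfg.iface_zone[iface]}")
            cfg.iface_zone[iface] = zone
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    referenced = set(cfg.iface_zone.values()) | {z for pair in cfg.policies for z in pair}
    if missing := referenced - cfg.zones:
        raise ValueError(f"undefined zone(s): {sorted(missing)}")
    return cfg


def zone_of(cfg: ZoneConfig, iface: str) -> str:
    """Zone owning an interface; DEVICE maps to the zone declared local."""
    if iface == DEVICE:
        if cfg.local_zone is None:
            raise ValueError("device traffic needs a zone declared 'local'")
        return cfg.local_zone
    if iface not in cfg.iface_zone:
        # The chapter does not say how unattached interfaces are treated; refuse to guess.
        raise ValueError(f"{iface} is not attached to any zone")
    return cfg.iface_zone[iface]


def resolve(cfg: ZoneConfig, in_iface: str, out_iface: str,
            interface_policy_drops: bool = False) -> str:
    """Name of the zone policy that processes a packet entering on in_iface and
    leaving on out_iface (either may be DEVICE), or the default 'ALLOW'/'DROP'."""
    if interface_policy_drops:  # interface/system policy has priority; zones are not consulted
        return "DROP"
    src, dst = zone_of(cfg, in_iface), zone_of(cfg, out_iface)
    if (src, dst) in cfg.policies:
        return cfg.policies[(src, dst)]
    return "ALLOW" if src == dst else "DROP"


def example_verdicts() -> Dict[Tuple[str, str], str]:
    """Verdicts for a few flows through the chapter's example configuration."""
    cfg = parse(CONFIG)
    flows = [("eth0", "eth1"),   # WAN -> LAN: the HTTP policy is consulted
             ("eth1", "eth0"),   # LAN -> WAN: the allow-all policy is consulted
             ("tun0", "tun1"),   # TUNNEL -> TUNNEL: intra-zone default replaced by ALLOW_SSH
             ("tun0", DEVICE),   # SSH to the device itself: local zone is TUNNEL
             (DEVICE, "eth0"),   # the device's own traffic towards WAN: no TUNNEL->WAN policy
             ("eth1", "tun0"),   # LAN -> TUNNEL: no policy, inter-zone default
             ("eth1", "eth1")]   # LAN -> LAN (e.g. hairpin between two LAN hosts): intra-zone default
    return {flow: resolve(cfg, *flow) for flow in flows}


if __name__ == "__main__":
    for (src, dst), verdict in example_verdicts().items():
        print(f"{src:>6} -> {dst:<6} {verdict}")
```

Running it prints one verdict per flow; the ``local -> eth0`` line showing ``DROP`` is the case worth noticing before deploying such a configuration, since the device itself would be unable to originate traffic towards WAN without an extra ``from-zone`` policy.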