Traffic Zone
This chapter covers some aspects related to traffic zones.
A traffic zone (or security zone) is a high-level
abstraction with specific security requirements. On OSDx,
it is a portion of the network namespace (i.e., a group
of at least one interface) where the network traffic is being
processed by combining different traffic policies.
From the point of view of the traffic zones, two types of traffic can be distinguished: intra-zone and extra-zone traffic.
The former refers to the traffic that is generated between interfaces in the same zone. By default, this traffic is allowed.
On the other hand, the latter refers to the traffic generated between interfaces of different zones. By default, this traffic is dropped.
An interface can only belong to a single traffic zone. Moreover, only one
zone can be configured as local. If a zone is set as local, then
all local traffic (i.e., traffic directed to or from the device itself) will belong to
that zone.
Note
A traffic zone has a lower priority than an interface or system
traffic policy. Therefore, if a traffic policy drops a packet, for
example, the traffic zone policies (if any) will not be
processed.
It is advisable to also take a look at traffic policy and traffic selector.
Configuration
This is the syntax to create a traffic zone:
set traffic zone <zone_name> [ ... ]
In order to configure the relation between the different zones, you need to use the following command:
set traffic zone <zone_name_1> from-zone <zone_name_2> policy <policy_name>
Note
Be aware that <zone_name_1> can be equal to <zone_name_2>. In that case, the command replaces the default action for intra-zone traffic, which is to allow all network traffic.
In order to attach an interface to a specific traffic zone, you have to use
the following command:
set interfaces <if_type> <if_name> traffic zone <zone_name>
Examples
Let's suppose we want to define three security zones in our system: WAN, LAN and TUNNEL. In our LAN we have a web server, so we would like to allow incoming HTTP requests from WAN and allow all outgoing traffic towards WAN (forwarding only).
Regarding the TUNNEL zone, we might want to be able to configure any device in the network from outside (including our system), using, for example, SSH. So, in this case, our device will not only forward traffic but also receive and send its own traffic.
In order to achieve that, you can use the following configuration:
set traffic zone LAN
set traffic zone WAN
set traffic zone TUNNEL local
set traffic zone LAN from-zone WAN policy ALLOW_HTTP
set traffic zone WAN from-zone LAN policy ALLOW_ALL_TRAFFIC
set traffic zone TUNNEL from-zone TUNNEL policy ALLOW_SSH
set interfaces tunnel tun0 traffic zone TUNNEL
set interfaces tunnel tun1 traffic zone TUNNEL
set interfaces ethernet eth0 traffic zone WAN
set interfaces ethernet eth1 traffic zone LAN
Note
Since we have not specified any relation between WAN and TUNNEL or between LAN and TUNNEL (in either direction), the default action for packets crossing those zones is to drop them.
Warning
The previous configuration does not include the commands to create the traffic
policies, traffic selectors or interfaces.
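As an added example (not OSDx code), the following Python script models the zone semantics described in this chapter and resolves which policy, or which default action, applies to traffic between two endpoints of the configuration above. It assumes only the three command forms shown here (zone creation, from-zone policy and interface attachment) and is useful for checking that every zone pair you care about has the policy you expect before the configuration is committed.

```python
import re
# Configuration lines copied from the example in this chapter (OSDx "set" syntax).
CONFIG = """
set traffic zone LAN
set traffic zone WAN
set traffic zone TUNNEL local
set traffic zone LAN from-zone WAN policy ALLOW_HTTP
set traffic zone WAN from-zone LAN policy ALLOW_ALL_TRAFFIC
set traffic zone TUNNEL from-zone TUNNEL policy ALLOW_SSH
set interfaces tunnel tun0 traffic zone TUNNEL
set interfaces tunnel tun1 traffic zone TUNNEL
set interfaces ethernet eth0 traffic zone WAN
set interfaces ethernet eth1 traffic zone LAN
"""

ZONE_RE = re.compile(r"^set traffic zone (\S+)(?: (local))?$")
REL_RE = re.compile(r"^set traffic zone (\S+) from-zone (\S+) policy (\S+)$")
IF_RE = re.compile(r"^set interfaces \S+ (\S+) traffic zone (\S+)$")

def parse(config):
    """Return (local_zone, policies, iface_zone); policies is keyed (to_zone, from_zone)."""
    local, policies, iface_zone = None, {}, {}
    for line in config.strip().splitlines():
        if m := REL_RE.match(line.strip()):
            to_zone, from_zone, policy = m.groups()   # first operand is the destination zone
            policies[(to_zone, from_zone)] = policy
        elif m := ZONE_RE.match(line.strip()):
            zone, is_local = m.groups()
            if is_local and local not in (None, zone):
                raise ValueError("only one zone can be configured as local")
            local = zone if is_local else local
        elif m := IF_RE.match(line.strip()):
            iface, zone = m.groups()
            if iface_zone.get(iface, zone) != zone:
                raise ValueError(f"{iface} can only belong to a single traffic zone")
            iface_zone[iface] = zone
    return local, policies, iface_zone

def lookup(cfg, src, dst):
    """Policy name or default action for traffic from src to dst ('local' is the device itself).
    Interface/system traffic policies, which run before zone policies, are not modelled."""
    local, policies, iface_zone = cfg
    zf = local if src == "local" else iface_zone[src]
    zt = local if dst == "local" else iface_zone[dst]
    if None in (zf, zt):
        return "drop (no local zone configured)"
    if (zt, zf) in policies:
        return policies[(zt, zf)]
    return "allow (intra-zone default)" if zf == zt else "drop (inter-zone default)"
```

For instance, `lookup(parse(CONFIG), "eth0", "tun0")` returns the inter-zone drop default, which is the situation the note above describes for WAN to TUNNEL traffic.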
Here, you can find more examples related
to traffic zones.