With PPPoE dial-up and internal network access in place, the most important remaining step is to put armour on the router. VyOS recommends the Zone-based Firewall (ZBF) model, which is clearer than traditional chain-style rules: interfaces are grouped into security zones, and policies are defined for traffic flowing between zones.
1. Core architecture: zone layout
Based on our network topology, three core zones are defined:
- LOCAL: the router itself (the VyOS system), highest security level.
- LAN: the trusted local network (currently bound to the physical interface eth1).
- WAN: the Internet edge (bound to the dial-up interface pppoe0).
2. Defining the rule sets
Policy principle: traffic between internal zones is accepted by default; inbound traffic from outside is dropped by default, except for return traffic belonging to existing connections.
A. IPv4 rules: stateful inspection
# Accept all internal traffic
set firewall ipv4 name LAN-LOCAL default-action 'accept'
set firewall ipv4 name LAN-WAN default-action 'accept'
set firewall ipv4 name LOCAL-LAN default-action 'accept'
set firewall ipv4 name LOCAL-WAN default-action 'accept'
# WAN inbound defence: block unsolicited probes, accept only established/related traffic
set firewall ipv4 name WAN-LAN default-action 'drop'
set firewall ipv4 name WAN-LAN rule 10 action 'accept'
set firewall ipv4 name WAN-LAN rule 10 state established
set firewall ipv4 name WAN-LAN rule 10 state related
set firewall ipv4 name WAN-LOCAL default-action 'drop'
set firewall ipv4 name WAN-LOCAL rule 10 action 'accept'
set firewall ipv4 name WAN-LOCAL rule 10 state established
set firewall ipv4 name WAN-LOCAL rule 10 state related
B. IPv6 rules: addressing the risk of having no NAT
In an IPv6 environment the WAN-LAN rule set is critical: although internal devices hold globally routable addresses, it ensures that nobody outside can initiate connections to them. At the same time ICMPv6 must be allowed, or the network stops working properly.
# Accept internal traffic
set firewall ipv6 name LAN-LOCAL default-action 'accept'
set firewall ipv6 name LAN-WAN default-action 'accept'
set firewall ipv6 name LOCAL-LAN default-action 'accept'
set firewall ipv6 name LOCAL-WAN default-action 'accept'
# --- WAN to LAN (protect internal devices) ---
set firewall ipv6 name WAN-LAN default-action 'drop'
set firewall ipv6 name WAN-LAN rule 10 action 'accept'
set firewall ipv6 name WAN-LAN rule 10 state established
set firewall ipv6 name WAN-LAN rule 10 state related
set firewall ipv6 name WAN-LAN rule 20 action 'accept'
set firewall ipv6 name WAN-LAN rule 20 protocol 'icmpv6' # allows PMTU discovery and similar
# --- WAN to LOCAL (protect the router) ---
set firewall ipv6 name WAN-LOCAL default-action 'drop'
set firewall ipv6 name WAN-LOCAL rule 10 action 'accept'
set firewall ipv6 name WAN-LOCAL rule 10 state established
set firewall ipv6 name WAN-LOCAL rule 10 state related
set firewall ipv6 name WAN-LOCAL rule 15 action 'accept'
set firewall ipv6 name WAN-LOCAL rule 15 protocol 'icmpv6' # needed for gateway discovery via RA
set firewall ipv6 name WAN-LOCAL rule 20 action 'accept'
set firewall ipv6 name WAN-LOCAL rule 20 protocol 'udp'
set firewall ipv6 name WAN-LOCAL rule 20 source port '547'
set firewall ipv6 name WAN-LOCAL rule 20 destination port '546' # needed for DHCPv6 prefix acquisition
3. Activating the zone assignment
Once the rule sets are defined, bind them to the zones and associate each zone with its interface.
# 1. LOCAL zone
set firewall zone LOCAL local-zone
set firewall zone LOCAL from LAN firewall name 'LAN-LOCAL'
set firewall zone LOCAL from LAN firewall ipv6-name 'LAN-LOCAL'
set firewall zone LOCAL from WAN firewall name 'WAN-LOCAL'
set firewall zone LOCAL from WAN firewall ipv6-name 'WAN-LOCAL'
# 2. LAN zone (bound to physical port eth1)
set firewall zone LAN member interface 'eth1'
set firewall zone LAN from LOCAL firewall name 'LOCAL-LAN'
set firewall zone LAN from LOCAL firewall ipv6-name 'LOCAL-LAN'
set firewall zone LAN from WAN firewall name 'WAN-LAN'
set firewall zone LAN from WAN firewall ipv6-name 'WAN-LAN'
# 3. WAN zone
set firewall zone WAN member interface 'pppoe0'
set firewall zone WAN from LAN firewall name 'LAN-WAN'
set firewall zone WAN from LAN firewall ipv6-name 'LAN-WAN'
set firewall zone WAN from LOCAL firewall name 'LOCAL-WAN'
set firewall zone WAN from LOCAL firewall ipv6-name 'LOCAL-WAN'
commit
save
4. Pitfalls: why the default route may need to be added by hand
Even with ICMPv6 allowed, some ISPs do not send RA (Router Advertisements) on their own, so VyOS may fail to create the ::/0 default route automatically. If the router has an IPv6 address but no IPv6 Internet access, add the route manually:
set protocols static route6 ::/0 interface pppoe0
commit
save
5. Firewall configuration complete.
This is only a basic configuration, but it meets the needs of an ordinary home network.
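To check how the IPv4 and IPv6 rule sets from section 2 behave, here is an added Python model (not VyOS code and not part of the original post) that encodes the zone pairs, rule numbers and match criteria from that configuration and evaluates constructed sample flows against them. The zone names, rule numbers, default actions and the 547/546 port match come from the configuration above; the Flow fields, the matcher names and the sample flows are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    family: str      # "ipv4" or "ipv6"
    src_zone: str    # "LAN", "WAN" or "LOCAL"
    dst_zone: str
    state: str       # conntrack state: "new", "established" or "related"
    protocol: str = "tcp"
    sport: int = 0
    dport: int = 0
# Matchers mirroring the 'state', 'protocol' and port criteria used in the rule sets.
def is_reply(f):  return f.state in ("established", "related")
def is_icmpv6(f): return f.protocol == "icmpv6"
def is_dhcpv6_reply(f): return f.protocol == "udp" and f.sport == 547 and f.dport == 546
# Rule-set name -> (rules as (number, matcher, action), default-action), per family.
OPEN = ([], "accept")
POLICY = {
    "ipv4": {
        "LAN-LOCAL": OPEN, "LAN-WAN": OPEN, "LOCAL-LAN": OPEN, "LOCAL-WAN": OPEN,
        "WAN-LAN":   ([(10, is_reply, "accept")], "drop"),
        "WAN-LOCAL": ([(10, is_reply, "accept")], "drop"),
    },
    "ipv6": {
        "LAN-LOCAL": OPEN, "LAN-WAN": OPEN, "LOCAL-LAN": OPEN, "LOCAL-WAN": OPEN,
        "WAN-LAN":   ([(10, is_reply, "accept"), (20, is_icmpv6, "accept")], "drop"),
        "WAN-LOCAL": ([(10, is_reply, "accept"), (15, is_icmpv6, "accept"),
                       (20, is_dhcpv6_reply, "accept")], "drop"),
    },
}

def evaluate(flow):
    """Return (action, reason): first matching rule in number order, else default-action."""
    if flow.src_zone == flow.dst_zone:
        return "accept", "intra-zone"              # ZBF does not filter inside one zone
    name = f"{flow.src_zone}-{flow.dst_zone}"
    ruleset = POLICY[flow.family].get(name)
    if ruleset is None:
        return "drop", f"{name} has no rule set"   # zone pair without a policy is dropped
    rules, default = ruleset
    for number, matcher, action in sorted(rules, key=lambda r: r[0]):
        if matcher(flow):
            return action, f"{name} rule {number}"
    return default, f"{name} default-action"
# Constructed sample flows: an unsolicited inbound connection to port 22, a reply packet,
# and the two IPv6 exceptions (ICMPv6 to the LAN, DHCPv6 server reply to the router).
SAMPLES = (Flow("ipv4", "WAN", "LAN", "new", "tcp", 40000, 22),
           Flow("ipv4", "WAN", "LAN", "established", "tcp", 443, 51000),
           Flow("ipv6", "WAN", "LAN", "new", "icmpv6"),
           Flow("ipv6", "WAN", "LOCAL", "new", "udp", 547, 546))
```

Running `evaluate` over `SAMPLES` shows the probe hitting the WAN-LAN default drop, the reply matching rule 10, and the two IPv6 exceptions matching rules 20 and 20 respectively.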