Project Soon

Firewall Groups V2

I previously made it possible to build very large firewall groups. As part of that, a group could also be given a list of URLs so that its IPs are refreshed periodically without manual intervention. Since I also have some rather big manual lists, it is time to make this more automatic and to expand what it can do.

The first step was to rewrite the script so that it handles both dynamic (URL-fed) and static lists. Initially I chose to keep one data file per group, but I ended up pushing the lists and their metadata as a single JSON document into one file. That was easier to implement, and it meant I did not have to maintain my own limited file format.

Then it was time to follow the VyOS naming convention for groups properly. A name consists of one or two characters for the group type, an optional 6 if the group is for IPv6, and then an underscore followed by the group's own name. The scheme is compact and easy to read, but supporting it adds a fair amount of extra code in which it is very easy to get something wrong. I will only use two of the types for now, but I might use more in the future. In the end, the final script only needed slight modifications.

---
- name: Handle block lists
  tags: firewall
  # VyOS collection holds connection as hostage, so force through
  connection: ssh
  remote_user: "{{ hostvars[inventory_hostname].ansible_user }}" # Avoid recursive lookup
  delegate_to: "{{ ansible_host }}"
  become: yes
  block:
  # The script fills groups that the regular VyOS config already creates empty
  - name: Copy over script
    copy:
      src: reload-firewall-groups.py
      dest: /config/scripts/reload-firewall-groups.py
      mode: '0755'
      owner: root
      group: vyattacfg

  # All lists and their metadata go into one JSON document
  - name: Create firewall-groups file
    copy:
      content: "{{ router_vyos_firewall_blocklists | to_json }}"
      dest: /config/user-data/firewall-groups.json
      mode: '0644'
      owner: root
      group: vyattacfg

  - name: Apply script
    command: /config/scripts/reload-firewall-groups.py

  # Run the script again after every reboot so the groups are refilled
  - name: Patch post boot script
    blockinfile:
      path: /config/scripts/vyos-postconfig-bootup.script
      block: /config/scripts/reload-firewall-groups.py

Ansible turned out to be the harder part. I tried several ways to find out why it was possible to set the connection fields used above (connection, remote_user and delegate_to) on a play, but impossible to change them inside a local action. I reluctantly gave in and created a tasks file, putting the fields on a task and placing all related tasks inside a block. The tasks first copy over the script, then write the group definitions to a file as JSON, run the script to apply them to the firewall, and finally make sure the lists are refilled after a reboot by running the script from the post-boot script. All other firewall rules, and the scheduled task that refreshes the groups regularly, are handled through VyOS's own configuration; the only change on the firewall side was to create the groups without giving them any members.
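To make the procedure above concrete, here is an added example written for this post; it is not the author's reload-firewall-groups.py. It reads the kind of JSON the Ansible task writes (the exact layout of router_vyos_firewall_blocklists is an assumption, as are the prefix letters N and A for network and address groups), builds group names according to the convention described above, merges static entries with URL-fed ones, and emits the VyOS set commands wrapped in the standard vbash script template. Two points a practitioner will care about are built in: every member is validated with the ipaddress module before it reaches a configuration line, so a poisoned or malformed feed cannot smuggle extra tokens into the command, and a group whose feed cannot be fetched is left untouched rather than emptied, because an emptied block group fails open. The sample groups and feed are constructed; fetch_url is the real fetcher and the sample run swaps in an offline fake.

```python
"""Build VyOS firewall-group commands from a JSON description of static and
URL-fed lists.  Added example for this post, not the author's
reload-firewall-groups.py: the JSON layout, the prefix letters and the
sample feed below are assumptions."""
import ipaddress
import json
import urllib.request

# Assumed mapping of list type -> prefix of the naming scheme described above
PREFIX = {"network": "N", "address": "A"}
GROUP_KEYWORD = {"network": "network-group", "address": "address-group"}
MEMBER_KEYWORD = {"network": "network", "address": "address"}


def safe_name(name):
    """Only letters, digits, '-' and '_' may reach a 'set' line unquoted."""
    return bool(name) and all(c.isalnum() or c in "-_" for c in name)


def group_name(kind, family, name):
    """Prefix letter(s), optional '6' for IPv6, underscore, then the name."""
    if not safe_name(name):
        raise ValueError(f"unsafe group name: {name!r}")
    return f"{PREFIX[kind]}{'6' if family == 'ipv6' else ''}_{name}"


def parse_entries(text, kind, family):
    """Turn a downloaded or manual list into validated members of one family.
    Comments (# or ;) are stripped and anything that does not parse as an
    address or prefix is dropped, so a poisoned feed cannot smuggle extra
    tokens into the generated configuration commands."""
    members = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if not fields:
            continue
        try:
            if kind == "network":
                obj = ipaddress.ip_network(fields[0], strict=False)
            else:
                obj = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        if obj.version == (6 if family == "ipv6" else 4):
            members.add(obj)
    return [str(m) for m in sorted(members)]


def fetch_url(url, timeout=10):
    """Real fetcher used on the router; the sample run below injects a fake."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def build_commands(groups, fetch=fetch_url):
    """Return 'delete' + 'set' lines per group.  A group whose feed cannot be
    fetched is left untouched rather than emptied, so a feed outage does not
    silently turn a blocklist off."""
    commands = []
    for g in groups:
        kind, family = g["type"], g["family"]
        name = group_name(kind, family, g["name"])
        text = "\n".join(g.get("entries", []))
        try:
            for url in g.get("urls", []):
                text += "\n" + fetch(url)
        except Exception:            # DNS, TLS, HTTP or timeout failure
            commands.append(f"# skipped {name}: fetch failed")
            continue
        keyword = ("ipv6-" if family == "ipv6" else "") + GROUP_KEYWORD[kind]
        path = f"firewall group {keyword} {name} {MEMBER_KEYWORD[kind]}"
        commands.append(f"delete {path}")
        commands.extend(f"set {path} {m}" for m in parse_entries(text, kind, family))
    return commands


def render_vbash(commands):
    """Wrap the commands in the standard VyOS script template so the output
    can be run with vbash from cron or the post-boot script."""
    lines = ["#!/bin/vbash", "source /opt/vyatta/etc/functions/script-template",
             "configure"] + commands + ["commit", "exit"]
    return "\n".join(lines) + "\n"


# Constructed sample input in the assumed JSON layout, plus a constructed feed
SAMPLE_GROUPS = json.loads("""[
  {"name": "feed-v4", "type": "network", "family": "ipv4",
   "urls": ["https://feeds.example.invalid/drop.txt"]},
  {"name": "manual-v6", "type": "network", "family": "ipv6",
   "entries": ["2001:db8::/32", "2001:db8:ffff::1", "10.0.0.0/8"]},
  {"name": "dead-feed", "type": "address", "family": "ipv4",
   "urls": ["https://feeds.example.invalid/missing.txt"]}
]""")
SAMPLE_FEEDS = {"https://feeds.example.invalid/drop.txt":
                "; constructed feed\n198.51.100.0/24 ; SBL123\n203.0.113.7\n"
                "not-an-address\n192.0.2.0/24 ; rm -rf /\n2001:db8::/32\n"}


def fake_fetch(url):
    """Offline stand-in for fetch_url: unknown URLs fail like a dead feed."""
    if url not in SAMPLE_FEEDS:
        raise OSError("HTTP 404")
    return SAMPLE_FEEDS[url]


if __name__ == "__main__":
    print(render_vbash(build_commands(SAMPLE_GROUPS, fetch=fake_fetch)))
```

Running it prints a vbash script with three set lines for N_feed-v4 (the IPv6 prefix and the junk line from the feed are dropped), two for N6_manual-v6 (the IPv4 prefix is dropped), and only a comment for A_dead-feed, whose existing members stay in place. The delete before each set replaces the whole member list rather than accumulating stale entries across refreshes.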

It is well known that VyOS is first and foremost a router OS, while similar systems such as OPNsense and pfSense have better support for dynamic firewall handling and even have this specific feature built in. I knew this and still chose VyOS because it works better with Ansible. It is a bit bothersome, but at least it works now, and I probably will not have to touch it again until I add more lists. With my previous lists it took about half a second to fetch and load the group; now, with three additional lists, it takes 2.5 seconds, which is understandable. That could be reduced further by having a second service generate more compact lists for VyOS to read from, but it should not be necessary at the current stage.