# Zone-Based Firewall plugin

This plugin creates a simple Zone-Based Firewall configuration for specific nodes. For now, the plugin supports only default *zone to zone* rules, with `permit` or `deny` actions.

## Supported Platforms

The plugin includes Jinja2 templates for the following platforms:

| Operating system | Default Policies |
| ---------------- | :--------------: |
| Juniper vSRX     | ✅ |
| VyOS             | ✅ |

## Using the Plugin

* Add `plugin: [ firewall.zonebased ]` to the lab topology.
* Include the **firewall.zonebased.default_rules** attribute in the firewall node.
* Include the **firewall.zone** attribute in the firewall links/interfaces.

### Supported attributes

The plugin adds the following attributes defined at node level:

* **firewall.zonebased.default_rules** (list) -- List of default *zone to zone* policies. Each item is a *dict* with the following attributes:
  * **from_zone** (id, mandatory) -- Policy Source Zone
  * **to_zone** (id, mandatory) -- Policy Destination Zone
  * **action** (string, mandatory, one of `permit`, `deny`) -- Policy Action

Additional interface-level attributes:

* **firewall.zone** (id) -- the firewall zone for this firewall interface

## Example

```yaml
plugin: [ firewall.zonebased ]

nodes:
  fw:
    firewall.zonebased:
      default_rules:
      - from_zone: trusted
        to_zone: trusted
        action: permit
      - from_zone: trusted
        to_zone: untrusted
        action: permit
  h1:
  h2:

links:
- fw:
    firewall.zone: trusted
  h1:
- fw:
    firewall.zone: untrusted
  h2:
```
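The attribute rules above (mandatory `from_zone`/`to_zone`/`action`, actions limited to `permit`/`deny`, zones bound to interfaces) are easy to get wrong in a hand-written topology, and a rule that references a zone no interface belongs to, or two rules that disagree about the same zone pair, will not be caught by the YAML parser. The checker below is an added example, not code from the plugin or from netlab: it assumes the topology has already been parsed into plain Python dicts and lists using the attribute names documented above, and the two sample topologies embedded in it are constructed (the first mirrors the example in this README, the second is deliberately malformed). It also reports zone pairs that have no explicit default rule, so the operator knows which traffic direction is left to the platform's own default behaviour rather than to the topology.

```python
"""Consistency checks for firewall.zonebased attributes in a parsed topology.

Added example, not part of the plugin. Assumes the topology is already a
Python dict with the attribute names used in the plugin documentation.
"""

VALID_ACTIONS = {"permit", "deny"}
MANDATORY_KEYS = ("from_zone", "to_zone", "action")

# Constructed sample: mirrors the README example topology.
SAMPLE_TOPOLOGY = {
    "plugin": ["firewall.zonebased"],
    "nodes": {
        "fw": {
            "firewall.zonebased": {
                "default_rules": [
                    {"from_zone": "trusted", "to_zone": "trusted", "action": "permit"},
                    {"from_zone": "trusted", "to_zone": "untrusted", "action": "permit"},
                ]
            }
        },
        "h1": None,
        "h2": None,
    },
    "links": [
        {"fw": {"firewall.zone": "trusted"}, "h1": None},
        {"fw": {"firewall.zone": "untrusted"}, "h2": None},
    ],
}

# Constructed sample with deliberate mistakes: an action outside permit/deny,
# a zone ("dmz") bound to no interface, two rules that disagree on the same
# zone pair, and a rule missing mandatory keys.
BROKEN_TOPOLOGY = {
    "plugin": ["firewall.zonebased"],
    "nodes": {
        "fw": {
            "firewall.zonebased": {
                "default_rules": [
                    {"from_zone": "trusted", "to_zone": "dmz", "action": "allow"},
                    {"from_zone": "trusted", "to_zone": "untrusted", "action": "permit"},
                    {"from_zone": "trusted", "to_zone": "untrusted", "action": "deny"},
                    {"from_zone": "untrusted"},
                ]
            }
        },
        "h1": None,
        "h2": None,
    },
    "links": SAMPLE_TOPOLOGY["links"],
}


def interface_zones(topology, node):
    """Collect every firewall.zone assigned to `node` on any link."""
    zones = set()
    for link in topology.get("links", []):
        attrs = link.get(node)
        if isinstance(attrs, dict) and attrs.get("firewall.zone"):
            zones.add(attrs["firewall.zone"])
    return zones


def validate_rules(topology, node):
    """Return a list of findings (strings) for the node's default_rules.

    An empty list means the rules are internally consistent and every zone
    pair between the node's interfaces has an explicit default rule.
    """
    findings = []
    node_data = topology.get("nodes", {}).get(node) or {}
    rules = (node_data.get("firewall.zonebased") or {}).get("default_rules") or []
    zones = interface_zones(topology, node)

    if not rules:
        findings.append(f"{node}: no default_rules defined")

    for i, rule in enumerate(rules):
        for key in MANDATORY_KEYS:
            if key not in rule:
                findings.append(f"{node}: rule {i} missing mandatory '{key}'")
        action = rule.get("action")
        if action is not None and action not in VALID_ACTIONS:
            findings.append(f"{node}: rule {i} has invalid action '{action}'")
        for key in ("from_zone", "to_zone"):
            zone = rule.get(key)
            if zone is not None and zone not in zones:
                findings.append(
                    f"{node}: rule {i} references zone '{zone}' not bound to any interface")

    # Same zone pair listed twice with different actions: the rendered policy
    # depends on template ordering, so flag it instead of guessing.
    seen = {}
    for i, rule in enumerate(rules):
        pair = (rule.get("from_zone"), rule.get("to_zone"))
        if pair in seen and seen[pair] != rule.get("action"):
            findings.append(
                f"{node}: rule {i} conflicts with an earlier rule for {pair[0]} -> {pair[1]}")
        seen.setdefault(pair, rule.get("action"))

    # Zone pairs with no explicit rule fall back to whatever the platform does.
    for src in sorted(zones):
        for dst in sorted(zones):
            if (src, dst) not in seen:
                findings.append(f"{node}: no explicit default rule for {src} -> {dst}")
    return findings


if __name__ == "__main__":
    for name, topo in (("sample", SAMPLE_TOPOLOGY), ("broken", BROKEN_TOPOLOGY)):
        print(f"== {name} ==")
        for line in validate_rules(topo, "fw"):
            print(" ", line)
```

Run against the README's own example, the checker finds no errors but reports that `untrusted -> trusted` and `untrusted -> untrusted` have no explicit rule, which is exactly the question a reviewer of that topology should be asking.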