Block a /32 IP using VyOS

Hello guys,

Are you able to help me with blocking some IPs on my router?
I have this one until now:

set firewall group address-group ag-Blacklist
set firewall group network-group ag-Blacklist network '62.183.2.224/32'
set firewall group network-group ng-Blacklist
set firewall name WAN_IN rule 1010 action 'drop'
set firewall name WAN_IN rule 1010 description 'Drop traffic from blacklisted networks'
set firewall name WAN_IN rule 1010 source group network-group 'ng-Blacklist'
set firewall name WAN_IN rule 1011 action 'drop'
set firewall name WAN_IN rule 1011 description 'Drop traffic from blacklisted addresses'
set firewall name WAN_IN rule 1011 source group address-group 'ag-Blacklist'

But that IP is not blocked on my network.
I have the following architecture:
eth0 - in
eth1 - in
eth3 - out to my network (I have BGP enabled and 4 subnets)
Well, I want to block all incoming traffic from 62.183.2.224 (only an example) on both eth0 and eth1.

Thanks a lot!

Hi @BIT2GB
Try to replace the network-group with an address-group and don't mix them with the same names. Add a "default action" for the firewall (for example, accept):
set firewall name WAN_IN default-action accept

If you need to deny addresses from the Blacklist to the local router:
set interfaces ethernet eth0 firewall local WAN_IN
set interfaces ethernet eth1 firewall local WAN_IN
If you need to deny addresses from the Blacklist for forwarded packets on the inbound interface:
set interfaces ethernet eth0 firewall in WAN_IN
set interfaces ethernet eth1 firewall in WAN_IN

You can combine them.

Ok, thanks.
And one more question: do you have any script that can take all the IPs from a txt file and add them into the firewall?
Something like this: https://github.com/bradpeczka/vyos/blob/master/updateBlacklist/updateBlacklist.sh
I tested it but it doesn't work for me because I can't access domains from my router; instead I want to create a txt file that will be updated and automatically loaded into the firewall.

Thanks.

I have something like this:
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper begin
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper delete firewall group address-group ag-Blacklist
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set firewall group address-group ag-Blacklist description "Designated threat addresses"

cat address.txt | while read line || [[ -n $line ]]; do
    echo $line
    /opt/vyatta/sbin/vyatta-cfg-cmd-wrapper set firewall group address-group ag-Blacklist address $line
done
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper commit
/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper end

But I have a problem: in the set firewall command $line doesn't take any value and is used literally as $line, even though echo prints the correct value.
Does someone know why?

Thanks

@BIT2GB Those lists with addresses
104.238.80.237
202.27.100.0/22

For an address group you can use only a /24 or an address without a prefix.
For a network group you can use any prefix.
But you can't use a network group without a prefix.
You need to build your own logic.

So how about some changes in your script?
$ cat /tmp/address.txt
103.9.226.57
103.97.95.221
104.131.41.185
104.168.96.122
104.182.56.131

sudo cat /tmp/script.sh

#!/bin/vbash

cfg="/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper"

$cfg begin
$cfg delete firewall group address-group ag-Blacklist
$cfg set firewall group address-group ag-Blacklist description "Designated threat addresses"

for line in $(cat /tmp/address.txt)
do
    echo $line
    $cfg set firewall group address-group ag-Blacklist address ${line}
done

$cfg commit
$cfg end

Show firewall:

sever@vyos-1.3# show firewall
 group {
     address-group ag-Blacklist {
         address 103.9.226.57
         address 103.97.95.221
         address 104.131.41.185
         address 104.168.96.122
         address 104.182.56.131
         description "Designated threat addresses"
     }
 }
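The address-group/network-group split described above, as an added example (not code from the thread or from VyOS): a bash script that reads a plain-text list, validates each entry, emits address-group commands for host addresses and network-group commands for prefixes, and skips anything malformed instead of handing it to the config wrapper. The group names and the wrapper path follow the thread; the list format (one entry per line, # comments allowed) is an assumption.

```bash
#!/bin/bash
# Added example, not from the thread: turn a plain-text blacklist into VyOS set
# commands, sending host addresses to the address-group and CIDR prefixes to the
# network-group (the split the reply above says you must build yourself).
# Group names and the wrapper path follow the thread; the list format is assumed.
CFG="/opt/vyatta/sbin/vyatta-cfg-cmd-wrapper"
AG="ag-Blacklist"; NG="ng-Blacklist"

# True if $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
    local octs oct
    [[ "$1" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]] || return 1
    IFS=. read -r -a octs <<< "$1"
    for oct in "${octs[@]}"; do (( 10#$oct <= 255 )) || return 1; done
}

# Print "address", "network" or "invalid"; a /32 is one host, so it is an address.
classify_entry() {
    local ip="${1%%/*}" len="${1#*/}"
    if [[ "$1" == */* ]]; then
        [[ "$len" =~ ^[0-9]{1,2}$ ]] && (( 10#$len <= 32 )) || { echo invalid; return; }
    fi
    valid_ipv4 "$ip" || { echo invalid; return; }
    [[ "$1" == */* ]] && (( 10#$len < 32 )) && echo network || echo address
}

# Read entries on stdin (blank lines and # comments ignored) and print the set
# commands; malformed entries go to stderr and are never handed to the wrapper.
gen_commands() {
    local line
    while IFS= read -r line || [[ -n "$line" ]]; do
        line="${line%%#*}"; line="${line//[[:space:]]/}"
        [[ -z "$line" ]] && continue
        case "$(classify_entry "$line")" in
            address) echo "set firewall group address-group $AG address ${line%/32}" ;;
            network) echo "set firewall group network-group $NG network $line" ;;
            *)       echo "skipping invalid entry: $line" >&2 ;;
        esac
    done
}

# Rebuild both groups from a list file in ONE session: delete and re-add happen
# before the single commit, so the groups WAN_IN references never go missing.
apply_list() {
    $CFG begin
    $CFG delete firewall group address-group "$AG"
    $CFG delete firewall group network-group "$NG"
    while IFS= read -r cmd; do $CFG $cmd; done < <(gen_commands < "$1")
    $CFG commit && $CFG end
}
```

Source the file and run `gen_commands < /config/scripts/address.txt` to preview the commands, or call `apply_list /config/scripts/address.txt` from the task-scheduler job to commit them.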

Thanks for the info Viacheslav.
I have only one more question.
The task scheduler doesn't work and I don't know why.
I have these lines in configure:

set system task-scheduler task updateBlacklist crontab-spec '30 10 * * *'
set system task-scheduler task updateBlacklist executable path '/home/vyos/script.sh'

Try to move the script to the directory /config/scripts/
Also set it executable:
chmod +x /config/scripts/script.sh

Thanks,
But I have another problem.
I manually added 2 IPs to my address group and after that I deleted them, but somehow if I use show firewall group they are still there. I checked config.boot and they are not there.
I tried to load the config, same issue.
What can I do?

Please see:

show configuration commands
set firewall group address-group ag-Blacklist address '216.218.131.2'
set firewall group address-group ag-Blacklist address '79.113.230.222'
set firewall group address-group ag-Blacklist address '82.118.236.189'
set firewall group address-group ag-Blacklist address '82.77.69.8'
set firewall group address-group ag-Blacklist description 'Designated threat addresses'
set firewall group network-group ng-Blacklist description 'Designated threat addresses'
set firewall group network-group ng-Blacklist network '1.10.16.0/20'
set firewall group network-group ng-Blacklist network '1.19.0.0/16'

and in the firewall group:

Name : ag-Blacklist
Type : address
Description: Designated threat addresses
References : WAN_IN-1011-source
Members :
  79.113.230.222
  82.77.69.8
  82.77.69.9
  82.77.69.10
  82.118.236.189
  216.218.131.2

How is this possible?

delete firewall group address-group ag-Blacklist
commit
set firewall group address-group ag-Blacklist
commit

Can you try to reproduce it again?

I did this operation already and I get the same behavior…
Any other idea?
Please see the output:

vyos@vyos# delete firewall group address-group ag-Blacklist
[edit]
vyos@vyos# commit
[ firewall group address-group ag-Blacklist ]
Error: group [ag-Blacklist] still in use.

[edit]
vyos@vyos# delete firewall group address-group ag-Blacklist

Nothing to delete (the specified node does not exist)

[edit]
vyos@vyos# commit
No configuration changes to commit
[edit]
vyos@vyos# set firewall group address-group ag-Blacklist
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
[edit]
vyos@vyos# exit
exit
vyos@vyos:/opt/vyatta/config/active$ show firewall group ag-Blacklist
Name : ag-Blacklist
Type : address
References : WAN_IN-1011-source
Members :
  79.113.230.222
  82.77.69.8
  82.77.69.9
  82.77.69.10
  82.118.236.189
  216.218.131.2
vyos@vyos:/opt/vyatta/config/active$

The first commit didn't work, because the group is used in the firewall.

delete firewall group address-group ag-Blacklist
set firewall group address-group ag-Blacklist
commit

Ok, but the behavior is still the same:

vyos@vyos:/opt/vyatta/config/active$ configure
[edit]
vyos@vyos# delete firewall group address-group ag-Blacklist
[edit]
vyos@vyos#
[edit]
vyos@vyos# set firewall group address-group ag-Blacklist
[edit]
vyos@vyos# commit
[edit]
vyos@vyos# save
Saving configuration to '/config/config.boot'...
Done
[edit]
vyos@vyos# exit
exit
vyos@vyos:/opt/vyatta/config/active$ show firewall group ag-Blacklist
Name : ag-Blacklist
Type : address
Description: Designated threat addresses
References : WAN_IN-1011-source
Members :
  79.113.230.222
  82.77.69.8
  82.77.69.9
  82.77.69.10
  82.118.236.189
  216.218.131.2

P.S. Can I know what user and group need to be set on the files in:
/opt/vyatta/config/active

Thanks

Your config is now in conflict with the current configuration because part of the commits was wrong.

vyos@vyos# delete firewall group address-group ag-Blacklist
[edit]
vyos@vyos# commit
[ firewall group address-group ag-Blacklist ]
Error: group [ag-Blacklist] still in use.

vyos@vyos# delete firewall group address-group ag-Blacklist

Nothing to delete (the specified node does not exist)

The addresses were not correctly cleared from the firewall, but they are no longer present in the current configuration.
To fix it:

set firewall group address-group ag-Blacklist address '216.218.131.2'
set firewall group address-group ag-Blacklist address '79.113.230.222'
set firewall group address-group ag-Blacklist address '82.118.236.189'
set firewall group address-group ag-Blacklist address '82.77.69.8'
set firewall group address-group ag-Blacklist address '82.77.69.9'
set firewall group address-group ag-Blacklist address '82.77.69.10'
commit

delete firewall group address-group ag-Blacklist
set firewall group address-group ag-Blacklist
commit

Doesn't help:

vyos@vyos:/opt/vyatta/config/active$ configure
[edit]
vyos@vyos# set firewall group address-group ag-Blacklist address '82.77.69.8'

Configuration path: [firewall group address-group ag-Blacklist address 82.77.69.8] already exists

[edit]
vyos@vyos# set firewall group address-group ag-Blacklist address '82.77.69.9'
[edit]
vyos@vyos# set firewall group address-group ag-Blacklist address '82.77.69.10'
[edit]
vyos@vyos# commit
[ firewall group address-group ag-Blacklist ]
Error: member [82.77.69.9] already exists in [ag-Blacklist]

Failed to generate committed config
[edit]
vyos@vyos#

And now if I try to delete any other IP I receive something like this:

vyos@vyos:/config$ configure
[edit]
vyos@vyos# delete firewall group address-group ag-Blacklist address '82.118.236.189'
[edit]
vyos@vyos# commit
[ firewall group address-group ag-Blacklist ]
Error: member [82.118.236.189] doesn't exists in [ag-Blacklist-24167]

You don't need to commit after the delete, because you use the group in the firewall on interface ethX.
See my previous reply (section "To fix it").

It's total chaos!
And I can't restart this one, it's my main router and it's not for home usage…

vyos@vyos:/config$ configure
[edit]
vyos@vyos# set firewall group address-group ag-Blacklist address '216.218.131.2'

Configuration path: [firewall group address-group ag-Blacklist address 216.218.131.2] already exists

[edit]
vyos@vyos# set firewall group address-group ag-Blacklist address '79.113.230.222'

Configuration path: [firewall group address-group ag-Blacklist address 79.113.230.222] already exists

[edit]
vyos@vyos# set firewall group address-group ag-Blacklist address '82.118.236.189'

Configuration path: [firewall group address-group ag-Blacklist address 82.118.236.189] already exists

[edit]
vyos@vyos# set firewall group address-group ag-Blacklist address '82.77.69.8'

Configuration path: [firewall group address-group ag-Blacklist address 82.77.69.8] already exists

[edit]
vyos@vyos# set firewall group address-group ag-Blacklist address '82.77.69.9'
[edit]
vyos@vyos# set firewall group address-group ag-Blacklist address '82.77.69.10'
[edit]
vyos@vyos# commit
[ firewall group address-group ag-Blacklist ]
Error: member [82.77.69.9] already exists in [ag-Blacklist]

Failed to generate committed config
[edit]
vyos@vyos# delete firewall group address-group ag-Blacklist
[edit]
vyos@vyos# set firewall group address-group ag-Blacklist
[edit]
vyos@vyos# commit
[ firewall group address-group ag-Blacklist ]
Error: member [216.218.131.2] doesn't exists in [ag-Blacklist-24639]

Failed to generate committed config
[edit]
vyos@vyos#

vyos@vyos:/config$ sh version
Version: VyOS 1.3-rolling-202001311637
Built by: autobuild@vyos.net
Built on: Fri 31 Jan 2020 16:37 UTC
Build UUID: 6ccdec29-177e-41e1-996b-e6c4862dfeaa
Build Commit ID: ede6915729194e

Architecture: x86_64
Boot via: installed image
System type: bare metal

Hardware vendor: Dell Inc.
Hardware model: PowerEdge R610
Hardware S/N: FBB3T4J
Hardware UUID: 4c4c4544-0042-4210-8033-c6c04f54344a

Copyright: VyOS maintainers and contributors

Ok.
Delete your script from the task-scheduler.
First, can you delete the firewall from ethX?
So that it doesn't interfere with deleting the firewall groups.

After that, delete the firewall address-group.

And show the result.