Block port except from "safe" subnet


#1

I’m using VyOS in a manner where I route an entire subnet over it for the Internet…

I want to block access to 3389 as a port, except from a subnet I declare as safe.

Blocking the port is simple:

    rule 1000 {
        action drop
        destination {
            port 3389
        }
        log enable
        protocol tcp
    }

What I’m trying to remember is the exception part; forgive me, because I’ve googled and have not found an answer that makes the remotest sense.

Anyone mind helping out?


#2

Firewall rules are sequential, being read from top to bottom.

First you need to decide if you want a default accept or default drop firewall.

If you have a default accept firewall, then you explicitly deny traffic you don’t want.
If you have a default drop firewall, then you need to explicitly accept the traffic you do want.

Default Deny:

firewall {
    name eth0-in {
        default-action drop
        rule 100 {
            action accept
            log enable
            protocol all
            source {
                address XXX.XXX.XXX.XXX/XX
            }
        }
    }
}

Default Accept:

firewall {
    name eth0-in {
        default-action accept
        rule 100 {
            action accept
            log enable
            protocol tcp
            source {
                address XXX.XXX.XXX.XXX/XX
            }
            destination {
                port 3389
            }
        }

        rule 101 {
            action drop
            destination {
                port 3389
            }
            log disable
            protocol tcp
        }
    }
}

You then need to assign this access list to an interface:

interfaces {
    ethernet eth0 {
          .........
          .........
        firewall {
            in {
                name eth0-in
            }
        }
    }
}
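The first-match behaviour the answer relies on (rule 100 accept before rule 101 drop, default action when nothing matches), modelled as an added Python example written for this page. It is not VyOS code and touches no real firewall: `Rule`, `RuleSet` and `decisions` are made up for the illustration, `SAFE_SUBNET` is an assumed stand-in for the poster's "safe" subnet, and the packets are constructed from RFC 5737 documentation ranges. It also shows what happens when the two rules are numbered the other way round, and what the answer's default-deny variant does to traffic other than 3389.

```python
"""Model of VyOS first-match firewall evaluation (illustration only, not
VyOS code). Addresses below are constructed placeholders from RFC 5737."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

SAFE_SUBNET = "192.0.2.0/24"   # assumed stand-in for the poster's "safe" subnet


@dataclass
class Rule:
    number: int                  # VyOS rule number; lower numbers are checked first
    action: str                  # "accept" or "drop"
    protocol: str = "all"        # "tcp", "udp" or "all"
    src: Optional[str] = None    # source address or CIDR, None = any
    dport: Optional[int] = None  # destination port, None = any

    def matches(self, proto: str, src_ip: str, dport: int) -> bool:
        if self.protocol != "all" and self.protocol != proto:
            return False
        if self.src is not None:
            # strict=False accepts host addresses written with a mask, e.g. 192.0.2.7/24
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(src_ip) not in net:
                return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


@dataclass
class RuleSet:
    default_action: str
    rules: list = field(default_factory=list)

    def evaluate(self, proto: str, src_ip: str, dport: int) -> str:
        """Return the action of the first matching rule, in ascending rule
        number, or the default action when no rule matches."""
        for rule in sorted(self.rules, key=lambda r: r.number):
            if rule.matches(proto, src_ip, dport):
                return rule.action
        return self.default_action


# "Default Accept" ruleset from the answer: accept 3389 from the safe subnet
# first, then drop 3389 from everyone else; anything else falls through.
DEFAULT_ACCEPT = RuleSet("accept", [
    Rule(100, "accept", "tcp", SAFE_SUBNET, 3389),
    Rule(101, "drop", "tcp", None, 3389),
])

# "Default Deny" ruleset from the answer: accept everything from the safe
# subnet and drop everything else, not only 3389.
DEFAULT_DROP = RuleSet("drop", [
    Rule(100, "accept", "all", SAFE_SUBNET, None),
])

# Same two rules as DEFAULT_ACCEPT but with the drop numbered below the
# accept: the exception never fires because the drop matches first.
MISORDERED = RuleSet("accept", [
    Rule(99, "drop", "tcp", None, 3389),
    Rule(100, "accept", "tcp", SAFE_SUBNET, 3389),
])


def decisions(ruleset: RuleSet) -> dict:
    """Evaluate a fixed set of constructed packets against a ruleset."""
    packets = {
        "safe_rdp": ("tcp", "192.0.2.10", 3389),        # inside the safe subnet
        "other_rdp": ("tcp", "198.51.100.7", 3389),     # outside it
        "other_http": ("tcp", "198.51.100.7", 80),      # non-RDP traffic
        "other_udp_3389": ("udp", "198.51.100.7", 3389),  # RDP's UDP transport
    }
    return {name: ruleset.evaluate(*pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, rs in [("default accept", DEFAULT_ACCEPT),
                     ("default drop", DEFAULT_DROP),
                     ("misordered", MISORDERED)]:
        print(name, decisions(rs))
```

Two things the model makes visible that the config alone does not: if the drop rule gets a lower number than the accept rule, the safe subnet is blocked too, since the drop is hit first; and because both rules in the default-accept variant match `protocol tcp` only, UDP/3389 (which RDP also uses for its UDP transport) falls through to the accept default, whereas the default-deny variant drops it along with everything else from outside the safe subnet.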