Can't block IP range

system · February 17, 2015, 8:38pm

Hello,
I am trying to block a couple IP ranges, but it isn’t working-I can connect from those IP addresses.
Here is my Ethernet settings:

 bridge br0 {
     aging 300
     hello-time 2
     max-age 20
     priority 0
     stp false
 }
 ethernet eth0 {
     bridge-group {
         bridge br0
     }
     duplex auto
     firewall {
         in {
             name DENY-ALL
         }
         local {
             name DENY-ALL
         }
     }
     hw-id 00:11:11:d4:03:65
     smp_affinity auto
     speed auto
 }
 ethernet eth1 {
     bridge-group {
         bridge br0
     }
     duplex auto
     hw-id 00:e0:4f:d9:2e:90
     smp_affinity auto
     speed auto
 }
 ethernet eth3 {
     address 10.0.0.180/24
     duplex auto
     hw-id 00:00:c5:0d:49:f6
     smp_affinity auto
     speed auto
 }
 loopback lo {
 }

And here is my Firewall settings:

vyos@vyos# show firewall
 group {
     network-group DENY-ALL {
         network xx.xx.xx.0/24
         network xx.xx.xx.0/24
     }
 }
 name DENY-ALL {
     default-action drop
     rule 10 {
         action drop
     }
 }

Can anyone please tell me what I am doing wrong. I have been trying to get this to work for a long time, but I can’t figure it out.

fox123 · February 17, 2015, 8:53pm

Heave not dealt with Bridge groups before, but have you tried applying the firewall ruleset to the bridge group instead of the ethernet interface?

system · February 17, 2015, 9:14pm

Yes, I have tried all the interfaces.

carl.byington · February 18, 2015, 1:40am

Vyos cannot (currently) do firewalling between the components of a bridge group. Eth0 and eth1 are in the same bridge group, so all that traffic is never seen by the firewall code. Bridge firewalling is controlled by ebtables (like iptables controls normal firewalls), which is not yet included in Vyos.

You can firewall traffic between br0 and eth3 however.

system · February 18, 2015, 2:17am

I don’t understand. What would firewalling traffic between br0 and eth3 do? I realistically will not have eth3 even hooked up once I get it in place. I just have eth3 as a maintenance line.

So unless I run the vyos as a router it cannot do ip blocking?

microlinux · February 19, 2015, 12:54am

I wonder if it would work to use an ifb on one of the interfaces and apply the firewall there?

system · February 20, 2015, 3:34pm

Micro, what is an IFB and how would I use it?
I am trying to just add an IP blocking solution to the network that has a lot setup in the modem, and I don’t want to have to set everything up all over again and take the network down. Any suggestions? Is there a different router that would allow me to add an IP block list? I really would like to use Vyos or Vyatta to accomplish this in bridge mode and not through router mode.

microlinux · February 20, 2015, 5:00pm

It’s basically a virtual input interface you can redirect to, i.e.:

set interfaces input ifb0 firewall out FWNAME
set interfaces ethernet eth0 redirect ifb0

system · February 20, 2015, 9:17pm

Holy crap that worked! I can block IP’s using bridge mode cool!

Thank you very much for your knowledge Micro!!!

microlinux · February 22, 2015, 5:03pm

Great, glad it worked!