Hi,
I had a list of:
set firewall ipv4 prerouting raw rule 1 action 'accept'
set firewall ipv4 prerouting raw rule 1 destination address '10.10.10.0/24'
set firewall ipv4 prerouting raw rule 1 source address '12.12.12.1/32'
set firewall ipv4 prerouting raw rule 2 action 'accept'
set firewall ipv4 prerouting raw rule 2 destination address '10.10.10.0/24'
set firewall ipv4 prerouting raw rule 2 source address '192.168.1.2/32'
[...]
set firewall ipv4 prerouting raw rule 99999 action 'drop'
set firewall ipv4 prerouting raw rule 99999 destination address '10.10.10.0/24'
And that worked fine for 2 days. Then I wanted to add rule numbers 11 and 12, but they did not work.
While debugging I realized that no config changes at all were being activated.
My config now is:
# run show configuration commands | grep firewall
[edit]
… no firewall rules at all in the config.
But in fact in the server itself all firewall rules are active like they were before…
That's:
Version: VyOS 1.5-rolling-202410180006
Release train: current
Release flavor: generic
Built by: autobuild@vyos.net
Built on: Fri 18 Oct 2024 00:07 UTC
Build UUID: a6dc3e7c-619f-4051-937a-93b4adac485f
Build commit ID: 2359180068a653
tjh, October 23, 2024, 5:04pm (post 2)
What is the output if you remove the | ?
“show configuration” doesn’t tend to work if you’ve edited your config at all.
Hi,
$ show configuration commands
will start with the set interface definitions.
No firewall rules existing.
What would be the command to let nft print out the rules that are set for the ipv4 prerouting raw configs? So we would know the perspective of the Linux system.
I searched it but did not find it up until now.
n.fort, October 23, 2024, 6:42pm (post 5)
And more specific:
sudo nft list table ip vyos_filter
Can you share more details on how this config had disappeared? Are you using custom scripts or something similar?
Hi,
Well, this I found too, but:
$ sudo nft list table ip vyos_filter
table ip vyos_filter {
chain VYOS_FORWARD_filter {
type filter hook forward priority filter; policy accept;
counter packets 8091587053 bytes 5860894892479 accept comment "FWD-filter default-action accept"
}
chain VYOS_INPUT_filter {
type filter hook input priority filter; policy accept;
counter packets 293644 bytes 47720395 accept comment "INP-filter default-action accept"
}
chain VYOS_OUTPUT_raw {
type filter hook output priority raw; policy accept;
counter packets 4786981 bytes 1054243658 accept comment "OUT-raw default-action accept"
}
chain VYOS_OUTPUT_filter {
type filter hook output priority filter; policy accept;
counter packets 4786981 bytes 1054243658 accept comment "OUT-filter default-action accept"
}
chain VYOS_PREROUTING_raw {
type filter hook prerouting priority raw; policy accept;
counter packets 8098280915 bytes 5865583960773 accept comment "PRE-raw default-action accept"
}
chain VYOS_FRAG_MARK {
type filter hook prerouting priority -450; policy accept;
ip frag-off & 0x3fff != 0x0 meta mark set 0x000ffff1 return
}
}
It is actually not showing any rules. At least not the way I would understand them.
But in fact rules are in power.
# delete firewall
# commit
That's how they were removed. But again, already before, no changes in the firewall config in VyOS were actually becoming active.
Even now, after deleting all, the old rules are in fact in power. I would just like to know where they are defined in the Linux system.
I don't see rules anywhere in all this:
$ sudo nft list ruleset
table ip nat {
chain VYOS_PRE_SNAT_HOOK {
type nat hook postrouting priority srcnat - 1; policy accept;
return
}
}
table inet mangle {
chain FORWARD {
type filter hook forward priority mangle; policy accept;
}
}
table ip raw {
chain VYOS_TCP_MSS {
type filter hook forward priority raw; policy accept;
}
chain vyos_global_rpfilter {
return
}
chain vyos_rpfilter {
type filter hook prerouting priority raw; policy accept;
counter packets 149210159183 bytes 144082794473950 jump vyos_global_rpfilter
}
chain VYOS_PREROUTING_HOOK {
type filter hook prerouting priority raw; policy accept;
}
}
table ip6 raw {
chain VYOS_TCP_MSS {
type filter hook forward priority raw; policy accept;
}
chain vyos_global_rpfilter {
return
}
chain vyos_rpfilter {
type filter hook prerouting priority raw; policy accept;
counter packets 9975264 bytes 1522744657 jump vyos_global_rpfilter
}
chain VYOS_PREROUTING_HOOK {
type filter hook prerouting priority raw; policy accept;
}
}
table inet vrf_zones {
map ct_iface_map {
typeof iifname : ct zone
}
chain vrf_zones_ct_in {
type filter hook prerouting priority raw; policy accept;
}
chain vrf_zones_ct_out {
type filter hook output priority raw; policy accept;
}
}
table ip vyos_filter {
chain VYOS_FORWARD_filter {
type filter hook forward priority filter; policy accept;
counter packets 8144368040 bytes 5902177228939 accept comment "FWD-filter default-action accept"
}
chain VYOS_INPUT_filter {
type filter hook input priority filter; policy accept;
counter packets 295567 bytes 48068484 accept comment "INP-filter default-action accept"
}
chain VYOS_OUTPUT_raw {
type filter hook output priority raw; policy accept;
counter packets 4820743 bytes 1061379111 accept comment "OUT-raw default-action accept"
}
chain VYOS_OUTPUT_filter {
type filter hook output priority filter; policy accept;
counter packets 4820743 bytes 1061379111 accept comment "OUT-filter default-action accept"
}
chain VYOS_PREROUTING_raw {
type filter hook prerouting priority raw; policy accept;
counter packets 8151067024 bytes 5906867086201 accept comment "PRE-raw default-action accept"
}
chain VYOS_FRAG_MARK {
type filter hook prerouting priority -450; policy accept;
ip frag-off & 0x3fff != 0x0 meta mark set 0x000ffff1 return
}
}
table ip6 vyos_filter {
chain VYOS_IPV6_FORWARD_filter {
type filter hook forward priority filter; policy accept;
counter packets 7166 bytes 572612 accept comment "FWD-filter default-action accept"
}
chain VYOS_IPV6_INPUT_filter {
type filter hook input priority filter; policy accept;
counter packets 135843 bytes 43667669 accept comment "INP-filter default-action accept"
}
chain VYOS_IPV6_OUTPUT_raw {
type filter hook output priority raw; policy accept;
counter packets 143296 bytes 10751257 accept comment "OUT-raw default-action accept"
}
chain VYOS_IPV6_OUTPUT_filter {
type filter hook output priority filter; policy accept;
counter packets 143296 bytes 10751257 accept comment "OUT-filter default-action accept"
}
chain VYOS_IPV6_PREROUTING_raw {
type filter hook prerouting priority raw; policy accept;
counter packets 260442 bytes 57064378 accept comment "PRE-raw default-action accept"
}
chain VYOS_FRAG6_MARK {
type filter hook prerouting priority -450; policy accept;
exthdr frag exists meta mark set 0x000ffff1 return
}
}
table bridge vyos_filter {
chain VYOS_FORWARD_filter {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 accept comment "FWD-filter default-action accept"
}
chain VYOS_INPUT_filter {
type filter hook input priority filter; policy accept;
counter packets 0 bytes 0 accept comment "INP-filter default-action accept"
}
chain VYOS_OUTPUT_filter {
type filter hook output priority filter; policy accept;
counter packets 0 bytes 0 accept comment "OUT-filter default-action accept"
}
chain VYOS_PREROUTING_filter {
type filter hook prerouting priority filter; policy accept;
counter packets 0 bytes 0 accept comment "PRE-filter default-action accept"
}
}
table ip vyos_mangle {
chain VYOS_PBR_PREROUTING {
type filter hook prerouting priority mangle; policy accept;
}
chain VYOS_PBR_POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
}
}
table ip6 vyos_mangle {
chain VYOS_PBR6_PREROUTING {
type filter hook prerouting priority mangle; policy accept;
}
chain VYOS_PBR6_POSTROUTING {
type filter hook postrouting priority mangle; policy accept;
}
}
table ip vyos_conntrack {
chain VYOS_CT_IGNORE {
return
}
chain VYOS_CT_TIMEOUT {
return
}
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
counter packets 8151023843 bytes 5906838989291 jump VYOS_CT_IGNORE
counter packets 8151023843 bytes 5906838989291 jump VYOS_CT_TIMEOUT
counter packets 8151023843 bytes 5906838989291 jump FW_CONNTRACK
counter packets 8151023843 bytes 5906838989291 jump NAT_CONNTRACK
counter packets 8151023843 bytes 5906838989291 jump WLB_CONNTRACK
notrack
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
counter packets 4820727 bytes 1061374307 jump VYOS_CT_IGNORE
counter packets 4820727 bytes 1061374307 jump VYOS_CT_TIMEOUT
counter packets 4820727 bytes 1061374307 jump FW_CONNTRACK
counter packets 4820727 bytes 1061374307 jump NAT_CONNTRACK
notrack
}
chain VYOS_CT_HELPER {
return
}
chain FW_CONNTRACK {
return
}
chain NAT_CONNTRACK {
return
}
chain WLB_CONNTRACK {
return
}
}
table ip6 vyos_conntrack {
chain VYOS_CT_IGNORE {
return
}
chain VYOS_CT_TIMEOUT {
return
}
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
counter packets 260425 bytes 57062705 jump VYOS_CT_IGNORE
counter packets 260425 bytes 57062705 jump VYOS_CT_TIMEOUT
counter packets 260425 bytes 57062705 jump FW_CONNTRACK
counter packets 260425 bytes 57062705 jump NAT_CONNTRACK
notrack
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
counter packets 143295 bytes 10751185 jump VYOS_CT_IGNORE
counter packets 143295 bytes 10751185 jump VYOS_CT_TIMEOUT
counter packets 143295 bytes 10751185 jump FW_CONNTRACK
counter packets 143295 bytes 10751185 jump NAT_CONNTRACK
notrack
}
chain VYOS_CT_HELPER {
return
}
chain FW_CONNTRACK {
return
}
chain NAT_CONNTRACK {
return
}
}
Where are the Linux firewall equivalents of
set firewall ipv4 prerouting raw rule 1 action 'accept'
set firewall ipv4 prerouting raw rule 1 destination address '10.10.10.0/24'
set firewall ipv4 prerouting raw rule 1 source address '12.12.12.1/32'
?
Thank you!
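One way to answer this from the Linux side, as an added example that is not part of the original posts: a shell function that reads `nft list ruleset` text and lists every base chain attached to a given hook, with its priority and the number of rules other than the default-action one. The function names `hook_chains` and `sample_ruleset` and the shortened counters in the sample are assumptions of this example.

```shell
#!/bin/sh
# hook_chains HOOK: read `nft list ruleset` text on stdin and print one line per
# base chain attached to HOOK: "family table chain priority rules". "rules"
# counts statements other than the catch-all tagged "default-action".
hook_chains() {
    awk -v hook="$1" '
        function emit() {
            if (chain != "" && onhook) print fam, tbl, chain, prio, rules
            chain = ""; onhook = 0; rules = 0
        }
        NF == 0        { next }
        $1 == "table"  { fam = $2; tbl = $3; next }
        $1 == "chain"  { emit(); chain = $2; next }
        $1 == "}"      { emit(); next }
        chain == ""    { next }              # map/set bodies outside chains
        $1 == "type" && $3 == "hook" {
            if ($4 == hook) {
                onhook = 1
                prio = $0
                sub(/.*priority /, "", prio); sub(/;.*/, "", prio)
                gsub(/ /, "", prio)
            }
            next
        }
        /default-action/ { next }
        { rules++ }
    '
}

# Sample input: chains copied from the output in this thread, counters shortened.
sample_ruleset() {
    cat <<'EOF'
table ip vyos_filter {
    chain VYOS_FORWARD_filter {
        type filter hook forward priority filter; policy accept;
        counter packets 1 bytes 60 accept comment "FWD-filter default-action accept"
    }
    chain VYOS_PREROUTING_raw {
        type filter hook prerouting priority raw; policy accept;
        counter packets 1 bytes 60 accept comment "PRE-raw default-action accept"
    }
    chain VYOS_FRAG_MARK {
        type filter hook prerouting priority -450; policy accept;
        ip frag-off & 0x3fff != 0x0 meta mark set 0x000ffff1 return
    }
}
EOF
}

sample_ruleset | hook_chains prerouting
```

On the router the same function can be fed live data with `sudo nft list ruleset | hook_chains prerouting`; a count of 0 for `VYOS_PREROUTING_raw` means the chain holds nothing beyond its default action, which matches the empty configuration shown above.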
Hi,
I took some more time today to debug, and it seems the problem is not VyOS, but a layer 8 one, with maybe too many night shifts…
Specifically, the reference IP I tested against was protected by a 2nd layer of firewall rules of a dedicated firewall device (Fortinet)… so obviously of course nothing changed if anything was changed on VyOS.
With VyOS, at least with this topic, everything seems to be fine.
Sorry for the trouble!
But thank you very much for your help!