OK, so I’ve been messing around with VyOS some more, and I came across zone policy. From my testing, it looks like I can block traffic outbound from the firewall itself using zone policy. I have created a firewall that looks like this:
```
name LOCAL-WAN {
    default-action "accept"
    rule 5 {
        action "drop"
        protocol "gre"
    }
}
```
and applied it to my WAN zone for traffic coming from my LOCAL zone. This does solve the problem of preventing cleartext GRE outbound, but it also has the unintended effect of preventing the IPsec tunnel from actually coming up. At least, I think that is what is happening. This is what I get when I do a tcpdump on the “WAN” bridge:
```
07:11:41.740912 IP 192.168.7.101.isakmp > 192.168.7.100.isakmp: isakmp: phase 2/others I inf[E]
07:11:41.741697 IP 192.168.7.101.isakmp > 192.168.7.100.isakmp: isakmp: phase 1 I ident
07:11:41.742137 IP 192.168.7.100.isakmp > 192.168.7.101.isakmp: isakmp: phase 2/others R inf[E]
07:11:41.742965 IP 192.168.7.100.isakmp > 192.168.7.101.isakmp: isakmp: phase 1 R ident
07:11:41.745304 IP 192.168.7.101.isakmp > 192.168.7.100.isakmp: isakmp: phase 1 I ident
07:11:41.748848 IP 192.168.7.100.isakmp > 192.168.7.101.isakmp: isakmp: phase 1 R ident
07:11:41.751049 IP 192.168.7.101.isakmp > 192.168.7.100.isakmp: isakmp: phase 1 I ident[E]
07:11:41.751977 IP 192.168.7.100.isakmp > 192.168.7.101.isakmp: isakmp: phase 1 R ident[E]
07:11:41.754859 IP 192.168.7.101.isakmp > 192.168.7.100.isakmp: isakmp: phase 2/others I oakley-quick[E]
07:11:41.760351 IP 192.168.7.100.isakmp > 192.168.7.101.isakmp: isakmp: phase 2/others R oakley-quick[E]
07:11:41.763177 IP 192.168.7.101.isakmp > 192.168.7.100.isakmp: isakmp: phase 2/others I oakley-quick[E]
```
Then a second or two later:

```
07:11:42.713122 IP 192.168.7.100.isakmp > 192.168.7.101.isakmp: isakmp: phase 2/others R inf[E]
```

192.168.7.100 is the hub, while 192.168.7.101 is the spoke.
I think I understand the first two and last lines of your nftables rules, but I don’t quite understand the third one. My understanding of IPsec is that the payload is completely encrypted, so the firewall shouldn’t be able to match a GRE packet inside of an IPsec packet, no? I don’t understand the `reqid`, `reqid != 0`, and `counter` bits at all. I briefly looked up reqid as it pertains to nftables and IPsec, but couldn’t find much information. Could you point me towards a resource that would explain it?
Is it possible to make a rule that includes the same parameters using the VyOS firewall?
I ask because I’d much prefer to have the rules as part of the VyOS config itself. That is partly for simpler administration and partly to minimize the risk of accidentally not moving the startup script file during a migration or upgrade, especially since there’s no warning or failsafe if the file doesn’t run and apply the firewall “patch”.
Thank you for your help!
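An added example, written for this edit and not taken from the thread or from VyOS, of how a plain nftables output chain can tell cleartext GRE apart from GRE that policy-based IPsec is about to encapsulate. The output hook runs before xfrm encapsulation, so the chain sees the inner GRE packet, not the ESP packet that ends up on the wire; the `ipsec out` expression (the nft_xfrm expression, present in recent kernels and nftables releases) reads the reqid of the xfrm state bound to the packet's route. A cleartext GRE packet has no such state, so that expression does not match and the packet falls through to the drop rule. The table and chain names are my own; the ruleset is meant for `nft -f` on a stock nftables host, not as VyOS CLI syntax, and it assumes policy-based (SPD-driven) IPsec rather than a VTI or xfrm interface.

```nft
# Added example (not the thread's or VyOS's own ruleset). Load with: nft -f <file>
# Goal: never let GRE leave this host in cleartext, but let GRE pass when an
# outbound IPsec policy is about to encapsulate it.
#
# The output hook evaluates the inner packet before xfrm encapsulation, so
# "ip protocol gre" matches here for both protected and unprotected GRE; the
# "ipsec out" expression is what separates the two cases.
table inet gre_guard {
    chain output {
        type filter hook output priority 0; policy accept;

        # GRE that an outbound IPsec policy will protect: the xfrm state bound
        # to the packet's route carries a non-zero reqid, so this rule matches.
        # "counter" keeps packet/byte totals that "nft list ruleset" prints, so
        # you can confirm which branch is actually firing.
        ip protocol gre ipsec out reqid != 0 counter accept

        # Any other GRE has no IPsec policy behind it and would go out in
        # cleartext: drop it.
        ip protocol gre counter drop
    }
}
```

To see which reqid values are in play on a given box, `ip xfrm policy` and `ip xfrm state` print them alongside the selectors; comparing those numbers with the counters in `nft list ruleset` is a quick way to check that tunnel traffic is taking the accept branch and only unprotected GRE is being dropped.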