Hello all!
Recently I had an issue where I mistyped an interface name when setting set firewall interfaces X in name X_in (something like set firewall interfaces eth in name eth0_in instead of set firewall interfaces eth0 in name eth0_in), which caused the entire network behind that interface to have full routable access to all other networks. I’ve tried to use interface wildcards, but with the new lexical sorting, the default-action-drop ruleset for the wildcard gets applied before any interface-specific rulesets, so that doesn’t work anymore.
I’ve started to implement a proper configuration for this: firewall: support chain policies other than accept (WIP) · glueckself/vyos-1x@197ea70 · GitHub
Right now it’s very bare-bones (I have yet to build it!), however I wanted to ask whether there is any interest at all in this feature, and if there are any issues with my approach. I’m waiting on my Phorge account before I can create a ticket there.
The main issue I currently see is the change in vyos/python/template.py. The reason I need this is that when I set the chain policy to drop and all accept actions only do “return”, the packet finally lands at the end of the chain where it is dropped, even if there are rules that accept the packet. But this causes a breaking change: packets that could have been accepted by the in-ruleset but then dropped by the out-ruleset (because both get placed in the VYOS_FW_FORWARD chain, first in then out) would now be accepted without checking the out-rules. I’m not sure if this is a real issue, or if this can be resolved by placing the out-rules into the postrouting chain (but there the rules would affect packets coming from the router itself).
Please let me know if I’m on the right track, and if you have any ideas on how to proceed with the out-rules.
Thanks!
Kind regards,
Srdjan
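The failure mode in the post (a ruleset bound to a mistyped interface name, leaving the real interface with no ruleset at all) is easy to catch before commit by cross-checking a "show configuration commands" dump. The script below is an added example, not part of the post or of VyOS; it assumes the 1.4-style `set firewall interfaces <if> in|out|local name <ruleset>` syntax used in the post and a constructed sample config that reproduces the typo.

```python
import re
from typing import Dict, List

# Constructed sample in "show configuration commands" form. The last line
# carries the typo from the post (eth instead of eth1), so eth1 ends up unprotected.
SAMPLE_CONFIG = """\
set interfaces ethernet eth0 address '192.0.2.1/24'
set interfaces ethernet eth1 address '198.51.100.1/24'
set firewall name eth0_in default-action 'drop'
set firewall name eth1_in default-action 'drop'
set firewall interfaces eth0 in name 'eth0_in'
set firewall interfaces eth in name 'eth1_in'
"""

IFACE_RE = re.compile(r"^set interfaces \S+ (\S+)(?: vif (\d+))?")
RULESET_RE = re.compile(r"^set firewall name (\S+) ")
BINDING_RE = re.compile(
    r"^set firewall interfaces (\S+) (in|out|local) name '?([^'\s]+)'?$")


def audit_firewall_bindings(config: str) -> Dict[str, List[str]]:
    """Cross-check firewall interface bindings against the rest of the config.

    Reports bindings whose interface or ruleset does not exist, and interfaces
    that are left with no 'in' ruleset (the open-network case from the post).
    """
    interfaces, rulesets, bindings = set(), set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := IFACE_RE.match(line):
            interfaces.add(m.group(1))            # base interface, e.g. eth0
            if m.group(2):
                interfaces.add(f"{m.group(1)}.{m.group(2)}")  # VLAN sub-interface
        elif m := RULESET_RE.match(line):
            rulesets.add(m.group(1))
        elif m := BINDING_RE.match(line):
            bindings.append(m.groups())           # (interface, direction, ruleset)

    findings: Dict[str, List[str]] = {"unknown_interface": [], "unknown_ruleset": []}
    for iface, direction, ruleset in bindings:
        if iface not in interfaces:
            findings["unknown_interface"].append(f"{iface} {direction} -> {ruleset}")
        if ruleset not in rulesets:
            findings["unknown_ruleset"].append(f"{iface} {direction} -> {ruleset}")
    bound_in = {iface for iface, direction, _ in bindings if direction == "in"}
    findings["unbound_in"] = sorted(interfaces - bound_in)
    return findings


if __name__ == "__main__":
    for kind, items in audit_firewall_bindings(SAMPLE_CONFIG).items():
        print(kind, items)
```

Run against a real dump by piping `show configuration commands` into the function; a non-empty `unknown_interface` or `unbound_in` list is the condition worth failing a commit hook on.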