Error when applying filter rule in an interface

pendragon69 · August 8, 2023, 4:20pm

Hello all,

I intend to block ssh on port 22 on my vyos device and after running the below command it populates an error.
Error: unable to find [PREROUTING] [VYATTA_CT_PREROUTING_HOOK]

IMG-20230808-WA0010

Below are the commands:

set firewall all-ping ‘enable’
set firewall broadcast-ping ‘disable’
set firewall ipv6-receive-redirects ‘disable’
set firewall ipv6-src-route ‘disable’
set firewall ip-src-route ‘disable’
set firewall log-martians ‘enable’
set firewall receive-redirects ‘disable’
set firewall send-redirects ‘enable’
set firewall source-validation ‘disable’
set firewall syn-cookies ‘enable’

Defining state policy

set firewall state-policy established action ‘accept’
set firewall state-policy related action ‘accept’

Filter rule

set firewall name WAN-LOCAL default-action ‘drop’
set firewall name WAN-LOCAL rule 100 action ‘drop’
set firewall name WAN-LOCAL rule 100 destination port ‘22’
set firewall name WAN-LOCAL rule 100 protocol ‘tcp’
set firewall name WAN-LOCAL rule 100 source address 192.168.4.29
set firewall name WAN-LOCAL rule 100 state new ‘enable’
set firewall name WAN-LOCAL rule 110 action ‘accept’
set firewall name WAN-LOCAL rule 110 destination port ‘22’
set firewall name WAN-LOCAL rule 110 protocol ‘tcp’
set firewall name WAN-LOCAL rule 100 source address 192.168.4.29
set firewall name WAN-LOCAL rule 110 state new ‘enable’

set interface ethernet eth2 vif 71 firewall local name WAN-LOCAL

n.fort · August 8, 2023, 4:25pm

What VyOS version you are using? You can try:
1- Removing all firewall → commit → add all firewall rules → commit
2- Reboot router if possible

pendragon69 · August 8, 2023, 5:23pm

Vyos VyOS 1.3.0-rc6 and VyOS 1.3.1 I tried it and reported the same error.

Reboot was done and it did not work.

a.apostoliuk · August 9, 2023, 7:14am

If you have support please update to 1.3.3 else please use 1.4.
I have checked your config on 1.3.3 and there is no error after commit.

pendragon69 · August 9, 2023, 8:50am

Thank you @a.apostoliuk , I’m currently running on 1.3.0 and I have support so I will reach out to upgrade as advised. However, on my lab using the latest rolling release for testing after running this command set interface ethernet eth2 vif 71 firewall local name WAN-LOCAL to apply it on an interface, the vyos respond as an invalid command and does not accept it.

n.fort · August 9, 2023, 9:35am

In 1.4, command for attaching firewall rulest to interface is different:

# Command for vyos 1.3:
set interface ethernet eth2 vif 71 firewall local name WAN-LOCAL

# Command for vyos 1.4
set firewall interface eth2.71 local name WAN-LOCAL

Docs for 1.4: Firewall — VyOS 1.4.x (sagitta) documentation

Docs for 1.3: Firewall — VyOS 1.3.x (equuleus) documentation

pendragon69 · August 9, 2023, 11:06am

Thank you

This works

system · August 11, 2023, 11:06am

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.