Firewall default-action drop behaves as reject

VyOS 1.2.2

I have an interface based firewall defined inbound. I’m using the default:

set firewall name eth0_in default-action drop

Through all my testing this results in packets being rejected instead of dropped. It seems there is no difference in functionality between the two. I’m unsure if this is intended based on anything else in my configuration, but it doesn’t seem like it should behave in this manner.

This is my whole firewall config for reference with one IP obscured:

 broadcast-ping disable
 ipv6-receive-redirects disable
 ipv6-src-route disable
 ip-src-route disable
 log-martians enable
 name eth0_in {
     default-action drop
     rule 1 {
         action accept
         destination {
             port 22
         }
         protocol tcp
     }
     rule 2 {
         action accept
         destination {
             port 25
         }
         protocol tcp
     }
     rule 3 {
         action accept
         destination {
             port 80
         }
         protocol tcp
     }
     rule 4 {
         action accept
         destination {
             port 443
         }
         protocol tcp
     }
     rule 5 {
         action accept
         destination {
             port 587
         }
         protocol tcp
     }
     rule 6 {
         action accept
         destination {
             port 993
         }
         protocol tcp
     }
     rule 7 {
         action accept
         destination {
             port 3389
         }
         protocol tcp
         source {
             address x.x.x.x
         }
     }
     rule 8 {
         action accept
         destination {
             port 32400
         }
         protocol tcp
     }
 }
 receive-redirects disable
 send-redirects disable
 source-validation loose
 state-policy {
     established {
         action accept
     }
     invalid {
         action reject
     }
     related {
         action accept
     }
 }

Hello @vabello, did you create this rule set for forwarded packets or for input packets on the VyOS router?
Can you provide the configuration commands for eth0?

Hello,

The purpose of this is to filter forwarded packets entering the eth0 interface.

Configuration of eth0 is as follows:

interfaces {
    ethernet eth0 {
        address dhcp
        duplex auto
        firewall {
            in {
                name eth0_in
            }
        }
        hw-id 00:15:5d:64:05:0b
        smp-affinity auto
        speed auto
    }

Thank you.

I created a lab to test this; all works normally.

vyos@R2# run show configuration commands 
set firewall name transit default-action 'drop'
set firewall name transit rule 1 action 'accept'
set firewall name transit rule 1 destination port '22'
set firewall name transit rule 1 protocol 'tcp'

set interfaces ethernet eth1 address '100.64.0.5/30'
set interfaces ethernet eth1 description 'to_R3'
set interfaces ethernet eth1 firewall in name 'transit'

From R3, a packet was sent via telnet to R1 100.64.0.1 dst port 23, which is not allowed.

vyos@R2# sudo tcpdump -n -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:03:51.411725 IP 100.64.0.6.41550 > 100.64.0.1.23: Flags [S], seq 1245352906, win 29200, options [mss 1460,sackOK,TS val 1327891048 ecr 0,nop,wscale 6], length 0
14:03:52.430088 IP 100.64.0.6.41550 > 100.64.0.1.23: Flags [S], seq 1245352906, win 29200, options [mss 1460,sackOK,TS val 1327892066 ecr 0,nop,wscale 6], length 0
14:03:54.445171 IP 100.64.0.6.41550 > 100.64.0.1.23: Flags [S], seq 1245352906, win 29200, options [mss 1460,sackOK,TS val 1327894081 ecr 0,nop,wscale 6], length 0

With default-action 'drop' there are no replies.

If we change to default-action 'reject' and run the same telnet command from R3, in tcpdump on R2 we see the reject.

vyos@R2# sudo tcpdump -n -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
14:08:58.534563 IP 100.64.0.6.41554 > 100.64.0.1.23: Flags [S], seq 27694511, win 29200, options [mss 1460,sackOK,TS val 1328198133 ecr 0,nop,wscale 6], length 0
14:08:58.534782 IP 100.64.0.5 > 100.64.0.6: ICMP 100.64.0.1 tcp port 23 unreachable, length 68

Can you provide your full configuration?
show configuration commands | strip-private

Sure, here you go. By the way, the strip-private command doesn’t obfuscate IPv6 addresses so I did that by hand. It also doesn’t obfuscate any name past the first word if surrounded by quotes in the login full name.

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name eth0_in default-action 'drop'
set firewall name eth0_in rule 1 action 'accept'
set firewall name eth0_in rule 1 destination port '22'
set firewall name eth0_in rule 1 protocol 'tcp'
set firewall name eth0_in rule 2 action 'accept'
set firewall name eth0_in rule 2 destination port '25'
set firewall name eth0_in rule 2 protocol 'tcp'
set firewall name eth0_in rule 3 action 'accept'
set firewall name eth0_in rule 3 destination port '80'
set firewall name eth0_in rule 3 protocol 'tcp'
set firewall name eth0_in rule 4 action 'accept'
set firewall name eth0_in rule 4 destination port '443'
set firewall name eth0_in rule 4 protocol 'tcp'
set firewall name eth0_in rule 5 action 'accept'
set firewall name eth0_in rule 5 destination port '587'
set firewall name eth0_in rule 5 protocol 'tcp'
set firewall name eth0_in rule 6 action 'accept'
set firewall name eth0_in rule 6 destination port '993'
set firewall name eth0_in rule 6 protocol 'tcp'
set firewall name eth0_in rule 7 action 'accept'
set firewall name eth0_in rule 7 destination port '3389'
set firewall name eth0_in rule 7 protocol 'tcp'
set firewall name eth0_in rule 7 source address 'xxx.xxx.175.42'
set firewall name eth0_in rule 8 action 'accept'
set firewall name eth0_in rule 8 destination port '32400'
set firewall name eth0_in rule 8 protocol 'tcp'
set firewall receive-redirects 'disable'
set firewall send-redirects 'disable'
set firewall source-validation 'loose'
set firewall state-policy established action 'accept'
set firewall state-policy invalid action 'reject'
set firewall state-policy related action 'accept'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'enable'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 firewall in name 'eth0_in'
set interfaces ethernet eth0 hw-id 'XX:XX:XX:64:05:0b'
set interfaces ethernet eth0 ip source-validation 'loose'
set interfaces ethernet eth0 smp-affinity 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth1 address 'xxx.xxx.100.1/24'
set interfaces ethernet eth1 address 'xxxx:xxxx:1f07:224::1/64'
set interfaces ethernet eth1 duplex 'auto'
set interfaces ethernet eth1 hw-id 'XX:XX:XX:64:05:0c'
set interfaces ethernet eth1 ipv6 dup-addr-detect-transmits '1'
set interfaces ethernet eth1 ipv6 router-advert cur-hop-limit '64'
set interfaces ethernet eth1 ipv6 router-advert link-mtu '1480'
set interfaces ethernet eth1 ipv6 router-advert managed-flag 'true'
set interfaces ethernet eth1 ipv6 router-advert max-interval '600'
set interfaces ethernet eth1 ipv6 router-advert name-server 'xxxx:xxxx:1f07:224:: 10'
set interfaces ethernet eth1 ipv6 router-advert other-config-flag 'true'
set interfaces ethernet eth1 ipv6 router-advert reachable-time '0'
set interfaces ethernet eth1 ipv6 router-advert retrans-timer '0'
set interfaces ethernet eth1 ipv6 router-advert send-advert 'true'
set interfaces ethernet eth1 smp-affinity 'auto'
set interfaces ethernet eth1 speed 'auto'
set interfaces loopback lo
set interfaces tunnel tun0 address 'xxxx:xxxx:1f06:224::2/64'
set interfaces tunnel tun0 description 'HE.NET IPv6 Tunnel'
set interfaces tunnel tun0 encapsulation 'sit'
set interfaces tunnel tun0 local-ip 'xxx.xxx.0.0'
set interfaces tunnel tun0 multicast 'disable'
set interfaces tunnel tun0 remote-ip 'xxx.xxx.161.14'
set nat destination rule 10 destination port '22'
set nat destination rule 10 inbound-interface 'eth0'
set nat destination rule 10 protocol 'tcp'
set nat destination rule 10 translation address 'xxx.xxx.100.10'
set nat destination rule 20 destination port '25'
set nat destination rule 20 inbound-interface 'eth0'
set nat destination rule 20 protocol 'tcp'
set nat destination rule 20 translation address 'xxx.xxx.100.10'
set nat destination rule 30 destination port '80'
set nat destination rule 30 inbound-interface 'eth0'
set nat destination rule 30 protocol 'tcp'
set nat destination rule 30 translation address 'xxx.xxx.100.10'
set nat destination rule 40 destination port '443'
set nat destination rule 40 inbound-interface 'eth0'
set nat destination rule 40 protocol 'tcp'
set nat destination rule 40 translation address 'xxx.xxx.100.10'
set nat destination rule 50 destination port '587'
set nat destination rule 50 inbound-interface 'eth0'
set nat destination rule 50 protocol 'tcp'
set nat destination rule 50 translation address 'xxx.xxx.100.10'
set nat destination rule 60 destination port '993'
set nat destination rule 60 inbound-interface 'eth0'
set nat destination rule 60 protocol 'tcp'
set nat destination rule 60 translation address 'xxx.xxx.100.10'
set nat destination rule 70 destination port '3389'
set nat destination rule 70 inbound-interface 'eth0'
set nat destination rule 70 protocol 'tcp'
set nat destination rule 70 translation address 'xxx.xxx.100.50'
set nat destination rule 80 destination port '32400'
set nat destination rule 80 inbound-interface 'eth0'
set nat destination rule 80 protocol 'tcp'
set nat destination rule 80 translation address 'xxx.xxx.100.10'
set nat source rule 9999 outbound-interface 'eth0'
set nat source rule 9999 translation address 'masquerade'
set protocols static interface-route6 ::/0 next-hop-interface tun0
set service dns dynamic interface eth0 service dyndns host-name xxxxxx
set service dns dynamic interface eth0 service dyndns host-name xxxxxx
set service dns dynamic interface eth0 service dyndns host-name xxxxxx
set service dns dynamic interface eth0 service dyndns host-name xxxxxx
set service dns dynamic interface eth0 service dyndns host-name xxxxxx
set service dns dynamic interface eth0 service dyndns host-name xxxxxx
set service dns dynamic interface eth0 service dyndns login 'vabello'
set service dns dynamic interface eth0 service dyndns password xxxxxx
set service dns dynamic interface eth0 service dyndns protocol 'dyndns2'
set service ssh listen-address 'xxx.xxx.100.1'
set system config-management commit-revisions '100'
set system console device ttyS0 speed '115200'
set system domain-name xxxxxx
set system host-name xxxxxx
set system login user xxxxxx authentication encrypted-password xxxxxx
set system login user xxxxxx authentication plaintext-password xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx key xxxxxx
set system login user xxxxxx authentication public-keys xxxx@xxx.xxx type ssh-xx x
set system login user xxxxxx full-name xxxxxx'
set system login user xxxxxx level 'admin'
set system name-server 'xxx.xxx.100.10'
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system ntp server xxxxx.tld
set system syslog global facility all level 'info'
set system syslog global facility protocols level 'debug'
set system time-zone 'America/New_York'

With the above configuration, this is an example result for a port (TCP 5000) that is not opened in the firewall rules showing the reject. IP addresses are obfuscated.

vyos@vyos:~$ sudo tcpdump -n -i eth0 port 5000
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
14:51:26.242184 IP 1.2.3.4.55825 > 5.6.7.8.5000: Flags [SEW], seq 1794801785, win 9572, options [mss 1380,wscale 9,sackOK,eol], length 0
14:51:26.242219 IP 5.6.7.8.5000 > 1.2.3.4.55825: Flags [R.], seq 0, ack 1794801786, win 0, length 0
14:51:26.763973 IP 1.2.3.4.55825 > 5.6.7.8.5000: Flags [S], seq 1766059221, win 9572, options [mss 1380,wscale 9,sackOK,eol], length 0
14:51:26.764006 IP 5.6.7.8.5000 > 1.2.3.4.55825: Flags [R.], seq 0, ack 4266224733, win 0, length 0
14:51:27.276428 IP 1.2.3.4.55825 > 5.6.7.8.5000: Flags [S], seq 1259193073, win 9572, options [mss 1380,sackOK,eol], length 0
14:51:27.276464 IP 5.6.7.8.5000 > 1.2.3.4.55825: Flags [R.], seq 0, ack 3759358585, win 0, length 0

I have a sneaking suspicion that it’s related to

set firewall state-policy established action 'accept'

but it’s difficult for me to verify that in my configuration without taking the time to set up some more virtual routers, which I’d just need time to do.

After looking at all of this, I just realized, should I be making this filter “local” instead of “in” because I’m performing NAT through the eth0 interface?

To answer my own question, I modified this to be “local” instead of “in” on the eth0 interface and I get the expected behavior. I was confused as the order of packet processing in other platforms I’m familiar with works differently. I think I’m good now and this is not a bug.

I would still look into enhancing the strip-private command though based on my above comments.

Thank you very much for your time and effort. If this isn’t the expected outcome, please let me know and I’d be happy to provide any further testing or information, but it looks like it was just my own misunderstanding of the order of evaluation of the packets.
