Firewall Example

Hello, community.

I’m trying to figure out how I can configure a firewall and have run into difficulties as I’ve never encountered anything like this before.

I’m trying to figure out how I can configure a firewall with port 25 blocked, port 111 blocked, port 123 blocked, all other ports allowed. I do not have NAT and it is not planned. Can you show me how to configure it correctly?

Have you gone through the documentation over at this page yet?

Firewall — VyOS 1.4.x (sagitta) documentation should answer your questions.

There are several ways to achieve the same goal.

Either you do it one rule per port or you use a single rule which matches multiple ports “25,111,123” with action drop.

Another method is to first create a port group and use that in your ruleset.

Doing so improves readability and makes it easier to maintain your ruleset over time (given that you give the groups sane names).

Note however that when it comes to firewalling the best common practice is to use “default drop” rather than “default allow”.

That is, in your case you should have default-action drop and then the rule act on “!25,!111,!123” with action allow.

So if I just block the port I need, it’s the only one that won’t work? The others will be available without adding rules?

Please do look at the documentation, but this should accomplish what you want (going by @Apachez’s recommendation).

set firewall group port-group FORBIDDEN-PORTS port '25'
set firewall group port-group FORBIDDEN-PORTS port '111'
set firewall group port-group FORBIDDEN-PORTS port '123'
set firewall name BLOCK-FORBIDDEN default-action 'drop'
set firewall name BLOCK-FORBIDDEN description 'Block forbidden but allow the rest through'
set firewall name BLOCK-FORBIDDEN rule 10 action 'accept'
set firewall name BLOCK-FORBIDDEN rule 10 destination group port-group '!FORBIDDEN-PORTS'  
set firewall name BLOCK-FORBIDDEN rule 10 protocol 'tcp_udp'

# DISCLAIMER: Additional assembly required. Be sure to allow additional protocols in subsequent rules

And you block all protocols except TCP and UDP.

This chain is far from finished and you know it :stuck_out_tongue: - fine… DISCLAIMER: Additional assembly required. Be sure to allow additional protocols in subsequent rules. And be sure to associate to the concerned interface.

Yes I know it :grinning:
But this simple example shows that “best practice” is not always the best option.
You should always analyze your requirements and then choose the best option for you.

In this case, it is better to allow all connections and block only new connections to selected ports.

set firewall group port-group FORBIDDEN-PORTS port '25'
set firewall group port-group FORBIDDEN-PORTS port '111'
set firewall group port-group FORBIDDEN-PORTS port '123'
set firewall name BLOCK-FORBIDDEN default-action 'accept'
set firewall name BLOCK-FORBIDDEN rule 10 action 'drop'
set firewall name BLOCK-FORBIDDEN rule 10 destination group port-group 'FORBIDDEN-PORTS'
set firewall name BLOCK-FORBIDDEN rule 10 protocol 'tcp_udp'
set firewall name BLOCK-FORBIDDEN rule 10 state new 'enable'

And don’t forget to attach rule-set to interface.


Oh, thank you very much. I think I understand the logic. I’ll go check it out.

Well, that’s what you wanted in the original post: block 25, 111 and 123 and let through anything else.

The way you do that is to create a rule that will negate the FORBIDDEN-PORTS group as an allow.

Or do it in two steps:

  1. proto=TCP,UDP, ports=FORBIDDEN-PORTS, action=DROP
  2. proto=any, ports=any, action=ACCEPT
  3. default-action: DROP

Since nftables (and iptables) are first-match, aka top-down, it will halt execution when it finds an action for a rule that matches the current packet. It’s not like ipf/pf on *BSD, which rather do “best-match”, meaning they will continue to scan the ruleset if there is some better match that will override the identified action.

Again its strongly recommended that default rules for INPUT, OUTPUT and FORWARD should be “drop”.

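The following is an added example, not code from the thread or from VyOS: a small first-match evaluator that models how nftables walks a chain top-down, stopping at the first rule that matches and otherwise applying the default action. It encodes the two configurations posted above (default-drop with the negated port-group, and default-accept dropping only new connections to the group) plus the two-step variant from the last post, and runs the same constructed sample packets through each so the differences are visible: the default-drop chain also drops ICMP because its only accept rule is limited to tcp_udp, the state-new chain lets reply traffic of an already accepted flow pass, and reversing the two-step rules lets everything through. The Packet and Rule classes and the sample packets are assumptions made for illustration.

```python
"""First-match evaluator for the VyOS rulesets discussed in this thread.

Added example, not VyOS code: it models how nftables walks a chain top-down,
stopping at the first matching rule and falling back to the default action.
Packet, Rule and the sample packets below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

TCP_UDP = frozenset({"tcp", "udp"})
FORBIDDEN_PORTS = frozenset({25, 111, 123})   # the FORBIDDEN-PORTS port-group


@dataclass(frozen=True)
class Packet:
    proto: str               # "tcp", "udp", "icmp", ...
    dport: Optional[int]     # None for protocols that carry no port
    state: str               # conntrack state: "new" or "established"


@dataclass(frozen=True)
class Rule:
    action: str                                  # "accept" or "drop"
    protos: Optional[FrozenSet[str]] = None      # None = any protocol
    ports: Optional[FrozenSet[int]] = None       # destination port-group
    negate_ports: bool = False                   # the '!GROUP' form
    state_new_only: bool = False                 # "state new enable"

    def matches(self, pkt: Packet) -> bool:
        if self.protos is not None and pkt.proto not in self.protos:
            return False
        if self.state_new_only and pkt.state != "new":
            return False
        if self.ports is not None:
            if pkt.dport is None:
                return False   # a port match cannot apply to a port-less protocol
            in_group = pkt.dport in self.ports
            if in_group == self.negate_ports:   # negated: match iff NOT in group
                return False
        return True


Ruleset = Tuple[List[Rule], str]   # (ordered rules, default-action)

# Default-drop chain with a negated port-group (first configuration in the thread)
RULESET_DEFAULT_DROP: Ruleset = (
    [Rule("accept", TCP_UDP, FORBIDDEN_PORTS, negate_ports=True)], "drop")
# Default-accept chain dropping only NEW connections to the group (second configuration)
RULESET_DEFAULT_ACCEPT: Ruleset = (
    [Rule("drop", TCP_UDP, FORBIDDEN_PORTS, state_new_only=True)], "accept")
# The two-step variant: drop the group, accept everything else, default drop
RULESET_TWO_STEP: Ruleset = (
    [Rule("drop", TCP_UDP, FORBIDDEN_PORTS), Rule("accept")], "drop")
# Same two rules in the wrong order: shows why first-match makes ordering matter
RULESET_TWO_STEP_REVERSED: Ruleset = (
    [Rule("accept"), Rule("drop", TCP_UDP, FORBIDDEN_PORTS)], "drop")

RULESETS: Dict[str, Ruleset] = {
    "default-drop": RULESET_DEFAULT_DROP,
    "default-accept": RULESET_DEFAULT_ACCEPT,
    "two-step": RULESET_TWO_STEP,
    "two-step-reversed": RULESET_TWO_STEP_REVERSED,
}


def evaluate(ruleset: Ruleset, pkt: Packet) -> str:
    """Walk the chain top-down; the first matching rule decides, else the default."""
    rules, default_action = ruleset
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default_action


# Constructed sample traffic, one packet per case worth checking
SAMPLE_PACKETS: Dict[str, Packet] = {
    "smtp_new":         Packet("tcp", 25, "new"),
    "https_new":        Packet("tcp", 443, "new"),
    "ntp_new":          Packet("udp", 123, "new"),
    "icmp_echo":        Packet("icmp", None, "new"),
    "smtp_established": Packet("tcp", 25, "established"),  # reply traffic of an accepted flow
}


def verdict_table(rulesets: Dict[str, Ruleset],
                  packets: Dict[str, Packet]) -> Dict[str, Dict[str, str]]:
    """Verdict of every ruleset for every packet, keyed packet -> ruleset -> action."""
    return {pname: {rname: evaluate(rs, pkt) for rname, rs in rulesets.items()}
            for pname, pkt in packets.items()}


if __name__ == "__main__":
    for pname, row in verdict_table(RULESETS, SAMPLE_PACKETS).items():
        print(f"{pname:18}", "  ".join(f"{r}={v}" for r, v in row.items()))
```

The `icmp_echo` row is the case the thread calls out: under the default-drop chain it is dropped because the only accept rule is restricted to tcp_udp, so that chain needs further accept rules (ICMP, established/related traffic) before it matches the original requirement, while the default-accept and two-step chains pass it. The reversed two-step chain accepts `smtp_new`, which is the first-match point from the last post.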