firewall in an output mirror interface


#1

Hello,
could you help me?

I have two output mirror interfaces, eth10 and eth11, and I only want DNS traffic on port 53 to pass and the TCP protocol to be dropped. But it is not working. Do you know if the firewall works on mirror interfaces?

vyos@vyos# show firewall name mirror-dest
 default-action drop
 rule 1 {
     action accept
     destination {
         port 53
     }
     protocol udp
 }
 rule 2 {
     action reject
     protocol tcp
 }

[edit]
vyos@vyos# show firewall name mirror-orig
 default-action drop
 rule 1 {
     action reject
     protocol tcp
 }
 rule 2 {
     action accept
     protocol udp
     source {
         port 53
     }
 }

[edit]
vyos@vyos# show firewall interface ethernet eth11

  Configuration path: firewall [interface] is not valid
  Show failed

[edit]
vyos@vyos# show interface ethernet eth11
 address 10.51.241.21/28
 duplex auto
 firewall {
     in {
         name mirror-orig
     }
     local {
         name mirror-orig
     }
     out {
         name mirror-orig
     }
 }


#2

Could you please clarify what you are trying to achieve? What does your “output mirror interface” configuration look like?


#3

I am doing mirroring of eth12 in eth10, and mirroring of eth10 in eth11:

vyos@vyos# show interfaces ethernet eth10
 address 10.51.241.5/28
 duplex auto
 firewall {
     in {
         name mirror-dest
     }
     local {
         name mirror-dest
     }
     out {
         name mirror-dest
     }
 }
 hw-id 52:54:00:21:ca:32
 mirror eth11
 smp_affinity auto
 speed auto

[edit]
vyos@vyos# show interfaces ethernet eth11
 address 10.51.241.21/28
 duplex auto
 firewall {
     in {
         name mirror-orig
     }
     local {
         name mirror-orig
     }
     out {
         name mirror-orig
     }
 }
 hw-id 52:54:00:dd:3c:33
 smp_affinity auto
 speed auto

[edit]


I am trying to pass only DNS (UDP port 53) traffic through eth10 and eth11.


#4

Under the hood you are starting two captures using tshark; this will take all inbound traffic on one interface and send it out on the other. This traffic will not pass through the iptables chains on the output interface.

Perhaps you could use a tshark capture filter to achieve what you want.

Is this for debugging, or is it more permanent monitoring of DNS traffic? I would probably use port mirroring on a switch interface and have a network monitoring probe for the capture and analysis of the DNS traffic in a permanent monitoring solution.

For debugging I just start a capture with capture filters. For deeper analysis of a packet trace I use Wireshark to open the trace. Permanently running two packet traces on your router will impact your performance.


#5

What do you mean by tshark? Is it mirroring done in vyos using tshark?


#6

I assume the mechanism is some packet capture stuff and not the creation of a bridge between the interfaces. On your router with this configuration you could just check whether any bridge interfaces have been created, and use ps to find whether any capturing processes have been started.

I have not used this feature, so I’m just guessing…
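The check post #6 suggests, written here as an added example that is not from the thread or from VyOS itself: it reads /proc and sysfs directly, so the search cannot match its own command line the way the `ps aux | grep` output in post #7 does. The set of process names it treats as captures (tshark, dumpcap, wireshark, tcpdump) is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: look for userspace capture processes
# and Linux bridges without `ps aux | grep`, which matches its own grep line.

# Process names assumed to indicate a packet capture is running.
is_capture_name() {
    case "$1" in
        tshark|dumpcap|wireshark|tcpdump) return 0 ;;
        *) return 1 ;;
    esac
}

# Print "<pid> <comm>" for every running capture process.
# /proc/<pid>/comm holds the executable name, so nothing here can match itself.
find_capture_processes() {
    for comm in /proc/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        read -r name 2>/dev/null < "$comm" || continue
        if is_capture_name "$name"; then
            pid=${comm#/proc/}
            echo "${pid%/comm} $name"
        fi
    done
    return 0
}

# Print the name of every Linux bridge (the same information as `brctl show`):
# a bridge exposes a bridge/ subdirectory under /sys/class/net/<dev>/.
list_bridges() {
    for dev in /sys/class/net/*/; do
        [ -d "${dev}bridge" ] && basename "$dev"
    done
    return 0
}

# True when neither a capture process nor a bridge exists, i.e. the mirror
# is implemented by some other mechanism than the two post #6 guesses at.
no_capture_or_bridge() {
    [ -z "$(find_capture_processes)" ] && [ -z "$(list_bridges)" ]
}

echo "capture processes:"
find_capture_processes
echo "bridges:"
list_bridges
```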


#7

This is not for debugging, it is for implementing a functionality. We need to pass to a system only dns traffic and not http traffic. It is for the implementation of a use case in our scenario.

It seems there are no tshark/wireshark processes or bridges created.
vyos@vyos:~$ sudo ps aux | grep -i wire
vyos 5368 0.0 0.1 6080 576 pts/1 S+ 13:59 0:00 grep -i wire
vyos@vyos:~$ sudo ps aux | grep -i tsh
vyos 5371 0.0 0.1 6080 576 pts/1 S+ 13:59 0:00 grep -i tsh
vyos@vyos:~$ sudo ps aux | grep -i sha
vyos 5374 0.0 0.1 6080 572 pts/1 S+ 13:59 0:00 grep -i sha

vyos@vyos:~$ sudo brctl show
bridge name bridge id STP enabled interfaces
