Firewall Policy Issue – SSH Restriction Also Blocking Other Services (VyOS 1.4)

We have configured a router with a public static IP on the WAN interface and would like to restrict SSH access to specific source IP addresses.

OS Version: VyOS 1.4 (March 20, 2024 release)

We created a firewall policy that successfully controls SSH access; however, it is also blocking all other services along with SSH.

Could you please help us understand what might be missing in the policy configuration below? Additionally, please provide sample configurations for:

  • Destination IP and port-based traffic filtering

  • Source IP and port-based traffic filtering

set firewall ipv4 name SSH_BLOCK default-action 'accept'
set firewall ipv4 name SSH_BLOCK default-log
set firewall ipv4 name SSH_BLOCK rule 10 action 'accept'
set firewall ipv4 name SSH_BLOCK rule 10 log
set firewall ipv4 name SSH_BLOCK rule 10 protocol 'all'
set firewall ipv4 name SSH_BLOCK rule 10 state 'established'
set firewall ipv4 name SSH_BLOCK rule 10 state 'related'
set firewall ipv4 name SSH_BLOCK rule 20 action 'drop'
set firewall ipv4 name SSH_BLOCK rule 20 destination port '22'
set firewall ipv4 name SSH_BLOCK rule 20 protocol 'tcp'
set firewall ipv4 name SSH_BLOCK rule 20 source address '!49.248.84.136/29'

set firewall zone GLOBAL default-action 'drop'
set firewall zone GLOBAL from LOCAL firewall name 'ALLOW_ALL'
set firewall zone GLOBAL interface 'eth0'

set firewall zone LOCAL default-action 'drop'
set firewall zone LOCAL from GLOBAL firewall name 'SSH_BLOCK'
set firewall zone LOCAL local-zone

In your SSH_BLOCK policy you’re allowing related/established, then dropping any traffic going to TCP/22 that’s not from 49.248.84.136/29, then it hits the zone’s default action of drop.

You’re not allowing anything else…

It would be better to write your firewall policies as an allowlist instead of a denylist. For example, you could have the below policy for what's allowed to the router itself. When you want to allow additional things, e.g. SNMP for this example, you just add a new rule to allow it, then everything else is blocked by default.

set firewall ipv4 name ALLOW_ALL default-action 'accept'

set firewall ipv4 name FIREWALL-LOCAL default-action 'drop'
set firewall ipv4 name FIREWALL-LOCAL default-log
set firewall ipv4 name FIREWALL-LOCAL rule 10 action 'accept'
set firewall ipv4 name FIREWALL-LOCAL rule 10 description "Allow related/established"
set firewall ipv4 name FIREWALL-LOCAL rule 10 state 'established'
set firewall ipv4 name FIREWALL-LOCAL rule 10 state 'related'

set firewall ipv4 name FIREWALL-LOCAL rule 20 action 'accept'
set firewall ipv4 name FIREWALL-LOCAL rule 20 description "Allow SSH from Trusted"
set firewall ipv4 name FIREWALL-LOCAL rule 20 destination port '22'
set firewall ipv4 name FIREWALL-LOCAL rule 20 protocol 'tcp'
set firewall ipv4 name FIREWALL-LOCAL rule 20 source address '49.248.84.136/29'

set firewall ipv4 name FIREWALL-LOCAL rule 30 action 'accept'
set firewall ipv4 name FIREWALL-LOCAL rule 30 description "Allow SNMP from Trusted"
set firewall ipv4 name FIREWALL-LOCAL rule 30 destination port '161'
set firewall ipv4 name FIREWALL-LOCAL rule 30 protocol 'udp'
set firewall ipv4 name FIREWALL-LOCAL rule 30 source address '49.248.84.136/29'

set firewall zone GLOBAL default-action 'drop'
set firewall zone GLOBAL from LOCAL firewall name 'ALLOW_ALL'
set firewall zone GLOBAL interface 'eth0'

set firewall zone LOCAL default-action 'drop'
set firewall zone LOCAL from GLOBAL firewall name 'FIREWALL-LOCAL'
set firewall zone LOCAL local-zone


Thanks Adam for your swift response!

We have already tested this using an allowlist and were able to successfully restrict SSH access; however, users connected on the LAN side were unable to access the internet.

Sharing the policy configured earlier.

set firewall ipv4 name ALLOW_ALL default-action 'accept'

set firewall ipv4 name SSH_BLOCK default-action 'drop'
set firewall ipv4 name SSH_BLOCK default-log
set firewall ipv4 name SSH_BLOCK rule 10 action 'accept'
set firewall ipv4 name SSH_BLOCK rule 10 log
set firewall ipv4 name SSH_BLOCK rule 10 protocol 'all'
set firewall ipv4 name SSH_BLOCK rule 10 state 'established'
set firewall ipv4 name SSH_BLOCK rule 10 state 'related'
set firewall ipv4 name SSH_BLOCK rule 20 action 'accept'
set firewall ipv4 name SSH_BLOCK rule 20 destination port '22'
set firewall ipv4 name SSH_BLOCK rule 20 protocol 'tcp'
set firewall ipv4 name SSH_BLOCK rule 20 source address '49.248.84.136/29'

set firewall zone GLOBAL default-action 'drop'
set firewall zone GLOBAL from LOCAL firewall name 'ALLOW_ALL'
set firewall zone GLOBAL interface 'eth0'

set firewall zone LOCAL default-action 'drop'
set firewall zone LOCAL from GLOBAL firewall name 'SSH_BLOCK'
set firewall zone LOCAL local-zone

Also, we have removed the state related from rule 10 but no luck. Could you help here to conclude this? Thanks!

set firewall ipv4 name SSH_BLOCK rule 10 action 'accept'
set firewall ipv4 name SSH_BLOCK rule 10 log
set firewall ipv4 name SSH_BLOCK rule 10 protocol 'all'

Your specific "SSH_BLOCK" policy is a bit of a silly policy since it would end up being the policy you use for any traffic coming from GLOBAL to local, since you're using a zone-based firewall. You should set up your policies like below, and have policies like GLOBAL_TO_LOCAL and LOCAL_TO_LAN. This way you have zone-to-zone policies; if you need to add something new, you can add it to the existing policy as a new rule to allow it.

Groups

set firewall group network-group MGMT network 49.248.84.136/29

Policies

set firewall ipv4 name ALLOW_ALL default-action accept

set firewall ipv4 name DENY_ALL default-action drop
set firewall ipv4 name DENY_ALL rule 10 action accept
set firewall ipv4 name DENY_ALL rule 10 description "Allow Established/Related"
set firewall ipv4 name DENY_ALL rule 10 state established
set firewall ipv4 name DENY_ALL rule 10 state related
set firewall ipv4 name DENY_ALL rule 20 action drop
set firewall ipv4 name DENY_ALL rule 20 description "Drop Invalid"
set firewall ipv4 name DENY_ALL rule 20 state invalid

set firewall ipv4 name GLOBAL_TO_LOCAL rule 10 action accept
set firewall ipv4 name GLOBAL_TO_LOCAL rule 10 description "Allow Established/Related"
set firewall ipv4 name GLOBAL_TO_LOCAL rule 10 state established
set firewall ipv4 name GLOBAL_TO_LOCAL rule 10 state related
set firewall ipv4 name GLOBAL_TO_LOCAL rule 20 action drop
set firewall ipv4 name GLOBAL_TO_LOCAL rule 20 description "Drop Invalid"
set firewall ipv4 name GLOBAL_TO_LOCAL rule 20 state invalid
set firewall ipv4 name GLOBAL_TO_LOCAL rule 30 action accept
set firewall ipv4 name GLOBAL_TO_LOCAL rule 30 description "Allow SSH from MGMT"
set firewall ipv4 name GLOBAL_TO_LOCAL rule 30 destination port 22
set firewall ipv4 name GLOBAL_TO_LOCAL rule 30 protocol tcp
set firewall ipv4 name GLOBAL_TO_LOCAL rule 30 source group network-group MGMT

Zones

set firewall zone GLOBAL default-action drop
set firewall zone GLOBAL from LOCAL firewall name ALLOW_ALL
set firewall zone GLOBAL from LAN firewall name ALLOW_ALL
set firewall zone GLOBAL interface eth0

set firewall zone LOCAL default-action drop
set firewall zone LOCAL from GLOBAL firewall name GLOBAL_TO_LOCAL
set firewall zone LOCAL from LAN firewall name ALLOW_ALL
set firewall zone LOCAL local-zone

set firewall zone LAN default-action drop
set firewall zone LAN from GLOBAL firewall name DENY_ALL
set firewall zone LAN from LOCAL firewall name ALLOW_ALL
set firewall zone LAN interface eth1
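A small evaluator for the allowlist rulesets in both of Adam's replies, added here as an illustration and not code from the thread or from VyOS. It assumes the firewall's first-match rule order and a drop default-action; `CFG` is a constructed, condensed copy of the GLOBAL_TO_LOCAL policy above, and the `!CIDR` handling covers the negated source used in the original SSH_BLOCK rule 20.

```python
# Added example, not VyOS code: first matching rule wins, else the ruleset default-action.
import ipaddress
from collections import defaultdict

CFG = """
set firewall group network-group MGMT network 49.248.84.136/29
set firewall ipv4 name GLOBAL_TO_LOCAL default-action drop
set firewall ipv4 name GLOBAL_TO_LOCAL rule 10 action accept
set firewall ipv4 name GLOBAL_TO_LOCAL rule 10 state established
set firewall ipv4 name GLOBAL_TO_LOCAL rule 10 state related
set firewall ipv4 name GLOBAL_TO_LOCAL rule 30 action accept
set firewall ipv4 name GLOBAL_TO_LOCAL rule 30 destination port 22
set firewall ipv4 name GLOBAL_TO_LOCAL rule 30 protocol tcp
set firewall ipv4 name GLOBAL_TO_LOCAL rule 30 source group network-group MGMT
"""  # constructed: the GLOBAL_TO_LOCAL allowlist from the thread, condensed

def parse(cfg):
    rulesets = defaultdict(lambda: {"default": "drop", "rules": defaultdict(dict)})
    groups = defaultdict(list)                     # network-group name -> [CIDR, ...]
    for line in cfg.strip().splitlines():
        t = line.replace("'", "").split()          # VyOS quotes values; strip them
        if t[2:4] == ["group", "network-group"]:
            groups[t[4]].append(t[6])
        elif t[2:4] == ["ipv4", "name"] and t[5] == "default-action":
            rulesets[t[4]]["default"] = t[6]
        elif t[2:4] == ["ipv4", "name"] and t[5] == "rule":
            rule, key = rulesets[t[4]]["rules"][int(t[6])], " ".join(t[7:-1])
            if key == "state":                     # repeated 'state' lines form one set
                rule.setdefault("state", set()).add(t[-1])
            elif key in ("action", "protocol", "destination port"):
                rule[key] = t[-1]
            elif key in ("source address", "source group network-group"):
                rule["source"] = groups[t[-1]] if "group" in key else [t[-1]]
    return rulesets

def src_match(specs, src):
    ip = ipaddress.ip_address(src)                 # '!CIDR' means "not inside CIDR"
    return any((ip in ipaddress.ip_network(s.lstrip("!"), strict=False)) != s.startswith("!") for s in specs)

def evaluate(rulesets, name, src, proto, dport, state):
    rs = rulesets[name]
    for _, r in sorted(rs["rules"].items()):       # rule numbers fix the match order
        if ("state" in r and state not in r["state"]
                or r.get("protocol", "all") not in ("all", proto)
                or "destination port" in r and int(r["destination port"]) != dport
                or "source" in r and not src_match(r["source"], src)):
            continue                               # a criterion failed: try next rule
        return r.get("action", "drop")
    return rs["default"]                           # nothing matched: default-action
```

Feeding it a new TCP/22 flow from inside 49.248.84.136/29 returns accept, the same flow from any other source or to any other port falls through to the drop default, and an established flow is accepted by rule 10 regardless of source.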

Thank you once again Adam for sharing the correct policy configuration and clarifying the implementation details.

We have tested it, and it is working as expected. Could you please confirm if there's an alternative way to achieve this configuration other than zone-based policy in VyOS 1.4 (March 2024 release)? Earlier, we used to configure and apply the policy directly on the respective interface to meet this requirement.

Please advise!