Firewall `recent` seems to block all requests

I’m following the examples in the Quick Start — VyOS 1.4.x (sagitta) documentation, but when I add the firewall SSH rate limit — I am locked out completely.

Ruleset Name    Description    References
--------------  -------------  ------------
OUTSIDE-IN                     (eth0,in)
OUTSIDE-LOCAL                  (eth0,local)

 name OUTSIDE-LOCAL {
     default-action drop
     rule 10 {
         action accept
         state {
             established enable
             related enable
         }
     }
     rule 20 {
         action accept
         icmp {
             type-name echo-request
         }
         protocol icmp
         state {
             new enable
         }
     }
     rule 30 {
         action reject
         destination {
             port 22
         }
         log enable
         protocol tcp
         recent {
             count 4
             time 60
         }
         state {
             new enable
         }
     }
     rule 31 {
         action accept
         destination {
             port 22
         }
         protocol tcp
         state {
             new enable
         }
     }
 }

If rule 30 is enabled, I am unable to SSH into VyOS. Confirmed by the log:

[OUTSIDE-LOCAL-30-R] IN=eth0 OUT= MAC=x SRC=192.168.1.222 DST=192.168.1.187 LEN=60 TOS=0x08 PREC=0x40 TTL=64 ID=5155 DF PROTO=TCP SPT=36298 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0

I am using VyOS 1.4-rolling-202201230317.

Is there something I’m not understanding about recent?
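What rules 30 and 31 are meant to do, and a check for the symptom in the log above, as an added example that is not part of the original thread or of the VyOS project. The model below uses the values from the posted config (count 4, time 60) and assumes a sliding window in which a source matches once it has `count` or more hits, including the current packet, within `time` seconds; that semantics is an assumption for illustration, not a statement about the VyOS or netfilter implementation. The log checker assumes rule 31 also has `log enable`, so that accepts show up as `[OUTSIDE-LOCAL-31-A]`, and the log lines it runs on are constructed, not captured.

```python
"""Sliding-window model of the OUTSIDE-LOCAL ruleset from the post, plus a
checker for its firewall log lines (added example, not VyOS project code)."""
import re
from collections import defaultdict, deque

COUNT, TIME = 4, 60          # rule 30: recent count 4, time 60 (from the post)


class RecentMatch:
    """Per-source list of hit timestamps, in the spirit of a `recent` table.
    Window semantics are an assumption made for this example."""

    def __init__(self, count, time):
        self.count, self.time = count, time
        self.seen = defaultdict(deque)   # src -> timestamps inside the window

    def hit(self, src, now):
        """Record this packet; True if src has `count` or more hits
        (including this one) in the last `time` seconds."""
        stamps = self.seen[src]
        while stamps and now - stamps[0] > self.time:
            stamps.popleft()             # expire hits older than the window
        stamps.append(now)
        return len(stamps) >= self.count


def outside_local(pkt, recent):
    """Walk the posted OUTSIDE-LOCAL rules for one packet and return the
    number of the rule that decides it (0 means the default-action drop)."""
    if pkt["state"] in ("established", "related"):
        return 10
    if pkt["state"] != "new":
        return 0
    if pkt["proto"] == "icmp" and pkt.get("icmp_type") == "echo-request":
        return 20
    if pkt["proto"] == "tcp" and pkt["dport"] == 22:
        if recent.hit(pkt["src"], pkt["ts"]):
            return 30                    # reject, logged as OUTSIDE-LOCAL-30-R
        return 31                        # accept
    return 0


def syn(src, ts):
    """A new inbound TCP SYN to port 22 (constructed test traffic)."""
    return {"proto": "tcp", "dport": 22, "state": "new", "src": src, "ts": ts}


def simulate(packets, count=COUNT, time=TIME):
    """Rule number chosen for each packet, in order, with a fresh recent table."""
    recent = RecentMatch(count, time)
    return [outside_local(p, recent) for p in packets]


# Matches the "[RULESET-RULE-ACTION] ... SRC=... DPT=..." shape of the log line
# quoted in the post (R = reject, A = accept).
LOG_RE = re.compile(
    r"\[(?P<ruleset>[A-Z0-9_-]+?)-(?P<rule>\d+)-(?P<action>[A-Z])\]"
    r".*?SRC=(?P<src>\S+).*?DPT=(?P<dport>\d+)")


def premature_rejects(lines, count=COUNT):
    """Return (src, prior_hits) for every rule-30 reject that arrived before
    the source had count-1 earlier logged port-22 hits. With a working rate
    limit this list is empty. Window expiry is ignored on purpose: this only
    catches the "rejected on the first SYN" symptom, not rejects that are late.
    Assumes rule 31 logs its accepts as well."""
    hits = defaultdict(int)
    bad = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or m["dport"] != "22":
            continue
        src = m["src"]
        if m["rule"] == "30" and hits[src] < count - 1:
            bad.append((src, hits[src]))
        hits[src] += 1
    return bad


# Constructed log lines: the first one mirrors the symptom from the post (the
# very first SYN from a host is already rejected); the rest show what a working
# limit would log for another host once rule 31 also has `log enable`.
SAMPLE_LOG = [
    "[OUTSIDE-LOCAL-30-R] IN=eth0 OUT= SRC=192.168.1.222 DST=192.168.1.187 PROTO=TCP SPT=36298 DPT=22 SYN",
    "[OUTSIDE-LOCAL-31-A] IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.187 PROTO=TCP SPT=40001 DPT=22 SYN",
    "[OUTSIDE-LOCAL-31-A] IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.187 PROTO=TCP SPT=40002 DPT=22 SYN",
    "[OUTSIDE-LOCAL-31-A] IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.187 PROTO=TCP SPT=40003 DPT=22 SYN",
    "[OUTSIDE-LOCAL-30-R] IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.187 PROTO=TCP SPT=40004 DPT=22 SYN",
]

if __name__ == "__main__":
    burst = [syn("192.168.1.222", t) for t in (0, 5, 10, 15, 20)]
    print(simulate(burst + [syn("192.168.1.222", 100)]))
    print(premature_rejects(SAMPLE_LOG))
```

With the assumed semantics, five SYNs from one host within 60 seconds should hit rule 31 three times and rule 30 twice, and a SYN after the window has expired should be accepted again; a rule-30 reject logged for a source with no prior hits is exactly what the post's log line shows, and is what `premature_rejects` flags.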

Firewall was rewritten.
I created a task T4209.

Thanks for the feedback, do you want me to add a note to the Quick Guide?

It is a bug in the new firewall.
I hope it will be fixed soon.


Great, I’ll follow the bug and retest once fixed.
