How to configure it so that only a limited set of office IPs can SSH


#1

Hi sifus,
I am new to VyOS… I want to configure it so that only our office LAN IP is allowed to SSH, and SSH from all other IPs is blocked.

I have started the SSH service and tried to implement the firewall rules below on the LAN interface, but it failed…

set firewall name LAN-Local-In rule 10 action 'accept'
set firewall name LAN-Local-In rule 10 destination port '22'
set firewall name LAN-Local-In rule 10 protocol 'tcp'
set firewall name LAN-Local-In rule 10 source group network-group 'Router-SSH-ALLOW'
set firewall group network-group Router-SSH-ALLOW network 192.168.168.168/32
set interfaces ethernet eth3 firewall local name LAN-Local-In
commit

After I take out the firewall rules, I am able to SSH again… :frowning:
Can anyone give me a good suggestion? Thank you very much.


#3

Sorry about the spam, didn’t read the post correctly the first time. I think you want to change the configuration to:

set interfaces ethernet eth3 firewall in name LAN-Local-In

From the docs:

Important note on usage of terms: The firewall makes use of the terms in, out, and local for firewall policy. Users experienced with netfilter often confuse in to be a reference to the INPUT chain, and out the OUTPUT chain from netfilter. This is not the case. These instead indicate the use of the FORWARD chain and either the input or output interface. The INPUT chain, which is used for local traffic to the OS, is a reference to as local with respect to its input interface.

Mine works similarly with firewall rules created for in and out:

set interfaces ethernet eth3 firewall in name 'LAN-IN'
set interfaces ethernet eth3 firewall local name 'LAN-IN'
set interfaces ethernet eth3 firewall out name 'LAN-OUT'

Edit: Didn’t paste in the local line


#4

Your rules look OK. Please enable logging, then you will see if a rule drops your traffic.
set firewall name LAN-Local-In rule 10 log enable
Also, have you set a default action for your firewall rules?
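Putting the thread's pieces together, here is a complete rule set that restricts SSH on the router to the office LAN. It is an added example, not a configuration posted by anyone in the thread: it follows the VyOS documentation quoted in #3 (the `local` hook is the INPUT chain, i.e. traffic to the router itself), adds the explicit default action and the logging that #4 asks about, and keeps the rule names from #1. The office subnet `192.168.168.0/24`, the group name `OFFICE-SSH` and the interface `eth3` are assumptions; the syntax is VyOS 1.2/1.3 style.

```vyos
# Added example, not from the original thread. Assumes VyOS 1.2/1.3 syntax,
# the office LAN is 192.168.168.0/24 and the LAN interface is eth3.
configure

# Use the whole office subnet instead of a single /32 so every office
# workstation can reach the router; adjust to the real office range.
set firewall group network-group OFFICE-SSH network '192.168.168.0/24'

# Explicit default action: anything not matched below is dropped and logged,
# so a lock-out shows up in the firewall log instead of silently failing.
set firewall name LAN-Local-In default-action 'drop'
set firewall name LAN-Local-In enable-default-log

# Rule 5: keep already-established sessions (including the one you are
# configuring from) working, so applying the rule set does not cut you off.
set firewall name LAN-Local-In rule 5 action 'accept'
set firewall name LAN-Local-In rule 5 state established 'enable'
set firewall name LAN-Local-In rule 5 state related 'enable'

# Rule 10: new SSH connections only from the office network group, logged.
set firewall name LAN-Local-In rule 10 action 'accept'
set firewall name LAN-Local-In rule 10 protocol 'tcp'
set firewall name LAN-Local-In rule 10 destination port '22'
set firewall name LAN-Local-In rule 10 source group network-group 'OFFICE-SSH'
set firewall name LAN-Local-In rule 10 log 'enable'

# Rule 20: allow ICMP so the router stays reachable for troubleshooting.
set firewall name LAN-Local-In rule 20 action 'accept'
set firewall name LAN-Local-In rule 20 protocol 'icmp'

# Attach the rule set with the 'local' hook: this is the INPUT chain for
# traffic destined to the router, which is where SSH to the router lands.
# ('in' would filter traffic forwarded through eth3, not traffic to the router.)
set interfaces ethernet eth3 firewall local name 'LAN-Local-In'

# Roll back automatically unless confirmed within 5 minutes, so a wrong
# source range cannot lock you out of the router.
commit-confirm 5
# ... test SSH from an office host, then:
confirm
save
exit
```

After committing, `show firewall name LAN-Local-In` lists per-rule packet counters and `show log firewall name LAN-Local-In` shows the logged hits, so you can see whether an SSH attempt matched rule 10 or fell through to the default drop. If the router has other interfaces (for example a WAN side), the same rule set, or a stricter one, needs to be attached with `local` on each of them, since each interface's `local` hook only covers traffic arriving on that interface; as a second layer, `set service ssh listen-address` can bind the SSH daemon to the LAN address only.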