Hi everyone,
Sorry for this basic question, but I need to create a whitelist for some IP addresses that we need to have access to. I created a group list for these three addresses:
set firewall group network-group Whitelist1
but when I want to add IP address like this:
set firewall group network-group Whitelist1 '104.16.x.38/32'
I got this message:
Configuration path: firewall group network-group Whitelist1 [104.16.x.38] is not valid
Set failed
I'm not sure what I should do, or whether I need to create anything else, but I have some commands like these for each network group that I have in the firewall:
set firewall name ACL-WAN-IN rule 9 action 'drop'
set firewall name ACL-WAN-IN rule 9 protocol 'all'
set firewall name ACL-WAN-IN rule 9 source group network-group 'DROP-TRAFFIC'
set firewall name ACL-WAN-IN rule 10 action 'accept'
set firewall name ACL-WAN-IN rule 10 protocol 'all'
set firewall name ACL-WAN-IN rule 10 source group network-group 'VCH'
set firewall name ACL-WAN-IN rule 11 action 'accept'
set firewall name ACL-WAN-IN rule 11 protocol 'all'
set firewall name ACL-WAN-IN rule 11 source group network-group 'L2TP'
set firewall name ACL-WAN-IN rule 25 action 'accept'
set firewall name ACL-WAN-IN rule 25 destination port '443'
set firewall name ACL-WAN-IN rule 25 protocol 'tcp'
set firewall name ACL-WAN-IN rule 29 action 'accept'
set firewall name ACL-WAN-IN rule 29 destination port '80'
set firewall name ACL-WAN-IN rule 29 protocol 'tcp'
set firewall name ACL-WAN-IN rule 30 action 'accept'
set firewall name ACL-WAN-IN rule 30 destination port '8000'
set firewall name ACL-WAN-IN rule 30 protocol 'tcp'
set firewall name ACL-WAN-IN rule 31 action 'accept'
set firewall name ACL-WAN-IN rule 31 destination port '554'
set firewall name ACL-WAN-IN rule 31 protocol 'tcp'
set firewall name ACL-WAN-IN rule 33 action 'accept'
set firewall name ACL-WAN-IN rule 33 destination port '636'
set firewall name ACL-WAN-IN rule 33 protocol 'tcp'
set firewall name ACL-WAN-IN rule 33 source group address-group 'ex1'
set firewall name ACL-WAN-IN rule 34 action 'drop'
set firewall name ACL-WAN-IN rule 34 protocol 'all'
set firewall name ACL-WAN-IN rule 34 source group address-group 'blacklist1'
set firewall name ACL-WAN-IN rule 98 action 'accept'
set firewall name ACL-WAN-IN rule 98 destination port '22'
set firewall name ACL-WAN-IN rule 98 protocol 'tcp'
set firewall name ACL-WAN-IN rule 98 source group address-group 'Fili'
set firewall name ACL-WAN-OUT default-action 'accept'
set firewall name ACL-WAN-OUT rule 9 action 'drop'
set firewall name ACL-WAN-OUT rule 9 destination group address-group 'blacklist1'
set firewall name ACL-WAN-OUT rule 9 protocol 'all'
set firewall name ACL-WAN-OUT rule 9 source group
Please, I need your help with the full commands if you can <3
I have eth0 as my LAN interface and eth1 as my WAN interface.
Thanks @acrane
I did, and I could add my rules, but I don't have access yet!
I found the IPs are changing because they are using Cloudflare or something like this:
As a last question, is there a way to add an address like "stream.cradlepointecm.com" in VyOS as a whitelist rule, and if so, how?
And also, is it enough to add an IP in "set firewall group network-group", or do I need to create other rules for it like:
set firewall name ACL-WAN-IN rule 9 action 'drop'
set firewall name ACL-WAN-IN rule 9 protocol 'all'
set firewall name ACL-WAN-IN rule 9 source group network-group 'DROP-TRAFFIC'
set firewall name ACL-WAN-IN rule 10 action 'accept'
set firewall name ACL-WAN-IN rule 10 protocol 'all'
set firewall name ACL-WAN-IN rule 10 source group network-group 'VCH'
set firewall name ACL-WAN-IN rule 11 action 'accept'
set firewall name ACL-WAN-IN rule 11 protocol 'all'
set firewall name ACL-WAN-IN rule 11 source group network-group 'L2TP'
set firewall name ACL-WAN-IN rule 25 action 'accept'
set firewall name ACL-WAN-IN rule 25 destination port '443'
set firewall name ACL-WAN-IN rule 25 protocol 'tcp'
set firewall name ACL-WAN-IN rule 29 action 'accept'
set firewall name ACL-WAN-IN rule 29 destination port '80'
set firewall name ACL-WAN-IN rule 29 protocol 'tcp'
set firewall name ACL-WAN-IN rule 30 action 'accept'
set firewall name ACL-WAN-IN rule 30 destination port '8000'
set firewall name ACL-WAN-IN rule 30 protocol 'tcp'
set firewall name ACL-WAN-IN rule 31 action 'accept'
set firewall name ACL-WAN-IN rule 31 destination port '554'
set firewall name ACL-WAN-IN rule 31 protocol 'tcp'
set firewall name ACL-WAN-IN rule 33 action 'accept'
set firewall name ACL-WAN-IN rule 33 destination port '636'
set firewall name ACL-WAN-IN rule 33 protocol 'tcp'
set firewall name ACL-WAN-IN rule 33 source group address-group 'ex1'
set firewall name ACL-WAN-IN rule 34 action 'drop'
set firewall name ACL-WAN-IN rule 34 protocol 'all'
set firewall name ACL-WAN-IN rule 34 source group address-group 'blacklist1'
set firewall name ACL-WAN-IN rule 98 action 'accept'
set firewall name ACL-WAN-IN rule 98 destination port '22'
set firewall name ACL-WAN-IN rule 98 protocol 'tcp'
set firewall name ACL-WAN-IN rule 98 source group address-group 'Fili'
set firewall name ACL-WAN-OUT default-action 'accept'
set firewall name ACL-WAN-OUT rule 9 action 'drop'
set firewall name ACL-WAN-OUT rule 9 destination group address-group 'blacklist1'
set firewall name ACL-WAN-OUT rule 9 protocol 'all'
set firewall name ACL-WAN-OUT rule 9 source group
Ali, as I recall VyOS does not support addresses like xxxxxxxx.xxxxxxxxx.com/net/etc., so it should be a direct IP.
Also, if you need to add IPs to your whitelist, you can just add them with the same command 'set firewall group network-group Whitelist1 network xxx.xxx.xxx.xxx/32'.
Or if you want to make a blacklist, it should be a different group with other rule numbers, according to rule number priority (lower number = higher priority).
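As an added illustration of the answer above (not code from the thread or from VyOS itself), this script builds the `set` commands for a network-group whitelist with the `network` keyword that the original command lacked, rejects entries that are not an IP or CIDR (such as the hostname asked about), and checks that the accept rule's number sorts ahead of the existing drop rules. The group name, rule number 5 and the sample addresses are assumptions.

```python
import ipaddress

# Constructed sample input: RFC 5737 documentation addresses plus the
# hostname from the thread, which VyOS cannot take as a network-group member.
SAMPLE_ENTRIES = ["203.0.113.5", "192.0.2.0/24", "198.51.100.7/32",
                  "stream.cradlepointecm.com"]


def split_entries(entries):
    """Separate valid IP/CIDR entries (normalised to CIDR form) from anything
    VyOS would refuse. A bare host address becomes a /32; a prefix with host
    bits set (e.g. 10.0.0.1/24) is treated as a typo and rejected."""
    valid, rejected = [], []
    for entry in entries:
        try:
            net = ipaddress.ip_network(entry.strip(), strict=True)
            valid.append(net.with_prefixlen)
        except ValueError:
            rejected.append(entry)
    return valid, rejected


def whitelist_commands(group, entries, ruleset="ACL-WAN-IN", rule=5):
    """Return the 'set' commands that create the network-group (note the
    'network' keyword) and one accept rule in `ruleset` that references it."""
    valid, rejected = split_entries(entries)
    cmds = [f"set firewall group network-group {group}"]
    cmds += [f"set firewall group network-group {group} network '{n}'" for n in valid]
    cmds += [
        f"set firewall name {ruleset} rule {rule} action 'accept'",
        f"set firewall name {ruleset} rule {rule} protocol 'all'",
        f"set firewall name {ruleset} rule {rule} source group network-group '{group}'",
    ]
    return cmds, rejected


def rule_takes_precedence(rule, drop_rules):
    """Rules are evaluated in ascending number order, so the whitelist accept
    rule must carry a lower number than every drop rule it should win over."""
    return all(rule < d for d in drop_rules)


if __name__ == "__main__":
    cmds, rejected = whitelist_commands("Whitelist1", SAMPLE_ENTRIES)
    print("\n".join(cmds))
    for r in rejected:
        print(f"# skipped (not an IP/CIDR, use a resolved address): {r}")
    # The thread's drop rules are 9 and 34; rule 5 sorts ahead of both.
    print("precedence ok:", rule_takes_precedence(5, [9, 34]))
```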