Is is possible to apply firewall rules to a dummy interface

sam999 · July 1, 2022, 3:49am

Hello,

I have applied below rules on dummy interface, suppose it should deny all SSH to dum1, but I still able access. I have to apply this rules to my eth0(WAN), then it can block SSH access. It seems dummy interface just didn’t support firewall rules?

Is there any way to restrict access to the management dummy interface? I know that I can apply rules on the incoming interface, but the problem is my interface has over 10Gbps, I am afraid appling firewall rules may bring additional CPU overhead.

set firewall name ACL-MGMT-PUB rule 999 action 'drop'
set firewall name ACL-MGMT-PUB rule 999 destination port '22'
set firewall name ACL-MGMT-PUB rule 999 protocol 'tcp'

set interfaces dummy dum1 firewall local name 'ACL-MGMT-PUB'

RyVolodya · July 1, 2022, 1:03pm

Hello @sam999

You can use the listening address for ssh:

set service ssh listen-address <your listen address>

16again · July 1, 2022, 4:37pm

I guess the firewall rule will only match for ssh packets entering on interface dummy1.
But for sure, your packets originate somewhere else

sam999 · July 8, 2022, 4:37pm

Yes, my lisent-address is on dummy interface and it’s a public IP, so I would like to apply firewall rules to protection. It seems dummy interface is not support firewall rules.

16again · July 9, 2022, 9:11am

Even if you assign a public IP to dummy interface, that’s still not where the packet enters. Or leaves.
As it comes in on some WAN link , like eth0.
Use tcpdump on dummy1 interface to verify