Issues with rules WAN-LOCAL, firewall didn't work

Hi,
I have issues dropping packets from the internet to VyOS (using 1.4).
wan → eth0

firewall config:

set firewall ipv4 name WAN-LOCAL default-action 'drop'
set firewall ipv4 name WAN-LOCAL rule 10 action 'drop'
set firewall ipv4 name WAN-LOCAL rule 10 destination port '22'
set firewall ipv4 name WAN-LOCAL rule 10 protocol 'tcp'
set firewall ipv4 name WAN-LOCAL rule 10 recent count '4'
set firewall ipv4 name WAN-LOCAL rule 10 recent time 'minute'
set firewall ipv4 name WAN-LOCAL rule 11 action 'drop'
set firewall ipv4 name WAN-LOCAL rule 11 destination port '22'
set firewall ipv4 name WAN-LOCAL rule 11 inbound-interface name 'eth0'
set firewall ipv4 name WAN-LOCAL rule 11 outbound-interface name 'eth0'
set firewall ipv4 name WAN-LOCAL rule 11 protocol 'tcp'
set firewall ipv4 name WAN-LOCAL rule 11 state 'new'

ipv4 Firewall "name WAN-LOCAL"

Rule     Action  Protocol  Packets  Bytes  Conditions
-------  ------  --------  -------  -----  ----------------------------------------------------------------------------------------------
10       drop    tcp       0        0      tcp dport 22 add @RECENT_NAM_WAN-LOCAL_10 { ip saddr limit rate over 4/minute burst 4 packets }
11       drop    tcp       0        0      ct state new tcp dport 22 iifname "eth0" oifname "eth0"
default  drop    all       0        0

When I try to connect from the internet to VyOS using ssh (port 22), it works and connects. I need to know why it can't drop these packets when the rule shown is drop.

Thanks

So rule 10 works as expected for you, but rule 11 does not?
For rule 11, you need to delete outbound-interface (since it's for the router itself):

delete firewall ipv4 name WAN-LOCAL rule 11 outbound-interface

Hi Nicolas,

I have issues applying WAN-LOCAL to the WAN interface.
My config has zone WAN on eth0.

I think the issue is that I need to set this rule on the WAN interface.

Please, can you help with the command to apply WAN-LOCAL to my WAN interface?

Thanks

Jose

Maybe start by sending all traffic received on the WAN interface (eth0) towards the router to your custom chain:

set firewall ipv4 input filter rule 10 inbound-interface name eth0
set firewall ipv4 input filter rule 10 action jump
set firewall ipv4 input filter rule 10 jump-target 'WAN-LOCAL'

Ohh, it looks like you are using zones.
Did you define a local zone? Did you define traffic from the WAN zone to the local zone?

Hi Nicolas,

I defined WAN but I don't know how to define local and how to assign WAN-to-Local to inbound traffic to the router.

Maybe you can share an example?

thanks

https://docs.vyos.io/en/latest/configuration/firewall/zone.html

From my running setup:

$ show firewall zone-policy
Zone     Interfaces    From Zone    Firewall IPv4    Firewall IPv6
-------  ------------  -----------  ---------------  ---------------
lan      eth3          local        local_lan        local_lan-6
                       wan          wan_lan          wan_lan-6
local    LOCAL         lan          lan_local        lan_local-6
                       wan          wan_local        wan_local-6
wan      eth0          lan          lan_wan          lan_wan-6
                       local        local_wan        local_wan-6

$ show configuration commands | grep "global-options" | strip-private
set firewall global-options state-policy established action 'accept'
set firewall global-options state-policy invalid action 'drop'
set firewall global-options state-policy related action 'accept'

$ show configuration commands | grep "zone lan" | strip-private
set firewall zone lan default-action 'reject'
set firewall zone lan from local firewall ipv6-name 'local_lan-6'
set firewall zone lan from local firewall name 'local_lan'
set firewall zone lan from wan firewall ipv6-name 'wan_lan-6'
set firewall zone lan from wan firewall name 'wan_lan'
set firewall zone lan interface 'eth3'

$ show configuration commands | grep "zone local" | strip-private
set firewall zone local default-action 'reject'
set firewall zone local from lan firewall ipv6-name 'lan_local-6'
set firewall zone local from lan firewall name 'lan_local'
set firewall zone local from wan firewall ipv6-name 'wan_local-6'
set firewall zone local from wan firewall name 'wan_local'
set firewall zone local local-zone

$ show configuration commands | grep "zone wan" | strip-private
set firewall zone wan default-action 'reject'
set firewall zone wan from lan firewall ipv6-name 'lan_wan-6'
set firewall zone wan from lan firewall name 'lan_wan'
set firewall zone wan from local firewall ipv6-name 'local_wan-6'
set firewall zone wan from local firewall name 'local_wan'
set firewall zone wan interface 'eth0'

$ show configuration commands | grep firewall | grep wan_local | strip-private
set firewall ipv4 name wan_local default-action 'drop'
set firewall ipv4 name wan_local description 'IPv4 traffic rules from WAN to router'
set firewall ipv4 name wan_local rule 10 action 'accept'
set firewall ipv4 name wan_local rule 10 description 'Allow ICMPv4'
set firewall ipv4 name wan_local rule 10 protocol 'icmp'
set firewall ipv4 name wan_local rule 20 action 'accept'
set firewall ipv4 name wan_local rule 20 description 'Allow DHCP Renew'
set firewall ipv4 name wan_local rule 20 destination port '68'
set firewall ipv4 name wan_local rule 20 protocol 'udp'
set firewall ipv4 name wan_local rule 100 action 'drop'
set firewall ipv4 name wan_local rule 100 description 'DROP MultiCast from ISP CMTS'
set firewall ipv4 name wan_local rule 100 destination address 'xxx.xxx.0.1'
set firewall ipv4 name wan_local rule 100 protocol 'igmp'
set firewall ipv4 name wan_local rule 100 source address 'xxx.xxx.64.1'
set firewall ipv6 name wan_local-6 default-action 'drop'
set firewall ipv6 name wan_local-6 description 'IPv6 traffic rules from WAN to router'
set firewall ipv6 name wan_local-6 rule 10 action 'accept'
set firewall ipv6 name wan_local-6 rule 10 description 'Allow ICMPv6 traffic'
set firewall ipv6 name wan_local-6 rule 10 protocol 'icmpv6'
set firewall ipv6 name wan_local-6 rule 20 action 'accept'
set firewall ipv6 name wan_local-6 rule 20 description 'Allow DHCPv6 traffic'
set firewall ipv6 name wan_local-6 rule 20 destination port '546'
set firewall ipv6 name wan_local-6 rule 20 protocol 'udp'
set firewall ipv6 name wan_local-6 rule 20 source port '547'

The global-options state-policy config entries save having to create those 3 rules in each zone rule set/firewall.

You need to create a rule set/firewall for each defined direction between zones, even if all it has is a default-action.
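Two of the points made in this thread can be checked mechanically from a `show configuration commands` dump: Nicolas's point that a ruleset applied to the router itself must not match on outbound-interface, and Goofball's point that every direction between zones needs its own ruleset. The following lint script is an added example written for this thread, not VyOS code and not from any poster; the regexes, the `lint_zone_config` function and the two sample configurations (one mirroring the original post, one corrected) are all constructed here and assume the `set firewall ...` syntax shown above.

```python
"""Lint a VyOS 1.4 'show configuration commands' dump for two zone-policy pitfalls.

Added example (not VyOS code). Checks:
  1. a zone pair declared in one direction only, or a referenced ruleset that is
     never defined (traffic in the missing direction falls to the zone default-action);
  2. a ruleset attached to the local zone ('local-zone') that matches on
     outbound-interface, which cannot match traffic addressed to the router itself.
"""
import re
from collections import defaultdict

# Constructed regexes for the 'set firewall ...' lines the lint cares about.
ZONE_LINE = re.compile(r"^set firewall zone (\S+)(?: (.*))?$")
FROM_LINE = re.compile(r"^from (\S+) firewall (name|ipv6-name) '?([^']+)'?$")
RULESET_LINE = re.compile(r"^set firewall (ipv4|ipv6) name (\S+)(?: rule (\d+) (\S+))?")
FAMILY_OF = {"name": "ipv4", "ipv6-name": "ipv6"}


def lint_zone_config(config_text):
    """Return a list of human-readable findings for the given config dump."""
    local_zones = set()
    directions = {}              # (to_zone, from_zone, family) -> ruleset name
    rulesets = defaultdict(set)  # (family, ruleset) -> rule option keywords seen

    for raw in config_text.splitlines():
        line = raw.strip()
        m = ZONE_LINE.match(line)
        if m:
            zone, rest = m.group(1), m.group(2) or ""
            if rest == "local-zone":
                local_zones.add(zone)
            fm = FROM_LINE.match(rest)
            if fm:
                src, key, name = fm.groups()
                directions[(zone, src, FAMILY_OF[key])] = name
            continue
        m = RULESET_LINE.match(line)
        if m:
            family, name, _rule, option = m.groups()
            options = rulesets[(family, name)]  # registers default-action-only sets too
            if option:
                options.add(option)

    findings = []
    for (to_zone, from_zone, family), name in sorted(directions.items()):
        # 1a. the reverse direction for the same address family must exist
        if (from_zone, to_zone, family) not in directions:
            findings.append(
                f"{family}: {to_zone} <- {from_zone} uses '{name}' but no ruleset covers "
                f"{from_zone} <- {to_zone}; that traffic hits zone {from_zone} default-action")
        # 1b. the referenced ruleset must actually be defined
        if (family, name) not in rulesets:
            findings.append(f"{family}: ruleset '{name}' referenced by zone {to_zone} is not defined")
        # 2. outbound-interface makes no sense for traffic to the router itself
        if to_zone in local_zones and "outbound-interface" in rulesets.get((family, name), set()):
            findings.append(
                f"{family}: '{name}' is applied to local zone {to_zone} but rule(s) match on "
                f"outbound-interface; traffic to the router has no output interface")
    return findings


# Constructed sample mirroring the original post: local zone only, rule 11 with
# outbound-interface, and an IPv6 ruleset referenced but never defined.
SAMPLE_CONFIG = """
set firewall ipv4 name WAN-LOCAL default-action 'drop'
set firewall ipv4 name WAN-LOCAL rule 11 action 'drop'
set firewall ipv4 name WAN-LOCAL rule 11 destination port '22'
set firewall ipv4 name WAN-LOCAL rule 11 inbound-interface name 'eth0'
set firewall ipv4 name WAN-LOCAL rule 11 outbound-interface name 'eth0'
set firewall ipv4 name WAN-LOCAL rule 11 protocol 'tcp'
set firewall ipv4 name WAN-LOCAL rule 11 state 'new'
set firewall zone local default-action 'reject'
set firewall zone local from wan firewall name 'WAN-LOCAL'
set firewall zone local from wan firewall ipv6-name 'WAN-LOCAL-6'
set firewall zone local local-zone
set firewall zone wan default-action 'reject'
set firewall zone wan interface 'eth0'
"""

# Constructed corrected sample: outbound-interface removed, both directions defined.
FIXED_CONFIG = """
set firewall ipv4 name WAN-LOCAL default-action 'drop'
set firewall ipv4 name WAN-LOCAL rule 11 action 'drop'
set firewall ipv4 name WAN-LOCAL rule 11 destination port '22'
set firewall ipv4 name WAN-LOCAL rule 11 inbound-interface name 'eth0'
set firewall ipv4 name WAN-LOCAL rule 11 protocol 'tcp'
set firewall ipv4 name WAN-LOCAL rule 11 state 'new'
set firewall ipv4 name LOCAL-WAN default-action 'accept'
set firewall zone local default-action 'reject'
set firewall zone local from wan firewall name 'WAN-LOCAL'
set firewall zone local local-zone
set firewall zone wan default-action 'reject'
set firewall zone wan from local firewall name 'LOCAL-WAN'
set firewall zone wan interface 'eth0'
"""

if __name__ == "__main__":
    for finding in lint_zone_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

On the first sample the script reports the missing wan <- local direction for both families, the undefined 'WAN-LOCAL-6' ruleset, and the outbound-interface match in WAN-LOCAL; on the corrected sample it reports nothing. Feed it the real dump with `show configuration commands | grep firewall | strip-private` saved to a file.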

Hi Goofball,

Thanks for quick reply
I have a question:

  1. Does the local zone have no interface assigned? This means it needs to be attached to the WAN in case I need to block traffic coming from the internet to my VyOS.

show firewall zone local

set firewall zone local default-action 'reject'
set firewall zone local from lan firewall ipv6-name 'lan_local-6'
set firewall zone local from lan firewall name 'lan_local'
set firewall zone local from wan firewall ipv6-name 'wan_local-6'
set firewall zone local from wan firewall name 'wan_local'
set firewall zone local local-zone

  2. With these commands in my config, don't I need to add action accept, state established, state related to all my rules? Is declaring them globally enough to work in all my rules?

set global-options state-policy established action 'accept'
set global-options state-policy invalid action 'drop'
set global-options state-policy related action 'accept'

Thanks
Jose

Yes:
1- A zone defined as local, with the 'local-zone' command, doesn't need an interface. When you define a zone as 'local', this means the router itself. It will control traffic towards the router itself (for example ssh to the router).
2- When using those global state policies, there's no need to re-define state policies in other places. They are inserted at the beginning of the ruleset, so if a connection is established, it will be accepted.

1 Like

Thanks for all your help!!

1 Like