Latest nightly: show firewall in config and show log all do not show any firewall information

Looks like a bug I hope?

I am on latest nightly and nothing is there in config mode for “show firewall”, firewall is simply unavailable.
No firewall logs at all appear in normal mode when using show log all or show log firewall, as if the firewall simply disappeared!

mario@vyos007# show f

  Configuration path: [f] is not valid

[edit]
mario@vyos007# show
Possible completions:
 > high-availability
                High availability settings
 > interfaces   Network interfaces
 > load-balancing
                Configure load-balancing
 > nat          Network Address Translation (NAT) parameters
 > policy       Routing policy
 > protocols    Routing protocols
 > service      System services
 > system       System parameters


[edit]
mario@vyos007# show

And normal mode, show log all, no firewall rules appear at all, all my rules log apart from established and related

EDIT: further to that show firewall name bleh also shows nothing

mario@vyos007:~$ show firewall name lan-wan
Ruleset Information

OK something much weirder is going on here, my whole firewall actually seems to not be loaded.
FFFFFF

Not sure whats going on now but reboot results in no firewall getting loaded, need to determine what sort of damage control mode to enter, this was my perimiter. Hopefully I am still behind the NAT to protect me from internet baddies

Interesting, both today’s and yesterday nightlies will not work on my firewall configuration

Errors out when I manually try to load last know working config.
Apologies for screenshot but internet is currently unplugged

I tried to upgrade from 202112150318

The debug option is not being super helpful unfortunately

I had to revert back to 202112150318, that was scary.

Anyone have any input to share what may be happening here?

Can you share the firewall section of your config?

Yep! Had to pastebin it as too long vyos fw - Pastebin.com

It’s probably this rule in download-wan chain:

        rule 202 {
            action accept
            destination {
                group {
                    port-group pg-pia_wguard
                }
            }
            log enable
            protocol icmp
        }

port-group with protocol icmp, not sure why that doesn’t error in the old firewall.

I would also be interested to see how much quicker the new rolling loads for you with so many firewall rules. It should be a lot faster at boot.

I must have buggered up my grep earlier but I got a few of these with other protocols than the set ones in my earlier phone screen capture. Hmm! interesting!

EDIT: I missed the part about port or port-group, so this list below is not that big, and your entry may indeed be the only one

mario@vyos007:~$ show configuration commands | grep protocol | grep -v tcp | grep -v udp
set firewall name cam-firewall rule 10 protocol 'vrrp'
set firewall name dmz-download rule 100 protocol 'icmp'
set firewall name dmz-firewall rule 10 protocol 'vrrp'
set firewall name dmz-mgmt rule 100 protocol 'icmp'
set firewall name dmz-wan rule 100 protocol 'icmp'
set firewall name download-dmz rule 100 protocol 'icmp'
set firewall name download-firewall rule 10 protocol 'vrrp'
set firewall name download-wan rule 100 protocol 'icmp'
set firewall name download-wan rule 202 protocol 'icmp'
set firewall name firewall-cam rule 10 protocol 'vrrp'
set firewall name firewall-cam rule 100 protocol 'icmp'
set firewall name firewall-dmz rule 10 protocol 'vrrp'
set firewall name firewall-dmz rule 100 protocol 'icmp'
set firewall name firewall-download rule 10 protocol 'vrrp'
set firewall name firewall-download rule 100 protocol 'icmp'
set firewall name firewall-guest rule 10 protocol 'vrrp'
set firewall name firewall-guest rule 100 protocol 'icmp'
set firewall name firewall-iot rule 10 protocol 'vrrp'
set firewall name firewall-iot rule 100 protocol 'icmp'
set firewall name firewall-lan rule 10 protocol 'vrrp'
set firewall name firewall-lan rule 100 protocol 'icmp'
set firewall name firewall-mgmt rule 10 protocol 'vrrp'
set firewall name firewall-mgmt rule 100 protocol 'icmp'
set firewall name firewall-mgmt rule 651 protocol 'igmp'
set firewall name firewall-public rule 10 protocol 'vrrp'
set firewall name firewall-public rule 100 protocol 'icmp'
set firewall name firewall-wan rule 100 protocol 'icmp'
set firewall name guest-firewall rule 10 protocol 'vrrp'
set firewall name guest-wan rule 100 protocol 'icmp'
set firewall name iot-dmz rule 100 protocol 'icmp'
set firewall name iot-firewall rule 10 protocol 'vrrp'
set firewall name iot-firewall rule 100 protocol 'icmp'
set firewall name iot-wan rule 100 protocol 'icmp'
set firewall name lan-dmz rule 100 protocol 'icmp'
set firewall name lan-download rule 100 protocol 'icmp'
set firewall name lan-firewall rule 10 protocol 'vrrp'
set firewall name lan-firewall rule 100 protocol 'icmp'
set firewall name lan-firewall rule 101 protocol 'icmp'
set firewall name lan-iot rule 100 protocol 'icmp'
set firewall name lan-mgmt rule 100 protocol 'icmp'
set firewall name lan-public rule 100 protocol 'icmp'
set firewall name lan-wan rule 100 protocol 'icmp'
set firewall name mgmt-dmz rule 100 protocol 'icmp'
set firewall name mgmt-firewall rule 10 protocol 'vrrp'
set firewall name mgmt-firewall rule 100 protocol 'icmp'
set firewall name mgmt-lan rule 100 protocol 'icmp'
set firewall name mgmt-public rule 100 protocol 'icmp'
set firewall name mgmt-wan rule 100 protocol 'icmp'
set firewall name public-dmz rule 100 protocol 'icmp'
set firewall name public-download rule 100 protocol 'icmp'
set firewall name public-firewall rule 10 protocol 'vrrp'
set firewall name public-mgmt rule 100 protocol 'icmp'
set firewall name public-wan rule 100 protocol 'icmp'

That would be very interesting indeed, I am around 360 seconds currently

Yep, you have excellent eyes! It was the only one, all the rule 10 and 100 do not have port information, nor rule 651 that is for IGMP

WEIRD, was able to load an old config from 2020.01.18 that I used to revert back with, remove rule 202 and commit without issue this time on latest nightly. Evaluating…

Well after rebooting (with config saved) it appears I am back in action apart from rule 202, ill deal with that tomorrow.

Thanks @sdev

BTW it appears it took only 66 seconds on the reboot with latest nightly, and the firewall does appear to be loaded up now! Ill leave it overnight while I go sleep and continue in the morning.

Glad to hear it.

You can add that rule back, from the looks of it you just need to fix the protocol to udp, if it’s for wireguard.

1 Like

Yeah! Thanks much again, will deal with that tomorrow.

I am hoping there was some changes to firewall logging that I need to read up on, dont have the rule identifier and the handy rule thats allowing/blocking, eg: download-wan-2-D in the log anymore, small sample

Jan 20 02:59:18 vyos007 kernel: [  554.319215] IN=eth0.7 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:9f:2b:05:08:00 SRC=192.168.7.196 DST=255.255.255.255 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=5039 DF PROTO=UDP SPT=46247 DPT=65001 LEN=28
Jan 20 02:59:18 vyos007 kernel: [  554.319259] IN=eth0.11 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:9f:c9:7b:08:00 SRC=192.168.11.196 DST=255.255.255.255 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=48825 DF PROTO=UDP SPT=34195 DPT=65001 LEN=28
Jan 20 02:59:18 vyos007 kernel: [  554.319270] IN=eth0.7v7 OUT= MAC=ff:ff:ff:ff:ff:ff:00:50:56:9f:2b:05:08:00 SRC=192.168.7.196 DST=255.255.255.255 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=5039 DF PROTO=UDP SPT=46247 DPT=65001 LEN=28 MARK=0xc9

Good catch on the logging prefix, will try and fix that shortly.

1 Like

Brilliant, thanks again!

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.