Logging firewall rules not showing?

Hi,

I use VyOS 1.3rc6 as a home firewall/router.
I have set up some simple firewall rules using policies.

For some strange reason I am not able to see all the traffic shown in the logs.
For example I have a bunch of VMs that require internet access. I created the following rule

set firewall name INSIDE-OUTSIDE default-action 'drop'
set firewall name INSIDE-OUTSIDE enable-default-log

set firewall name INSIDE-OUTSIDE rule 1101 action 'accept'
set firewall name INSIDE-OUTSIDE rule 1101 description 'Allow INSIDE VM Web OUTSIDE'
set firewall name INSIDE-OUTSIDE rule 1101 destination port '80,443'
set firewall name INSIDE-OUTSIDE rule 1101 log 'enable'
set firewall name INSIDE-OUTSIDE rule 1101 protocol 'tcp'
set firewall name INSIDE-OUTSIDE rule 1101 source group address-group 'AG_VM_DEVICES'
set firewall name INSIDE-OUTSIDE rule 1101 state new 'enable'

When I tail -f /var/log/messages | grep INSIDE-OUTSIDE-1101 I get nothing. If I use monitor firewall name INSIDE-OUTSIDE rule 1101 I also get nothing. Yet the VMs are able to access the web.

Is anyone able to tell me what I am missing? I'd like to see all traffic going in and out of the firewall.

Kind Regards

Can you share full config? You can strip private data: "show config commands | strip-private"
Please, also provide VyOS version: "show version"

Hi n.fort,

Is there anyway to attach the file? This site only supports a certain number of characters

Cheers

All good… Config attached
config.txt (38.3 KB)

Regards

This happens only with rule 1101? Other rules are matching correctly?

Does firewall statistics log show hits on rule 1101 ?

Hi 16again,

Yes, statistics show that I am hitting that rule.

Hi n.fort,

This happens with all rules I’ve tested.

After some testing it looks like it will only log the initial connection? For example if I open a browser I will get a few hits logged. If I then open another browser and search other pages these don’t get any logs. This also happens with pings. If I ping a web host I will get some logs. if I ping to another place or open a new ping these don’t get logged?

Is this expected behaviour?

Regards

Of course, rule 1101 will only log the initial packet! The rule has state=new enabled (which isn't necessary, rules 50 and 51 only leave new packets). All subsequent packets belonging to a flow hit rule 50

Hi 16again,

Amm… ah, thanks, you can see I’m new to VyOS.
I followed this document http://soucy.org/vyos/UsingVyOSasaFirewall.pdf.

So I only need that statement for rule 50 and remove them out of all subsequent rules?

Kind Regards

Hi 16again,

I also noticed they use state new enabled under all the rules created in the following get started guide

https://docs.vyos.io/en/latest/quick-start.html?highlight=state%20new#firewall

So do I need to add it under rule 50?

Kind Regards

All traffic not matched by 50 or 51 can only be state=new
So you can omit state=new on all subsequent rules, but it’s not wrong to leave it in.

So is having this statement in affecting my logging?
I’ll test and get back. Thanks!

In general, your firewall rules look OK.
You may need to test if behavior is as you expected. As @16again said, you can see a few hits at first in specific firewall entries, such as 1101, because then traffic matches the policy state defined in previous entries.

Hi Nicolas,

I removed the state new enabled out of all of my rules and it seems to be logging correctly and the rules are still being applied. The question is why would you use state new enabled? I tried finding info about the states and how they affect the rules without luck.

Kind Regards

Firewall rules are processed in order. So, if you see firewall examples, you may find that in most cases, policy states are defined at the very first… Why?

As you said, in your example you have removed state policies. So for every connection, firewall rules are going to be processed until one entry matches. So, this will be analyzed in multiple firewall entries, until, for example, it matches your rule 1101.

But, with state policies defined at first, only the first connection will pass through all the firewall rules until it matches rule 1101. Then, all established and related connections will only hit the very first firewall rules.

Comparing both scenarios, CPU load in first case would be higher, since more firewall rules are evaluated every time, while in second scenario, this just happens once.
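As an added example (not the poster's attached config and not from the VyOS documentation), here is a minimal INSIDE-OUTSIDE rule set in VyOS 1.3 syntax that shows what the replies describe: the stateful rules 50 and 51 sit first, so rule 1101 is reached, and logged, only by the first packet of each new flow, and its state new match is dropped as redundant. The rule numbers, rule set name and group name come from the thread; the interface eth1, the two address-group members and the exact contents of rules 50 and 51 are assumptions, since the thread names those rules but does not show them.

```vyos
# Added example, not the thread's own config. Comment lines are for the reader
# and must be removed before pasting into configure mode.
set firewall group address-group AG_VM_DEVICES address '192.0.2.10'
set firewall group address-group AG_VM_DEVICES address '192.0.2.11'

set firewall name INSIDE-OUTSIDE default-action 'drop'
set firewall name INSIDE-OUTSIDE enable-default-log

# Rule 50: every packet of a flow conntrack already knows matches here, so only
# the first packet of each flow ever reaches the rules below it.
set firewall name INSIDE-OUTSIDE rule 50 action 'accept'
set firewall name INSIDE-OUTSIDE rule 50 state established 'enable'
set firewall name INSIDE-OUTSIDE rule 50 state related 'enable'

# Rule 51: drop (and log) packets conntrack cannot tie to any flow.
set firewall name INSIDE-OUTSIDE rule 51 action 'drop'
set firewall name INSIDE-OUTSIDE rule 51 state invalid 'enable'
set firewall name INSIDE-OUTSIDE rule 51 log 'enable'

# Rule 1101: only new flows get this far, so 'state new enable' is omitted.
# Its log produces one line per new TCP connection, not one per packet.
set firewall name INSIDE-OUTSIDE rule 1101 action 'accept'
set firewall name INSIDE-OUTSIDE rule 1101 description 'Allow INSIDE VM Web OUTSIDE'
set firewall name INSIDE-OUTSIDE rule 1101 protocol 'tcp'
set firewall name INSIDE-OUTSIDE rule 1101 destination port '80,443'
set firewall name INSIDE-OUTSIDE rule 1101 source group address-group 'AG_VM_DEVICES'
set firewall name INSIDE-OUTSIDE rule 1101 log 'enable'

# Attach the rule set to traffic entering from the VM-side interface (eth1 assumed).
set interfaces ethernet eth1 firewall in name 'INSIDE-OUTSIDE'
```

With this ordering, monitor firewall name INSIDE-OUTSIDE rule 1101 (or tail -f /var/log/messages | grep INSIDE-OUTSIDE-1101, as in the original post) shows exactly one entry per new browser connection, while the packets that follow it are counted against rule 50. That one line per flow is normally the useful view for a home firewall; enabling log on rule 50 as well would record every packet of every established flow and fill /var/log/messages quickly, whereas logging rule 51 is cheap and shows the packets the firewall could not associate with any connection.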

Thanks Nicolas and 16again … appreciate the help.
