Migration Script Error while loading firewall rules

Hello All,

I’m getting an error when I try to load firewall rules into a 1.4 rolling VyOS router running as an LXC virtual machine. I’m attempting to use Ansible to configure it, using the vyos_command Ansible module to delete the current firewall rule configuration, commit, then load in the updated firewall rule configuration. To keep it as simple as possible I’m trying to start by loading the rules of the firewall set before loading the zones into the firewall. These rules came from my configured VyOS router, which is currently working without issue.

VyOS version is 1.4 built on April 10th, 2023 (I build them myself).

I keep running into the error:

"Migration script error: /opt/vyatta/etc/config-migrate/migrate/firewall/7-to-8: [Errno 1] failed to run command: ['/opt/vyatta/etc/config-migrate/migrate/firewall/7-to-8', '/tmp/tmpqj70wj71']
returned:
exit code: 1."
The config I’m trying to merge in is:

firewall {
    all-ping enable
    broadcast-ping disable
    config-trap disable
    group {
        address-group HAProxy {
            address 10.0.30.150
            address 10.0.30.10
            address 10.0.30.11
            address 10.0.30.12
            description "HAProxy Hosts"
        }
    }
    ipv6-name default-relatedestablished-6 {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name DMZ-DNSDHCP {
        default-action drop
        rule 10 {
            action accept
            destination {
                port 53
            }
            protocol tcp_udp
        }
    }
    name DMZ-GenDev {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name DMZ-Infra {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            source {
                group {
                    address-group HAProxy
                }
            }
        }
    }
    name DMZ-RouterLocal {
        default-action drop
        description "DMZ to Router Address"
        rule 1 {
            action accept
            destination {
                address 10.0.30.0/24
            }
            disable
        }
    }
    name DMZ-WAN {
        default-action accept
    }
    name DNSDHCP-GenDev {
        default-action accept
    }
    name DNSDHCP-Infra {
        default-action accept
    }
    name DNSDHCP-RouterLocal {
        default-action accept
    }
    name DNSDHCP-WAN {
        default-action accept
    }
    name GenDev-DMZ {
        default-action accept
    }
    name GenDev-DNSDHCP {
        default-action accept
    }
    name GenDev-IOT {
        default-action accept
    }
    name GenDev-Infra {
        default-action accept
    }
    name GenDev-RouterLocal {
        default-action accept
        description "GenDev to Router Address"
    }
    name GenDev-WAN {
        default-action accept
    }
    name Guest-RouterLocal {
        default-action drop
        description "Guest to Router Address"
        rule 1 {
            action accept
            destination {
                address 10.0.110.0/24
            }
            disable
        }
    }
    name Guest-WAN {
        default-action accept
    }
    name IOT-GenDev {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name IOT-Infra {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
    }
    name IOT-RouterLocal {
        default-action drop
        description "IOT to Router Address"
        rule 1 {
            action accept
            destination {
                address 10.0.20.0/24
            }
            disable
        }
    }
    name IOT-WAN {
        default-action drop
        rule 10 {
            action accept
            disable
            source {
                address 10.0.20.10-10.0.20.19
            }
        }
    }
    name Infra-DMZ {
        default-action accept
    }
    name Infra-DNSDHCP {
        default-action accept
    }
    name Infra-GenDev {
        default-action accept
    }
    name Infra-IOT {
        default-action accept
    }
    name Infra-RouterLocal {
        default-action accept
        description "Infrastructure to Router Address"
    }
    name Infra-WAN {
        default-action accept
    }
    name RouterLocal-DNSDHCP {
        default-action accept
    }
    name RouterLocal-GenDev {
        default-action accept
    }
    name WAN-DMZ {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            destination {
                address 10.0.30.10
                port 80,443
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
        rule 11 {
            action accept
            destination {
                address 10.0.30.151
                port 19132
            }
            protocol udp
        }
    }
    name WAN-IOT {
        default-action drop
        rule 10 {
            action accept
            destination {
                address 10.0.20.10-10.0.20.19
            }
            disable
            state {
                established enable
                related enable
            }
        }
    }
    name WAN-Infra {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        rule 10 {
            action accept
            destination {
                address 10.0.0.58
                port 1194
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
        rule 20 {
            action accept
            destination {
                address 10.0.0.60
                port 1194
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
        rule 30 {
            action accept
            destination {
                address 10.0.0.53
                port 51820
            }
            protocol tcp_udp
            state {
                new enable
            }
        }
    }
    name WAN-Local {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            state {
                invalid enable
            }
        }
        rule 3 {
            action accept
            protocol icmp
        }
        rule 10 {
            action accept
            description WireGuard
            destination {
                port 36730
            }
            log enable
            protocol udp
        }
    }
    name default-relatedestablished {
        default-action drop
        description "Drops traffic not related/established"
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
    name local-Guest {
        default-action accept
    }
    name local-Infra {
        default-action accept
    }
    name local-WAN {
        default-action accept
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
    twa-hazards-protection disable
}

Migration 7-to-8 moves the zone policy and the interfaces' firewall configuration into the firewall node.
Since it involves multiple sections, we need the full configuration to test the migration procedure.

If it contains sensitive data, you can hide it. If you prefer to share it privately, feel free to direct message me.

I just removed my public ssh keys from it for safety, but everything else is the same. I’m trying to build a collection of Ansible roles that merge in the different pieces of the configuration. I just need to find the right order to ensure things exist when trying to configure them.

Here you go:

interfaces {
    ethernet eth0 {
        address 10.0.0.5/24
        hw-id 00:16:3e:80:43:e3
        offload {
            gro
            gso
            sg
            tso
        }
        vif 10 {
            address 10.0.10.5/24
            description DNSDHCP
        }
        vif 20 {
            address 10.0.20.5/24
            description IOT
        }
        vif 30 {
            address 10.0.30.5/24
            description DMZ
        }
        vif 40 {
            address 10.0.40.5/24
            description GenDev
        }
        vif 110 {
            address 10.0.110.5/24
            description Guest
        }
        vif 1000 {
            description Internet0
        }
        vif 1001 {
            description Internet1
        }
    }
    loopback lo {
    }
}
service {
    ntp {
        allow-client {
            address 0.0.0.0/0
            address ::/0
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
    ssh {
        client-keepalive-interval 180
        port 22
    }
}
system {
    config-management {
        commit-revisions 200
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    host-name VyOS2
    login {
        user gage {
            authentication {
                encrypted-password $6$rounds=656000$ObtqiviNP3TkOIvc$ppFFzSE4VxjSG2kzoB0i1GqNTNCGEATcXNtvgySAGqdmohQWrggnWKYx9B.rOzKVYl18gi7FIypbAHXM93hDN0
            }
        }
        user vyos {
            authentication {
                encrypted-password $6$rounds=656000$2tRuhQ5N4vsySmu8$TbgVqbLGtFMqHuuLzdXJzi0CMBkB1viGkhssZIFot6SHk2yG0qeRYy4P8MMVK3QVexqPGIwFokqxlgVSQRoaD0
            }
        }
    }
    name-server eth0
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
}

You haven’t attached any interface to the firewall rulesets.
Is this correct? Maybe the zone configuration is missing?

Yes, that is correct. I’m using the zone-based firewall, but to prevent a chicken-and-egg problem I’m trying to load in the firewall rules first and then come back later with the zones to ensure that a) the firewall rules are there when the zones are created, and b) the zones aren’t created empty, since the default is to block all intrazone traffic and I’m trying to configure this via Ansible over the network.

I figured out the issue. The 7-to-8 migration script requires that interfaces be defined in the merge file. By adding the two lines:
interfaces {
}

It was able to merge in successfully. I’m sure the interface check was there to ensure that the firewall rules and their interface chains were all intact during a merge-in, so I’m not recommending removing it, but this will give some people who are experiencing this issue the knowledge that all you have to do is ensure that you have an empty interfaces block in the merge-in config.
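A pre-flight check that applies the workaround described above before a fragment is handed to the migration scripts, written here as an added example (it is not code from the post or from the VyOS project). It parses the top-level nodes of a VyOS-style config text, tracking brace depth and skipping braces inside double-quoted values, and prepends an empty `interfaces { }` node when the fragment has none. The sample fragment is constructed for the example; the function names are my own.

```python
"""Pre-flight check for a VyOS config fragment before merging it.

Added example, not code from the forum post or from the VyOS project.
The thread's finding is that the firewall 7-to-8 migration script expects
an `interfaces` node in the file being merged and that an empty
`interfaces { }` block satisfies it. An Ansible role can run this helper
over each fragment before calling load/merge so that firewall-only
fragments do not trip the migration.
"""


def top_level_nodes(config_text: str) -> list[str]:
    """Return the names of the top-level nodes, e.g. ['interfaces', 'firewall'].

    Walks the text once, tracking brace depth. Braces inside double-quoted
    values (description "..." strings) are ignored. Assumes VyOS's normal
    `name {` layout, where the node name is the first word on the line that
    opens the block.
    """
    nodes: list[str] = []
    depth = 0
    in_quote = False
    line_start = 0
    for i, ch in enumerate(config_text):
        if ch == '"':
            in_quote = not in_quote
        elif in_quote:
            continue
        elif ch == "{":
            if depth == 0:
                header = config_text[line_start:i].strip()
                if not header:
                    raise ValueError(f"block without a node name at offset {i}")
                nodes.append(header.split()[0])
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth < 0:
                raise ValueError(f"unexpected '}}' at offset {i}")
        elif ch == "\n":
            line_start = i + 1
    if depth != 0 or in_quote:
        raise ValueError("unbalanced braces or quotes in config fragment")
    return nodes


def ensure_interfaces_block(config_text: str) -> str:
    """Prepend an empty `interfaces { }` node when the fragment declares none.

    Idempotent: a fragment that already has a top-level `interfaces` node,
    empty or populated, is returned unchanged.
    """
    if "interfaces" in top_level_nodes(config_text):
        return config_text
    return "interfaces {\n}\n" + config_text.lstrip("\n")


# Constructed fragment in the shape of the post's firewall-only merge file.
# The braces inside the quoted description are there to exercise quote handling.
FIREWALL_ONLY = '''firewall {
    group {
        address-group HAProxy {
            address 10.0.30.150
            description "HAProxy Hosts {not a block}"
        }
    }
    name WAN-Local {
        default-action drop
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
    }
}
'''

if __name__ == "__main__":
    print("before:", top_level_nodes(FIREWALL_ONLY))
    fixed = ensure_interfaces_block(FIREWALL_ONLY)
    print("after: ", top_level_nodes(fixed))
    print(fixed)
```

Run the function over the fragment immediately before the task that loads it; because it is idempotent, it is safe to apply to fragments that already carry an `interfaces` node, such as the full configuration posted earlier in the thread.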
