OUTSIDE-LOCAL default-action 'drop' Unexpected Behavior

Hello,

When I put a default action on the OUTSIDE-LOCAL rule set, the connection that I have open is dropped. Is this expected behavior? My thought is that if a rule is matched (SSH allowed from "10.10.10.1"), the session should be allowed. As soon as I run a commit-confirm and add set firewall name OUTSIDE-LOCAL default-action 'drop', the connection drops. Any ideas on what I might be doing wrong?

set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL enable-default-log
set firewall name OUTSIDE-LOCAL rule 10 action 'drop'
set firewall name OUTSIDE-LOCAL rule 10 destination port '22'
set firewall name OUTSIDE-LOCAL rule 10 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 10 recent count '4'
set firewall name OUTSIDE-LOCAL rule 10 recent time 'minute'
set firewall name OUTSIDE-LOCAL rule 10 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 destination port '22'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 20 source group network-group 'ALLOW_SSH_FROM'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 30 source group network-group 'DENY_SSH_FROM'
set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'

set firewall group network-group ALLOW_SSH_FROM network '10.10.10.1/32'
set firewall group network-group DENY_SSH_FROM network '10.10.10.0/24'

Id          Original src       Original dst     Reply src        Reply dst          Protocol  State        Timeout  Mark  Zone
2967931533  127.0.0.1:43542    127.0.0.1:53     127.0.0.1:53     127.0.0.1:43542    udp                    4        0
2790450277  127.0.0.1:39339    127.0.0.1:53     127.0.0.1:53     127.0.0.1:39339    udp                    4        0
3026652793  10.10.10.1:13025   172.x.x.x:22     172.x.x.x:22     10.10.10.1:13025   tcp       ESTABLISHED  431999   0

-Nathan

Did you try adding connection state rules?

You need a rule for related/established connections.
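To show why the open SSH session falls through to default-action drop, here is a small Python model of how the OUTSIDE-LOCAL rule set evaluates packets by conntrack state. It is an added illustration, not VyOS code and not from anyone in this thread; the rule dictionaries and packets are constructed from the config and conntrack table above, and rule 10 (the recent-based rate limit) is left out.

```python
"""Model of rule evaluation by conntrack state (added example, not VyOS code)."""
from ipaddress import ip_address, ip_network

NETWORK_GROUPS = {  # network groups from the thread's config
    "ALLOW_SSH_FROM": [ip_network("10.10.10.1/32")],
    "DENY_SSH_FROM": [ip_network("10.10.10.0/24")],
}

def matches(rule, pkt):
    """Every criterion the rule specifies must match. 'states' lists the conntrack
    states the rule applies to, so a 'state new enable' rule never sees packets of
    an ESTABLISHED flow: that is why rule 20 cannot keep the session alive."""
    if "states" in rule and pkt["state"] not in rule["states"]:
        return False
    if "protocol" in rule and rule["protocol"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt["dport"]:
        return False
    if "src_group" in rule:
        nets = NETWORK_GROUPS[rule["src_group"]]
        if not any(ip_address(pkt["src"]) in n for n in nets):
            return False
    return True

def evaluate(rules, default_action, pkt):
    """Rules are tried in ascending number; the first match decides."""
    for num in sorted(rules):
        if matches(rules[num], pkt):
            return rules[num]["action"]
    return default_action

# Rules 20 and 30 from the thread (rule 10, the 'recent' rate limit, is omitted).
THREAD_RULES = {
    20: {"action": "accept", "protocol": "tcp", "dport": 22, "states": {"new"},
         "src_group": "ALLOW_SSH_FROM"},
    30: {"action": "drop", "protocol": "tcp", "dport": 22, "states": {"new"},
         "src_group": "DENY_SSH_FROM"},
}

def packet(src, state, dport=22, proto="tcp"):
    """Constructed packet; 'state' is what conntrack reports for its flow."""
    return {"src": src, "dport": dport, "proto": proto, "state": state}

def verdict(pkt, with_state_rule):
    """Verdict under default-action drop, with or without the missing rule."""
    rules = dict(THREAD_RULES)
    if with_state_rule:  # the established/related accept rule the replies recommend
        rules[5] = {"action": "accept", "states": {"established", "related"}}
    return evaluate(rules, "drop", pkt)
```

With the state rule in place, packets of the ESTABLISHED session from 10.10.10.1 are accepted by rule 5, while new SSH attempts are still decided by rules 20 and 30 and the default action.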

This seems to have the desired effect, excluding all traffic that is not within the headquarters /24 range.

set firewall name OUTSIDE-LOCAL rule 40 action 'drop'
set firewall name OUTSIDE-LOCAL rule 40 source address '!headquatersaddy/24'

Can you point me to some more detailed documentation about the established/related concepts in the VyOS firewall? Can I take established to mean that the firewall has already made a decision and sees the return traffic via a fast path? If so, I think I have a grasp on established, but I am not sure what related means.
Any insight is appreciated.
-Nathan

Here there's a brief description of the connection states defined in netfilter.

N.fort,

That is great info. I often forget we can review underlying documentation for iptables and netfilter etc. to investigate these issues. Thanks for your help.

-Nathan

new: Netfilter has so far seen packets between this pair of hosts in only one direction. At least one of these packets is part of a valid initialization sequence, e.g. a SYN packet for a TCP connection.
established: Netfilter has seen valid packets travel in both directions between this pair of hosts. For TCP connections, the three-way handshake has been successfully completed.
related: This connection was initiated after the main connection, as expected from normal operation of the main connection. A common example is an FTP data channel established at the behest of an FTP control channel.
invalid: Assigned to packets that do not follow the expected behavior of a connection.
untracked: Dummy state assigned to packets that have been explicitly excluded from conntrack. See notrack.