Outside-Local vs Service SSH - Firewall Rules Considering SSH and Outside-Local Chain

Hello,

I have some questions about the order of the process by which VyOS/Debian processes traffic related to services terminating on the outside-local address.

For instance, setting up ssh does not require any adjustments to the outside-local chain but can be initiated through “set service ssh”. A question arises: what firewall chain does this tie to, and is it visible in logs?

Also I would like to limit the ranges that can access the device, e.g. 10.1.1.0/24. There does not appear to be an access control through the SSH commands. It allows you to access:

set service ssh access-control allow
Possible completions:

  • group    Allow members of a group to login    <<---- is this a network group or user group?
  • user     Allow specific users to login

If not a network group, I don’t see where below it allows you to put a user in a group.

set system login user vyos
Possible completions:

   authentication    Password authentication
   full-name         Full name of the user (use quotes for names with spaces)
   home-directory    Home directory

Is a better way to use the outside-local in conjunction with the “set service ssh” commands to create more granular access controls?

set firewall group network-group INTERNAL_NETWORKS network '10.1.1.0/24'

set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 destination port '22'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 20 source group network-group 'INTERNAL_NETWORKS'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 20 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 20 state related 'enable'

Any insight on the best method would be appreciated.

Thank you,
-Nathan

Greetings Nathan, welcome back,

By default the ssh service listens on all of your interfaces and there is no firewall rule attached, because there is no firewall at all. When you “set service ssh port XX” you start listening for the ssh service, you are not “allowing” it.

Users who are members of a group.

This should work to allow access via ssh from your network 10.1.1.0/24.
Don't forget to attach the ruleset to your interface:

vyos@vyos# set interfaces ethernet eth0 firewall local name OUTSIDE-LOCAL

Another thing you can do is to be more specific about the addresses ssh will listen on:

vyos@vyos# set service ssh listen-address 
Possible completions:
   <x.x.x.x>    IP address to listen for incoming connections
   <h:h:h:h:h:h:h:h>
                IPv6 address to listen for incoming connections
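As an added example that is not part of either post above, here is the reply's approach carried through to a complete, lock-out-safe ruleset. It assumes VyOS 1.3 syntax, that eth0 is the interface facing the hosts that should manage the router, and that 10.1.1.1 is the router's own address on 10.1.1.0/24; the interface name and address are assumptions for illustration, not values from the thread.

```vyos
# Added example, not from either post. Assumes VyOS 1.3 syntax, eth0 as the
# management-facing interface and 10.1.1.1 as the router's inside address.
configure

# Network group of permitted management sources.
set firewall group network-group INTERNAL_NETWORKS network '10.1.1.0/24'

# Anything not matched by a rule is dropped, and those drops are logged,
# which is what makes the blocked attempts visible in the logs.
set firewall name OUTSIDE-LOCAL default-action 'drop'
set firewall name OUTSIDE-LOCAL enable-default-log

# Reply traffic for connections the router itself opened (DNS, NTP, updates).
# Without this, a default-drop local ruleset breaks the router's own clients.
set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'

# New SSH sessions, only from the management group, each match logged.
set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
set firewall name OUTSIDE-LOCAL rule 20 protocol 'tcp'
set firewall name OUTSIDE-LOCAL rule 20 destination port '22'
set firewall name OUTSIDE-LOCAL rule 20 source group network-group 'INTERNAL_NETWORKS'
set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
set firewall name OUTSIDE-LOCAL rule 20 log 'enable'

# "local" filters traffic addressed to the router itself; that is the chain
# an sshd connection passes through. "set service ssh" only starts the daemon.
set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'

# Defence in depth: do not listen on any address other than the inside one.
set service ssh listen-address '10.1.1.1'

# Commit, but reboot to the last saved config in 10 minutes unless confirmed,
# so a mistake in the ruleset cannot lock you out of a remote box.
commit-confirm 10
# ... open a fresh ssh session from 10.1.1.0/24 to prove access still works ...
run confirm
save

# Verification from op mode: per-rule hit counters and the logged matches.
run show firewall name OUTSIDE-LOCAL statistics
run show log firewall name OUTSIDE-LOCAL
```

Two points worth noting. The "local" hook only sees packets destined to the router's own addresses, so this ruleset does not affect forwarded traffic; and the established/related match belongs in its own rule (rule 10) rather than in the SSH rule, otherwise the router's own outbound sessions are dropped and only SSH replies get through. The listen-address line is independent of the firewall: with it, sshd is simply not bound to the outside address, so even a firewall misconfiguration does not expose the daemon there.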