Hi everyone,
hope you guys are doing well.
Is there a way in VyOS to have all ports closed/filtered from the outside so that only port 22/tcp is open?
I configured the VyOS router via zone-policy. According to the configuration, only port 22/tcp should be open.
But a scan with nmap shows the following ports as open or filtered:
Port State Service
22/tcp open ssh
53/tcp open tcpwrapped
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
I hope someone can give me some good advice.
best regards
Jean
:~$ show configuration
firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
log-martians enable
name Extern-nach-Intern {
default-action drop
rule 10 {
action accept
description "ALLOW-VPN Tunnel Zentrale"
destination {
address 192.168.30.0/24
}
source {
address 192.168.10.0/24
}
}
rule 15 {
action accept
description ALLOW-VOIP-VPN-TRAFFIC
destination {
address 192.168.30.0/24
}
source {
address 10.10.200.0/24
}
}
rule 20 {
action accept
description ALLOW-SMTP
destination {
address 192.168.30.1
port 25
}
protocol tcp
}
rule 30 {
action accept
description "ALLOW OWA"
destination {
address 192.168.30.1
port 443
}
protocol tcp
}
rule 40 {
action accept
description ALLOW-OVPN-DATA
destination {
address 192.168.30.253
port 1194
}
protocol udp
}
rule 100 {
action accept
description ALLOW-IPSEC-IKE
destination {
port 500
}
protocol udp
}
rule 200 {
action accept
description ALLOW-IPSEC-ESP
protocol esp
}
}
name Intern-nach-Extern {
default-action accept
}
receive-redirects disable
send-redirects enable
source-validation disable
state-policy {
established {
action accept
}
related {
action accept
}
}
syn-cookies enable
}
interfaces {
ethernet eth0 {
address 13.195.155.114/22
hw-id 00:50:56:bd:38:ff
}
ethernet eth1 {
address 192.168.30.254/24
hw-id 00:50:56:bd:30:c0
}
loopback lo {
}
}
nat {
destination {
rule 30 {
description OVPN-DATA
destination {
port 1194
}
inbound-interface eth0
protocol udp
translation {
address 192.168.30.253
}
}
rule 40 {
description OWA
destination {
port 443
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.30.1
}
}
rule 50 {
description "EXCHANGE SMTP"
destination {
port 25
}
inbound-interface eth0
protocol tcp
translation {
address 192.168.30.1
}
}
}
source {
rule 49 {
description Umleiten-VPN-Traffic-Filale
destination {
address 192.168.10.0/24
}
exclude
outbound-interface eth0
}
rule 50 {
outbound-interface eth0
protocol all
source {
address 192.168.30.0/24
}
translation {
address masquerade
}
}
}
}
protocols {
static {
route 10.10.200.0/24 {
next-hop 192.168.10.254 {
}
}
}
}
service {
dns {
forwarding {
listen-on eth1
}
}
ssh {
}
}
system {
config-management {
commit-revisions 20
}
console {
device ttyS0 {
speed 9600
}
}
gateway-address 13.195.155.114
host-name asanger
login {
user vyos {
authentication {
encrypted-password ****************
plaintext-password ****************
}
level admin
}
}
name-server **********
name-server **********
ntp {
server 0.pool.ntp.org {
}
server 1.pool.ntp.org {
}
server 2.pool.ntp.org {
}
server de.pool.ntp.org {
}
}
package {
repository community {
components main
distribution helium
url http://packages.vyos.net/vyos
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone *********
}
vpn {
ipsec {
auto-update 60
esp-group PHASE_II {
lifetime 14400
pfs dh-group2
proposal 1 {
encryption 3des
hash sha1
}
}
ike-group PHASE_I {
dead-peer-detection {
action restart
timeout 30
}
lifetime 86400
proposal 1 {
dh-group 2
encryption 3des
hash sha1
}
}
ipsec-interfaces {
interface eth0
}
nat-traversal disable
site-to-site {
peer 33.241.16.122 {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
connection-type initiate
default-esp-group PHASE_II
ike-group PHASE_I
local-address 13.195.155.114
tunnel 0 {
esp-group PHASE_II
local {
prefix 192.168.30.0/24
}
remote {
prefix 192.168.10.0/24
}
}
}
}
}
}
zone-policy {
zone Extern {
from Intern {
firewall {
name Intern-nach-Extern
}
}
interface eth0
}
zone Intern {
from Extern {
firewall {
name Extern-nach-Intern
}
}
interface eth1
}
}
I'm not using zoning myself, but I think zone policy is by default only applied to traffic passing through VyOS (the iptables FORWARD chain), so traffic addressed to the router itself (the INPUT chain) is not covered by your two zones. The configuration allows you to set a zone as 'local-zone'. Can you try applying this?
Thinking of how the firewall is implemented (in/out/local) compared to iptables (FORWARD in/FORWARD out/INPUT), this would make sense.