Hi all, not sure if I have just stumbled on a bug maybe?
I have a zone based firewall and am now converting my port numbers to port-groups for ease.
I am trying to change a rule that has protocol tcp_udp on port 53 to use port-group "dns", but I get the error:
Firewall configuration error: "dns" is not a valid port name for protocol "tcp"
My port-group:
mario@router# show firewall group port-group
 port-group dns {
     port 53
 }
 port-group ntp {
     port 123
 }
[edit]
My firewall rule change attempt:
mario@router# show firewall name public-dmz rule 500
 action accept
 description "Allow DNS"
 destination {
     group {
         address-group dns-piholes
     }
>    port dns
 }
 protocol tcp_udp
[edit]
Can someone please tell me if this is a bug, or something that should be allowed? It seems silly to me, and possibly a bug, that port-groups cannot be set on protocol tcp_udp.
There could be more at play here. Forgot to mention I am on vyos-1.3-rolling-202002030754-amd64.iso
Just got time to play again. I made another port-group for SSH/port 22 and tried to apply it to 2 rules to test, out of many others I'm yet to apply.
I am getting the same error and this protocol is only TCP. hmm!
Weirdly my first port-group for NTP worked without a hitch.
mario@router# set firewall name lan-cam rule 900 destination port pg-ssh
[edit]
mario@router# set firewall name lan-firewall rule 900 destination port pg-ssh
[edit]
mario@router# commit
[ firewall name lan-firewall ]
Firewall configuration error: "pg-ssh" is not a valid port name for protocol "tcp"
[[firewall name lan-firewall]] failed
[ firewall name lan-cam ]
Firewall configuration error: "pg-ssh" is not a valid port name for protocol "tcp"
[[firewall name lan-cam]] failed
Commit failed
Well, I think I may have had a moment… I used the wrong command syntax.
For reference, if anyone is searching, it is:
set firewall name lan-cam rule 900 destination group port-group pg-ssh
Slightly unintuitive, as I thought the port-group might fit under port, and I didn't pick up that it goes under destination group port-group…
Yeah, here is the working rule after the commit was accepted…
mario@router# show firewall name lan-firewall rule 900
 action accept
 description "Allow SSH"
 destination {
     group {
         port-group pg-ssh
     }
 }
 protocol tcp
 source {
     group {
         address-group mgmtfromlan
     }
 }
[edit]
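Since the thread ends with many more rules still to convert, here is an added example (not from the original posts or from the VyOS project) that automates the fix the thread arrived at. It parses the brace-formatted `show firewall group port-group` and `show firewall name ... rule N` output exactly as shown above, finds rules that still match a literal `destination port` (or `source port`) for which a port-group exists, and emits the `delete ... port` / `set ... group port-group` pair. The sample outputs are constructed from the thread; the `delete` path is assumed to mirror the `set` path, as VyOS commands do.

```python
"""Generate VyOS 1.3 commands that move literal firewall ports to port-groups.

Added example, not part of the forum thread or of VyOS itself. The input
formats are the `show` outputs quoted in the thread; the sample texts below
are constructed from those posts.
"""


def parse_vyos_show(text):
    """Parse brace-formatted `show` output into a list of (path, value) leaves.

    A block header like "destination {" or "port-group dns {" pushes its
    words onto the path; "}" pops. Leading ">"/"+" markers (uncommitted
    changes) are ignored, pending deletions ("-") are skipped entirely.
    """
    leaves = []
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "[edit]" or line.startswith("-"):
            continue
        line = line.lstrip("+>").strip()
        if line == "}":
            stack.pop()
            continue
        if line.endswith("{"):
            stack.append(tuple(line[:-1].split()))
            continue
        key, _, value = line.partition(" ")
        # The CLI quotes multi-word values such as description "Allow DNS".
        value = value.strip().strip('"')
        path = tuple(word for block in stack for word in block) + (key,)
        leaves.append((path, value))
    return leaves


def port_groups(text):
    """Map port value -> port-group name from `show firewall group port-group`."""
    groups = {}
    for path, value in parse_vyos_show(text):
        # path is ('port-group', '<name>', 'port')
        if len(path) == 3 and path[0] == "port-group" and path[2] == "port":
            groups[value] = path[1]
    return groups


def migration_commands(fw_name, rule, rule_text, groups):
    """Return delete/set commands replacing a literal port with its port-group.

    Rules whose port has no matching group are left untouched, so the output
    can be pasted into `configure` without touching anything unexpected.
    """
    cmds = []
    for path, value in parse_vyos_show(rule_text):
        if len(path) == 2 and path[0] in ("destination", "source") and path[1] == "port":
            if value not in groups:
                continue
            base = f"firewall name {fw_name} rule {rule} {path[0]}"
            cmds.append(f"delete {base} port")
            cmds.append(f"set {base} group port-group {groups[value]}")
    return cmds


# Constructed sample input, copied from the shapes shown in the thread.
PORT_GROUPS = """port-group dns {
    port 53
}
port-group ntp {
    port 123
}
[edit]"""

RULE_500 = """action accept
description "Allow DNS"
destination {
    group {
        address-group dns-piholes
    }
    port 53
}
protocol tcp_udp
[edit]"""


if __name__ == "__main__":
    groups = port_groups(PORT_GROUPS)
    for cmd in migration_commands("public-dmz", 500, RULE_500, groups):
        print(cmd)
```

Run it against the saved `show` output of each firewall rule set and paste the resulting lines into `configure`, then `commit`; a rule whose port has no port-group yields no commands, so nothing is rewritten by accident.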