[Resolved, user error] Unable to set port-group to firewall rule with protocol tcp_udp

Hi all, not sure if I have just stumbled on a bug maybe?

I have a zone based firewall and am now converting my port numbers to port-groups for ease.
I am trying to change a rule that has protocol tcp_udp on port 53 to use port-group "dns" but get error

Firewall configuration error: "dns" is not a valid port name for protocol "tcp"

My port-group:

mario@router# show firewall group port-group
 port-group dns {
     port 53
 }
 port-group ntp {
     port 123
 }
[edit]

My firewall rule change attempt:

mario@router# show firewall name public-dmz rule 500
 action accept
 description "Allow DNS"
 destination {
     group {
         address-group dns-piholes
     }
>    port dns
 }
 protocol tcp_udp
[edit]

Can someone please tell me if this is either a bug, or something that should be allowed? It seems silly to me, and possibly a bug, that port-groups cannot be set on protocol tcp_udp.

Thanks!
Mario

There could be more at play here. Forgot to mention I am on vyos-1.3-rolling-202002030754-amd64.iso
Just got time to play again, made another port group for ssh/port 22, tried to apply it to 2 rules to test, out of many others I'm yet to apply.
I am getting the same error and this protocol is only TCP. hmm!

Weirdly my first port-group for NTP worked without a hitch.

mario@router# set firewall name lan-cam rule 900 destination port pg-ssh
[edit]
mario@router# set firewall name lan-firewall rule 900 destination port pg-ssh
[edit]
mario@router# commit
[ firewall name lan-firewall ]
Firewall configuration error: "pg-ssh" is not a valid port name for protocol "tcp"

[[firewall name lan-firewall]] failed
[ firewall name lan-cam ]
Firewall configuration error: "pg-ssh" is not a valid port name for protocol "tcp"

[[firewall name lan-cam]] failed
Commit failed

Well, I think I may have had a moment… used the wrong command syntax.
For reference if anyone is searching it is
set firewall name lan-cam rule 900 destination group port-group pg-ssh

Slightly unintuitive, as I thought the port-group might fit under port, and didn't pick up that it goes under destination group port-group…

Yeah, here is working rule after the commit accepted…

mario@router# show firewall name lan-firewall rule 900
 action accept
 description "Allow SSH"
 destination {
     group {
         port-group pg-ssh
     }
 }
 protocol tcp
 source {
     group {
         address-group mgmtfromlan
     }
 }
[edit]
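The mistake in this thread is easy to repeat when converting many rules: `destination port <name>` is validated against the system's service names (and numbers/ranges), while a port-group must be referenced as `destination group port-group <name>`. The following is an added example, not VyOS code or anything posted in the thread: a small linter that parses `show`-style output, collects the defined port-groups, and flags any rule that puts a port-group name under `port` instead of `group port-group`. The service-name table is a constructed subset of /etc/services (VyOS validates against the real file; a production check should read it), and the sample rule and group texts are copied from this thread plus a constructed `pg-ssh` group.

```python
"""Lint VyOS-style firewall config text for port-group references placed
under 'port' instead of 'group port-group'. Added example, not VyOS code."""
import re

# Constructed subset of /etc/services names. VyOS checks 'port <name>' against
# the system services table, so a real check should read /etc/services.
SERVICE_NAMES = {"ssh": 22, "domain": 53, "ntp": 123, "http": 80, "https": 443}
# Numeric port, range, or comma list: 22 / 1000-2000 / 53,853
PORT_SPEC = re.compile(r"^\d+(-\d+)?(,\d+(-\d+)?)*$")
PROMPT = re.compile(r"^\S+@\S+[#$]")  # e.g. mario@router# ...


def parse_show_output(text):
    """Parse brace-style 'show' output into nested dicts.

    Leaf lines become {key: value}; '... {' opens a nested dict. Prompt lines,
    '[edit]' markers and the '>' change marker VyOS prints are ignored.
    """
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(">"):          # uncommitted-change marker
            line = line[1:].strip()
        if not line or line.startswith("[") or PROMPT.match(line):
            continue
        if line == "}":
            stack.pop()
            continue
        if line.endswith("{"):
            node = {}
            stack[-1][line[:-1].strip()] = node
            stack.append(node)
            continue
        key, _, value = line.partition(" ")
        stack[-1][key] = value.strip().strip('"\u201c\u201d')
    return root


def port_group_names(group_text):
    """Return the set of port-group names defined in 'show firewall group port-group' output."""
    cfg = parse_show_output(group_text)
    return {k.split(" ", 1)[1] for k in cfg if k.startswith("port-group ")}


def lint_rule(rule_text, groups):
    """Return human-readable findings for one rule's 'show' output."""
    rule = parse_show_output(rule_text)
    findings = []
    for side in ("source", "destination"):
        port = rule.get(side, {}).get("port")
        if port is None:
            continue
        if port in groups:
            findings.append(
                f"{side} port {port}: '{port}' is a port-group, "
                f"use '{side} group port-group {port}'"
            )
        elif not (PORT_SPEC.match(port) or port in SERVICE_NAMES):
            findings.append(
                f"{side} port {port}: not a number, range or known service name"
            )
    return findings


# Sample input: the groups from the thread plus a constructed pg-ssh group.
GROUP_TEXT = """
 port-group dns {
     port 53
 }
 port-group ntp {
     port 123
 }
 port-group pg-ssh {
     port 22
 }
[edit]
"""
GROUPS = port_group_names(GROUP_TEXT)

# The failing rule from the thread (port-group name placed under 'port').
FAILING_RULE = """
 action accept
 description "Allow DNS"
 destination {
     group {
         address-group dns-piholes
     }
>    port dns
 }
 protocol tcp_udp
[edit]
"""

# The working rule from the thread (port-group under 'group port-group').
WORKING_RULE = """
 action accept
 description "Allow SSH"
 destination {
     group {
         port-group pg-ssh
     }
 }
 protocol tcp
 source {
     group {
         address-group mgmtfromlan
     }
 }
[edit]
"""

if __name__ == "__main__":
    for name, text in (("rule 500", FAILING_RULE), ("rule 900", WORKING_RULE)):
        for finding in lint_rule(text, GROUPS) or ["ok"]:
            print(f"{name}: {finding}")
```

Run over the two rules above, the linter reports the `dns` misplacement for rule 500 and nothing for rule 900. Note that a port-group whose name coincides with a service name (the thread's `ntp` group is an example, since `ntp` is a standard /etc/services entry) is still flagged when used under `port`, because the commit would accept it as a service name rather than as the group you intended.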
