Sagitta-rc1 zone-based firewall can't do state filtering?

As I understand the state of play for sagitta’s zone-based firewall capabilities, after the initial changes were committed, the zone-based firewall config syntax from sagitta-rolling was deleted, then reinstated. Nearly(?) the old syntax was maintained, but the semantics were migrated to the new infrastructure’s firewalls.

I recently tried to migrate to sagitta-rc1, and ran into the following issue. Rather than being migrated, the state filtering syntax of my old config was silently removed. Obviously, this broke my firewall.

My old config snippet looks like:

    name WAN-LAN {
        default-action drop
        rule 5 {
            action accept
            description "Allow established/related traffic"
            state {
                established enable
                related enable
            }
        }
    }

After loading that config in the sagitta-rc1 config.boot, the entire state stanza is missing after a commit/save. Indeed, trying to implement it with the command line in config mode fails to recognize the state syntax.

Given that I want to continue using zone-based firewalling, what are my options to regain that functionality in sagitta-rc1?

Is this simply a bug?

Are you copying and pasting verbatim? The enable on the end was dropped in 1.4-1.5. I’m not using zones anymore but this is what my equivalent looks like. Don’t copy my return action, that’s from how my rules are set up.

name CONN_FILTER {
    default-action return
    description "Stateful Packet Filtering"
    rule 10 {
        action accept
        state established
        state related
    }
    rule 20 {
        action drop
        state invalid
    }
}

Yes indeed, that got me past my syntax error. Thanks!

Now I’m struggling with the fact that my WanToLan firewall is seeing zero traffic. Did you happen to face that one too?

I just reconfigured my firewall by hand since I was getting rid of no longer used zones. If you post some more of the config, I might be able to help. Double check zones are assigned to interfaces too.


OK, at the bottom is a slightly elided and obfuscated copy of my firewall config.

The symptom is that:

show firewall ipv4 name WAN-LAN
Ruleset Information

---------------------------------
ipv4 Firewall "name WAN-LAN"

Rule     Action    Protocol      Packets    Bytes  Conditions
-------  --------  ----------  ---------  -------  ---------------------------------------------------------------------------------------------------
5        accept    all                 0        0  ct state { established, related }  accept
10       accept    esp                 0        0  ct state { established, related, new } meta l4proto esp ip saddr @D_TELSTRA-VOWIFI  accept
11       accept    udp                 0        0  ct state { established, related, new } ip saddr @D_TELSTRA-VOWIFI udp sport @P_VOWIFI-PORTS  accept
30       accept    icmp                0        0  ct state new meta l4proto icmp  accept
default  drop      all                 0        0

Begin firewall config:

firewall {
    group {
        address-group DMZ-ADDRESS {
            address "172.30.xxx.1"
        }
        address-group LAN-ADDRESS {
            address "172.30.yyy.1"
        }
        domain-group TELSTRA-VOWIFI {
            address "epdg.epc.mnc001.mcc505.pub.3gppnetwork.org"
            address "epdg.epc.mnc071.mcc505.pub.3gppnetwork.org"
            address "epdg.epc.mnc072.mcc505.pub.3gppnetwork.org"
            description "Explicit domains for Telstra VoWiFi."
        }
        network-group DMZ-NETWORK {
            network "172.30.xxx.0/24"
        }
        network-group LAN-NETWORK {
            network "172.30.yyy.0/24"
        }
        port-group VOWIFI-PORTS {
            port "isakmp"
            port "ipsec-nat-t"
        }
    }
    ipv4 {
        name LAN-DMZ {
            default-action "accept"
        }
        name LAN-LOCAL {
            default-action "accept"
        }
        name LAN-WAN {
            default-action "accept"
        }
        name LAN-WG {
            default-action "accept"
        }
        name LOCAL-LAN {
            default-action "accept"
        }
        name LOCAL-WAN {
            default-action "accept"
        }
        name WAN-LAN {
            default-action "drop"
            rule 5 {
                action "accept"
                description "Allow established/related traffic"
                state "established"
                state "related"
            }
            rule 10 {
                action "accept"
                description "Allow esp from Telstra VoWiFi servers"
                protocol "esp"
                source {
                    group {
                        domain-group "TELSTRA-VOWIFI"
                    }
                }
                state "established"
                state "new"
                state "related"
            }
            rule 11 {
                action "accept"
                description "Allow ISAKMP and IPSEC-NAT-T from Telstra VoWiFi servers"
                protocol "udp"
                source {
                    group {
                        domain-group "TELSTRA-VOWIFI"
                        port-group "VOWIFI-PORTS"
                    }
                }
                state "established"
                state "new"
                state "related"
            }
            rule 30 {
                action "accept"
                description "Allow icmp to LAN"
                protocol "icmp"
                state "new"
            }
        }
        name WAN-LOCAL {
            default-action "drop"
            rule 5 {
                action "accept"
                description "Allow established/related traffic"
                state "established"
                state "related"
            }
            rule 30 {
                action "accept"
                protocol "icmp"
                state "new"
            }
        }
    }
    zone LAN {
        default-action "drop"
        from LOCAL {
            firewall {
                name "LOCAL-LAN"
            }
        }
        from WAN {
            firewall {
                name "WAN-LAN"
            }
        }
        interface "eth3"
    }
    zone LOCAL {
        default-action "drop"
        from LAN {
            firewall {
                name "LAN-LOCAL"
            }
        }
        from WAN {
            firewall {
                name "WAN-LOCAL"
            }
        }
        local-zone
    }
    zone WAN {
        default-action "drop"
        from LAN {
            firewall {
                name "LAN-WAN"
            }
        }
        from LOCAL {
            firewall {
                name "LOCAL-WAN"
            }
        }
        interface "eth2"
    }
}

Any help would be greatly appreciated!!!

Please share output of:

show config commands | grep firewall
sudo nft list table ip vyos_filter

OK, slightly obfuscated and redacted again.

The config commands output:

set firewall group address-group DMZ-ADDRESS address '172.30.xxx.1'
set firewall group address-group LAN-ADDRESS address '172.30.yyy.1'
set firewall group domain-group TELSTRA-VOWIFI address 'epdg.epc.mnc001.mcc505.pub.3gppnetwork.org'
set firewall group domain-group TELSTRA-VOWIFI address 'epdg.epc.mnc071.mcc505.pub.3gppnetwork.org'
set firewall group domain-group TELSTRA-VOWIFI address 'epdg.epc.mnc072.mcc505.pub.3gppnetwork.org'
set firewall group domain-group TELSTRA-VOWIFI description 'Explicit domains for Telstra VoWiFi.'
set firewall group ipv6-network-group NET-6-BLACKLIST
set firewall group ipv6-network-group NET-6-MANAGEMENT
set firewall group network-group DMZ-NETWORK network '172.30.xxx.0/24'
set firewall group network-group LAN-NETWORK network '172.30.yyy.0/24'
set firewall group port-group VOWIFI-PORTS port 'isakmp'
set firewall group port-group VOWIFI-PORTS port 'ipsec-nat-t'
set firewall ipv4 name LAN-DMZ default-action 'accept'
set firewall ipv4 name LAN-LOCAL default-action 'accept'
set firewall ipv4 name LAN-WAN default-action 'accept'
set firewall ipv4 name LAN-WG default-action 'accept'
set firewall ipv4 name LOCAL-LAN default-action 'accept'
set firewall ipv4 name LOCAL-WAN default-action 'accept'
set firewall ipv4 name WAN-LAN default-action 'drop'
set firewall ipv4 name WAN-LAN rule 5 action 'accept'
set firewall ipv4 name WAN-LAN rule 5 description 'Allow established/related traffic'
set firewall ipv4 name WAN-LAN rule 5 state 'established'
set firewall ipv4 name WAN-LAN rule 5 state 'related'
set firewall ipv4 name WAN-LAN rule 10 action 'accept'
set firewall ipv4 name WAN-LAN rule 10 description 'Allow esp from Telstra VoWiFi servers'
set firewall ipv4 name WAN-LAN rule 10 protocol 'esp'
set firewall ipv4 name WAN-LAN rule 10 source group domain-group 'TELSTRA-VOWIFI'
set firewall ipv4 name WAN-LAN rule 10 state 'established'
set firewall ipv4 name WAN-LAN rule 10 state 'new'
set firewall ipv4 name WAN-LAN rule 10 state 'related'
set firewall ipv4 name WAN-LAN rule 11 action 'accept'
set firewall ipv4 name WAN-LAN rule 11 description 'Allow ISAKMP and IPSEC-NAT-T from Telstra VoWiFi servers'
set firewall ipv4 name WAN-LAN rule 11 protocol 'udp'
set firewall ipv4 name WAN-LAN rule 11 source group domain-group 'TELSTRA-VOWIFI'
set firewall ipv4 name WAN-LAN rule 11 source group port-group 'VOWIFI-PORTS'
set firewall ipv4 name WAN-LAN rule 11 state 'established'
set firewall ipv4 name WAN-LAN rule 11 state 'new'
set firewall ipv4 name WAN-LAN rule 11 state 'related'
set firewall ipv4 name WAN-LAN rule 30 action 'accept'
set firewall ipv4 name WAN-LAN rule 30 description 'Allow icmp to LAN'
set firewall ipv4 name WAN-LAN rule 30 protocol 'icmp'
set firewall ipv4 name WAN-LAN rule 30 state 'new'
set firewall ipv4 name WAN-LOCAL default-action 'drop'
set firewall ipv4 name WAN-LOCAL rule 5 action 'accept'
set firewall ipv4 name WAN-LOCAL rule 5 description 'Allow established/related traffic'
set firewall ipv4 name WAN-LOCAL rule 5 state 'established'
set firewall ipv4 name WAN-LOCAL rule 5 state 'related'
set firewall ipv4 name WAN-LOCAL rule 30 action 'accept'
set firewall ipv4 name WAN-LOCAL rule 30 protocol 'icmp'
set firewall ipv4 name WAN-LOCAL rule 30 state 'new'
set firewall zone LAN default-action 'drop'
set firewall zone LAN from LOCAL firewall name 'LOCAL-LAN'
set firewall zone LAN from WAN firewall name 'WAN-LAN'
set firewall zone LAN interface 'eth3'
set firewall zone LOCAL default-action 'drop'
set firewall zone LOCAL from LAN firewall name 'LAN-LOCAL'
set firewall zone LOCAL from WAN firewall name 'WAN-LOCAL'
set firewall zone LOCAL local-zone
set firewall zone WAN default-action 'drop'
set firewall zone WAN from LAN firewall name 'LAN-WAN'
set firewall zone WAN from LOCAL firewall name 'LOCAL-WAN'
set firewall zone WAN interface 'eth2'

The nft table output:

sudo nft list table ip vyos_filter
table ip vyos_filter {
	set A_DMZ-ADDRESS {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 172.30.xxx.1 }
	}

	set A_LAN-ADDRESS {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 172.30.yyy.1 }
	}

	set D_TELSTRA-VOWIFI {
		type ipv4_addr
		flags interval
	}

	set N_DMZ-NETWORK {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 172.30.xxx.0/24 }
	}

	set N_LAN-NETWORK {
		type ipv4_addr
		flags interval
		auto-merge
		elements = { 172.30.yyy.0/24 }
	}

	set P_VOWIFI-PORTS {
		type inet_service
		flags interval
		auto-merge
		elements = { 500, 4500 }
	}

	chain VYOS_FORWARD_filter {
		type filter hook forward priority filter; policy accept;
		counter packets 1219 bytes 107204 accept comment "FWD-filter default-action accept"
	}

	chain VYOS_INPUT_filter {
		type filter hook input priority filter; policy accept;
		counter packets 10827 bytes 2286463 accept comment "INP-filter default-action accept"
	}

	chain VYOS_OUTPUT_filter {
		type filter hook output priority filter; policy accept;
		counter packets 4579 bytes 483922 accept comment "OUT-filter default-action accept"
	}

	chain VYOS_FRAG_MARK {
		type filter hook prerouting priority -450; policy accept;
		ip frag-off & 16383 != 0 meta mark set 0x000ffff1 return
	}

	chain NAME_LAN-DMZ {
		counter packets 0 bytes 0 accept comment "LAN-DMZ default-action accept"
	}

	chain NAME_LAN-LOCAL {
		counter packets 499 bytes 52286 accept comment "LAN-LOCAL default-action accept"
	}

	chain NAME_LAN-WAN {
		counter packets 1219 bytes 107204 accept comment "LAN-WAN default-action accept"
	}

	chain NAME_LOCAL-LAN {
		counter packets 384 bytes 69710 accept comment "LOCAL-LAN default-action accept"
	}

	chain NAME_LOCAL-WAN {
		counter packets 13 bytes 1016 accept comment "LOCAL-WAN default-action accept"
	}

	chain NAME_WAN-LAN {
		ct state { established, related } counter packets 0 bytes 0 accept comment "ipv4-NAM-WAN-LAN-5"
		ct state { established, related, new } meta l4proto esp ip saddr @D_TELSTRA-VOWIFI counter packets 0 bytes 0 accept comment "ipv4-NAM-WAN-LAN-10"
		ct state { established, related, new } ip saddr @D_TELSTRA-VOWIFI udp sport @P_VOWIFI-PORTS counter packets 0 bytes 0 accept comment "ipv4-NAM-WAN-LAN-11"
		ct state new meta l4proto icmp counter packets 0 bytes 0 accept comment "ipv4-NAM-WAN-LAN-30"
		counter packets 0 bytes 0 drop comment "WAN-LAN default-action drop"
	}

	chain NAME_WAN-LOCAL {
		ct state { established, related } counter packets 3 bytes 496 accept comment "ipv4-NAM-WAN-LOCAL-5"
		ct state new meta l4proto icmp counter packets 0 bytes 0 accept comment "ipv4-NAM-WAN-LOCAL-30"
		counter packets 6143 bytes 1820485 drop comment "WAN-LOCAL default-action drop"
	}

	chain VYOS_ZONE_FORWARD {
		type filter hook forward priority filter + 1; policy accept;
		oifname "eth3" counter packets 0 bytes 0 jump VZONE_LAN
		oifname "eth2" counter packets 1219 bytes 107204 jump VZONE_WAN
	}

	chain VYOS_ZONE_LOCAL {
		type filter hook input priority filter + 1; policy accept;
		counter packets 10827 bytes 2286463 jump VZONE_LOCAL_IN
	}

	chain VYOS_ZONE_OUTPUT {
		type filter hook output priority filter + 1; policy accept;
		counter packets 4579 bytes 483922 jump VZONE_LOCAL_OUT
	}

	chain VZONE_LAN {
		iifname "eth3" counter packets 0 bytes 0 return
		iifname "eth2" counter packets 0 bytes 0 jump NAME_WAN-LAN
		iifname "eth2" counter packets 0 bytes 0 return
		counter packets 0 bytes 0 drop comment "zone_LAN default-action drop"
	}

	chain VZONE_LOCAL_IN {
		iifname "lo" counter packets 4182 bytes 413196 return
		iifname "eth3" counter packets 499 bytes 52286 jump NAME_LAN-LOCAL
		iifname "eth3" counter packets 0 bytes 0 return
		iifname "eth2" counter packets 6146 bytes 1820981 jump NAME_WAN-LOCAL
		iifname "eth2" counter packets 0 bytes 0 return
		counter packets 0 bytes 0 drop comment "zone_LOCAL default-action drop"
	}

	chain VZONE_LOCAL_OUT {
		oifname "lo" counter packets 4182 bytes 413196 return
		oifname "eth3" counter packets 384 bytes 69710 jump NAME_LOCAL-LAN
		oifname "eth3" counter packets 0 bytes 0 return
		oifname "eth2" counter packets 13 bytes 1016 jump NAME_LOCAL-WAN
		oifname "eth2" counter packets 0 bytes 0 return
		counter packets 0 bytes 0 drop comment "zone_LOCAL default-action drop"
	}

	chain VZONE_WAN {
		iifname "eth2" counter packets 0 bytes 0 return
		iifname "eth3" counter packets 1219 bytes 107204 jump NAME_LAN-WAN
		iifname "eth3" counter packets 0 bytes 0 return
		counter packets 0 bytes 0 drop comment "zone_WAN default-action drop"
	}
}

From what I understand, you expect counters != 0 for connections coming from WAN to your LAN:

## WAN:
set firewall zone WAN interface 'eth2'

## LAN:
set firewall zone LAN interface 'eth3'

## And ruleset used for connections from WAN to LAN:
set firewall zone LAN from WAN firewall name 'WAN-LAN'

Are you sure you are receiving a connection in eth2 that should be routed through interface eth3?

chain VYOS_ZONE_FORWARD {
    type filter hook forward priority filter + 1; policy accept;
    oifname "eth3" counter packets 0 bytes 0 jump VZONE_LAN
    oifname "eth2" counter packets 1219 bytes 107204 jump VZONE_WAN
}

First rule has counter=0, which means that the router is not receiving any new connection that should be routed through eth3.

Also, for state filtering, you can use options available in global-options section Global Options Firewall Configuration — VyOS 1.5.x (circinus) documentation
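The counter walk above (VYOS_ZONE_FORWARD -> VZONE_<zone> -> NAME_<ruleset>) can be automated over `sudo nft list table ip vyos_filter` output. This is an added example, not code from the thread or from VyOS; the sample output is constructed to mirror the chain layout posted above, and a zero counter at the zone hop is flagged because it points at routing/NAT rather than at the ruleset.

```python
import re

# Constructed excerpt of `sudo nft list table ip vyos_filter` in the shape
# VyOS 1.4 emits for zone policy (counter values are made up for the example).
SAMPLE = """\
table ip vyos_filter {
    chain VYOS_ZONE_FORWARD {
        type filter hook forward priority filter + 1; policy accept;
        oifname "eth3" counter packets 0 bytes 0 jump VZONE_LAN
        oifname "eth2" counter packets 1219 bytes 107204 jump VZONE_WAN
    }
    chain VZONE_LAN {
        iifname "eth3" counter packets 0 bytes 0 return
        iifname "eth2" counter packets 0 bytes 0 jump NAME_WAN-LAN
        counter packets 0 bytes 0 drop comment "zone_LAN default-action drop"
    }
    chain VZONE_WAN {
        iifname "eth3" counter packets 1219 bytes 107204 jump NAME_LAN-WAN
        counter packets 0 bytes 0 drop comment "zone_WAN default-action drop"
    }
}
"""

CHAIN_RE = re.compile(r"^\s*chain (\S+) \{")
# Optional iifname/oifname match, packet counter, then the verdict.
RULE_RE = re.compile(r'^\s*(?:[oi]ifname "([^"]+)" )?counter packets (\d+) '
                     r"bytes \d+ (?:jump (\S+)|return|drop|accept)")

def parse_chains(text):
    """Map chain name -> list of (iface, packets, jump_target_or_None)."""
    chains, current = {}, None
    for line in text.splitlines():
        head = CHAIN_RE.match(line)
        if head:
            current = head.group(1)
            chains[current] = []
        elif current and line.strip() == "}":
            current = None
        elif current and (rule := RULE_RE.match(line)):
            iface, pkts, target = rule.groups()
            chains[current].append((iface, int(pkts), target))
    return chains

def zone_pairs(chains):
    """Follow VYOS_ZONE_FORWARD -> VZONE_<zone> -> NAME_<ruleset>; return one
    (to_zone, oif, zone_pkts, iif, ruleset, ruleset_pkts) row per zone pair."""
    rows = []
    for oif, zone_pkts, vzone in chains.get("VYOS_ZONE_FORWARD", []):
        if not (vzone and vzone.startswith("VZONE_")):
            continue
        for iif, pkts, target in chains.get(vzone, []):
            if target and target.startswith("NAME_"):
                rows.append((vzone[6:], oif, zone_pkts, iif, target, pkts))
    return rows

def silent_zones(rows):
    """Zone pairs where no packet reached the zone hop: look at routing/NAT."""
    return [r for r in rows if r[2] == 0]
```

Run `silent_zones(zone_pairs(parse_chains(output)))` on real output and any row it returns is a destination zone the kernel never forwarded into, which is exactly the WAN-to-LAN case in this thread.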

Well, my description of the symptom was not the whole story. (Sorry!)

When I try to ping the outside world (e.g. the QuadNine DNS server) from onboard the router, the test succeeds:

ping 9.9.9.9
PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
64 bytes from 9.9.9.9: icmp_seq=1 ttl=55 time=14.7 ms
64 bytes from 9.9.9.9: icmp_seq=2 ttl=55 time=13.3 ms
64 bytes from 9.9.9.9: icmp_seq=3 ttl=55 time=13.4 ms
64 bytes from 9.9.9.9: icmp_seq=4 ttl=55 time=14.4 ms
^C
--- 9.9.9.9 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 13.331/13.955/14.677/0.584 ms

However, when I try to do the same ping from my laptop directly connected to the LAN port (eth3) I get the following result:

ping 9.9.9.9
PING 9.9.9.9 (9.9.9.9): 56 data bytes
Request timeout for icmp_seq 0
Request timeout for icmp_seq 1
Request timeout for icmp_seq 2
Request timeout for icmp_seq 3
^C
--- 9.9.9.9 ping statistics ---
5 packets transmitted, 0 packets received, 100.0% packet loss

I thought I was setting things up correctly – i.e. this used to work in the old sagitta-rolling zone-firewall config. Perhaps I’m making a silly error now with the new syntax/semantics?

Never mind. I found it. Masquerading had fallen off the configuration somehow.

I configured:

show nat
 source {
     rule 10 {
         outbound-interface {
             name eth2
         }
         source {
             group {
                 network-group LAN-DMZ-NETWORKS
             }
         }
         translation {
             address masquerade
         }
     }
 }

Now I’m getting traffic through the router.

Thank you all for the help!!! I am deeply appreciative!

Hi @frankhorowitz,

I’m glad you managed to resolve the issue and get your traffic flowing through the router. Thank you for sharing your configuration; this will undoubtedly help others who might encounter the same issue.

Have a great day!

Cheers!

@JoeN

I’m beginning to get back into “grokking” VyOS. This community is great!

BTW, for the purposes of gaining access to the sagitta-LTS binaries once they are released, does my participation here – along with my filing a bug report for a different matter – count towards enabling me to have access?


@frankhorowitz you can apply for the LTS here VyOS Community.

