Setting destination-address on firewall rule stops traffic

When I set a destination-address on a firewall rule, the rule stops accepting packets and they hit my deny rule 999. If I remove the destination address, the rule performs as expected and I can reach the host. What am I doing wrong, please? This is a VyOS 1.3 instance with three VIFs; I have also tried VyOS 1.4.

Monitor interface shows the packet being sent to the destination server. If I change the IP address, there is no difference. If I set a source or port, there is also no difference. I observe the same behaviour on other protocols. Below are the only firewall rules on this router. If I set a generic rule 5 with a destination 10.3.0.3 and an action accept, I face the same issue.

set interfaces ethernet eth1 vif 3 firewall in name 'eth1.v3inbound'

set firewall name eth1.v3inbound default-action 'drop'
set firewall name eth1.v3inbound enable-default-log

set firewall name eth1.v3inbound rule 10 action 'accept'
set firewall name eth1.v3inbound rule 10 log 'enable'
set firewall name eth1.v3inbound rule 10 protocol 'icmp'

set firewall name eth1.v3inbound rule 11 action 'accept'
set firewall name eth1.v3inbound rule 11 destination address '10.3.0.3'
set firewall name eth1.v3inbound rule 11 protocol 'tcp'

set firewall name eth1.v3inbound rule 999 action 'drop'
set firewall name eth1.v3inbound rule 999 destination address '10.0.0.0/8'

set firewall name eth1.v3inbound rule 1000 action 'accept'
set firewall name eth1.v3inbound rule 1000 destination address '0.0.0.0/0'

Is DNAT in place? Then filter on the new address.
Or try adding a /32 subnet mask.
Using the iptables/nftables command, you can verify how your rules end up.

Hello 16again - thank you, I’ve just tried a /32 and no change unfortunately. No DNAT in place, only SNAT for outbound internet. The source host is inside another VIF on the VyOS; would that require NAT?

You could share a traffic dump taken on interface eth1.3, or at least an image in Wireshark where the destination address is shown: expected to be 10.3.0.3.

Can you enable log for default-action=drop? Then share the logs when the desired traffic gets dropped. There you should see the dst-address too.

Finally, you can also check the current firewall ruleset: sudo nft list ruleset

Hi @n.fort thank you for your comment, please see below:

  • Export of above requests → https://pastebin.com/85LCmkVw
  • Conf → https://pastebin.com/

To confirm testing steps so far:

  • Tried three versions of VyOS

  • Tried a /32 network

  • Tried changing destination and source IPs

Only thing that has worked:

  • Setting destination to 10.3.0.0/16 which defeats the purpose

I am stumped. The packets are being transmitted and then skipping rule 11 and going straight to the block rule.

without deep analysis:

 IN=eth1.3 OUT=eth1.6 MAC=00:50:56:a3:7a:85:00:0c:29:95:e9:66:08:00 SRC=10.3.0.3 DST=10.6.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=40256 DF PROTO=TCP SPT=3389 DPT=53437 WINDOW=64000 RES=0x00 ACK SYN URGP=0 

In that dump, I see the dst address is not 10.3.0.3… that is the source address, not the dst address.


Bingo and thank you. If I add a return rule on the same interface, it works as expected. It would appear that the outbound packet is not blocked, but the return is.

 rule 11 {
     action accept
     destination {
         address 10.3.0.3
     }
     log enable
     protocol tcp
 }
 rule 12 {
     action accept
     destination {
         address 10.6.0.0/16
     }
     source {
         address 10.3.0.3
     }
 }
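As an added illustration (not code from the thread or from VyOS), the following first-match simulator replays the quoted log line against the eth1.v3inbound ruleset, before and after rule 12, and shows why the SYN-ACK from 10.3.0.3 fell through to rule 999. The rule tuples are constructed from the rules posted above; "any" marks a match criterion the rule does not set.

```python
# Added example: first-match evaluation of the eth1.v3inbound ruleset.
# Not VyOS code; rules are transcribed from the thread, "any" = criterion not set.
from ipaddress import ip_address, ip_network

# (number, action, protocol, source, destination), in VyOS evaluation order.
RULESET_BEFORE = [
    (10,   "accept", "icmp", "any", "any"),
    (11,   "accept", "tcp",  "any", "10.3.0.3/32"),
    (999,  "drop",   "any",  "any", "10.0.0.0/8"),
    (1000, "accept", "any",  "any", "0.0.0.0/0"),
]
# Rule 12 from the final post: allow the return flow 10.3.0.3 -> 10.6.0.0/16.
RULESET_AFTER = (RULESET_BEFORE[:2]
                 + [(12, "accept", "any", "10.3.0.3/32", "10.6.0.0/16")]
                 + RULESET_BEFORE[2:])


def _match(pattern, addr):
    return pattern == "any" or addr in ip_network(pattern)


def evaluate(ruleset, proto, src, dst, default_action="drop"):
    """Return (rule_number, action) of the first matching rule, or (None, default)."""
    src, dst = ip_address(src), ip_address(dst)
    for number, action, rproto, rsrc, rdst in ruleset:
        if rproto in ("any", proto) and _match(rsrc, src) and _match(rdst, dst):
            return number, action
    return None, default_action


def parse_log(line):
    """Pull PROTO/SRC/DST out of a VyOS firewall log line (bare flags are skipped)."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    return fields["PROTO"].lower(), fields["SRC"], fields["DST"]


# The log line quoted in the thread: the SYN-ACK entering the router on eth1.3.
LOG_LINE = ("IN=eth1.3 OUT=eth1.6 MAC=00:50:56:a3:7a:85:00:0c:29:95:e9:66:08:00 "
            "SRC=10.3.0.3 DST=10.6.0.10 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=40256 DF "
            "PROTO=TCP SPT=3389 DPT=53437 WINDOW=64000 RES=0x00 ACK SYN URGP=0")

if __name__ == "__main__":
    pkt = parse_log(LOG_LINE)
    print("return packet, before rule 12:", evaluate(RULESET_BEFORE, *pkt))  # (999, 'drop')
    print("return packet, after rule 12: ", evaluate(RULESET_AFTER, *pkt))   # (12, 'accept')
```

The client's SYN (10.6.0.10 to 10.3.0.3) enters on eth1.6 and never reaches this ruleset; only the reply, with 10.3.0.3 as source, is filtered here.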
