Trying to block HTTPS via firewall and failing to do so


#1

Hello,
I’m trying to add firewall rules (just playing around with it to get to know how it works). My first goal is to block port 443.
I’ve attached my network topology so you’ll understand how it works (see: “MyNetwork.png”).

Basically, I have a VyOS router which has 2 interfaces: ETH0 goes out to the outside world (internet) and ETH1 goes into the inner network.
I’ve attached my firewall rules as a picture (there are only 3 rules there), and the idea is that because I don’t have a rule to accept port 443, it should be dropped by default. However, I can view it from the browser on one of the hosts.

A few questions:

  1. Because I have 2 interfaces (one for the outside world and one for the inside), how should I attach the firewall to the interfaces? Should “MonitorOutgoingData-Out” be on the “out” of ETH0 and “MonitorOutgoingData-In” be on the “in” of eth1? I would be happy to get an explanation of how it works (how do we know which interface to assign a firewall rule to, and should it be the “in”, “out” or “local”).

Many thanks!


#2

Hello,
see this one
http://soucy.org/vyos/UsingVyOSasaFirewall.pdf


#3

Hi,
First, thank you for the reply! Great guide!

I think I’m getting things wrong, but I can’t figure out a small simple thing. I took the following firewall rule:

name MonitorOutgoingData-Out {
    default-action drop
    rule 1010 {
        action accept
        icmp {
            type-name any
        }
        protocol icmp
        source {
            address 192.168.1.2
        }
    }
}

and I put it on the following:
set interfaces ethernet eth0 firewall out name MonitorOutgoingData-Out

Now… I still can’t send a simple ping request from the host 192.168.1.2 (which is in the inside network). I thought that if I put “what to accept” on the out of the external interface, then it would allow the ping request from the LAN (eth1) to go through. What am I doing wrong?

I even added the following firewall to the “in” of eth1 interface:
name AcceptAll {
    default-action accept
}

Just trying to forward (successfully) a simple ping request from the host via VyOS to the outside world and get a reply back.
NAT is configured for that host (source NAT only)

Thank you!
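As an added example (not from any post in this thread, and not a diagnosis of the poster's setup), here is the rule set above written as VyOS 1.x `set` commands, together with the interface attachment and a second rule set for the WAN side. In the interface-based firewall of VyOS 1.x, `in` filters forwarded traffic entering the router through an interface, `out` filters forwarded traffic leaving through it, and `local` filters traffic addressed to the router itself; source NAT is applied after the forward filter, so an `out` rule set on eth0 still sees the private source address. The rule set name `WAN-In`, the rule numbers other than 1010 and the narrowing of `type-name` to `echo-request` are assumptions made for this example.

```vyos
# Added example, not the thread's configuration.
# LAN -> Internet: attached to the 'out' side of eth0, so it filters
# forwarded traffic leaving the router towards the internet. With
# default-action drop, anything not matched (e.g. TCP/443) is dropped.
set firewall name MonitorOutgoingData-Out default-action 'drop'

# Rule from the thread: allow ICMP echo requests from the LAN host.
# Source NAT runs after this filter, so 192.168.1.2 still matches here.
set firewall name MonitorOutgoingData-Out rule 1010 action 'accept'
set firewall name MonitorOutgoingData-Out rule 1010 protocol 'icmp'
set firewall name MonitorOutgoingData-Out rule 1010 icmp type-name 'echo-request'
set firewall name MonitorOutgoingData-Out rule 1010 source address '192.168.1.2'

set interfaces ethernet eth0 firewall out name 'MonitorOutgoingData-Out'

# Internet -> LAN (assumed name 'WAN-In'): attached to the 'in' side of
# eth0, so it filters forwarded traffic arriving from the internet.
# Only packets belonging to connections the router has already seen
# (such as the echo-reply to the ping above) are accepted; unsolicited
# inbound traffic is dropped.
set firewall name WAN-In default-action 'drop'
set firewall name WAN-In rule 10 action 'accept'
set firewall name WAN-In rule 10 state established 'enable'
set firewall name WAN-In rule 10 state related 'enable'

set interfaces ethernet eth0 firewall in name 'WAN-In'

commit
save

# Check: the per-rule packet counters should increase while the host
# pings, and 'show firewall' lists which interface/direction each rule
# set is bound to.
show firewall name MonitorOutgoingData-Out statistics
show firewall name WAN-In statistics
```

Nothing is attached to `local` in this example, so traffic addressed to the router itself (SSH to its own addresses, for instance) is not filtered by either rule set; a third rule set on `eth0 firewall local` would be the place for that.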