VyOS 1.3.0 show firewall output

Hello,

Just thought I would share in the event someone else has a moment of panic like I did. It seems that VyOS 1.3.0 does not show state configuration in the output of ‘show firewall’ like VyOS 1.2.x does. This made me panic, as it looked like my internet-facing rules were allowing everything in from the internet instead of just ESTABLISHED,RELATED traffic. I worried that maybe the firewall rules were not applied correctly, but checking the output of iptables shows the rules are correct; it is just not reflected in the VyOS CLI. E.g.:

Firewall rule:

vyos@vyos:~$ show config commands | match "inet_local"
set firewall name inet_local default-action 'drop'
set firewall name inet_local rule 10 action 'accept'
set firewall name inet_local rule 10 state established 'enable'
set firewall name inet_local rule 10 state related 'enable'
set firewall name inet_local rule 20 action 'accept'
set firewall name inet_local rule 20 icmp type-name 'echo-request'
set firewall name inet_local rule 20 protocol 'icmp'
set firewall name inet_local rule 20 state new 'enable'

Show the firewall rule:

vyos@vyos:~$ show firewall name inet_local

-----------------------------
Rulesets Information
-----------------------------

IPv4 Firewall "inet_local":

 Active on (eth0,LOCAL)

rule  action   proto     packets  bytes                                   
----  ------   -----     -------  -----                                   
10    accept   all       3907     721561                                  
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 inet_local-10 */                  

20    accept   icmp      1171     88050                                   
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 8 /* inet_local-20 */             

10000 drop     all       9409     430969                                  
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0              

As you can see, rule 10 does not show state, so it looks like I’m allowing anything to anything. Also, rule 20 does not show state NEW. However, iptables does show the state configured properly:

vyos@vyos:~$ sudo iptables -nvL inet_local
Chain inet_local (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 3920  723K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED /* inet_local-10 */
 1171 88050 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW icmptype 8 /* inet_local-20 */
 9410  431K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* inet_local-10000 default-action drop */

Here is an example of the ‘show firewall’ output from VyOS 1.2.8 which lists the state properly on rule 10:

vyos@vyos-test:~$ show firewall name inet_local

-----------------------------
Rulesets Information
-----------------------------

IPv4 Firewall "inet_local":

 Active on (eth0,LOCAL)

rule  action   proto     packets  bytes                                   
----  ------   -----     -------  -----                                   
10    accept   all       14       1962                                    
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 state RELATED,ESTABLISHED         

20    accept   icmp      0        0                                       
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0 state NEW icmptype 8              

10000 drop     all       0        0                                       
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0                                   
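
A quick check for the situation described in this post, added here as an example and not taken from the thread or from the VyOS project: since the 1.3 ‘show firewall’ output hides the state match, audit the underlying iptables chain directly. The script reads rules in the shape of ‘sudo iptables -S inet_local’ and flags every accept rule (VyOS renders ‘action accept’ as a RETURN to the calling chain, as the ‘iptables -nvL’ listing above shows) that carries no ‘--state’ or ‘--ctstate’ match. The sample rules embedded below are constructed for the example, including an assumed unqualified rule 30 that the real config above does not contain; on a real box, pipe ‘sudo iptables -S inet_local’ into ‘stateless_accepts inet_local’ instead.

```shell
#!/bin/sh
# Audit a VyOS firewall chain for accept rules that carry no connection-state
# match. Input is text in the shape of `iptables -S <chain>` (one rule per
# line, iptables-save syntax), read from stdin.

# Constructed sample in the shape of `sudo iptables -S inet_local`. Not captured
# from a real router; rule 30 is an assumed, deliberately unqualified rule.
SAMPLE_RULES='-N inet_local
-A inet_local -m comment --comment inet_local-10 -m state --state RELATED,ESTABLISHED -j RETURN
-A inet_local -p icmp -m icmp --icmp-type 8 -m comment --comment inet_local-20 -m state --state NEW -j RETURN
-A inet_local -p tcp -m tcp --dport 22 -m comment --comment inet_local-30 -j RETURN
-A inet_local -m comment --comment "inet_local-10000 default-action drop" -j DROP'

# stateless_accepts CHAIN < rules
# Prints each rule appended to CHAIN whose target is RETURN (VyOS "accept") or
# ACCEPT and which has neither "--state" (-m state) nor "--ctstate"
# (-m conntrack). Returns 0 if no such rule exists, 1 if at least one does.
stateless_accepts() {
    chain="$1"
    found=0
    while IFS= read -r line; do
        # Only rules appended to the chain under audit; skip -N, -P and others.
        case "$line" in
            "-A $chain "*) ;;
            *) continue ;;
        esac
        # Only accept-style targets; DROP/REJECT rules need no state match.
        case "$line" in
            *"-j RETURN"*|*"-j ACCEPT"*) ;;
            *) continue ;;
        esac
        # A rule with either state-match form is fine.
        case "$line" in
            *"--state "*|*"--ctstate "*) continue ;;
        esac
        printf '%s\n' "$line"
        found=1
    done
    [ "$found" -eq 0 ]
}

# count_stateless_accepts CHAIN
# Runs the audit over the embedded sample and prints the number of flagged
# rules, so the result can be checked without inspecting the listing.
count_stateless_accepts() {
    printf '%s\n' "$SAMPLE_RULES" | stateless_accepts "$1" | wc -l | tr -d ' '
}

# Stand-alone run over the sample: the unqualified rule 30 should be reported.
if printf '%s\n' "$SAMPLE_RULES" | stateless_accepts inet_local; then
    echo "ok: every accept rule in inet_local is state-qualified"
else
    echo "WARNING: the accept rule(s) above match without any state restriction"
fi
```

The check is deliberately conservative: a rule is only considered safe when the ‘-m state’ or ‘-m conntrack’ match is present on that rule itself, which is exactly the detail the 1.3 CLI listing omits.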

It is a different format between the 1.2 and 1.3 output (column comment and ports), T2194.


Thanks. I figured it was something like that. It just gave me one of those “oh crap!” moments when I saw it.