Hello all!
I am having a heck of a time configuring the firewall to work how I want it to work on my network. I thought everything was good until, I discovered that all of my internally hosted services are available to the internet.
It is a really simple setup.
Internet → Router → Vyos → Network of Web Services
The only services that should be available to the internet are…
VPN over 1194 to vyos
SSH over 12131 pointed to X.X.8.51
SLDAP over 6363 pointed to X.X.20
443 pointed to X.X.8.30
ICMP to vyos
When I take a look at the firewall settings (shown below), it’s pretty simple and looks like it should do what i want (all 443 traffic from outside the network to be forwarded to X.X.8.30)
At X.X.8.30 I have an nginx server that does reverse proxying, but only to two of the services. (there is a dozen or so). And all I’m saying here, is if web traffic comes in over 443, it should only be able to route to those two services. Not my other servers.
Having said that, it seems that it’s only websites on a particular domain. I have 3 domain names that point back to this centralized server.
What am I missing?
Here is a dump of the firewall.
show firewall ipv4
Rulesets ipv4 Information
---------------------------------
ipv4 Firewall "forward filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- -------- --------------------------------------------
5 jump all 16306 12991881 iifname "eth0" jump NAME_OUTSIDE-TO-NETWORK
default accept all 13735 3927755
---------------------------------
ipv4 Firewall "input filter"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- -----------------------------------------
5 jump all 378 64291 iifname "eth0" jump NAME_OUTSIDE-TO-VYOS
default accept all 1408 125853
---------------------------------
ipv4 Firewall "name OUTSIDE-TO-NETWORK"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- -------- -------------------------------------------------------------------------------------------------------------------------------------------
10 accept all 16300 12991513 ct state { established, related } accept
11 accept tcp 6 368 ct state new ip daddr X.X.8.30 tcp dport 443 accept
13 accept tcp 0 0 ct state new ip daddr X.X.8.20 tcp dport 6363 accept
30 drop tcp 0 0 ct state new ip daddr X.X.8.51 tcp dport 22 add @RECENT_NAM_OUTSIDE-TO-NETWORK_30 { ip saddr limit rate over 4/minute burst 4 packets }
31 accept tcp 0 0 ct state new ip daddr X.X.8.51 tcp dport 22 accept
default drop all 0 0
---------------------------------
ipv4 Firewall "name OUTSIDE-TO-VYOS"
Rule Action Protocol Packets Bytes Conditions
------- -------- ---------- --------- ------- ----------------------------------------------------------
5 drop tcp_udp 0 0 ct state new meta l4proto { tcp, udp } th dport 53
6 drop tcp_udp 0 0 ct state established meta l4proto { tcp, udp } th dport 53
7 drop tcp_udp 0 0 ct state related meta l4proto { tcp, udp } th dport 53
10 accept all 300 59753 ct state { established, related } accept
20 accept icmp 0 0 ct state new icmp type echo-request accept
21 accept udp 0 0 udp dport 1194 accept
default drop all 78 4538
Here is the firewall
firewall {
global-options {
all-ping "enable"
broadcast-ping "disable"
ip-src-route "disable"
ipv6-receive-redirects "disable"
ipv6-src-route "disable"
log-martians "enable"
receive-redirects "disable"
send-redirects "enable"
source-validation "disable"
state-policy {
related {
action "accept"
}
}
syn-cookies "enable"
twa-hazards-protection "disable"
}
ipv4 {
forward {
filter {
default-action "accept"
rule 5 {
action "jump"
inbound-interface {
name "eth0"
}
jump-target "OUTSIDE-TO-NETWORK"
}
}
}
input {
filter {
default-action "accept"
rule 5 {
action "jump"
inbound-interface {
name "eth0"
}
jump-target "OUTSIDE-TO-VYOS"
}
}
}
name OUTSIDE-TO-NETWORK {
default-action "drop"
rule 10 {
action "accept"
state "established"
state "related"
}
rule 11 {
action "accept"
destination {
address "192.168.8.30"
port "443"
}
protocol "tcp"
state "new"
}
rule 13 {
action "accept"
destination {
address "192.168.8.20"
port "6363"
}
protocol "tcp"
state "new"
}
rule 30 {
action "drop"
destination {
address "192.168.8.51"
port "22"
}
protocol "tcp"
recent {
count "4"
time "minute"
}
state "new"
}
rule 31 {
action "accept"
destination {
address "192.168.8.51"
port "22"
}
protocol "tcp"
state "new"
}
}
name OUTSIDE-TO-VYOS {
default-action "drop"
rule 5 {
action "drop"
destination {
port "53"
}
protocol "tcp_udp"
state "new"
}
rule 6 {
action "drop"
destination {
port "53"
}
protocol "tcp_udp"
state "established"
}
rule 7 {
action "drop"
destination {
port "53"
}
protocol "tcp_udp"
state "related"
}
rule 10 {
action "accept"
state "established"
state "related"
}
rule 20 {
action "accept"
icmp {
type-name "echo-request"
}
protocol "icmp"
state "new"
}
rule 21 {
action "accept"
destination {
port "1194"
}
protocol "udp"
}
}
}
}
Here is the nat section.
nat {
destination {
rule 10 {
description "HTTPS->Hosting"
destination {
port "443"
}
inbound-interface {
name "eth0"
}
protocol "tcp"
translation {
address "192.168.8.30"
}
}
rule 12 {
description "SSH->Bastion"
destination {
port "12131"
}
inbound-interface {
name "eth0"
}
protocol "tcp"
translation {
address "192.168.8.51"
port "22"
}
}
rule 13 {
description "External LDAP"
destination {
port "6363"
}
inbound-interface {
name "eth0"
}
protocol "tcp"
translation {
address "192.168.8.20"
port "636"
}
}
}
