Hi,
Trying to apply a firewall configuration similar to what's in the quick start as follows:
block ipv4 inbound on WAN iface, apart from established / related
allow ipv4 inbound on WAN iface, only ICMP “echo-request” packets
allow ipv4/ipv6 outbound on WAN iface from local networks
However I'm getting this error when running commit:
Failed to apply firewall: /run/nftables.conf:12:51-57: Error: No such file or directory
ct state {new} meta l4proto icmp iifname @I_eth0 icmp type echo-request counter accept comment "INP-filter-999998"
                                         ^^^^^^^
Any ideas?
zsdc
August 23, 2023, 11:50am
Hi!
Can you provide the VyOS version, a full configuration before the commit, and the exact config lines which you entered to get this error message?
The firewall was rewritten lately a lot and may contain uncaught bugs. This info would help to find them.
Hi,
Version: 1.4-rolling-202308180646
Commands:
1845 2023-08-22T08:44:36+0000 configure
1846 2023-08-22T08:45:17+0000 set firewall ipv4 output filter rule 10 outbound-interface interface-name eth0
1847 2023-08-22T08:45:29+0000 set firewall ipv4 output filter rule 10 source group network-group RFC1918
1848 2023-08-22T08:45:38+0000 set firewall ipv4 output filter rule 10 action accept
1849 2023-08-22T08:45:59+0000 set firewall ipv4 output filter default-action accept
1850 2023-08-22T08:46:01+0000 commit
1851 2023-08-22T08:48:08+0000 show firewall ipv4 input filter
1852 2023-08-22T08:48:18+0000 set firewall ipv4 input filter default-action drop
1853 2023-08-22T08:48:41+0000 set firewall ipv4 input filter rule 999999 action accept
1854 2023-08-22T08:48:55+0000 set firewall ipv4 input filter rule 999999 state established enable
1855 2023-08-22T08:49:00+0000 set firewall ipv4 input filter rule 999999 state related enable
1856 2023-08-22T08:49:32+0000 set firewall ipv4 input filter rule 999998 action accept
1857 2023-08-22T08:49:50+0000 set firewall ipv4 input filter rule 999999 inbound-interface interface-name eth0
1858 2023-08-22T08:50:13+0000 set firewall ipv4 input filter rule 999998 icmp type-name echo-request
1859 2023-08-22T08:50:21+0000 set firewall ipv4 input filter rule 999998 protocol icmp
1860 2023-08-22T08:50:30+0000 set firewall ipv4 input filter rule 999998 state new enable
1861 2023-08-22T08:50:42+0000 show firewall ipv4
1862 2023-08-22T08:50:58+0000 set firewall ipv4 input filter rule 999998 inbound-interface interface-group eth0
1863 2023-08-22T08:51:00+0000 commit
Configuration before:
firewall {
    group {
        network-group RFC1918 {
            network 192.168.0.0/16
            network 10.0.0.0/8
            network 172.16.0.0/16
        }
    }
}
interfaces {
    ethernet eth0 {
        address 181.215.32.123/27
        address 2a06:8184:1:13::a/64
        hw-id 00:21:f6:8c:5b:f7
    }
    ethernet eth1 {
        address 172.16.55.14/24
        address 2a13:df80:800::1/48
        mtu 1460
    }
    loopback lo {
    }
}
nat {
    source {
        rule 10 {
            outbound-interface eth0
            source {
                group {
                    network-group RFC1918
                }
            }
            translation {
                address masquerade
            }
        }
    }
}
policy {
    prefix-list6 AS198075-OUT {
        rule 10 {
            action permit
            prefix 2a13:df80:800::/38
        }
    }
}
protocols {
    bgp {
        address-family {
            ipv6-unicast {
                redistribute {
                    connected {
                    }
                    kernel {
                    }
                }
            }
        }
        neighbor 2a06:8181:1::2 {
            address-family {
                ipv6-unicast {
                }
            }
            ebgp-multihop 2
            remote-as 48605
            solo
        }
        system-as 198075
    }
    static {
        route 0.0.0.0/0 {
            next-hop 181.215.32.97 {
            }
        }
        route6 ::/0 {
            next-hop 2a06:8181:1::1 {
            }
        }
        route6 2a06:8181::/32 {
            interface eth0 {
            }
        }
        route6 2a06:8184::/32 {
            interface eth0 {
            }
        }
        route6 2a13:df80:800::/38 {
            next-hop ::1 {
            }
        }
    }
}
service {
    ntp {
        allow-client {
            address 0.0.0.0/0
            address ::/0
        }
        server time1.vyos.net {
        }
        server time2.vyos.net {
        }
        server time3.vyos.net {
        }
    }
}
system {
    config-management {
        commit-revisions 100
    }
    conntrack {
        modules {
            ftp
            h323
            nfs
            pptp
            sip
            sqlnet
            tftp
        }
    }
    console {
        device ttyS0 {
            speed 115200
        }
    }
    host-name vyos
    name-server 8.8.8.8
    name-server 8.8.4.4
    syslog {
        global {
            facility all {
                level info
            }
            facility local7 {
                level debug
            }
        }
    }
}
zsdc
August 23, 2023, 1:29pm
Thanks! It was useful.
This is the bug with missed validation - the config is not valid because an interface-group eth0 does not exist. To mitigate the problem before we issue the fix, please create it in advance:
set firewall group interface-group eth0 interface eth0
For the reference / bug report. To reproduce the problem:
set firewall ipv4 name FW1 rule 10 inbound-interface interface-group IG1
set firewall ipv4 name FW1 rule 10 action accept
commit
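A small checker for the condition this reply describes, added here as an illustration and not VyOS code: it scans `set firewall` commands, collects the groups defined under `firewall group`, and reports rule references to groups that were never defined, which is what surfaced as the missing `@I_eth0` nftables set at commit time. The command list and the group-kind list are constructed from this thread.

```python
import re

# Group kinds a firewall rule can reference (assumed list for this example).
GROUP_KINDS = r"(interface-group|network-group|address-group|port-group)"
DEFINITION_RE = re.compile(r"^set firewall group " + GROUP_KINDS + r" (\S+)")
REFERENCE_RE = re.compile(r"\b" + GROUP_KINDS + r" (\S+)$")


def collect_group_definitions(commands):
    """Return the set of (kind, name) pairs defined under 'set firewall group'."""
    defined = set()
    for cmd in commands:
        m = DEFINITION_RE.match(cmd)
        if m:
            defined.add((m.group(1), m.group(2)))
    return defined


def collect_group_references(commands):
    """Return (command, kind, name) for every rule line that names a group."""
    refs = []
    for cmd in commands:
        if not cmd.startswith("set firewall ") or DEFINITION_RE.match(cmd):
            continue  # only rule lines, not the group definitions themselves
        m = REFERENCE_RE.search(cmd)
        if m:
            refs.append((cmd, m.group(1), m.group(2)))
    return refs


def find_dangling_group_refs(commands):
    """Rule references to groups with no definition; in the thread such a
    reference became a missing nftables set (@I_eth0 for interface-group eth0)."""
    defined = collect_group_definitions(commands)
    return [ref for ref in collect_group_references(commands)
            if (ref[1], ref[2]) not in defined]


# Constructed sample: commands from this thread, without the mitigation line.
THREAD_COMMANDS = [
    "set firewall group network-group RFC1918 network 10.0.0.0/8",
    "set firewall ipv4 output filter rule 10 source group network-group RFC1918",
    "set firewall ipv4 input filter rule 999998 protocol icmp",
    "set firewall ipv4 input filter rule 999998 inbound-interface interface-group eth0",
]
MITIGATION = "set firewall group interface-group eth0 interface eth0"

if __name__ == "__main__":
    for cmd, kind, name in find_dangling_group_refs(THREAD_COMMANDS):
        print(f"undefined {kind} '{name}' referenced by: {cmd}")
    print("after mitigation:", find_dangling_group_refs(THREAD_COMMANDS + [MITIGATION]))
```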
Ahh, I see, thank you. In fact I didn't even spot that I had entered interface-group rather than interface-name.
Glad it's nothing too complex.