What am I missing? Simple firewall config

Hello.
I’m coming back to VyOS after not needing to use something like it for the last couple of years. There seem to be a lot of new and interesting features that we didn’t have in 1.3, which is what I would have been familiar with.
The biggest change for me is the new way of using groups in the firewall config. I originally came from a Juniper config which used zone-based firewalls, and I could recreate that in VyOS 1.3. However, it’s likely time I learned something new, so I’m trying to adjust my thinking around the firewall to use the current process.
So I need a sanity check. I’m using the current stream version and trying to follow the guide here.
https://docs.vyos.io/en/latest/quick-start.html

If I read this right, SSH should be allowed from internal and also from the internet side. However, with the example from the article put in place, I can’t access the router from either inside or the internet.
Is there a problem with the example, or am I actually missing something?

Can you post the configuration you are running?

Sure, this is the firewall config.

[edit]
vyos@vyos# show firewall
 global-options {
     all-ping enable
     state-policy {
         established {
             action accept
         }
         invalid {
             action drop
         }
         related {
             action accept
         }
     }
 }
 group {
     interface-group internal {
         interface eth1
     }
     interface-group internet {
         interface eth0
     }
     network-group servers {
         network 10.x.x.x/23
     }
 }
 ipv4 {
     forward {
         filter {
             rule 100 {
                 action jump
                 destination {
                     group {
                         network-group servers
                     }
                 }
                 inbound-interface {
                     group internet
                 }
                 jump-target internet-servers
             }
         }
     }
     input {
         filter {
             default-action drop
             rule 20 {
                 action jump
                 destination {
                     port 22,2222
                 }
                 jump-target router-managemant
                 protocol tcp
             }
             rule 50 {
                 action accept
                 source {
                     address 127.0.0.0/8
                 }
             }
         }
     }
     name internet-servers {
         default-action drop
     }
     name router-managemant {
         default-action return
         rule 15 {
             action accept
             inbound-interface {
                 group internal
             }
         }
         rule 20 {
             action drop
             inbound-interface {
                 group internet
             }
             recent {
                 count 4
                 time minute
             }
             state new
         }
         rule 21 {
             action accept
             inbound-interface {
                 group internet
             }
             state new
         }
     }
 }

Can’t spot anything obviously wrong. Did you run set service ssh port '22' to start the SSH service?

Yes, SSH is running, although on port 2222, which is why it’s listed in the firewall config.
I was able to use SSH until I applied the firewall settings, so I’m pretty sure it’s the firewall.

Which version are you using?

vyos@vyos# run show version
Version:          VyOS 1.5-stream-2025-Q1
Release train:    circinus
Release flavor:   generic

Built by:         VyOS Networks Iberia S.L.U.
Built on:         Thu 13 Feb 2025 18:06 UTC
Build UUID:       b38b28e0-a516-4f56-a596-5502ae094d3b
Build commit ID:  5128f5e45cdb73-dirty

Architecture:     x86_64
Boot via:         installed image
System type:      KVM guest

Hardware vendor:  QEMU
Hardware model:   Standard PC (i440FX + PIIX, 1996)
Hardware S/N:
Hardware UUID:    4eb4404e-3f85-4685-9198-888a0d1ece74

Copyright:        VyOS maintainers and contributors

That’s what I was thinking. There’s a bug in there. Delete the ‘invalid’ entry out of the global policies and you should be good.

More info:

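To make this diagnosis repeatable across several routers, here is an added example (my own code, not VyOS tooling and not anything posted in this thread) that parses a “show firewall” dump like the one posted earlier and reports the two things the thread turns on: the global-options state-policy invalid entry that the reply above says to delete, and any ipv4 input filter rule that jumps into a named chain whose default-action is return, which sends unmatched packets back to the input chain’s own default-action drop. The config embedded in it is constructed for the example, shortened from the posted one. The thread does not say what the invalid policy breaks internally, and the code makes no claim about that; it only finds the setting and prints the delete command, whose path follows the global-options > state-policy > invalid nesting visible in the dump.

```python
"""Lint a VyOS 1.4/1.5 'show firewall' dump for the settings discussed in this thread.

Added example, not VyOS's own code. The sample config is constructed for the
example and mirrors the structure of the one posted in the thread.
"""
import copy

SAMPLE_CONFIG = """\
 global-options {
     state-policy {
         established {
             action accept
         }
         invalid {
             action drop
         }
         related {
             action accept
         }
     }
 }
 ipv4 {
     input {
         filter {
             default-action drop
             rule 20 {
                 action jump
                 destination {
                     port 22,2222
                 }
                 jump-target router-managemant
                 protocol tcp
             }
         }
     }
     name router-managemant {
         default-action return
     }
 }
"""


def parse_vyos_config(text):
    """Parse brace-delimited 'show' output into nested dicts.

    'rule 20 {' becomes cfg['rule']['20'] = {...}; 'port 22,2222' becomes the
    leaf cfg['port'] = '22,2222'. Repeated leaf keys are collected into a list.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        if line.endswith("{"):
            node = stack[-1]
            for token in line[:-1].split():  # each token opens one nesting level
                node = node.setdefault(token, {})
            stack.append(node)
            continue
        key, _, value = line.partition(" ")
        node = stack[-1]
        existing = node.get(key)
        if existing is None:
            node[key] = value
        elif isinstance(existing, list):
            existing.append(value)
        else:
            node[key] = [existing, value]
    if len(stack) != 1:
        raise ValueError("unbalanced braces in config dump")
    return root


def global_invalid_policy(cfg):
    """Action configured under global-options state-policy invalid, or None if absent."""
    return (cfg.get("global-options", {}).get("state-policy", {})
               .get("invalid", {}).get("action"))


def without_global_invalid(cfg):
    """Copy of cfg with the entry removed, i.e. the effect of the delete command."""
    fixed = copy.deepcopy(cfg)
    fixed.get("global-options", {}).get("state-policy", {}).pop("invalid", None)
    return fixed


def input_jumps(cfg):
    """Describe each ipv4 input filter rule that jumps into a named chain."""
    ipv4 = cfg.get("ipv4", {})
    rules = ipv4.get("input", {}).get("filter", {}).get("rule", {})
    chains = ipv4.get("name", {})
    found = []
    for number in sorted(rules, key=int):
        rule = rules[number]
        if rule.get("action") != "jump":
            continue
        target = rule.get("jump-target")
        ports = rule.get("destination", {}).get("port", "")
        found.append({
            "rule": number,
            "target": target,
            "protocol": rule.get("protocol"),
            "dports": ports.split(",") if ports else [],
            "target_default": chains.get(target, {}).get("default-action"),
        })
    return found


def lint(cfg):
    """Human-readable findings for the issues this thread touches on."""
    findings = []
    action = global_invalid_policy(cfg)
    if action is not None:
        findings.append(
            f"global-options state-policy invalid action {action} is set; "
            "the fix given in the thread is: delete firewall global-options state-policy invalid")
    input_default = cfg.get("ipv4", {}).get("input", {}).get("filter", {}).get("default-action")
    for jump in input_jumps(cfg):
        msg = (f"input rule {jump['rule']} jumps to {jump['target']} for "
               f"{jump['protocol']} dports {','.join(jump['dports'])}")
        if jump["target_default"] == "return":
            msg += (f"; target default-action return sends unmatched packets "
                    f"back to input default-action {input_default}")
        findings.append(msg)
    return findings


if __name__ == "__main__":
    for finding in lint(parse_vyos_config(SAMPLE_CONFIG)):
        print("-", finding)
```

Paste a real “show firewall” dump in place of SAMPLE_CONFIG (drop the “[edit]” and prompt lines first) and run it with python3. After applying the delete command on the router, commit and save as usual; re-running the linter on the new dump should no longer report the global invalid policy, which is what without_global_invalid simulates offline.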

Wow! That’s obscure; I’m not sure I’d ever have found that.
