Zone-based firewall, probably a bug?

Hello there!

I have very weird issues. In my configuration I am using zone-based firewalling. As you may know, to make it happen I need an ACL for each zone.

When I've created an ACL:

   # show firewall name LOCAL-WAN
 description LOCAL_to_WAN
 rule 100 {
     action accept
     description "default rule"
     log disable
     protocol all
 }

When I check, nothing is in there…

$ show firewall summary 

------------------------
Firewall Global Settings
------------------------

------------------------
Firewall Rulesets
------------------------

IPv4 name:

  Rule-set name             Description    References
  -------------             -----------    ----------

------------------------
Firewall Groups
------------------------

Port Groups:

  Group name                Description    References
  ----------                -----------    ----------
  DNS                                      none
  MS-RDP                                   none
  SSH                                      none
  NTP                                      none
  HTTP-HTTPS                               none

Address Groups:

  Group name                Description    References
  ----------                -----------    ----------
  TERMINAL-SRV01-10.60.2.1                 none

As a result, when I applied the ACL to the zone-based … I almost cut myself off from the management network.
Any ideas?

Many thanks for your help.

Those firewall rulesets don’t show up until you bind zones/interfaces to them.

You are absolutely wrong, I think this is 1000% a bug.
Just forget about zone-based.

I have added an ACL that didn't show up.

show firewall name WAN_to_LOCAL 

-----------------------------
Rulesets Information
-----------------------------

IPv4 Firewall "WAN_to_LOCAL":

 Inactive - Not applied to any interfaces or zones.

rule  action   proto     packets  bytes                                   
----  ------   -----     -------  -----                                   
100   accept   all       0        0                                       
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0                                   

10000 accept   all       0        0                                       
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0                                   



$ show firewall summary 

------------------------
Firewall Global Settings
------------------------

------------------------
Firewall Rulesets
------------------------

IPv4 name:

  Rule-set name             Description    References
  -------------             -----------    ----------
  REMOTEMGMT_to_WAN         UIPL-REMOTE-MGMT-10.xx.0/24 to WAN
  WAN_to_MONITORINGCUST     WAN to UIPL-MONITORING-CUST-10.xx.0/24
  WAN_to_REMOTEMGMT         WAN to UIPL-REMOTE-MGMT-1xx.0/24
  LOCAL_to_REMOTEMGMT       LOCAL to UIPL-REMOTE-MGMT-10.xx.0/24
  REMOTEMGMT_to_LOCAL       UIPL-REMOTE-MGMT-10.xx.0/24 to LOCAL

------------------------
Firewall Groups
------------------------

Port Groups:

  Group name                Description    References
  ----------                -----------    ----------
  DNS                                      none
  SSH                                      none
  HTTP-HTTPS                               none
  NTP                                      none
  MS-RDP                                   none

Address Groups:

  Group name                Description    References
  ----------                -----------    ----------
  TERMINAL-SRV01-10.60.2.1                 none

There is no rule WAN_to_LOCAL!!!

You aren’t understanding.

Created a rule named Test:

vyos@vyos# run show firewall name Test

-----------------------------
Rulesets Information
-----------------------------

IPv4 Firewall "Test":

 Inactive - Not applied to any interfaces or zones.

rule  action   proto     packets  bytes
----  ------   -----     -------  -----
100   accept   all       0        0
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

10000 drop     all       0        0
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

[edit]

As you stated, it doesn’t show up:

vyos@vyos# run  show firewall summary

------------------------
Firewall Global Settings
------------------------

------------------------
Firewall Rulesets
------------------------

IPv4 name:

  Rule-set name             Description    References
  -------------             -----------    ----------

------------------------
Firewall Groups
------------------------

Attach it to something:

vyos@vyos# set interfaces ethernet eth2 firewall in  name Test
[edit]
vyos@vyos# commit

It shows up:

vyos@vyos# run  show firewall summary

------------------------
Firewall Global Settings
------------------------

------------------------
Firewall Rulesets
------------------------

IPv4 name:

  Rule-set name             Description    References
  -------------             -----------    ----------
  Test                                     (eth2,IN)

------------------------
Firewall Groups
------------------------
[edit]

Unattached firewalls aren’t part of the currently applied firewall. So they don’t show up with that command.
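The practical lesson of the exchange above is that a ruleset which exists in the configuration but is not bound to an interface or zone is inactive and is either missing from `show firewall summary` or listed with an empty References column, which is easy to misread before a zone-policy commit. The script below is an added example, not VyOS code and not posted by anyone in this thread. It parses the two output formats shown in the thread (`show firewall summary` and `show firewall name <ruleset>`) from constructed sample text modelled on that output, and reports which configured rulesets are not bound anywhere. The regular expressions for the References column (`none` or one or more `(iface,DIRECTION)` groups at the end of the row) and for rule rows are assumptions drawn from the rows visible in this thread, not from VyOS documentation.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `show firewall summary` in the shape seen in this thread:
# one ruleset bound to eth2 inbound, one that exists but has no references.
SUMMARY_SAMPLE = """\
------------------------
Firewall Global Settings
------------------------

------------------------
Firewall Rulesets
------------------------

IPv4 name:

  Rule-set name             Description    References
  -------------             -----------    ----------
  Test                                     (eth2,IN)
  WAN_to_LOCAL              WAN to LOCAL

------------------------
Firewall Groups
------------------------

Port Groups:

  Group name                Description    References
  ----------                -----------    ----------
  SSH                                      none
"""

# Constructed sample of `show firewall name <ruleset>` for an unbound ruleset.
NAME_SAMPLE = """\
-----------------------------
Rulesets Information
-----------------------------

IPv4 Firewall "WAN_to_LOCAL":

 Inactive - Not applied to any interfaces or zones.

rule  action   proto     packets  bytes
----  ------   -----     -------  -----
100   accept   all       0        0
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0

10000 accept   all       0        0
  condition - saddr 0.0.0.0/0 daddr 0.0.0.0/0
"""

# Assumption: the References column is either "none" or a run of "(iface,DIR)"
# groups at the end of the row. Descriptions may contain spaces and can overrun
# the column boundary, so we anchor on the row's tail rather than on offsets.
REF_RE = re.compile(r"((?:\([^()]*\)[,\s]*)+|none)\s*$")
# Assumption: rule rows look like "<number> <action> <proto> <packets> <bytes>".
RULE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\d+)")
NAME_RE = re.compile(r'^IPv4 Firewall "([^"]+)":')


def parse_summary_rulesets(text: str) -> Dict[str, Optional[str]]:
    """Map each ruleset listed under 'Firewall Rulesets' to its References
    value, or None when that column is empty."""
    rulesets: Dict[str, Optional[str]] = {}
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "Firewall Rulesets":
            in_section = True
            continue
        if stripped == "Firewall Groups":
            break  # port/address groups are listed separately; stop here
        if not in_section or not stripped:
            continue
        # Skip dashed separators, the "IPv4 name:" label and the column header.
        if stripped.startswith("-") or stripped.endswith(":") or stripped.startswith("Rule-set name"):
            continue
        name = stripped.split()[0]  # ruleset names contain no whitespace
        m = REF_RE.search(stripped)
        rulesets[name] = m.group(1).strip().rstrip(",") if m else None
    return rulesets


def unbound_rulesets(summary_text: str, configured: List[str]) -> List[str]:
    """Return configured ruleset names that the summary does not show as bound:
    absent from the summary entirely, listed with no references, or 'none'."""
    refs = parse_summary_rulesets(summary_text)
    return sorted(n for n in configured if refs.get(n) in (None, "none"))


def parse_ruleset_detail(text: str) -> dict:
    """Extract name, the 'Inactive' flag and the rule rows from
    `show firewall name <ruleset>` output."""
    detail: dict = {"name": None, "inactive": False, "rules": []}
    for line in text.splitlines():
        m = NAME_RE.match(line)
        if m:
            detail["name"] = m.group(1)
            continue
        if line.strip().startswith("Inactive - Not applied"):
            detail["inactive"] = True
            continue
        m = RULE_RE.match(line)
        if m:
            detail["rules"].append((int(m.group(1)), m.group(2), m.group(3), int(m.group(4)), int(m.group(5))))
    return detail


if __name__ == "__main__":
    for name in unbound_rulesets(SUMMARY_SAMPLE, ["Test", "WAN_to_LOCAL"]):
        print(f"ruleset {name} is configured but not bound to any interface or zone")
    d = parse_ruleset_detail(NAME_SAMPLE)
    print(d["name"], "inactive" if d["inactive"] else "active", len(d["rules"]), "rules")
```

Feed it the real command output (for example via `run show firewall summary` captured to a file) together with the list of rulesets your zone-policy is about to reference; anything it reports as unbound is a ruleset that currently does nothing, which is the state the original poster saw just before nearly losing management access.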

Okie dokie mate,
I'm going to deploy the zone-based config…
