Zone default action is drop; help adding log to default action

Version: VyOS 1.4-rolling-202204122016
Release train: sagitta
Built by: autobuild@vyos.net
Build UUID: 8f421307-0d16-4724-84a8-5a7d8cf8d7f3
Build commit ID: 3f39a47863426c

Hello,

Looking for suggestions on how to implement a ‘default-log and drop’ rule for zones added to this firewall. I have been examining changing the firewall templates, and also considering using the vyos-postconfig-bootup.script. Any suggestions on how to go about this?

Thank you for any feedback!

Scenario/reason: Have at least 10 zones to configure in vyos. I would like to avoid having to create rule-sets for every zone-to-zone combination, due to large # of zones. For zone combinations not needed, the zone’s default-drop does not log.

See example from nftables: I have a ruleset applied for packets from Core to Infrastructure; packets coming from other zones (i.e. Front) destined for Infrastructure will be dropped, but not logged.

---- Here are some configuration snips for visual ----

set firewall name Core_to_Infrastructure enable-default-log
set firewall name Core_to_Infrastructure default-action 'drop'

set zone-policy zone Infrastructure default-action 'drop'
set zone-policy zone Infrastructure from CORE firewall name 'Core_to_Infrastructure'
set zone-policy zone Infrastructure interface 'eth2.400'
set zone-policy zone Infrastructure intra-zone-filtering action 'drop'

set zone-policy zone CORE default-action 'drop'
set zone-policy zone CORE interface 'eth1'
set zone-policy zone CORE interface 'eth2.200'

set zone-policy zone Front default-action 'drop'
set zone-policy zone Front interface 'eth2.500'

---- nftables ----

chain NAME_Core_to_Infrastructure {
counter packets 0 bytes 0 log prefix "[Core_to_Infrastruct-default-D] " drop comment "Core_to_Infrastructure default-action drop"
}
chain VZONE_Infrastructure {
iifname { "eth2.400" } counter packets 0 bytes 0 drop
iifname { "eth2.400" } counter packets 0 bytes 0 return
iifname { "eth1", "eth2.200" } counter packets 0 bytes 0 jump NAME_Core_to_Infrastructure
iifname { "eth1", "eth2.200" } counter packets 0 bytes 0 return
counter packets 0 bytes 0 drop <-------------- "suggestions on how to make this log by default?"
}

Can you make a feature request on https://phabricator.vyos.net? Doesn’t look like it would be much work to implement an enable-default-log on zones.


Thanks! Will do so.
For now I modified the template file /usr/share/vyos/templates/zone_policy/nftables.tmpl
Changed 'counter {{ zone_conf.default_action }}' to 'counter log prefix "[{{ zone_name }}-default-D] " drop'.
That does the trick for my scenario where I always want the default-drop; but I’m guessing any updates could change the template file.
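One way to verify, after a template edit like the one above (or after an upgrade overwrites it), which zones still drop silently, as an added example that is not part of this thread or of VyOS: it parses output in the shape of `nft list ruleset`, here a constructed sample with one logging zone chain and one silent one, and reports every VZONE_* chain whose default rule drops without a log statement.

```python
import re

# Constructed sample in the shape of `nft list ruleset` on the poster's box:
# VZONE_Infrastructure logs before its default drop (template changed),
# VZONE_Front still drops without logging (stock template).
SAMPLE_RULESET = """\
table ip filter {
	chain NAME_Core_to_Infrastructure {
		counter packets 0 bytes 0 log prefix "[Core_to_Infrastruct-default-D] " drop comment "Core_to_Infrastructure default-action drop"
	}
	chain VZONE_Infrastructure {
		iifname { "eth2.400" } counter packets 0 bytes 0 drop
		iifname { "eth2.400" } counter packets 0 bytes 0 return
		iifname { "eth1", "eth2.200" } counter packets 0 bytes 0 jump NAME_Core_to_Infrastructure
		iifname { "eth1", "eth2.200" } counter packets 0 bytes 0 return
		counter packets 0 bytes 0 log prefix "[Infrastructure-default-D] " drop
	}
	chain VZONE_Front {
		iifname { "eth2.500" } counter packets 0 bytes 0 drop
		iifname { "eth2.500" } counter packets 0 bytes 0 return
		counter packets 0 bytes 0 drop
	}
}
"""

# Each zone chain: its name and the lines between its braces.
CHAIN_RE = re.compile(r"chain (VZONE_\S+) \{\n(.*?)\n\s*\}", re.S)


def zone_chains(ruleset):
    """Map each VZONE_* chain name to its list of rule lines."""
    chains = {}
    for name, body in CHAIN_RE.findall(ruleset):
        chains[name] = [ln.strip() for ln in body.splitlines() if ln.strip()]
    return chains


def silent_drop_zones(ruleset):
    """Return zone names whose default (last, unmatched) rule drops without logging."""
    silent = []
    for name, rules in zone_chains(ruleset).items():
        last = rules[-1] if rules else ""
        # The zone default is the only rule with no iifname match in front of it.
        is_default = not last.startswith("iifname")
        drops = re.search(r"\bdrop\b", last) is not None
        if is_default and drops and "log prefix" not in last:
            silent.append(name[len("VZONE_"):])
    return silent


if __name__ == "__main__":
    print("zones dropping without a log rule:", silent_drop_zones(SAMPLE_RULESET))
```

On a live box, feed it the real output with `nft list ruleset` piped into the script in place of the constructed sample.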