Can not specify multiple deny ports in FW rule
Closed, ResolvedPublicBUG
Actions

Assigned To

None

Authored By

	c-po
	Nov 29 2020, 9:56 AM

Description

[email protected]# set firewall ipv6-name WAN-TO-VLAN810-6 rule 1000 destination port
Possible completions:
   <port name>  Named port (any name in /etc/services, e.g., http)
   <1-65535>    Numbered port
   <start>-<end>
                Numbered port range (e.g., 1001-1005)


Detailed information:
  Multiple destination ports can be specified as a comma-separated list.
  The whole list can also be "negated" using '!'. For example:
    '!22,telnet,http,123,1001-1005'

[email protected]# set firewall ipv6-name WAN-TO-VLAN810-6 rule 1000 destination port "!22"
[edit]
[email protected]# set firewall ipv6-name WAN-TO-VLAN810-6 rule 1000 destination port "!22,!80"

  Value validation failed
  Set failed

Details

Difficulty level: Unknown (require assessment)
Version: 1.2.6
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)

Event Timeline

c-po created this task.Nov 29 2020, 9:56 AM

c-po added a project: VyOS 1.2 Crux (VyOS 1.2.7).

pasik added a subscriber: pasik.Nov 29 2020, 10:39 AM

@c-po It's mean all NOT ports. If you want to drop not 22,23,24,25

set firewall ipv6-name FOO rule 1000 action 'drop'
set firewall ipv6-name FOO rule 1000 destination port '!22,23,24,25'
set firewall ipv6-name FOO rule 1000 protocol 'tcp'

-A FOO -p tcp -m multiport ! --dports 22,23,24,25 -m comment --comment FOO-1000 -j DROP

Ah, thanks for the clarification.

c-po closed this task as Resolved.Dec 1 2020, 2:29 PM

c-po moved this task from Needs Triage to Finished on the VyOS 1.2 Crux (VyOS 1.2.7) board.Jan 2 2021, 12:02 PM

dmbaturin removed a project: VyOS 1.3 Equuleus.Sep 10 2021, 2:39 PM

Can not specify multiple deny ports in FW ruleClosed, ResolvedPublicBUGActions

Description

Details

Event Timeline

Can not specify multiple deny ports in FW rule
Closed, ResolvedPublicBUG
Actions