The firewall does not filter incoming traffic on the interface with vrf.
Closed, InvalidPublic
Actions

Assigned To

None

Authored By

	RyVolodya
	Oct 22 2021, 2:10 PM

Description

Incoming traffic is not filtered firewall on the eth0 interface if vrf is used. This example does not block ssh access to the router. Configuration:

set firewall all-ping 'enable'
set firewall broadcast-ping 'disable'
set firewall config-trap 'disable'
set firewall group address-group MGT-IP address '192.168.122.220'
set firewall ipv6-receive-redirects 'disable'
set firewall ipv6-src-route 'disable'
set firewall ip-src-route 'disable'
set firewall log-martians 'enable'
set firewall name MGT-LOCAL default-action 'drop'
set firewall name MGT-LOCAL description 'MGT-LOCAL'
set firewall name MGT-LOCAL rule 910 action 'accept'
set firewall name MGT-LOCAL rule 910 description 'Allow SSH Login'
set firewall name MGT-LOCAL rule 910 destination port '22'
set firewall name MGT-LOCAL rule 910 log 'enable'
set firewall name MGT-LOCAL rule 910 protocol 'tcp'
set firewall name MGT-LOCAL rule 910 source group address-group 'MGT-IP'
set firewall name MGT-LOCAL rule 910 state established 'enable'
set firewall name MGT-LOCAL rule 910 state new 'enable'
set firewall name MGT-LOCAL rule 910 state related 'enable'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'
set interfaces ethernet eth0 address '192.168.122.100/24'
set interfaces ethernet eth0 firewall local name 'MGT-LOCAL'
set interfaces ethernet eth0 vrf 'MGT'
set service ssh listen-address '192.168.122.100'
set service ssh port '22'
set service ssh vrf 'MGT'
set vrf name MGT table '200'

The problem is that vrf changes the name of the interface "eth0" to "MGT" and the rule does not filtering incoming packets:

trace id ce7870ee ip filter VYATTA_FW_LOCAL_HOOK packet: iif "MGT" ether saddr 0c:50:ab:54:00:00 ether daddr 0c:33:f8:61:00:00 ip saddr 192.168.122.220 ip daddr 192.168.122.100 ip dscp cs0 ip ecn not-ect ip ttl 128 ip id 10429 ip length 52 tcp sport 49263 tcp dport 22 tcp flags == syn tcp window 8192

If you change the configuration:

set interfaces ethernet eth0 firewall in name 'MGT-LOCAL'

The firewall rule does not filter incoming traffic. The input interface "eth0" still name "MGT":

trace id db39c263 ip filter VYATTA_FW_IN_HOOK packet: iif "MGT" oif "eth1" ether saddr 0c:50:ab:54:00:00 ether daddr 0c:33:f8:61:00:00 ip saddr 192.168.122.220 ip daddr 192.168.123.2 ip dscp cs0 ip ecn not-ect ip ttl 127 ip id 17604 ip length 52 tcp sport 49274 tcp dport 22 tcp flags == syn tcp window 8192

Details

Difficulty level: Unknown (require assessment)
Version: VyOS 1.3.0-epa2 and VyOS 1.4-rolling-202110220645
Why the issue appeared?: Will be filled on close
Is it a breaking change?: Unspecified (possibly destroys the router)
Issue type: Bug (incorrect behavior)

Event Timeline

RyVolodya created this task.Oct 22 2021, 2:10 PM

RyVolodya created this object in space S1 VyOS Public.

RyVolodya updated the task description. (Show Details)Oct 22 2021, 2:33 PM

RyVolodya closed this task as Invalid.Oct 23 2021, 6:17 AM

c-po moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.Nov 5 2021, 8:24 PM

pasik added a subscriber: pasik.Nov 5 2021, 9:10 PM

The firewall does not filter incoming traffic on the interface with vrf.Closed, InvalidPublicActions

Description

Details

Event Timeline

The firewall does not filter incoming traffic on the interface with vrf.
Closed, InvalidPublic
Actions