Page MenuHomeVyOS Platform
Create Task
Maniphest T4133

Firewall network group error with zone-based firewall rules
Closed, ResolvedPublicBUG
Actions

Description

Error while creating firewall network group:

vyos@R01# set firewall group network-group NG network 198.51.100.0/24
[edit]
vyos@R01# commit
[ firewall ]
Failed to apply firewall

[[firewall]] failed
Commit failed
[edit]
vyos@R01# run show ver

Version:          VyOS 1.4-rolling-202201020317
Release train:    sagitta

Details

Difficulty level
Unknown (require assessment)
Version
VyOS 1.4-rolling-202201020317
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Bug (incorrect behavior)

Event Timeline

n.fort created this task.Jan 3 2022, 7:08 PM
c-po assigned this task to sarthurdev.Jan 3 2022, 7:39 PM
Viacheslav added a subscriber: Viacheslav.Jan 3 2022, 7:46 PM

To reproduce it should be zone-policy firewall rules, for example:

set zone-policy zone WAN interface eth0
set zone-policy zone LAN interface eth2
set zone-policy zone DMZ interface eth1
set zone-policy zone LOCAL local-zone

set zone-policy zone WAN default-action reject
set zone-policy zone WAN from LAN firewall name LAN-to-WAN
set zone-policy zone WAN from DMZ firewall name DMZ-to-WAN
set zone-policy zone WAN from LOCAL firewall name LOCAL-to-WAN

set zone-policy zone LAN default-action reject
set zone-policy zone LAN from WAN firewall name WAN-to-LAN
set zone-policy zone LAN from DMZ firewall name DMZ-to-LAN
set zone-policy zone LAN from LOCAL firewall name LOCAL-to-LAN

set zone-policy zone DMZ default-action reject
set zone-policy zone DMZ from WAN firewall name WAN-to-DMZ
set zone-policy zone DMZ from LAN firewall name LAN-to-DMZ
set zone-policy zone DMZ from LOCAL firewall name LOCAL-to-DMZ

set zone-policy zone LOCAL default-action reject
set zone-policy zone LOCAL from WAN firewall name WAN-to-LOCAL
set zone-policy zone LOCAL from LAN firewall name LAN-to-LOCAL
set zone-policy zone LOCAL from DMZ firewall name DMZ-to-LOCAL

set firewall name LAN-to-WAN default-action reject
set firewall name DMZ-to-WAN default-action reject
set firewall name LOCAL-to-WAN default-action accept
set firewall name WAN-to-LAN default-action reject
set firewall name DMZ-to-LAN default-action reject
set firewall name LOCAL-to-LAN default-action accept
set firewall name WAN-to-DMZ default-action reject
set firewall name LAN-to-DMZ default-action reject
set firewall name LOCAL-to-DMZ default-action accept
set firewall name WAN-to-LOCAL default-action reject
set firewall name LAN-to-LOCAL default-action reject
set firewall name DMZ-to-LOCAL default-action reject


set firewall name LAN-to-WAN default-action reject
set firewall name LAN-to-WAN rule 10 action accept
set firewall name LAN-to-WAN rule 10 state established 'enable'
set firewall name LAN-to-WAN rule 10 state related 'enable'

set firewall name DMZ-to-WAN default-action reject
set firewall name DMZ-to-WAN rule 10 action accept
set firewall name DMZ-to-WAN rule 10 state established 'enable'
set firewall name DMZ-to-WAN rule 10 state related 'enable'

set firewall name WAN-to-LAN default-action reject
set firewall name WAN-to-LAN rule 10 action accept
set firewall name WAN-to-LAN rule 10 state established 'enable'
set firewall name WAN-to-LAN rule 10 state related 'enable'

set firewall name DMZ-to-LAN default-action reject
set firewall name DMZ-to-LAN rule 10 action accept
set firewall name DMZ-to-LAN rule 10 state established 'enable'
set firewall name DMZ-to-LAN rule 10 state related 'enable'


set firewall name WAN-to-DMZ default-action reject
set firewall name WAN-to-DMZ rule 10 action accept
set firewall name WAN-to-DMZ rule 10 state established 'enable'
set firewall name WAN-to-DMZ rule 10 state related 'enable'

set firewall name LAN-to-DMZ default-action reject
set firewall name LAN-to-DMZ rule 10 action accept
set firewall name LAN-to-DMZ rule 10 state established 'enable'
set firewall name LAN-to-DMZ rule 10 state related 'enable'

set firewall name WAN-to-LOCAL default-action reject
set firewall name WAN-to-LOCAL rule 10 action accept
set firewall name WAN-to-LOCAL rule 10 state established 'enable'
set firewall name WAN-to-LOCAL rule 10 state related 'enable'

set firewall name LAN-to-LOCAL default-action reject
set firewall name LAN-to-LOCAL rule 10 action accept
set firewall name LAN-to-LOCAL rule 10 state established 'enable'
set firewall name LAN-to-LOCAL rule 10 state related 'enable'

set firewall name DMZ-to-LOCAL default-action reject
set firewall name DMZ-to-LOCAL rule 10 action accept
set firewall name DMZ-to-LOCAL rule 10 state established 'enable'
set firewall name DMZ-to-LOCAL rule 10 state related 'enable'

After this trying to add or delete any group:

vyos@r11-roll# set firewall group port-group FFFF port 25-30
[edit]
vyos@r11-roll# commit
[ firewall ]
Failed to apply firewall

[[firewall]] failed
Commit failed
[edit]
vyos@r11-roll#
Viacheslav renamed this task from Firewall network group error to Firewall network group error with zone-based firewall rules.Jan 3 2022, 7:47 PM
pasik added a subscriber: pasik.Jan 4 2022, 8:05 AM
sarthurdev changed the task status from Open to In progress.Jan 5 2022, 2:07 PM
sarthurdev changed the task status from In progress to Needs testing.Jan 5 2022, 5:10 PM

PR: https://github.com/vyos/vyos-1x/pull/1139

sarthurdev moved this task from Need Triage to In Progress on the VyOS 1.4 Sagitta board.Jan 6 2022, 5:27 PM
n.fort added a comment.Jan 21 2022, 6:35 PM

Seems solved, Not reproducible on VyOS 1.4-rolling-202201180317

n.fort closed this task as Resolved.Jan 21 2022, 6:35 PM