To reproduce:
set firewall name FOO default-action 'reject'
set firewall name FOO rule 10 action 'accept'
set firewall name FOO rule 10 state established 'enable'
set firewall name FOO rule 10 state related 'enable'
set firewall name FOO rule 20 action 'accept'
set firewall name FOO rule 20 protocol 'icmp'
set firewall name FOO rule 20 state new 'enable'
set firewall name FOO rule 30 action 'reject'
set firewall name FOO rule 30 destination port '22'
set firewall name FOO rule 30 protocol 'tcp'
set firewall name FOO rule 30 recent count '4'
set firewall name FOO rule 30 recent time '60'
set firewall name FOO rule 40 action 'accept'
set firewall name FOO rule 40 destination port '22'
set firewall name FOO rule 40 protocol 'tcp'
set firewall name FOO rule 40 state new 'enable'
set interfaces ethernet eth0 firewall local name 'FOO'
Generated rules:
chain FOO {
  ct state { 0x2, 0x4 } counter packets 580 bytes 45488 return comment "FOO-10"
  ct state { 0x8 } meta l4proto 1 counter packets 0 bytes 0 return comment "FOO-20"
  tcp dport { 22 } counter packets 9 bytes 540 reject comment "FOO-30"
  ct state { 0x8 } tcp dport { 22 } counter packets 0 bytes 0 return comment "FOO-40"
  counter packets 5 bytes 300 reject comment "FOO default-action reject"
}
Unable to SSH; rule 30 rejects every connection because the `recent` condition is missing from the generated rule:
$ telnet 192.168.122.11 22
Trying 192.168.122.11...
telnet: Unable to connect to remote host: Connection refused
Expected rules:
chain FOO {
  ct state related,established counter packets 464 bytes 30601 return comment "FOO-10"
  meta l4proto icmp ct state new counter packets 0 bytes 0 return comment "FOO-20"
  meta l4proto tcp tcp dport 22 # recent: UPDATE seconds: 60 hit_count: 4 name: FOO-30 side: source mask: 255.255.255.255 counter packets 0 bytes 0 reject comment "FOO-30"
  meta l4proto tcp tcp dport 22 # recent: SET name: FOO-30 side: source mask: 255.255.255.255 counter packets 1 bytes 60 comment "FOO-30"
  meta l4proto tcp ct state new tcp dport 22 counter packets 1 bytes 60 return comment "FOO-40"
  counter packets 0 bytes 0 reject comment "FOO-10000 default-action reject"
}
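The difference between the generated and the expected chain is that rule 30's `recent count 4` / `recent time 60` options are silently dropped, so the rule becomes an unconditional reject on port 22 that shadows rule 40. The following script is an added regression check for this report (it is not VyOS code): it parses the `set` commands and the generated nft chain pasted above and flags every rule that was configured with `recent` but rendered without any rate-limiting condition. The helper names (`parse_set_commands`, `parse_nft_chain`, `find_dropped_recent`) and the list of rate-limit markers are this example's own assumptions.

```python
"""Consistency check between VyOS `set firewall` configuration and the nft
chain it generates: a rule configured with `recent count`/`recent time` must
be rendered with some per-source rate limit, otherwise it matches every
packet and shadows later rules for the same port.

Added example for this bug report, not VyOS code.  The config and chain are
the ones pasted in the report; helper names and RATE_LIMIT_MARKERS are
assumptions of this example.
"""
import re
import shlex

# Reproduction configuration from the report, one command per line.
SET_COMMANDS = """
set firewall name FOO default-action 'reject'
set firewall name FOO rule 10 action 'accept'
set firewall name FOO rule 10 state established 'enable'
set firewall name FOO rule 10 state related 'enable'
set firewall name FOO rule 20 action 'accept'
set firewall name FOO rule 20 protocol 'icmp'
set firewall name FOO rule 20 state new 'enable'
set firewall name FOO rule 30 action 'reject'
set firewall name FOO rule 30 destination port '22'
set firewall name FOO rule 30 protocol 'tcp'
set firewall name FOO rule 30 recent count '4'
set firewall name FOO rule 30 recent time '60'
set firewall name FOO rule 40 action 'accept'
set firewall name FOO rule 40 destination port '22'
set firewall name FOO rule 40 protocol 'tcp'
set firewall name FOO rule 40 state new 'enable'
set interfaces ethernet eth0 firewall local name 'FOO'
"""

# Generated chain from the report, one nft rule per line.
NFT_CHAIN = """
chain FOO {
  ct state { 0x2, 0x4 } counter packets 580 bytes 45488 return comment "FOO-10"
  ct state { 0x8 } meta l4proto 1 counter packets 0 bytes 0 return comment "FOO-20"
  tcp dport { 22 } counter packets 9 bytes 540 reject comment "FOO-30"
  ct state { 0x8 } tcp dport { 22 } counter packets 0 bytes 0 return comment "FOO-40"
  counter packets 5 bytes 300 reject comment "FOO default-action reject"
}
"""

# <match expression> counter packets N bytes M <verdict> comment "<name>"
NFT_RULE_RE = re.compile(
    r'^(?P<match>.*?)\s*counter packets \d+ bytes \d+\s+(?P<verdict>\w+)'
    r'\s+comment "(?P<name>[^"]+)"$'
)

# Substrings that would show a rendered rule still carries a per-source rate
# limit (nft dynamic sets/meters, or iptables' recent match).  Assumed set.
RATE_LIMIT_MARKERS = ("limit rate", "meter", "add @", "update @", "recent")


def parse_set_commands(text):
    """Map firewall name -> {"default-action": ..., "rules": {num: {option: value}}}."""
    firewalls = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)           # strips the quotes around values
        if tok[:3] != ["set", "firewall", "name"]:
            continue                      # interface binding is irrelevant here
        fw = firewalls.setdefault(tok[3], {"rules": {}})
        if tok[4] == "rule":
            option = " ".join(tok[6:-1])  # e.g. "recent count", "state new"
            fw["rules"].setdefault(int(tok[5]), {})[option] = tok[-1]
        else:
            fw[" ".join(tok[4:-1])] = tok[-1]
    return firewalls


def parse_nft_chain(text):
    """Map rule comment (e.g. "FOO-30") -> (match expression, verdict)."""
    rules = {}
    for line in text.strip().splitlines():
        m = NFT_RULE_RE.match(line.strip())
        if m:
            rules[m.group("name")] = (m.group("match"), m.group("verdict"))
    return rules


def find_dropped_recent(firewalls, nft_rules):
    """Return one finding per rule whose `recent` options vanished in nft."""
    findings = []
    for name, fw in firewalls.items():
        for num, opts in sorted(fw["rules"].items()):
            recent = {k: v for k, v in opts.items() if k.startswith("recent ")}
            if not recent:
                continue
            match_expr, verdict = nft_rules.get(f"{name}-{num}", ("", None))
            if any(marker in match_expr for marker in RATE_LIMIT_MARKERS):
                continue
            # Later rules on the same protocol/port are unreachable once this
            # rule matches unconditionally.
            shadows = [n for n, o in fw["rules"].items() if n > num
                       and o.get("protocol") == opts.get("protocol")
                       and o.get("destination port") == opts.get("destination port")]
            findings.append({"rule": num, "configured": recent, "rendered": match_expr,
                             "verdict": verdict, "shadows": sorted(shadows)})
    return findings


if __name__ == "__main__":
    for f in find_dropped_recent(parse_set_commands(SET_COMMANDS), parse_nft_chain(NFT_CHAIN)):
        print(f"rule {f['rule']}: {f['configured']} dropped; rendered as "
              f"'{f['rendered']} {f['verdict']}', shadowing rules {f['shadows']}")
```

Run against the report's data it prints a single finding for rule 30, rendered as `tcp dport { 22 } reject` and shadowing rule 40; once the renderer emits a real rate limit for `recent`, the script prints nothing and can serve as a smoke test.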
Show firewall:
vyos@r11-roll:~$ show firewall
Rulesets Information
---------------------------------
IPv4 Firewall "FOO"

Active on: (eth0,local) (eth2,in) (eth2,local)

Rule     Action    Protocol    Packets    Bytes    Conditions
-------  --------  ----------  ---------  -------  ----------------------------------
10       accept    all         621        48244    ct state { established, related }
20       accept    icmp        0          0        ct state { new } meta l4proto icmp
30       reject    tcp         9          540      tcp dport { 22 }
40       accept    tcp         0          0        ct state { new } tcp dport { 22 }
default  reject    all         5          300
Report from the forum: https://forum.vyos.io/t/firewall-recent-seems-to-block-all-requests