Page MenuHomeVyOS Platform
Create Task
Maniphest T5509

Add capability to add firewall rules similar to CoPP through VyOS configuration
Closed, WontfixPublicFEATURE REQUEST
Actions

Description

Today a default installed VyOS uses "default-action: accept" for INPUT, OUTPUT and FORWARD.

Since VyOS today allow ALL ports for ALL services on ALL interfaces by default the only workaround to this is if the admin dig into which ports each service must be configured with for INPUT and OUTPUT chain and configure this for whatever interface the traffic is expected to exist on.

There is a great risk that admin fails to set proper rules and instead open up to much (or defaults to "default-action: allow" which will allow ALL traffic).

When the VyOS is configured with various services such as NTP, DNS, DHCP, VRRP, BGP etc it would be handy to ease the administration of protecting these services.

Suggestion is to add a "set firewall auto-ruleset" capability to make life easier for the admin.

Something like (default is disable):

set firewall auto-ruleset bgp enable
set firewall auto-ruleset dhcp-client enable
set firewall auto-ruleset dhcp-server enable
set firewall auto-ruleset dns-client enable
set firewall auto-ruleset dns-server enable
set firewall auto-ruleset ntp-client enable
set firewall auto-ruleset ntp-server enable
set firewall auto-ruleset ssh-client enable
set firewall auto-ruleset ssh-server enable
set firewall auto-ruleset vrrp enable

along with (default is none, "any" or "all" should exist as an option aswell):

set firewall auto-ruleset bgp interface 'eth0 eth1'
set firewall auto-ruleset dhcp-client interface 'eth0 eth1'
set firewall auto-ruleset dhcp-server interface 'eth0 eth1'
set firewall auto-ruleset dns-client interface 'eth2 eth3'
set firewall auto-ruleset dns-server interface 'eth2 eth3'
set firewall auto-ruleset ntp-client interface 'eth0 eth5'
set firewall auto-ruleset ntp-server interface 'eth0 eth5'
set firewall auto-ruleset ssh-client interface 'eth7 eth8'
set firewall auto-ruleset ssh-server interface 'eth7 eth8'
set firewall auto-ruleset vrrp enable interface 'eth9'

With the above the admin can set default-action to drop for INPUT and OUTPUT and for the case of bgp the auto-ruleset would allow dstport TCP179 for interface eth0 and eth1 for both INPUT and OUTPUT chain.

While "auto-ruleset dns-server" would in this case allow for dstport TCP53 and UDP53 for interface eth2 and eth3 for INPUT chain.

The above is dependent on that ESTABLISHED and RELATED (which it usually is) is already allowed.

Since this feature is by default disabled the admin can still (as today) configure the needed firewall rules manually (or if the admin for whatever reason want to further limit who can speak to each service other than based on interface).

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Unspecified (possibly destroys the router)
Issue type
Feature (new functionality)

Related Objects

Event Timeline

Apachez created this task.Aug 25 2023, 2:22 PM
Apachez mentioned this in T5160: Firewall refactor.
pasik added a subscriber: pasik.Aug 25 2023, 5:47 PM
I-n-d-y added a subscriber: I-n-d-y.Aug 26 2023, 9:40 PM
chenxiaolong added a subscriber: chenxiaolong.Sep 20 2023, 8:19 PM
Apachez mentioned this in T5694: NTP should always be allowed from localhost and bindaddress/binddevice can only exist once.Oct 28 2023, 3:01 AM
danhusan added a subscriber: danhusan.Dec 7 2023, 6:52 PM
dmbaturin triaged this task as Low priority.Jan 11 2024, 12:00 PM
Apachez mentioned this in T5835: UPnP port mapping / rule installation fails.Jan 17 2024, 11:51 AM
Viacheslav added a subscriber: Viacheslav.Jan 17 2024, 12:09 PM

I'm against this implementation. We agree do not use boolean values yes|no enable|disable on|off
It will add more mess than usefulness. Configuring features in 2-3 places is a bad idea!
What will be if I add "ssh server" ? Which port will it see? Does it allow all addresses to ssh? What sense in this rule?
The same goes for VRRP; which addresses will it use? Multicast/unicast?
And there are also questions about priorities and what to do it it is accepted via this feature and dropped by a regular firewall.

It's better to set up a firewall without those things.

Viacheslav closed this task as Wontfix.Jan 18 2024, 8:42 AM
Viacheslav claimed this task.

We agree not to implement this, at least in the proposed format.
Close it as wontfix.

Apachez added a comment.Jan 18 2024, 9:25 PM
set firewall auto-ruleset ssh-server enable
set firewall auto-ruleset ssh-server interface 'eth7 eth8'

Would use the port defined by set service ssh port <port>.

So no it wont be configuration at 3 places.

It will be in 2 dedicated places where the service is configured at "set service ssh" and the firewall autoconfiguration is configured at "set firewall auto-ruleset".

Apachez mentioned this in T6091: [1.3.3->1.4.0-epa1 Migration] NTP "listen-address" config removed.Mar 15 2024, 5:08 PM