PR for op-mode importing existing PKI files into config: https://github.com/vyos/vyos-1x/pull/1343
May 31 2022
May 30 2022
May 27 2022
In T1230#123939, @panachoi wrote: 1.4 rolling does not help me, so there must be something "wrong" with my configuration. I've attached the private config, it would be awesome if someone might find what's broken.
Attachment: private.cfg (127 KB)
May 26 2022
@panachoi If you can share the anonymized config that works in 1.2.8 that would be useful. I'd expect migrating to 1.4 to see a decent improvement in firewall load times.
Apr 20 2022
Apr 14 2022
30 largest packages in 1.4 dev build:
- telegraf 144 MB
- linux-image-5.10.109-amd64-vyos 107 MB
- libwireshark14 100 MB
- vyos-linux-firmware 68.8 MB
- containernetworking-plugins 51.2 MB
- vyos-http-api-tools 40.4 MB
- podman 37.3 MB
- python3-pycryptodome 36.0 MB
- libicu67 33.9 MB
- vim-runtime 32.9 MB
- vyos-1x 29.2 MB
- libperl5.32 28.5 MB
- salt-common 27.9 MB
- nmap-common 21.2 MB
- frr 20.2 MB
- libruby2.7 17.9 MB
- coreutils 17.9 MB
- perl-modules-5.32 17.9 MB
- grub-common 17.8 MB
- systemd 16.4 MB
- locales 16.4 MB
- libc6 13.1 MB
- pmacct 13.0 MB
- ieee-data 12.3 MB
- vyos-intel-qat 11.7 MB
- aptitude-common 10.3 MB
- gdb 10.0 MB
- udev 9,184 kB
- grub-efi-amd64-bin 8,831 kB
- squid 8,582 kB
Apr 6 2022
Mar 29 2022
Mar 18 2022
Perhaps only in-use sets can be determined and loaded?
Error implies that firewall failed to configure on boot as mangle table is missing. Any logs/config trace from boot?
Feb 24 2022
@n.fort I have been able to reproduce this, it only occurs when installing for UEFI.
Feb 20 2022
sgdisk man says -n should have a partition number followed by start/end values. Looking at the code this bug is present in all versions 1.2 and above.
Feb 15 2022
Feb 6 2022
Feb 4 2022
Feb 2 2022
Adding this issue to this task: https://forum.vyos.io/t/firewall-configuration-issue-after-upgrade/8414
Jan 31 2022
I already have a fix for this from your comment on T4213. Will have it included in a PR shortly.
Jan 29 2022
Jan 28 2022
I've actually found a way to define this properly, the resulting rules now look like below:
    tcp dport { 22 } add @FOO_30 { ip saddr limit rate over 4/minute burst 4 packets } counter packets 3 bytes 156 reject comment "FOO-30"
    ct state { new } tcp dport { 22 } counter packets 5 bytes 260 return comment "FOO-40"
Jan 27 2022
Good to hear, going to mark this as resolved.
In T4209#117579, @thomasjsn wrote: In T4209#117429, @sdev wrote: Would changing the guide to use limit rate 4/minute achieve the same target functionality?
What is the practical difference between limit rate and recent? Is it just two different ways of accomplishing the same?
I've come up with a working idea how to implement but would like feedback before submitting a PR.
Thanks for the report, I believe I know what's caused it to break. Hopefully will have a fix in for the build tomorrow.
@johannrichard Hey sorry I didn't see your comment, I suggest we move the discussion to the dedicated task: https://phabricator.vyos.net/T4209
This was included with the new firewall, going to mark as resolved.
The new firewall now has no such restrictions on port definitions, going to close this as resolved.
This is now implemented in 1.4
Should be fixed now with https://github.com/vyos/vyos-1x/pull/1193
Above fixed in PR: https://github.com/vyos/vyos-1x/pull/1193
Jan 26 2022
As reproducing the exact issue seems to be difficult, I'm going to instead change the install function so it catches errors and outputs the set pki ... syntax so it behaves like generate pki ... install <name> is run from op-mode anyway.
This issue is due to negated source/destination port not being handled properly in code, not validation.
It looks like it’s trying to directly install the certificate into the config from op-mode, that is only supposed to happen while you're in configure mode calling the command using run generate pki ... install <name>.
Jan 25 2022
I had forgotten about the recent syntax and it was merged in a broken state (https://github.com/vyos/vyos-1x/blob/current/python/vyos/firewall.py#L164). We should try and find a remedy, or remove it from CLI.
Jan 21 2022
PR + migration: https://github.com/vyos/vyos-1x/pull/1184
I can't reproduce this issue on latest rolling
Jan 18 2022
Okay, thanks for the update. I have found a conntrack issue in the code. Will have a fix in shortly.
Fixed in 1.4 PR: https://github.com/vyos/vyos-1x/pull/1176
Jan 17 2022
You need to remove the state new match on the rule and it'll work.
Included those flags in PR: https://github.com/vyos/vyos-1x/pull/1174
Included in PR: https://github.com/vyos/vyos-1x/pull/1174
Jan 16 2022
Thanks, will include a fix in a PR shortly
Jan 13 2022
Thanks for the report, working on the fix now.
Jan 12 2022
Jan 11 2022
Forgot that my PR for WLB was still a draft. The jump does seem to be created properly with this PR in place.
That build at 08:11 UTC was a couple of hours before the commit was merged: https://github.com/vyos/vyos-1x/commit/f97144259335102c3d96b232cbb0af4970120d62
Seems to be working on my latest build?
Thanks, I really like the include idea and have implemented it in the attached PR. Also added a check in firewall.py to reload policy-route script to keep any group changes updated.