Default firewall rules don't match up with RFD 21 #1821

@rzezeski

Description

Taking the latest omicron + OPTE for a spin, I noticed the firewall rules don't seem to line up with the defaults described in RFD 21 §2.8.1.

Here's what I see via opteadm (note this is using my latest dev branch; the "default deny" feature does not exist in the version of OPTE that Omicron is currently using. In that version the default is to allow).

rpz@kalm:~/oxidecomputer/opte$ pfexec opteadm dump-layer -p opte0 firewall
Layer firewall
======================================================================
Inbound Flows
----------------------------------------------------------------------
PROTO  SRC IP           SPORT  DST IP           DPORT  HITS     ACTION                

Outbound Flows
----------------------------------------------------------------------
PROTO  SRC IP           SPORT  DST IP           DPORT  HITS     ACTION                

Inbound Rules [Default: deny]
----------------------------------------------------------------------
ID       PRI    PREDICATES                                       ACTION            
3        65534  inner.ip.proto=TCP                               "Stateful: Firewall"
                inner.ulp.dst=22                                

2        65534  inner.ip.proto=TCP                               "Stateful: Firewall"
                inner.ulp.dst=3389                              

1        65534  inner.ip.src=172.30.0.5                          "Stateful: Firewall"
0        65534  inner.ip.proto=ICMP                              "Stateful: Firewall"

Outbound Rules [Default: deny]
----------------------------------------------------------------------
ID       PRI    PREDICATES                                       ACTION

Below is a list of what we should have.

| Default Rule | Current Omicron | Omicron w/ latest OPTE | Notes |
|---|---|---|---|
| Implied allow outbound | CORRECT | INCORRECT | Needs explicit allow now that OPTE has default deny. Actually, thinking about it more, perhaps the default outbound action for the firewall layer should be allow. |
| Implied deny inbound | INCORRECT | CORRECT | Current is missing an explicit rule to deny inbound. We get it for free with latest OPTE because it sets firewall to deny by default in both directions. |
| Default allow internal inbound | INCORRECT | INCORRECT | I think this is supposed to be rule id 1, but it is assigned the guest's IP instead of the subnet CIDR. |
| Default allow ssh | CORRECT | CORRECT | Covered by rule id 3. |
| Default allow ICMP | CORRECT | CORRECT | Covered by rule id 0. |
| Default allow RDP | CORRECT | CORRECT | Covered by rule id 2. |

So in general, anyone currently using Omicron should be fine, as their guest connectivity will remain how it's always been before the firewall rule plumbing landed. But as part of upgrading to the next version of OPTE we'll also want to update the firewall rules to get it 100% in line with RFD 21.
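The comparison in the table above can be automated. The following is an added example, not code from the issue, OPTE or Omicron: it parses the text layout of `opteadm dump-layer -p opte0 firewall` exactly as shown in the issue body and reports, for each RFD 21 §2.8.1 default the issue lists, whether the rule set satisfies it. The guest's VPC subnet is not given in the issue, so `172.30.0.0/22` is a constructed placeholder; the sample dump is the one from the issue, and a second, constructed variant shows the same checks passing once rule 1 matches the subnet CIDR and outbound defaults to allow.

```python
"""Audit an `opteadm dump-layer ... firewall` text dump against the RFD 21
§2.8.1 defaults listed in the issue.  Added example, not OPTE/Omicron code;
only the plain-text layout shown in the issue is assumed."""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the rule sections copied from the issue body.
SAMPLE_DUMP = """\
Inbound Rules [Default: deny]
----------------------------------------------------------------------
ID       PRI    PREDICATES                                       ACTION
3        65534  inner.ip.proto=TCP                               "Stateful: Firewall"
                inner.ulp.dst=22

2        65534  inner.ip.proto=TCP                               "Stateful: Firewall"
                inner.ulp.dst=3389

1        65534  inner.ip.src=172.30.0.5                          "Stateful: Firewall"
0        65534  inner.ip.proto=ICMP                              "Stateful: Firewall"

Outbound Rules [Default: deny]
----------------------------------------------------------------------
ID       PRI    PREDICATES                                       ACTION
"""

# Constructed variant with the two gaps the issue identifies closed:
# rule 1 matches the whole VPC subnet and outbound defaults to allow.
FIXED_DUMP = (SAMPLE_DUMP
              .replace("inner.ip.src=172.30.0.5", "inner.ip.src=172.30.0.0/22")
              .replace("Outbound Rules [Default: deny]", "Outbound Rules [Default: allow]"))

# Assumed VPC subnet for the guest at 172.30.0.5; the issue gives only the guest IP.
ASSUMED_SUBNET = ipaddress.ip_network("172.30.0.0/22")

SECTION_RE = re.compile(r"^(Inbound|Outbound) Rules \[Default: (allow|deny)\]")
RULE_RE = re.compile(r'^(\d+)\s+(\d+)\s+(.*?)\s*"(.*)"\s*$')   # ID PRI [PRED] "ACTION"
PRED_RE = re.compile(r"^\s+(\S+)=(\S+)")                       # indented continuation


@dataclass
class Rule:
    rule_id: int
    priority: int
    predicates: dict = field(default_factory=dict)   # e.g. {"inner.ulp.dst": "22"}
    action: str = ""


@dataclass
class Direction:
    default: str                                     # "allow" or "deny"
    rules: list = field(default_factory=list)


def parse_dump(text):
    """Parse the rule tables into {"Inbound": Direction, "Outbound": Direction}."""
    dirs, current, rule = {}, None, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            current = dirs[m.group(1)] = Direction(default=m.group(2))
            rule = None
        elif current is None or line.startswith(("ID ", "---")) or not line.strip():
            rule = None                               # header, separator or blank line
        elif m := RULE_RE.match(line):
            rule = Rule(int(m.group(1)), int(m.group(2)), action=m.group(4))
            if pm := re.match(r"(\S+)=(\S+)", m.group(3)):
                rule.predicates[pm.group(1)] = pm.group(2)
            current.rules.append(rule)
        elif rule is not None and (m := PRED_RE.match(line)):
            rule.predicates[m.group(1)] = m.group(2)  # further predicate of the open rule
    return dirs


def _has(direction, preds):
    """True if some rule in `direction` carries all of the given predicates."""
    return any(all(r.predicates.get(k) == v for k, v in preds.items()) for r in direction.rules)


def _catch_all(direction, verb):
    """A predicate-free rule whose action names `verb` (allow/deny); assumed spelling."""
    return any(not r.predicates and verb in r.action.lower() for r in direction.rules)


def audit(dirs, subnet):
    """Map each RFD 21 §2.8.1 default (as listed in the issue) to pass/fail."""
    inb, outb = dirs["Inbound"], dirs["Outbound"]

    def src_is_subnet(rule):
        src = rule.predicates.get("inner.ip.src")
        try:  # a bare host address parses as a /32, so it never equals the subnet
            return src is not None and ipaddress.ip_network(src, strict=False) == subnet
        except ValueError:
            return False

    return {
        "Implied allow outbound": outb.default == "allow" or _catch_all(outb, "allow"),
        "Implied deny inbound": inb.default == "deny" or _catch_all(inb, "deny"),
        "Default allow internal inbound": any(src_is_subnet(r) for r in inb.rules),
        "Default allow ssh": _has(inb, {"inner.ip.proto": "TCP", "inner.ulp.dst": "22"}),
        "Default allow ICMP": _has(inb, {"inner.ip.proto": "ICMP"}),
        "Default allow RDP": _has(inb, {"inner.ip.proto": "TCP", "inner.ulp.dst": "3389"}),
    }


if __name__ == "__main__":
    for name, dump in (("as reported", SAMPLE_DUMP), ("after fix", FIXED_DUMP)):
        print(name)
        for check, ok in audit(parse_dump(dump), ASSUMED_SUBNET).items():
            print(f"  {'CORRECT  ' if ok else 'INCORRECT'} {check}")
```

Run against the dump from the issue, the script reproduces the "Omicron w/ latest OPTE" column: inbound deny, ssh, ICMP and RDP pass, while outbound allow and internal inbound fail, the latter because `172.30.0.5` parses as a /32 host rather than the subnet. Feed it a live dump on a host where rules have changed and the same six checks tell you which default has drifted.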

Metadata

Labels

networking: Related to the networking.
