
T6329: firewall: add a patch for op-mode command <show firewall group> #3442

Merged
merged 2 commits into from
May 12, 2024

Conversation

nicolas-fort
Contributor

Change Summary

Add a patch for op-mode command

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Code style update (formatting, renaming)
  • Refactoring (no functional changes)
  • Migration from an old Vyatta component to vyos-1x, please link to related PR inside obsoleted component
  • Other (please describe):

Related Task(s)

Related PR(s)

Component(s) name

firewall

Proposed changes

How to test

Define firewall groups

set firewall group address-group SERVERS address '198.51.100.101'
set firewall group address-group SERVERS address '198.51.100.102'
set firewall group dynamic-group address-group ALLOWED
set firewall group dynamic-group address-group PN_01
set firewall group dynamic-group address-group PN_02
set firewall group dynamic-group address-group TEST
set firewall group interface-group LAN interface 'eth2.2001'
set firewall group interface-group LAN interface 'bon0'
set firewall group ipv6-network-group TRUSTEDv6 network '2001:db8::/64'
set firewall group network-group TRUSTEDv4 network '192.0.2.0/30'
set firewall group network-group TRUSTEDv4 network '203.0.113.128/25'
set firewall group port-group PORT-SERVERS port 'http'
set firewall group port-group PORT-SERVERS port '443'
set firewall group port-group PORT-SERVERS port '5000-5010'

Firewall rules that use groups:

set firewall ipv4 forward filter rule 20 action 'accept'
set firewall ipv4 forward filter rule 20 source group network-group 'TRUSTEDv4'
set firewall ipv4 forward filter rule 99921 action 'drop'
set firewall ipv4 forward filter rule 99921 source group dynamic-address-group '!ALLOWED'
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter rule 2 action 'drop'
set firewall ipv4 input filter rule 2 add-address-to-group source-address address-group 'TEST'
set firewall ipv4 input filter rule 2 destination port '7777'
set firewall ipv4 input filter rule 2 protocol 'tcp'
set firewall ipv4 input filter rule 5 action 'accept'
set firewall ipv4 input filter rule 5 protocol 'icmp'
set firewall ipv4 input filter rule 10 action 'drop'
set firewall ipv4 input filter rule 10 add-address-to-group source-address address-group 'PN_01'
set firewall ipv4 input filter rule 10 add-address-to-group source-address timeout '2m'
set firewall ipv4 input filter rule 10 description 'Port_nock 01'
set firewall ipv4 input filter rule 10 destination port '9990'
set firewall ipv4 input filter rule 10 protocol 'tcp'
set firewall ipv4 input filter rule 20 action 'drop'
set firewall ipv4 input filter rule 20 add-address-to-group source-address address-group 'PN_02'
set firewall ipv4 input filter rule 20 add-address-to-group source-address timeout '3m'
set firewall ipv4 input filter rule 20 description 'Port_nock 02'
set firewall ipv4 input filter rule 20 destination port '9991'
set firewall ipv4 input filter rule 20 protocol 'tcp'
set firewall ipv4 input filter rule 20 source group dynamic-address-group 'PN_01'
set firewall ipv4 input filter rule 30 action 'drop'
set firewall ipv4 input filter rule 30 add-address-to-group source-address address-group 'ALLOWED'
set firewall ipv4 input filter rule 30 add-address-to-group source-address timeout '2h'
set firewall ipv4 input filter rule 30 description 'Port_nock 03'
set firewall ipv4 input filter rule 30 destination port '9992'
set firewall ipv4 input filter rule 30 protocol 'tcp'
set firewall ipv4 input filter rule 30 source group dynamic-address-group 'PN_02'
set firewall ipv4 input filter rule 99 action 'accept'
set firewall ipv4 input filter rule 99 description 'Port_nock 04 - Allow ssh'
set firewall ipv4 input filter rule 99 destination port '22'
set firewall ipv4 input filter rule 99 protocol 'tcp'
set firewall ipv4 input filter rule 99 source group dynamic-address-group 'ALLOWED'
set firewall ipv4 output filter rule 10 action 'accept'
set firewall ipv4 output filter rule 10 outbound-interface group '!LAN'
set firewall ipv6 input filter rule 10 action 'accept'
set firewall ipv6 input filter rule 10 source group network-group 'TRUSTEDv6'

After testing connections to ensure dynamic elements were added to groups, check op-mode command:

vyos@clear:~$ show firewall group 
Firewall Groups

Name          Type                    References              Members           Timeout    Expires
------------  ----------------------  ----------------------  ----------------  ---------  ---------
SERVERS       address_group           nat-destination-101     198.51.100.101
                                                              198.51.100.102
ALLOWED       address_group(dynamic)  ipv4-input-filter-30    192.168.0.245     7200       3973
                                                              192.168.77.39     7200       3645
PN_01         address_group(dynamic)  ipv4-input-filter-10    192.168.77.39     120        97
PN_02         address_group(dynamic)  ipv4-input-filter-20    N/D               N/D        N/D
TEST          address_group(dynamic)  ipv4-input-filter-2     192.168.0.245     N/D        N/D
                                                              192.168.77.39     N/D        N/D
LAN           interface_group         ipv4-output-filter-10   bon0
                                      nat-destination-101     eth2.2001
TRUSTEDv6     ipv6_network_group      ipv6-input-filter-10    2001:db8::/64
TRUSTEDv4     network_group           ipv4-forward-filter-20  192.0.2.0/30
                                                              203.0.113.128/25
PORT-SERVERS  port_group              route-PBR-201           443
                                      route-PBR-201           5000-5010
                                      nat-destination-101     http
vyos@clear:~$ 

Smoketest result

Checklist:

  • I have read the CONTRIBUTING document
  • I have linked this PR to one or more Phabricator Task(s)
  • I have run the components SMOKETESTS if applicable
  • My commit headlines contain a valid Task id
  • My change requires a change to the documentation
  • I have updated the documentation accordingly
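As an added example (not code from this PR or from vyos-1x), the following Python parses the `show firewall group` table shown above into a structure that a smoketest can assert on, and lists dynamic-group entries that are close to eviction. It assumes the fixed-width layout of that output (column boundaries taken from the dashed separator line, blank Name for continuation rows, `N/D` for an empty dynamic group); the sample table is constructed from the output above.

```python
import re

# Constructed sample in the format of the `show firewall group` output above.
SAMPLE = """\
Firewall Groups

Name          Type                    References              Members           Timeout    Expires
------------  ----------------------  ----------------------  ----------------  ---------  ---------
SERVERS       address_group           nat-destination-101     198.51.100.101
                                                              198.51.100.102
ALLOWED       address_group(dynamic)  ipv4-input-filter-30    192.168.0.245     7200       3973
                                                              192.168.77.39     7200       3645
PN_01         address_group(dynamic)  ipv4-input-filter-10    192.168.77.39     120        97
PN_02         address_group(dynamic)  ipv4-input-filter-20    N/D               N/D        N/D
LAN           interface_group         ipv4-output-filter-10   bon0
                                      nat-destination-101     eth2.2001
"""

def parse_show_firewall_group(text):
    """Parse the fixed-width table into {name: {type, references, members}}."""
    lines = text.splitlines()
    sep = next(i for i, l in enumerate(lines) if l.startswith('---'))
    # Column boundaries come from the dashed separator line; each column owns the
    # whitespace gap before it, and the last column runs to end of line.
    ends = [m.end() for m in re.finditer(r'-+', lines[sep])]
    spans = list(zip([0] + ends[:-1], ends[:-1] + [None]))
    cols = [lines[sep - 1][s:e].strip() for s, e in spans]
    groups, current = {}, None
    for line in lines[sep + 1:]:
        if not line.strip():
            continue
        row = dict(zip(cols, (line[s:e].strip() for s, e in spans)))
        if row['Name']:                      # new group; a blank Name is a continuation row
            current = row['Name']
            groups[current] = {'type': row['Type'], 'references': [], 'members': []}
        g = groups[current]
        if row['References']:
            g['references'].append(row['References'])
        if row['Members'] and row['Members'] != 'N/D':  # N/D: dynamic group with no entries
            g['members'].append({'address': row['Members'],
                                 'timeout': int(row['Timeout']) if row['Timeout'].isdigit() else None,
                                 'expires': int(row['Expires']) if row['Expires'].isdigit() else None})
    return groups

def expiring_members(groups, within):
    """Dynamic-group entries that will be evicted within `within` seconds."""
    return [(name, m['address'], m['expires'])
            for name, g in groups.items() if '(dynamic)' in g['type']
            for m in g['members'] if m['expires'] is not None and m['expires'] <= within]
```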

@sever-sever sever-sever requested review from a team, dmbaturin, sarthurdev, zdc, jestabro, sever-sever and c-po and removed request for a team May 10, 2024 15:08
@c-po c-po merged commit 4fc9d38 into vyos:current May 12, 2024
5 of 6 checks passed
@c-po
Member

c-po commented May 12, 2024

@Mergifyio backport sagitta


mergify bot commented May 12, 2024

backport sagitta

✅ Backports have been created

sever-sever added a commit that referenced this pull request May 12, 2024
T6329: firewall: add a patch for op-mode command <show firewall group> (backport #3442)