Access lists
-
So either I am doing something wrong or this is not working. (I would assume the former)
I just finished a basic part of my TNSR config, created the bonding interfaces Bond 0 and 1, and added an access-list to my BondEthernet0 (it has my public Internet IP).
Access Control List: internet-in
IPv   Seq  Action  Source     Dest       Proto  SP/T     DP/C     Flag  Mask
ipv4  10   deny    0.0.0.0/0  0.0.0.0/0  icmp   0-65535  0-65535  --    --
ipv4  200  deny    0.0.0.0/0  0.0.0.0/0  any    [deny all]

The above is just a test of course, not the one I will be using in the end.
(config)# show interface access-list
Interface: BondEthernet0
Input ACLs
10: internet-in

But even with the ACL above bound to my BondEthernet0 I can still ping the IP from the outside. I am aware of the concept of needing to rebind an ACL, so I even removed it and added it back again, without results.
Can someone tell me what I'm not doing correctly here? I won't start using it without having working ACLs, since it needs to replace my current Fortigate.
-
Need more information, such as where you are pinging from, to, etc. This is pinging from out on a VPS somewhere. Texas, I think.

edge-tnsr tnsr# show interface access-list
Interface: ix0
Input ACLs
10: dhcp-outside
20: ping-any
30: ipsec-outside
40: haproxy-outside
Output ACLs
10: outbound-reflect

$ ping 198.51.100.50
PING 198.51.100.50 (198.51.100.50): 56 data bytes
64 bytes from 198.51.100.50: icmp_seq=0 ttl=52 time=24.230 ms
64 bytes from 198.51.100.50: icmp_seq=1 ttl=52 time=24.214 ms
64 bytes from 198.51.100.50: icmp_seq=2 ttl=52 time=24.343 ms
64 bytes from 198.51.100.50: icmp_seq=3 ttl=52 time=24.162 ms
64 bytes from 198.51.100.50: icmp_seq=4 ttl=52 time=24.290 ms
^C
--- 198.51.100.50 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 24.162/24.248/24.343/0.063 ms

edge-tnsr tnsr(config)# acl ping-none
edge-tnsr tnsr(config-acl)# rule 10
edge-tnsr tnsr(config-acl-rule)# action deny
edge-tnsr tnsr(config-acl-rule)# description Block all inbound ICMP
edge-tnsr tnsr(config-acl-rule)# protocol icmp
edge-tnsr tnsr(config-acl-rule)# ip-version ipv4
edge-tnsr tnsr(config-acl-rule)# exit
edge-tnsr tnsr(config-acl)# exit
edge-tnsr tnsr(config)# exit
edge-tnsr tnsr(config)# interface ix0
edge-tnsr tnsr(config-interface)# access-list input acl ping-none sequence 15
edge-tnsr tnsr(config-interface)# exit
edge-tnsr tnsr# show interface access-list
Interface: ix0
Input ACLs
10: dhcp-outside
15: ping-none
20: ping-any
30: ipsec-outside
40: haproxy-outside
Output ACLs
10: outbound-reflect

$ ping 198.51.100.50
PING 198.51.100.50 (198.51.100.50): 56 data bytes
^C
--- 198.51.100.50 ping statistics ---
8 packets transmitted, 0 packets received, 100.0% packet loss

edge-tnsr tnsr(config)# interface ix0
edge-tnsr tnsr(config-interface)# no access-list input acl ping-none seq 15
edge-tnsr tnsr(config-interface)# exit

$ ping 198.51.100.50
PING 198.51.100.50 (198.51.100.50): 56 data bytes
64 bytes from 198.51.100.50: icmp_seq=0 ttl=52 time=24.244 ms
64 bytes from 198.51.100.50: icmp_seq=1 ttl=52 time=24.262 ms
64 bytes from 198.51.100.50: icmp_seq=2 ttl=52 time=24.239 ms
64 bytes from 198.51.100.50: icmp_seq=3 ttl=52 time=24.193 ms
64 bytes from 198.51.100.50: icmp_seq=4 ttl=52 time=24.330 ms
^C
--- 198.51.100.50 ping statistics ---
5 packets transmitted, 5 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 24.193/24.254/24.330/0.044 ms
-
With the ACL I made, shouldn't it just drop all ICMP? I was pinging the IP 46.166.184.248 from an outside source (a server in a different location).
It's set as an IP inside tnsr, not on the host itself.
-
Still not enough information to go on. As I demonstrated it works fine.
-
What information would you need exactly? Then I can answer more precisely.
My outside interface is 2x 1Gbit configured in a bond, which has the IP 46.166.184.248 configured; the host itself has IP 46.166.84.249.
To test out the workings of ACLs I want to block ICMP first, so I created the ACL I listed earlier and bound it to my BondEthernet0, which is my outside interface.
Now from a completely different host I sent an ICMP request to the TNSR host, which has the 2x 1Gbit as its DPDK interfaces, where I would expect it not to ping; however, I still get ICMP replies.
-
What kind of bond are you using?
-
My current one is 2x 1Gbit in LACP bonding.

show interface bond
Interface name: BondEthernet0
Mode: lacp
Load balance: l34
Active slaves: 2
Slaves: 2
Slave interfaces:
GigabitEthernet7/0/0
GigabitEthernet7/0/2

Interface name: BondEthernet1
Mode: lacp
Load balance: l34
Active slaves: 2
Slaves: 2
Slave interfaces:
GigabitEthernet7/0/1
GigabitEthernet7/0/3

My BondEthernet1 isn't doing anything yet; that is going to hold all my inside VLANs and such. My BondEthernet0 is the one having the ACL. If you need it I can share my config, but I would rather not do that in public.
-
I just tested this in the lab on an LACP bond and it works exactly as expected.

tnsr-2 tnsr# show interface BondEthernet0
Interface: BondEthernet0
    Admin status: up
    Link up, unknown duplex
    Link MTU: 1500 bytes
    MAC address: 00:90:0b:7c:0b:9c
    IPv4 MTU: 0 bytes
    IPv4 Route Table: ipv4-VRF:0
    IPv4 addresses: 172.25.228.20/24
    IPv6 MTU: 0 bytes
    IPv6 Route Table: ipv6-VRF:0
    IPv6 addresses: fe80::290:bff:fe7c:b9c/64
    Input ACLs
        10: ping-none
    Slave interfaces:
        GigabitEthernet6/0/0
        GigabitEthernet6/0/1
    VLAN tag rewrite: disable
    counters:
        received: 132296 bytes, 1229 packets, 0 errors
        transmitted: 2652 bytes, 33 packets, 0 errors
        protocols: 12 IPv4, 34 IPv6
        368 drops, 0 punts, 0 rx miss, 0 rx no buffer

tnsr-2 tnsr# show acl ping-none
Access Control List: ping-none
Description: Block all ICMP
IPv   Seq  Action  Source      Dest        Proto  SP/T      DP/C      Flag  Mask
----  ---  ------  ----------  ----------  -----  --------  --------  ----  ----
ipv4  10   deny    0.0.0.0/0   0.0.0.0/0   icmp   0-65535   0-65535   --    --
And an inside interface that is routed to:
tnsr-2 tnsr# show int GigabitEthernet8/0/0
Interface: GigabitEthernet8/0/0
    Admin status: up
    Link down, unknown duplex
    Link MTU: 9000 bytes
    MAC address: 00:90:0b:7c:0b:9e
    IPv4 MTU: 0 bytes
    IPv4 Route Table: ipv4-VRF:0
    IPv4 addresses: 172.25.248.1/24
    IPv6 MTU: 0 bytes
    IPv6 Route Table: ipv6-VRF:0
    IPv6 addresses: fe80::290:bff:fe7c:b9e/64
    VLAN tag rewrite: disable
    Rx-queues
        queue-id 0 : cpu-id 1
    counters:
        received: 0 bytes, 0 packets, 0 errors
        transmitted: 0 bytes, 0 packets, 15 errors
        protocols: 0 IPv4, 0 IPv6
        0 drops, 0 punts, 0 rx miss, 0 rx no buffer
While I was pinging:
tnsr-2 tnsr(config)# int BondEthernet0
tnsr-2 tnsr(config-interface)# access-list input acl ping-none seq 10
tnsr-2 tnsr(config-interface)# exit
tnsr-2 tnsr(config)# int BondEthernet0
tnsr-2 tnsr(config-interface)# no access-list input acl ping-none seq 10
tnsr-2 tnsr(config-interface)# exit
tnsr-2 tnsr(config)# int BondEthernet0
tnsr-2 tnsr(config-interface)# access-list input acl ping-none seq 10
tnsr-2 tnsr(config-interface)# exit
tnsr-2 tnsr(config)#

Request timeout for icmp_seq 22
Request timeout for icmp_seq 23
Request timeout for icmp_seq 24
Request timeout for icmp_seq 25
Request timeout for icmp_seq 26
Request timeout for icmp_seq 27
Request timeout for icmp_seq 28
Request timeout for icmp_seq 29
Request timeout for icmp_seq 30
64 bytes from 172.25.248.1: icmp_seq=31 ttl=63 time=0.242 ms
64 bytes from 172.25.248.1: icmp_seq=32 ttl=63 time=0.291 ms
64 bytes from 172.25.248.1: icmp_seq=33 ttl=63 time=0.242 ms
64 bytes from 172.25.248.1: icmp_seq=34 ttl=63 time=0.300 ms
64 bytes from 172.25.248.1: icmp_seq=35 ttl=63 time=0.276 ms
64 bytes from 172.25.248.1: icmp_seq=36 ttl=63 time=0.233 ms
64 bytes from 172.25.248.1: icmp_seq=37 ttl=63 time=0.279 ms
64 bytes from 172.25.248.1: icmp_seq=38 ttl=63 time=0.194 ms
64 bytes from 172.25.248.1: icmp_seq=39 ttl=63 time=0.269 ms
64 bytes from 172.25.248.1: icmp_seq=40 ttl=63 time=0.225 ms
64 bytes from 172.25.248.1: icmp_seq=41 ttl=63 time=0.237 ms
64 bytes from 172.25.248.1: icmp_seq=42 ttl=63 time=0.300 ms
64 bytes from 172.25.248.1: icmp_seq=43 ttl=63 time=0.181 ms
64 bytes from 172.25.248.1: icmp_seq=44 ttl=63 time=0.292 ms
64 bytes from 172.25.248.1: icmp_seq=45 ttl=63 time=0.179 ms
64 bytes from 172.25.248.1: icmp_seq=46 ttl=63 time=0.210 ms
64 bytes from 172.25.248.1: icmp_seq=47 ttl=63 time=0.272 ms
Request timeout for icmp_seq 48
Request timeout for icmp_seq 49
Request timeout for icmp_seq 50
Request timeout for icmp_seq 51
Request timeout for icmp_seq 52
Request timeout for icmp_seq 53
Request timeout for icmp_seq 54
Request timeout for icmp_seq 55
Request timeout for icmp_seq 56
Request timeout for icmp_seq 57
Request timeout for icmp_seq 58
-
In that sense I'm a bit at a loss, since I can't see why it won't work here, so below you can see my config; maybe you can spot what I did wrong. I'm trying to ping 46.166.184.248 from 188.209.55.1, but whichever ACL I use it keeps sending replies.
I do thank you for all your help of course, as I first want to test it out in the home lab version for some time, and if that works like I want it to, I want to get a subscription for updates and such.
r2.dbc.nl.linservers.com tnsr(config)# show configuration running
<acl-config xmlns="urn:netgate:xml:yang:netgate-acl">
  <acl-table>
    <acl-list>
      <acl-name>internet-in</acl-name>
      <acl-rules>
        <acl-rule>
          <sequence>10</sequence>
          <action>deny</action>
          <ip-version>ipv4</ip-version>
          <protocol>icmp</protocol>
        </acl-rule>
      </acl-rules>
    </acl-list>
    <acl-list>
      <acl-name>internet-outbound</acl-name>
      <acl-rules>
        <acl-rule>
          <sequence>10</sequence>
          <acl-rule-description>Reflect all Outbound</acl-rule-description>
          <action>reflect</action>
          <ip-version>ipv4</ip-version>
        </acl-rule>
      </acl-rules>
    </acl-list>
  </acl-table>
</acl-config>
<dataplane-config xmlns="urn:netgate:xml:yang:netgate-dataplane">
  <dpdk>
    <uio-driver>igb_uio</uio-driver>
  </dpdk>
</dataplane-config>
<interfaces-config xmlns="urn:netgate:xml:yang:netgate-interface">
  <interface>
    <name>BondEthernet0</name>
    <description><![CDATA[Public]]></description>
    <enabled>true</enabled>
    <ipv4>
      <address>
        <ip>46.166.184.248/28</ip>
      </address>
    </ipv4>
    <access-list>
      <input>
        <acl-list>
          <acl-name>internet-in</acl-name>
          <sequence>10</sequence>
        </acl-list>
      </input>
    </access-list>
  </interface>
  <interface>
    <name>BondEthernet1</name>
    <enabled>true</enabled>
    <access-list>
      <input>
        <acl-list>
          <acl-name>internet-outbound</acl-name>
          <sequence>10</sequence>
        </acl-list>
      </input>
    </access-list>
  </interface>
  <interface>
    <name>GigabitEthernet7/0/0</name>
    <enabled>true</enabled>
    <bond>
      <instance>0</instance>
      <passive>false</passive>
      <long-timeout>false</long-timeout>
    </bond>
  </interface>
  <interface>
    <name>GigabitEthernet7/0/1</name>
    <enabled>true</enabled>
    <bond>
      <instance>1</instance>
      <passive>false</passive>
      <long-timeout>false</long-timeout>
    </bond>
  </interface>
  <interface>
    <name>GigabitEthernet7/0/2</name>
    <enabled>true</enabled>
    <bond>
      <instance>0</instance>
      <passive>false</passive>
      <long-timeout>false</long-timeout>
    </bond>
  </interface>
  <interface>
    <name>GigabitEthernet7/0/3</name>
    <enabled>true</enabled>
    <bond>
      <instance>1</instance>
      <passive>false</passive>
      <long-timeout>false</long-timeout>
    </bond>
  </interface>
  <bond-table>
    <bond>
      <instance>0</instance>
      <mode>lacp</mode>
      <load-balance>l34</load-balance>
    </bond>
    <bond>
      <instance>1</instance>
      <mode>lacp</mode>
      <load-balance>l34</load-balance>
    </bond>
  </bond-table>
</interfaces-config>
<route-table-config xmlns="urn:netgate:xml:yang:netgate-route-table">
  <static-routes>
    <route-table>
      <name>ipv4-VRF:0</name>
      <address-family>ipv4</address-family>
      <id>0</id>
      <ipv4-routes>
        <route>
          <destination-prefix>0.0.0.0/0</destination-prefix>
          <next-hop>
            <hop>
              <hop-id>0</hop-id>
              <ipv4-address>46.166.184.254</ipv4-address>
            </hop>
          </next-hop>
        </route>
      </ipv4-routes>
    </route-table>
  </static-routes>
</route-table-config>
<system xmlns="urn:netgate:xml:yang:netgate-system">
  <name>r2.dbc.nl.linservers.com</name>
  <dns-resolver>
    <namespace>dataplane</namespace>
    <server>
      <name>8.8.8.8</name>
      <udp-and-tcp>
        <address>8.8.8.8</address>
      </udp-and-tcp>
    </server>
    <server>
      <name>8.8.4.4</name>
      <udp-and-tcp>
        <address>8.8.4.4</address>
      </udp-and-tcp>
    </server>
    <server>
      <name>127.0.0.1</name>
      <udp-and-tcp>
        <address>127.0.0.1</address>
      </udp-and-tcp>
    </server>
  </dns-resolver>
  <auth>
    <user>
      <user-name>jimmy</user-name>
      <user-password><![CDATA[$6$mYw6m4p7fUjkfOwr$DkFgDtyEaHNSPTqHM/kubRwP0P8pYzCHxYlVodRl793pzlfhGI8TvTHviZ9iUjAhTNVYfpqKaB6VG8qjc0eIs1]]></user-password>
    </user>
  </auth>
</system>
<unbound-config xmlns="urn:netgate:xml:yang:netgate-unbound">
  <parameters>
    <enable>true</enable>
  </parameters>
  <server>
    <interfaces>
      <interface>
        <ip-address>127.0.0.1</ip-address>
      </interface>
    </interfaces>
    <do-ip4>true</do-ip4>
    <do-tcp>true</do-tcp>
    <do-udp>true</do-udp>
    <harden-glue>true</harden-glue>
    <hide-identity>true</hide-identity>
    <outgoing-range>4096</outgoing-range>
  </server>
  <forward-zones>
    <zone>
      <zone-name>.</zone-name>
      <forward-addresses>
        <address>
          <ip-address>1.1.1.1</ip-address>
        </address>
        <address>
          <ip-address>8.8.8.8</ip-address>
        </address>
      </forward-addresses>
    </zone>
  </forward-zones>
</unbound-config>
-
The reflect rule should be on the outside interface in the outbound direction.
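Added example (not from this thread or from Netgate): the poster's two ACLs, `internet-in` and `internet-outbound`, re-bound the way the reply above describes. In the running config posted earlier, `internet-in` (deny ICMP) was bound on BondEthernet0 input, but `internet-outbound` (reflect) was bound on BondEthernet1 input, i.e. the inside interface. Below, both are bound on the outside interface, BondEthernet0: the deny on input, the reflect on output. Rule and interface syntax follows the `acl` / `access-list input` session shown earlier in the thread; the `access-list output` keyword is an assumption inferred from the "Output ACLs" listing in that same session, and the hostname prompt is shortened.

```text
tnsr(config)# acl internet-in
tnsr(config-acl)# rule 10
tnsr(config-acl-rule)# description Block inbound ICMP (test rule)
tnsr(config-acl-rule)# action deny
tnsr(config-acl-rule)# ip-version ipv4
tnsr(config-acl-rule)# protocol icmp
tnsr(config-acl-rule)# exit
tnsr(config-acl)# exit

tnsr(config)# acl internet-outbound
tnsr(config-acl)# rule 10
tnsr(config-acl-rule)# description Reflect all outbound
tnsr(config-acl-rule)# action reflect
tnsr(config-acl-rule)# ip-version ipv4
tnsr(config-acl-rule)# exit
tnsr(config-acl)# exit

tnsr(config)# interface BondEthernet0
tnsr(config-interface)# access-list input acl internet-in sequence 10
tnsr(config-interface)# access-list output acl internet-outbound sequence 10
tnsr(config-interface)# exit
tnsr(config)# exit

tnsr# show interface access-list
```

The check to run afterwards is the `show interface access-list` at the end: BondEthernet0 should list `internet-in` under Input ACLs and `internet-outbound` under Output ACLs, and a ping from an outside host to 46.166.184.248 should time out, as in the lab test earlier in the thread. The reason the reflect rule belongs on the outside interface's output is that it is the traffic leaving BondEthernet0 whose replies need to be let back in on BondEthernet0 input; anything that is neither reflected on the way out nor permitted explicitly on the way in has no return path, which is what the later remark in this thread about DNS on UDP port 53 describes.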
-
That seemed to work indeed, where I made an Allow ICMP rule now, as that would be handy anyway.
I can see indeed that access-lists really do their work, since I could not resolve host names with a reflect rule in place, forgetting that DNS uses UDP port 53.
Is there a way I can look at an access-list while working on it? Since now I would have to exit out each time I want to view it, where if you make a mistake you can start over again.
-
Right now the configuration CLI is what it is. You could have another SSH session into clixon and show from there while you are in the config exec mode on another terminal.
-
I'm not putting blame on how it is now, so please don't feel attacked, as that was not my intention; I was just wondering if I missed a command, since I'm just getting started with it. :)
I really like the quick responses on here, even it being a community forum, and thanks for the quick help with this!
-
I have felt some of the same pain with the ACL config being a little bulky. On the bright side, it's actually made me plan ACLs out a bit better and forced me into having many ACLs with fewer rules each. That being said, I miss being able to see a rule as a single line sometimes.