Netgate Discussion Forum
    Access lists

Category: Problems Installing or Upgrading TNSR Software
Tags: access-list, acl
    14 Posts 3 Posters 3.6k Views
jimmy1987:

What information would you need exactly? Then I can answer more precisely.

My outside interface is 2x 1 Gbit configured in a bond, which has the IP 46.166.184.248 configured; the host itself has IP 46.166.84.249.

To test out the workings of ACLs I want to block ICMP first, so I created the ACL I listed earlier and bound it to my BondEthernet0, which is my outside interface.

Now, from a completely different host, I sent an ICMP request to the TNSR host, which has the 2x 1 Gbit as its DPDK interfaces, where I would expect it not to ping; however, I still get ICMP replies.

Derelict (Netgate):

        What kind of bond are you using?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

jimmy1987:

My current one is 2x 1 Gbit in LACP bonding.

          show interface bond
          Interface name: BondEthernet0
          Mode: lacp
          Load balance: l34
          Active slaves: 2
          Slaves: 2
          Slave interfaces:
          GigabitEthernet7/0/0
          GigabitEthernet7/0/2

          Interface name: BondEthernet1
          Mode: lacp
          Load balance: l34
          Active slaves: 2
          Slaves: 2
          Slave interfaces:
          GigabitEthernet7/0/1
          GigabitEthernet7/0/3

My BondEthernet1 isn't doing anything yet; that is going to hold all my inside VLANs and such. My BondEthernet0 is the one having the ACL. If you need it I can share my config, but I would rather not do that in public.

Derelict (Netgate):

I just tested this in the lab on an LACP bond and it works exactly as expected.

            tnsr-2 tnsr# show interface BondEthernet0 
            Interface: BondEthernet0
                Admin status: up
                Link up, unknown duplex
                Link MTU: 1500 bytes
                MAC address: 00:90:0b:7c:0b:9c
                IPv4 MTU: 0 bytes
                IPv4 Route Table: ipv4-VRF:0
                IPv4 addresses:
                    172.25.228.20/24
                IPv6 MTU: 0 bytes
                IPv6 Route Table: ipv6-VRF:0
                IPv6 addresses:
                    fe80::290:bff:fe7c:b9c/64
                Input ACLs
                    10: ping-none
                Slave interfaces:
                    GigabitEthernet6/0/0
                    GigabitEthernet6/0/1
                VLAN tag rewrite: disable
                counters:
                  received: 132296 bytes, 1229 packets, 0 errors
                  transmitted: 2652 bytes, 33 packets, 0 errors
                  protocols: 12 IPv4, 34 IPv6
                  368 drops, 0 punts, 0 rx miss, 0 rx no buffer
            
            tnsr-2 tnsr# show acl ping-none 
            
            Access Control List: ping-none
            Description: Block all ICMP
            
             IPv Seq Action     Source       Dest Proto     SP/T     DP/C Flag Mask
            ---- --- ------ ---------- ---------- ----- -------- -------- ---- ----
            ipv4  10   deny  0.0.0.0/0  0.0.0.0/0  icmp  0-65535  0-65535  --   -- 
            

            And an inside interface that is routed to:

            tnsr-2 tnsr# show int GigabitEthernet8/0/0
            Interface: GigabitEthernet8/0/0
                Admin status: up
                Link down, unknown duplex
                Link MTU: 9000 bytes
                MAC address: 00:90:0b:7c:0b:9e
                IPv4 MTU: 0 bytes
                IPv4 Route Table: ipv4-VRF:0
                IPv4 addresses:
                    172.25.248.1/24
                IPv6 MTU: 0 bytes
                IPv6 Route Table: ipv6-VRF:0
                IPv6 addresses:
                    fe80::290:bff:fe7c:b9e/64
                VLAN tag rewrite: disable
                Rx-queues
                    queue-id 0 : cpu-id 1
                counters:
                  received: 0 bytes, 0 packets, 0 errors
                  transmitted: 0 bytes, 0 packets, 15 errors
                  protocols: 0 IPv4, 0 IPv6
                  0 drops, 0 punts, 0 rx miss, 0 rx no buffer
            

            While I was pinging:

            tnsr-2 tnsr(config)# int BondEthernet0                        
            tnsr-2 tnsr(config-interface)# access-list input acl ping-none seq 10   
            tnsr-2 tnsr(config-interface)# exit
            tnsr-2 tnsr(config)# int BondEthernet0  
            tnsr-2 tnsr(config-interface)# no access-list input acl ping-none seq 10
            tnsr-2 tnsr(config-interface)# exit
            tnsr-2 tnsr(config)# int BondEthernet0                        
            tnsr-2 tnsr(config-interface)# access-list input acl ping-none seq 10   
            tnsr-2 tnsr(config-interface)# exit
            tnsr-2 tnsr(config)#
            
            Request timeout for icmp_seq 22
            Request timeout for icmp_seq 23
            Request timeout for icmp_seq 24
            Request timeout for icmp_seq 25
            Request timeout for icmp_seq 26
            Request timeout for icmp_seq 27
            Request timeout for icmp_seq 28
            Request timeout for icmp_seq 29
            Request timeout for icmp_seq 30
            64 bytes from 172.25.248.1: icmp_seq=31 ttl=63 time=0.242 ms
            64 bytes from 172.25.248.1: icmp_seq=32 ttl=63 time=0.291 ms
            64 bytes from 172.25.248.1: icmp_seq=33 ttl=63 time=0.242 ms
            64 bytes from 172.25.248.1: icmp_seq=34 ttl=63 time=0.300 ms
            64 bytes from 172.25.248.1: icmp_seq=35 ttl=63 time=0.276 ms
            64 bytes from 172.25.248.1: icmp_seq=36 ttl=63 time=0.233 ms
            64 bytes from 172.25.248.1: icmp_seq=37 ttl=63 time=0.279 ms
            64 bytes from 172.25.248.1: icmp_seq=38 ttl=63 time=0.194 ms
            64 bytes from 172.25.248.1: icmp_seq=39 ttl=63 time=0.269 ms
            64 bytes from 172.25.248.1: icmp_seq=40 ttl=63 time=0.225 ms
            64 bytes from 172.25.248.1: icmp_seq=41 ttl=63 time=0.237 ms
            64 bytes from 172.25.248.1: icmp_seq=42 ttl=63 time=0.300 ms
            64 bytes from 172.25.248.1: icmp_seq=43 ttl=63 time=0.181 ms
            64 bytes from 172.25.248.1: icmp_seq=44 ttl=63 time=0.292 ms
            64 bytes from 172.25.248.1: icmp_seq=45 ttl=63 time=0.179 ms
            64 bytes from 172.25.248.1: icmp_seq=46 ttl=63 time=0.210 ms
            64 bytes from 172.25.248.1: icmp_seq=47 ttl=63 time=0.272 ms
            Request timeout for icmp_seq 48
            Request timeout for icmp_seq 49
            Request timeout for icmp_seq 50
            Request timeout for icmp_seq 51
            Request timeout for icmp_seq 52
            Request timeout for icmp_seq 53
            Request timeout for icmp_seq 54
            Request timeout for icmp_seq 55
            Request timeout for icmp_seq 56
            Request timeout for icmp_seq 57
            Request timeout for icmp_seq 58
            


jimmy1987:

In that sense I'm a bit at a loss, since I can't see why it won't work here, so below you can see my config; maybe you can spot what I did wrong. I'm trying to ping 46.166.184.248 from 188.209.55.1, but whichever ACL I use, it keeps sending replies.

I do thank you for all your help, of course. I first want to test it out in the home lab version for some time, and if that works the way I want, I want to get a subscription for updates and such.

              r2.dbc.nl.linservers.com tnsr(config)# show configuration running 
              <acl-config xmlns="urn:netgate:xml:yang:netgate-acl">
                 <acl-table>
                    <acl-list>
                       <acl-name>internet-in</acl-name>
                       <acl-rules>
                          <acl-rule>
                             <sequence>10</sequence>
                             <action>deny</action>
                             <ip-version>ipv4</ip-version>
                             <protocol>icmp</protocol>
                          </acl-rule>
                       </acl-rules>
                    </acl-list>
                    <acl-list>
                       <acl-name>internet-outbound</acl-name>
                       <acl-rules>
                          <acl-rule>
                             <sequence>10</sequence>
                             <acl-rule-description>Reflect all Outbound</acl-rule-description>
                             <action>reflect</action>
                             <ip-version>ipv4</ip-version>
                          </acl-rule>
                       </acl-rules>
                    </acl-list>
                 </acl-table>
              </acl-config>
              <dataplane-config xmlns="urn:netgate:xml:yang:netgate-dataplane">
                 <dpdk>
                    <uio-driver>igb_uio</uio-driver>
                 </dpdk>
              </dataplane-config>
              <interfaces-config xmlns="urn:netgate:xml:yang:netgate-interface">
                 <interface>
                    <name>BondEthernet0</name>
                    <description><![CDATA[Public]]></description>
                    <enabled>true</enabled>
                    <ipv4>
                       <address>
                          <ip>46.166.184.248/28</ip>
                       </address>
                    </ipv4>
                    <access-list>
                       <input>
                          <acl-list>
                             <acl-name>internet-in</acl-name>
                             <sequence>10</sequence>
                          </acl-list>
                       </input>
                    </access-list>
                 </interface>
                 <interface>
                    <name>BondEthernet1</name>
                    <enabled>true</enabled>
                    <access-list>
                       <input>
                          <acl-list>
                             <acl-name>internet-outbound</acl-name>
                             <sequence>10</sequence>
                          </acl-list>
                       </input>
                    </access-list>
                 </interface>
                 <interface>
                    <name>GigabitEthernet7/0/0</name>
                    <enabled>true</enabled>
                    <bond>
                       <instance>0</instance>
                       <passive>false</passive>
                       <long-timeout>false</long-timeout>
                    </bond>
                 </interface>
                 <interface>
                    <name>GigabitEthernet7/0/1</name>
                    <enabled>true</enabled>
                    <bond>
                       <instance>1</instance>
                       <passive>false</passive>
                       <long-timeout>false</long-timeout>
                    </bond>
                 </interface>
                 <interface>
                    <name>GigabitEthernet7/0/2</name>
                    <enabled>true</enabled>
                    <bond>
                       <instance>0</instance>
                       <passive>false</passive>
                       <long-timeout>false</long-timeout>
                    </bond>
                 </interface>
                 <interface>
                    <name>GigabitEthernet7/0/3</name>
                    <enabled>true</enabled>
                    <bond>
                       <instance>1</instance>
                       <passive>false</passive>
                       <long-timeout>false</long-timeout>
                    </bond>
                 </interface>
                 <bond-table>
                    <bond>
                       <instance>0</instance>
                       <mode>lacp</mode>
                       <load-balance>l34</load-balance>
                    </bond>
                    <bond>
                       <instance>1</instance>
                       <mode>lacp</mode>
                       <load-balance>l34</load-balance>
                    </bond>
                 </bond-table>
              </interfaces-config>
              <route-table-config xmlns="urn:netgate:xml:yang:netgate-route-table">
                 <static-routes>
                    <route-table>
                       <name>ipv4-VRF:0</name>
                       <address-family>ipv4</address-family>
                       <id>0</id>
                       <ipv4-routes>
                          <route>
                             <destination-prefix>0.0.0.0/0</destination-prefix>
                             <next-hop>
                                <hop>
                                   <hop-id>0</hop-id>
                                   <ipv4-address>46.166.184.254</ipv4-address>
                                </hop>
                             </next-hop>
                          </route>
                       </ipv4-routes>
                    </route-table>
                 </static-routes>
              </route-table-config>
              <system xmlns="urn:netgate:xml:yang:netgate-system">
                 <name>r2.dbc.nl.linservers.com</name>
                 <dns-resolver>
                    <namespace>dataplane</namespace>
                    <server>
                       <name>8.8.8.8</name>
                       <udp-and-tcp>
                          <address>8.8.8.8</address>
                       </udp-and-tcp>
                    </server>
                    <server>
                       <name>8.8.4.4</name>
                       <udp-and-tcp>
                          <address>8.8.4.4</address>
                       </udp-and-tcp>
                    </server>
                    <server>
                       <name>127.0.0.1</name>
                       <udp-and-tcp>
                          <address>127.0.0.1</address>
                       </udp-and-tcp>
                    </server>
                 </dns-resolver>
                 <auth>
                    <user>
                       <user-name>jimmy</user-name>
                       <user-password><![CDATA[$6$mYw6m4p7fUjkfOwr$DkFgDtyEaHNSPTqHM/kubRwP0P8pYzCHxYlVodRl793pzlfhGI8TvTHviZ9iUjAhTNVYfpqKaB6VG8qjc0eIs1]]></user-password>
                    </user>
                 </auth>
              </system>
              <unbound-config xmlns="urn:netgate:xml:yang:netgate-unbound">
                 <parameters>
                    <enable>true</enable>
                 </parameters>
                 <server>
                    <interfaces>
                       <interface>
                          <ip-address>127.0.0.1</ip-address>
                       </interface>
                    </interfaces>
                    <do-ip4>true</do-ip4>
                    <do-tcp>true</do-tcp>
                    <do-udp>true</do-udp>
                    <harden-glue>true</harden-glue>
                    <hide-identity>true</hide-identity>
                    <outgoing-range>4096</outgoing-range>
                 </server>
                 <forward-zones>
                    <zone>
                       <zone-name>.</zone-name>
                       <forward-addresses>
                          <address>
                             <ip-address>1.1.1.1</ip-address>
                          </address>
                          <address>
                             <ip-address>8.8.8.8</ip-address>
                          </address>
                       </forward-addresses>
                    </zone>
                 </forward-zones>
              </unbound-config>
              
Derelict (Netgate):

                The reflect rule should be on the outside interface in the outbound direction.


jimmy1987:

That seemed to work indeed; I made an Allow ICMP rule now, as that would be handy anyway.

I can see indeed that access-lists really do their work, since I could not resolve host names with a reflect rule in place, forgetting that DNS uses UDP port 53.

Is there a way I can look at an access-list while working on it? Right now I would have to exit out each time I want to view it, and if you make a mistake you have to start over again.

Derelict (Netgate):
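The two placements discussed in the posts above (the reflect ACL on the inside interface in the input direction, as in the posted config, versus on the outside interface in the outbound direction, as advised) can be compared in a small model. This is an added example, not code from the thread, from TNSR or from VPP; its ACL semantics are assumptions modelled on the VPP ACL plugin TNSR uses (first match in sequence order wins, an applied ACL ends in an implicit deny, and a reflect rule permits the packet and records the flow so the reverse flow is permitted on the same interface in the opposite direction). The interface names and addresses are the ones quoted in the thread; ports are ignored for brevity, and the model shows the intended behaviour rather than explaining the original report.

```python
"""Simplified model of interface ACLs with a 'reflect' action.

Added example, not TNSR or VPP code. Assumed semantics (stated as
assumptions): rules are tried in sequence order and the first match wins;
an ACL that matches nothing ends in an implicit deny; a 'reflect' rule
permits the packet and records the flow so that the reverse flow is
permitted on the same interface in the opposite direction.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "icmp", "udp" or "tcp"
    sport: int = 0
    dport: int = 0

    def reverse(self) -> "Packet":
        return Packet(self.dst, self.src, self.proto, self.dport, self.sport)


@dataclass
class Rule:
    seq: int
    action: str                     # "permit", "deny" or "reflect"
    proto: Optional[str] = None     # None matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst))


Binding = Tuple[str, str]  # (interface, "input" or "output")


@dataclass
class Firewall:
    acls: Dict[str, List[Rule]]
    bindings: Dict[Binding, str]                       # where each ACL is applied
    sessions: Set[Tuple[str, str, Packet]] = field(default_factory=set)

    def check(self, iface: str, direction: str, p: Packet) -> str:
        # Reflected flows are matched before the ACL itself is consulted.
        if (iface, direction, p) in self.sessions:
            return "permit"
        acl = self.bindings.get((iface, direction))
        if acl is None:
            return "permit"            # no ACL in this direction: unfiltered
        for rule in sorted(self.acls[acl], key=lambda r: r.seq):
            if rule.matches(p):
                if rule.action == "reflect":
                    opposite = "output" if direction == "input" else "input"
                    self.sessions.add((iface, opposite, p.reverse()))
                    return "permit"
                return rule.action
        return "deny"                  # implicit deny at the end of the ACL


def scenario(reflect_binding: Binding) -> Dict[str, str]:
    """The thread's two ACLs, with 'internet-outbound' applied at reflect_binding.

    Addresses are the ones quoted in the thread; 8.8.8.8 is the resolver
    from the posted config. Returns the verdict for an inbound ping to the
    router and for the reply to a DNS query the router sent out.
    """
    fw = Firewall(
        acls={"internet-in": [Rule(10, "deny", "icmp")],
              "internet-outbound": [Rule(10, "reflect")]},
        bindings={("BondEthernet0", "input"): "internet-in",
                  reflect_binding: "internet-outbound"},
    )
    ping = Packet("188.209.55.1", "46.166.184.248", "icmp")
    query = Packet("46.166.184.248", "8.8.8.8", "udp", 40000, 53)
    out = {"ping_in": fw.check("BondEthernet0", "input", ping)}
    fw.check("BondEthernet0", "output", query)            # router sends the query
    out["dns_reply"] = fw.check("BondEthernet0", "input", query.reverse())
    return out


if __name__ == "__main__":
    # As posted: reflect ACL on the inside interface, input direction.
    print("reflect on BondEthernet1 input: ", scenario(("BondEthernet1", "input")))
    # As advised: reflect ACL on the outside interface, output direction.
    print("reflect on BondEthernet0 output:", scenario(("BondEthernet0", "output")))
```

With the reflect ACL on BondEthernet1 input, the outbound DNS query leaves BondEthernet0 unfiltered and nothing records it, so the reply is caught by the implicit deny of `internet-in`, which matches the "could not resolve host names" symptom. With the reflect ACL on BondEthernet0 output, the query creates a reflected entry and the reply is permitted, while the inbound ping is still denied.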

Right now the configuration CLI is what it is. You could have another SSH session into clixon and show from there while you are in config exec mode on another terminal.


jimmy1987:

I'm not putting blame on how it is now, so please don't feel attacked, as that was not my intention; I was just wondering if I missed a command, since I'm just getting started with it. :)

I really like the quick responses on here, even though it is a community forum, and thanks for the quick help with this!

wbaja:

                        I have felt some of the same pain with the ACL config being a little bulky. On the bright side, it's actually made me plan ACLs out a bit better and forced me into having many ACLs with fewer rules each. That being said, I miss being able to see a rule as a single line sometimes.

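The wish expressed in the last posts, to see each ACL rule as a single line and to check an ACL while working on it, can be met outside the config CLI by rendering the `show configuration running` XML dump. The script below is an added example, not a TNSR feature: it parses only the elements visible in the dump posted earlier in the thread (the `acl-config` and `interfaces-config` subtrees in their YANG namespaces) and prints one line per rule and one per interface binding, then flags any reflect ACL applied in the input direction, which is the placement the thread identified as wrong. The sample XML is trimmed from the posted dump and wrapped in a synthetic `<config>` root because the dump has several top-level elements; an `<output>` binding element is assumed by analogy with the `<input>` element shown.

```python
"""One-line view of ACL rules and bindings from a TNSR running-config dump.

Added example, not a TNSR feature. Only leaves that appear in the thread's
dump are parsed (sequence, action, ip-version, protocol, interface name,
binding direction). The <output> direction is assumed by analogy.
"""
import xml.etree.ElementTree as ET
from typing import Iterator, List, Tuple

ACL_NS = "urn:netgate:xml:yang:netgate-acl"
IF_NS = "urn:netgate:xml:yang:netgate-interface"

# Constructed sample: trimmed from the dump posted in the thread and wrapped
# in a synthetic <config> root so it parses as a single XML document.
SAMPLE = """<config>
<acl-config xmlns="urn:netgate:xml:yang:netgate-acl">
 <acl-table>
  <acl-list><acl-name>internet-in</acl-name>
   <acl-rules><acl-rule><sequence>10</sequence><action>deny</action>
    <ip-version>ipv4</ip-version><protocol>icmp</protocol></acl-rule></acl-rules>
  </acl-list>
  <acl-list><acl-name>internet-outbound</acl-name>
   <acl-rules><acl-rule><sequence>10</sequence>
    <acl-rule-description>Reflect all Outbound</acl-rule-description>
    <action>reflect</action><ip-version>ipv4</ip-version></acl-rule></acl-rules>
  </acl-list>
 </acl-table>
</acl-config>
<interfaces-config xmlns="urn:netgate:xml:yang:netgate-interface">
 <interface><name>BondEthernet0</name><enabled>true</enabled>
  <access-list><input><acl-list><acl-name>internet-in</acl-name>
   <sequence>10</sequence></acl-list></input></access-list></interface>
 <interface><name>BondEthernet1</name><enabled>true</enabled>
  <access-list><input><acl-list><acl-name>internet-outbound</acl-name>
   <sequence>10</sequence></acl-list></input></access-list></interface>
</interfaces-config>
</config>"""


def _leaf(el: ET.Element, tag: str, ns: str, default: str = "") -> str:
    """Text of the direct child <tag> in namespace ns, or default."""
    child = el.find("{%s}%s" % (ns, tag))
    return child.text.strip() if child is not None and child.text else default


def acl_rules(root: ET.Element) -> Iterator[Tuple[str, int, str, str, str]]:
    """Yield (acl_name, seq, action, ip_version, protocol) for every rule."""
    for acl in root.iter("{%s}acl-list" % ACL_NS):
        name = _leaf(acl, "acl-name", ACL_NS, "?")
        for rule in acl.iter("{%s}acl-rule" % ACL_NS):
            yield (name, int(_leaf(rule, "sequence", ACL_NS, "0")),
                   _leaf(rule, "action", ACL_NS, "?"),
                   _leaf(rule, "ip-version", ACL_NS, "?"),
                   _leaf(rule, "protocol", ACL_NS, "any"))


def acl_bindings(root: ET.Element) -> Iterator[Tuple[str, str, str, int]]:
    """Yield (interface, direction, acl_name, seq) for each applied ACL."""
    for iface in root.iter("{%s}interface" % IF_NS):
        name = _leaf(iface, "name", IF_NS, "?")
        acl_block = iface.find("{%s}access-list" % IF_NS)
        if acl_block is None:
            continue
        for direction in acl_block:            # <input>, or <output> by analogy
            dir_name = direction.tag.rsplit("}", 1)[-1]
            for entry in direction.iter("{%s}acl-list" % IF_NS):
                yield (name, dir_name, _leaf(entry, "acl-name", IF_NS, "?"),
                       int(_leaf(entry, "sequence", IF_NS, "0")))


def summarize(xml_text: str) -> List[str]:
    """One line per rule, then one line per interface binding."""
    root = ET.fromstring(xml_text)
    lines = ["%s seq %d %s %s %s" % r for r in acl_rules(root)]
    lines += ["%s %s %s seq %d" % b for b in acl_bindings(root)]
    return lines


def audit_reflect(xml_text: str) -> List[str]:
    """Flag reflect ACLs applied in the input direction; per the thread the
    reflect rule belongs on the outside interface in the outbound direction."""
    root = ET.fromstring(xml_text)
    reflect_acls = {name for name, _, action, _, _ in acl_rules(root)
                    if action == "reflect"}
    return ["%s: reflect ACL %s bound in %s direction" % (iface, acl, d)
            for iface, d, acl, _ in acl_bindings(root)
            if acl in reflect_acls and d == "input"]


if __name__ == "__main__":
    for line in summarize(SAMPLE) + audit_reflect(SAMPLE):
        print(line)
```

Run it against a saved copy of `show configuration running` from a second SSH session, as suggested above, to see the ACL you are editing as a table without leaving config mode.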
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.