Virtual Router/ Firewall/ VPN

New Contributor
Posts: 3
Registered: ‎09-13-2016

Newbie Vyatta Firewall Rule Port question

Hi all.  I'm new to Vyatta but have used software firewalls in the past.  I'm trying to simply allow 50 ports and block all the other ports.  I can't find an example of how this a) is done (step by step) or b) what an example looks like.

I can find really complex examples with IPs and domains, etc., but we don't care about that...I just want to allow a bunch of ports and block every other port.  I am hoping this is very easy and straightforward.

I've looked at:  http://wiki.vyos.net/wiki/User_Guide#Firewall   and   Chapter 2 at http://www.brocade.com/content/html/en/administration-guide/vyatta_5400_manual/wwhelp/wwhimpl/js/html/wwhelp.htm#href=Firewall/Configuration%20Examples.03.05.html     and https://knowledgelayer.softlayer.com/learning/network-gateway-devices-vyatta         as well as Googling for quite a while.  This Vyatta device is on IBM SoftLayer.

Can someone help me out?

Thanks in advance!

New Contributor
Posts: 3
Registered: ‎09-13-2016

Re: Newbie Vyatta Firewall Rule Port question

Hi. There have been a lot of views but no replies...I would greatly appreciate some help as this is my first time using Vyatta. Thanks again.
Brocade Moderator
Posts: 79
Registered: ‎06-10-2009

Re: Newbie Vyatta Firewall Rule Port question

Hello,

You don't say whether it is source or destination ports or whether they are TCP or UDP.  Here is an example; hopefully this all makes sense.

set firewall name deny_ports default-action 'drop'
set firewall name deny_ports rule 1 action 'accept'
set firewall name deny_ports rule 1 destination port '22,23,80,443'
set firewall name deny_ports rule 1 protocol 'tcp'
set firewall name deny_ports rule 2 action 'accept'
set firewall name deny_ports rule 2 destination port '53'
set firewall name deny_ports rule 2 protocol 'udp'

You can add further rules as required.

You will then need to apply it to an interface and specify the direction, e.g.

set interfaces ethernet eth0 firewall out name deny_ports

Regards

Steve

New Contributor
Posts: 3
Registered: ‎09-13-2016

Re: Newbie Vyatta Firewall Rule Port question

Thanks, Steve.  2 other questions:

1) If I am reading the script correctly, the first line states set firewall name deny_ports default-action 'drop', which means to block anything that I don't explicitly allow later in the script.  Your next 2 blocks are rule 1 and rule 2, which are allowing a few TCP and UDP ports...and then I need to apply these rules to an interface and then tell that interface if the rules apply to incoming traffic or outgoing traffic...right?

2) What is the limit of the # of ports I can list in a single rule?  I have about 50 ports I want to accept and would like to keep the script somewhat short (unless I can use multiple destination port commands within a single rule).  My proposed sample script would be one of 2 syntaxes (I hope):

set firewall name deny_ports default-action 'drop'
set firewall name deny_ports rule 1 action 'accept'
set firewall name deny_ports rule 1 destination port '22,23,80,443,345,123'
set firewall name deny_ports rule 1 destination port '366,567,534,26,177,1716,999,888,777,666,55555,4444'
set firewall name deny_ports rule 1 destination port '333,222,111,77777,66666,555,44444,33333,2222'
set firewall name deny_ports rule 1 protocol 'tcp'

or

set firewall name deny_ports default-action 'drop'
set firewall name deny_ports rule 1 action 'accept'
set firewall name deny_ports rule 1 destination port '22,23,80,443,345,123,366,567,534,26,177,1716,999,888,777,666,55555,4444'
set firewall name deny_ports rule 1 protocol 'tcp'

set firewall name deny_ports rule 2 action 'accept'
set firewall name deny_ports rule 2 destination port '333,222,111,77777,66666,555,44444,33333,2222'
set firewall name deny_ports rule 2 protocol 'tcp'

Thanks so much again.

-Eric

Brocade Moderator
Posts: 79
Registered: ‎06-10-2009

Re: Newbie Vyatta Firewall Rule Port question

Hello Eric,

1.  That is correct.

2.  Each rule can only support 15 ports.  The syntax specified in your first example, i.e. multiple destination ports under the same rule, is not accepted, as you can only have one destination port statement within each rule.

This means that you would have to expand out your 50 ports across at least 4 rules.

An alternative that you can use is to define a port group which lists all of your ports individually or in ranges.  The vrouter accepts more than fifty in this case.  The port group can then be applied in a rule, e.g.

set firewall group port-group my_ports port '1001-1050'
set firewall group port-group my_ports port '1100-1150'
set firewall group port-group my_ports port '1'
set firewall group port-group my_ports port '2'
set firewall group port-group my_ports port '3'

(continue for as many ports as you need)

set firewall name deny_ports rule 3 action 'accept'
set firewall name deny_ports rule 3 destination group port-group 'my_ports'
set firewall name deny_ports rule 3 protocol 'tcp'

The use of the port group structure would also make it easier to manage, as you can easily delete individual ports as required and re-use the same port-groups across multiple firewall rules.

I did a quick test with my vrouter and nmap performing a port scan and it worked fine.

Steve
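The rule set Steve describes across his two replies (default drop, one accept rule per batch of at most 15 ports, or a single port-group) as an added example that generates the same `set` commands from a list of ports. This is a constructed script for this page, not code from the thread, from Vyatta or from Brocade. It assumes the Vyatta 5400 `set` syntax shown above, the 15-ports-per-rule limit the moderator quotes, a hypothetical interface named eth0 with the rule set bound in the `in` direction (Steve's example used `out`; pick whichever matches where the protected hosts sit), and hypothetical rule numbers. It rejects ports outside 1-65535 (such as the 77777 in the proposed script above) and adds one thing the thread does not mention: an accept rule for established/related traffic, without which a default-drop, destination-port-only allow list also drops the return half of connections the protected hosts open themselves.

```python
"""Generate a default-drop Vyatta rule set that allows only a list of ports.

Constructed example; not code from the thread, Vyatta or Brocade.  Assumes the
'set' syntax shown in the thread, the 15-port-per-rule limit cited there, and a
hypothetical interface eth0 bound in the 'in' direction.
"""

PORTS_PER_RULE = 15  # per-rule limit stated by the moderator


def check_ports(ports):
    """Return (valid, invalid): valid is sorted and de-duplicated, invalid holds
    anything outside 1-65535 (the CLI would reject e.g. 77777)."""
    valid, invalid = set(), []
    for p in ports:
        p = int(p)
        if 1 <= p <= 65535:
            valid.add(p)
        else:
            invalid.append(p)
    return sorted(valid), invalid


def chunk(seq, size):
    """Yield consecutive slices of seq with at most `size` items each."""
    for i in range(0, len(seq), size):
        yield seq[i:i + size]


def to_ranges(sorted_ports):
    """Collapse a sorted port list into 'a-b' strings for port-group entries."""
    out = []
    start = prev = None
    for p in sorted_ports:
        if start is not None and p == prev + 1:
            prev = p
            continue
        if start is not None:
            out.append(f"{start}-{prev}" if start != prev else str(start))
        start = prev = p
    if start is not None:
        out.append(f"{start}-{prev}" if start != prev else str(start))
    return out


def accept_rule(name, rule, proto, port_spec):
    """Three 'set' lines for one accept rule (port_spec is the part after 'destination')."""
    return [f"set firewall name {name} rule {rule} action 'accept'",
            f"set firewall name {name} rule {rule} protocol '{proto}'",
            f"set firewall name {name} rule {rule} destination {port_spec}"]


def base_rules(name):
    """Default drop, plus an accept for established/related traffic so that
    replies to connections the protected hosts initiate are not dropped
    (their return packets arrive on ephemeral ports, not the allowed ones)."""
    return [f"set firewall name {name} default-action 'drop'",
            f"set firewall name {name} rule 1 action 'accept'",
            f"set firewall name {name} rule 1 state established 'enable'",
            f"set firewall name {name} rule 1 state related 'enable'"]


def bind(name, interface="eth0", direction="in"):
    """Attach the rule set to an interface in one direction (eth0 is assumed)."""
    return [f"set interfaces ethernet {interface} firewall {direction} name {name}"]


def rule_set_chunked(name, tcp_ports, udp_ports=(), interface="eth0"):
    """Option 1 from the thread: one accept rule per chunk of PORTS_PER_RULE ports."""
    lines = base_rules(name)
    rule = 10  # assumed numbering; leaves room to insert rules later
    for proto, ports in (("tcp", tcp_ports), ("udp", udp_ports)):
        valid, invalid = check_ports(ports)
        if invalid:
            raise ValueError(f"invalid {proto} ports: {invalid}")
        for group in chunk(valid, PORTS_PER_RULE):
            spec = "port '" + ",".join(map(str, group)) + "'"
            lines += accept_rule(name, rule, proto, spec)
            rule += 10
    return lines + bind(name, interface)


def rule_set_port_group(name, group, tcp_ports, interface="eth0"):
    """Option 2 from the thread: a port-group (consecutive ports collapsed into
    ranges) referenced by a single accept rule."""
    valid, invalid = check_ports(tcp_ports)
    if invalid:
        raise ValueError(f"invalid tcp ports: {invalid}")
    lines = [f"set firewall group port-group {group} port '{r}'" for r in to_ranges(valid)]
    lines += base_rules(name)
    lines += accept_rule(name, 10, "tcp", f"group port-group '{group}'")
    return lines + bind(name, interface)


if __name__ == "__main__":
    # Constructed input: 50 TCP ports (40 consecutive plus 10 scattered) and UDP 53.
    tcp = list(range(1001, 1041)) + [22, 80, 443, 3306, 5432, 8080, 8443, 9000, 9090, 9200]
    print("\n".join(rule_set_chunked("allow_ports", tcp, udp_ports=[53])))
    print()
    print("\n".join(rule_set_port_group("allow_ports", "my_ports", tcp)))
```

Paste the printed lines into a `configure` session and `commit`. Note that `in` and `out` on an interface filter traffic forwarded through the router; if the ports you are protecting belong to the router itself, bind the rule set with `local` instead.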
