Solution
Below is the local-in policy configuration for this example, which blocks HTTP access to the firewall IP 10.109.52.6 when the traffic is received on port1 from any source:
config firewall local-in-policy
edit 1
set uuid f95c52e0-5887-51ef-31e7-12ba136b2228
set intf "port1"
set srcaddr "all"
set dstaddr "10.109.52.6"
set service "HTTP"
set schedule "always"
next
end
- Whether the traffic matches the local-in policy can be validated using the debug flow.
- Run the below commands:
di de reset
di de flow filter clear
di de flow filter addr x.x.x.x
di de flow filter dport xyz
di de flow show iprope enable
di de flow trace start 100
di de enable
Note:
Above, x.x.x.x can be the source or the destination IP, depending on the traffic expected; use whichever produces the smaller volume of logs. xyz is the destination port.
- Once the traffic is initiated and the logs are seen, stop the debug using:
di de di
di de reset
Below is the debug output:
id=65308 trace_id=13 func=print_pkt_detail line=5980 msg="vd-root:0 received a packet(proto=6, 10.109.63.254:50356->10.109.52.6:80) tun_id=0.0.0.0 from port1. flag [S], seq 947917669, ack 0, win 64240" <----- Traffic incoming on port1 with destination 10.109.52.6 and dport 80.
id=65308 trace_id=13 func=init_ip_session_common line=6179 msg="allocate a new session-000764d8"
id=65308 trace_id=13 func=iprope_dnat_check line=5532 msg="in-[port1], out-[]"
id=65308 trace_id=13 func=iprope_dnat_tree_check line=826 msg="len=0"
id=65308 trace_id=13 func=iprope_dnat_check line=5557 msg="result: skb_flags-02000000, vid-0, ret-no-match, act-accept, flag-00000000"
id=65308 trace_id=13 func=__vf_ip_route_input_rcu line=1989 msg="find a route: flag=80000000 gw-0.0.0.0 via root" <----- The firewall checked the route and treats the packet as destined to itself.
id=65308 trace_id=13 func=iprope_access_proxy_check line=457 msg="in-[port1], out-[], skb_flags-02000000, vid-0"
id=65308 trace_id=13 func=__iprope_check line=2437 msg="gnum-100017, check-ffffffffa002cc57"
id=65308 trace_id=13 func=iprope_policy_group_check line=4954 msg="after check: ret-no-match, act-accept, flag-00000000, flag2-00000000"
id=65308 trace_id=13 func=iprope_in_check line=495 msg="in-[port1], out-[], skb_flags-02000000, vid-0"
id=65308 trace_id=13 func=__iprope_check line=2437 msg="gnum-100011, check-ffffffffa002e275"
id=65308 trace_id=13 func=iprope_policy_group_check line=4954 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=13 func=__iprope_check line=2437 msg="gnum-100001, check-ffffffffa002cc57"
id=65308 trace_id=13 func=__iprope_check_one_policy line=2154 msg="checked gnum-100001 policy-1, ret-matched, act-accept" <----- The firewall checked policy 1 in group number 100001; 100001 is the group number for local-in policies.
id=65308 trace_id=13 func=__iprope_user_identity_check line=1917 msg="ret-matched"
id=65308 trace_id=13 func=__iprope_check_one_policy line=2407 msg="policy-1 is matched, act-drop"
id=65308 trace_id=13 func=__iprope_check line=2454 msg="gnum-100001 check result: ret-matched, act-drop, flag-08010000, flag2-00000000"
id=65308 trace_id=13 func=iprope_policy_group_check line=4954 msg="after check: ret-matched, act-drop, flag-08010000, flag2-00000000"
id=65308 trace_id=13 func=fw_local_in_handler line=623 msg="iprope_in_check() check failed on policy 1, drop" <----- Dropped the packet matching local-in policy ID 1.
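Reading a long debug flow by eye is error-prone, so the following added Python script (written for this page, not part of the article or of Fortinet's tooling) parses the key=value records above, extracts the packet tuple and ingress interface, and reports which policy in the local-in group 100001 matched and with what action. The sample input is a constructed subset of the debug lines quoted above; the function names in the regexes are the ones that appear in that output.

```python
import re
from typing import Dict, Optional

# Constructed sample: a subset of the debug-flow records quoted in this article.
SAMPLE_DEBUG = """\
id=65308 trace_id=13 func=print_pkt_detail line=5980 msg="vd-root:0 received a packet(proto=6, 10.109.63.254:50356->10.109.52.6:80) tun_id=0.0.0.0 from port1. flag [S], seq 947917669, ack 0, win 64240"
id=65308 trace_id=13 func=__iprope_check line=2437 msg="gnum-100011, check-ffffffffa002e275"
id=65308 trace_id=13 func=iprope_policy_group_check line=4954 msg="after check: ret-no-match, act-drop, flag-00000000, flag2-00000000"
id=65308 trace_id=13 func=__iprope_check_one_policy line=2154 msg="checked gnum-100001 policy-1, ret-matched, act-accept"
id=65308 trace_id=13 func=__iprope_check_one_policy line=2407 msg="policy-1 is matched, act-drop"
id=65308 trace_id=13 func=__iprope_check line=2454 msg="gnum-100001 check result: ret-matched, act-drop, flag-08010000, flag2-00000000"
id=65308 trace_id=13 func=fw_local_in_handler line=623 msg="iprope_in_check() check failed on policy 1, drop"
"""
LOCAL_IN_GROUP = "100001"  # iprope group number of the local-in policies, as stated in the article

# key=value pairs; a value is either a double-quoted string or a run of non-space characters
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
PKT_RE = re.compile(r'proto=(\d+), ([\d.]+):(\d+)->([\d.]+):(\d+)\) .* from (\S+)\.')
MATCH_RE = re.compile(r'checked gnum-(\d+) policy-(\d+), ret-matched')
RESULT_RE = re.compile(r'gnum-(\d+) check result: ret-(\S+), act-(\w+)')

def parse_line(line: str) -> Dict[str, str]:
    """Split one debug-flow record into its fields; quoted values lose their quotes."""
    return {k: (q if v.startswith('"') else v) for k, v, q in FIELD_RE.findall(line)}

def summarize_local_in(debug_text: str) -> Dict[str, Optional[str]]:
    """Extract the packet tuple, ingress interface and the local-in group's verdict."""
    summary: Dict[str, Optional[str]] = {
        "packet": None, "ingress": None, "local_in_policy": None, "verdict": None,
    }
    for raw in debug_text.splitlines():
        rec = parse_line(raw)
        func, msg = rec.get("func"), rec.get("msg", "")
        if func == "print_pkt_detail":
            m = PKT_RE.search(msg)
            if m:
                proto, sip, sport, dip, dport, ifname = m.groups()
                summary["packet"] = f"proto {proto} {sip}:{sport} -> {dip}:{dport}"
                summary["ingress"] = ifname
        elif func == "__iprope_check_one_policy":
            m = MATCH_RE.search(msg)
            if m and m.group(1) == LOCAL_IN_GROUP:
                summary["local_in_policy"] = m.group(2)
        elif func == "__iprope_check":
            m = RESULT_RE.search(msg)
            if m and m.group(1) == LOCAL_IN_GROUP:
                summary["verdict"] = m.group(3)  # "drop" here: the local-in policy denied it
    return summary
```

Feed it the full captured output (with the `<-----` annotations removed) to confirm in one line that the packet hit the expected local-in policy and was dropped rather than silently falling through to another group.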
Firewall kernel-level policy output:
rimmer-esx27 (Interim)# diagnose firewall iprope list 00100001 <----- In this command, 00100001 lists the local-in policies.
policy index=1 uuid_idx=15850 action=drop <----- Matches the action seen in the debug output.
flag (8010000): master pol_stats
schedule(always)
cos_fwd=0 cos_rev=0
group=00100001 av=00000000 au=00000000 split=00000000
host=0 chk_client_info=0x0 app_list=0 ips_view=0
misc=0
zone(1): 3 -> zone(1): 0
source(1): 0.0.0.0-255.255.255.255, uuid_idx=15745,
dest(1): 10.109.52.6-10.109.52.6, uuid_idx=15849,
service(1): [6:0x0:0/(1,65535)->(80,80)] flags:0 helper:auto
rimmer-esx27 (Interim)#