Vyatta Router Firewall Rules and Configuration

The ingress IPv4 firewall is named “xxx” and is applied to the router interface that is connected to the ISP.

  1. The default action of this firewall is drop, which means that any packet not matching one of the firewall rules is dropped.

    Rules 30, 40 and 50 block incoming packets whose source address is a private IP (RFC 1918).

    Rule 60 is the anti-spoofing rule for ingress packets; it blocks any packet from outside whose source IP address is in one of our subnets.

    Rules 70, 72, 74 and 76 allow packets whose source or destination IP has been added to the ThreatStop allow list.

    Rules 78, 80, 82 and 84 block packets that are in the ThreatStop block list (both user-defined and others).

    Rule 90 is a catch-all for all packets whose state is “Established” or “Related”. Such packets belong to connections whose initial “New” packet has already passed the filters that come after this rule, so accepting them here prevents them from unnecessarily going through the same rules again.

    Rule 100 limits the number of new inbound DNS connections from a source IP to 4 connections in 4 seconds; if a source exceeds that, it is blocked for 4 seconds.

    Rule 104 blocks all inbound TCP connections to port 445.

    Rule 106 blocks all inbound UDP connections to port 1434.

    Rules 108 and 110 block all inbound TCP and UDP connections to ports 135-139.

    Rules 123-140 block TCP packets that have the SYN flag set and the ACK, FIN and RST flags clear (the first segment of a TCP session) after “count” attempts in “time” seconds; the block time is also “time” seconds. These rules prevent or limit the effect of brute-force/dictionary attacks or flooding on the default ports of these TCP-based protocols: SMTP, IMAP, POP, RDP, SSH, VNC, FTP.

    Rule 900 is the “permit all” rule for all packets that have passed the previous filters (needed because the firewall’s default action is “drop”).
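The ingress ruleset described above, written out as Vyatta configuration commands. This is an added example, not the router’s actual configuration: the firewall name WAN-IN, the ISP-facing interface eth0, the OUR-NETS network group with its prefix 203.0.113.0/24, and the count/time values on rule 125 are assumed placeholders, and the ThreatStop rules 70-84 are left out.

```vyatta
configure
# Placeholder name for the page's "xxx"; default action drop
set firewall name WAN-IN default-action drop
# Rules 30/40/50: drop RFC 1918 sources arriving from the ISP
set firewall name WAN-IN rule 30 action drop
set firewall name WAN-IN rule 30 source address 10.0.0.0/8
set firewall name WAN-IN rule 40 action drop
set firewall name WAN-IN rule 40 source address 172.16.0.0/12
set firewall name WAN-IN rule 50 action drop
set firewall name WAN-IN rule 50 source address 192.168.0.0/16
# Rule 60: anti-spoofing; OUR-NETS is an assumed group holding our own prefixes
set firewall group network-group OUR-NETS network 203.0.113.0/24
set firewall name WAN-IN rule 60 action drop
set firewall name WAN-IN rule 60 source group network-group OUR-NETS
# Rule 90: established/related traffic skips the per-service rules below
set firewall name WAN-IN rule 90 action accept
set firewall name WAN-IN rule 90 state established enable
set firewall name WAN-IN rule 90 state related enable
# Rule 100: new inbound DNS limited to 4 hits in 4 seconds per source
set firewall name WAN-IN rule 100 action drop
set firewall name WAN-IN rule 100 protocol udp
set firewall name WAN-IN rule 100 destination port 53
set firewall name WAN-IN rule 100 state new enable
set firewall name WAN-IN rule 100 recent count 4
set firewall name WAN-IN rule 100 recent time 4
# Rule 104: no inbound SMB
set firewall name WAN-IN rule 104 action drop
set firewall name WAN-IN rule 104 protocol tcp
set firewall name WAN-IN rule 104 destination port 445
# Rule 125: SSH; only SYN-without-ACK/FIN/RST segments are counted, so
# established sessions are untouched (count/time are placeholders)
set firewall name WAN-IN rule 125 action drop
set firewall name WAN-IN rule 125 protocol tcp
set firewall name WAN-IN rule 125 destination port 22
set firewall name WAN-IN rule 125 tcp flags SYN,!ACK,!FIN,!RST
set firewall name WAN-IN rule 125 recent count 5
set firewall name WAN-IN rule 125 recent time 60
# Rule 900: permit everything that survived the filters above
set firewall name WAN-IN rule 900 action accept
# Attach to the ISP-facing interface in the ingress direction
set interfaces ethernet eth0 firewall in name WAN-IN
commit
save
```

The other rate-limited services (rules 123-140) follow the rule 125 pattern with their own destination port.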

  2. The egress IPv4 firewall is named TSrtoutrule and is applied to the interfaces that connect the router to the core switches and also to the interface that is connected to the service provider. The reason is that if an egress packet is going to be blocked, this is done at the very first interface through which it enters the router (from the core switches) rather than having it processed by the router first and then blocked at the exit interface to the ISP.

    Rules 10 and 11 allow packets whose destination IP is in the ThreatStop white list.

    Rules 12 and 13 block packets whose destination address is in the ThreatStop block list.

    Rule 19 is the anti-spoofing rule; it allows only packets whose source address is within our subnets.

    All other packets that do not match any of the above rules are dropped because the default action is “drop”.
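The egress ruleset and its placement on both sides of the router, as an added Vyatta configuration example (not the site’s actual configuration). Assumed placeholders: eth1 and eth2 face the core switches, eth0 faces the ISP, OUR-NETS holds our public prefix 203.0.113.0/24, and TS-ALLOW and TS-BLOCK are the network groups that the ThreatStop integration is assumed to populate; the second allow and block rules (11 and 13) are omitted.

```vyatta
configure
# Our own prefix (placeholder); TS-ALLOW/TS-BLOCK are assumed to be
# created and filled by the ThreatStop update job
set firewall group network-group OUR-NETS network 203.0.113.0/24
set firewall name TSrtoutrule default-action drop
# Rule 10: ThreatStop allow list is checked before the block list
set firewall name TSrtoutrule rule 10 action accept
set firewall name TSrtoutrule rule 10 destination group network-group TS-ALLOW
# Rule 12: ThreatStop block list
set firewall name TSrtoutrule rule 12 action drop
set firewall name TSrtoutrule rule 12 destination group network-group TS-BLOCK
# Rule 19: only our own source addresses may leave; anything else
# (a spoofed or misconfigured internal host) falls to default drop
set firewall name TSrtoutrule rule 19 action accept
set firewall name TSrtoutrule rule 19 source group network-group OUR-NETS
# Bind in the "in" direction on the core-switch ports, so a packet that
# will be dropped anyway never gets routed, and "out" on the ISP port
# as a backstop for any other path out
set interfaces ethernet eth1 firewall in name TSrtoutrule
set interfaces ethernet eth2 firewall in name TSrtoutrule
set interfaces ethernet eth0 firewall out name TSrtoutrule
commit
save
```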

  3. The firewall for ingress IPv6 packets is named IPv6-INGRESS and its default action is drop. (There is no ThreatStop service for IPv6 yet.)

    Rule 60 is the anti-spoofing rule for ingress packets; it blocks any packet from outside whose source IP address is in our range (26xx:xxxx::/32).

    Rule 90 is a catch-all for all packets whose state is “Established” or “Related”. Such packets belong to connections whose initial “New” packet has already passed the filters that come after this rule, so accepting them here prevents them from unnecessarily going through the same rules again.

    Rules 100-140 are similar to the ingress IPv4 rules with the same numbers.

    Rule 860 allows packets from the link-local address of the ISP port that is directly connected to the router.

    Rule 900 verifies that the source address is within the global IPv6 unicast range 2000::/3. All other packets that don’t match one of the above rules are dropped.

  4. The firewall for egress IPv6 packets is named IPv6-EGRESS and its default action is drop. Rule 15 allows all packets with the link-local source address of the interface connecting to the ISP.

    Rule 20 allows all packets whose source address is the IPv6 address assigned by the ISP to the interface connecting to the ISP.

    Rule 25 allows all packets whose source address is within the global unicast range assigned to us (26xx:xxxx::/32).

    All other packets that don’t match one of the above rules are dropped.
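The two IPv6 firewalls from sections 3 and 4 as Vyatta configuration commands (an added example, not the router’s own configuration). Assumed placeholders: 2001:db8::/32 stands in for the 26xx:xxxx::/32 prefix, fe80::1 for the ISP’s link-local address, 2001:db8:ffff::2 for the ISP-assigned address on the uplink, and eth0 for the ISP-facing interface; rules 100-140 are omitted because they mirror the IPv4 ingress block.

```vyatta
configure
# ---- ingress: packets arriving from the ISP ----
set firewall ipv6-name IPv6-INGRESS default-action drop
# Rule 60: anti-spoofing; nothing from outside may claim our own prefix
set firewall ipv6-name IPv6-INGRESS rule 60 action drop
set firewall ipv6-name IPv6-INGRESS rule 60 source address 2001:db8::/32
# Rule 90: established/related short-circuit
set firewall ipv6-name IPv6-INGRESS rule 90 action accept
set firewall ipv6-name IPv6-INGRESS rule 90 state established enable
set firewall ipv6-name IPv6-INGRESS rule 90 state related enable
# Rule 860: the ISP's directly connected link-local neighbour (placeholder)
set firewall ipv6-name IPv6-INGRESS rule 860 action accept
set firewall ipv6-name IPv6-INGRESS rule 860 source address fe80::1/128
# Rule 900: only global unicast sources (2000::/3) are accepted; ULA,
# multicast and other link-local sources fall to default drop
set firewall ipv6-name IPv6-INGRESS rule 900 action accept
set firewall ipv6-name IPv6-INGRESS rule 900 source address 2000::/3
# ---- egress: packets leaving towards the ISP ----
set firewall ipv6-name IPv6-EGRESS default-action drop
# Rule 15: the uplink's own link-local address (neighbour discovery etc.)
set firewall ipv6-name IPv6-EGRESS rule 15 action accept
set firewall ipv6-name IPv6-EGRESS rule 15 source address fe80::/10
# Rule 20: the ISP-assigned address of the uplink interface (placeholder)
set firewall ipv6-name IPv6-EGRESS rule 20 action accept
set firewall ipv6-name IPv6-EGRESS rule 20 source address 2001:db8:ffff::2/128
# Rule 25: our own global unicast prefix (placeholder for 26xx:xxxx::/32)
set firewall ipv6-name IPv6-EGRESS rule 25 action accept
set firewall ipv6-name IPv6-EGRESS rule 25 source address 2001:db8::/32
# Bind both rulesets to the ISP-facing interface
set interfaces ethernet eth0 firewall in ipv6-name IPv6-INGRESS
set interfaces ethernet eth0 firewall out ipv6-name IPv6-EGRESS
commit
save
```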

  5. Update: The following protocols/ports have been blocked:

    Portmapper, TCP/UDP/111 (rules 142 and 144)

    mDNS, UDP/5353 (rule 146)

    TFTP, UDP/69 (rule 148)

    SNMP, UDP/161 (rule 150, except Cacti)

    IPMI, TCP/UDP/623 (rules 152 and 154)

    The following had already been blocked:

    CIFS/SMB/NetBIOS (TCP/UDP/137-139, TCP/445; rules 104, 108, 110)

    MS-SQL (UDP/1434, rule 106)

    RFC 1918 private IPs (rules 30, 40, 50)

    Anti-spoof ingress (rule 60, drops any incoming packet whose source address is one of our network IPs)

    The following protocols have been rate-limited using “recent” to prevent or limit attacks and scans:

    DNS, UDP/53 (rule 100)

    TCP/8212 (rule 123)

    SSH, TCP/22 (rule 125)

    RDP, TCP/3389 (rule 126)

    SMTP, TCP/25 (rule 132; currently disabled)

    POP3, TCP/110 (rule 134)

    VNC, TCP/5900 (rule 136)

    IMAP, TCP/143 (rule 138)

    FTP, TCP/21 (rule 140)

    ThreatStop allow rules: 70, 72, 74, 76

    ThreatStop block rules: 78, 80, 82, 84