Firewall Enqueue

This scenario shows how to configure the traffic-proxy service to enqueue the intercepted traffic in a firewall instance.

Test Traffic-Proxy Enqueue

Description

This example demonstrates how to enqueue the intercepted flows in a traffic queue where a firewall instance is ready to inspect the traffic.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces eth0 traffic policy in TPROXY
set interfaces eth0 address 192.168.1.1/24
set interfaces eth0 tcp-mss 1400
set interfaces eth1.100 address 10.0.0.1/24
set interfaces eth1.100 tcp-mss 1400
set traffic policy TPROXY rule 5 selector TCP_TRAFFIC
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic selector TCP_TRAFFIC rule 1 protocol tcp
set traffic selector TCP_TRAFFIC rule 1 destination port 80,443,8080,4430
set service traffic-proxy TRAFFIC_PROXY mode ssl
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert running://test.crt
set service traffic-proxy TRAFFIC_PROXY x509 ca-key running://test.key
set service traffic-proxy TRAFFIC_PROXY queue Q1
set service traffic-proxy TRAFFIC_PROXY logging queue
set service firewall FWL logging outputs fast
set service firewall FWL mode inline queue Q1
set service firewall FWL ruleset file running://traffic-proxy.rules
set traffic queue Q1 elements 0

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set protocols static route 0.0.0.0/0 next-hop 10.0.0.1

Step 4: Ping IP address 10.0.0.2 from DUT1:

admin@DUT1$ ping 10.0.0.2 count 1 size 56 timeout 1

Show output

PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=63 time=0.834 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.834/0.834/0.834/0.000 ms

Step 5: Ping IP address 192.168.1.2 from DUT2:

admin@DUT2$ ping 192.168.1.2 count 1 size 56 timeout 1

Show output

PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=63 time=0.578 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.578/0.578/0.578/0.000 ms

Step 6: Run command file show running://traffic-proxy.rules at DUT0 and expect this output:

Show output

alert tcp any any -> any 443 (msg: "Allowed traffic"; sid: 1;)
drop tcp any any -> any 4430 (msg: "Disallowed traffic"; sid: 2;)

Step 7: Initiate a ssl connection from DUT1 to DUT2 and try to send some messages between both endpoints

admin@DUT2$ monitor test connection server 443 ssl cert running://test.crt key running://test.key
admin@DUT1$ monitor test connection client 10.0.0.2 443 ssl source-port 1234

Step 8: Run command service traffic-proxy TRAFFIC_PROXY show stats at DUT0 and check if output does not match the following regular expressions:

intercepted\s+0\s+0

Show output

Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
queue - reply        4    180
queue - orig         6    260
intercepted         12   1100
error                0      0

Step 9: Run command service firewall FWL show logging fast | tail -n 2 at DUT0 and expect this output:

Show output

06/20/2024-18:19:05.652267  [**] [1:1:0] Allowed traffic [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.2:1234 -> 10.0.0.2:443

---

Test Traffic-Proxy Enqueue And Early-Drop

Description

This example demonstrates how to enqueue the intercepted flows in a traffic queue where a firewall instance is ready to inspect the traffic. In this case, a different port is used to trigger a rule with a drop action that will install an early-drop policy at XDP.

Scenario

Step 1: Set the following configuration in DUT0:

set interfaces eth0 traffic policy in TPROXY
set interfaces eth0 address 192.168.1.1/24
set interfaces eth0 tcp-mss 1400
set interfaces eth1.100 address 10.0.0.1/24
set interfaces eth1.100 tcp-mss 1400
set traffic policy TPROXY rule 5 selector TCP_TRAFFIC
set traffic policy TPROXY rule 5 action proxy tcp 3128
set traffic selector TCP_TRAFFIC rule 1 protocol tcp
set traffic selector TCP_TRAFFIC rule 1 destination port 80,443,8080,4430
set service traffic-proxy TRAFFIC_PROXY mode ssl
set service traffic-proxy TRAFFIC_PROXY port 3128
set service traffic-proxy TRAFFIC_PROXY x509 ca-cert running://test.crt
set service traffic-proxy TRAFFIC_PROXY x509 ca-key running://test.key
set service traffic-proxy TRAFFIC_PROXY queue Q1
set service traffic-proxy TRAFFIC_PROXY logging queue
set service firewall FWL logging outputs fast
set service firewall FWL mode inline queue Q1
set service firewall FWL ruleset file running://traffic-proxy.rules
set traffic queue Q1 elements 0
set service firewall FWL stream bypass action drop set xdp-early-drop eth0,eth1

Step 2: Set the following configuration in DUT1:

set interfaces ethernet eth0 address 192.168.1.2/24
set protocols static route 0.0.0.0/0 next-hop 192.168.1.1

Step 3: Set the following configuration in DUT2:

set interfaces ethernet eth0 vif 100 address 10.0.0.2/24
set protocols static route 0.0.0.0/0 next-hop 10.0.0.1

Step 4: Ping IP address 10.0.0.2 from DUT1:

admin@DUT1$ ping 10.0.0.2 count 1 size 56 timeout 1

Show output

PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
64 bytes from 10.0.0.2: icmp_seq=1 ttl=63 time=0.981 ms

--- 10.0.0.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.981/0.981/0.981/0.000 ms

Step 5: Ping IP address 192.168.1.2 from DUT2:

admin@DUT2$ ping 192.168.1.2 count 1 size 56 timeout 1

Show output

PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=63 time=0.629 ms

--- 192.168.1.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.629/0.629/0.629/0.000 ms

Step 6: Run command file show running://traffic-proxy.rules at DUT0 and expect this output:

Show output

alert tcp any any -> any 443 (msg: "Allowed traffic"; sid: 1;)
drop tcp any any -> any 4430 (msg: "Disallowed traffic"; sid: 2;)

Note

The first attempt will be allowed but it should attach an early drop policy in the source Ethernet interface.

Step 7: Initiate a ssl connection from DUT1 to DUT2 and try to send some messages between both endpoints

admin@DUT2$ monitor test connection server 4430 ssl cert running://test.crt key running://test.key
admin@DUT1$ monitor test connection client 10.0.0.2 4430 ssl source-port 1234

Step 8: Run command service traffic-proxy TRAFFIC_PROXY show stats at DUT0 and check if output does not match the following regular expressions:

intercepted\s+0\s+0

Show output

Statistics for instance "TRAFFIC_PROXY":

-----------------------------
name           packets  bytes
-----------------------------
queue - reply        5    220
queue - orig         5    220
intercepted          8    873
error                0      0

Step 9: Run command service firewall FWL show logging fast | tail -n 2 at DUT0 and expect this output:

Show output

06/20/2024-18:19:22.676697  [Drop] [**] [1:2:0] Disallowed traffic [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.2:1234 -> 10.0.0.2:4430

Step 10: Run command service firewall FWL show early-drop-stats eth0 at DUT0 and check if output matches the following regular expressions:

yes\s+\d+\s+\d+\s+[1-9]\d*\s+[1-9]\d*

Show output

------------------------------------------------------------------------------
    src          dst      src port  dst port  tcp  vlan_0  vlan_1  pkts  bytes
------------------------------------------------------------------------------
192.168.1.2  10.0.0.2         1234      4430  yes       0       0     7    457
10.0.0.2     192.168.1.2      4430      1234  yes       0       0     0      0

Note

The second attempt should fail because of the XDP hook.

Step 11: Expect a failure in the following command: Initiate a ssl connection from DUT1 to DUT2 and try to send some messages between both endpoints

admin@DUT2$ monitor test connection server 4430 ssl cert running://test.crt key running://test.key
admin@DUT1$ monitor test connection client 10.0.0.2 4430 ssl source-port 1234

Step 12: Run command service firewall FWL show logging fast | tail -n 2 at DUT0 and expect this output:

Show output

06/20/2024-18:19:22.676697  [Drop] [**] [1:2:0] Disallowed traffic [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.2:1234 -> 10.0.0.2:4430

Step 13: Run command service firewall FWL show early-drop-stats eth0 at DUT0 and check if output matches the following regular expressions:

yes\s+\d+\s+\d+\s+[1-9]\d*\s+[1-9]\d*

Show output

------------------------------------------------------------------------------
    src          dst      src port  dst port  tcp  vlan_0  vlan_1  pkts  bytes
------------------------------------------------------------------------------
192.168.1.2  10.0.0.2         1234      4430  yes       0       0    16   1023
10.0.0.2     192.168.1.2      4430      1234  yes       0       0     0      0

---