Firewall Enqueue
This scenario shows how to configure the traffic-proxy service to enqueue the intercepted traffic in a firewall instance.
Test Traffic-Proxy Enqueue
Description
This example demonstrates how to enqueue the intercepted
flows in a traffic queue where a firewall instance
is ready to inspect the traffic.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces eth0.100 traffic policy in TPROXY set interfaces eth0.100 address 10.0.0.1/24 set interfaces eth0.100 tcp-mss 1400 set interfaces eth1.200 address 192.168.1.1/24 set interfaces eth1.200 tcp-mss 1400 set traffic policy TPROXY rule 5 selector TCP_TRAFFIC set traffic policy TPROXY rule 5 action proxy tcp 3128 set traffic selector TCP_TRAFFIC rule 1 protocol tcp set traffic selector TCP_TRAFFIC rule 1 destination port 80,443,8080,4430 set service traffic-proxy TRAFFIC_PROXY mode ssl set service traffic-proxy TRAFFIC_PROXY port 3128 set service traffic-proxy TRAFFIC_PROXY x509 ca-cert running://test.crt set service traffic-proxy TRAFFIC_PROXY x509 ca-key running://test.key set service traffic-proxy TRAFFIC_PROXY queue Q1 set service traffic-proxy TRAFFIC_PROXY logging queue set service firewall FWL logging outputs fast set service firewall FWL mode inline queue Q1 set service firewall FWL ruleset file running://traffic-proxy.rules set traffic queue Q1 elements 0
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24 set protocols static route 0.0.0.0/0 next-hop 10.0.0.1
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth0 vif 200 address 192.168.1.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
Step 4: Ping IP address 192.168.1.2 from DUT1:
admin@DUT1$ ping 192.168.1.2 count 1 size 56 timeout 1Show output
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data. 64 bytes from 192.168.1.2: icmp_seq=1 ttl=63 time=0.781 ms --- 192.168.1.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.781/0.781/0.781/0.000 ms
Step 5: Ping IP address 10.0.0.2 from DUT2:
admin@DUT2$ ping 10.0.0.2 count 1 size 56 timeout 1Show output
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data. 64 bytes from 10.0.0.2: icmp_seq=1 ttl=63 time=3.84 ms --- 10.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 3.840/3.840/3.840/0.000 ms
Step 6: Run command file show running://traffic-proxy.rules at DUT0 and expect this output:
Show output
alert tcp any any -> any 443 (msg: "Allowed traffic"; sid: 1;) drop tcp any any -> any 4430 (msg: "Disallowed traffic"; sid: 2;)
Step 7: Initiate a ssl connection from DUT1 to DUT2 and try to send some messages between both endpoints
admin@DUT2$ monitor test connection server 443 ssl cert running://test.crt key running://test.key admin@DUT1$ monitor test connection client 192.168.1.2 443 ssl source-port 1234
Step 8: Run command service traffic-proxy TRAFFIC_PROXY show stats at DUT0 and check if output does not match the following regular expressions:
intercepted\s+0\s+0Show output
Statistics for instance "TRAFFIC_PROXY": ----------------------------- name packets bytes ----------------------------- queue - reply 4 178 queue - orig 6 258 intercepted 12 1098 error 0 0
Step 9: Run command service firewall FWL show logging fast | tail -n 2 at DUT0 and expect this output:
Show output
12/13/2023-00:27:11.706142 [**] [1:1:0] Allowed traffic [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.2:1234 -> 192.168.1.2:443
Test Traffic-Proxy Enqueue And Early-Drop
Description
This example demonstrates how to enqueue the intercepted
flows in a traffic queue where a firewall instance
is ready to inspect the traffic. In this case, a
different port is used to trigger a rule with a drop
action that will install an early-drop policy at XDP.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces eth0.100 traffic policy in TPROXY set interfaces eth0.100 address 10.0.0.1/24 set interfaces eth0.100 tcp-mss 1400 set interfaces eth1.200 address 192.168.1.1/24 set interfaces eth1.200 tcp-mss 1400 set traffic policy TPROXY rule 5 selector TCP_TRAFFIC set traffic policy TPROXY rule 5 action proxy tcp 3128 set traffic selector TCP_TRAFFIC rule 1 protocol tcp set traffic selector TCP_TRAFFIC rule 1 destination port 80,443,8080,4430 set service traffic-proxy TRAFFIC_PROXY mode ssl set service traffic-proxy TRAFFIC_PROXY port 3128 set service traffic-proxy TRAFFIC_PROXY x509 ca-cert running://test.crt set service traffic-proxy TRAFFIC_PROXY x509 ca-key running://test.key set service traffic-proxy TRAFFIC_PROXY queue Q1 set service traffic-proxy TRAFFIC_PROXY logging queue set service firewall FWL logging outputs fast set service firewall FWL mode inline queue Q1 set service firewall FWL ruleset file running://traffic-proxy.rules set traffic queue Q1 elements 0 set service firewall FWL stream bypass action drop set xdp-early-drop eth0,eth1
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 10.0.0.2/24 set protocols static route 0.0.0.0/0 next-hop 10.0.0.1
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth0 vif 200 address 192.168.1.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.1.1
Step 4: Ping IP address 192.168.1.2 from DUT1:
admin@DUT1$ ping 192.168.1.2 count 1 size 56 timeout 1Show output
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data. 64 bytes from 192.168.1.2: icmp_seq=1 ttl=63 time=0.852 ms --- 192.168.1.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.852/0.852/0.852/0.000 ms
Step 5: Ping IP address 10.0.0.2 from DUT2:
admin@DUT2$ ping 10.0.0.2 count 1 size 56 timeout 1Show output
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data. 64 bytes from 10.0.0.2: icmp_seq=1 ttl=63 time=0.620 ms --- 10.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.620/0.620/0.620/0.000 ms
Step 6: Run command file show running://traffic-proxy.rules at DUT0 and expect this output:
Show output
alert tcp any any -> any 443 (msg: "Allowed traffic"; sid: 1;) drop tcp any any -> any 4430 (msg: "Disallowed traffic"; sid: 2;)
Note
The first attempt will be allowed but it should attach an early drop policy in the source Ethernet interface.
Step 7: Initiate a ssl connection from DUT1 to DUT2 and try to send some messages between both endpoints
admin@DUT2$ monitor test connection server 4430 ssl cert running://test.crt key running://test.key admin@DUT1$ monitor test connection client 192.168.1.2 4430 ssl source-port 1234
Step 8: Run command service traffic-proxy TRAFFIC_PROXY show stats at DUT0 and check if output does not match the following regular expressions:
intercepted\s+0\s+0Show output
Statistics for instance "TRAFFIC_PROXY": ----------------------------- name packets bytes ----------------------------- queue - reply 5 218 queue - orig 5 218 intercepted 8 871 error 0 0
Step 9: Run command service firewall FWL show logging fast | tail -n 2 at DUT0 and expect this output:
Show output
12/13/2023-00:27:29.822466 [Drop] [**] [1:2:0] Disallowed traffic [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.2:1234 -> 192.168.1.2:4430
Note
The second attempt should fail because of the XDP hook.
Step 10: Expect a failure in the following command:
Initiate a ssl connection from DUT1 to DUT2 and try to send some messages between both endpoints
admin@DUT2$ monitor test connection server 4430 ssl cert running://test.crt key running://test.key admin@DUT1$ monitor test connection client 192.168.1.2 4430 ssl source-port 1234
Step 11: Run command service firewall FWL show logging fast | tail -n 2 at DUT0 and expect this output:
Show output
12/13/2023-00:27:29.822466 [Drop] [**] [1:2:0] Disallowed traffic [**] [Classification: (null)] [Priority: 3] {TCP} 10.0.0.2:1234 -> 192.168.1.2:4430