Firewall Enqueue
This scenario shows how to configure the traffic-proxy service to enqueue the intercepted traffic in a firewall instance.
Test Traffic-Proxy Enqueue
Description
This example demonstrates how to enqueue the intercepted
flows in a traffic queue where a firewall instance
is ready to inspect the traffic.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 192.168.1.1/24 set interfaces ethernet eth0 vif 100 tcp-mss 1400 set interfaces ethernet eth0 vif 100 traffic policy in TPROXY set interfaces ethernet eth1 vif 200 address 10.0.0.1/24 set interfaces ethernet eth1 vif 200 tcp-mss 1400 set service firewall FWL logging outputs fast set service firewall FWL mode inline queue Q1 set service firewall FWL ruleset file 'running://traffic-proxy.rules' set service traffic-proxy TRAFFIC_PROXY logging queue set service traffic-proxy TRAFFIC_PROXY mode ssl set service traffic-proxy TRAFFIC_PROXY port 3128 set service traffic-proxy TRAFFIC_PROXY queue Q1 set service traffic-proxy TRAFFIC_PROXY x509 ca-cert 'running://test.crt' set service traffic-proxy TRAFFIC_PROXY x509 ca-key 'running://test.key' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy TPROXY rule 5 action proxy tcp 3128 set traffic policy TPROXY rule 5 selector TCP_TRAFFIC set traffic queue Q1 elements 0 set traffic selector TCP_TRAFFIC rule 1 destination port 80,443,8080,4430 set traffic selector TCP_TRAFFIC rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 192.168.1.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.1.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth0 vif 200 address 10.0.0.2/24 set protocols static route 0.0.0.0/0 next-hop 10.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.0.0.2 from DUT1:
admin@DUT1$ ping 10.0.0.2 count 1 size 56 timeout 1Show output
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data. 64 bytes from 10.0.0.2: icmp_seq=1 ttl=63 time=1.34 ms --- 10.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 1.337/1.337/1.337/0.000 ms
Step 5: Ping IP address 192.168.1.2 from DUT2:
admin@DUT2$ ping 192.168.1.2 count 1 size 56 timeout 1Show output
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data. 64 bytes from 192.168.1.2: icmp_seq=1 ttl=63 time=0.453 ms --- 192.168.1.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.453/0.453/0.453/0.000 ms
Step 6: Run command file show running://traffic-proxy.rules at DUT0 and expect this output:
Show output
alert tcp any any -> any 443 (msg: "Allowed traffic"; sid: 1;) drop tcp any any -> any 4430 (msg: "Disallowed traffic"; sid: 2;)
Step 7: Initiate a ssl connection from DUT1 to DUT2 and try to send some messages between both endpoints
admin@DUT2$ monitor test connection server 443 ssl cert running://test.crt key running://test.key admin@DUT1$ monitor test connection client 10.0.0.2 443 ssl source-port 1234
Step 8: Run command service traffic-proxy TRAFFIC_PROXY show stats at DUT0 and check if output does not match the following regular expressions:
intercepted\s+0\s+0Show output
Statistics for instance "TRAFFIC_PROXY": ----------------------------- name packets bytes ----------------------------- queue - reply 4 180 queue - orig 6 260 intercepted 13 1237 error 0 0
Step 9: Run command service firewall FWL show logging fast | tail -n 2 at DUT0 and expect this output:
Show output
12/04/2024-15:56:18.127454 [**] [1:1:0] Allowed traffic [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.2:1234 -> 10.0.0.2:443
Test Traffic-Proxy Enqueue And Early-Drop
Description
This example demonstrates how to enqueue the intercepted
flows in a traffic queue where a firewall instance
is ready to inspect the traffic. In this case, a
different port is used to trigger a rule with a drop
action that will install an early-drop policy at XDP.
Scenario
Step 1: Set the following configuration in DUT0:
set interfaces ethernet eth0 vif 100 address 192.168.1.1/24 set interfaces ethernet eth0 vif 100 tcp-mss 1400 set interfaces ethernet eth0 vif 100 traffic policy in TPROXY set interfaces ethernet eth1 vif 200 address 10.0.0.1/24 set interfaces ethernet eth1 vif 200 tcp-mss 1400 set service firewall FWL logging outputs fast set service firewall FWL mode inline queue Q1 set service firewall FWL ruleset file 'running://traffic-proxy.rules' set service firewall FWL stream bypass action drop set xdp-early-drop eth0,eth1 set service traffic-proxy TRAFFIC_PROXY logging queue set service traffic-proxy TRAFFIC_PROXY mode ssl set service traffic-proxy TRAFFIC_PROXY port 3128 set service traffic-proxy TRAFFIC_PROXY queue Q1 set service traffic-proxy TRAFFIC_PROXY x509 ca-cert 'running://test.crt' set service traffic-proxy TRAFFIC_PROXY x509 ca-key 'running://test.key' set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0' set traffic policy TPROXY rule 5 action proxy tcp 3128 set traffic policy TPROXY rule 5 selector TCP_TRAFFIC set traffic queue Q1 elements 0 set traffic selector TCP_TRAFFIC rule 1 destination port 80,443,8080,4430 set traffic selector TCP_TRAFFIC rule 1 protocol tcp
Step 2: Set the following configuration in DUT1:
set interfaces ethernet eth0 vif 100 address 192.168.1.2/24 set protocols static route 0.0.0.0/0 next-hop 192.168.1.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 3: Set the following configuration in DUT2:
set interfaces ethernet eth0 vif 200 address 10.0.0.2/24 set protocols static route 0.0.0.0/0 next-hop 10.0.0.1 set system login user admin authentication encrypted-password '$6$GSjsCj8gHLv$/VcqU6FLi6CT2Oxn0MJQ2C2tqnRDrYKNF8HIYWJp68nvXvPdFccDsT04.WtigUONbKYrgKg8d6rEs8PjljMkH0'
Step 4: Ping IP address 10.0.0.2 from DUT1:
admin@DUT1$ ping 10.0.0.2 count 1 size 56 timeout 1Show output
PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data. 64 bytes from 10.0.0.2: icmp_seq=1 ttl=63 time=0.895 ms --- 10.0.0.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.895/0.895/0.895/0.000 ms
Step 5: Ping IP address 192.168.1.2 from DUT2:
admin@DUT2$ ping 192.168.1.2 count 1 size 56 timeout 1Show output
PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data. 64 bytes from 192.168.1.2: icmp_seq=1 ttl=63 time=0.399 ms --- 192.168.1.2 ping statistics --- 1 packets transmitted, 1 received, 0% packet loss, time 0ms rtt min/avg/max/mdev = 0.399/0.399/0.399/0.000 ms
Step 6: Run command file show running://traffic-proxy.rules at DUT0 and expect this output:
Show output
alert tcp any any -> any 443 (msg: "Allowed traffic"; sid: 1;) drop tcp any any -> any 4430 (msg: "Disallowed traffic"; sid: 2;)
Note
The first attempt will be allowed but it should attach an early drop policy in the source Ethernet interface.
Step 7: Initiate a ssl connection from DUT1 to DUT2 and try to send some messages between both endpoints
admin@DUT2$ monitor test connection server 4430 ssl cert running://test.crt key running://test.key admin@DUT1$ monitor test connection client 10.0.0.2 4430 ssl source-port 1234
Step 8: Run command service traffic-proxy TRAFFIC_PROXY show stats at DUT0 and check if output does not match the following regular expressions:
intercepted\s+0\s+0Show output
Statistics for instance "TRAFFIC_PROXY": ----------------------------- name packets bytes ----------------------------- queue - reply 5 220 queue - orig 5 220 intercepted 9 1017 error 0 0
Step 9: Run command service firewall FWL show logging fast | tail -n 2 at DUT0 and expect this output:
Show output
12/04/2024-15:56:32.849623 [Drop] [**] [1:2:0] Disallowed traffic [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.2:1234 -> 10.0.0.2:4430
Step 10: Run command service firewall FWL show early-drop-stats eth0 at DUT0 and check if output matches the following regular expressions:
yes\s+\d+\s+\d+\s+[1-9]\d*\s+[1-9]\d*Show output
------------------------------------------------------------------------------ src dst src port dst port tcp vlan_0 vlan_1 pkts bytes ------------------------------------------------------------------------------ 10.0.0.2 192.168.1.2 4430 1234 yes 100 0 0 0 192.168.1.2 10.0.0.2 1234 4430 yes 100 0 7 478
Note
The second attempt should fail because of the XDP hook.
Step 11: Expect a failure in the following command:
Initiate a ssl connection from DUT1 to DUT2 and try to send some messages between both endpoints
admin@DUT2$ monitor test connection server 4430 ssl cert running://test.crt key running://test.key admin@DUT1$ monitor test connection client 10.0.0.2 4430 ssl source-port 1234
Step 12: Run command service firewall FWL show logging fast | tail -n 2 at DUT0 and expect this output:
Show output
12/04/2024-15:56:32.849623 [Drop] [**] [1:2:0] Disallowed traffic [**] [Classification: (null)] [Priority: 3] {TCP} 192.168.1.2:1234 -> 10.0.0.2:4430
Step 13: Run command service firewall FWL show early-drop-stats eth0 at DUT0 and check if output matches the following regular expressions:
yes\s+\d+\s+\d+\s+[1-9]\d*\s+[1-9]\d*Show output
------------------------------------------------------------------------------ src dst src port dst port tcp vlan_0 vlan_1 pkts bytes ------------------------------------------------------------------------------ 10.0.0.2 192.168.1.2 4430 1234 yes 100 0 0 0 192.168.1.2 10.0.0.2 1234 4430 yes 100 0 19 1294