Tip

This is the documentation for the 19.08 version. Looking for the documentation of the latest version? Have a look here.

Host ACLs

TNSR can also create host ACLs to control traffic on host interfaces, such as the management interface. These ACLs are implemented using Netfilter.

As mentioned in Default Allowed Traffic, TNSR includes a default set of host ACLs which protect host OS interfaces. Host ACLs created by administrators can override or augment the default blocking behavior.

ACLs are ordered by sequence number, and evaluated from the start to the end, stopping when a match is found. Each ACL contains one or more rules which define matching criteria and actions taken.

To create a new ACL, from config mode, use the command host acl <acl-name>, with the name to use for the new ACL. This command enters config-host-acl mode, where the following commands are available:

description <text>

A text description of the host ACL.

sequence <acl-seq>

The sequence number of this ACL. This sequence number controls the order of the ACLs when TNSR generates the host OS ruleset.

rule <rule-seq>

Creates a new rule in this ACL with the given sequence number and enters config-host-acl-rule mode. The sequence number of the rule controls the order of the individual rules inside this ACL.

Inside config-host-acl-rule mode, the following commands are available:

action (deny|permit)

Controls whether packets matching this rule will be passed (permit) or dropped (deny).

description <text>

A text description of this rule.

match input-interface <host-interface>

When set, this rule will only match traffic on the given host interface name. This is an interface name as seen by the host operating system, and not a TNSR interface.

match ip address (source|destination) <ip-prefix>

Matches based on a given source or destination network.

match ip icmp type <type> [code <code>]

Matches a specific IPv4 ICMP type and optionally matches the ICMP code as well. To match ICMP, the IP protocol must be set to icmp. Allowed types include: address-mask-reply, address-mask-request, destination-unreachable, echo-reply, echo-request, info-reply, info-request, parameter-problem, redirect, router-advertisement, router-solicitation, source-quench, time-exceeded, timestamp-reply, and timestamp-request.

match ip icmpv6 type <type> [code <code>]

Matches a specific IPv6 ICMP type and optionally matches the ICMP code as well. To match ICMP, the IP protocol must be set to icmp. Allowed types include: destination-unreachable, echo-reply, echo-request, mld-listener-query, mld-listener-reduction, mld-listener-report, nd-neighbor-advert, nd-neighbor-solicit, nd-redirect, nd-router-advert, nd-router-solicit, packet-too-big, parameter-problem, router-renumbering, and time-exceeded.

match ip port (source|destination) <port-num>

Matches the given source or destination port number. To match a port, the protocol must be tcp or udp.

match ip port (source|destination) range start <low-port-num> [end <high-port-num>]

Matches the given source or destination port range, given as a lower start port number and a higher ending port number. To match a port, the protocol must be tcp or udp.

match ip protocol (icmp|tcp|udp|<proto-number>)

Matches the specified IP protocol. When unset, any protocol will match the rule. However, this option must be set to enable protocol-specific matching such as ports (TCP or UDP) or ICMP types/codes. To match protocols other than TCP, UDP, and ICMP, specify the protocol number from 0-255.

match ip tcp flag (ack|cwr|ece|fin|psh|rst|syn|urg)

Matches a specific TCP flag. May only be used when protocol is set to tcp.

match ip version (4|6)

Matches based on whether a packet is IPv4 (4), or IPv6 (6). This is required when matching by source or destination address.

match mac address (source|destination) <mac>

Matches based on the source or destination MAC address. This is only valid for neighboring hosts on interfaces which provide layer 2 information, such as Ethernet.

Host ACL Example

This example configures a rule to allow traffic from the remote system 203.0.113.54 to reach a local host OS daemon on port 12345, used by the TNSR IDS daemon:

tnsr(config)# host acl tnsrids
tnsr(config-host-acl)# sequence 10
tnsr(config-host-acl)# description TNSR IDS
tnsr(config-host-acl)# rule 100
tnsr(config-host-acl-rule)# description Pass to tnsrids
tnsr(config-host-acl-rule)# action permit
tnsr(config-host-acl-rule)# match ip address source 203.0.113.54/32
tnsr(config-host-acl-rule)# match ip version 4
tnsr(config-host-acl-rule)# match ip protocol tcp
tnsr(config-host-acl-rule)# match ip port destination 12345

Host ACL Status

To see the list of current host ACLs, use the following command:

tnsr# show host ruleset
table inet tnsr_filter {
        chain tnsr_input_mgmt_local {
                jump tnsrids
        }

        chain tnsr_input_mgmt_default {
                tcp dport ssh accept
                tcp dport http accept
                tcp dport https accept
                ip protocol icmp accept
                ip6 nexthdr ipv6-icmp accept
                tcp dport bgp accept
                ip protocol ospf accept
                udp dport isakmp accept
                tcp dport ntp accept
                udp dport ntp accept
                tcp dport domain accept
                udp dport domain accept
                udp dport snmp accept
                udp dport bootps accept
                ip ttl 1 udp dport 33434-33524 counter packets 0 bytes 0 accept
        }

        chain tnsr_input {
                type filter hook input priority 0; policy accept;
                iifname "lo" accept
                ct state established,related accept
                jump tnsr_input_mgmt_local
                jump tnsr_input_mgmt_default
                drop
        }

        chain tnsr_forward {
                type filter hook forward priority 0; policy drop;
        }

        chain tnsrids {
                tcp dport 12345 counter packets 0 bytes 0 accept
        }
}