Tip
This is the documentation for the 19.12 version. Looking for the documentation of the latest version? Have a look here.
Host ACLs¶
TNSR can also create host ACLs to control traffic on host interfaces, such as the management interface. These ACLs are implemented using Netfilter.
As mentioned in Default Allowed Traffic, TNSR includes a default set of host ACLs which protect host OS interfaces. Host ACLs created by administrators can override or augment the default blocking behavior.
ACLs are ordered by sequence number, and evaluated from the start to the end, stopping when a match is found. Each ACL contains one or more rules which define matching criteria and actions taken.
To create a new ACL, from config mode, use the command host acl
<acl-name>, with the name to use for the new ACL. This command enters
config-host-acl mode, where the following commands are available:
- description <text>:
A text description of the host ACL.
- sequence <acl-seq>:
The sequence number of this ACL. This sequence number controls the order of the ACLs when TNSR generates the host OS ruleset.
- rule <rule-seq>:
Creates a new rule in this ACL with the given sequence number and enters
config-host-acl-rulemode. The sequence number of the rule controls the order of the individual rules inside this ACL.
Inside config-host-acl-rule mode, the following commands are available:
- action (deny|permit):
Controls whether packets matching this rule will be passed (
permit) or dropped (deny).- description <text>:
A text description of this rule.
- match input-interface <host-interface>:
When set, this rule will only match traffic on the given host interface name. This is an interface name as seen by the host operating system, and not a TNSR interface.
- match ip address (source|destination) <ip-prefix>:
Matches based on a given source or destination network.
- match ip icmp type <type> [code <code>]:
Matches a specific IPv4 ICMP type and optionally matches the ICMP code as well. To match ICMP, the IP
protocolmust be set toicmp. Allowed types include:address-mask-reply,address-mask-request,destination-unreachable,echo-reply,echo-request,info-reply,info-request,parameter-problem,redirect,router-advertisement,router-solicitation,source-quench,time-exceeded,timestamp-reply, andtimestamp-request.- match ip icmpv6 type <type> [code <code>]:
Matches a specific IPv6 ICMP type and optionally matches the ICMP code as well. To match ICMP, the IP
protocolmust be set toicmp. Allowed types include:destination-unreachable,echo-reply,echo-request,mld-listener-query,mld-listener-reduction,mld-listener-report,nd-neighbor-advert,nd-neighbor-solicit,nd-redirect,nd-router-advert,nd-router-solicit,packet-too-big,parameter-problem,router-renumbering, andtime-exceeded.- match ip port (source|destination) <port-num>:
Matches the given source or destination port number. To match a port, the
protocolmust betcporudp.- match ip port (source|destination) range start <low-port-num> [end <high-port-num>]:
Matches the given source or destination port range, given as a lower start port number and a higher ending port number. To match a port, the
protocolmust betcporudp.- match ip protocol (icmp|tcp|udp|<proto-number>):
Matches the specified IP protocol. When unset, any protocol will match the rule. However, this option must be set to enable protocol-specific matching such as ports (TCP or UDP) or ICMP types/codes. To match protocols other than TCP, UDP, and ICMP, specify the protocol number from
0-255.- match ip tcp flag (ack|cwr|ece|fin|psh|rst|syn|urg):
Matches a specific TCP flag. May only be used when
protocolis set totcp.- match ip version (4|6):
Matches based on whether a packet is IPv4 (
4), or IPv6 (6). This is required when matching by source or destination address.- match mac address (source|destination) <mac>:
Matches based on the source or destination MAC address. This is only valid for neighboring hosts on interfaces which provide layer 2 information, such as Ethernet.
Host ACL Example¶
This example configures a rule to allow traffic from the remote system
203.0.113.54 to reach a local host OS daemon on port 12345, used by the
TNSR IDS daemon:
tnsr(config)# host acl tnsrids
tnsr(config-host-acl)# sequence 10
tnsr(config-host-acl)# description TNSR IDS
tnsr(config-host-acl)# rule 100
tnsr(config-host-acl-rule)# description Pass to tnsrids
tnsr(config-host-acl-rule)# action permit
tnsr(config-host-acl-rule)# match ip address source 203.0.113.54/32
tnsr(config-host-acl-rule)# match ip version 4
tnsr(config-host-acl-rule)# match ip protocol tcp
tnsr(config-host-acl-rule)# match ip port destination 12345
Host ACL Status¶
To see the list of current host ACLs, use the following command:
tnsr# show host ruleset
table inet tnsr_filter {
chain tnsr_input_mgmt_local {
jump tnsrids
}
chain tnsr_input_mgmt_default {
tcp dport ssh accept
tcp dport http accept
tcp dport https accept
ip protocol icmp accept
ip6 nexthdr ipv6-icmp accept
tcp dport bgp accept
ip protocol ospf accept
udp dport isakmp accept
tcp dport ntp accept
udp dport ntp accept
tcp dport domain accept
udp dport domain accept
udp dport snmp accept
udp dport bootps accept
ip ttl 1 udp dport 33434-33524 counter packets 0 bytes 0 accept
}
chain tnsr_input {
type filter hook input priority 0; policy accept;
iifname "lo" accept
ct state established,related accept
jump tnsr_input_mgmt_local
jump tnsr_input_mgmt_default
drop
}
chain tnsr_forward {
type filter hook forward priority 0; policy drop;
}
chain tnsrids {
tcp dport 12345 counter packets 0 bytes 0 accept
}
}