Host ACLs

TNSR can also create host ACLs to control traffic on host interfaces, such as the management interface. These ACLs are implemented using Netfilter.

As mentioned in Default Allowed Traffic, TNSR includes a default set of host ACLs which protect host OS interfaces. Host ACLs created by administrators can override or augment the default blocking behavior.

ACLs are ordered by sequence number, and evaluated from the start to the end, stopping when a match is found. Each ACL contains one or more rules which define matching criteria and actions taken.

To create a new ACL, from config mode, use the command host acl <acl-name>, with the name to use for the new ACL. This command enters config-host-acl mode, where the following commands are available:

description <text>:

A text description of the host ACL.

sequence <acl-seq>:

The sequence number of this ACL. This sequence number controls the order of the ACLs when TNSR generates the host OS ruleset.

rule <rule-seq>:

Creates a new rule in this ACL with the given sequence number and enters config-host-acl-rule mode. The sequence number of the rule controls the order of the individual rules inside this ACL.

Inside config-host-acl-rule mode, the following commands are available:

action (deny|permit):

Controls whether packets matching this rule will be passed (permit) or dropped (deny).

description <text>:

A text description of this rule.

match input-interface <host-interface>:

When set, this rule will only match traffic on the given host interface name. This is an interface name as seen by the host operating system, and not a TNSR interface.

match ip address (source|destination) <ip-prefix>:

Matches based on a given source or destination network.

match ip icmp type <type> [code <code>]:

Matches a specific IPv4 ICMP type and optionally matches the ICMP code as well. To match ICMP, the IP protocol must be set to icmp.

Allowed types include: address-mask-reply, address-mask-request, destination-unreachable, echo-reply, echo-request, info-reply, info-request, parameter-problem, redirect, router-advertisement, router-solicitation, source-quench, time-exceeded, timestamp-reply, timestamp-request.

match ip icmpv6 type <type> [code <code>]:

Matches a specific IPv6 ICMP type and optionally matches the ICMP code as well. To match ICMP, the IP protocol must be set to icmp.

Allowed types include: destination-unreachable, echo-reply, echo-request, mld-listener-query, mld-listener-reduction, mld-listener-report, nd-neighbor-advert, nd-neighbor-solicit, nd-redirect, nd-router-advert, nd-router-solicit, packet-too-big, parameter-problem, router-renumbering, time-exceeded.

match ip port (source|destination) <port-num>:

Matches the given source or destination port number. To match a port, the protocol must be tcp or udp.

match ip port (source|destination) range start <low-port-num> [end <high-port-num>]:

Matches the given source or destination port range, given as a lower start port number and a higher ending port number. To match a port, the protocol must be tcp or udp.

match ip protocol (icmp|tcp|udp|<proto-number>):

Matches the specified IP protocol. When unset, any protocol will match the rule. However, this option must be set to enable protocol-specific matching such as ports (TCP or UDP) or ICMP types/codes. To match protocols other than TCP, UDP, and ICMP, specify the protocol number from 0-255.

match ip tcp flag (ack|cwr|ece|fin|psh|rst|syn|urg):

Matches specific TCP Flags. May only be used when protocol is set to tcp.

match ip version (4|6):

Matches based on whether a packet is IPv4 (4), or IPv6 (6). This is required when matching by source or destination address.

match mac address (source|destination) <mac>:

Matches based on the source or destination MAC address. This is only valid for neighboring hosts on interfaces which provide layer 2 information, such as Ethernet.

Host ACL Example

This example configures a rule to allow traffic from the remote system 203.0.113.54 to reach a local host OS daemon on port 12345, used by the TNSR IDS daemon:

tnsr(config)# host acl tnsrids
tnsr(config-host-acl)# sequence 10
tnsr(config-host-acl)# description TNSR IDS
tnsr(config-host-acl)# rule 100
tnsr(config-host-acl-rule)# description Pass to tnsrids
tnsr(config-host-acl-rule)# action permit
tnsr(config-host-acl-rule)# match ip address source 203.0.113.54/32
tnsr(config-host-acl-rule)# match ip version 4
tnsr(config-host-acl-rule)# match ip protocol tcp
tnsr(config-host-acl-rule)# match ip port destination 12345

Host ACL Status

To see the list of current host ACLs, use the following command:

tnsr# show host acl
Access Control List: tnsrids
 IPv Seq Action            Src IP   Dst IP           Src MAC           Dst MAC Proto    SP/T    DP/C Flag bytes  pkts
---- --- ------ ----------------- -------- ----------------- ----------------- ----- ------- ------- ---- ----- -----
ipv4 100 accept   203.0.113.54/32                                                tcp           12345          0     0

Alternately, to see the host ACL ruleset directly:

tnsr# show host ruleset
table inet tnsr_filter {
        chain tnsr_input_mgmt_local {
                jump tnsrids
        }

        chain tnsr_input_mgmt_default {
                tcp dport 22 accept
                tcp dport 80 accept
                tcp dport 443 accept
                ip protocol 1 accept
                ip6 nexthdr 58 accept
                tcp dport 123 accept
                udp dport 123 accept
                udp dport 161 accept
                ip ttl 1 udp dport 33434-33524 counter packets 0 bytes 0 accept
                ip6 hoplimit 1 udp dport 33434-33524 counter packets 0 bytes 0 accept
                tcp dport 9482 accept
        }

        chain tnsr_input {
                type filter hook input priority 0; policy accept;
                iifname "lo" accept
                ct state 0x2,0x4 accept
                jump tnsr_input_mgmt_local
                jump tnsr_input_mgmt_default
                drop
        }
        chain tnsr_forward {
                type filter hook forward priority 0; policy drop;
        }

        chain tnsrids {
                meta nfproto 2 meta nfproto 2 ip saddr 203.0.113.54 tcp dport 12345 counter packets 0 bytes 0 accept
        }
}