Step 4: Protect the WAN Interface with VPF
Before proceeding with the IPsec site-to-site VPN tunnel, it is critical to apply Access Control Lists (ACLs) to the WAN interface.
If the WAN interface is exposed to the internet, it will be frequently
probed by bots attempting to log in using weak credentials. This can be seen by
inspecting the failed login records in lastb as the root user:
$ sudo lastb | head -100
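A WAN interface that is reachable from the internet produces a lot of lastb noise, and the useful question is which sources are responsible and which usernames they are guessing. The following script is an added example, not part of the TNSR documentation or product: it parses lastb-style records (the sample input is constructed, not real data) and aggregates failed attempts per source address so that repeat offenders stand out before the filter rules below are applied.

```python
"""Summarize failed SSH logins from `lastb` output.

Added example; not TNSR code. The input below is a constructed sample in the
format printed by util-linux `lastb` (user, tty, host, timestamps).
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `sudo lastb` output (documentation/test addresses only).
SAMPLE_LASTB = """\
root     ssh:notty    203.0.113.5      Sat Mar  2 03:14 - 03:14  (00:00)
admin    ssh:notty    203.0.113.5      Sat Mar  2 03:14 - 03:14  (00:00)
root     ssh:notty    203.0.113.5      Sat Mar  2 03:15 - 03:15  (00:00)
ubuntu   ssh:notty    203.0.113.5      Sat Mar  2 03:15 - 03:15  (00:00)
tnsr     ssh:notty    198.51.100.7     Sat Mar  2 08:02 - 08:02  (00:00)
pi       ssh:notty    2001:db8::9      Sat Mar  2 09:40 - 09:40  (00:00)

btmp begins Fri Mar  1 00:00:01 2024
"""

# user, tty, host, then the free-form time columns.
LINE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<host>\S+)\s+(?P<when>.+)$")


def parse_lastb(text):
    """Yield (user, host) for every failed login that came from a network address."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("btmp begins"):
            continue  # blank line or the trailer lastb prints
        m = LINE_RE.match(line)
        if not m:
            continue
        host = m.group("host")
        try:
            ipaddress.ip_address(host)  # drop console logins, which have no source address
        except ValueError:
            continue
        yield m.group("user"), host


def summarize(text, threshold=3):
    """Per-source attempt counts and usernames tried.

    A source is flagged once its attempt count reaches `threshold` (assumed value).
    """
    attempts = defaultdict(int)
    users = defaultdict(set)
    for user, host in parse_lastb(text):
        attempts[host] += 1
        users[host].add(user)
    return {
        host: {"attempts": n, "users": sorted(users[host]), "flagged": n >= threshold}
        for host, n in attempts.items()
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LASTB)
    for host, info in sorted(report.items(), key=lambda kv: -kv[1]["attempts"]):
        mark = "!" if info["flagged"] else " "
        print(f"{mark} {host:<20} {info['attempts']:>3} attempts  users={','.join(info['users'])}")
```

Piping real data in is a matter of replacing the constructed sample with `sudo lastb` output read from stdin; the addresses the report flags are exactly the sources that the inbound SSH rules below will stop from reaching the TNSR login prompt.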
Outbound Traffic Rule
The first task for filtering is to create a ruleset and add a rule to pass
outbound traffic in a stateful manner. The stateful property of a VPF
filter rule permits the return traffic which matches the original connection.
This allows outbound traffic to flow, and any responses to that traffic will be
allowed as well.
Create a ruleset for the WAN named WAN-filter which will contain all the
rules for this example:
vpf filter ruleset WAN-filter
  description Filter rules for WAN
  rule 10
    description Pass outbound from TNSR to any destination and pass return traffic
    pass
    direction out
    stateful
    exit
  exit
# Activate Ruleset
vpf options
  interface WAN filter-ruleset WAN-filter
  exit
Input Filter Rules - DHCP Responses
If the WAN interface obtains its address with dhcp client ipv4, be sure to permit DHCP
responses from source port UDP 67 to destination port UDP 68:
vpf filter ruleset WAN-filter
  rule 20
    description DHCP Response to client on WAN interface
    pass
    direction in
    stateful
    ip-version ipv4
    protocol udp
    from port 67 67
    to port 68 68
    exit
  exit
Input Filter Rules - SSH-WAN
To permit inbound SSH access only from specified IP addresses, create rules that allow exactly the required access and nothing more.
In this example, rule 221 permits a block of IP addresses from corporate headquarters and rule 222 permits a single IP address used by a service provider for assistance:
vpf filter ruleset WAN-filter
  rule 221
    description Allow SSH from HQ
    pass
    direction in
    stateful
    ip-version ipv4
    protocol tcp
    from ipv4-prefix 198.51.100.0/24
    to port 22 22
    exit
  rule 222
    description Allow SSH from service provider
    pass
    direction in
    stateful
    ip-version ipv4
    protocol tcp
    from ipv4-prefix 192.0.2.88/32
    to port 22 22
    exit
  exit
Tip
This could have also been achieved with a single rule using a VPF table.
After those rules are in place, validate that only the specified IP addresses are able to SSH to the WAN IP address of TNSR.
Input Filter Rules - IPsec-WAN
Configure a set of rules to permit the three types of IPsec traffic from the remote peer:
- IP Protocol ESP: Encapsulated traffic without NAT-T
- IP Protocol UDP; Destination Port 500: IKEv2 message exchange
- IP Protocol UDP; Destination Port 4500: NAT-T, which floats IKE and ESP to UDP 4500
vpf filter ruleset WAN-filter
  rule 500
    description Permit IPsec ESP
    pass
    direction in
    stateful
    ip-version ipv4
    from ipv4-prefix 198.51.100.120/32
    protocol esp
    exit
  rule 501
    description Allow IPsec IKEv2
    pass
    direction in
    stateful
    ip-version ipv4
    protocol udp
    from ipv4-prefix 198.51.100.120/32
    to port 500
    exit
  rule 502
    description Allow IPsec NAT-T
    pass
    direction in
    stateful
    ip-version ipv4
    protocol udp
    from ipv4-prefix 198.51.100.120/32
    to port 4500
    exit
  exit
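Before trusting the ruleset on a live WAN, it is worth checking on paper which initiating packets it admits. The following model is an added example, not TNSR code: it encodes the WAN-filter rules exactly as configured above and evaluates constructed packets against them. It assumes that traffic matching no rule is blocked by the ruleset and only models the first packet of a flow (stateful return traffic is taken as allowed); since every rule here is a pass rule, match order does not affect the result.

```python
"""Model of the WAN-filter ruleset from this page.

Added example; not TNSR code. Assumptions: traffic matching no rule is blocked,
and only the initiating packet of a flow is evaluated (the stateful return
traffic that VPF admits automatically is not modelled).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str              # "in" or "out" relative to the WAN interface
    protocol: str               # "tcp", "udp", "esp"
    src: str                    # source IP address
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    number: int
    description: str
    direction: str
    ip_version: Optional[int] = None            # None matches either version
    protocol: Optional[str] = None              # None matches any protocol
    from_prefix: Optional[str] = None           # None matches any source
    from_ports: Optional[Tuple[int, int]] = None  # inclusive (low, high)
    to_ports: Optional[Tuple[int, int]] = None

    def matches(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src)
        if pkt.direction != self.direction:
            return False
        if self.ip_version is not None and src.version != self.ip_version:
            return False
        if self.protocol is not None and pkt.protocol != self.protocol:
            return False
        if self.from_prefix is not None and src not in ipaddress.ip_network(self.from_prefix):
            return False
        if self.from_ports is not None and not _in_range(pkt.src_port, self.from_ports):
            return False
        if self.to_ports is not None and not _in_range(pkt.dst_port, self.to_ports):
            return False
        return True


def _in_range(port: Optional[int], rng: Tuple[int, int]) -> bool:
    return port is not None and rng[0] <= port <= rng[1]


# The WAN-filter rules as configured on this page; all of them are pass rules.
WAN_FILTER = [
    Rule(10, "Pass outbound from TNSR to any destination", "out"),
    Rule(20, "DHCP response to client", "in", 4, "udp", None, (67, 67), (68, 68)),
    Rule(221, "Allow SSH from HQ", "in", 4, "tcp", "198.51.100.0/24", None, (22, 22)),
    Rule(222, "Allow SSH from service provider", "in", 4, "tcp", "192.0.2.88/32", None, (22, 22)),
    Rule(500, "Permit IPsec ESP", "in", 4, "esp", "198.51.100.120/32"),
    Rule(501, "Allow IPsec IKEv2", "in", 4, "udp", "198.51.100.120/32", None, (500, 500)),
    Rule(502, "Allow IPsec NAT-T", "in", 4, "udp", "198.51.100.120/32", None, (4500, 4500)),
]


def evaluate(pkt: Packet, rules=WAN_FILTER) -> Optional[int]:
    """Return the number of the rule that passes `pkt`, or None if it is blocked."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.number
    return None


if __name__ == "__main__":
    # Constructed packets; 203.0.113.9 stands for an arbitrary internet host.
    checks = [
        Packet("in", "tcp", "198.51.100.5", 51000, 22),
        Packet("in", "tcp", "203.0.113.9", 51000, 22),
        Packet("in", "esp", "198.51.100.120"),
        Packet("in", "udp", "203.0.113.9", 4500, 4500),
        Packet("out", "tcp", "198.51.100.120", 40000, 443),
    ]
    for pkt in checks:
        print(f"{pkt} -> {evaluate(pkt) or 'blocked'}")
```

The same model answers the validation step from the SSH section: any source outside 198.51.100.0/24 and 192.0.2.88 evaluates to None for TCP port 22, which is the behavior to confirm against the real WAN address after the ruleset is active.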