Bug #11841 » access-list and prefix-list behaviors in pfsense 2.5.1.txt

Shows the issue of ACLs in pfsense 2.5.1 - Gavin Owen, 04/22/2021 09:23 AM

=================================================================================
Access-list case with no explicit "deny any" on end of access-list "CONNECT" - bad
=================================================================================

## firewall B partial config
router ospf
 ospf router-id 192.168.24.1
 log-adjacency-changes detail
 auto-cost reference-bandwidth 40000
 timers throttle spf 200 1000 10000
 redistribute connected metric 20 route-map CONNECT
 passive-interface em1
 area 0.0.0.0 authentication message-digest
!
access-list CONNECT seq 10 permit 10.24.194.0/24
!
route-map CONNECT permit 10
 match ip address CONNECT
!

## OSPF routes showing on adjacent firewall A
somefirewall.somedomain.local# show ip route ospf
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

O>* 10.24.10.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06
O>* 10.24.194.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06       ### Allowed in redistribute ACL. This is fine.
O>* 10.24.224.0/29 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06       ### Connected route on firewall B not in OSPF or being redistributed. Should not appear!
O   10.254.40.0/28 [110/4] is directly connected, em0.40, weight 1, 00:13:23          ### This is fine (firewall A LAN1)
O   10.254.100.0/24 [110/4] is directly connected, em0.100, weight 1, 00:13:23        ### This is fine (firewall A LAN2)
O>* 10.255.195.1/32 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06      ### VPN tunnel IPs. Don't want to be seeing it
O>* 10.255.196.1/32 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06      ### VPN tunnel IPs. Don't want to be seeing it
O>* 10.255.198.2/32 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06      ### VPN tunnel IPs. Don't want to be seeing it
O>* 103.XXX.XXX.1/32 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06     ### firewall B's WAN2 route (PPP) - should not appear!
O>* 192.168.24.0/24 [110/8004] via 10.255.195.2, ovpns2 onlink, weight 1, 00:13:23    ### This is fine (firewall B LAN)
O   192.168.57.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06      ### firewall B's lab connectivity - should not appear!
O>* 194.XXX.XXX.28/30 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06    ### firewall B's WAN1 route - should not appear!!


================================================================================
Access-list case with explicit "deny any" on end of access-list "CONNECT" - fine
================================================================================

## firewall B partial config
router ospf
 ospf router-id 192.168.24.1
 log-adjacency-changes detail
 auto-cost reference-bandwidth 40000
 timers throttle spf 200 1000 10000
 redistribute connected metric 20 route-map CONNECT
 passive-interface em1
 area 0.0.0.0 authentication message-digest
!
access-list CONNECT seq 10 permit 10.24.194.0/24
access-list CONNECT seq 20 deny any                         ### note the addition of an explicit "deny any". Shouldn't need this. ACL should implicitly deny at the end.
!
route-map CONNECT permit 10
 match ip address CONNECT
!

## OSPF routes showing on adjacent firewall A
somefirewall.somedomain.local# show ip route ospf
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

O>* 10.24.194.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:22
O   10.254.40.0/28 [110/4] is directly connected, em0.40, weight 1, 00:22:18
O   10.254.100.0/24 [110/4] is directly connected, em0.100, weight 1, 00:22:18
O>* 192.168.24.0/24 [110/8004] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:46


===================================================================================
Prefix-list case with no explicit "deny any" on end of prefix-list "CONNECT" - fine
===================================================================================

## firewall B partial config
router ospf
 ospf router-id 192.168.24.1
 log-adjacency-changes detail
 auto-cost reference-bandwidth 40000
 timers throttle spf 200 1000 10000
 redistribute connected metric 20 route-map CONNECT
 passive-interface em1
 area 0.0.0.0 authentication message-digest
!
ip prefix-list CONNECT seq 10 permit 10.24.194.0/24
!
route-map CONNECT permit 10
 match ip address prefix-list CONNECT
!

## OSPF routes showing on adjacent firewall A
somefirewall.somedomain.local# show ip route ospf
Codes: K - kernel route, C - connected, S - static, R - RIP,
       O - OSPF, I - IS-IS, B - BGP, E - EIGRP, N - NHRP,
       T - Table, v - VNC, V - VNC-Direct, A - Babel, D - SHARP,
       F - PBR, f - OpenFabric,
       > - selected route, * - FIB route, q - queued, r - rejected, b - backup

O>* 10.24.194.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:01:53
O   10.254.40.0/28 [110/4] is directly connected, em0.40, weight 1, 00:43:50
O   10.254.100.0/24 [110/4] is directly connected, em0.100, weight 1, 00:43:50
O>* 192.168.24.0/24 [110/8004] via 10.255.195.2, ovpns2 onlink, weight 1, 00:02:34
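An added check (not part of the attachment or of pfSense/FRR) that models the filter semantics the three cases above rely on: sequenced entries, first match wins, implicit deny when nothing matches, access-list entries covering sub-prefixes and prefix-list entries (without ge/le) matching exactly. It then reads a `show ip route ospf` listing and reports every route carrying the configured redistribute metric (20 here) that the filter should have dropped, which flags the leak in the first case. The route lines are a constructed subset of the report's output, with the masked WAN address replaced by an RFC 5737 stand-in so it parses.

```python
import ipaddress
import re

# Constructed from the report: firewall B's redistribute filter and the routes
# seen on firewall A.  Masked WAN addresses are replaced by an RFC 5737 stand-in.
REDISTRIBUTE_METRIC = 20      # from "redistribute connected metric 20"
ACL_NO_DENY = ["access-list CONNECT seq 10 permit 10.24.194.0/24"]
ACL_WITH_DENY = ACL_NO_DENY + ["access-list CONNECT seq 20 deny any"]
ROUTES_BAD_CASE = [
    "O>* 10.24.10.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06",
    "O>* 10.24.194.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06",
    "O>* 10.24.224.0/29 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06",
    "O   10.254.40.0/28 [110/4] is directly connected, em0.40, weight 1, 00:13:23",
    "O>* 203.0.113.1/32 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06",
    "O>* 192.168.24.0/24 [110/8004] via 10.255.195.2, ovpns2 onlink, weight 1, 00:13:23",
    "O   192.168.57.0/24 [110/20] via 10.255.195.2, ovpns2 onlink, weight 1, 00:00:06",
]
FILTER_RE = re.compile(
    r"^(?:ip )?(access-list|prefix-list) \S+ seq (\d+) (permit|deny) (\S+)")
ROUTE_RE = re.compile(r"^O\S*\s+(\S+) \[\d+/(\d+)\]")

def parse_filter(lines):
    """Return [(seq, kind, action, network_or_None)] sorted by sequence number."""
    entries = []
    for line in lines:
        if m := FILTER_RE.match(line.strip()):
            kind, seq, action, target = m.groups()
            net = None if target == "any" else ipaddress.ip_network(target)
            entries.append((int(seq), kind, action, net))
    return sorted(entries, key=lambda e: e[0])

def permitted(prefix, entries):
    """First matching entry wins; no match at all is the implicit deny.
    access-list entries cover sub-prefixes, prefix-list entries (no ge/le) are exact."""
    for _seq, kind, action, net in entries:
        if net is None or (prefix == net if kind == "prefix-list"
                           else prefix.subnet_of(net)):
            return action == "permit"
    return False

def leaked_routes(filter_lines, route_lines, metric=REDISTRIBUTE_METRIC):
    """Routes tagged with the redistribute metric that the filter should have dropped."""
    entries = parse_filter(filter_lines)
    leaks = []
    for line in route_lines:
        if (m := ROUTE_RE.match(line)) and int(m.group(2)) == metric:
            prefix = ipaddress.ip_network(m.group(1))
            if not permitted(prefix, entries):
                leaks.append(str(prefix))
    return leaks
```

Under these semantics `ACL_NO_DENY` and `ACL_WITH_DENY` drop exactly the same routes, which is the reporter's point: the explicit `deny any` should be a no-op. Intra-area routes (metric 4 and 8004 above) are ignored because they are not products of the redistribute filter.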