You can monitor the firewall in much the way of a Debug command in Cisco. By using the command “Monitor firewall”. The blocked or allowed attempts will show up on the console.
You can monitor just the rule, or the whole firewall policy. By specifying the monitor to run in the background you still have control of the Vyatta.
The command is:
monitor firewall name OUTSIDE-IN background
You can also use the log keyword in the firewall rule to get the results of the rule to show up in the logs.
To give a better example lets create a firewall policy, assign it to an interface and then monitor the rule. I have two rules, one to block ICMP and one to allow everything else. To make this policy stateful I modified the firewall State-policy and set it to allow return traffic by default. Below are my firewall settings:
Now lets say I want to monitor what gets blocked in rule 5 – my block ICMP rule. I would do the following:
monitor firewall name out rule 5 – the name of my policy is “out”, rule 5 blocks ICMP.
The image shows the output. All traffic matching that rule gets displayed on the screen. This is a great way to debug firewall polices to see what gets blocked or allowed. For example, if I monitored just the firewall policy i would get all traffic allowed or blocked, if I monitored rule 10 then I would get all traffic other than ICMP which would be allowed.
Below are the “show configuration commands” of the firewall policy if you are interested.
set firewall name out rule 5 action ‘drop’
set firewall name out rule 5 log ‘enable’
set firewall name out rule 5 protocol ‘icmp’
set firewall name out rule 10 action ‘accept’
set firewall name out rule 10 log ‘enable’
set firewall name out rule 10 protocol ‘all’
set firewall name out rule 10 source address ‘192.168.60.10’
set firewall state-policy established action ‘accept’
set firewall state-policy invalid action ‘drop’
set interfaces ethernet eth1 firewall out name ‘out’
hi, i need to do exactly the same.
i worked with Microsoft isa server as a firewall, and now im moving to vyatta firewall.
sometimes i need to see the traffic flow, or a rule denying something, but i dont know how.
i try to use
but i didn’t see anything.can you provided me an example of an output when you use the monitor firewall command? sorry for my english.
Hi Jei, you would have to put the log keyword in to get that data. I will modify this post with an example tomorrow.
hi, thank you for the answer, I was on vacation, so now is when i can try it.
i think , for your answer, that i need to configure mi firewall rules with action log to see what happens ?
im waiting anxiously for the example 🙂
thank you for your time.
Hi Jei, I updated the post. Please let me know if this answers the question.
Hi, and thank you, really thank you for your time and for share your knowledge.
I understand clearly the examples, and the output.
I need to try it, and see what happens.
The only difference that i can see, is that im using a zone firewall,i have rules set , applying from a zone to another zone, and the zone have a # of interfaces that belongs to it.
Maybe i cant monitor firewall rules because im using Zone-Based firewall?
Anyway, i’ll try like your example,and if i can monitor the firewall, maybe i need to rethink and reconfigure my firewall, because the fact of monitor its very important to me.
Right now, i solve situations whit conntrack and tcpdump, but i need to be very creative to use it :-)) and many many times , even when i see the traffic , i take my time to understand it.
Anyway, thank you.
hi!, i testing in my lab environment, without zoning, and it work fine.im traying the zoning now, let see whats happens.
thank you for the help.
well, test complete, maybe im doing something wrong, but when i use zoning, not show any statistics or packets using the monitor firewall rule X.
thank you for the help.