March 19, 2014
Posted by on
You can monitor the firewall in much the way of a Debug command in Cisco. By using the command “Monitor firewall”. The blocked or allowed attempts will show up on the console.
You can monitor just the rule, or the whole firewall policy. By specifying the monitor to run in the background you still have control of the Vyatta.
The command is:
monitor firewall name OUTSIDE-IN background
You can also use the log keyword in the firewall rule to get the results of the rule to show up in the logs.
To give a better example lets create a firewall policy, assign it to an interface and then monitor the rule. I have two rules, one to block ICMP and one to allow everything else. To make this policy stateful I modified the firewall State-policy and set it to allow return traffic by default. Below are my firewall settings:
Now lets say I want to monitor what gets blocked in rule 5 – my block ICMP rule. I would do the following:
monitor firewall name out rule 5 – the name of my policy is “out”, rule 5 blocks ICMP.
The image shows the output. All traffic matching that rule gets displayed on the screen. This is a great way to debug firewall polices to see what gets blocked or allowed. For example, if I monitored just the firewall policy i would get all traffic allowed or blocked, if I monitored rule 10 then I would get all traffic other than ICMP which would be allowed.
Below are the “show configuration commands” of the firewall policy if you are interested.
set firewall name out rule 5 action ‘drop’
set firewall name out rule 5 log ‘enable’
set firewall name out rule 5 protocol ‘icmp’
set firewall name out rule 10 action ‘accept’
set firewall name out rule 10 log ‘enable’
set firewall name out rule 10 protocol ‘all’
set firewall name out rule 10 source address ‘192.168.60.10’
set firewall state-policy established action ‘accept’
set firewall state-policy invalid action ‘drop’
set interfaces ethernet eth1 firewall out name ‘out’