NVIDIA NVOS User Manual for InfiniBand Switches

Firewall Rules

The NVOS default firewall rules protect the switch control plane and CPU from DoS and other potentially malicious network attacks.

The default set of firewall rules consists of IP-level and transport-level rules. See Access Control List Configuration for custom ACL rule configuration.

Please note that users cannot bind ACL rules to the Loopback interface (lo).

DoS Rules

DoS rules protect the switch control plane and CPU from DoS attacks. NVOS provides firewall DoS rules to do the following:

  • Allow only internal traffic to the loopback interfaces.

  • Accept already established connections and outbound traffic.

  • Drop packets if the first TCP segment is not SYN.

  • Drop fragmented IP packets.

  • Drop Christmas tree packets (packets with all TCP flags set).

  • Drop NULL packets.

  • Drop invalid packets.

  • Drop packets with abnormal MSS values.

  • Provide brute-force protection.

  • Drop packets with routing Header Type 0.

  • Drop packets with a hop limit greater than 1.

  • Limit excessive TCP reset packets.

  • Protect against SYN flood.

  • Rate limit new TCP connections for each IP address.

  • Log all remaining packets, then drop them.

Whitelist Rules

Whitelist rules specify the services or application ports enabled on the switch. NVOS provides firewall whitelist rules to enable TCP ports and UDP ports.

The following table lists the ports that NVOS enables by default.

Protocol  Port                 Application
--------  -------------------  --------------
TCP       22                   SSH
UDP       68                   DHCP Client
UDP       67                   DHCP Server
UDP       123                  NTP
UDP       161                  SNMP
TCP       389                  LDAP
TCP       636                  LDAP TLS
UDP       546                  DHCPv6 Client
UDP       547                  DHCPv6 Server
UDP       4500                 IPSec-NAT
UDP       500                  IKE
UDP       1812,1813,1645,1656  RADIUS
TCP       49                   TACACS
UDP/TCP   53                   DNS
UDP       5353                 mDNS
UDP       514                  remote syslog
TCP       443                  HTTPS
TCP       9339                 gNMI
ICMP      NA                   Ping

Unset the Default Firewall Rules

The default rules are applied on first boot from the initial configuration. An unset operation unbinds them at any level. To rebind the rules, the user must explicitly use a ‘set’ command.

Add Firewall Rules

You cannot modify the acl-default-dos, acl-default-whitelist, acl-default-dos-ipv6, acl-default-whitelist-ipv6, acl-default-outbound, acl-default-outbound-ipv6, acl-default-loopback and acl-default-loopback-ipv6 rules. However, you can append or insert additional rules.
ACLs are applied in lexicographical order, so acl-default-dos takes precedence over an acl-user-dos rule. Keep this in mind: rules may overlap one another, and a packet may not match the rule you expect.

If you use non-default ports for an application, NVIDIA recommends that you add a whitelist rule for the non-default port. For example, if you use ports 3020 and 3022 for RADIUS server accounting and authentication instead of 1812 and 1813, you can add the following whitelist rules:

nvos@switch:~$ nv set acl acl-default-dos rule 765 match ip udp source-port 3020
nvos@switch:~$ nv set acl acl-default-dos rule 765 match ip connection-state new
nvos@switch:~$ nv set acl acl-default-dos rule 765 match ip connection-state established
nvos@switch:~$ nv set acl acl-default-dos rule 765 action permit
nvos@switch:~$ nv set acl acl-default-dos rule 766 match ip udp source-port 3022
nvos@switch:~$ nv set acl acl-default-dos rule 766 match ip connection-state new
nvos@switch:~$ nv set acl acl-default-dos rule 766 match ip connection-state established
nvos@switch:~$ nv set acl acl-default-dos rule 766 action permit
nvos@switch:~$ nv config apply
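The ordering caveat above (ACLs in lexicographical order, rules in numeric order, the log rule at 770 followed by the catch-all deny at 780) decides whether a whitelist rule such as 765 ever takes effect. The following added example, which is not NVOS code, walks constructed rules in the JSON shape printed by nv show acl ... -o json with a first-match evaluator; the source-port key mirroring the dest-port shape, the acl-user-radius ACL name and the sample packet are assumptions.

```python
"""Added example (not NVOS code): first-match walk over ACL rules in the JSON
shape that `nv show acl <acl> --rev=applied -o json` prints. ACL names are
evaluated in lexicographical order and rules inside an ACL in numeric order;
`log` is treated as non-terminal (log, then continue to the final deny).
The "source-port" key mirrors the page's "dest-port" shape and is an assumption."""


def _port_match(ports, port):
    # ports is a {"3020": {}} style dict; an absent key means "any port"
    return ports is None or str(port) in ports


def rule_matches(rule, pkt):
    ip = rule.get("match", {}).get("ip", {})
    if "protocol" in ip and ip["protocol"] != pkt["protocol"]:
        return False
    l4 = ip.get(pkt["protocol"], {})            # the "udp" / "tcp" sub-tree
    if not _port_match(l4.get("dest-port"), pkt["dest_port"]):
        return False
    if not _port_match(l4.get("source-port"), pkt["source_port"]):
        return False
    states = ip.get("connection-state")         # e.g. {"new": {}, "established": {}}
    return states is None or pkt["state"] in states


def first_match(acls, pkt):
    """Return (acl, rule number, action, logged) for the first terminal rule hit."""
    logged = False
    for acl in sorted(acls):                    # lexicographical ACL order
        for num in sorted(acls[acl], key=int):  # numeric rule order within an ACL
            rule = acls[acl][num]
            if not rule_matches(rule, pkt):
                continue
            action = next(iter(rule["action"]))
            if action == "log":                 # rule 770: record and keep going
                logged = True
                continue
            return acl, int(num), action, logged
    return None, None, "no-match", logged


def whitelist_rule(proto, port, key="dest-port"):
    # Constructed permit rule in the shape shown for rule 630 / 720 on this page
    return {"action": {"permit": {}},
            "match": {"ip": {"protocol": proto,
                             "connection-state": {"new": {}, "established": {}},
                             proto: {key: {str(port): {}}}}}}


# Constructed tail of acl-default-dos: RADIUS whitelist, log rule, catch-all deny
DEFAULT_DOS = {
    "720": whitelist_rule("udp", 1812),
    "770": {"action": {"log": {}}, "match": {"ip": {}}},
    "780": {"action": {"deny": {}}},
}

# Constructed packet: a reply from a RADIUS server that listens on port 3020
RADIUS_REPLY = {"protocol": "udp", "source_port": 3020,
                "dest_port": 50123, "state": "new"}


def place_rule(acl_name, number):
    """Put the page's rule-765-style whitelist entry at acl_name/number and
    evaluate the constructed RADIUS reply against the resulting ACL set."""
    acls = {"acl-default-dos": dict(DEFAULT_DOS)}
    acls.setdefault(acl_name, {})[str(number)] = whitelist_rule("udp", 3020, "source-port")
    return first_match(acls, RADIUS_REPLY)
```

Placing the rule at 765 in acl-default-dos permits the packet; placing it at 785, or in a separate acl-user-* ACL, leaves it shadowed by the log and deny rules that are evaluated first.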

Show Firewall Rules

To show the default rules, run the nv show acl <default-acl-id> command, where <default-acl-id> is one of acl-default-dos, acl-default-whitelist, acl-default-dos-ipv6, acl-default-whitelist-ipv6, acl-default-outbound, acl-default-outbound-ipv6, acl-default-loopback or acl-default-loopback-ipv6:

nvos@switch:~$ nv show acl acl-default-dos
      operational  applied
----  -----------  -------
type  ipv4         ipv4



rule
=======
    Number  Summary
    ------  ----------------------------------------
    10      action:                             deny
            match.ip.dest-ip:            127.0.0.0/8
    20      action:                           permit
    30      action:                             deny
            match.ip.protocol:                   tcp
    40      action:                             deny
            match.ip.protocol:                   tcp
    50      action:                             deny
            match.ip.protocol:                   tcp
    60      action:                             deny
            match.ip.protocol:                   tcp
    70      action:                             deny
    80      action:                             deny
            match.ip.protocol:                   tcp
    90      action:                             deny
            match.ip.protocol:                   tcp
    100     action:                             deny
    110     match.ip.protocol:                   tcp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           TCP
            match.ip.tcp.dest-port:               22
    120     action:                             deny
            match.ip.protocol:                   tcp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           TCP
            match.ip.recent-list.update-interval: 60
            match.ip.tcp.dest-port:               22
    130     match.ip.protocol:                   udp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           UDP
            match.ip.udp.dest-port:              161
    140     action:                             deny
            match.ip.protocol:                   udp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           UDP
            match.ip.recent-list.update-interval: 60
            match.ip.udp.dest-port:              161
    150     match.ip.protocol:                   tcp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           TCP
            match.ip.tcp.dest-port:              443
    160     action:                             deny
            match.ip.protocol:                   tcp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      150
            match.ip.recent-list.name:           TCP
            match.ip.recent-list.update-interval: 60
            match.ip.tcp.dest-port:              443
    170     match.ip.protocol:                   tcp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           TCP
            match.ip.tcp.dest-port:             9339
    180     action:                             deny
            match.ip.protocol:                   tcp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           TCP
            match.ip.recent-list.update-interval: 60
            match.ip.tcp.dest-port:             9339
    190     match.ip.protocol:                   tcp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           TCP
            match.ip.tcp.dest-port:              636
    200     action:                             deny
            match.ip.protocol:                   tcp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           TCP
            match.ip.recent-list.update-interval: 60
            match.ip.tcp.dest-port:              636
    210     match.ip.protocol:                   tcp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           TCP
            match.ip.tcp.dest-port:              389
    220     action:                             deny
            match.ip.protocol:                   tcp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           TCP
            match.ip.recent-list.update-interval: 60
            match.ip.tcp.dest-port:              389
    230     match.ip.protocol:                   tcp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           TCP
            match.ip.tcp.dest-port:               49
    240     action:                             deny
            match.ip.protocol:                   tcp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           TCP
            match.ip.recent-list.update-interval: 60
            match.ip.tcp.dest-port:               49
    250     match.ip.protocol:                   udp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           UDP
            match.ip.udp.dest-port:              123
    260     action:                             deny
            match.ip.protocol:                   udp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           UDP
            match.ip.recent-list.update-interval: 60
            match.ip.udp.dest-port:              123
    270     match.ip.protocol:                   tcp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           TCP
            match.ip.tcp.dest-port:               53
    280     action:                             deny
            match.ip.protocol:                   tcp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           TCP
            match.ip.recent-list.update-interval: 60
            match.ip.tcp.dest-port:               53
    290     match.ip.protocol:                   udp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           UDP
            match.ip.udp.dest-port:               53
    300     action:                             deny
            match.ip.protocol:                   udp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           UDP
            match.ip.recent-list.update-interval: 60
            match.ip.udp.dest-port:               53
    310     match.ip.protocol:                   udp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           UDP
            match.ip.udp.dest-port:              514
    320     action:                             deny
            match.ip.protocol:                   udp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           UDP
            match.ip.recent-list.update-interval: 60
            match.ip.udp.dest-port:              514
    330     match.ip.protocol:                   udp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           UDP
            match.ip.udp.dest-port:             5353
    340     action:                             deny
            match.ip.protocol:                   udp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           UDP
            match.ip.recent-list.update-interval: 60
            match.ip.udp.dest-port:             5353
    350     match.ip.protocol:                   udp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           UDP
            match.ip.udp.dest-port:               68
    360     action:                             deny
            match.ip.protocol:                   udp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           UDP
            match.ip.recent-list.update-interval: 60
            match.ip.udp.dest-port:               68
    370     match.ip.protocol:                   udp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           UDP
            match.ip.udp.dest-port:               67
    380     action:                             deny
            match.ip.protocol:                   udp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           UDP
            match.ip.recent-list.update-interval: 60
            match.ip.udp.dest-port:               67
    390     match.ip.protocol:                   udp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           UDP
            match.ip.udp.dest-port:             4500
    400     action:                             deny
            match.ip.protocol:                   udp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           UDP
            match.ip.recent-list.update-interval: 60
            match.ip.udp.dest-port:             4500
    410     match.ip.protocol:                   udp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           UDP
            match.ip.udp.dest-port:              500
    420     action:                             deny
            match.ip.protocol:                   udp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           UDP
            match.ip.recent-list.update-interval: 60
            match.ip.udp.dest-port:              500
    430     match.ip.protocol:                   udp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           UDP
            match.ip.udp.dest-port:             1812
    440     action:                             deny
            match.ip.protocol:                   udp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           UDP
            match.ip.recent-list.update-interval: 60
            match.ip.udp.dest-port:             1812
    450     match.ip.protocol:                   udp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           UDP
            match.ip.udp.dest-port:             1813
    460     action:                             deny
            match.ip.protocol:                   udp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           UDP
            match.ip.recent-list.update-interval: 60
            match.ip.udp.dest-port:             1813
    470     match.ip.protocol:                   udp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           UDP
            match.ip.udp.dest-port:             1645
    480     action:                             deny
            match.ip.protocol:                   udp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           UDP
            match.ip.recent-list.update-interval: 60
            match.ip.udp.dest-port:             1645
    490     match.ip.protocol:                   udp
            match.ip.recent-list.action:         set
            match.ip.recent-list.name:           UDP
            match.ip.udp.dest-port:             1646
    500     action:                             deny
            match.ip.protocol:                   udp
            match.ip.recent-list.action:      update
            match.ip.recent-list.hit-count:      100
            match.ip.recent-list.name:           UDP
            match.ip.recent-list.update-interval: 60
            match.ip.udp.dest-port:             1646
    510     action:                             deny
            match.ip.hashlimit.burst:              2
            match.ip.hashlimit.expire:         30000
            match.ip.hashlimit.mode:          src-ip
            match.ip.hashlimit.name:          TCPRST
            match.ip.hashlimit.rate-above:     5/min
            match.ip.hashlimit.source-mask:       32
            match.ip.protocol:                   tcp
    520     action:                             deny
            match.ip.hashlimit.burst:             30
            match.ip.hashlimit.expire:         30000
            match.ip.hashlimit.mode:          src-ip
            match.ip.hashlimit.name:       TCPGENRAL
            match.ip.hashlimit.rate-above: 50/second
            match.ip.hashlimit.source-mask:       32
            match.ip.protocol:                   tcp
    530     action:                             deny
            match.ip.hashlimit.burst:             30
            match.ip.hashlimit.expire:          3000
            match.ip.hashlimit.mode:          src-ip
            match.ip.hashlimit.name:       TCPGENRAL
            match.ip.hashlimit.rate-above: 50/second
            match.ip.hashlimit.source-mask:       32
            match.ip.protocol:                   tcp
    560     action:                           permit
            match.ip.protocol:                   udp
            match.ip.udp.dest-port:              161
            remark:                   Whitelist-snmp
    570     action:                           permit
            match.ip.protocol:                   tcp
            match.ip.tcp.dest-port:              443
            remark:                  Whitelist-https
    580     action:                           permit
            match.ip.protocol:                   tcp
            match.ip.tcp.dest-port:               22
            remark:                    Whitelist-ssh
    590     action:                           permit
            match.ip.protocol:                   tcp
            match.ip.tcp.dest-port:             9339
            remark:                   Whitelist-gnmi
    600     action:                           permit
            match.ip.protocol:                   tcp
            match.ip.tcp.dest-port:              636
            remark:               Whitelist-ldap-tls
    610     action:                           permit
            match.ip.protocol:                   udp
            match.ip.udp.dest-port:              514
            remark:                Whitelist-rsyslog
    620     action:                           permit
            match.ip.protocol:                   tcp
            match.ip.tcp.dest-port:              389
            remark:                   Whitelist-ldap
    630     action:                           permit
            match.ip.protocol:                   tcp
            match.ip.tcp.dest-port:               49
            remark:                 Whitelist-tacacs
    640     action:                           permit
            match.ip.protocol:                   udp
            match.ip.udp.dest-port:              123
            remark:                    Whitelist-ntp
    650     action:                           permit
            match.ip.protocol:                   udp
            match.ip.udp.dest-port:               53
            remark:                    Whitelist-dns
    660     action:                           permit
            match.ip.protocol:                   tcp
            match.ip.tcp.dest-port:               53
            remark:                    Whitelist-dns
    670     action:                           permit
            match.ip.protocol:                   udp
            match.ip.udp.dest-port:             5353
            remark:                   Whitelist-mDNS
    680     action:                           permit
            match.ip.protocol:                   udp
            match.ip.udp.dest-port:               68
            remark:                   Whitelist-dhcp
    690     action:                           permit
            match.ip.protocol:                   udp
            match.ip.udp.dest-port:               67
            remark:                   Whitelist-dhcp
    700     action:                           permit
            match.ip.protocol:                   udp
            match.ip.udp.dest-port:             4500
            remark:              Whitelist-IPSec-NAT
    710     action:                           permit
            match.ip.protocol:                   udp
            match.ip.udp.dest-port:              500
            remark:                    Whitelist-IKE
    720     action:                           permit
            match.ip.protocol:                   udp
            match.ip.udp.dest-port:             1812
            remark:                 Whitelist-radius
    730     action:                           permit
            match.ip.protocol:                   udp
            match.ip.udp.dest-port:             1813
            remark:                 Whitelist-radius
    740     action:                           permit
            match.ip.protocol:                   udp
            match.ip.udp.dest-port:             1645
            remark:                 Whitelist-radius
    750     action:                           permit
            match.ip.protocol:                   udp
            match.ip.udp.dest-port:             1646
            remark:                 Whitelist-radius
    760     action:                           permit
            match.ip.protocol:                  icmp
            remark:                   Whitelist-icmp
    770     action:                              log
            match.ip.hashlimit.burst:              5
            match.ip.hashlimit.expire:    4294967295
            match.ip.hashlimit.mode:          src-ip
            match.ip.hashlimit.name:         LOGGING
            match.ip.hashlimit.rate-above:     1/min
            match.ip.hashlimit.source-mask:       32
    780     action:                             deny


Run the nv show acl acl-default-dos --rev=applied -o json command to show additional information, such as the connection state, hit count and update interval:

nvos@switch:~$ nv show acl acl-default-dos --rev=applied -o json     
...

"630": {
      "action": {
        "permit": {}
      },
      "match": {
        "ip": {
          "connection-state": {
            "established": {},
            "new": {}
          },
          "protocol": "tcp",
          "tcp": {
            "dest-port": {
              "49": {}
            }
          }
        }
      },
      "remark": "Whitelist-tacacs"
    },

...

"500": {
      "action": {
        "deny": {}
      },
      "match": {
        "ip": {
          "connection-state": {
            "new": {}
          },
          "protocol": "udp",
          "recent-list": {
            "action": "update",
            "hit-count": 100,
            "name": "UDP",
            "update-interval": 60
          },
          "udp": {
            "dest-port": {
              "1646": {}
            }
          }
        }
      }
...


To show information about a specific rule, run the nv show acl <default-acl-id> rule <rule> command:

nvos@switch:~$ nv show acl acl-default-dos rule 500
                       operational  applied
---------------------  -----------  -------
match
  ip
    protocol           udp          udp
    udp
      [dest-port]      1646         1646
    recent-list
      name             UDP          UDP
      update-interval  60           60
      hit-count        100          100
      action           update       update
action                 deny         deny

Run the nv show acl <default-acl-id> rule <rule> --rev=applied -o json command to see additional information, such as the connection state:

nvos@switch:~$ nv show acl acl-default-dos rule 500 --rev=applied -o json
{
  "action": {
    "deny": {}
  },
  "match": {
    "ip": {
      "connection-state": {
        "new": {}
      },
      "protocol": "udp",
      "recent-list": {
        "action": "update",
        "hit-count": 100,
        "name": "UDP",
        "update-interval": 60
      },
      "udp": {
        "dest-port": {
          "1646": {}
        }
      }
    }
  }
}


Log Messages

Default firewall rules include a log rule for packets that arrive at the control plane and match neither user-defined nor default firewall rules. The switch writes a log message to /var/log/firewall_packet_capture.log for each packet that matches the log rule.
