* Firewall Question
From: Alexander Marx @ 2012-10-13 12:39 UTC (permalink / raw)
To: development
Dear developers.
Are there any plans to implement the possibility to create firewall
rules for OpenVPN subnets?
Actually, all VPN connections are able to do anything in the remote network.
The only solution is to put your own iptables rules in
/etc/sysconfig/firewall.local
I already tried to play with the OVPNFORWARD Chain but had no luck.
It would be great if one can say:
Hey, VPN1 is only allowed to connect to my internal servers 192.168.0.2
and 192.168.0.3 via RDP (3389)
and that via GUI.
I already developed addons for IPCop, but IPFire seems completely different...
Greetings
Al
* Re: Firewall Question
From: Michael Tremer @ 2012-10-13 17:18 UTC (permalink / raw)
To: development
Hey Alex,
On Sat, 2012-10-13 at 14:39 +0200, Alexander Marx wrote:
> Dear developers.
>
> Are there any plans to implement the possibility to create firewall
> rules for OpenVPN subnets?
> Actually, all VPN connections are able to do anything in the remote network.
> The only solution is to put your own iptables rules in
> /etc/sysconfig/firewall.local
No, there are currently no plans to do that.
/etc/sysconfig/firewall.local is a mighty way to do these rules,
although it is not very nice to type them. Agreed.
> I already tried to play with the OVPNFORWARD Chain but had no luck.
You should use CUSTOMFORWARD/CUSTOMINPUT for those rules.
> It would be great if one can say:
> Hey, VPN1 is only allowed to connect to my internal servers 192.168.0.2
> and 192.168.0.3 via RDP (3389)
> and that via GUI.
You can use the outgoing firewall to limit some sorts of traffic, but
you cannot block incoming packets with it.
> I already developed addons for IPCop, but IPFire seems completely different...
No, the web UI is pretty much the same (crap). The firewall scripts do
not differ too much, either.
> Greetings
> Al
* Re: Firewall Question
[not found] <5079AABC.4020104@oab.de>
From: Michael Tremer @ 2012-10-17 10:08 UTC (permalink / raw)
To: development
On Sat, 2012-10-13 at 19:54 +0200, Alexander Marx wrote:
> On 13.10.2012 19:18, Michael Tremer wrote:
> >> I already tried to play with the OVPNFORWARD Chain but had no luck.
> > You should use CUSTOMFORWARD/CUSTOMINPUT for those rules.
> OK. But why are there the chains OVPNINPUT and OVPNFORWARD?!
> As far as I understand right now, these chains should be DROP or
> flushed when the firewall is in mode 1, right?
> And to think a bit further, when someone begins to develop an addon or
> core function to create rules
> for CUSTOMFORWARD with a web GUI, is this sufficient for creating an
> INCOMING firewall?! (I know it's the FORWARD chain)
> But I hope you understand what I mean.
Those chains have been introduced with the OpenVPN addon.
It was intended to build in-tunnel filtering, but that has never been
implemented.
If you would like to implement filtering for VPN tunnels, please use
those chains. Don't put anything into CUSTOM* because these are for
rules that are manually created by the user.
OVPNINPUT and OVPNFORWARD work in exactly the same way. Same for
IPSECINPUT and IPSECFORWARD.
> >> It would be great if one can say:
> >> Hey, VPN1 is only allowed to connect to my internal servers 192.168.0.2
> >> and 192.168.0.3 via RDP (3389)
> >> and that via GUI.
> > You can use the outgoing firewall to limit some sorts of traffic, but
> > you cannot block incoming packets with it.
> >
> >> I already developed addons for IPCop, but IPFire seems completely different...
> > No, the web UI is pretty much the same (crap). The firewall scripts do
> > not differ too much, either.
> Well, the way IPFire is compiled and the way addons are created is much
> more complicated at first sight.
Indeed, there is a detailed guide how to start on our wiki.
http://wiki.ipfire.org/en/development/build
> If I understood how to add changes to IPFire, maybe I would
> begin to develop some sort of
> GUI for creating some firewall rules.
> I think it is not so difficult, because it just takes a text file for the
> rules, and a table in the web interface where the rule positions can be
> changed and created. And a function that reads the rules on every reboot.
>
> Do you agree so far?!!
Yes, that's the way.
Maybe it is a good idea to integrate that as natively as possible into the
WUI, because there are already too many possibilities for how to add firewall
rules (portfw, xtaccess, outgoing firewall, ...).
Michael
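What the thread leaves as an exercise is the actual firewall.local content: the manual rule set Michael points at in his first reply (CUSTOMFORWARD/CUSTOMINPUT are the user hooks) that implements Alex's wish, "VPN1 may only reach 192.168.0.2 and 192.168.0.3 on RDP". The script below is an added example written for this page; it is not IPFire's shipped /etc/sysconfig/firewall.local and not code anyone posted in the thread. It assumes (hypothetically) that the client VPN1 is always given the tunnel address 10.10.10.2 (client-config-dir with ifconfig-push), that the tunnel interface is tun0, that IPFire invokes firewall.local with start, stop and reload, and that RDP is plain TCP/3389. The chain name VPN1_ACL and the iptables-command argument of the functions are also this example's own.

```shell
#!/bin/sh
# Added example for /etc/sysconfig/firewall.local: restrict one OpenVPN
# client to RDP on two green hosts. Not IPFire's shipped file and not code
# from the thread. Assumptions (hypothetical, adjust to your setup):
#   - VPN1 always gets the tunnel address 10.10.10.2 (client-config-dir with
#     ifconfig-push); with pool addresses a source-IP ACL means nothing
#   - the OpenVPN tunnel interface is tun0
#   - IPFire calls this script with start|stop|reload, and CUSTOMFORWARD is
#     the user hook inside FORWARD (as recommended in the reply above)
IPTABLES="${IPTABLES:-iptables}"
CHAIN="VPN1_ACL"         # own chain, so stop/reload can remove it cleanly
OVPN_IF="tun0"
VPN1="10.10.10.2"
RDP_HOSTS="192.168.0.2 192.168.0.3"
RDP_PORT="3389"

# vpn_acl_start [iptables-command]
# Builds the chain and hooks it into CUSTOMFORWARD for packets arriving from
# the tunnel. The optional argument replaces the iptables binary (e.g. a
# function that just prints its arguments) so the generated rules can be
# inspected without touching the kernel.
vpn_acl_start() {
    ipt="${1:-$IPTABLES}"
    $ipt -N "$CHAIN" 2>/dev/null || true   # exists already on reload
    $ipt -F "$CHAIN"
    # replies belonging to sessions we already accepted
    $ipt -A "$CHAIN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # VPN1 may open RDP to the listed servers only
    for host in $RDP_HOSTS; do
        $ipt -A "$CHAIN" -s "$VPN1" -d "$host" -p tcp --dport "$RDP_PORT" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # everything else from VPN1 is logged (rate limited) and dropped
    $ipt -A "$CHAIN" -s "$VPN1" -m limit --limit 5/min \
        -j LOG --log-prefix "${CHAIN}_DROP "
    $ipt -A "$CHAIN" -s "$VPN1" -j DROP
    # other clients fall through to the rest of FORWARD, behaviour unchanged;
    # the hook goes first so nothing earlier in CUSTOMFORWARD can accept first
    $ipt -I CUSTOMFORWARD 1 -i "$OVPN_IF" -j "$CHAIN"
}

# vpn_acl_stop [iptables-command]: unhook and delete the chain
vpn_acl_stop() {
    ipt="${1:-$IPTABLES}"
    $ipt -D CUSTOMFORWARD -i "$OVPN_IF" -j "$CHAIN" 2>/dev/null || true
    $ipt -F "$CHAIN" 2>/dev/null || true
    $ipt -X "$CHAIN" 2>/dev/null || true
}

case "$1" in
    start)  vpn_acl_start ;;
    stop)   vpn_acl_stop ;;
    reload) vpn_acl_stop; vpn_acl_start ;;
esac
```

Two points worth keeping in mind when adapting this. The rules live in FORWARD (CUSTOMFORWARD), not INPUT, because traffic from a VPN client to a green host is routed through the firewall; CUSTOMINPUT would only govern connections to the firewall itself. And the whole approach stands or falls with a fixed per-client tunnel address: if clients draw addresses from the OpenVPN pool, VPN1's source address tells you nothing about who is behind it, and the ACL has to be keyed some other way. The "outgoing firewall" Michael mentions cannot express this rule set, as he says; the hook above is exactly the filtering the OVPNFORWARD chain was reserved for but never got.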