From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Firewall Question
Date: Wed, 17 Oct 2012 12:08:43 +0200
Message-ID: <1350468523.9815.56.camel@rice-oxley.tremer.info>
In-Reply-To: <5079AABC.4020104@oab.de>

On Sat, 2012-10-13 at 19:54 +0200, Alexander Marx wrote:
> On 13.10.2012 19:18, Michael Tremer wrote:
> >> I already tried to play with the OVPNFORWARD chain but had no luck.
> > You should use CUSTOMFORWARD/CUSTOMINPUT for those rules.
> OK. But why are there the chains OVPNINPUT and OVPNFORWARD?!
> As far as I understand right now, these chains should be DROP or
> flushed when the firewall is in mode 1, right?
> And to think a bit further, when someone begins to develop an addon or
> core function to create rules
> for CUSTOMFORWARD with a web GUI, is this sufficient for creating an
> INCOMING firewall?! (I know it's the FORWARD chain)
> But I hope you understand what I mean.

Those chains have been introduced with the OpenVPN addon. It was intended
to build in-tunnel filtering, but that has never been implemented. If you
would like to implement filtering for VPN tunnels, please use those
chains. Don't put anything into CUSTOM* because these are for rules that
are manually created by the user.

OVPNINPUT and OVPNFORWARD work in exactly the same way. Same for
IPSECINPUT and IPSECFORWARD.

> >> It would be great if one could say:
> >> Hey, VPN1 is only allowed to connect to my internal servers 192.168.0.2
> >> and 192.168.0.3 via RDP (3389)
> >> and that via GUI
> > You can use the outgoing firewall to limit some sorts of traffic, but
> > you cannot block incoming packets with it.
> >
> >> I already developed addons for IPCop, but IPFire seems completely different...
> > No, the web UI is pretty much the same (crap). The firewall scripts do
> > not differ too much, either.
> Well, the way IPFire is compiled and the way addons are created is much
> more complicated at first sight.

Indeed, there is a detailed guide on how to start on our wiki.
http://wiki.ipfire.org/en/development/build

> If I understood how to add changes to IPFire, maybe I would
> begin to develop some sort of
> GUI for creating firewall rules.
> I think it is not so difficult, because it just takes a text file for the
> rules, and a table in the web interface where the rule positions can be
> changed and created. And a function that reads the rules on every reboot.
>
> Do you agree so far?!!

Yes, that's the way. Maybe it is a good idea to integrate that as natively
as possible into the WUI, because there are already too many possibilities
for adding firewall rules (portfw, xtaccess, outgoing firewall, ...).

Michael
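The thread above describes two things: in-tunnel filtering belongs in the OVPNFORWARD chain (not CUSTOM*), and a rule GUI could work from a text file that a script re-reads on every boot. The following shell script is an added example illustrating both, written for this reply; it is not IPFire's own code. It assumes a rule-file format of one `<source-cidr> <destination-ip> <proto> <dport>` rule per line, an OpenVPN client subnet of 10.8.0.0/24, tunnel interfaces matching `tun+`, and a rule-file path under `$TMPDIR`; all of these are constructed for the example, as is the sample rule file, which encodes the "VPN1 may only reach 192.168.0.2 and 192.168.0.3 via RDP" case from the thread.

```shell
#!/bin/sh
# Added example, not IPFire code: drive the OVPNFORWARD chain from a
# small text rule file. Only the OVPN* chain is touched; CUSTOM* stays
# reserved for the user's hand-written rules, as the thread says.
#
# Assumed rule-file format (constructed for this example):
#   "<source-cidr> <destination-ip> <proto> <dport>", '#' starts a comment.

RULEFILE="${RULEFILE:-${TMPDIR:-/tmp}/ovpn-forward.rules}"  # assumed path
VPN_IF="tun+"                                               # assumed OpenVPN device glob

# Constructed sample rule file: VPN clients (assumed 10.8.0.0/24) may only
# open RDP to the two internal servers named in the thread.
write_sample_rules() {
    cat > "$RULEFILE" <<'EOF'
# src            dst           proto dport
10.8.0.0/24      192.168.0.2   tcp   3389
10.8.0.0/24      192.168.0.3   tcp   3389
EOF
}

# Translate the rule file into iptables commands for OVPNFORWARD.
# This function only prints the commands; nothing is applied here.
emit_ovpn_forward_rules() {
    echo "iptables -F OVPNFORWARD"
    # Return traffic of connections we allowed also traverses the chain.
    echo "iptables -A OVPNFORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    while read -r src dst proto dport; do
        # Skip blank lines and comments.
        case "$src" in ''|\#*) continue ;; esac
        # Refuse anything that is not a plain port number before it reaches
        # a command line; a GUI-written file must not be trusted blindly.
        case "$dport" in ''|*[!0-9]*) echo "bad port in rule file: $dport" >&2; return 1 ;; esac
        echo "iptables -A OVPNFORWARD -i $VPN_IF -s $src -d $dst -p $proto --dport $dport -m conntrack --ctstate NEW -j ACCEPT"
    done < "$RULEFILE"
    # Everything else coming out of the tunnel is logged (rate-limited) and dropped.
    echo "iptables -A OVPNFORWARD -i $VPN_IF -m limit --limit 5/min -j LOG --log-prefix \"OVPNFORWARD drop: \""
    echo "iptables -A OVPNFORWARD -i $VPN_IF -j DROP"
}

# On boot this would run as root and apply the rules; without root it just
# shows what would be applied, which is also how the rule set is reviewed.
apply_ovpn_forward_rules() {
    if [ "$(id -u)" -eq 0 ]; then
        emit_ovpn_forward_rules | sh -e
    else
        emit_ovpn_forward_rules
    fi
}

write_sample_rules
apply_ovpn_forward_rules
```

The generated rule set ends with an explicit DROP for the tunnel interface, so a rule file that is empty or missing entries fails closed rather than open; the port check is the minimum validation a file written by a web GUI should get before its content is turned into commands.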