* Forward default "DROP" is not applied to ORANGE traffic?! @ 2018-12-15 16:36 Peter Müller 2018-12-16 13:53 ` Michael Tremer 0 siblings, 1 reply; 8+ messages in thread From: Peter Müller @ 2018-12-15 16:36 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1348 bytes --] Hello list, I recently stumbled across a strange behaviour of IPFire 2.x, which seems to be quite critical in my eyes, but I am not sure whether it is intentional or not. Default settings of IPFire allow traffic from internal networks (GREEN, BLUE, ORANGE) to the internet (RED), as documented here: https://wiki.ipfire.org/configuration/firewall/default-policy For several reasons, no direct internet access is desired on most firewall installations I administer, so setting the "default firewall behaviour" to DROP for both FORWARD and OUTGOING usually is one of the first steps after installation. Speaking about GREEN and BLUE, this seems to work: No direct connection is possible except it has been explicitly allowed. It turns out this setting does not apply to traffic from ORANGE: Even default is set to DROP, and no firewall rules allowing anything are in place, a server located in DMZ is able to reach full internet - every port on every IP in every country. This is not my expectation of "default policy" = DROP after all! Could somebody of the core developers urgently have a look at this, please? Thanks, and best regards, Peter Müller -- Microsoft DNS service terminates abnormally when it recieves a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform. -- bugtraq ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Forward default "DROP" is not applied to ORANGE traffic?! 2018-12-15 16:36 Forward default "DROP" is not applied to ORANGE traffic?! Peter Müller @ 2018-12-16 13:53 ` Michael Tremer 2018-12-16 17:07 ` oliver.fuhrer 2018-12-23 15:31 ` Peter Müller 0 siblings, 2 replies; 8+ messages in thread From: Michael Tremer @ 2018-12-16 13:53 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 1840 bytes --] Hey, Could you dump the generated iptables ruleset? I do not see anything that could potentially be a problem here that is causing your behaviour: https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/firewall/firewall-policy;h=078c3c515c31f1f385a2159f83fb5c6c52f5e89f;hb=HEAD -Michael > On 15 Dec 2018, at 16:36, Peter Müller <peter.mueller(a)link38.eu> wrote: > > Hello list, > > I recently stumbled across a strange behaviour of IPFire 2.x, which > seems to be quite critical in my eyes, but I am not sure whether it is > intentional or not. > > Default settings of IPFire allow traffic from internal networks > (GREEN, BLUE, ORANGE) to the internet (RED), as documented here: > https://wiki.ipfire.org/configuration/firewall/default-policy > > For several reasons, no direct internet access is desired on most > firewall installations I administer, so setting the "default firewall > behaviour" to DROP for both FORWARD and OUTGOING usually is one of > the first steps after installation. > > Speaking about GREEN and BLUE, this seems to work: No direct connection > is possible except it has been explicitly allowed. > > It turns out this setting does not apply to traffic from ORANGE: Even > default is set to DROP, and no firewall rules allowing anything are > in place, a server located in DMZ is able to reach full internet - > every port on every IP in every country. > > This is not my expectation of "default policy" = DROP after all! > > Could somebody of the core developers urgently have a look at this, please? > > Thanks, and best regards, > Peter Müller > -- > Microsoft DNS service terminates abnormally when it recieves a response > to a DNS query that was never made. Fix Information: Run your DNS > service on a different platform. > -- bugtraq ^ permalink raw reply [flat|nested] 8+ messages in thread
* RE: Forward default "DROP" is not applied to ORANGE traffic?! 2018-12-16 13:53 ` Michael Tremer @ 2018-12-16 17:07 ` oliver.fuhrer 2018-12-23 15:31 ` Peter Müller 1 sibling, 0 replies; 8+ messages in thread From: oliver.fuhrer @ 2018-12-16 17:07 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2752 bytes --] Hi Michael, I observed the same issue on my installations and I think it's coming from the following lines in /etc/rc.d/init.d/firewall: 413 # Orange pinholes 414 if [ "$ORANGE_DEV" != "" ]; then 415 # This rule enables a host on ORANGE network to connect to the outside 416 # (only if we have a red connection) 417 if [ "$IFACE" != "" ]; then 418 iptables -A REDFORWARD -i $ORANGE_DEV -o $IFACE -j ACCEPT 419 fi 420 fi Regards Oliver -----Original Message----- From: Development <development-bounces(a)lists.ipfire.org> On Behalf Of Michael Tremer Sent: Sunday, December 16, 2018 2:53 PM To: Peter Müller <peter.mueller(a)link38.eu> Cc: IPFire: Development-List <development(a)lists.ipfire.org> Subject: Re: Forward default "DROP" is not applied to ORANGE traffic?! Hey, Could you dump the generated iptables ruleset? I do not see anything that could potentially be a problem here that is causing your behaviour: https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/firewall/firewall-policy;h=078c3c515c31f1f385a2159f83fb5c6c52f5e89f;hb=HEAD -Michael > On 15 Dec 2018, at 16:36, Peter Müller <peter.mueller(a)link38.eu> wrote: > > Hello list, > > I recently stumbled across a strange behaviour of IPFire 2.x, which > seems to be quite critical in my eyes, but I am not sure whether it is > intentional or not. > > Default settings of IPFire allow traffic from internal networks > (GREEN, BLUE, ORANGE) to the internet (RED), as documented here: > https://wiki.ipfire.org/configuration/firewall/default-policy > > For several reasons, no direct internet access is desired on most > firewall installations I administer, so setting the "default firewall > behaviour" to DROP for both FORWARD and OUTGOING usually is one of > the first steps after installation. > > Speaking about GREEN and BLUE, this seems to work: No direct connection > is possible except it has been explicitly allowed. > > It turns out this setting does not apply to traffic from ORANGE: Even > default is set to DROP, and no firewall rules allowing anything are > in place, a server located in DMZ is able to reach full internet - > every port on every IP in every country. > > This is not my expectation of "default policy" = DROP after all! > > Could somebody of the core developers urgently have a look at this, please? > > Thanks, and best regards, > Peter Müller > -- > Microsoft DNS service terminates abnormally when it recieves a response > to a DNS query that was never made. Fix Information: Run your DNS > service on a different platform. > -- bugtraq ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Forward default "DROP" is not applied to ORANGE traffic?! 2018-12-16 13:53 ` Michael Tremer 2018-12-16 17:07 ` oliver.fuhrer @ 2018-12-23 15:31 ` Peter Müller 2019-01-04 21:12 ` Peter Müller 1 sibling, 1 reply; 8+ messages in thread From: Peter Müller @ 2018-12-23 15:31 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2557 bytes --] Hello Michael, sorry for the late reply. I will send you the output of "iptables -L -n -v" directly. So far, I am able to reproduce this issue on two machines (both with default policy set to DROP). In both cases, adding a rule with source = ORANGE, destination = RED and action = DROP to the end of the firewall ruleset in the WebUI solved the problem. So far, it seems like ORANGE is affected by this only. Thanks, and best regards, Peter Müller > Hey, > > Could you dump the generated iptables ruleset? > > I do not see anything that could potentially be a problem here that is causing your behaviour: > > https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/firewall/firewall-policy;h=078c3c515c31f1f385a2159f83fb5c6c52f5e89f;hb=HEAD > > -Michael > >> On 15 Dec 2018, at 16:36, Peter Müller <peter.mueller(a)link38.eu> wrote: >> >> Hello list, >> >> I recently stumbled across a strange behaviour of IPFire 2.x, which >> seems to be quite critical in my eyes, but I am not sure whether it is >> intentional or not. >> >> Default settings of IPFire allow traffic from internal networks >> (GREEN, BLUE, ORANGE) to the internet (RED), as documented here: >> https://wiki.ipfire.org/configuration/firewall/default-policy >> >> For several reasons, no direct internet access is desired on most >> firewall installations I administer, so setting the "default firewall >> behaviour" to DROP for both FORWARD and OUTGOING usually is one of >> the first steps after installation. >> >> Speaking about GREEN and BLUE, this seems to work: No direct connection >> is possible except it has been explicitly allowed. >> >> It turns out this setting does not apply to traffic from ORANGE: Even >> default is set to DROP, and no firewall rules allowing anything are >> in place, a server located in DMZ is able to reach full internet - >> every port on every IP in every country. >> >> This is not my expectation of "default policy" = DROP after all! >> >> Could somebody of the core developers urgently have a look at this, please? >> >> Thanks, and best regards, >> Peter Müller >> -- >> Microsoft DNS service terminates abnormally when it recieves a response >> to a DNS query that was never made. Fix Information: Run your DNS >> service on a different platform. >> -- bugtraq > -- Microsoft DNS service terminates abnormally when it recieves a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform. -- bugtraq ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Forward default "DROP" is not applied to ORANGE traffic?! 2018-12-23 15:31 ` Peter Müller @ 2019-01-04 21:12 ` Peter Müller 2019-01-05 12:51 ` Michael Tremer 0 siblings, 1 reply; 8+ messages in thread From: Peter Müller @ 2019-01-04 21:12 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 2843 bytes --] Hello Michael, just a quick reminder on this. :-) I know it's still the very beginning of the year... If there are any questions, please drop me a line. Thanks, and best regards, Peter Müller > Hello Michael, > > sorry for the late reply. > > I will send you the output of "iptables -L -n -v" directly. > > So far, I am able to reproduce this issue on two machines > (both with default policy set to DROP). In both cases, adding > a rule with source = ORANGE, destination = RED and action = DROP > to the end of the firewall ruleset in the WebUI solved the > problem. > > So far, it seems like ORANGE is affected by this only. > > Thanks, and best regards, > Peter Müller > >> Hey, >> >> Could you dump the generated iptables ruleset? >> >> I do not see anything that could potentially be a problem here that is causing your behaviour: >> >> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/firewall/firewall-policy;h=078c3c515c31f1f385a2159f83fb5c6c52f5e89f;hb=HEAD >> >> -Michael >> >>> On 15 Dec 2018, at 16:36, Peter Müller <peter.mueller(a)link38.eu> wrote: >>> >>> Hello list, >>> >>> I recently stumbled across a strange behaviour of IPFire 2.x, which >>> seems to be quite critical in my eyes, but I am not sure whether it is >>> intentional or not. >>> >>> Default settings of IPFire allow traffic from internal networks >>> (GREEN, BLUE, ORANGE) to the internet (RED), as documented here: >>> https://wiki.ipfire.org/configuration/firewall/default-policy >>> >>> For several reasons, no direct internet access is desired on most >>> firewall installations I administer, so setting the "default firewall >>> behaviour" to DROP for both FORWARD and OUTGOING usually is one of >>> the first steps after installation. >>> >>> Speaking about GREEN and BLUE, this seems to work: No direct connection >>> is possible except it has been explicitly allowed. >>> >>> It turns out this setting does not apply to traffic from ORANGE: Even >>> default is set to DROP, and no firewall rules allowing anything are >>> in place, a server located in DMZ is able to reach full internet - >>> every port on every IP in every country. >>> >>> This is not my expectation of "default policy" = DROP after all! >>> >>> Could somebody of the core developers urgently have a look at this, please? >>> >>> Thanks, and best regards, >>> Peter Müller >>> -- >>> Microsoft DNS service terminates abnormally when it recieves a response >>> to a DNS query that was never made. Fix Information: Run your DNS >>> service on a different platform. >>> -- bugtraq >> > -- Microsoft DNS service terminates abnormally when it recieves a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform. -- bugtraq ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Forward default "DROP" is not applied to ORANGE traffic?! 2019-01-04 21:12 ` Peter Müller @ 2019-01-05 12:51 ` Michael Tremer 2019-01-06 10:41 ` Peter Müller 0 siblings, 1 reply; 8+ messages in thread From: Michael Tremer @ 2019-01-05 12:51 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 3190 bytes --] Hi, > On 4 Jan 2019, at 21:12, Peter Müller <peter.mueller(a)link38.eu> wrote: > > Hello Michael, > > just a quick reminder on this. :-) I know it's still the very beginning > of the year... > > If there are any questions, please drop me a line. Reminder of what? According to the code this is intentional. If you think that this should not be like this, please send a patch. -Michael > Thanks, and best regards, > Peter Müller > > >> Hello Michael, >> >> sorry for the late reply. >> >> I will send you the output of "iptables -L -n -v" directly. >> >> So far, I am able to reproduce this issue on two machines >> (both with default policy set to DROP). In both cases, adding >> a rule with source = ORANGE, destination = RED and action = DROP >> to the end of the firewall ruleset in the WebUI solved the >> problem. >> >> So far, it seems like ORANGE is affected by this only. >> >> Thanks, and best regards, >> Peter Müller >> >>> Hey, >>> >>> Could you dump the generated iptables ruleset? >>> >>> I do not see anything that could potentially be a problem here that is causing your behaviour: >>> >>> https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/firewall/firewall-policy;h=078c3c515c31f1f385a2159f83fb5c6c52f5e89f;hb=HEAD >>> >>> -Michael >>> >>>> On 15 Dec 2018, at 16:36, Peter Müller <peter.mueller(a)link38.eu> wrote: >>>> >>>> Hello list, >>>> >>>> I recently stumbled across a strange behaviour of IPFire 2.x, which >>>> seems to be quite critical in my eyes, but I am not sure whether it is >>>> intentional or not. >>>> >>>> Default settings of IPFire allow traffic from internal networks >>>> (GREEN, BLUE, ORANGE) to the internet (RED), as documented here: >>>> https://wiki.ipfire.org/configuration/firewall/default-policy >>>> >>>> For several reasons, no direct internet access is desired on most >>>> firewall installations I administer, so setting the "default firewall >>>> behaviour" to DROP for both FORWARD and OUTGOING usually is one of >>>> the first steps after installation. >>>> >>>> Speaking about GREEN and BLUE, this seems to work: No direct connection >>>> is possible except it has been explicitly allowed. >>>> >>>> It turns out this setting does not apply to traffic from ORANGE: Even >>>> default is set to DROP, and no firewall rules allowing anything are >>>> in place, a server located in DMZ is able to reach full internet - >>>> every port on every IP in every country. >>>> >>>> This is not my expectation of "default policy" = DROP after all! >>>> >>>> Could somebody of the core developers urgently have a look at this, please? >>>> >>>> Thanks, and best regards, >>>> Peter Müller >>>> -- >>>> Microsoft DNS service terminates abnormally when it recieves a response >>>> to a DNS query that was never made. Fix Information: Run your DNS >>>> service on a different platform. >>>> -- bugtraq >>> >> > -- > Microsoft DNS service terminates abnormally when it recieves a response > to a DNS query that was never made. Fix Information: Run your DNS > service on a different platform. > -- bugtraq ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Forward default "DROP" is not applied to ORANGE traffic?! 2019-01-05 12:51 ` Michael Tremer @ 2019-01-06 10:41 ` Peter Müller 2019-01-07 12:57 ` Michael Tremer 0 siblings, 1 reply; 8+ messages in thread From: Peter Müller @ 2019-01-06 10:41 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 600 bytes --] Hello Michael, thanks for your reply. Sorry for the confusion. The current behaviour is unintentional in my point of view: If default policy is set to DROP, connections from GREEN and BLUE to RED are forbidden by default, but not from ORANGE to RED. As far as I know, this is not even documented. Thereof, I suggest to change behaviour to DROP, too. @All: Opinions? Thanks, and best regards, Peter Müller -- Microsoft DNS service terminates abnormally when it recieves a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform. -- bugtraq ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Forward default "DROP" is not applied to ORANGE traffic?! 2019-01-06 10:41 ` Peter Müller @ 2019-01-07 12:57 ` Michael Tremer 0 siblings, 0 replies; 8+ messages in thread From: Michael Tremer @ 2019-01-07 12:57 UTC (permalink / raw) To: development [-- Attachment #1: Type: text/plain, Size: 857 bytes --] Hey, > On 6 Jan 2019, at 10:41, Peter Müller <peter.mueller(a)link38.eu> wrote: > > Hello Michael, > > thanks for your reply. Sorry for the confusion. > > The current behaviour is unintentional in my point of view: If default > policy is set to DROP, connections from GREEN and BLUE to RED are > forbidden by default, but not from ORANGE to RED. As far as I know, > this is not even documented. > This *is* intended. The code says so. What you are saying is that it is unexpected. Agreed. > Thereof, I suggest to change behaviour to DROP, too. > > @All: Opinions? *Raises hand in favour* -Michael > > Thanks, and best regards, > Peter Müller > -- > Microsoft DNS service terminates abnormally when it recieves a response > to a DNS query that was never made. Fix Information: Run your DNS > service on a different platform. > -- bugtraq ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2019-01-07 12:57 UTC | newest] Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2018-12-15 16:36 Forward default "DROP" is not applied to ORANGE traffic?! Peter Müller 2018-12-16 13:53 ` Michael Tremer 2018-12-16 17:07 ` oliver.fuhrer 2018-12-23 15:31 ` Peter Müller 2019-01-04 21:12 ` Peter Müller 2019-01-05 12:51 ` Michael Tremer 2019-01-06 10:41 ` Peter Müller 2019-01-07 12:57 ` Michael Tremer
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox