From: "Peter Müller" <peter.mueller@link38.eu>
To: development@lists.ipfire.org
Subject: Re: Forward default "DROP" is not applied to ORANGE traffic?!
Date: Sun, 23 Dec 2018 16:31:21 +0100
Message-ID: <6e465ff2-a0e2-2a9c-8d49-82524459724b@link38.eu>
In-Reply-To: <EA5EABB1-AC7A-4338-90A9-90A2EA3D549B@ipfire.org>


Hello Michael,

sorry for the late reply.

I will send you the output of "iptables -L -n -v" directly.

So far, I am able to reproduce this issue on two machines
(both with default policy set to DROP). In both cases, adding
a rule with source = ORANGE, destination = RED and action = DROP
to the end of the firewall ruleset in the WebUI solved the
problem.

So far, it seems like ORANGE is affected by this only.

Thanks, and best regards,
Peter Müller

> Hey,
> 
> Could you dump the generated iptables ruleset?
> 
> I do not see anything that could potentially be a problem here that is causing your behaviour:
> 
>   https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/firewall/firewall-policy;h=078c3c515c31f1f385a2159f83fb5c6c52f5e89f;hb=HEAD
> 
> -Michael
> 
>> On 15 Dec 2018, at 16:36, Peter Müller <peter.mueller(a)link38.eu> wrote:
>>
>> Hello list,
>>
>> I recently stumbled across a strange behaviour of IPFire 2.x, which
>> seems to be quite critical in my eyes, but I am not sure whether it is
>> intentional or not.
>>
>> Default settings of IPFire allow traffic from internal networks
>> (GREEN, BLUE, ORANGE) to the internet (RED), as documented here:
>> https://wiki.ipfire.org/configuration/firewall/default-policy
>>
>> For several reasons, no direct internet access is desired on most
>> firewall installations I administer, so setting the "default firewall
>> behaviour" to DROP for both FORWARD and OUTGOING usually is one of
>> the first steps after installation.
>>
>> Speaking about GREEN and BLUE, this seems to work: No direct connection
>> is possible unless it has been explicitly allowed.
>>
>> It turns out this setting does not apply to traffic from ORANGE: Even
>> if default is set to DROP, and no firewall rules allowing anything are
>> in place, a server located in the DMZ is able to reach the full internet -
>> every port on every IP in every country.
>>
>> This is not my expectation of "default policy" = DROP after all!
>>
>> Could somebody of the core developers urgently have a look at this, please?
>>
>> Thanks, and best regards,
>> Peter Müller
>> -- 
>> Microsoft DNS service terminates abnormally when it receives a response
>> to a DNS query that was never made.  Fix Information: Run your DNS
>> service on a different platform.
>> 		-- bugtraq
> 

-- 
Microsoft DNS service terminates abnormally when it receives a response
to a DNS query that was never made.  Fix Information: Run your DNS
service on a different platform.
		-- bugtraq
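A check of the kind this thread calls for, added here as an example and not IPFire's own code: it walks an `iptables -S` dump (a constructed sample whose chain, interface and subnet names are made up, not IPFire's generated ruleset) and reports the verdict a new outbound connection from each zone towards RED would get, so the effective per-zone policy is confirmed from the ruleset itself rather than from the WebUI setting.

```python
import ipaddress

# Constructed `iptables -S` dump (assumption: chain, interface and subnet names are
# made up for this example and are not IPFire's generated ruleset).
SAMPLE_DUMP = """\
-P FORWARD DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j ZONEPOLICY
-A ZONEPOLICY -i green0 -o red0 -j DROP
-A ZONEPOLICY -i orange0 -o red0 -j ACCEPT
"""
ZONES = {"GREEN": ("green0", "192.168.1.0/24"), "ORANGE": ("orange0", "192.168.3.0/24")}
OPTS = ("-s", "-d", "-i", "-o", "-j", "--ctstate")  # the only rule options modelled

def parse_dump(text):
    """Split an `iptables -S` dump into builtin policies and per-chain rule lists."""
    policies, chains = {}, {}
    for p in (line.split() for line in text.splitlines() if line.strip()):
        if p[0] == "-P":
            policies[p[1]] = p[2]
        elif p[0] == "-A":  # keep known option/value pairs; other matches are ignored
            chains.setdefault(p[1], []).append(
                {p[i]: p[i + 1] for i in range(2, len(p) - 1) if p[i] in OPTS})
    return policies, chains

def rule_matches(rule, pkt):
    """pkt is the first packet of a NEW connection: src, dst, in_if, out_if."""
    return ("NEW" in rule.get("--ctstate", "NEW").split(",")
            and rule.get("-i", pkt["in_if"]) == pkt["in_if"]
            and rule.get("-o", pkt["out_if"]) == pkt["out_if"]
            and all(pkt[k] in ipaddress.ip_network(rule[o], strict=False)
                    for o, k in (("-s", "src"), ("-d", "dst")) if o in rule))

def verdict(policies, chains, pkt, chain="FORWARD"):
    """First terminating match wins; otherwise the chain policy (None = user chain fell through)."""
    for rule in (r for r in chains.get(chain, []) if rule_matches(r, pkt)):
        target = rule.get("-j")
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target in chains:  # user-defined chain: descend and honour its decision
            sub = verdict(policies, chains, pkt, target)
            if sub is not None:
                return sub
    return policies.get(chain)

def zones_reaching_red(dump, zones, red_if="red0", dst="203.0.113.10"):
    policies, chains = parse_dump(dump)
    return {z: verdict(policies, chains, {"src": next(ipaddress.ip_network(net).hosts()),
            "dst": ipaddress.ip_address(dst), "in_if": iface, "out_if": red_if})
            for z, (iface, net) in zones.items()}
```

Run it against the real dump (`iptables -S FORWARD` plus the user chains it jumps to) with the zones' actual interfaces and subnets filled in; a zone reporting ACCEPT while the default policy is DROP is exactly the condition described above.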
