From: Alexander Koch <ipfire@starkstromkonsument.de>
To: development@lists.ipfire.org
Subject: firewall rules.pl - rules of forwardfw are also beeing added to inputfw / outputfw and green/blue are allays accepted on INPUT ????
Date: Sun, 08 Sep 2019 02:09:43 +0200 [thread overview]
Message-ID: <93f6410e-ef84-5e16-05df-7e9ad09c2719@starkstromkonsument.de> (raw)
[-- Attachment #1: Type: text/plain, Size: 3463 bytes --]
Hi,
I was wondering why some hosts of my internal nets had access to some ports on my IPFire-Machine that I didn't open for them and I didn't want them to either ...
Taking a closer look at the raw iptables content, I noticed that nearly all of my forwardings-rules were also added to the inputfw-chain. I tracked this behaviour down to the following lines in /usr/lib/firewall/rules.pl
503 # Handle forwarding rules and add corresponding rules for firewall access.
504 if ($chain eq $CHAIN_FORWARD) {
505 # If the firewall is part of the destination subnet and access to the destination network
506 # is granted/forbidden for any network that the firewall itself is part of, we grant/forbid access
507 # for the firewall, too.
508 if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
509 if ($LOG && !$NAT) {
510 run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
511 }
512 run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options -j $target");
513 }
514
515 # Likewise.
516 if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) {
517 if ($LOG && !$NAT) {
518 run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
519 }
520 run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options -j $target");
521 }
522 }
What is the goal of doing this? I was not aware of this and it's certainly nothing I expected to happen. I didn't read anything about it in the wiki either. I usually set up different rules for input and forwarding.
After figuring this out, I found some policies completely opening input for green and blue in /usr/sbin/firewall-policy
72 # Allow access from GREEN
73 if [ -n "${GREEN_DEV}" ]; then
74 iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
75 fi
76
77 # Allow access from BLUE
78 if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
79 iptables -A POLICYIN -i "${BLUE_DEV}" -j ACCEPT
80 fi
I want to be able to configure this the way I want to too. blue is my guest network. It should not have access to anything but dhcp, dns, ntp etc. on my firewall!
Is this an issue of me misunderstanding the way the firewall is supposed to work or something that should be patched asap? I would like to understand the reason for this being done this way ... thank you!
Regards, Alex
next reply other threads:[~2019-09-08 0:09 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-08 0:09 Alexander Koch [this message]
2019-09-09 14:56 ` Michael Tremer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=93f6410e-ef84-5e16-05df-7e9ad09c2719@starkstromkonsument.de \
--to=ipfire@starkstromkonsument.de \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox