Hi all, as far as I can see in your pictures, your GREEN network is 192.168.60.xx. You are defining a hostgroup as SOURCE which has devices from the network 192.168.10.xx. These are not GREEN, and so the firewall assumes it is an INPUT rule.
Correct me if I am wrong.
Alex
On 22.01.19 at 23:51, Julien Blais wrote:
Hello,
In this new year, apart from wishing you all the best, I would also like to share with you the anomalies I was able to raise in IPFire on the generation of firewall rules using the HMI.
I noticed 3 major problems in the management of firewall rules.
In the page https://ipfire:444/cgi-bin/firewall.cgi, it is worth noting 3 tables, namely Firewall Rules, Incoming Firewall Access and Outgoing Firewall Access.
The first two duplications concern the rules established in the 1st table, Firewall Rules.
1st problem:
By defining a FORWARD rule whose destination is the standard network red0 (everything but green0/orange0/blue0/etc...), a rule is created in FORWARDFW.
image.png
However, I also noticed that these same rules were reported in INPUTFW.
image.png
INPUTFW rules with the -o red0 flag; it feels weird, doesn't it?
2nd problem:
It is much more delicate because it concerns DNAT.
For the creation of such a rule, here is the example below.
image.png
Including the 4 redirection rules:
image.png
As we can see, they are correctly created in NAT_DESTINATION:
image.png
However, it is not expected to be duplicated in OUTGOINGFW as well.
image.png
In fact, the creation of these rules is useless, even dangerous. Hopefully things are going well at home and the potential threat remains my person (LOL).
The last case is a little more twisted; it concerns SNAT, for which here is the example below.
image.png
As I was refused a nice creation:
image.png
I modified the /var/ipfire/firewall/input file directly.
Here is the result:
image.png
Using such a rule allows me to follow the path represented by the diagram below and solve the problem of double NAT:
image.png
The rules are correctly created in table NAT_SOURCE.
image.png
However, there is also a rule creation in the INPUTFW table, which I think is unnecessary.
image.png
Awaiting your thoughts, I hope I have provided all the information you need to understand the 3 cases above.
With kind regards.
Jbsky
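An audit script for the three symptoms the message above describes (FORWARD rules mirrored into INPUTFW with an -o red0 flag, and DNAT targets reappearing in OUTGOINGFW), written as an added example for this thread and not taken from IPFire's own code. It parses iptables-save output; the chain names are the ones the message cites, while the rule lines and addresses in SAMPLE_DUMP are constructed for the example.

```python
"""Audit an iptables-save dump for the chain duplication described in the thread."""
import shlex

# Constructed sample dump (made up for this example, not taken from the screenshots):
# a FORWARD rule to red0 mirrored into INPUTFW, and a DNAT target echoed in OUTGOINGFW.
SAMPLE_DUMP = """\
*filter
-A FORWARDFW -s 192.168.60.0/24 -o red0 -p tcp --dport 443 -j ACCEPT
-A INPUTFW -s 192.168.60.0/24 -o red0 -p tcp --dport 443 -j ACCEPT
-A OUTGOINGFW -s 192.168.60.10/32 -d 10.0.0.5/32 -p tcp --dport 8080 -j ACCEPT
COMMIT
*nat
-A NAT_DESTINATION -i red0 -p tcp --dport 8080 -j DNAT --to-destination 10.0.0.5:8080
COMMIT
"""

def parse_rules(dump):
    """Return a list of (table, chain, options) for every -A line in the dump."""
    rules, table = [], None
    for line in dump.splitlines():
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith("-A "):
            tokens = shlex.split(line)[1:]  # drop the leading "-A"
            chain, opts, i = tokens[0], {}, 1
            while i < len(tokens):
                # a flag followed by a non-flag token takes that token as its value
                if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                    opts[tokens[i]] = tokens[i + 1]
                    i += 2
                else:
                    opts[tokens[i]] = True
                    i += 1
            rules.append((table, chain, opts))
    return rules

def find_anomalies(dump):
    """Flag the three symptoms from the thread; returns a list of (symptom, detail)."""
    rules = parse_rules(dump)
    forward = {frozenset(o.items()) for _, c, o in rules if c == "FORWARDFW"}
    dnat_hosts = {o["--to-destination"].split(":")[0] for _, c, o in rules
                  if c == "NAT_DESTINATION" and "--to-destination" in o}
    findings = []
    for _, chain, o in rules:
        if chain == "INPUTFW" and "-o" in o:  # an input rule never has an out-interface
            findings.append(("input_rule_with_out_iface", o["-o"]))
        if chain == "INPUTFW" and frozenset(o.items()) in forward:
            findings.append(("forward_rule_mirrored_in_input", o.get("--dport")))
        if chain == "OUTGOINGFW" and o.get("-d", "").split("/")[0] in dnat_hosts:
            findings.append(("dnat_target_mirrored_in_outgoing", o["-d"]))
    return findings
```

On a live box the same function can be fed the output of `iptables-save` instead of SAMPLE_DUMP.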