Hello,
In
this new year, apart from wishing you all the best,
I would also like to share with you the anomalies I
was able to raise in Ipfire on the generation of
firewall rules using the HMI.
I noticed 3 major problems in the management of firewall rules.
In the page https://ipfire:444/cgi-bin/firewall.cgi, it is worth noting 3 tables, namely Firewall Rules, Incoming Firewall Access and Outgoing Firewall Access.
The first two deduplication concerns the rules established in the 1st table, Firewall Rules.
1e problem :
By defining a FORWARD rule whose destination is the standard network red0 (everything but green0/orange0/blue0/etc...), a rule is created in FORWARDFW.
However, I noticed that also that these same rules were reported in INPUTFW
INPUTFW rules with the -o red0 flag, it feels weird, doesn't it?
2nd problem :
It is much more delicate because it concerns DNAT.
For the creation of such a rule, here is the example below.
Including the 4 redirection rules :
As we can see, they are correctly created in NAT_DESTINATION :
However, it is not expected to be duplicated in OUTGOINGFW as well.
In fact, the
creation of these rules is
useless, even dangerous. Hopefully things are going
well at home and the
potential threat remains my person (LOL).
The last case is a little more twisted, it concerns the SNAT, of which here is the example below.
As I was refused a nice creation :
I modified directly in the /var/ipfire/firewall/input file.
Here is the result:
Using such a rule allows me to follow the path represented by the diagram below and solve the problem of double NAT:
The
rules are correctly created in table NAT_SOURCE.
However, there is also a rule creation in the INPUTFW table, which I think is unnecessary.
With kind regards.
Jbsky