firewall rules.pl - rules of forwardfw are also beeing added to inputfw / outputfw and green/blue are allays accepted on INPUT ????

8 Sep 2019


      Hi,
I was wondering why some hosts of my internal nets had access to some ports on my IPFire-Machine that I didn't open for them and I didn't want them to either ...
Taking a closer look at the raw iptables content, I noticed that nearly all of my forwardings-rules were also added to the inputfw-chain. I tracked this behaviour down to the following lines in /usr/lib/firewall/rules.pl
503                                         # Handle forwarding rules and add corresponding rules for firewall access.
504                                         if ($chain eq $CHAIN_FORWARD) {
505                                                 # If the firewall is part of the destination subnet and access to the destination network
506                                                 # is granted/forbidden for any network that the firewall itself is part of, we grant/forbid access
507                                                 # for the firewall, too.
508                                                 if ($firewall_is_in_destination_subnet && ($target ~~ @special_input_targets)) {
509                                                         if ($LOG && !$NAT) {
510                                                                 run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_INPUT '");
511                                                         }
512                                                         run("$IPTABLES -A $CHAIN_INPUT @options @source_intf_options -j $target");
513                                                 }
514
515                                                 # Likewise.
516                                                 if ($firewall_is_in_source_subnet && ($target ~~ @special_output_targets)) {
517                                                         if ($LOG && !$NAT) {
518                                                                 run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options @log_limit_options -j LOG --log-prefix '$CHAIN_OUTPUT '");
519                                                         }
520                                                         run("$IPTABLES -A $CHAIN_OUTPUT @options @destination_intf_options -j $target");
521                                                 }
522                                         }
What is the goal of doing this? I was not aware of this and it's certainly nothing I expected to happen. I didn't read anything about it in the wiki either. I usually set up different rules for input and forwarding.
After figuring this out, I found some policies completely opening input for green and blue in /usr/sbin/firewall-policy
72 # Allow access from GREEN
  73 if [ -n "${GREEN_DEV}" ]; then
  74         iptables -A POLICYIN -i "${GREEN_DEV}" -j ACCEPT
  75 fi
  76
  77 # Allow access from BLUE
  78 if [ "${HAVE_BLUE}" = "true" ] && [ -n "${BLUE_DEV}" ]; then
  79         iptables -A POLICYIN -i "${BLUE_DEV}" -j ACCEPT
  80 fi
I want to be able to configure this the way I want to too. blue is my guest network. It should not have access to anything but dhcp, dns, ntp etc. on my firewall!
Is this an issue of me misunderstanding the way the firewall is supposed to work or something that should be patched asap? I would like to understand the reason for this being done this way ... thank you!
Regards, Alex

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

firewall rules.pl - rules of forwardfw are also beeing added to inputfw / outputfw and green/blue are allays accepted on INPUT ????