Hello Michael,
sorry for the late reply.
I will send you the output of "iptables -L -n -v" directly.
So far, I am able to reproduce this issue on two machines (both with default policy set to DROP). In both cases, adding a rule with source = ORANGE, destination = RED and action = DROP to the end of the firewall ruleset in the WebUI solved the problem.
So far, it seems like ORANGE is affected by this only.
Thanks, and best regards, Peter Müller
Hey,
Could you dump the generated iptables ruleset?
I do not see anything that could potentially be a problem here that is causing your behaviour:
https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=config/firewall/firewall-p...
-Michael
On 15 Dec 2018, at 16:36, Peter Müller peter.mueller@link38.eu wrote:
Hello list,
I recently stumbled across a strange behaviour of IPFire 2.x, which seems to be quite critical in my eyes, but I am not sure whether it is intentional or not.
Default settings of IPFire allow traffic from internal networks (GREEN, BLUE, ORANGE) to the internet (RED), as documented here: https://wiki.ipfire.org/configuration/firewall/default-policy
For several reasons, no direct internet access is desired on most firewall installations I administer, so setting the "default firewall behaviour" to DROP for both FORWARD and OUTGOING usually is one of the first steps after installation.
Speaking about GREEN and BLUE, this seems to work: No direct connection is possible unless it has been explicitly allowed.
It turns out this setting does not apply to traffic from ORANGE: Even if the default is set to DROP and no firewall rules allowing anything are in place, a server located in the DMZ is able to reach the full internet - every port on every IP in every country.
This is not my expectation of "default policy" = DROP after all!
Could somebody of the core developers urgently have a look at this, please?
Thanks, and best regards, Peter Müller
--
Microsoft DNS service terminates abnormally when it receives a response to a DNS query that was never made. Fix Information: Run your DNS service on a different platform. -- bugtraq
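One way to audit the ruleset dump Michael asks for, as an added example that is not IPFire's own code: it replays the FORWARD chain of an `iptables -L -n -v` dump with first-match semantics for a new connection and reports which rule, or the chain policy, decides a ORANGE -> RED flow, and shows why appending the explicit ORANGE -> RED DROP rule changes the verdict. The dump is constructed; the interface names (green0, blue0, orange0, red0), the zone subnets and the layout (chain policy ACCEPT with per-zone DROP rules) are assumptions, not IPFire's actual generated ruleset.

```python
"""Added example (not IPFire's code): replay an `iptables -L -n -v` FORWARD
dump to see which rule, or the chain policy, decides a new ORANGE -> RED flow."""
import ipaddress
import re

# Constructed dump. Interface names and zone subnets are assumptions; the
# layout mirrors `iptables -L -n -v` with chain policy ACCEPT and the
# "default DROP" realised by explicit per-zone DROP rules (no ORANGE rule).
BEFORE = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  120  9000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
   10   600 DROP       all  --  green0 red0    192.168.1.0/24       0.0.0.0/0
    3   180 DROP       all  --  blue0  red0    192.168.2.0/24       0.0.0.0/0
"""
# The WebUI rule from the report (source ORANGE, destination RED, action DROP),
# appended to the end of the ruleset.
FIX = "    0     0 DROP       all  --  orange0 red0   192.168.3.0/24       0.0.0.0/0\n"

def parse_chain(dump, chain="FORWARD"):
    """Return (policy, rules) for one chain of an `iptables -L -n -v` dump."""
    policy, rules, inside = None, [], False
    for line in dump.splitlines():
        head = re.match(r"Chain (\S+) \(policy (\S+)", line)
        if head:
            inside = head.group(1) == chain
            if inside:
                policy = head.group(2)
            continue
        if not inside or not line.strip() or line.split()[0] == "pkts":
            continue
        f = line.split()  # pkts bytes target prot opt in out source destination [extra]
        rules.append({"target": f[2], "in": f[5], "out": f[6],
                      "src": ipaddress.ip_network(f[7]),
                      "dst": ipaddress.ip_network(f[8]),
                      "extra": " ".join(f[9:])})
    return policy, rules

def verdict(dump, src_ip, in_if, out_if):
    """First-match walk for a NEW connection; returns (target, rule index)
    or (chain policy, None) when no rule matched."""
    policy, rules = parse_chain(dump)
    ip = ipaddress.ip_address(src_ip)
    for idx, r in enumerate(rules):
        if r["in"] not in ("*", in_if) or r["out"] not in ("*", out_if):
            continue
        if ip not in r["src"] or "ctstate" in r["extra"]:  # state rules never match a new flow
            continue
        return r["target"], idx
    return policy, None  # nothing matched: the chain policy decides

if __name__ == "__main__":
    for zone, ip, dev in [("GREEN", "192.168.1.10", "green0"), ("ORANGE", "192.168.3.10", "orange0")]:
        print(zone, "-> RED before fix:", verdict(BEFORE, ip, dev, "red0"))
    print("ORANGE -> RED after fix:", verdict(BEFORE + FIX, "192.168.3.10", "orange0", "red0"))
```

Running it on a real dump (`iptables -L -n -v > dump.txt`) requires only swapping the constructed text for the file contents and the interface names for the ones on the box.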