[Firewall] TRUSTED_IF not showing up

Chris Vavruska vavruska at gmail.com
Wed Nov 13 14:04:28 CET 2013


I just wanted to pop back in and say thanks!  This is working just like I
want it. I had tried the DMZ route before but missed the NAT_INTERNAL_NET
so the dmz traffic couldn't get out... well, it could get out, just no one
knew how to get back to it.
I still added the TRUSTED_IF=br1 since I want all hosts on BR to be able to
access any port on the firewall since I have other services running on it
(vms, mythtv, etc). I have run this way for 12 years or so on my old host
(PIII 800, redhat 8.1) using a less configurable firewall script with no
issues.
I can now shut off the kids without shutting myself off! :)

Again, Thanks for your help and patience.

Chris


On Wed, Nov 6, 2013 at 11:41 PM, Lonnie Abelbeck
<lists at lonnie.abelbeck.com> wrote:

> Chris,
>
> If you issue "iptables -nvL INPUT" you will see the "br1" in #11..
> --
> 0     0 ACCEPT     all  --  br1    *       0.0.0.0/0            0.0.0.0/0
> --
>
> But, let's take a step back, the TRUSTED_IF="" should only be used for
> special situations as it is marked as (EXPERT SETTING!).
>
> While there is no one solution, you might try setting br2 as a DMZ
> interface... (no TRUSTED_IF)
>
> INT_IF="br1"
> INTERNAL_NET="192.168.1.0/24"
> DMZ_IF="br2"
> DMZ_NET="192.168.2.0/24"
> NAT_INTERNAL_NET="192.168.1.0/24 192.168.2.0/24"
> NAT=1
>
> # Allow DNS and DHCP to Local on DMZ
> DMZ_HOST_OPEN_UDP="0/0~53,67"
>
> # Allow br2 to LAN for select host/ports, eg. IPP Printer
> DMZ_LAN_HOST_OPEN_TCP="0/0>192.168.1.20~631"
>
> # Note all of br2 is reachable by br1 by default in this scenario, br1 is
> not reachable by br2
>
> # both br1 and br2 may reach the external network (internet)
>
> Lonnie
>
>
> On Nov 6, 2013, at 6:51 PM, Chris Vavruska wrote:
>
> > Since I didn't get any reply for my last issue I thought I would pose a
> > more pointed question:
> >
> > I have a config line that looks like:
> >
> > TRUSTED_IF="br1"
> >
> > I see in the script it executes
> > iptables -A INPUT -i $interface -j ACCEPT
> >
> > which gives me output:
> > Accepting ALL INPUT packets from trusted interface(s): br1
> >
> > Why don't I see a rule in the INPUT chain for br1?
> >
> > Chain INPUT (policy DROP)
> > num  target     prot opt source               destination
> > 1    BASE_INPUT_CHAIN  all  --  0.0.0.0/0            0.0.0.0/0
> > 2    INPUT_CHAIN  all  --  0.0.0.0/0            0.0.0.0/0
> > 3    HOST_BLOCK_SRC  all  --  0.0.0.0/0            0.0.0.0/0
> > 4    SPOOF_CHK  all  --  0.0.0.0/0            0.0.0.0/0
> > 5    VALID_CHK  all  --  0.0.0.0/0            0.0.0.0/0
> > 6    EXT_INPUT_CHAIN !icmp --  0.0.0.0/0            0.0.0.0/0            state NEW
> > 7    EXT_INPUT_CHAIN  icmp --  0.0.0.0/0            0.0.0.0/0            state NEW limit: avg 60/sec burst 100
> > 8    EXT_ICMP_FLOOD_CHAIN  icmp --  0.0.0.0/0            0.0.0.0/0            state NEW
> > 9    INT_INPUT_CHAIN  all  --  0.0.0.0/0            0.0.0.0/0
> > 10   INT_INPUT_CHAIN  all  --  0.0.0.0/0            0.0.0.0/0
> > 11   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> > 12   POST_INPUT_CHAIN  all  --  0.0.0.0/0            0.0.0.0/0
> > 13   LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 6 prefix "AIF:Dropped INPUT packet: "
> > 14   DROP       all  --  0.0.0.0/0            0.0.0.0/0
> >
> > What would cause me to not see the rule in the table?
> >
> > Thanks,
> >
> > Chris
>
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
>
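An added audit check for the point Lonnie makes about `iptables -nvL`; it is not from the thread or from Arno's firewall script. Without `-v` the in/out interface columns are hidden, so the rule that TRUSTED_IF="br1" installs shows up as a bare "ACCEPT all from anywhere", which is easy to overlook when reviewing a ruleset. The script below parses a constructed `iptables -nvL INPUT` listing and reports every interface that gets a blanket ACCEPT on INPUT; the helper names `trusted_ifaces` and `has_blanket_accept` are my own.

```shell
#!/bin/sh
# Constructed sample of `iptables -nvL INPUT` output. With -v the columns are:
# pkts bytes target prot opt in out source destination [extra matches]
SAMPLE_INPUT='Chain INPUT (policy DROP 12 packets, 720 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  8000 BASE_INPUT_CHAIN  all  --  *      *       0.0.0.0/0            0.0.0.0/0
   50  4000 INT_INPUT_CHAIN  all  --  br1    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  br1    *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            192.168.1.1          tcp dpt:22
    3   200 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0'

# trusted_ifaces LISTING: print, one per line, each input interface that has
# an ACCEPT rule for all protocols, any source, any destination and no further
# match. That is exactly what "Accepting ALL INPUT packets from trusted
# interface(s)" installs, and it is invisible in a plain `iptables -nL`.
trusted_ifaces() {
    printf '%s\n' "$1" | awk '
        # skip the chain header and the column header
        /^Chain / || /^ *pkts +bytes/ { next }
        # $3=target $4=prot $6=in $8=source $9=destination; NF==9 means no extra match
        $3 == "ACCEPT" && $4 == "all" && $6 != "*" &&
        $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" && NF == 9 { print $6 }
    '
}

# has_blanket_accept IFACE LISTING: exit 0 if IFACE is fully trusted on INPUT
has_blanket_accept() {
    trusted_ifaces "$2" | grep -qx -- "$1"
}

# On a live host this would be: trusted_ifaces "$(iptables -nvL INPUT)"
trusted_ifaces "$SAMPLE_INPUT"
```

Running it against the sample prints only `br1`; the eth0 rule is port-specific and is correctly not reported.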