[Firewall] Configuration Issues

Lonnie Abelbeck lists at lonnie.abelbeck.com
Tue Sep 3 15:46:42 CEST 2013


Hi Chris,

Your two LAN_OPEN_xxx configs are causing your problem, short answer, remove them and you should be good to go.

With that, I suspect you can also remove TRUSTED_IF, but that was an earlier question related to your VM.

So why is this?  The LAN input default policy is set with: 
--
# Disable this (set to "") to automatically set default policy as above.
# When set to "1" the LAN->localhost default policy will always be DROP
# When set to "0" the LAN->localhost default policy will always be ACCEPT
# -----------------------------------------------------------------------------
LAN_DEFAULT_POLICY_DROP=""
--
By default, an unset LAN_DEFAULT_POLICY_DROP will examine whether any LAN_OPEN_xxx or LAN_HOST_OPEN_xxx are defined; if yes, then the default policy is DROP, otherwise the default is ACCEPT.

Additionally LAN_DEFAULT_POLICY_DROP can be set to 0 or 1 as described above. (AIF version 2.0.1d)  BTW, the configs LAN_INET_DEFAULT_POLICY_DROP and DMZ_INET_DEFAULT_POLICY_DROP affect forwarded packets in a similar way.

It turns out that setting the LAN input default policy to DROP (indirectly with LAN_OPEN_xxx) occurred before the TRUSTED_IF told iptables to ACCEPT, so the former won, and the packets you posted were dropped.

Lonnie

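The policy decision Lonnie describes, written out as a small POSIX sh check so the effect of LAN_OPEN_xxx / LAN_HOST_OPEN_xxx on the LAN->localhost default can be seen before a reload. This is an added example, not code from Arno's Iptables Firewall or from either poster; the variable names are AIF's, the function names are hypothetical, and the full set of xxx suffixes (TCP, UDP, IP, ICMP) is an assumption beyond the TCP/UDP settings quoted in the thread.

```shell
#!/bin/sh
# Added example: models AIF's LAN->localhost default-policy choice as described
# in the thread. Not part of AIF itself; function names are hypothetical.

# Print "DROP" or "ACCEPT" for the LAN input chain's default policy, reading the
# same variables firewall.conf would set.
lan_default_policy() {
    case "${LAN_DEFAULT_POLICY_DROP:-}" in
        1) echo DROP ;;
        0) echo ACCEPT ;;
        "")
            # Unset: DROP as soon as any LAN_OPEN_xxx or LAN_HOST_OPEN_xxx is
            # defined (suffix list TCP/UDP/IP/ICMP assumed), otherwise ACCEPT.
            if [ -n "${LAN_OPEN_TCP:-}${LAN_OPEN_UDP:-}${LAN_OPEN_IP:-}${LAN_OPEN_ICMP:-}${LAN_HOST_OPEN_TCP:-}${LAN_HOST_OPEN_UDP:-}${LAN_HOST_OPEN_IP:-}${LAN_HOST_OPEN_ICMP:-}" ]; then
                echo DROP
            else
                echo ACCEPT
            fi ;;
        *)
            echo "unexpected LAN_DEFAULT_POLICY_DROP='$LAN_DEFAULT_POLICY_DROP'" >&2
            return 1 ;;
    esac
}

# Source a firewall.conf-style file in a subshell and report the resulting
# policy, so nothing leaks into the caller's environment.
policy_for_conf() {
    ( . "$1" && lan_default_policy )
}

# Demo: the settings posted in the thread, then the same file with the two
# LAN_OPEN_xxx lines removed (Lonnie's suggested fix).
demo() {
    tmp=$(mktemp) || return 1
    cat >"$tmp" <<'EOF'
EXT_IF="eth0"
INT_IF="br1 br2"
TRUSTED_IF="br1"
LAN_OPEN_TCP="22"
LAN_OPEN_UDP="53"
EOF
    printf 'as posted (LAN_OPEN_xxx set):   LAN input default = %s\n' "$(policy_for_conf "$tmp")"
    grep -v '^LAN_OPEN_' "$tmp" >"$tmp.fixed"
    printf 'LAN_OPEN_xxx removed:           LAN input default = %s\n' "$(policy_for_conf "$tmp.fixed")"
    rm -f "$tmp" "$tmp.fixed"
}

demo
```

With the posted config the function reports DROP, which is why the SYN to port 5900 and the DHCP broadcast hit the LAN-INPUT deny rule even with br1 in TRUSTED_IF; with the two LAN_OPEN_xxx lines gone it reports ACCEPT. Setting LAN_DEFAULT_POLICY_DROP="0" explicitly gives ACCEPT regardless of the LAN_OPEN_xxx settings.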

On Sep 3, 2013, at 7:03 AM, Chris Vavruska wrote:

> When I first installed the script I could not get NAT/MASQ working. It looked like I had everything configured properly so I decided to start debugging the script. I put a few echos in the code to see if it was getting to the area that NAT was configured. It turned out that EXT_IF was not set but looking at the configuration it was set. I went to the start of the script just after the config was read in and printed out $EXT_IF and it was set there but if I put another printf just after the environment was read in it was null. I added another ". $CONFIG_FILE" after the env was read in and NAT was now configured and working.
> 
> Any Ideas? I have output of the script run with and without the change if anyone wants to see. Since it appears to be working I am ok with the change as long as security wise nothing has changed.
> 
> Onto my configuration issue.
> 
> I have 3 interfaces, 1 (eth0) connected to my provider which gets its IP via DHCP. 2 internal networks (br1 and br2 - 192.168.1.0/24 & 192.168.2.0/24). Currently br2 is not connected to anything. bind9 and DHCP are running on the firewall to service the internal network.
> 
> I added br1 to TRUSTED_IF which looks to me as if all traffic should be accepted to the firewall from anything on the br1 network.
> 
> Here are the items I have set in my firewall.conf
> > EXT_IF="eth0"
> > INT_IF="br1 br2"
> > INTERNAL_NET="192.168.1.0/24 192.168.2.0/24"
> > INT_NET_BCAST_ADDRESS="192.168.1.255 192.168.2.255"
> > NAT=1
> > TRUSTED_IF="br1"
> > LAN_OPEN_TCP="22"
> > LAN_OPEN_UDP="53"
> 
> When I try to connect to the vnc server running on the firewall I get the following in the log:
> 
> Sep  2 19:12:32 shaggy kernel: [32429.690498] AIF:LAN-INPUT denied: IN=br1 OUT= PHYSIN=eth1 MAC=d4:3d:7e:bf:74:fa:00:23:54:f8:ba:8f:08:00 SRC=192.168.1.3 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=26564 DF PROTO=TCP SPT=59643 DPT=5900 WINDOW=8192 RES=0x00 SYN URGP=0 
> Sep  2 19:12:35 shaggy kernel: [32432.679081] AIF:LAN-INPUT denied: IN=br1 OUT= PHYSIN=eth1 MAC=d4:3d:7e:bf:74:fa:00:23:54:f8:ba:8f:08:00 SRC=192.168.1.3 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=26574 DF PROTO=TCP SPT=59643 DPT=5900 WINDOW=8192 RES=0x00 SYN URGP=0
> 
> Shouldn't TRUSTED_IF allow this?
> 
> I am also seeing the following for a DHCP request.
> Sep  2 19:14:40 shaggy kernel: [32557.634624] AIF:LAN-INPUT denied: IN=br1 OUT= PHYSIN=eth1 MAC=ff:ff:ff:ff:ff:ff:00:19:1d:e5:83:d9:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=5143 PROTO=UDP SPT=68 DPT=67 LEN=308 
> 
> I really like the way the script allows for the easy addition of rules so I would like to try and figure this one out.
> 
> Any help is appreciated!
> 
> Thanks,
> 
> Chris

