[Firewall] Configuration Issues

Chris Vavruska vavruska at gmail.com
Tue Sep 3 15:59:55 CEST 2013


That did indeed fix the issue. The reason for the rule was I could not
get the firewall to allow DNS resolution, so I added 53 to
LAN_OPEN_TCP and it fixed the issue. I think I need to look further into why DNS
is not happening. I will take another look at it tonight when I can put the
firewall back inline. I think I mistakenly used this and should have used
HOST_OPEN_TCP and _UDP.

Thanks for the assistance!

Chris



On Tue, Sep 3, 2013 at 1:46 PM, Lonnie Abelbeck
<lists at lonnie.abelbeck.com> wrote:

> Hi Chris,
>
> Your two LAN_OPEN_xxx configs are causing your problem, short answer,
> remove them and you should be good to go.
>
> With that, I suspect you can also remove TRUSTED_IF, but that was an
> earlier question related to your VM.
>
> So why is this?  The LAN input default policy is set with:
> --
> # Disable this (set to "") to automatically set default policy as above.
> # When set to "1" the LAN->localhost default policy will always be DROP
> # When set to "0" the LAN->localhost default policy will always be ACCEPT
> #
> -----------------------------------------------------------------------------
> LAN_DEFAULT_POLICY_DROP=""
> --
> By default, an unset LAN_DEFAULT_POLICY_DROP will examine if any
> LAN_OPEN_xxx or LAN_HOST_OPEN_xxx are defined; if yes, then the default
> policy is DROP, otherwise the default is ACCEPT.
>
> Additionally LAN_DEFAULT_POLICY_DROP can be set to 0 or 1 as described
> above. (AIF version 2.0.1d)  BTW, the configs LAN_INET_DEFAULT_POLICY_DROP
> and DMZ_INET_DEFAULT_POLICY_DROP affect forwarded packets in a similar way.
>
> It turns out that setting the LAN input default policy to DROP (indirectly
> with LAN_OPEN_xxx) occurred before the TRUSTED_IF told iptables to ACCEPT,
> so the former won, and the packets you posted were dropped.
>
> Lonnie
>
>
> On Sep 3, 2013, at 7:03 AM, Chris Vavruska wrote:
>
> > When I first installed the script I could not get NAT/MASQ working. It
> looked like I had everything configured properly, so I decided to start
> debugging the script. I put a few echos in the code to see if it was getting
> to the area where NAT was configured. It turned out that EXT_IF was not set,
> but looking at the configuration it was set. I went to the start of the
> script just after the config was read in and printed out $EXT_IF and it was
> set there, but if I put another printf just after the environment was read
> in it was null. I added another ". $CONFIG_FILE" after the env was read in
> and NAT was now configured and working.
> >
> > Any ideas? I have output of the script run with and without the change
> if anyone wants to see. Since it appears to be working I am ok with the
> change as long as security-wise nothing has changed.
> >
> > Onto my configuration issue.
> >
> > I have 3 interfaces, 1 (eth0) connected to my provider which gets its
> IP via DHCP, and 2 internal networks (br1 and br2 - 192.168.1.0/24 &
> 192.168.2.0/24). Currently br2 is not connected to anything. bind9 and
> DHCP are running on the firewall to service the internal network.
> >
> > I added br1 to TRUSTED_IF, which looks to me as if all traffic should be
> accepted to the firewall from anything on the br1 network.
> >
> > Here are the items I have set in my firewall.conf:
> > > EXT_IF="eth0"
> > > INT_IF="br1 br2"
> > > INTERNAL_NET="192.168.1.0/24 192.168.2.0/24"
> > > INT_NET_BCAST_ADDRESS="192.168.1.255 192.168.2.255"
> > > NAT=1
> > > TRUSTED_IF="br1"
> > > LAN_OPEN_TCP="22"
> > > LAN_OPEN_UDP="53"
> >
> > When I try to connect to the vnc server running on the firewall I get
> the following in the log:
> >
> > Sep  2 19:12:32 shaggy kernel: [32429.690498] AIF:LAN-INPUT denied:
> IN=br1 OUT= PHYSIN=eth1 MAC=d4:3d:7e:bf:74:fa:00:23:54:f8:ba:8f:08:00
> SRC=192.168.1.3 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=26564
> DF PROTO=TCP SPT=59643 DPT=5900 WINDOW=8192 RES=0x00 SYN URGP=0
> > Sep  2 19:12:35 shaggy kernel: [32432.679081] AIF:LAN-INPUT denied:
> IN=br1 OUT= PHYSIN=eth1 MAC=d4:3d:7e:bf:74:fa:00:23:54:f8:ba:8f:08:00
> SRC=192.168.1.3 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=26574
> DF PROTO=TCP SPT=59643 DPT=5900 WINDOW=8192 RES=0x00 SYN URGP=0
> >
> > Shouldn't TRUSTED_IF allow this?
> >
> > I am also seeing the following for a DHCP request.
> > Sep  2 19:14:40 shaggy kernel: [32557.634624] AIF:LAN-INPUT denied:
> IN=br1 OUT= PHYSIN=eth1 MAC=ff:ff:ff:ff:ff:ff:00:19:1d:e5:83:d9:08:00
> SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=5143
> PROTO=UDP SPT=68 DPT=67 LEN=308
> >
> > I really like the way the script allows for the easy addition of rules
> so I would like to try and figure this one out.
> >
> > Any help is appreciated!
> >
> > Thanks,
> >
> > Chris
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
>
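The policy decision Lonnie describes (an empty LAN_DEFAULT_POLICY_DROP flips the LAN->localhost default to DROP as soon as any LAN_OPEN_xxx / LAN_HOST_OPEN_xxx is non-empty) is easy to get wrong by reading firewall.conf alone. The script below is an added example written for this archive page, not code from Arno's Iptables Firewall; it models that decision in POSIX shell, summarises the "AIF:LAN-INPUT denied:" kernel lines quoted in the thread, and reports which port list would have to contain the dropped destination port. It assumes only the TCP/UDP variables from the thread (LAN_OPEN_TCP/UDP, LAN_HOST_OPEN_TCP/UDP); the real script also counts its other LAN_OPEN_* variables the same way. The two log lines are the ones Chris posted, used here as sample input.

```shell
#!/bin/sh
# Added example, not part of Arno's Iptables Firewall (AIF) itself.
# Models the LAN->localhost default-policy decision described in the thread
# and summarises AIF "LAN-INPUT denied" kernel log lines.

# Decide the LAN->localhost INPUT default policy from firewall.conf variables
# (read from the environment, as the sourced config would set them):
#   LAN_DEFAULT_POLICY_DROP=1 -> DROP, =0 -> ACCEPT,
#   unset/"" -> DROP if any LAN_OPEN_*/LAN_HOST_OPEN_* is non-empty, else ACCEPT.
# Assumption: only the TCP/UDP variables are checked here; AIF also counts
# its other LAN_OPEN_*/LAN_HOST_OPEN_* variables the same way.
aif_lan_input_policy() {
  case "${LAN_DEFAULT_POLICY_DROP:-}" in
    1) echo DROP;   return 0 ;;
    0) echo ACCEPT; return 0 ;;
  esac
  if [ -n "${LAN_OPEN_TCP:-}${LAN_OPEN_UDP:-}${LAN_HOST_OPEN_TCP:-}${LAN_HOST_OPEN_UDP:-}" ]; then
    echo DROP
  else
    echo ACCEPT
  fi
}

# Summarise one AIF denial line as: <chain> <IN> <SRC> <DST> <PROTO> <DPT>
aif_log_summary() {
  chain=$(printf '%s\n' "$1" | sed -n 's/.*AIF:\([A-Z-]*\) denied:.*/\1/p')
  ifc=- src=- dst=- proto=- dpt=-
  set -f                       # no globbing while word-splitting the line
  for f in $1; do
    case "$f" in
      IN=*)    ifc=${f#IN=} ;;
      SRC=*)   src=${f#SRC=} ;;
      DST=*)   dst=${f#DST=} ;;
      PROTO=*) proto=${f#PROTO=} ;;
      DPT=*)   dpt=${f#DPT=} ;;
    esac
  done
  set +f
  printf '%s %s %s %s %s %s\n' "$chain" "$ifc" "$src" "$dst" "$proto" "$dpt"
}

# Is port $1 present in the space-separated port list $2 (e.g. LAN_OPEN_TCP)?
port_listed() {
  for p in $2; do [ "$p" = "$1" ] && return 0; done
  return 1
}

# Given a summary line, say whether the matching LAN_OPEN_* list already
# contains the destination port (relevant only when the default policy is DROP).
needed_open_var() {
  set -- $1                    # $5 = PROTO, $6 = DPT
  case "$5" in
    TCP) list=${LAN_OPEN_TCP:-}; var=LAN_OPEN_TCP ;;
    UDP) list=${LAN_OPEN_UDP:-}; var=LAN_OPEN_UDP ;;
    *)   echo "protocol $5: no TCP/UDP port list applies"; return 0 ;;
  esac
  if port_listed "$6" "$list"; then
    echo "$var already lists $6"
  else
    echo "$var (or LAN_HOST_OPEN_$5) does not list $6"
  fi
}

# Sample input: the two denial lines quoted in the thread (VNC and DHCP).
VNC_LINE='Sep  2 19:12:32 shaggy kernel: [32429.690498] AIF:LAN-INPUT denied: IN=br1 OUT= PHYSIN=eth1 MAC=d4:3d:7e:bf:74:fa:00:23:54:f8:ba:8f:08:00 SRC=192.168.1.3 DST=192.168.1.1 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=26564 DF PROTO=TCP SPT=59643 DPT=5900 WINDOW=8192 RES=0x00 SYN URGP=0'
DHCP_LINE='Sep  2 19:14:40 shaggy kernel: [32557.634624] AIF:LAN-INPUT denied: IN=br1 OUT= PHYSIN=eth1 MAC=ff:ff:ff:ff:ff:ff:00:19:1d:e5:83:d9:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=64 ID=5143 PROTO=UDP SPT=68 DPT=67 LEN=308'

# Chris's config from the thread: LAN_OPEN_* set, LAN_DEFAULT_POLICY_DROP empty.
LAN_DEFAULT_POLICY_DROP=""; LAN_OPEN_TCP="22"; LAN_OPEN_UDP="53"
echo "LAN input default policy: $(aif_lan_input_policy)"
for line in "$VNC_LINE" "$DHCP_LINE"; do
  s=$(aif_log_summary "$line")
  echo "$s -> $(needed_open_var "$s")"
done
# After removing the LAN_OPEN_* lines, as suggested in the reply:
LAN_OPEN_TCP=""; LAN_OPEN_UDP=""
echo "LAN input default policy: $(aif_lan_input_policy)"
```

Run it as-is to see the two dropped packets (VNC to 5900/tcp, DHCP to 67/udp) mapped to the port list that would have to open them, then the policy falling back to ACCEPT once both LAN_OPEN_* lines are empty. To try your own firewall.conf, source it before calling aif_lan_input_policy instead of assigning the variables inline.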