ClearFoundation Tracker - ClearOS
View Issue Details
ID: 0022711
Project: ClearOS
Category: app-firewall - Firewall
View Status: public
Date Submitted: 2019-01-09 08:10
Last Update: 2019-02-23 12:43
Reporter: NickH
Assigned To: dloper
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: suspended
Product Version: 7.6.0 Updates
Target Version: 7.6.0 Updates
0022711: Firewall rules are wrong if more than one NIC is HotLAN
If you have two or more HotLANs, the FORWARD firewall rules are wrong:
enp0s3 = WAN
enp0s8 = LAN
enp0s9 = HotLAN
enp0s10 = HotLAN
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- enp0s10 enp0s8 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s10 enp0s8 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s8 enp0s10 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 enp0s8 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s9 enp0s8 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s8 enp0s9 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 * 0.0.0.0/0 0.0.0.0/0

In this case enp0s9 can access enp0s10, which it should not be able to do. These rules can be simplified to make them easier to apply to multiple HotLANs. All that is needed is multiple rules like:
iptables -I FORWARD -i hotlan_if_x -o other_LAN_if -m state --state NEW -j DROP
You would need to loop through the above rule for each in-interface hotlan_if_x, setting rules for every other out-interface LAN/HotLAN/DMZ interface.

You don't need the "state RELATED,ESTABLISHED" rules as they are covered by the standard rule further down the chain:
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

You don't need the ALLOW rules from LAN to any HotLAN as these are allowed further down the chain:
    0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0

The rules for the HotLAN interfaces at the end will only allow traffic out to the internet, as the earlier DROP rules stop you accessing the other LANs.

Alternative solution:

Possibly even easier would be to not create any DROP rules. But for the default rules at the end, only create rules like:
    0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 * 0.0.0.0/0 0.0.0.0/0

for LAN interfaces.

For HotLAN interfaces create rules like:
iptables -A FORWARD -i hotlan_if_x -o WAN_if_x -j ACCEPT

For each HotLAN interface you'd need to loop over all external interfaces. DROP rules would not then be needed as the default chain action is to DROP all unmatched packets.
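The two rule layouts described in this report (the per-HotLAN NEW-state DROP loop, and the alternative of only ACCEPTing HotLAN-to-WAN with no DROP rules) as an added example. This is illustration code, not ClearOS app-firewall code: it prints iptables command lines instead of applying them, so the generated rule set can be reviewed offline, and the interface names (enp0s3 as WAN, enp0s8 as LAN, enp0s9 and enp0s10 as HotLANs) are constructed to match the layout in the report.

```shell
#!/bin/sh
# Added example, not ClearOS app-firewall code. Generates FORWARD rules for
# any number of HotLAN interfaces as iptables command lines (printed, never
# applied), so the rule set can be reviewed before it touches a live firewall.
# Interface names are constructed to match the report's layout.
WAN_IFS="enp0s3"
LAN_IFS="enp0s8"
HOTLAN_IFS="enp0s9 enp0s10"

# "Alternative solution" from the report: no DROP rules at all. The chain
# policy is DROP, so anything not explicitly accepted (HotLAN -> LAN,
# HotLAN -> other HotLAN) is dropped by default.
gen_forward_rules() {
    wan="$1"; lan="$2"; hot="$3"
    # One stateful rule covers return traffic for every accepted flow.
    echo "iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT"
    # Trusted LAN interfaces may forward anywhere, HotLANs included.
    for l in $lan; do
        echo "iptables -A FORWARD -i $l -j ACCEPT"
    done
    # Each HotLAN may forward only to WAN interfaces.
    for h in $hot; do
        for w in $wan; do
            echo "iptables -A FORWARD -i $h -o $w -j ACCEPT"
        done
    done
}

# First approach from the report: explicit NEW-state DROPs from each HotLAN
# to every other internal interface, inserted ahead of the blanket
# per-interface ACCEPTs that sit at the end of the chain.
gen_hotlan_drops() {
    lan="$1"; hot="$2"
    for h in $hot; do
        for o in $lan $hot; do
            if [ "$o" != "$h" ]; then
                echo "iptables -I FORWARD -i $h -o $o -m state --state NEW -j DROP"
            fi
        done
    done
}

# Check helper for the no-DROP rule set: succeeds if a NEW connection
# entering on $1 and leaving on $2 would hit an ACCEPT (a rule with only
# an in-interface accepts any out-interface). The stateful rule is skipped
# because it never matches a NEW connection.
allows_new() {
    gen_forward_rules "$WAN_IFS" "$LAN_IFS" "$HOTLAN_IFS" |
        grep -v -- '--state' |
        grep -q -E -- "-i $1( -o $2)? -j ACCEPT\$"
}

# Stand-alone run: print the no-DROP rule set for review.
gen_forward_rules "$WAN_IFS" "$LAN_IFS" "$HOTLAN_IFS"
```

With the sample layout, gen_forward_rules emits four lines: the stateful rule, one blanket ACCEPT for enp0s8, and one HotLAN-to-WAN ACCEPT each for enp0s9 and enp0s10. allows_new confirms that enp0s9 can reach enp0s3 and enp0s8 can reach enp0s10, but that enp0s9 has no ACCEPT toward enp0s10 or enp0s8, which is the isolation the report asks for.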
No tags attached.
Issue History
2019-01-09 08:10  NickH   New Issue
2019-01-09 09:11  NickH   Description Updated
2019-02-16 08:00  NickH   Description Updated
2019-02-23 12:43  dloper  Note Added: 0009151
2019-02-23 12:43  dloper  Status: new => closed
2019-02-23 12:43  dloper  Assigned To: => dloper
2019-02-23 12:43  dloper  Resolution: open => suspended

Notes
(0009151)
dloper
2019-02-23 12:43
Migrated to: https://gitlab.com/clearos/clearfoundation/app-firewall/issues/2