0022711: Firewall rules are wrong if more than one NIC is HotLAN

ClearFoundation Tracker - ClearOS
View Issue Details

ID	Project	Category	View Status	Date Submitted	Last Update
0022711	ClearOS	app-firewall - Firewall	public	2019-01-09 08:10	2019-02-23 12:43

Reporter	NickH
Assigned To	dloper
Priority	normal	Severity	minor	Reproducibility	always
Status	closed	Resolution	suspended
Platform		OS		OS Version
Product Version	7.6.0 Updates
Target Version	7.6.0 Updates	Fixed in Version

Summary	0022711: Firewall rules are wrong if more than one NIC is HotLAN
Description	If you have two or more HotLAN's the FORWARD firewall rules are wrong: enp0s3 = WAN enp0s8 = LAN enp0s9 = HotLAN enp0s10 = HotLAN Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- enp0s10 enp0s8 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 DROP all -- enp0s10 enp0s8 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s8 enp0s10 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 DROP all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s9 enp0s8 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 DROP all -- enp0s9 enp0s8 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s8 enp0s9 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 DROP all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s10 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s9 * 0.0.0.0/0 0.0.0.0/0 In this case enp0s9 can access enp0s10 which it should not be able to do. These rules can be simplified to make it easier to apply to multiple HotLAN's. All that is needed is for multiple rules like: iptables -I FORWARD -s hotlan_if_x -o other_LAN_if -m state --state NEW -j DROP You would need to loop through the above rule for each in-interface hotlan_if_x, setting rules for every other out-interface LAN/HotLAN/DMZ interface. You don't need the "state RELATED,ESTABLISHED" rules as they are covered by the standard rule further down the chain: 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED You dont't need the ALLOW rules from LAN to any HotLAN as these are allowed further down the chain: 0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0 The rules for the HotLAN interfaces at the end will only allow traffic out to the internet as the earlier DROP rules stop you accessing the other LAN's. Alternative solution: Possibly even easier would be to not create any DROP rules. But for the default rules at the end, only create rules like: 0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s10 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s9 * 0.0.0.0/0 0.0.0.0/0 for LAN interfaces. For HotLAN interfaces create rules like: iptables -A FORWARD -i hotlan_if_x -o WAN_if_x -j ACCEPT For each HotLAN interface you'd need to loop over all external interfaces. DROP rules would not then be needed as the default chain action is to DROP all unmatched packets.
Steps To Reproduce
Additional Information
Tags	No tags attached.
Relationships
Attached Files

Issue History
Date Modified	Username	Field	Change
2019-01-09 08:10	NickH	New Issue
2019-01-09 09:11	NickH	Description Updated	bug_revision_view_page.php?rev_id=2481#r2481
2019-02-16 08:00	NickH	Description Updated	bug_revision_view_page.php?rev_id=2551#r2551
2019-02-23 12:43	dloper	Note Added: 0009151
2019-02-23 12:43	dloper	Status	new => closed
2019-02-23 12:43	dloper	Assigned To	=> dloper
2019-02-23 12:43	dloper	Resolution	open => suspended

Notes