ClearFoundation Tracker - ClearOS | |||||
View Issue Details | |||||
ID | Project | Category | View Status | Date Submitted | Last Update |
0022711 | ClearOS | app-firewall - Firewall | public | 2019-01-09 08:10 | 2019-02-23 12:43 |
Reporter | NickH | ||||
Assigned To | dloper | ||||
Priority | normal | Severity | minor | Reproducibility | always |
Status | closed | Resolution | suspended | ||
Platform | OS | OS Version | |||
Product Version | 7.6.0 Updates | ||||
Target Version | 7.6.0 Updates | Fixed in Version | |||
Summary | 0022711: Firewall rules are wrong if more than one NIC is HotLAN | ||||
Description | If you have two or more HotLAN's the FORWARD firewall rules are wrong: enp0s3 = WAN enp0s8 = LAN enp0s9 = HotLAN enp0s10 = HotLAN Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- enp0s10 enp0s8 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 DROP all -- enp0s10 enp0s8 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s8 enp0s10 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 DROP all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s9 enp0s8 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 DROP all -- enp0s9 enp0s8 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s8 enp0s9 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 DROP all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s10 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s9 * 0.0.0.0/0 0.0.0.0/0 In this case enp0s9 can access enp0s10 which it should not be able to do. These rules can be simplified to make it easier to apply to multiple HotLAN's. All that is needed is for multiple rules like: iptables -I FORWARD -s hotlan_if_x -o other_LAN_if -m state --state NEW -j DROP You would need to loop through the above rule for each in-interface hotlan_if_x, setting rules for every other out-interface LAN/HotLAN/DMZ interface. You don't need the "state RELATED,ESTABLISHED" rules as they are covered by the standard rule further down the chain: 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED You dont't need the ALLOW rules from LAN to any HotLAN as these are allowed further down the chain: 0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0 The rules for the HotLAN interfaces at the end will only allow traffic out to the internet as the earlier DROP rules stop you accessing the other LAN's. Alternative solution: Possibly even easier would be to not create any DROP rules. But for the default rules at the end, only create rules like: 0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s10 * 0.0.0.0/0 0.0.0.0/0 0 0 ACCEPT all -- enp0s9 * 0.0.0.0/0 0.0.0.0/0 for LAN interfaces. For HotLAN interfaces create rules like: iptables -A FORWARD -i hotlan_if_x -o WAN_if_x -j ACCEPT For each HotLAN interface you'd need to loop over all external interfaces. DROP rules would not then be needed as the default chain action is to DROP all unmatched packets. | ||||
Steps To Reproduce | |||||
Additional Information | |||||
Tags | No tags attached. | ||||
Relationships | |||||
Attached Files | |||||
Issue History | |||||
Date Modified | Username | Field | Change | ||
2019-01-09 08:10 | NickH | New Issue | |||
2019-01-09 09:11 | NickH | Description Updated | bug_revision_view_page.php?rev_id=2481#r2481 | ||
2019-02-16 08:00 | NickH | Description Updated | bug_revision_view_page.php?rev_id=2551#r2551 | ||
2019-02-23 12:43 | dloper | Note Added: 0009151 | |||
2019-02-23 12:43 | dloper | Status | new => closed | ||
2019-02-23 12:43 | dloper | Assigned To | => dloper | ||
2019-02-23 12:43 | dloper | Resolution | open => suspended |
Notes | |||||
|
|||||
|
|