ClearOS Bug Tracker


View Issue Details
ID: 0022711
Project: ClearOS
Category: app-firewall - Firewall
View Status: public
Date Submitted: 2019-01-09 08:10
Last Update: 2019-02-23 12:43
Reporter: NickH
Assigned To: dloper
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: suspended
Product Version: 7.6.0 Updates
Target Version: 7.6.0 Updates
Summary: 0022711: Firewall rules are wrong if more than one NIC is HotLAN
Description:
If you have two or more HotLANs, the FORWARD firewall rules are wrong:
enp0s3 = WAN
enp0s8 = LAN
enp0s9 = HotLAN
enp0s10 = HotLAN
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- enp0s10 enp0s8 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s10 enp0s8 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s8 enp0s10 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 enp0s8 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s9 enp0s8 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s8 enp0s9 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 DROP all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 * 0.0.0.0/0 0.0.0.0/0

In this case enp0s9 can access enp0s10, which it should not be able to do. These rules can be simplified to make it easier to apply to multiple HotLANs. All that is needed is multiple rules like:
iptables -I FORWARD -i hotlan_if_x -o other_LAN_if -m state --state NEW -j DROP
You would need to loop through the above rule for each in-interface hotlan_if_x, setting rules for every other out-interface LAN/HotLAN/DMZ interface.

You don't need the "state RELATED,ESTABLISHED" rules as they are covered by the standard rule further down the chain:
    0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

You don't need the ALLOW rules from LAN to any HotLAN as these are allowed further down the chain:
    0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0

The rules for the HotLAN interfaces at the end will only allow traffic out to the internet, as the earlier DROP rules stop you accessing the other LANs.

Alternative solution:

Possibly even easier would be to not create any DROP rules. But for the default rules at the end, only create rules like:
    0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s10 * 0.0.0.0/0 0.0.0.0/0
    0 0 ACCEPT all -- enp0s9 * 0.0.0.0/0 0.0.0.0/0

for LAN interfaces.

For HotLAN interfaces create rules like:
iptables -A FORWARD -i hotlan_if_x -o WAN_if_x -j ACCEPT

For each HotLAN interface you'd need to loop over all external interfaces. DROP rules would not then be needed as the default chain action is to DROP all unmatched packets.
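The following first-match simulation of the FORWARD chain is an added illustration for this report, not ClearOS firewall code. It parses the listing quoted above, shows that a NEW flow from enp0s9 to enp0s10 is accepted (the sixth rule, ACCEPT enp0s9 enp0s10, matches before any DROP), and then builds both rule sets proposed in the description, the per-pair DROP loop and the no-DROP alternative, to check that each isolates every HotLAN from the LAN and from the other HotLAN while still allowing HotLAN to WAN. The interface roles are the ones stated in the report; the Rule class, evaluate, parse_listing and the two chain builders are this example's own constructs.

```python
"""First-match simulation of a netfilter FORWARD chain.

Added illustration for this report (not ClearOS firewall code). The quoted
listing, the interface names and the WAN/LAN/HotLAN roles come from the
report; everything else here is an assumption of this example.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    target: str                      # ACCEPT or DROP
    in_if: str                       # '*' = any, trailing '+' = prefix match (iptables -i semantics)
    out_if: str
    new_only: bool = False           # -m state --state NEW
    established_only: bool = False   # -m state --state RELATED,ESTABLISHED

    def as_iptables(self):
        """Render as the iptables command a firewall script would run (appended in chain order)."""
        cmd = ["iptables", "-A", "FORWARD"]
        if self.in_if != "*":
            cmd += ["-i", self.in_if]
        if self.out_if != "*":
            cmd += ["-o", self.out_if]
        if self.new_only:
            cmd += ["-m", "state", "--state", "NEW"]
        if self.established_only:
            cmd += ["-m", "state", "--state", "RELATED,ESTABLISHED"]
        return " ".join(cmd + ["-j", self.target])


def if_match(pattern, name):
    if pattern == "*":
        return True
    if pattern.endswith("+"):
        return name.startswith(pattern[:-1])
    return pattern == name


def evaluate(chain, in_if, out_if, state, policy="DROP"):
    """Verdict of the first matching rule, else the chain policy (DROP in the report)."""
    for r in chain:
        if not (if_match(r.in_if, in_if) and if_match(r.out_if, out_if)):
            continue
        if r.new_only and state != "NEW":
            continue
        if r.established_only and state not in ("RELATED", "ESTABLISHED"):
            continue
        return r.target
    return policy


def parse_listing(text):
    """Parse 'iptables -L FORWARD -v -n' lines: pkts bytes target prot opt in out src dst [match]."""
    chain = []
    for line in text.strip().splitlines():
        p = line.split()
        tail = " ".join(p[9:])
        chain.append(Rule(p[2], p[5], p[6], new_only=tail.endswith("state NEW"),
                          established_only="RELATED,ESTABLISHED" in tail))
    return chain


# The FORWARD chain exactly as quoted in the report (policy DROP).
REPORTED = parse_listing("""
0 0 ACCEPT all -- enp0s10 enp0s8 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- enp0s10 enp0s8 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- enp0s8 enp0s10 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- enp0s9 enp0s8 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- enp0s9 enp0s8 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- enp0s8 enp0s9 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- enp0s9 enp0s10 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- enp0s10 enp0s9 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- pptp+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- enp0s8 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- enp0s10 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- enp0s9 * 0.0.0.0/0 0.0.0.0/0
""")

WAN, LANS, HOTLANS = "enp0s3", ["enp0s8"], ["enp0s9", "enp0s10"]   # roles as stated in the report


def new_flow_matrix(chain, wan=WAN, lans=LANS, hotlans=HOTLANS):
    """Verdict for a NEW flow between every ordered pair of interfaces."""
    ifaces = [wan] + lans + hotlans
    return {(i, o): evaluate(chain, i, o, "NEW") for i, o in product(ifaces, repeat=2) if i != o}


def leaks(chain, hotlans=HOTLANS, lans=LANS):
    """HotLAN -> (other HotLAN or LAN) pairs that a NEW flow would pass; should be empty."""
    m = new_flow_matrix(chain)
    return sorted((i, o) for (i, o), v in m.items()
                  if i in hotlans and o in hotlans + lans and v == "ACCEPT")


def simplified_chain(lans, hotlans):
    """First proposal: one DROP for NEW flows from each HotLAN to every other internal interface,
    then the generic RELATED,ESTABLISHED accept and one 'in -> anywhere' accept per interface."""
    internal = lans + hotlans
    chain = [Rule("DROP", h, o, new_only=True) for h in hotlans for o in internal if o != h]
    chain.append(Rule("ACCEPT", "*", "*", established_only=True))
    return chain + [Rule("ACCEPT", i, "*") for i in internal]


def alternative_chain(wans, lans, hotlans):
    """Second proposal: no DROP rules; LAN may go anywhere, HotLAN only to WAN,
    and everything else falls through to the chain's DROP policy."""
    chain = [Rule("ACCEPT", "*", "*", established_only=True)]
    chain += [Rule("ACCEPT", lan, "*") for lan in lans]
    return chain + [Rule("ACCEPT", h, w) for h in hotlans for w in wans]


if __name__ == "__main__":
    print("reported chain leaks:", leaks(REPORTED))
    for rule in simplified_chain(LANS, HOTLANS):
        print(rule.as_iptables())
```

Running the module prints the single leaking pair, (enp0s9, enp0s10), for the reported chain and the iptables commands for the simplified rule set. Both proposals come out with no leaks, and the simulation also shows the asymmetry in the original listing: enp0s10 to enp0s9 is dropped while the reverse direction is accepted, which is the bug the report describes.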
Tags: No tags attached.
Attached Files:

- Relationships

- Notes
(0009151)
dloper (administrator)
2019-02-23 12:43

Migrated to: https://gitlab.com/clearos/clearfoundation/app-firewall/issues/2

- Issue History
Date Modified Username Field Change
2019-01-09 08:10 NickH New Issue
2019-01-09 09:11 NickH Description Updated
2019-02-16 08:00 NickH Description Updated
2019-02-23 12:43 dloper Note Added: 0009151
2019-02-23 12:43 dloper Status new => closed
2019-02-23 12:43 dloper Assigned To => dloper
2019-02-23 12:43 dloper Resolution open => suspended