Does this https://wiki.ipfire.org/configuration/firewall/iptables
describe the packet flow with version 2.27-178, too?
Or are there differences to the actual behavior?
It's a bit outdated. At least UPNPFW and P2PBLOCK are removed.
Also this is only the flow for new connections. Packets for already established connections skip many of the chains (at CONNTRACK).
Some (two) new *.pngs might be great for the wiki. Are there some graphic-affine people here?
Somewhere near the beginning is the IP address block list.
From my understanding.
If @hjkl is not available, I can redraw the diagram.
I just need someone to mark up the existing diagram and I will make the needed changes.
As a first question I do not understand the first ‘routing decision’. The path ‘input’ ends in the column ‘Forward’. But ‘Forward’ ends in the ‘input’ column. Is this only a kind of typo?
I add my (very limited) understanding of the FW. Where are the locations I can modify via the AdminUI? Where are the .local files located?
The firewall.local would typically contain the chains in the original diagram starting with CUSTOM. That way those rules occur before the pre-defined ones in IPFire.
Of course you can also modify any of the other chains in the firewall.local file but as the wiki page warns, that should not be done because that could be very dangerous if the modified rules don’t work as intended and the system could be opened and exposed without knowing it.
From my limited understanding these would be the chains marked INPUTFW, OUTPUTFW and FORWARDFW. Probably also NAT_SOURCE and NAT_DESTINATION. To really tell you would need to look through the firewall.cgi code to see which chains any rules that are created in each section would end up in.
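As an added illustration of what the firewall.local approach above looks like in practice (example code written for this thread, not taken from the IPFire project or the wiki), here is a skeleton that confines its one custom rule to the CUSTOM chain and leaves the WUI-managed chains alone. Assumptions not stated in the thread: IPFire calls the script with start, stop or reload, the custom input chain is named CUSTOMINPUT, the internal interface is green0, and 192.168.1.10 is a constructed admin host.

```shell
#!/bin/bash
# Skeleton for /etc/sysconfig/firewall.local (added example, not IPFire's own file).
# Assumptions: script is invoked with start|stop|reload, custom input rules go
# into CUSTOMINPUT, the internal NIC is green0, 192.168.1.10 is a constructed host.
IPTABLES="${IPTABLES:-iptables}"
ADMIN_HOST="${ADMIN_HOST:-192.168.1.10}"

# The rule is defined once so that add, remove and check can never drift apart.
# Scope is deliberately narrow: one source host, one port, one interface.
ssh_rule() {
    echo CUSTOMINPUT -i green0 -s "$ADMIN_HOST" -p tcp --dport 22 -j ACCEPT
}

# -C returns 0 only if an identical rule is already present, so a reload after
# a WUI change does not stack duplicate copies of the rule in the chain.
add_rules() {
    "$IPTABLES" -C $(ssh_rule) 2>/dev/null || "$IPTABLES" -A $(ssh_rule)
}

# Deleting a rule that is not there is not an error worth failing stop on.
remove_rules() {
    "$IPTABLES" -D $(ssh_rule) 2>/dev/null || true
}

case "$1" in
    start)  add_rules ;;
    stop)   remove_rules ;;
    reload) remove_rules; add_rules ;;
esac
```

Rules placed this way are evaluated before the INPUTFW/FORWARDFW rules the WUI generates, so anything you allow here cannot be revoked from the WUI afterwards; keep such rules as specific as the one above.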
Not a typo, but the arrow's labels are inverted.