Firewall Not Working?

Hello,

I created Firewall rules to block in coming firewall access from Blue and Green on port 444.

The idea is to stop the admin interface being accessed from those two networks.

Despite my rules to stop anything from green or blue to the firewall TCP 444, I can still connect to the admin interface from Green.

Now that I think about it, given that inbound to firewall is blocked by default anyway, is there some special hidden rules that are allowing port 444 through?

Hello @knightian,

i do not know in which order the IPfire iptables rules are working but if the rule for the GUIINPUT is before your rule, I think those rule will allow the access to the GUI from green.
I had only a short look in the rules and if you look at GUIINput you will see:

Chain GUIINPUT (1 references)
pkts bytes target prot opt in out source destination

0 	0 	ACCEPT 	tcp 	-- 	green0 	* 	0.0.0.0/0 	0.0.0.0/0 	tcp dpt:444

Best

Silvio

1 Like

Indeed, seems GUIINPUT sits above INPUTFW

that’ll be it, it’ll be allowing access to the gui despite my rules. I imagine if scrub that chain from iptables I’ll have joy.

Thanks for that!

Chain GUIINPUT (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:snpp

Chain ICMPINPUT (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request

Chain INPUTFW (1 references)
target     prot opt source               destination         
LOG        udp  --  anywhere             anywhere             udp dpt:isakmp limit: avg 10/sec burst 20 LOG level warning prefix "INPUTFW "
ACCEPT     udp  --  anywhere             anywhere             udp dpt:isakmp
LOG        udp  --  anywhere             anywhere             udp dpt:ipsec-nat-t limit: avg 10/sec burst 20 LOG level warning prefix "INPUTFW "

Look here

Just out of interest, if you have blocked all the usual way, how do you want to admin IPFire in the future?

1 Like

I allow it to the IPSec subnet only. So when I connect via IPSec then I can connect to 444

SSH still is available to blue and green, but only allows for public key auth.

Thanks for explaining your mission. That’s why i wrote usual.

I thought it was a good time to ask before you succeeded :wink:

1 Like

Haha yep otherwise I will be locked out. I have managed to lock myself out before some how, I had to SSH in and remove the offending iptables entry

3 Likes

I think you should be able to use firewall.local in the same way as used to prevent any blue clients accessing the WUI you could just specify the green network. I think the firewall.local is earlier in the whole sequence so a drop would stop that match going forward.

See following link in the wiki

https://wiki.ipfire.org/configuration/firewall/accesstoblue#deny-blue-clients-access-to-the-ipfire-web-interface

I thought that was already clear from the above informations. Especially if you read on, which I always try to encourage everyone to do as a matter of principle ;-).

If for some reason you can’t do it through the WUI, you have to do it through firewall.local

Only do the above if you know what you are doing!

BUT I missed an important part of the above post myself

I would never recommend deleting the defaults, I would always set my needs in firewall.local

So, I’m glad you mentioned it.

3 Likes

@tulpenknicker @bonnietwin alright awesome thanks guys I’ll pop something in firewall.local and report how it goes.

It works well thanks :smiley:

1 Like