Hello,
I created Firewall rules to block in coming firewall access from Blue and Green on port 444.
The idea is to stop the admin interface being accessed from those two networks.
Despite my rules to stop anything from green or blue to the firewall TCP 444, I can still connect to the admin interface from Green.
Now that I think about it, given that inbound to firewall is blocked by default anyway, is there some special hidden rules that are allowing port 444 through?
Hello @anon45931963,
i do not know in which order the IPfire iptables rules are working but if the rule for the GUIINPUT is before your rule, I think those rule will allow the access to the GUI from green.
I had only a short look in the rules and if you look at GUIINput you will see:
Chain GUIINPUT (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- green0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:444
Best
Silvio
Indeed, seems GUIINPUT sits above INPUTFW
that’ll be it, it’ll be allowing access to the gui despite my rules. I imagine if scrub that chain from iptables I’ll have joy.
Thanks for that!
Chain GUIINPUT (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:snpp
Chain ICMPINPUT (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
Chain INPUTFW (1 references)
target prot opt source destination
LOG udp -- anywhere anywhere udp dpt:isakmp limit: avg 10/sec burst 20 LOG level warning prefix "INPUTFW "
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
LOG udp -- anywhere anywhere udp dpt:ipsec-nat-t limit: avg 10/sec burst 20 LOG level warning prefix "INPUTFW "Look here
Just out of interest, if you have blocked all the usual way, how do you want to admin IPFire in the future?
I allow it to the IPSec subnet only. So when I connect via IPSec then I can connect to 444
SSH still is available to blue and green, but only allows for public key auth.
Thanks for explaining your mission. That’s why i wrote usual.
I thought it was a good time to ask before you succeeded 
Haha yep otherwise I will be locked out. I have managed to lock myself out before some how, I had to SSH in and remove the offending iptables entry
I think you should be able to use firewall.local in the same way as used to prevent any blue clients accessing the WUI you could just specify the green network. I think the firewall.local is earlier in the whole sequence so a drop would stop that match going forward.
See following link in the wiki
I thought that was already clear from the above informations. Especially if you read on, which I always try to encourage everyone to do as a matter of principle ;-).
If for some reason you can’t do it through the WUI, you have to do it through firewall.local
Only do the above if you know what you are doing!
BUT I missed an important part of the above post myself
I would never recommend deleting the defaults, I would always set my needs in firewall.local
So, I’m glad you mentioned it.
@anon33261557 @bonnietwin alright awesome thanks guys I’ll pop something in firewall.local and report how it goes.
It works well thanks 