I have a noob networking question. So if I set my default policy on both green and red to block, then nothing goes out. If I add DNS server rules for red, and then proceed to add the following to green:
Allow out from LAN subnet to any port 80
Allow out from LAN subnet to any port 443
Bear in mind that I didn’t set any NAT rules for the above, but surfing the internet works.
Now shouldn’t I have to add "Allow out from RED to any 80 and 443" for this to work, because technically the GREEN address does NAT to become the RED IP before it exits the interface, no? Are the NAT rules for this perhaps automatically set by the underlying iptables, or do I just not understand how NAT works in this case?
I also noticed that if I set the option, for example, to “Provide time to local network” on the time server, my outgoing requests to port 123 on the GREEN side of the firewall work, without me having to add any rules here. Because again, if the default policy is DROP, I should have to add a rule to allow from LAN subnet to the GREEN side of the firewall on port 123. Again I assume iptables is working magic under the hood?
You say any port 80 and any port 443 so that looks like in the firewall rule you set the Destination network to ANY which means that green port 80 can go to any other network on your system - Red, Blue or Orange - so connection via Red is already defined by that.
You don’t need NAT for this as the Destination address you will be using for browsing a web page will be a public IP address converted by Unbound from a URL to the Public IP and therefore the internet will know where to go for that info.
The return to green happens due to the Stateful Connection Tracking.
IPFire records that connection from yourself out to the internet so a reply to that connection is passed back to you automatically.
NAT is needed for the other direction because anyone on the internet trying to contact, for instance, a web server that you are running, will have your URL (maybe via Dynamic DNS) and that URL will be converted to the Public IP that your ISP has given to your system’s Red connection. To get to your web server on the orange network for instance, IPFire has to use NAT to convert the Public IP to the Private IP address that your server has on the orange network. That is done via the Port Forward firewall rule.
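To make the stateful-tracking point above concrete, here is an added toy model (not IPFire's or iptables' own code) of a FORWARD chain with policy DROP, the poster's green-to-any 80/443 rules, MASQUERADE on red, and a conntrack table. All addresses are constructed; real iptables does this with the ESTABLISHED,RELATED rule and the nat table, but the decision order is the same.

```python
# Toy model of the forwarding path: policy DROP, explicit green rules,
# MASQUERADE on red, and stateful connection tracking for replies.
from dataclasses import dataclass

GREEN_NET = "192.168.1."   # constructed green subnet (/24)
RED_IP = "203.0.113.5"     # constructed public IP on the red interface
ALLOWED_PORTS = {80, 443}  # the poster's "allow out from LAN subnet to any" rules


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    iface_in: str  # "green" or "red"


class StatefulFirewall:
    def __init__(self):
        # conntrack: (red_ip, sport, dst, dport) -> original green source host
        self.conntrack = {}

    def forward(self, pkt):
        """Return (verdict, packet as forwarded) under a FORWARD policy of DROP."""
        # 1. Conntrack runs first: a reply to a recorded connection is ESTABLISHED
        #    and accepted without any rule on the red interface.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.iface_in == "red" and key in self.conntrack:
            green_host = self.conntrack[key]
            # Reverse NAT: the destination RED_IP is rewritten back to the green host.
            return "ACCEPT", Packet(pkt.src, pkt.sport, green_host, pkt.dport, "red")
        # 2. Explicit rules: NEW connections from the green subnet to any host on 80/443.
        if (pkt.iface_in == "green" and pkt.src.startswith(GREEN_NET)
                and pkt.dport in ALLOWED_PORTS):
            # MASQUERADE on red: source becomes RED_IP; the mapping is remembered.
            self.conntrack[(RED_IP, pkt.sport, pkt.dst, pkt.dport)] = pkt.src
            return "ACCEPT", Packet(RED_IP, pkt.sport, pkt.dst, pkt.dport, "green")
        # 3. Nothing matched: the default policy DROP applies.
        return "DROP", pkt


def demo():
    """Walk one HTTPS connection out, its reply back, and two packets that must drop."""
    fw = StatefulFirewall()
    out = fw.forward(Packet("192.168.1.10", 40000, "198.51.100.7", 443, "green"))
    reply = fw.forward(Packet("198.51.100.7", 443, RED_IP, 40000, "red"))
    unsolicited = fw.forward(Packet("198.51.100.7", 443, RED_IP, 40001, "red"))
    smtp_out = fw.forward(Packet("192.168.1.10", 40002, "198.51.100.7", 25, "green"))
    return out, reply, unsolicited, smtp_out
```

Only the reply whose 4-tuple matches a recorded outgoing connection gets through; an unsolicited packet on red and a green connection to a port without a rule both fall to the DROP policy.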
Yes I understand what you are saying. Let me clarify more succinctly what my question is.
When I initiate an outgoing connection via a host in the GREEN network, that gets automatically NATed (this translation happens somewhere under the hood, or it's done via the masquerading GREEN option) to the RED public IP and out to the next hop, until it reaches its destination.
My only question is: if the default policy for my RED interface is DROP, and this connection above is leaving the RED interface/IP, how come my default policy doesn’t block this? It should.
I noticed here that the default policy in iptables output is ACCEPT even though I have set it to DROP under the Firewall Options page. So this is what is causing confusion, IPFire must be doing something else under the hood which allows a LAN initiated connection to just be trusted, without explicitly setting this option.
I certainly don’t know enough about iptables to go and change the settings, but I’m just trying to understand so I can have control over the connections.
So I did a test with a vm testbed machine and putting both Forward and Outgoing to Blocked and rebooting the machine resulted in the Output chain in the iptables menu item showing policy ACCEPT.
So I am able to reproduce what you have found.
As I am not at all familiar with iptables and how it is used in detail within IPFire I am unable to say if that result is intended or is a bug.
I would suggest that you sign up to the dev mailing list and ask the question on that list to get it confirmed if it is a bug or not - see the following link