Orange can connect to firewall.cgi (web UI)

Hello,
Why can a client from the orange network connect to the web UI?
This should only be possible from green, shouldn’t it?

edit:
I can get access over the green and orange IP.

Regards
Andreas

By default orange can not reach Green or Blue.
Does the client in Orange have access to Green?
Is this a VM?

FYI…
https://wiki.ipfire.org/configuration/firewall/default-policy#default-zone-ruleset

Hi,
Yes, I have seen: https://wiki.ipfire.org/configuration/firewall/default-policy#default-zone-ruleset

I have 5 port-forwarding rules to Orange
2 rules (TCP and UDP) for one client from Orange to Red

No, Orange has no access to Green.
Default firewall behaviour for FORWARD is Blocked.

Until this problem is solved I have no Green connected.

edit:
I get access from the x.y.6.2 orange client to
x.y.6.1 (orange firewall) and x.y.4.1 (green firewall).

No VM.

regards
Andreas

Come to think of it, I had to add a firewall rule to block access to the firewall WUI from the Blue network.
You may have to do the same with Orange.
Even though the Default rules should do this.

Sure, but you say there is a bug in the system (or I made a mistake) and you fix it with a workaround; that’s not my way. (OK, if there is a bug I will use your solution, of course.)
I hoped I could learn how IPFire works in more detail.

Could be a bug.
Firewall rule not noted here.

No rules to the effect of this.

Hi @hvacguy

When you open Blue Access then all clients on blue also get access to the WUI, as mentioned in the Wiki, together with what to do if you don’t want this to be the case. See the section titled "Deny blue clients access to the IPFire web interface" in the following Wiki page.

https://wiki.ipfire.org/configuration/firewall/accesstoblue

So access to the IPFire WUI is not a bug under these conditions.

Hi @andreaso

I just connected my laptop to my Orange DMZ and could access the Internet, which is allowed under default rules, but I could not access the WUI. The web page eventually just timed out.

As you are able to access the WUI from an IP on the Orange network, I would suggest disabling all the Firewall Rules you have set up and press “Apply Changes”.

If you can still access the WUI under those default rule conditions then that would indicate some form of bug that needs to be investigated via Bugzilla.

If you can not access the WUI then that would indicate some fault with one of the firewall rules that you have defined. Then you can enable them one at a time and check when you are able to access the WUI from Orange again. That would then indicate the rule(s) allowing the access.
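A small probe for the re-enable-one-rule-at-a-time procedure above (added here as an example; it is not from the thread or from IPFire). Run from a client in Orange after each "Apply Changes": it reports whether TCP 444 (the IPFire WUI port) answers on the firewall's Orange and Green addresses, which are assumed placeholder values you replace with your own.

```python
import socket

# IPFire serves the WUI over HTTPS on TCP port 444.
WUI_PORT = 444


def wui_reachable(host, port=WUI_PORT, timeout=2.0):
    """Return True if a TCP handshake to host:port completes.

    A completed handshake means the firewall's INPUT path accepted the
    packet (the WUI is exposed to this client); a refusal or timeout
    means it was rejected or dropped, which is the expected result
    from Orange under the default policy."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ConnectionRefusedError and socket.timeout are subclasses
        return False


def probe_firewall(addresses, port=WUI_PORT, timeout=2.0):
    """Probe each firewall address and map it to its reachability."""
    return {addr: wui_reachable(addr, port, timeout) for addr in addresses}


def exposed(results):
    """Addresses on which the WUI answered; from Orange this should be empty."""
    return sorted(addr for addr, ok in results.items() if ok)


if __name__ == "__main__":
    # Constructed placeholder addresses standing in for the thread's
    # x.y.6.1 (Orange side) and x.y.4.1 (Green side) firewall IPs.
    firewall_ips = ["192.0.2.1", "192.0.2.129"]
    results = probe_firewall(firewall_ips)
    for addr, ok in results.items():
        print(f"{addr}:{WUI_PORT} -> {'REACHABLE' if ok else 'blocked'}")
    if exposed(results):
        print("WUI exposed to this Orange client; the last enabled rule is suspect.")
```

Repeat the probe after enabling each rule; the first run that lists an address under "REACHABLE" identifies the rule that opens the WUI.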

This is not evident in the default firewall page.
Perhaps we need a note or asterisk next to it for the Blue network.
Looks like I have something to do later.

Hi @hvacguy

In the Firewall Default Policy page it has

Blue -> Firewall    Closed, use Blue Access
Blue -> Red         Closed, use Blue Access
Blue -> Orange      Closed, use Blue Access

What would make it clearer?

Hi,
I just want to add my 2 cents to this discussion: some time ago I came across a similar situation. My IPFire is set up for red, green (192.168.5.1), blue (192.168.0.1) and orange (192.168.150.1). So, when I tried to access IPFire’s blue address (192.168.0.1) from a client in the blue network, IPFire’s web GUI opened up. I had to stop that by entering a rule in firewall.local, since this is not possible through the firewall GUI (solution derived from the old IPFire forum). I haven’t tried it yet for the orange network, since I have no clients there yet, but I would assume the same behaviour. Perhaps this is what the topic owner faced?

Hi,
Blue is not configured yet; the problem is Orange.
Regards
Andreas

Hello,
I disabled all rules (and deleted all cookies) and it seems to be OK now.
I will activate the rules one by one to see which one allows the WUI access.

Thanks all for the help.
Regards
Andreas

Rule:
Source: client in Orange
Destination: Red
gives access to the WUI on the Orange and Green IP.

So, I am a little surprised, but I have a solution.

Thank you all for the help.

Regards
Andreas

So I disabled all my firewall rules, created one from my laptop’s Orange IP to the Red network as @andreaso noted, and was also able to get the WUI login screen coming up with my IPFire Orange and Green IP addresses. Using the IPFire FQDN didn’t work, as there is no DNS on Orange from IPFire, so the FQDN is searched externally; it is local only and so cannot be resolved.

So this shouldn’t be a risk as the access can only occur from Orange using the private addresses for Orange and Green. They should not be accessible from the internet but I haven’t confirmed that yet.
However it does surprise me that this has happened. I wouldn’t have expected it to with that Firewall Rule.

I wonder if it is the fact that my Red IP address is also a private range address, as I currently have to run my ISP’s modem in router mode, so I get a NAT’d IP address from the modem/router.

Hi @andreaso,

I have been reading up about accessing the WUI from the internet. To do that you have to create a FW rule that has source any (as it is coming from the internet) and the destination is red.

The rule you created is making the same connection but from an Orange IP to Red, so probably it is not surprising that we can access the firewall WUI from Orange.

What was the purpose for which you had to create the rule to connect Orange to Red?

Yes the rule for
Blue -> firewall Closed Recommended * (Open by default) *NOTE

*NOTE = See wiki.ipfire.org - Blue Access

Deny blue clients access to the IPFire web interface

This makes sense, to have access by default for the Red/Blue networks,
so someone can configure the firewall.
But Blue to Firewall is allowed by default, per the Default Policy page, not as stated in the Wiki.
Thanks

Fixed the Wiki default policy page for Blue.

Hi @hvacguy

Your edit is incorrect.
Blue to firewall is closed by default but is opened when Blue Access is used. So if Blue Access is used and you don’t want your clients to be able to try and access the firewall you need to add the extra firewall rule mentioned on the blue access wiki page.

I am sorry if something I wrote gave a different message.
