On Oct 27, 2005, at 3:54 PM, Christoph Badura wrote:
> A while ago I came across an fwbuilder setup under Linux w/iptables
> used interface policies. The traffic observed with tcpdump(8) on the
> internal interface was at first surprising because it was not in line with
> a casual reading of the policies. There was lots of unwanted traffic
> passing from the internal network to the other interfaces. And only by
> sheer luck the traffic from a couple of worm-infested machines in a
> was blocked from the internal network.
> I believe this all is because fwbuilder's semantic model of iptables is
> incomplete and fwb_ipt fails to detect rule shadowing between
> policies and the global policy.
> If you install the filter rules resulting from the attached .fwb file you
> will observe the following traffic despite the global "deny
> - Connections initiated by packets entering through eth0 will be
> allowed to any destination.
Right. The rule on eth0 looks like this:
any any any inbound Accept
that is, you accept all packets coming in through that interface.
This rule, however, does not shadow the global "any any any deny" rule
because it has narrower scope - it applies only to a single interface,
eth0, whereas the global rule applies to all interfaces.
> - Connections initiated by packets exiting the DMZ by entering the
> firewall through eth2 will be allowed to any destination --
> including the internal network.
Same thing as above.
> This is because iptables has a "first match" approach. I.e. the first rule
> that matches a packet decides on accept/reject/drop. Further rules are not
> fwb_ipt seems to operate under the assumption that "-i" and "-o"
> somehow don't short-circuit. Hence fwb_ipt fails to detect that the "inbound"
> filter rules shadow the global "deny everything" policy. It also fails to
> detect that the global "deny everything" policy is shadowed by rule
> 0 of eth0.
No, they do not shadow the global rule.
> Also you cannot affect the order the interface policies are applied.
You will be able to in v2.1, where interface and global policies are
merged into one policy.
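The disagreement above is about what "shadowing" means under iptables first-match evaluation. The following model, added here as an illustration and not code from fwbuilder or from either poster, distinguishes a rule that fully covers a later one (the later rule can never fire) from a rule that merely overlaps it, and walks a packet through the chain. Interface names, addresses and the rule order are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    iface: Optional[str]   # None: no -i/-o qualifier, i.e. a "global" rule
    src: IPv4Network
    dst: IPv4Network
    action: str            # ACCEPT or DROP

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`,
    so an earlier `outer` fully shadows `inner` under first-match semantics."""
    iface_ok = outer.iface is None or outer.iface == inner.iface
    return iface_ok and inner.src.subnet_of(outer.src) and inner.dst.subnet_of(outer.dst)

def overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet matches both rules (partial shadowing if `a` is earlier)."""
    iface_ok = a.iface is None or b.iface is None or a.iface == b.iface
    return iface_ok and a.src.overlaps(b.src) and a.dst.overlaps(b.dst)

def shadowed_pairs(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(i, j) for each rule i that can never fire because earlier rule j covers it."""
    found = []
    for i, later in enumerate(rules):
        for j in range(i):
            if covers(rules[j], later):
                found.append((i, j))
                break
    return found

def first_match(rules: List[Rule], iface: str, src: str, dst: str) -> str:
    """Walk the chain top-down and return the action of the first matching rule."""
    probe = Rule(iface, ip_network(src), ip_network(dst), "")
    for r in rules:
        if covers(r, probe):
            return r.action
    return "POLICY"   # no rule matched; the chain default policy applies

# Constructed chain, interface rule first and the global catch-all after it.
RULES = [
    Rule("eth0", ANY, ANY, "ACCEPT"),                        # eth0: any any any Accept
    Rule(None, ANY, ANY, "DROP"),                            # global: any any any Deny
    Rule("eth0", ip_network("10.0.0.0/24"), ANY, "DROP"),    # fully covered by rule 0
]

if __name__ == "__main__":
    print(shadowed_pairs(RULES))                                      # [(2, 0)]
    print(covers(RULES[0], RULES[1]), overlaps(RULES[0], RULES[1]))   # False True
    print(first_match(RULES, "eth0", "10.0.0.5", "192.168.1.1"))      # ACCEPT
    print(first_match(RULES, "eth1", "10.0.0.5", "192.168.1.1"))      # DROP
```

The eth0 accept rule does not cover the global deny (packets on other interfaces still reach it), yet it overlaps it, which is why traffic entering eth0 is accepted while the global rule still fires for eth1.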