#10 Feature Request: Handle large numbers of local IP aliases

Status: closed
Owner: Vadim Kurland
Labels: None
Priority: 3
Updated: 2011-12-23
Created: 2009-09-13
Creator: Jeffrey
Private: No

Situation:

We have a server that acts as a TCP proxy for various services. This results in the server having a large number of alias IPs attached to an interface (a Class C network). The server has a Firewall Builder-generated policy installed as an iptables host protection firewall (i.e. no FORWARD chain rules).

e.g. 192.168.1.1 is the primary IP of the machine for management, etc.
And individual proxies may listen on 192.168.1.2 - 192.168.2.254 (i.e. 192.168.1.0/23)

As far as I can tell, I would need to add ~508 IPs to the interface object in Firewall Builder in order for rules allowing traffic bound for 192.168.1.2 - 192.168.1.254 to be added to the INPUT or OUTPUT chains.

This is rather tedious to set up, and can be annoying to navigate in the object tree. Can the software be modified to allow network or address range (probably simplest) objects to be attached to an interface object, and the policy compilers be modified to cope (e.g. a pre-processing stage to expand the address range object)?

Discussion

  • Jeffrey, 2009-09-13

    • priority: 5 --> 3
  • Vadim Kurland, 2009-09-13

    I'll see what I can do. Meanwhile you can try a workaround:

    - create an address table object and configure it to use a file with the list of IP addresses your server uses, or alternatively create an address range object to cover the same range of IP addresses

    - add one address to the interface of the firewall in the fwbuilder GUI. This is the address you can use for management of the firewall (to push the generated policy script). Do not add the rest of the 500 addresses.

    - in the main policy of the firewall create a rule with the firewall object in destination, direction Inbound and action "Chain".

    - create a new policy rule set object

    - double-click on the action of the rule you created in the main policy to open it in the editor and drag the new policy ruleset object into the well in the editor. Click Apply.

    - this creates a branch in the policy. Since the top-level rule has the firewall object in destination, it will go into the INPUT chain and then pass control to the new ruleset, where you can do anything you want using the address range or address table object or even individual addresses.

    This chapter in the Users Guide shows how to create and use branches:

    http://www.fwbuilder.org/docs/users_guide/policy-cookbook.htm#AEN4795

  • Vadim Kurland, 2009-09-13

    • assigned_to: nobody --> vkurland
  • Vadim Kurland, 2011-12-23

    • status: open --> closed
  • Vadim Kurland, 2011-12-23

    I am cleaning up old bug reports.

    There is another workaround that will work in fwbuilder5: if you put the firewall object into "Destination" of a policy rule, the generated iptables command will be placed in the INPUT chain with no specific destination address match. This configuration will work even if some (most) of the alias IP addresses of the interface are not configured in the fwbuilder firewall object.

    If you want to permit some protocols to some addresses but not the others, then you need to configure these addresses one way or another.
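The branch workaround from the 2009-09-13 comment and the "firewall in Destination gives an INPUT rule with no -d match" point from the last comment, as one added example. This is not fwbuilder output and not code from the project: it is a POSIX shell script that emits, by hand, the iptables-restore fragment the described rule structure amounts to, so the shape of the result can be inspected without the GUI. The chain name PROXY_IN, the management address 192.168.1.1, the proxy ports 80 and 443, and the address-table file format (one IPv4 address or one a-b range per line, the way an Address Table object's file would be fed) are assumptions for illustration; the range is matched with `-m iprange`, and whether fwbuilder compiles an address range object to iprange or expands it is not something the report states.

```shell
#!/bin/sh
# Added example, not fwbuilder output: emit an iptables-restore fragment with the
# branch structure from the workaround. One management address on the interface,
# a top-level INPUT rule with no destination match that jumps to a branch chain,
# and per-proxy rules inside that chain driven by an address-table file.
# Assumed names (not from the report): chain PROXY_IN, management IP 192.168.1.1,
# proxy ports 80/443, table format "one IPv4 address or a-b range per line".

out() { printf '%s\n' "$1"; }   # printf, so lines starting with "-A" are never read as echo options

# valid_entry ADDR: accept a dotted quad or a dotted-quad range "a.b.c.d-e.f.g.h"
valid_entry() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(-[0-9]{1,3}(\.[0-9]{1,3}){3})?$'
}

# emit_table_rules CHAIN FILE: one ACCEPT rule per table line. A range becomes a
# single iprange match, so a /23 worth of aliases is one rule rather than ~500.
# Blank lines and "#" comments are skipped; malformed entries are reported and dropped.
emit_table_rules() {
    chain="$1"; file="$2"
    while IFS= read -r entry || [ -n "$entry" ]; do
        case "$entry" in ''|'#'*) continue ;; esac
        if ! valid_entry "$entry"; then
            echo "skipping malformed table entry: $entry" >&2
            continue
        fi
        case "$entry" in
            *-*) out "-A $chain -m iprange --dst-range $entry -p tcp -m multiport --dports 80,443 -j ACCEPT" ;;
            *)   out "-A $chain -d $entry -p tcp -m multiport --dports 80,443 -j ACCEPT" ;;
        esac
    done < "$file"
}

# emit_policy MGMT_IP CHAIN FILE: a complete *filter table in iptables-restore format.
emit_policy() {
    mgmt="$1"; chain="$2"; file="$3"
    out '*filter'
    out ':INPUT DROP [0:0]'
    out ':FORWARD DROP [0:0]'         # host-protection firewall: nothing is forwarded
    out ':OUTPUT ACCEPT [0:0]'
    out ":$chain - [0:0]"
    out '-A INPUT -i lo -j ACCEPT'
    out '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # management: the only address actually configured on the fwbuilder interface
    out "-A INPUT -d $mgmt -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
    # "firewall object in Destination, action Chain": lands in INPUT with no -d match,
    # so it applies to every alias whether or not fwbuilder knows about it
    out "-A INPUT -j $chain"
    emit_table_rules "$chain" "$file"
    out "-A $chain -j RETURN"        # anything else falls back to the INPUT policy (DROP)
    out 'COMMIT'
}

# Demo with a constructed address table; pipe the output to `iptables-restore --test`.
demo() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
# constructed table: two individual proxies plus the bulk alias range
192.168.1.2
192.168.1.3
192.168.1.10-192.168.2.254
EOF
    emit_policy 192.168.1.1 PROXY_IN "$tmp"
    rm -f "$tmp"
}
demo
```

Pipe the script's output to `iptables-restore --test` to parse it without loading it; the `iprange`, `multiport` and `conntrack` matches need their xtables modules available. The RETURN at the end of the branch is what keeps the INPUT policy authoritative for addresses the table does not list, which is the distinction the last comment draws between "permit to all aliases" and "permit to some but not others".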