fwbuilder 2.1.18 iptables 1.4.2 no -i ethX

R.Welz
2009-04-13
2013-03-05
  • R.Welz

    R.Welz - 2009-04-13

    and no -o ethX were generated when defining an interface in the GUI. Is this a missing feature?

    BTW the default template for router with three interfaces contains a source: Any destination: Any service: Any Interface: loopback rule.
    It's a bit dangerous to have everything open since -i lo was not generated.

    kind regards,

    Robert

     
    • Vadim Kurland

      Vadim Kurland - 2009-04-13

      first, v2.1.18 is old and is not supported anymore.

      as for the "-i interface", could you quote the rule that should get it but does not?

       
    • R.Welz

      R.Welz - 2009-04-13

      hi,
      when I have, as second rule in the GUI:

      Any,Any,Any,loopback,both directions, accept, any time; the install script it creates:

      IPTABLES -A INPUT -i lo -m state --state NEW -j ACCEPT
      IPTABLES -A OUTPUT -i lo -m state --state NEW -j ACCEPT

      but when it installs remotely in iptables it gives:
      Chain INPUT (policy DROP)
      target     prot opt source               destination        
      1 ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
      2 ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:ssh state NEW,ESTABLISHED
      drop_invalid  all  --  anywhere             anywhere            state INVALID
      3 In_RULE_0  all  --  netyou-xxx-xxx.net-you.de  anywhere            state NEW
      4 In_RULE_0  all  --  Oberon               anywhere            state NEW
      5 In_RULE_0  all  --  192.168.1.0/24       anywhere            state NEW
      6 In_RULE_0  all  --  192.168.2.0/24       anywhere            state NEW
      7 In_RULE_0  all  --  192.168.4.0/24       anywhere            state NEW
      8 ACCEPT     all  --  anywhere             localhost           state NEW

      basically rules 1 and 8 mean everything open?

      kind regards,
      Robert

       
      • Vadim Kurland

        Vadim Kurland - 2009-04-13

        rule #1 accepts packets in states ESTABLISHED,RELATED. These are reply packets to existing sessions. Rule #8 accepts from any to localhost. This rule was not produced from the rules for the loopback you quoted above. This rule is from something else, you need to look in your policy what this could be. Perhaps you have a rule somewhere with "any" in source and "127.0.0.1" or firewall address in "destination"?

         
    • R.Welz

      R.Welz - 2009-04-13

      sorry, my firewall is a hot firewall, which I misused shortly for this test.

      No, it creates

      Chain INPUT (policy DROP)
      target     prot opt source               destination        
      1 ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
      2 ACCEPT     tcp  --  192.168.1.0/24       anywhere            tcp dpt:ssh state NEW,ESTABLISHED
      drop_invalid  all  --  anywhere             anywhere            state INVALID
      3 In_RULE_0  all  --  mail.fixe-post.de    anywhere            state NEW
      4 In_RULE_0  all  --  Oberon               anywhere            state NEW
      5 In_RULE_0  all  --  192.168.1.0/24       anywhere            state NEW
      6 In_RULE_0  all  --  192.168.2.0/24       anywhere            state NEW
      7 In_RULE_0  all  --  192.168.4.0/24       anywhere            state NEW
      8 ACCEPT     all  --  anywhere             anywhere            state NEW

      which means everything open?

       
    • R.Welz

      R.Welz - 2009-04-13

      iptables -S
      -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
      -A INPUT -i lo -m state --state NEW -j ACCEPT

      iptables -L
      ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
      ACCEPT     all  --  anywhere             anywhere            state NEW

      so there is a discrepancy between both command line parameters for iptables. Sorry for wasting your time but I was really concerned.

      kind regards,
      Robert

       
      • Vadim Kurland

        Vadim Kurland - 2009-04-13

        the rules you see in "iptables -L" were generated for some other iptables commands, not for those you quoted above. The commands you quoted do have "-i lo", which is not shown in the output of "iptables -L". This means you are looking at different commands. There has to be some other rule in your policy that permits any to any.

        Also, make sure there are no errors when you activate policy generated by fwbuilder so that when you run iptables -L you really look at the policy you think you look at, and not at what was there on the firewall before.

         
    • Jeffrey

      Jeffrey - 2009-04-14

      I'd strongly suggest you install the policy, then look at the output of:
      iptables -L -nv

      -n : don't do address to name conversions (IPs only)
      -v : verbose  (Includes interface specified by -i or -o)

       
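The two posts above (Robert's `iptables -S` vs `iptables -L` comparison, and Jeffrey's advice to use `-L -nv`) both come down to the same point: the plain `-L` listing drops the `-i`/`-o` interface columns, so `-A INPUT -i lo -m state --state NEW -j ACCEPT` and a genuinely unrestricted `-A INPUT -m state --state NEW -j ACCEPT` render identically. The following added example (not code from the thread or from fwbuilder) parses `iptables -S` output, which always carries the interface, and flags ACCEPT rules for NEW connections that have no interface, address or protocol restriction. The sample rule set is constructed from the lines quoted in the thread plus one hypothetical any-to-any rule; the parser covers only the options that appear in it.

```python
import shlex

# Constructed sample of `iptables -S INPUT` output. The first four lines mirror
# the rules quoted in the thread; the last one is a hypothetical unrestricted
# rule of the kind Vadim suspects is hiding somewhere in the policy.
SAMPLE_RULES = [
    "-P INPUT DROP",
    "-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT",
    "-A INPUT -s 192.168.1.0/24 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT",
    "-A INPUT -i lo -m state --state NEW -j ACCEPT",
    "-A INPUT -m state --state NEW -j ACCEPT",  # hypothetical "any to any" rule
]

RESTRICTING_KEYS = ("in_iface", "out_iface", "src", "dst", "proto", "dport")


def parse_rule(line):
    """Parse one `iptables -S` rule line into the match options we audit on.

    Only -A/-i/-o/-s/-d/-p/--dport/--state/-j are interpreted; a leading "!"
    (negation) is skipped, so a negated match still counts as a restriction.
    """
    toks = shlex.split(line)
    rule = {"chain": None, "target": None, "states": None}
    rule.update({k: None for k in RESTRICTING_KEYS})
    opt_to_key = {"-i": "in_iface", "-o": "out_iface", "-s": "src",
                  "-d": "dst", "-p": "proto", "--dport": "dport"}
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "-A":
            rule["chain"] = toks[i + 1]
            i += 2
        elif t in opt_to_key:
            rule[opt_to_key[t]] = toks[i + 1]
            i += 2
        elif t == "--state":
            rule["states"] = toks[i + 1].split(",")  # keep iptables' own order
            i += 2
        elif t == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif t == "-m":
            i += 2  # match module name; its own options are handled above
        else:
            i += 1  # "!" or an option we do not audit on
    return rule


def is_unrestricted_accept(rule):
    """True for an ACCEPT rule that admits NEW connections from anywhere."""
    if rule["target"] != "ACCEPT":
        return False
    states = rule["states"]
    # A reply-only rule (RELATED,ESTABLISHED without NEW) does not open anything.
    if states is not None and "NEW" not in states:
        return False
    return all(rule[k] is None for k in RESTRICTING_KEYS)


def audit(lines):
    """Return the `-S` lines that accept NEW traffic with no restriction at all."""
    return [l for l in lines if l.startswith("-A") and is_unrestricted_accept(parse_rule(l))]


def render_like_L(rule):
    """Approximate one row of `iptables -L` without -v: no interface column.

    This is what makes the loopback rule and the any-to-any rule look the same.
    """
    proto = rule["proto"] or "all"
    src = rule["src"] or "anywhere"
    dst = rule["dst"] or "anywhere"
    extra = "state " + ",".join(rule["states"]) if rule["states"] else ""
    return f"{rule['target']:<10} {proto:<4} --  {src:<20} {dst:<19} {extra}".rstrip()


if __name__ == "__main__":
    for line in SAMPLE_RULES[1:]:
        print(render_like_L(parse_rule(line)), "  <-", line)
    print("unrestricted NEW accepts:", audit(SAMPLE_RULES))
```

Feed it real output with `iptables -S INPUT` (or `iptables-save`) rather than `-L`; the `-S` form is the one that preserves `-i lo`, which is exactly the detail the thread was missing. Anything `audit()` returns is a rule that deserves a second look in the fwbuilder policy.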
