Re: [Fwbuilder-discussion] Newbie questions
From: <va...@vk...> - 2007-02-26 03:35:23
Looks like you need to add a rule to permit everything on the loopback interface. It also appears that you have logging turned on in all rules in your policy; you do not need to do that unless you want to see log records for all packets crossing the firewall. Did you add service object "ESTABLISHED" in some of your rules? You do not need to do that, since a rule matching ESTABLISHED,RELATED packets is added for you on top of the policy automatically. The rule that matches all multicast packets (224.0.0.0/8) should probably be stateless; you can do this using the checkbox in the rule options dialog. To get to it, right mouse click in the "options" rule element.

--vk

On Feb 25, 2007, at 6:05 PM, John Gallagher wrote:

> I am trying to generate a firewall for 2 Centos 4.4 32bit boxes running keepalived. When I apply the rules using fwbuilder it instantly causes the keepalived and ipvsadm to stop working properly.
>
> I have a valid/working iptables configuration but it seems that the rule set generated by fwbuilder is a lot more complex. I am not very good at working with IP tables, which is why I want to use fwbuilder going forward to generate my firewall rules.
>
> One of the issues I am having and have not quite figured out is the logging features of fwbuilder.
>
> I have a syslog server and I can not figure out how to disable logging on a per rule basis. Therefore, I am logging that I logged packets to the Syslog server (a nasty loop).
>
> What I see when I install the policy is the following:
>
> Packets come into the virtual interface. They are passed to the real server on the inside and then they die at the LB/Firewall on return. I see the return packets in the inside interface but never see them go out ...
>
> The logging issue makes it very difficult to troubleshoot what is happening.
>
> The rule set that works is as follows; however it does not have any NAT function, which is something I will need for some internal systems. I have tried to keep the rule set simple to eliminate NAT and routing issues.
>
> # Firewall configuration written by system-config-securitylevel
> # Manual customization of this file is not recommended.
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2800 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> -I INPUT -d 224.0.0.0/8 -j ACCEPT
> COMMIT
>
> The one that gets applied by Fwbuilder looks as follows:
>
> # Generated by iptables-save v1.2.11 on Sun Feb 25 17:55:14 2007
> *filter
> :INPUT DROP [1:52]
> :FORWARD DROP [0:0]
> :OUTPUT DROP [0:0]
> :In_RULE_2 - [0:0]
> :Out_RULE_2 - [0:0]
> :RULE_0 - [0:0]
> :RULE_1 - [0:0]
> :RULE_3 - [0:0]
> :RULE_4 - [0:0]
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -s 10.200.200.240 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
> -A INPUT -s 224.0.0.0/255.0.0.0 -m state --state NEW -j RULE_0
> -A INPUT -d 224.0.0.0/255.0.0.0 -m state --state NEW -j RULE_1
> -A INPUT -i eth1 -m state --state NEW -j In_RULE_2
> -A INPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j RULE_3
> -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j RULE_4
> -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A FORWARD -i eth1 -m state --state NEW -j In_RULE_2
> -A FORWARD -o eth1 -m state --state NEW -j Out_RULE_2
> -A FORWARD -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j RULE_3
> -A FORWARD -p tcp -m tcp --dport 22 -m state --state NEW -j RULE_4
> -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -d 10.200.200.240 -p tcp -m tcp --sport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A OUTPUT -s 224.0.0.0/255.0.0.0 -m state --state NEW -j RULE_0
> -A OUTPUT -d 224.0.0.0/255.0.0.0 -m state --state NEW -j RULE_1
> -A OUTPUT -o eth1 -m state --state NEW -j Out_RULE_2
> -A OUTPUT -p tcp -m tcp -m multiport --dports 80,443 -m state --state NEW -j RULE_3
> -A OUTPUT -p tcp -m tcp --dport 22 -m state --state NEW -j RULE_4
> -A In_RULE_2 -j LOG --log-prefix "RULE 2 -- ACCEPT " --log-level 6
> -A In_RULE_2 -j ACCEPT
> -A Out_RULE_2 -j LOG --log-prefix "RULE 2 -- ACCEPT " --log-level 6
> -A Out_RULE_2 -j ACCEPT
> -A RULE_0 -j LOG --log-prefix "RULE 0 -- ACCEPT " --log-level 6
> -A RULE_0 -j ACCEPT
> -A RULE_1 -j LOG --log-prefix "RULE 1 -- ACCEPT " --log-level 6
> -A RULE_1 -j ACCEPT
> -A RULE_3 -j LOG --log-prefix "RULE 3 -- ACCEPT " --log-level 6
> -A RULE_3 -j ACCEPT
> -A RULE_4 -j LOG --log-prefix "RULE 4 -- ACCEPT " --log-level 6
> -A RULE_4 -j ACCEPT
> COMMIT
>
> Thanks in advance,
>
> John