ipfire firewall rules confusion

IAPar
Posts: 16
Joined: March 23rd, 2017, 6:13 pm

ipfire firewall rules confusion

Post by IAPar » April 25th, 2017, 11:19 pm

I am sure this is a very basic question. I have IPFire with the default firewall set to "Block", so it should not allow anything except what is allowed in the firewall rules, but I see otherwise. I have only a Green (192.168.2.0) and a Red (192.168.3.0) network set up.

I have this rule in there:

Protocol  Source  Log  Destination     Action
All       Any          100.104.70.202

So any protocol going to host 100.104.70.202 is set to drop and log, and I have put this at the top as the first rule.
Note I do have rules below this one to allow ports 80 and 443, but right at the top I added this rule to specifically drop a destination IP from any source, and it doesn't work.

I see this in the firewall logs:

Time      Chain      Iface   Proto  Source         Src Port  Destination     Dst Port
19:12:55  FORWARDFW  green0  TCP    192.168.2.130  32876     100.104.70.202  443
19:12:49  FORWARDFW  green0  TCP    192.168.2.130  32876     100.104.70.202  443
19:12:46  FORWARDFW  green0  TCP    192.168.2.130  32876     100.104.70.202  443
19:12:37  FORWARDFW  green0  TCP    192.168.2.130  32868     100.104.70.202  443
19:12:25  FORWARDFW  green0  TCP    192.168.2.130  32868     100.104.70.202  443
19:12:19  FORWARDFW  green0  TCP    192.168.2.130  32868     100.104.70.202  443
So to me it is allowing that communication and forwarding it. Why is that?

There are some other rules to block as well, but it allows them. I have checked that there is nothing that would precede it (I am going from top to bottom through the firewall rules), and no packet counters were incremented when I checked the iptables page.
Does anyone know what that destination is?

What am I doing wrong?

IAPar
Posts: 16
Joined: March 23rd, 2017, 6:13 pm

Re: ipfire firewall rules confusion

Post by IAPar » April 26th, 2017, 11:15 pm

No one?

I guess people hate me here. Since I installed IPFire I got no replies to any of my questions on this forum. :o

Or maybe my questions are too advanced for people here, but this was a very, very basic question!!! ;D

Alorotom
Posts: 429
Joined: March 30th, 2015, 6:56 am

Re: ipfire firewall rules confusion

Post by Alorotom » April 27th, 2017, 6:11 am

IAPar wrote: Since I installed ipfire I got no replies to any of my questions on this forum.

This is wrong, as you can look up in your first thread.

Maybe you don't get replies because you provide too little information?

If you set the default firewall behaviour to blocked, nothing will pass the firewall without an allow rule.

So here is a wild guess: maybe your mentioned rule does not match for some reason, and another rule allows 443 then.

Other idea: do you use the proxy in non-transparent mode? This could bypass your ruleset.

Regards
Alorotom

IAPar
Posts: 16
Joined: March 23rd, 2017, 6:13 pm

Re: ipfire firewall rules confusion

Post by IAPar » April 27th, 2017, 6:07 pm

Hi Alorotom,

Thanks for your reply.

Well, no one asks for more info. If/when they do I would provide it, as I do not know whether the info provided is enough or not. I spent 30 minutes writing up the message and providing as much detail as I could, but again I can't tell if that is enough unless someone says so. OK, maybe someone replied to one of my messages a while back, but I never resolved that issue.

Another problem here is that I cannot directly attach an image to posts on this forum to show the config. By that I mean directly copying and pasting a screenshot into the post. If there is a way, I am not aware of it.

So what is confusing me is the Firewall Logs page. It shows FORWARDFW for the logs mentioned. Does that mean it allowed that traffic? To me that log says it allowed the traffic, whereas it shouldn't, since the default firewall FORWARD setting is "Blocked".

How does IPFire log on the "firewall logs" page? Does it show dropped packets, or does it just log and you have to go somewhere else to see whether it was dropped or not? I am going by the pfSense firewall logs, which show dropped or forwarded, but this is confusing to me in IPFire.

There is no proxy running at all. It's just two networks (green and red) and it is being used as a masquerading firewall.

The very first rule is what I showed in my previous post, where it should be blocking any source to the destination IP address 100.104.70.202.

After that first rule I have:

Source  Destination  Protocol  Ports
Any     Red          TCP       80,443

If I remember correctly, it matches from top to bottom. The first rule should hit and it should block.

IPFire 2.19 (x86_64) - Core Update 109

This is from firewall options page:

Default firewall behaviour
FORWARD
Sets the default firewall behaviour for connections from local networks. You may either allow all new connections or block them by default. Connections between the local networks are also blocked in the latter mode.

Blocked

In the iptables details from the UI I see no packets incremented. If the first forward rule is matched, it should drop the traffic to 100.104.70.202 443.

0 0 LOG all -- * * 0.0.0.0/0 100.104.70.202 limit: avg 10/min burst 20 LOG flags 0 level 4 prefix "FORWARDFW "
0 0 DROP all -- * * 0.0.0.0/0 100.104.70.202
Default



EDIT:
OK, here we go. I am trying this attachment: Capture.JPG, Capture2.JPG

After this I tried different combinations (source = Green, source = MAC, etc.); in all cases the log is the same, which seems to say it is allowing it. Maybe rules are defined differently in IPFire, or it logs it that way. Please clarify for me.

Is there a way for it to log which rule got hit, in the firewall logs or otherwise?

I hope this is enough info.
Last edited by IAPar on April 27th, 2017, 6:52 pm, edited 1 time in total.
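The iptables listing quoted in this post shows a LOG rule with prefix "FORWARDFW " immediately followed by a DROP rule for the same destination. The iptables LOG target is non-terminating, so a firewall-log row tagged with that prefix records the packet just before the next matching rule decides its fate. The Python below is an added example (not IPFire's code): it derives the verdict behind each LOG prefix from such a listing and applies it to rows like the ones quoted in this thread; it assumes that the DROP_FORWARD and DROP_INPUT prefixes seen later in the thread belong to the default-behaviour drop rules.

```python
import re

# Constructed from the iptables listing quoted above: pkts bytes target prot opt in out source destination [extra]
IPTABLES_LISTING = """\
0 0 LOG all -- * * 0.0.0.0/0 100.104.70.202 limit: avg 10/min burst 20 LOG flags 0 level 4 prefix "FORWARDFW "
0 0 DROP all -- * * 0.0.0.0/0 100.104.70.202
"""
# Constructed firewall-log rows, normalised to: time chain iface proto src sport dst dport
UI_LOG_ROWS = """\
19:12:55 FORWARDFW green0 TCP 192.168.2.130 32876 100.104.70.202 443
14:37:36 DROP_FORWARD green0 TCP 192.168.2.126 54478 31.13.80.52 443
14:37:36 DROP_INPUT red0 UDP 192.168.2.126 57621 255.255.255.255 57621
"""
# Assumption: IPFire tags drops by its default behaviour with these prefixes.
DEFAULT_POLICY_PREFIXES = {"DROP_FORWARD", "DROP_INPUT"}
PREFIX_RE = re.compile(r'prefix "(\S+)')


def parse_iptables(listing):
    # One dict per rule: target, source, destination and LOG prefix (if any).
    rules = []
    for line in listing.splitlines():
        f = line.split()
        if len(f) < 9 or not f[0].isdigit():  # skip chain/column header lines
            continue
        m = PREFIX_RE.search(line)
        rules.append({"target": f[2], "src": f[7], "dst": f[8],
                      "prefix": m.group(1) if m else None})
    return rules


def prefix_verdicts(rules):
    # LOG never terminates: a prefix's verdict is whatever the next terminating
    # rule with the same source/destination match decides (else default behaviour).
    verdicts = {}
    for i, rule in enumerate(rules):
        if rule["target"] != "LOG":
            continue
        later = next((r for r in rules[i + 1:] if r["target"] != "LOG"
                      and (r["src"], r["dst"]) == (rule["src"], rule["dst"])), None)
        verdicts[rule["prefix"]] = later["target"] if later else "default behaviour"
    return verdicts


def explain_log_rows(rows, verdicts):
    # Attach a verdict to each firewall-log row by its chain (log prefix) column.
    out = []
    for line in rows.splitlines():
        time, chain, _iface, proto, src, sport, dst, dport = line.split()
        verdict = (f"explicit rule: {verdicts[chain]}" if chain in verdicts
                   else "dropped by default behaviour" if chain in DEFAULT_POLICY_PREFIXES
                   else "unknown prefix")
        out.append((time, chain, f"{proto} {src}:{sport} -> {dst}:{dport}", verdict))
    return out
```

Run against the quoted rows, the FORWARDFW row resolves to the DROP rule that follows the LOG rule, which is the opposite of what the chain name suggests at first glance.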

IAPar
Posts: 16
Joined: March 23rd, 2017, 6:13 pm

Re: ipfire firewall rules confusion

Post by IAPar » April 27th, 2017, 6:42 pm

Just now I got this:

14:37:36  DROP_FORWARD  green0  TCP  192.168.2.126  31.13.80.52      54478  443(HTTPS)
14:37:36  DROP_INPUT    red0    UDP  192.168.2.126  255.255.255.255  57621  57621
14:37:30  DROP_FORWARD  green0  TCP  192.168.2.126  31.13.80.52      54478  443(HTTPS)
14:37:27  DROP_FORWARD  green0  TCP  192.168.2.126  31.13.80.52      54478  443(HTTPS)
14:37:25  DROP_FORWARD  green0  TCP  192.168.2.119  67.195.236.146   32892  993(IMAPS)

WTH? Why did it drop TCP 443 when it's allowed?

Also, how do I make it not log those broadcast packets? It makes it hard to look for info.

I will debug this later. Let's just look at the first issue above so I know I am using this correctly, as it's driving me nuts.

cibgiu
Posts: 28
Joined: November 7th, 2012, 12:53 pm

Re: ipfire firewall rules confusion

Post by cibgiu » April 27th, 2017, 8:59 pm

Hi IAPar,

In the destination you set RED, which is the RED network, not the internet. Set it to ANY and try.

Giuseppe

IAPar
Posts: 16
Joined: March 23rd, 2017, 6:13 pm

Re: ipfire firewall rules confusion

Post by IAPar » May 1st, 2017, 10:00 pm

That's the second rule, which seems to be working.

It's the first rule that isn't, where I have a destination IP defined. Any idea why that shows as forwarded?

IAPar
Posts: 16
Joined: March 23rd, 2017, 6:13 pm

Re: ipfire firewall rules confusion

Post by IAPar » May 1st, 2017, 10:46 pm

So I did a bit more trial and error.

Is it correct that traffic passing through IPFire with the default setting of "blocked" would still show up as passing through in the firewall logs? The following is the log; I checked on the source machine that the traffic is being blocked, but the log shows IPFire allowing it.

Why is this? What is the point of having a firewall with a UI if it shows incorrect logs, or am I missing something about the way the firewall logs show information?

8:42:18   FORWARDFW  green0  TCP  192.168.2.137  50149  216.239.38.120  443
18:42:18  FORWARDFW  green0  TCP  192.168.2.137  50148  216.239.38.120  443
18:42:18  FORWARDFW  green0  TCP  192.168.2.137  50156  134.170.58.123  443
18:42:18  FORWARDFW  green0  TCP  192.168.2.137  50147  146.112.61.104  443

GeoKen
Posts: 8
Joined: May 8th, 2019, 12:03 pm

Re: ipfire firewall rules confusion

Post by GeoKen » June 5th, 2019, 3:40 am

Hi IAPar,
I would love to know if you found the answer.
Thanks.
