Bug 221828
| Field | Value |
|---|---|
| Summary | RFE: Make iptables default FORWARD rule REJECT (except for bridging) |
| Product | Fedora |
| Component | system-config-firewall |
| Version | rawhide |
| Hardware / OS | All / Linux |
| Status | CLOSED WONTFIX |
| Severity | medium |
| Priority | medium |
| Reporter | Mark McLoughlin <markmc> |
| Assignee | Thomas Woerner <twoerner> |
| CC | asliotentik, vanmeeuwen+fedora |
| Keywords | FutureFeature, Reopened |
| Doc Type | Enhancement |
| Last Closed | 2022-06-14 09:34:58 UTC |
Description (Mark McLoughlin, 2007-01-08 12:51:30 UTC)

Created attachment 145049: system-config-securitylevel-1.6.31-default-forward-rule.patch

Okay, I'm reworking some stuff in s-c-securitylevel right now that makes applying this patch impossible at the moment, but I will apply it before the next release. Thanks.

Nevermind, I've changed priorities and can commit this right now. Thanks for the patch.

So, if you set up a bridge (br0) with two members (eth0 and eth1) you want rules like:

    -I FORWARD -m physdev --physdev-in eth0 -j ACCEPT
    -I FORWARD -m physdev --physdev-in eth1 -j ACCEPT

We were talking about how e.g. initscripts and xen could make sure that these rules get added automatically even across iptables restarts or users configuring the firewall etc. I suggested having the iptables init script run scripts from /etc/sysconfig/iptables.d and have initscripts and xen install scripts there. An example Xen script might be:

----
XEND_CONFIG=/etc/xen/xend-config.sxp

# Only act when the iptables service is being started.
[ "$1" = "start" ] || exit 0

# Nothing to do unless xend is configured to use the network-bridge script.
if ! grep '^[^#]*(network-script .*network-bridge' $XEND_CONFIG > /dev/null 2>&1; then
    exit 0
fi

# Take the bridge name from "bridge=..." on the network-script line, defaulting to xenbr0.
bridge=$(awk '/^[^#]*\(network-script.*bridge=/ { print gensub(".*bridge=([^ '"'"']+).*", "\\1", "g") }' < $XEND_CONFIG)
[ "$bridge" ] || bridge="xenbr0"

# Walk the "brctl show" output and accept forwarding from every port of that bridge.
for i in $(brctl show | awk -v bridge=$bridge \
    'BEGIN {f=1;b="";} \
     /^[^[:space:]]/ { if (f==1) {f=0; next;} b=$1; } \
     { if (b==bridge) { if (NF==4||NF==1) { print $NF }}}'); do
    iptables -I FORWARD -m physdev --physdev-in $i -j ACCEPT
done
----

One reason this sucks is that if you e.g. do "service iptables save", then you get multiple copies of these rules.

What eventually occurred to me, though, was that although the default rule for IP forwarding (e.g. in a gateway) should be REJECT, the default rule for bridging should be ACCEPT. Who ever heard of a real ethernet bridge where you have to configure a firewall to allow frames from individual ports? If you add a bridge and enslave devices to that bridge, you expect all frames to be bridged between ports.

So, can we change the default forward rule to:

    -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited

Created attachment 145980: allow-bridging-by-default.patch

Any thoughts on this?
Setting the default rule to REJECT in the FORWARD chain of the filter table this way is going to break NAT setups unless you also properly specify that NATted traffic is allowed through the FORWARD chain of the filter table. I suppose you could:

- Check if the incoming interface (lan-side) is trusted; if so, the traffic is accepted.
- Allow ESTABLISHED,RELATED to pass the FORWARD chain from any incoming interface towards the outgoing (trusted) interface.

system-config-firewall in devel provides the ability to load custom rules. Please have a look at "lokkit --help". You can add a file with your rules by using "lokkit --custom-rules=ipv4:filter:/etc/sysconfig/my_rules_file". lokkit also got a new option "--update" which regenerates the firewall rules for ipv4 and ipv6. Use this if you are updating custom rules and want the changes to be persistent. The enhancements in lokkit do not require a change in the firewall handling for iptables; it does not know anything about the includes. This solution is transparent in use, especially for updaters. Please have a look at this solution and report problems if you have any. Thanks

twoerner: the request is that the default for the forward chain should be that all IP level forwarding is rejected, but link level bridging should be accepted. See comment #7

Created attachment 290742: system-config-firewall-allow-briding-by-default.patch
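The ruleset the two sides of this thread add up to (bridged frames accepted, routed forwarding rejected by default, plus the ESTABLISHED,RELATED exception the NAT comment asks for), written as an added example in iptables-restore format; this is not code from the bug or from system-config-firewall. The interface name eth0 and the output path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the bug or from system-config-firewall: emit a
# filter-table FORWARD chain, in iptables-restore format, that follows the
# thread's proposal. Bridged frames are always accepted, routed packets of
# already-tracked connections are accepted so NAT keeps working, and any other
# IP-level forwarding is rejected. eth0 and the output path are placeholders.
# Note: bridged frames only traverse this chain when bridge-nf-call-iptables
# is enabled (br_netfilter); otherwise iptables never sees them.

# Print the ruleset. Optional $1: trusted LAN-side interface whose new
# connections may be forwarded (the "trusted incoming interface" case above).
gen_forward_rules() {
    trusted_if="$1"
    printf '%s\n' '*filter' ':FORWARD ACCEPT [0:0]'
    # Link-level bridging is never firewalled: accept bridged frames first.
    printf '%s\n' '-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT'
    # Replies/related packets of tracked connections (needed for NAT'd flows).
    printf '%s\n' '-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    # New connections are forwarded only if they arrive on the trusted interface.
    if [ -n "$trusted_if" ]; then
        printf '%s\n' "-A FORWARD -i $trusted_if -m conntrack --ctstate NEW -j ACCEPT"
    fi
    # Default for everything routed at the IP level: reject, as the RFE asks.
    # Placed last, this equals the proposed "-m physdev ! --physdev-is-bridged
    # -j REJECT" default rule.
    printf '%s\n' '-A FORWARD -j REJECT --reject-with icmp-host-prohibited' 'COMMIT'
}

# Number of -A FORWARD rules produced (3 without, 4 with a trusted interface).
count_forward_rules() {
    gen_forward_rules "$1" | grep -c '^-A FORWARD'
}

# Write the ruleset to $1 and, if iptables-restore is installed, parse it with
# --test, which checks the syntax without loading anything into the kernel.
write_and_check() {
    gen_forward_rules eth0 > "$1"
    if command -v iptables-restore >/dev/null 2>&1; then
        iptables-restore --test < "$1" && echo "ruleset parses: $1"
    else
        echo "wrote $1 (iptables-restore not available to test-parse it)"
    fi
}

# Only act when given an output path, so sourcing this file has no side effects.
if [ "$#" -gt 0 ]; then write_and_check "$1"; fi
```

Run it as `sh forward-rules.sh /etc/sysconfig/iptables.example` to write the file; the custom-rules mechanism mentioned above (lokkit --custom-rules=ipv4:filter:FILE) is one way to load such a file persistently.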
Adding FutureFeature keyword to RFE's.