Bug 221828

Summary: RFE: Make iptables default FORWARD rule REJECT (except for bridging)
Product: [Fedora] Fedora
Reporter: Mark McLoughlin <markmc>
Component: system-config-firewall
Assignee: Thomas Woerner <twoerner>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: rawhide
CC: asliotentik, vanmeeuwen+fedora
Target Milestone: ---
Keywords: FutureFeature, Reopened
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2022-06-14 09:34:58 UTC

Attachments:
  system-config-securitylevel-1.6.31-default-forward-rule.patch
  allow-bridging-by-default.patch
  system-config-firewall-allow-briding-by-default.patch

Description Mark McLoughlin 2007-01-08 12:51:30 UTC
In bug #84975, we made our firewall tool apply its rules to both the INPUT and
FORWARD chains.

The rationale was that if you enable /proc/sys/net/ipv4/ip_forward, then you
should not have a default whereby all traffic is allowed to be forwarded.

However, I don't think our input rules make a good default:

  1) It may be a good default to allow e.g. SSH traffic to be forwarded
     from an "external" interface to an "internal" one, but it is not
     a good default to *only* allow SSH traffic to be forwarded from
     internal to external.

  2) The default creates a confusing situation where some traffic is
     forwarded from internal to external and some isn't. It probably isn't 
     obvious to people that this has anything to do with their firewall
     configuration.

I think a better default would be to make REJECT the default rule on the FORWARD
chain. It makes it a lot more explicit to people setting up a gateway that they
need to modify their iptables FORWARD configuration.

Comment 1 Mark McLoughlin 2007-01-08 12:51:30 UTC
Created attachment 145049 [details]
system-config-securitylevel-1.6.31-default-forward-rule.patch

Comment 4 Chris Lumens 2007-01-09 16:32:04 UTC
Okay, I'm reworking some stuff in s-c-securitylevel right now that makes
applying this patch impossible at the moment but I will apply it before the next
release.  Thanks.

Comment 5 Chris Lumens 2007-01-09 19:19:52 UTC
Nevermind, I've changed priorities and can commit this right now.  Thanks for
the patch.

Comment 6 Mark McLoughlin 2007-01-12 18:36:36 UTC
So, if you set up a bridge (br0) with two members (eth0 and eth1) you want rules
like:

  -I FORWARD -m physdev --physdev-in eth0 -j ACCEPT
  -I FORWARD -m physdev --physdev-in eth1 -j ACCEPT

We were talking about how e.g. initscripts and xen could make sure that these
rules get added automatically even across iptables restarts or users configuring
the firewall etc.

I suggested having the iptables init script run scripts from
/etc/sysconfig/iptables.d and have initscripts and xen install scripts there.

An example Xen script might be:

----
# Meant to live in /etc/sysconfig/iptables.d (as proposed above): only act on
# "start", and only when xend is configured to use its network-bridge script.
XEND_CONFIG=/etc/xen/xend-config.sxp

[ "$1" = "start" ] || exit 0

if ! grep '^[^#]*(network-script .*network-bridge' "$XEND_CONFIG" > /dev/null 2>&1; then
    exit 0
fi

# Pick up a "bridge=NAME" argument to network-script, if one is given (gawk
# gensub); the '"'"' sequence puts a literal single quote inside the awk program.
bridge=$(awk '/^[^#]*\(network-script.*bridge=/ { print gensub(".*bridge=([^ '"'"']+).*", "\\1", "g") }' < "$XEND_CONFIG")

[ "$bridge" ] || bridge="xenbr0"

# Walk "brctl show": skip the header line, remember the bridge name from every
# line that starts in column 1, and print the interface column (4 fields on the
# bridge's own line, 1 field on its continuation lines) for our bridge only.
for i in $(brctl show | awk -v bridge="$bridge" \
                            'BEGIN {f=1;b="";} \
                            /^[^[:space:]]/ { if (f==1) {f=0; next;} b=$1; } \
                            { if (b==bridge) { if (NF==4||NF==1) { print $NF }}}'); do
    iptables -I FORWARD -m physdev --physdev-in "$i" -j ACCEPT
done
----

One reason this sucks is if you e.g. do service iptables save, then you get
multiple copies of these rules.

Comment 7 Mark McLoughlin 2007-01-12 18:42:17 UTC
What eventually occurred to me, though, was that although the default rule for
IP forwarding (e.g. in a gateway) should be REJECT, the default rule for
bridging should be ACCEPT.

Who ever heard of a real ethernet bridge where you have to configure a firewall
to allow frames from individual ports?

If you add a bridge and enslave devices to that bridge, you expect all frames to
be bridged between ports.

So, can we change the default forward rule to:

  -A FORWARD -m physdev ! --physdev-is-bridged -j REJECT --reject-with icmp-host-prohibited

Comment 8 Mark McLoughlin 2007-01-19 13:50:34 UTC
Created attachment 145980 [details]
allow-bridging-by-default.patch

Any thoughts on this?

Comment 9 Jeroen van Meeuwen 2007-08-26 09:38:53 UTC
Setting the default rule to REJECT in the FORWARD chain of the filter table this
way is going to break NAT setups unless you also properly specify that NATted
traffic is allowed through the FORWARD chain of the filter table. I suppose you
could:

  1) Check if the incoming interface (lan-side) is trusted; if it is, the
     traffic is accepted.
  2) Allow ESTABLISHED,RELATED to pass the FORWARD chain from any incoming
     interface towards the outgoing (trusted) interface.
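What comments 7 and 9 together ask for, written out as an added example that is not part of the bug or of any of the attached patches: a small POSIX shell function that emits a filter-table fragment in iptables-restore syntax with REJECT as the effective default of the FORWARD chain, an unconditional exception for bridged frames, and the two allowances comment 9 says a NAT gateway needs. The function name and the interface names (eth0 as the trusted LAN side, eth1 as the WAN side) are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the bug or its attachments): emit a filter-table
# fragment in iptables-restore syntax that makes REJECT the effective default
# of the FORWARD chain while still (a) bridging frames between enslaved ports,
# as comment 7 asks, and (b) letting a NAT gateway work, as comment 9 warns.
# Interface names are arguments; the eth0 (LAN) / eth1 (WAN) defaults below
# are assumptions chosen for the example.
#
# Usage: gen_forward_rules LAN_IF WAN_IF > /tmp/forward.rules
#        iptables-restore --noflush /tmp/forward.rules   (as root)

gen_forward_rules() {
    lan_if="$1"; wan_if="$2"
    cat <<EOF
*filter
:FORWARD ACCEPT [0:0]
# 1. Link-level bridging: frames entering a port that is enslaved to a bridge
#    are not IP-forwarded, so let them through unconditionally.
-A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
# 2. Replies to connections the gateway already allowed (covers NATted flows
#    coming back from the WAN side).
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# 3. New connections from the trusted LAN side toward the WAN side.
-A FORWARD -i $lan_if -o $wan_if -m state --state NEW -j ACCEPT
# 4. Everything else that is IP-forwarded is rejected explicitly, so a
#    gateway author sees a refusal instead of a silent drop.
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Stand-alone run: print the fragment for the assumed eth0/eth1 pair.
gen_forward_rules "${1:-eth0}" "${2:-eth1}"
```

Rule order is the point: the bridging ACCEPT and the ESTABLISHED,RELATED rule must sit above the catch-all REJECT, and loading the fragment with iptables-restore needs root and, without --noflush, replaces the whole filter table.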

Comment 10 Thomas Woerner 2007-10-04 10:16:02 UTC
system-config-firewall in devel provides the ability to load custom rules.
Please have a look at "lokkit --help". You can add a file with your rules by
using "lokkit --custom-rules=ipv4:filter:/etc/sysconfig/my_rules_file".
lokkit also got a new option "--update" which regenerates the firewall rules
for ipv4 and ipv6. Use this if you are updating custom rules and want the
changes to be persistent.
The enhancements in lokkit do not require a change in the firewall handling
for iptables; it does not know anything about the includes. This solution is
transparent in use, especially for updaters.

Please have a look at this solution and report problems if you have any.
Thanks

Comment 11 Mark McLoughlin 2008-01-03 16:52:07 UTC
twoerner: the request is that the default for the forward chain should be that
all IP level forwarding is rejected, but link level bridging should be accepted.

See comment #7

Comment 12 Mark McLoughlin 2008-01-03 16:52:40 UTC
Created attachment 290742 [details]
system-config-firewall-allow-briding-by-default.patch

Comment 13 Jon Stanley 2008-04-23 20:28:29 UTC
Adding FutureFeature keyword to RFE's.
