Undefined non-forwarding zone blocks all ports.
Anders Peter Fugmann
Thu Apr 6 22:19:33 CEST 2006
Dan Serban wrote:
<cut>
> After all that ... I'll describe my config currently. Fiaif loads only
> the EXT zone, as defined in fiaif.conf, I then set all ports to be
> blocked except for smtp (as that's the only service required to the big
> bad intarweb).
>
> Most of my internal ports are blocked (I don't know specifically if all
> are blocked as I've focused only on apache currently), this is what
> fiaif reports when I try to access apache over the local network:
How do you block the internal ports without a firewall?
>
> Apr 6 12:48:30 oberon kernel: [FIAIF_GLOBAL_MISS]:IN=eth0 OUT=
> MAC=00:13:d3:9d:9d:de:00:50:bf:9e:b0:34:08:00 SRC=192.168.0.1
> DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21624 DF PROTO=TCP
> SPT=42199 DPT=80 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
>
> I don't understand what GLOBAL_MISS means as it seems to block the
> service I'm attempting to contact. Locally I can run elinks
> http://192.168.0.2 to my heart's content and it works fine, though I
> understand it's a local loop, and nothing is hitting the actual
> interface, so I've boiled it down to fiaif being a little too eager in
> protecting the box :)
Correct.
Global miss means that the packet seen by FIAIF was not matched by any
rules, and is meant as a warning. FIAIF examines ALL traffic going
in/out of the box. This includes traffic from / to the internal
interface. As you have not defined any rules for your internal
interfaces, FIAIF warns that no rules were found, and drops the packet.
>
> What have I misconfigured? What can I try/do? I would certainly
> appreciate any input on this.
You need to add a zone for the internal network. Just set up a zone where
all packets are accepted on INPUT, OUTPUT and FORWARD rules. Just
remember to disable NAT and forwarding on the external interface.
>
> Thank you,
>
> Dan Serban
Regards
Anders Fugmann
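As an added example (not from the thread or from FIAIF itself), a small Python script that parses kernel netfilter LOG lines of the form quoted above and flags interfaces whose GLOBAL_MISS packets all come from private addresses, which is the symptom of a LAN interface that has no zone defined. The sample lines are constructed: only the first is from the post, and the FIAIF_EXT_INPUT_DROP prefix is a hypothetical stand-in for a packet that did match a rule.

```python
import ipaddress
import re

# Constructed sample log. Line 1 is the one from the thread; lines 2 and 3
# are made up in the same kernel LOG format (hypothetical traffic/prefix).
SAMPLE_LOG = """\
Apr 6 12:48:30 oberon kernel: [FIAIF_GLOBAL_MISS]:IN=eth0 OUT= MAC=00:13:d3:9d:9d:de:00:50:bf:9e:b0:34:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21624 DF PROTO=TCP SPT=42199 DPT=80 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
Apr 6 12:49:02 oberon kernel: [FIAIF_GLOBAL_MISS]:IN=eth0 OUT= MAC=00:13:d3:9d:9d:de:00:50:bf:9e:b0:34:08:00 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=21701 DF PROTO=TCP SPT=42200 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 6 12:50:11 oberon kernel: [FIAIF_EXT_INPUT_DROP]:IN=eth1 OUT= MAC=... SRC=203.0.113.9 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=100 DF PROTO=TCP SPT=4444 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# "[PREFIX]:" followed by space-separated KEY=VALUE fields (bare flags such
# as DF or SYN carry no "=" and are simply skipped by KV_RE).
LOG_RE = re.compile(r"\[(?P<prefix>[A-Z0-9_]+)\]:(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Parse one netfilter LOG line into a dict of fields, or None."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = {"prefix": m.group("prefix")}
    rec.update(KV_RE.findall(m.group("fields")))
    return rec


def global_misses(log_text):
    """Group GLOBAL_MISS packets by (inbound iface, proto, dst port).

    Each entry counts the packets and how many had an RFC1918 source.
    """
    summary = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["prefix"] != "FIAIF_GLOBAL_MISS":
            continue
        iface = rec.get("IN") or rec.get("OUT") or "?"
        src = ipaddress.ip_address(rec["SRC"])
        key = (iface, rec.get("PROTO"), int(rec.get("DPT", 0)))
        entry = summary.setdefault(key, {"count": 0, "private_src": 0})
        entry["count"] += 1
        entry["private_src"] += int(src.is_private)
    return summary


def undefined_zone_candidates(summary):
    """Interfaces where every missed packet came from a private address:
    the LAN-side interface most likely has no zone configured."""
    by_iface = {}
    for (iface, _proto, _port), entry in summary.items():
        agg = by_iface.setdefault(iface, [0, 0])
        agg[0] += entry["count"]
        agg[1] += entry["private_src"]
    return sorted(i for i, (n, p) in by_iface.items() if n and n == p)


if __name__ == "__main__":
    misses = global_misses(SAMPLE_LOG)
    for key, entry in sorted(misses.items()):
        print(key, entry)
    print("interfaces needing a zone:", undefined_zone_candidates(misses))
```

Run it against `/var/log/kern.log` (or wherever the kernel logs land on the box) to see which interface the misses cluster on before writing the zone file.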