[BUG] INPUT is permitted even if DROP exists

Sun Feb 11 20:01:08 CET 2007


Sameh Attia wrote:
> Hi,
>   We are running the latest version of FIAIF 1.21.1. We have N zones,
> Zone1, Zone2, ....,and ZoneN. Each zone is associated with a certain
> interface with a certain IP and network range. For example ZoneX has an
> address IPX and a network NetX.
> 
> The problem is that if we have any zone with its INPUT's rules set as:
> ZONE X:
>   INPUT[0]="ACCEPT XXX  0.0.0.0/0=>0.0.0.0/0"
>   INPUT[1]="DROP ALL  0.0.0.0/0=>0.0.0.0/0"
> 
> and all other zones' rules set as:
> ALL ZONES EXCEPT X:
>   INPUT[0]="DROP ALL  0.0.0.0/0=>0.0.0.0/0"
> 
> We end up with all hosts coming through the interface of zone X being able to
> communicate with all the other INPUT interfaces of all the other zones
> regardless of whether there is a clear DROP statement or not. This is due to the fact
> that FIAIF converts this setup into IPtables rules as being restricted to
> come through X's physical interface only.

It is true that INPUT rules do not block access to services on the
firewall itself for ip-aliases outside the zone configuration. Linux
does not route packets internally when communicating between interfaces,
and hence forward rules do not apply, but if FIAIF logic is to be
followed strictly, then accept/deny rules for all inter-zone communication
should be placed in the forward rules, guarding each zone. If a client
wishes to communicate with the firewall itself, then only the zone's own
input rules are used.

However, it is easy to apply the desired policy:
Let's say in your example that clients within zone X should only be able
to communicate with the firewall itself using IP number X', then replace
the input rules with:

INPUT[0]="ACCEPT XXX 0.0.0.0/0=>X'"
INPUT[1]="DROP ALL  0.0.0.0/0=>0.0.0.0/0"

> 
> I think there should be another check that protects such generic rules in
> the other remaining zones; especially since FIAIF used to have the
> 0.0.0.0/0 notation as an alias of the zone's network range.
0.0.0.0/0 is not an alias for the zone's network range. It is an alias
for everything (meaning no restriction). For INPUT rules, the zone's
network restriction is only applied on the source address.

Eventually FIAIF2 will be ready, and INPUT / OUTPUT rules will
disappear and be replaced by a separate 'local' zone.


> Regards

Regards
Anders Fugmann
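The behaviour discussed in this thread can be checked with a small model of how the zone INPUT rules end up matching packets. The script below is an added example, not FIAIF code and not from either poster; it assumes the semantics stated above (the in-interface is the zone's physical interface, the zone's network is applied to the source address only, and `0.0.0.0/0` means no restriction) and uses constructed zone addresses. It evaluates both the original rule set and the `=>X'` variant Anders suggests, showing that a host in zone X reaches zone Y's firewall address under the first and is dropped under the second.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone definitions (hypothetical interfaces and addresses,
# chosen for the example; the thread names them only as X, IPX, NetX).
ZONES = {
    "X": {"iface": "eth0", "ip": "192.0.2.1",    "net": "192.0.2.0/24"},
    "Y": {"iface": "eth1", "ip": "198.51.100.1", "net": "198.51.100.0/24"},
}


@dataclass
class Rule:
    action: str                      # ACCEPT or DROP
    proto: str                       # protocol name or ALL
    src: ipaddress.IPv4Network       # rule's own source restriction
    dst: ipaddress.IPv4Network       # rule's own destination restriction


def parse_rule(text):
    """Parse a FIAIF-style INPUT rule such as
    'ACCEPT tcp 0.0.0.0/0=>0.0.0.0/0' (the 'ACTION PROTO SRC=>DST'
    layout used in the thread). A bare address becomes a /32."""
    action, proto, addrs = text.split()
    src, dst = addrs.split("=>")
    return Rule(action.upper(), proto.upper(),
                ipaddress.ip_network(src, strict=False),
                ipaddress.ip_network(dst, strict=False))


def compile_zone(zone_name, rules):
    """Model of how a zone's INPUT rules become iptables matches
    (assumption based on the thread): every rule is tied to the zone's
    in-interface and the zone's network is checked against the source
    address only; the destination is whatever the rule itself says."""
    zone = ZONES[zone_name]
    zone_net = ipaddress.ip_network(zone["net"])
    return [{"iface": zone["iface"], "zone_net": zone_net, "rule": r}
            for r in rules]


def evaluate(chain, iface, src, dst, proto="TCP"):
    """First-match evaluation of the compiled INPUT chain; the chain
    policy (no match) is DROP."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for entry in chain:
        rule = entry["rule"]
        if entry["iface"] != iface or src not in entry["zone_net"]:
            continue
        if rule.proto not in ("ALL", proto.upper()):
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        return rule.action
    return "DROP"


def decide(zone_rules, src, dst, iface="eth0"):
    """Build the full INPUT chain from all zones and classify one packet
    arriving on `iface` (zone X's interface by default)."""
    chain = []
    for zone_name, rules in zone_rules.items():
        chain += compile_zone(zone_name, rules)
    return evaluate(chain, iface, src, dst)


DROP_ALL = parse_rule("DROP ALL 0.0.0.0/0=>0.0.0.0/0")

# Rule set from the report: zone X accepts a service to any destination,
# every other zone drops everything. 'tcp' stands in for the thread's XXX.
LEAKY_CONFIG = {
    "X": [parse_rule("ACCEPT tcp 0.0.0.0/0=>0.0.0.0/0"), DROP_ALL],
    "Y": [DROP_ALL],
}

# Suggested fix: restrict the destination to zone X's own address X'.
FIXED_CONFIG = {
    "X": [parse_rule("ACCEPT tcp 0.0.0.0/0=>" + ZONES["X"]["ip"]), DROP_ALL],
    "Y": [DROP_ALL],
}

if __name__ == "__main__":
    client = "192.0.2.10"                     # constructed host inside NetX
    for label, cfg in (("original", LEAKY_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"{label:8s} X-client -> IPX : {decide(cfg, client, ZONES['X']['ip'])}")
        print(f"{label:8s} X-client -> IPY : {decide(cfg, client, ZONES['Y']['ip'])}")
```

The zone Y `DROP ALL` rule never fires for these packets because it is bound to `eth1`, which is exactly why the thread's "clear DROP statement" in the other zones offers no protection; only the destination restriction in zone X's own rule does.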


