[BUG] INPUT is permitted even if DROP exists
Sameh Attia
Mon Feb 12 12:13:52 CET 2007
On 2/11/07, postmaster <postmaster at fiaif.net> wrote:
>
> Sameh Attia wrote:
> > Hi,
> > We are running the latest version of FIAIF 1.21.1. We have N zones,
> > Zone1, Zone2, ....,and ZoneN. Each zone is associated with a certain
> > interface with a certain IP and network range. For example ZoneX has an
> > address IPX and a network NetX.
> >
> > The problem is that if we have any zone with its INPUT's rules set as:
> > ZONE X:
> > INPUT[0]="ACCEPT XXX 0.0.0.0/0=>0.0.0.0/0"
> > INPUT[1]="DROP ALL 0.0.0.0/0=>0.0.0.0/0"
> >
> > and all other zones' rules set as:
> > ALL ZONES EXCEPT X:
> > INPUT[0]="DROP ALL 0.0.0.0/0=>0.0.0.0/0"
> >
> > We end up with all hosts coming through the interface of zone X being able
> > to communicate with all the other INPUT interfaces of all the other zones,
> > regardless of whether there is a clear DROP statement or not. This is due to
> > the fact that FIAIF converts this setup into iptables rules as being
> > restricted to come through X's physical interface only.
>
> It is true that INPUT rules do not block access to services on the
> firewall itself for IP aliases outside the zone configuration. Linux
> does not route packets internally when communicating between interfaces,
> and hence forward rules do not apply, but if FIAIF logic is to be
> followed strictly, then accept/deny rules for all inter-zone communication
> should be placed in the forward rules, guarding each zone. If a client
> wishes to communicate with the firewall itself, then only the zone's own
> input rules are used.
>
> However, it is easy to apply the desired policy:
> Let's say in your example that clients within zone X should only be able
> to communicate with the firewall itself using IP number X', then replace
> the input rules with:
>
> INPUT[0]="ACCEPT XXX 0.0.0.0/0=>X'"
> INPUT[1]="DROP ALL 0.0.0.0/0=>0.0.0.0/0"
>
> >
> > I think there should be another check that protects such generic rules
> > in the other remaining zones; especially since FIAIF used to have the
> > 0.0.0.0/0 notation as an alias of the zone's network range.
> 0.0.0.0/0 is not an alias for the zone's network range. It is an alias
> for everything (meaning no restriction). For INPUT rules, the zone's
> network restriction is only applied on the source address.
>
> Eventually FIAIF2 will be ready, and INPUT / OUTPUT rules will
> disappear and be replaced by a separate 'local' zone.
>
>
> > Regards
>
> Regards
> Anders Fugmann
>
Thank you Anders for your quick response.
Yes, your solution is good for cases of static IP addresses. What about a
zone with DYNAMIC=1, which is our case here?
I agree with you that Linux does not forward between INPUTs. So, it should
be implemented by FIAIF itself.
What about expanding the destination 0.0.0.0/0 to the actual zone's network
range with the proper permission as per the rules?
--
Sameh Attia
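The INPUT-rule behaviour discussed in this thread, modelled as an added example (this is not FIAIF code; the zone names, addresses and the "tcp" stand-in for the "XXX" protocol placeholder are assumptions). It reproduces the leak with the original rules and shows the effect of pinning the ACCEPT destination to the zone's own address, as Anders suggests:

```python
import ipaddress

# Constructed zone table: each zone's interface address (Anders' X') and its
# network range. Names and addresses are assumptions, not from the thread.
ZONES = {
    "X": {"ip": "192.0.2.1", "net": "192.0.2.0/24"},
    "Y": {"ip": "198.51.100.1", "net": "198.51.100.0/24"},
}

# Sameh's original configuration; "tcp" stands in for the "XXX" placeholder.
LEAKY = {
    "X": ["ACCEPT tcp 0.0.0.0/0=>0.0.0.0/0", "DROP ALL 0.0.0.0/0=>0.0.0.0/0"],
    "Y": ["DROP ALL 0.0.0.0/0=>0.0.0.0/0"],
}


def parse_rule(rule):
    """Split a FIAIF-style INPUT rule 'ACTION PROTO src=>dst' into its parts."""
    action, proto, endpoints = rule.split()
    src, dst = endpoints.split("=>")
    return action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst)


def input_verdict(config, zone, proto, src, dst, default="DROP"):
    """Verdict for a packet that arrived on `zone`'s interface, addressed to the
    firewall itself. As the thread explains, a zone's INPUT rules are bound to
    its physical interface and only the *source* is restricted to the zone's
    network, so the other zones' DROP rules are never consulted."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in ipaddress.ip_network(ZONES[zone]["net"]):
        return default  # outside the zone's network: never matches
    for rule in config[zone]:
        action, rproto, rsrc, rdst = parse_rule(rule)
        if rproto in ("ALL", proto) and src_ip in rsrc and dst_ip in rdst:
            return action
    return default


def pin_destination(config):
    """Anders' fix applied mechanically: rewrite an unrestricted destination
    (0.0.0.0/0) in each zone's ACCEPT rules to that zone's own address X'.
    DROP rules keep 0.0.0.0/0, exactly as in his example."""
    return {
        zone: [r.replace("=>0.0.0.0/0", "=>" + ZONES[zone]["ip"])
               if r.startswith("ACCEPT") else r for r in rules]
        for zone, rules in config.items()
    }
```

With `LEAKY`, a client in X's network reaching zone Y's firewall address is accepted; after `pin_destination`, the same packet falls through to DROP while traffic to X's own address is still accepted.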