[BUG] INPUT is permitted even if DROP exists

Sameh Attia
Mon Feb 12 19:16:02 CET 2007


On 2/12/07, postmaster <postmaster at fiaif.net> wrote:
>
> Sameh Attia wrote:
> > I agree with you that Linux does not forward between INPUTs. So, it
> > should be implemented by FIAIF itself.
> > What about expanding the destination 0.0.0.0/0 to the actual zone's
> > network range with the proper permission as per the rules?
> The problem is that these permissions are too strict, as the user can then
> only communicate with the firewall using the IP number within the zone
> definition. In my setup, the firewall runs different services on
> different IP numbers.
>
> Another solution would be to emulate the true forwarding system, but this
> is FIAIF2 stuff. FIAIF2 will have a "local" zone, so FORWARD rules
> apply as they should have in the current version of FIAIF.
>
> Regards
> Anders
>
Here is an example that might better illustrate what I mean:
Zone A:
  IP 10.0.A.1
  NET 10.0.A.0/255.255.255.0
  INPUT DROP 0/0=>0/0
...
...
Zone X:
  IP 10.0.X.1
  NET 10.0.X.0/255.255.255.0
  INPUT ACCEPT XXX 0/0=>0/0
...
...
Zone N:
  IP 10.0.N.1
  NET 10.0.N.0/255.255.255.0
  INPUT DROP 0/0=>0/0

What about substituting the destination 0/0 of every zone with the zone's
network range?
I think this would solve the problem.
Also, when will FIAIF2 be available?
-- 
Sameh Attia
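A small model of the two INPUT rule layouts discussed in this thread, added here as an illustration and not FIAIF code: it assumes the zone letters A, X, N are replaced by the constructed third octets 1, 2, 3, that the ingress zone is identified by the packet's source network, and that rules are evaluated first-match with a final DROP policy. It shows both the reported bug (zone X's ACCEPT reaching zone A's firewall address) and Anders's objection (a service on an IP outside any zone net becomes unreachable under the proposal).

```python
import ipaddress

# Constructed zone definitions mirroring the example in the post.
# The letters A, X, N in the post's addresses are replaced by 1, 2, 3 (assumption).
ZONES = {
    "A": {"ip": "10.0.1.1", "net": "10.0.1.0/24", "input": "DROP"},
    "X": {"ip": "10.0.2.1", "net": "10.0.2.0/24", "input": "ACCEPT"},
    "N": {"ip": "10.0.3.1", "net": "10.0.3.0/24", "input": "DROP"},
}


def build_input_rules(zones, restrict_dst_to_zone_net):
    """Return (zone, src_net, dst_net, target) INPUT rules, one per zone.

    The ingress zone is modelled by src_net = the zone's NET (assumption).
    With restrict_dst_to_zone_net=False the destination stays 0/0, which is
    the behaviour reported as the bug; with True the destination is the
    zone's own network range, which is the proposal in the post.
    """
    rules = []
    for name, zone in zones.items():
        src = ipaddress.ip_network(zone["net"])
        dst = src if restrict_dst_to_zone_net else ipaddress.ip_network("0.0.0.0/0")
        rules.append((name, src, dst, zone["input"]))
    return rules


def evaluate(rules, src_ip, dst_ip, policy="DROP"):
    """First-match evaluation of a packet addressed to the firewall itself."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _name, src_net, dst_net, target in rules:
        if src in src_net and dst in dst_net:
            return target
    return policy  # no zone rule matched: fall back to the chain policy


if __name__ == "__main__":
    current = build_input_rules(ZONES, restrict_dst_to_zone_net=False)
    proposed = build_input_rules(ZONES, restrict_dst_to_zone_net=True)
    # A host in zone X talking to zone A's firewall address 10.0.1.1.
    print("current  :", evaluate(current, "10.0.2.50", "10.0.1.1"))   # ACCEPT (the bug)
    print("proposed :", evaluate(proposed, "10.0.2.50", "10.0.1.1"))  # DROP
    # A service bound to a firewall IP outside every zone net (Anders's setup).
    print("current  :", evaluate(current, "10.0.2.50", "10.0.9.9"))   # ACCEPT
    print("proposed :", evaluate(proposed, "10.0.2.50", "10.0.9.9"))  # DROP (too strict)
```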