Accept rules in table mangle.

Hi!

I don't know if this is a bug.

For Fwbuilder 3.0.0 (build 474), is it necessary to create ACCEPT rules in the table mangle when its Policy is ACCEPT? In the older versions this doesn't occur.

Example: to mark a packet in the table mangle, chain OUTPUT.

Thanks!

--
Niumar André Klein
Network/server analyst
SOLIS - Cooperativa de Soluções Livres
www.solis.coop.br

_______________________________________________
Fwbuilder-discussion mailing list
Fwbuilder-discussion@...
https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion

Re: Accept rules in table mangle.

On Aug 18, 2008, at 9:48 AM, Niumar André Klein wrote:

> Hi!
>
> I don't know if this is a bug.
>
> For Fwbuilder 3.0.0 (build 474), is it necessary to create ACCEPT rules in
> the table mangle when its Policy is ACCEPT?
> In the older versions this doesn't occur.
>
> Example: to mark a packet in the table mangle, chain OUTPUT.

I don't quite understand the problem. Could you provide an example?

--vk

Re: Accept rules in table mangle.

Ok hehehe let me explain better.

On the image01 I checked the option "In addition to filter, create branching rule in 'mangle' tables as well".

The image02 has two rules: the first permits ftp to go out and the second marks http.

I think that the ftp rule doesn't need the mangle table, because I don't edit it, and the default policy for table mangle, chain OUTPUT is ACCEPT, so a rule to accept is not necessary.

The two images annexed produced the "iptables -L -n -t mangle" output:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
tcp_outbound_inet_01  tcp  --  192.168.0.38         0.0.0.0/0           tcp

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
tcp_outbound_inet_01  tcp  --  192.168.0.38         0.0.0.0/0           tcp

Chain tcp_outbound_inet_01 (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.0.38         0.0.0.0/0           tcp dpt:21
MARK       tcp  --  192.168.0.38         0.0.0.0/0           tcp dpt:80 MARK set 0x2

Note the line "Chain OUTPUT (policy ACCEPT)". With this policy I think that the rule "ACCEPT tcp -- 192.168.0.38 0.0.0.0/0 tcp dpt:21" in the chain "tcp_outbound_inet_01", table mangle, is not necessary, because the default Policy is ACCEPT and not DROP.

On Mon, 2008-08-18 at 09:49 -0700, Vadim Kurland wrote:

> I don't quite understand the problem. Could you provide an example?
>
> --vk

Network/server analyst
SOLIS - Cooperativa de Soluções Livres
www.solis.coop.br

Re: Accept rules in table mangle.

On Aug 18, 2008, at 10:54 AM, Niumar André Klein wrote:

> Ok hehehe let me explain better.
>
> On the image01 I checked the option "In addition to filter, create
> branching rule in 'mangle' tables as well".
>
> The image02 has two rules: the first permits ftp to go out and the
> second marks http.
>
> I think that the ftp rule doesn't need the mangle table, because I don't
> edit it, and the default policy for table mangle, chain OUTPUT is ACCEPT,
> so a rule to accept is not necessary.

fwbuilder does not set default policy for chains in the mangle table, so this ACCEPT is what was there by default.

> The two images annexed produced the "iptables -L -n -t mangle" output:
>
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> tcp_outbound_inet_01  tcp  --  192.168.0.38         0.0.0.0/0           tcp
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> tcp_outbound_inet_01  tcp  --  192.168.0.38         0.0.0.0/0           tcp
>
> Chain tcp_outbound_inet_01 (2 references)
> target     prot opt source               destination
> ACCEPT     tcp  --  192.168.0.38         0.0.0.0/0           tcp dpt:21
> MARK       tcp  --  192.168.0.38         0.0.0.0/0           tcp dpt:80 MARK set 0x2
>
> Note the line "Chain OUTPUT (policy ACCEPT)".
> With this policy I think that the rule
> "ACCEPT tcp -- 192.168.0.38 0.0.0.0/0 tcp dpt:21"
> in the chain "tcp_outbound_inet_01", table mangle, is not necessary,
> because the default Policy is ACCEPT and not DROP.

This iptables command is there because of the rule #0 in your policy tcp_outbound_inet_01, which explicitly requests ftp to be accepted.

If you do not want to have a rule in the mangle table that would accept ftp, then you should not put both rules that match ftp and http in the same policy and request this policy to be placed in both tables filter and mangle. Create two separate branching rules and create two separate policies, one for ftp and another for http. Then request only one of these policies to be placed in the mangle table.

However I feel I still might not understand the problem.

--vk

Re: Accept rules in table mangle.

Ohh right! I understand you!

The right way is to create two branching rules, one for mangle and another for filter.

Thanks for the help!

On Mon, 2008-08-18 at 21:35 -0700, Vadim Kurland wrote:

> fwbuilder does not set default policy for chains in the mangle table,
> so this ACCEPT is what was there by default.
>
> This iptables command is there because of the rule #0 in your policy
> tcp_outbound_inet_01, which explicitly requests ftp to be accepted.
>
> If you do not want to have a rule in the mangle table that would
> accept ftp, then you should not put both rules that match ftp and http
> in the same policy and request this policy to be placed in both tables
> filter and mangle. Create two separate branching rules and create two
> separate policies, one for ftp and another for http. Then request only
> one of these policies to be placed in the mangle table.
>
> However I feel I still might not understand the problem.
>
> --vk

Network/server analyst
SOLIS - Cooperativa de Soluções Livres
www.solis.coop.br
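
An added example, not part of the thread and not fwbuilder's own code: a Python check over the `iptables -L -n -t mangle` listing posted above that finds ACCEPT rules in user-defined mangle chains and lists the later rules in the same chain that a matching packet never reaches, because ACCEPT ends traversal of the table at that hook. The function names are hypothetical, and the parser assumes non-verbose output in which every rule has a target.

```python
import re

# Listing from the thread; empty PREROUTING/INPUT chains and blank lines omitted.
LISTING = """\
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
tcp_outbound_inet_01  tcp  --  192.168.0.38         0.0.0.0/0           tcp
Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
tcp_outbound_inet_01  tcp  --  192.168.0.38         0.0.0.0/0           tcp
Chain tcp_outbound_inet_01 (2 references)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.0.38         0.0.0.0/0           tcp dpt:21
MARK       tcp  --  192.168.0.38         0.0.0.0/0           tcp dpt:80 MARK set 0x2
"""

CHAIN = re.compile(r"^Chain (\S+) \((?:policy (\w+)|\d+ references)\)")

def parse_listing(text):
    """Return {chain: {"policy": str or None, "rules": [dict, ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN.match(line)
        f = line.split(None, 5)
        if m:  # policy is None for user-defined chains
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
        elif current is not None and len(f) >= 5 and f[:2] != ["target", "prot"]:
            # Assumes every rule has a target, so the columns do not shift.
            current["rules"].append({"target": f[0], "prot": f[1], "source": f[3],
                                     "match": f[5].strip() if len(f) > 5 else ""})
    return chains

def accept_rules(chains):
    """ACCEPT rules in user chains called directly from a built-in chain whose
    policy is ACCEPT, plus the later rules a matching packet never reaches."""
    findings = []
    for name, chain in chains.items():
        callers = [c for c, d in chains.items() if d["policy"] == "ACCEPT"
                   and any(r["target"] == name for r in d["rules"])]
        for i, rule in enumerate(chain["rules"]):
            if chain["policy"] is None and callers and rule["target"] == "ACCEPT":
                findings.append({"chain": name, "match": rule["match"], "callers": callers,
                                 "skipped": [r["target"] for r in chain["rules"][i + 1:]]})
    return findings

if __name__ == "__main__":
    print(accept_rules(parse_listing(LISTING)))
```

For this listing the only finding is the `dpt:21` ACCEPT, which sits ahead of the `dpt:80` MARK; the two matches do not overlap, so no marking is lost here.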