Only input rules for unnumbered interface

Hi list!

I need to create rules only in the INPUT table using an unnumbered interface. In my case, I have more than a hundred VPN interfaces (tap) and I want to accept only input traffic to them. However, fwbuilder only creates FORWARD rules. A sample rule:

any : address table : any : tap+ : input : accept

results in:

$IPTABLES -A FORWARD -i tap+ -d 10.11.0.1 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i tap+ -d 10.11.0.5 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i tap+ -d 10.11.0.9 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -i tap+ -d 10.11.0.13 -m state --state NEW -j ACCEPT

Is it possible?

Niumar.

--
Niumar André Klein
Network/server analyst
SOLIS - Cooperativa de Soluções Livres
www.solis.coop.br

------------------------------------------------------------------------------
Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day trial. Simplify your report design, integration and deployment - and focus on what you do best, core application coding. Discover what's new with Crystal Reports now. http://p.sf.net/sfu/bobj-july
_______________________________________________
Fwbuilder-discussion mailing list
Fwbuilder-discussion@...
https://lists.sourceforge.net/lists/listinfo/fwbuilder-discussion
Re: Only input rules for unnumbered interface

The program needs to know that the rule should go into the INPUT chain, and the only way for it to know that is to compare the address in "Destination" with the addresses of the firewall configured in the firewall object. It looks like you are using an Address Table object in the destination, but the addresses it has do not match any addresses of the firewall, so the program has no way to know the rule should go into the INPUT chain.

I can see two options:

1) Do you really need to match on all VPN interface addresses? If the packet appears in the INPUT chain, it is guaranteed that its destination matches one of the addresses of the firewall. If this is sufficient for you, then all you need to do is put the firewall object in the Destination of the rule to make it go into the INPUT chain.

2) Another possibility is to create a rule with the firewall object in Destination (so it goes into the INPUT chain) and action "Chain". Then you create a new policy rule set with some name different from the main rule set name "Policy", double click on the action to open it in the editor and drag and drop the new rule set object into the well in the editor. In the new rule set you can match the destination address against the same Address Table object you've been using to further limit the packets you permit.

You can find examples of branching rules in the Users Guide.

--vk

2009/9/8 Niumar André Klein <niumar@...>
> Hi list!
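What option 2 above amounts to in iptables terms, as an added illustration written for this thread and not fwbuilder's own generated script: the INPUT rule jumps to a user-defined chain, and that chain carries one destination match per line of the Address Table file. The address file format, the chain name vpn_in and the skipping of malformed entries are assumptions made here.

```shell
#!/bin/sh
# Added illustration, not fwbuilder's own generator: option 2 from the
# reply above expressed as iptables commands. The firewall object as
# destination puts the rule in INPUT; action "Chain" becomes a jump to a
# user-defined chain; the branch rule set matches each destination from
# the Address Table file. File format, chain name and the handling of
# malformed entries are assumptions made here.
IPTABLES='$IPTABLES'   # kept literal, as in the thread's generated script

# Accept only dotted-quad IPv4 addresses: a stray line in the address
# table would otherwise make the generated script fail when it is loaded.
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# gen_input_branch IFACE CHAIN   (address table read from stdin, one per line)
gen_input_branch() {
    iface=$1 chain=$2
    printf '%s -N %s\n' "$IPTABLES" "$chain"
    # the top-level rule: destination is the firewall itself, so it lands in INPUT
    printf '%s -A INPUT -i %s -m state --state NEW -j %s\n' \
        "$IPTABLES" "$iface" "$chain"
    while IFS= read -r addr || [ -n "$addr" ]; do
        case $addr in ''|'#'*) continue ;; esac     # blank lines and comments
        if is_ipv4 "$addr"; then
            printf '%s -A %s -d %s -j ACCEPT\n' "$IPTABLES" "$chain" "$addr"
        else
            printf 'skipping malformed address table entry: %s\n' "$addr" >&2
        fi
    done
    # no terminal rule: packets the branch does not match fall back to INPUT
}

# Constructed sample address table, modelled on the tap addresses in the thread
SAMPLE_TABLE='10.11.0.1
10.11.0.5
# deliberately malformed entry
10.11.0.300
10.11.0.13'

demo() { printf '%s\n' "$SAMPLE_TABLE" | gen_input_branch tap+ vpn_in; }
demo
```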
Re: Only input rules for unnumbered interface

On Tue, 2009-09-08 at 19:28 -0700, Vadim Kurland wrote:

> Hi!
> The program needs to know that the rule should go into the INPUT chain,
> and the only way for it to know that is to compare the address in
> "Destination" with the addresses of the firewall configured in the
> firewall object. It looks like you are using an Address Table object in
> the destination, but the addresses it has do not match any addresses of
> the firewall, so the program has no way to know the rule should go into
> the INPUT chain.

I noticed this in my tests...

> I can see two options:
>
> 1) Do you really need to match on all VPN interface addresses? If the
> packet appears in the INPUT chain, it is guaranteed that its
> destination matches one of the addresses of the firewall. If this is
> sufficient for you, then all you need to do is put the firewall object
> in the Destination of the rule to make it go into the INPUT chain.

Yes, I need it, because my VPNs are dynamically opened and closed. But I know the source and the destination addresses. They are in a file, and because of this I use the address table. The address table is the feature in Fwbuilder that allowed me to leave the manual bash scripts behind. Great feature!

I had always tested using objects from the firewall object, that is, interfaces, IP addresses or MAC addresses. I had never used the firewall object itself at all. I ran the tests and they worked perfectly. So I can use the firewall object for the destination address and the source addresses of the VPNs from an address table object. Best solution!

> 2) Another possibility is to create a rule with the firewall object in
> Destination (so it goes into the INPUT chain) and action "Chain". Then
> you create a new policy rule set with some name different from the main
> rule set name "Policy", double click on the action to open it in the
> editor and drag and drop the new rule set object into the well in the
> editor. In the new rule set you can match the destination address
> against the same Address Table object you've been using to further
> limit the packets you permit.

I already use the action "Chain" a lot in my firewalls. The idea is to use it with the rules above.

Vadim, thanks for answering and again for the great help!

> You can find examples of branching rules in the Users Guide.
>
> --vk

--
Niumar André Klein
Network/server analyst
SOLIS - Cooperativa de Soluções Livres
www.solis.coop.br