
[alpine-user] Awall _fw Zone

From: Gareth Williams <gareth_at_garethwilliams.me.uk>
Date: Tue, 8 May 2018 20:48:06 +0100

Good evening,

I'm trying awall for the first time on an Alpine box I'm in the process
of building for use as a firewall/router.

I have one admin interface, on which I want to allow SSH access to this
Alpine box while blocking it on all other interfaces.  I also want the
box to be able to connect to the Internet for apk etc.

I've noticed that if I place the following in the Base zone and policy file:

      { "in" : "_fw", "action": "reject" },

it blocks access to the Alpine box as expected.  I then add an SSH
service in /etc/awall/optional/admin.json and I can access the box from
the required interface.  So far, so good.  I can SSH into the device
from the admin network, while it blocks for all other networks.

The problem comes when I add:

      { "out" : "_fw", "action": "accept" },

to the Base zone and policy file, which I believe I need to do to allow
outbound network access.

Unfortunately, this allows anyone to SSH into the box from anywhere.  I
also noticed that it adds the following to the INPUT chain:

target     prot opt in     out     source destination
ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0

which, with my limited iptables understanding, says that the firewall
will accept anything to any service running on the device.  As far as I
can see, these are the only changes that are applied (at least to the
INPUT, OUTPUT and FORWARD chains).

My understanding of the _fw zone is that it should refer to any traffic
emanating from the firewall, but that doesn't seem to be the case.  Am I
missing something here?

Any advice would be appreciated.

Kind regards,

Gareth Williams
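The rule quoted above (ACCEPT, all protocols, any interface, 0.0.0.0/0 to 0.0.0.0/0) is the kind of thing worth checking for mechanically whenever a policy change is applied. The following is an added example, not part of the post and not awall's own tooling: it parses a chain listing in the column layout shown above (the sample listing is constructed; only the second rule line is the one from the post) and returns every ACCEPT rule that carries no protocol, interface, address or match restriction at all.

```python
from dataclasses import dataclass
from typing import List

# Constructed sample in the column layout quoted in the post. The first
# ACCEPT line is the rule the post reports; the other two are added for
# contrast (a port- and interface-restricted rule, and a loopback rule).
SAMPLE_INPUT_CHAIN = """\
Chain INPUT (policy DROP)
target     prot opt in     out     source               destination
ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
ACCEPT     tcp  --  eth2   *       10.0.0.0/24          0.0.0.0/0            tcp dpt:22
ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
"""


@dataclass
class Rule:
    target: str
    prot: str
    in_if: str
    out_if: str
    source: str
    dest: str
    extra: str  # trailing match text such as "tcp dpt:22", empty if none


def parse_chain(listing: str) -> List[Rule]:
    """Parse the whitespace-separated rule rows, skipping the two header rows."""
    rules = []
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] in ("Chain", "target"):
            continue
        target, prot, _opt, in_if, out_if, src, dst = parts[:7]
        rules.append(Rule(target, prot, in_if, out_if, src, dst, " ".join(parts[7:])))
    return rules


def is_catch_all_accept(r: Rule) -> bool:
    """True when the rule accepts every protocol from any source on any interface."""
    return (r.target == "ACCEPT" and r.prot == "all" and r.in_if == "*"
            and r.source == "0.0.0.0/0" and r.dest == "0.0.0.0/0" and not r.extra)


def find_catch_all_accepts(listing: str) -> List[Rule]:
    """Return the unrestricted ACCEPT rules in a chain listing (ideally none)."""
    return [r for r in parse_chain(listing) if is_catch_all_accept(r)]


if __name__ == "__main__":
    for rule in find_catch_all_accepts(SAMPLE_INPUT_CHAIN):
        print("unrestricted ACCEPT:", rule)
```

Running it against the real box would mean feeding it the INPUT chain listing instead of the constructed sample; the loopback rule is deliberately not flagged because it is bound to an interface.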


Received on Tue May 08 2018 - 20:48:06 GMT