alpine-user

Re: [alpine-user] Awall _fw Zone

From: Jeff Bilyk <jbilyk_at_gmail.com>
Date: Tue, 8 May 2018 15:55:36 -0400

On Tue, May 8, 2018 at 3:48 PM, Gareth Williams <gareth_at_garethwilliams.me.uk> wrote:

> Good evening,
>
> I'm trying awall for the first time on an Alpine box I'm in the process of
> building for use as a firewall/router.
>
> I have one admin interface, on which I want to allow SSH access
> to this Alpine box while blocking it on all other interfaces. I also want
> the box to be able to connect to the Internet for apk etc.
>
> I've noticed that if I place the following in the Base zone and policy
> file:
>
> { "in" : "_fw", "action": "reject" },
>
> it blocks access to the Alpine box as expected. When I then add an SSH service
> in /etc/awall/optional/admin.json, I can access the box from the required
> interface. So far, so good. I can SSH into the device from the admin
> network, while it blocks for all other networks.
>
> The problem comes when I add:
>
> { "out" : "_fw", "action": "accept" },
>

This should be "in": "_fw". In other words, the input is the firewall
itself, egressing out another interface.


> to the Base zone and policy file, which I believe I need to do to allow
> outbound network access.
>
> Unfortunately, this allows anyone to SSH into the box from anywhere. I
> also noticed that it adds the following to the INPUT chain:
>
> target prot opt in out source destination
> ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> which with my limited iptables understanding, says that the firewall will
> accept anything to any service running on the device. As far as I can see,
> these are the only changes that are applied (at least to the INPUT, OUTPUT
> and FORWARD chains).
>
> My understanding of the _fw zone is that it should refer to any traffic
> emanating from the firewall, but that doesn't seem to be the case. Am I
> missing something here?
>

_fw refers to the firewall itself. If the traffic is "out": "_fw", then it
is traffic that is sent to the firewall (as opposed to forwarding through
the firewall, or originating from the firewall).


>
> Any advice would be appreciated.
>
> Kind regards,
>
> Gareth Williams
>
>
> ---
> Unsubscribe: alpine-user+unsubscribe_at_lists.alpinelinux.org
> Help: alpine-user+help_at_lists.alpinelinux.org
> ---


-- 
Jeff
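To make the zone/chain relationship in this exchange concrete, here is an added example (not part of the thread and not awall's own code): a simplified model of how awall turns the "in" and "out" zones of a policy or filter into a netfilter chain and interface match. It shows why { "out": "_fw", "action": "accept" } becomes a catch-all ACCEPT in INPUT (the rule Gareth saw) while { "in": "_fw", "action": "accept" } lands in OUTPUT, and includes a small check for accept rules that open the firewall host to every zone. The interface names (eth0 for admin, eth1 for the Internet side), the service table and the zone names are assumptions, not from the thread; real awall output uses its own per-zone chains and a conntrack rule, which this model leaves out.

```python
"""
Added example (not awall's code): model the mapping from awall "in"/"out"
zones to netfilter chains.  "_fw" is awall's special zone meaning the
firewall host itself.  Assumed: admin=eth0, wan=eth1; SERVICES is a
constructed stand-in for awall's services.json.
"""
import json

FW = "_fw"  # the firewall host itself

# Constructed stand-in for awall's service definitions (name -> L4 matches).
SERVICES = {"ssh": [("tcp", 22)], "http": [("tcp", 80)],
            "dns": [("udp", 53), ("tcp", 53)]}

ACTIONS = {"accept": "ACCEPT", "reject": "REJECT", "drop": "DROP"}


def chain_for(rule):
    """Pick the chain from where _fw appears in the rule.

    "in" is the zone a packet comes from, "out" the zone it goes to:
      in == _fw  -> OUTPUT  (sent by the firewall, e.g. apk fetching packages)
      out == _fw -> INPUT   (addressed to the firewall, e.g. SSH to the box)
      neither    -> FORWARD (routed through the firewall)
    """
    src, dst = rule.get("in"), rule.get("out")
    if src == FW and dst == FW:
        raise ValueError("_fw cannot be both in and out")
    if src == FW:
        return "OUTPUT"
    if dst == FW:
        return "INPUT"
    return "FORWARD"


def render(rule, zones):
    """Render one policy/filter as iptables rules (one per service port)."""
    src, dst = rule.get("in"), rule.get("out")
    base = ["-A", chain_for(rule)]
    if src and src != FW:
        base += ["-i", zones[src]["iface"]]   # _fw has no interface to match
    if dst and dst != FW:
        base += ["-o", zones[dst]["iface"]]
    target = ["-j", ACTIONS[rule["action"]]]
    services = rule.get("service")
    if services is None:
        return [" ".join(base + target)]      # no L4 match: matches all traffic
    if isinstance(services, str):
        services = [services]
    return [" ".join(base + ["-p", proto, "--dport", str(port)] + target)
            for name in services for proto, port in SERVICES[name]]


def merge(*configs):
    """Combine awall fragments the way importing base.json does."""
    result = {"zone": {}, "filter": [], "policy": []}
    for c in configs:
        result["zone"].update(c.get("zone", {}))
        result["filter"] += c.get("filter", [])
        result["policy"] += c.get("policy", [])
    return result


def render_config(config):
    """Filters are evaluated before policies, so render them first."""
    zones = config.get("zone", {})
    return [line for rule in config.get("filter", []) + config.get("policy", [])
            for line in render(rule, zones)]


def open_to_everyone(config):
    """Accept rules that reach the firewall from any zone on any port."""
    return [r for r in config.get("filter", []) + config.get("policy", [])
            if r.get("action") == "accept" and r.get("out") == FW
            and "in" not in r and "service" not in r]


ZONES = {"admin": {"iface": "eth0"}, "wan": {"iface": "eth1"}}  # assumed

# What the thread tried: accept everything *to* the firewall.
BROKEN_BASE = {"zone": ZONES, "policy": [{"out": FW, "action": "accept"}]}

# Corrected: accept what the firewall *sends*, reject what reaches it unless a
# filter (the admin SSH rule below) allows it.
FIXED_BASE = {"zone": ZONES, "policy": [{"in": FW, "action": "accept"},
                                        {"out": FW, "action": "reject"}]}
ADMIN = {"filter": [{"in": "admin", "out": FW, "service": "ssh",
                     "action": "accept"}]}

if __name__ == "__main__":
    print("# broken base + admin renders to:")
    print("\n".join(render_config(merge(BROKEN_BASE, ADMIN))))
    print("# open to everyone:", open_to_everyone(BROKEN_BASE))
    print("\n# corrected base.json:")
    print(json.dumps(FIXED_BASE, indent=2))
    print("# renders to:")
    print("\n".join(render_config(merge(FIXED_BASE, ADMIN))))
```

With the broken base the policy renders as "-A INPUT -j ACCEPT", which has no -i, -p or --dport match and is exactly the "ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0" line the question reports; the admin SSH filter above it is then pointless. With the corrected base, SSH from eth0 is the only accept in INPUT, the host's own outbound traffic is accepted in OUTPUT, and everything else addressed to the host is rejected.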
Received on Tue May 08 2018 - 15:55:36 GMT