From: Jeff Bilyk
Date: Tue, 8 May 2018 15:55:36 -0400
Subject: Re: [alpine-user] Awall _fw Zone
To: Gareth Williams
Cc: alpine-user@lists.alpinelinux.org

On Tue, May 8, 2018 at 3:48 PM, Gareth Williams wrote:
> Good evening,
>
> I'm trying awall for the first time on an Alpine box I'm in the process of
> building for use as a firewall/router.
>
> I have one admin interface, on which I want to allow SSH access to this
> Alpine box while blocking it on all other interfaces. I also want the box
> to be able to connect to the Internet for apk etc.
>
> I've noticed that if I place the following in the Base zone and policy
> file:
>
>     { "in" : "_fw", "action": "reject" },
>
> it blocks access to the Alpine box as expected. When I then add an SSH
> service in /etc/awall/optional/admin.json, I can access the box from the
> required interface. So far, so good. I can SSH into the device from the
> admin network, while it blocks for all other networks.
>
> The problem comes when I add:
>
>     { "out" : "_fw", "action": "accept" },

This should be "in": "_fw". In other words, the input is the firewall
itself, egressing out another interface.

> to the Base zone and policy file, which I believe I need to do to allow
> outbound network access.
>
> Unfortunately, this allows anyone to SSH into the box from anywhere. I
> also noticed that it adds the following to the INPUT chain:
>
>     target     prot opt in     out     source               destination
>     ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
>
> which, with my limited iptables understanding, says that the firewall will
> accept anything to any service running on the device. As far as I can see,
> these are the only changes that are applied (at least to the INPUT, OUTPUT
> and FORWARD chains).
>
> My understanding of the _fw zone is that it should refer to any traffic
> emanating from the firewall, but that doesn't seem to be the case. Am I
> missing something here?

_fw refers to the firewall itself. If the traffic is "out": "_fw", then it
is traffic that is sent to the firewall (as opposed to forwarding through
the firewall, or originating from the firewall).

> Any advice would be appreciated.
>
> Kind regards,
>
> Gareth Williams

--
Jeff
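As an added example (not code from the thread, from Gareth or Jeff, or from awall itself), the following Python check encodes the _fw semantics Jeff describes and flags the policy that produced the wide-open INPUT rule. The zone names ADMIN/WAN and the interfaces eth0/eth1 are constructed; the policy contents mirror Gareth's base file, and the rule-to-chain mapping is an assumption derived from the thread.

```python
import json

# Constructed sample: the base zone/policy file as described in the thread.
# "out": "_fw" with no "in" accepts everything addressed to the firewall
# itself, which is the INPUT 'ACCEPT all -- * *' rule that exposed SSH.
BROKEN_BASE = json.loads("""{
  "zone": { "ADMIN": { "iface": "eth0" }, "WAN": { "iface": "eth1" } },
  "policy": [
    { "in": "_fw", "action": "reject" },
    { "out": "_fw", "action": "accept" }
  ]
}""")

# Corrected version: traffic the firewall originates is "in": "_fw";
# inbound to the firewall stays rejected by policy, and SSH from the
# admin zone is granted by a specific filter rule instead.
FIXED_BASE = json.loads("""{
  "zone": { "ADMIN": { "iface": "eth0" }, "WAN": { "iface": "eth1" } },
  "policy": [
    { "in": "_fw", "action": "accept" },
    { "out": "_fw", "action": "reject" }
  ],
  "filter": [
    { "in": "ADMIN", "out": "_fw", "service": "ssh", "action": "accept" }
  ]
}""")


def chain_for(rule):
    """Map an awall rule to the iptables chain it lands in (assumption
    derived from the thread: "_fw" is the firewall itself, so "in": "_fw"
    is traffic it originates (OUTPUT), "out": "_fw" is traffic addressed
    to it (INPUT), and anything else is forwarded between zones)."""
    if rule.get("in") == "_fw":
        return "OUTPUT"
    if rule.get("out") == "_fw":
        return "INPUT"
    return "FORWARD"


def open_input_policies(doc):
    """Policies that accept traffic into the firewall from any zone."""
    return [p for p in doc.get("policy", [])
            if chain_for(p) == "INPUT"
            and p.get("action") == "accept"
            and "in" not in p]
```

Running `open_input_policies` over a base file before `awall activate` catches the "out": "_fw" accept policy; the corrected file yields no findings.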