Good evening,
I'm trying awall for the first time on an Alpine box I'm in the process
of building for use as a firewall/router.
I have one admin interface, on which I want to allow SSH access
to this Alpine box while blocking it on all other interfaces. I also
want the box to be able to connect to the Internet for apk etc.
I've noticed that if I place the following in the Base zone and policy file:
{ "in" : "_fw", "action": "reject" },
it blocks access to the Alpine box as expected. I then add an SSH
service in /etc/awall/optional/admin.json and I can access the box from the
required interface. So far, so good. I can SSH into the device from
the admin network, while it blocks for all other networks.
The problem comes when I add:
{ "out" : "_fw", "action": "accept" },
to the Base zone and policy file, which I believe I need to do to allow
outbound network access.
Unfortunately, this allows anyone to SSH into the box from anywhere. I
also noticed that it adds the following to the INPUT chain:
target prot opt in out source destination
ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
which with my limited iptables understanding, says that the firewall
will accept anything to any service running on the device. As far as I
can see, these are the only changes that are applied (at least to the
INPUT, OUTPUT and FORWARD chains).
My understanding of the _fw zone is that it should refer to any traffic
emanating from the firewall, but that doesn't seem to be the case. Am I
missing something here?
Any advice would be appreciated.
Kind regards,
Gareth Williams
---
This email has been checked for viruses by Avast antivirus software.
https://www.avast.com/antivirus
---
Unsubscribe: alpine-user+unsubscribe@lists.alpinelinux.org
Help: alpine-user+help@lists.alpinelinux.org
---
On Tue, May 8, 2018 at 3:48 PM, Gareth Williams <gareth@garethwilliams.me.uk> wrote:
> Good evening,
>
> I'm trying awall for the first time on an Alpine box I'm in the process of
> building for use as a firewall/router.
>
> I have one admin interface, on which I want to allow SSH access
> to this Alpine box while blocking it on all other interfaces. I also want
> the box to be able to connect to the Internet for apk etc.
>
> I've noticed that if I place the following in the Base zone and policy
> file:
>
> { "in" : "_fw", "action": "reject" },
>
> it blocks access to the Alpine box as expected. I then add an SSH service
> in /etc/awall/optional/admin.json and I can access the box from the required
> interface. So far, so good. I can SSH into the device from the admin
> network, while it blocks for all other networks.
>
> The problem comes when I add:
>
> { "out" : "_fw", "action": "accept" },
>
This should be "in": "_fw". In other words, the input is the firewall
itself, egressing out another interface.
> to the Base zone and policy file, which I believe I need to do to allow
> outbound network access.
>
> Unfortunately, this allows anyone to SSH into the box from anywhere. I
> also noticed that it adds the following to the INPUT chain:
>
> target prot opt in out source destination
> ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
>
> which with my limited iptables understanding, says that the firewall will
> accept anything to any service running on the device. As far as I can see,
> these are the only changes that are applied (at least to the INPUT, OUTPUT
> and FORWARD chains).
>
> My understanding of the _fw zone is that it should refer to any traffic
> emanating from the firewall, but that doesn't seem to be the case. Am I
> missing something here?
>
_fw refers to the firewall itself. If the traffic is "out": "_fw", then it
is traffic that is sent to the firewall (as opposed to forwarding through
the firewall, or originating from the firewall).
>
> Any advice would be appreciated.
>
> Kind regards,
>
> Gareth Williams
>
--
Jeff
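The base zone and policy file as Jeff's reply describes it, added here as an example that is not part of the thread: the host's own outbound traffic is matched by `"in": "_fw"` (accept), while traffic addressed to the host is `"out": "_fw"` (reject), and the SSH exception from the admin zone is a filter rule, which awall evaluates before the policies. The interface names eth0/eth1, the zone names, and the path /etc/awall/optional/base.json are assumptions; Gareth's separate admin.json rule is folded into the same file for brevity.

```json
{
  "description": "Base zones and policies. The earlier mistake was writing the accept rule as 'out': '_fw', which accepts everything sent TO the firewall host.",

  "zone": {
    "admin": { "iface": "eth0" },
    "wan":   { "iface": "eth1" }
  },

  "policy": [
    { "in":  "_fw", "action": "accept" },
    { "out": "_fw", "action": "reject" }
  ],

  "filter": [
    { "in": "admin", "out": "_fw", "service": "ssh", "action": "accept" }
  ]
}
```

After `awall enable base` and `awall activate`, the INPUT chain should no longer carry the unconditional ACCEPT line from the thread; only the admin interface's SSH rule precedes the reject.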