Hi,
after some intensive hours of dealing with switching an important system to firewalld (v0.7.3) running on openSUSE 15.1, may I gently ask for some clarification.
I have to pass VoIP to an Asterisk PBX through the firewall:
    # empty and completely unrelated values removed
    $ firewall-cmd --info-zone external
    external (active)
      target: default
      icmp-block-inversion: no
      interfaces: eth1
      services: dns http https ssh
      masquerade: yes
      forward-ports: port=15060:proto=udp:toport=15060:toaddr=192.168.2.2
            port=10000-10099:proto=udp:toport=10000-10099:toaddr=192.168.2.2
      icmp-blocks: *almost all*
      rich rules:
            rule family="ipv4" source address="213.167.161.0/26" destination address="192.168.2.2/32" port port="15060" protocol="udp" accept
            rule family="ipv4" source address="213.167.162.0/26" destination address="192.168.2.2/32" port port="15060" protocol="udp" accept
Due to continuous attacks on the VoIP infrastructure, I'm using a non-standard SIP port here and try to block all accesses that didn't derive from my provider. If forward ports and rich rules are combined, is the rich rule effective before forwarding (using the iptables backend)? Given it is, would this hold true with the nftables backend as well?
Thanks, Pete
On Tue, Mar 10, 2020 at 10:59:34PM +0100, Hans-Peter Jansen wrote:
> [...]
>
> Due to continuous attacks on the VoIP infrastructure, I'm using a non-standard SIP port here and try to block all accesses that didn't derive from my provider. If forward ports and rich rules are combined, is the rich rule effective before forwarding (using the iptables backend)? Given it is, would this hold true with the nftables backend as well?
Rules to perform forward-port (DNAT) occur in the NAT table, nat_PRE_external_allow, before filtering. After NAT occurs, the packet hits the filter_INPUT table and is accepted by the following rule:
    chain filter_INPUT {
        [..]
        ct status dnat accept
        [..]
        jump filter_INPUT_ZONES
    }
Note that "ct status dnat accept" causes the packet to be accepted _before_ regular zone filtering.
The solution is to remove the forward-port at the zone level and use a rich rule. However your situation is a bit more difficult since you're omitting multiple subnets so you need to use an ipset. e.g.
    firewall-cmd --permanent --new-ipset do_not_dnat --type=hash:net
    firewall-cmd --permanent --ipset do_not_dnat --add-entry=213.167.161.0/26
    firewall-cmd --permanent --ipset do_not_dnat --add-entry=213.167.162.0/26

    firewall-cmd --permanent --zone external --add-rich-rule='rule family=ipv4 source not ipset="do_not_dnat" forward-port port=15060 protocol=udp to-port=15060 to-addr=192.168.2.2'
Hope that helps. Eric.
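The chain order Eric describes, written out as a small executable model. This is an added example, not code from the thread or from firewalld itself: it reproduces only the ordering that matters here (the forward-port DNAT in nat_PRE_external_allow runs first, then the filter chain hits "ct status dnat accept" before jumping to the zone chains that hold the 'accept' rich rules), using the ipset name and provider subnets from the thread. The WAN address 203.0.113.10 and the attacker address 198.51.100.7 are constructed, and the evaluator is a model of the rule order, not a parser of real nft output. It also shows the polarity of `source not ipset`: that form forwards every source except the set's members, so for the goal stated in the thread (forward only the provider) the `not` has to be dropped.

```python
"""Model of firewalld's nftables chain order for a forward-port (added example)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# The ipset from the thread (hash:net with the two provider subnets).
IPSETS = {
    "do_not_dnat": [ipaddress.ip_network(n) for n in
                    ("213.167.161.0/26", "213.167.162.0/26")],
}
WAN_ADDR = "203.0.113.10"   # assumed eth1 address (documentation range)
PBX_ADDR = "192.168.2.2"    # the Asterisk host from the thread


@dataclass(frozen=True)
class Packet:
    saddr: str
    daddr: str
    proto: str
    dport: int
    dnat: bool = False      # conntrack "ct status dnat" after PREROUTING


def in_ipset(name: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in IPSETS[name])


@dataclass(frozen=True)
class ForwardPort:
    """One entry of nat_PRE_external_allow: a zone forward-port or a rich rule."""
    port: int
    proto: str
    toaddr: str
    toport: int
    source_ipset: Optional[str] = None   # None: zone-level forward-port, no source match
    invert: bool = False                 # rich rule 'source not ipset=...'

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto or p.dport != self.port:
            return False
        if self.source_ipset is None:
            return True
        return in_ipset(self.source_ipset, p.saddr) != self.invert


@dataclass(frozen=True)
class RichAccept:
    """rule family=ipv4 source address=... destination address=... port ... accept"""
    source: str
    dest: str
    proto: str
    port: int

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.saddr) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(p.daddr) in ipaddress.ip_network(self.dest)
                and p.proto == self.proto and p.dport == self.port)


def nat_prerouting(p: Packet, forward_ports) -> Packet:
    """nat_PRE_external_allow: the first matching forward-port rewrites the destination."""
    for fp in forward_ports:
        if fp.matches(p):
            return replace(p, daddr=fp.toaddr, dport=fp.toport, dnat=True)
    return p


def filter_chain(p: Packet, rich_accepts) -> str:
    """filter_INPUT / filter_FORWARD with the zone target 'default'."""
    if p.dnat:
        return "accept:ct-status-dnat"   # zone chains are never consulted
    for r in rich_accepts:               # filter_IN_external_allow
        if r.matches(p):
            return "accept:rich-rule"
    return "reject"                      # nothing else in the zone matches udp/15060


def verdict(p: Packet, forward_ports, rich_accepts) -> str:
    return filter_chain(nat_prerouting(p, forward_ports), rich_accepts)


# The three configurations discussed: Pete's zone forward-port, the rich rule
# with 'source not ipset', and the same rich rule without the 'not'.
RICH_ACCEPTS = [RichAccept("213.167.161.0/26", "192.168.2.2/32", "udp", 15060),
                RichAccept("213.167.162.0/26", "192.168.2.2/32", "udp", 15060)]
ZONE_FORWARD_PORT = [ForwardPort(15060, "udp", PBX_ADDR, 15060)]
RICH_NOT_IPSET = [ForwardPort(15060, "udp", PBX_ADDR, 15060, "do_not_dnat", invert=True)]
RICH_IPSET = [ForwardPort(15060, "udp", PBX_ADDR, 15060, "do_not_dnat", invert=False)]

PROVIDER = Packet("213.167.161.5", WAN_ADDR, "udp", 15060)   # constructed sample
ATTACKER = Packet("198.51.100.7", WAN_ADDR, "udp", 15060)    # constructed sample


def run(config) -> dict:
    return {name: verdict(p, config, RICH_ACCEPTS)
            for name, p in (("provider", PROVIDER), ("attacker", ATTACKER))}


if __name__ == "__main__":
    for label, cfg in (("zone forward-port", ZONE_FORWARD_PORT),
                       ("rich rule, source not ipset", RICH_NOT_IPSET),
                       ("rich rule, source ipset", RICH_IPSET)):
        print(f"{label:28s} {run(cfg)}")
```

With the zone-level forward-port both sources are accepted via "ct status dnat", and the two 'accept' rich rules never match anything in any of the three configurations (their destination 192.168.2.2 only exists after DNAT, and DNAT'd packets are accepted before the zone chains), so they can be dropped once the forward-port rich rule is in place. On a real host, check the result with `firewall-cmd --zone=external --list-forward-ports` (empty after the zone-level entry is removed), `firewall-cmd --zone=external --list-rich-rules`, and `nft list ruleset`, where the rich rule appears in nat_PRE_external_allow as a dnat rule that references the set.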
Dear Eric,
On Wednesday, 11 March 2020, 13:28:45 CET, Eric Garver wrote:
> On Tue, Mar 10, 2020 at 10:59:34PM +0100, Hans-Peter Jansen wrote:
> > [...]
> Rules to perform forward-port (DNAT) occur in the NAT table, nat_PRE_external_allow, before filtering. After NAT occurs, the packet hits the filter_INPUT table and is accepted by the following rule:
>
>     chain filter_INPUT {
>         [..]
>         ct status dnat accept
>         [..]
>         jump filter_INPUT_ZONES
>     }
>
> Note that "ct status dnat accept" causes the packet to be accepted _before_ regular zone filtering.
>
> The solution is to remove the forward-port at the zone level and use a rich rule. However your situation is a bit more difficult since you're omitting multiple subnets so you need to use an ipset. e.g.
>
>     firewall-cmd --permanent --new-ipset do_not_dnat --type=hash:net
>     firewall-cmd --permanent --ipset do_not_dnat --add-entry=213.167.161.0/26
>     firewall-cmd --permanent --ipset do_not_dnat --add-entry=213.167.162.0/26
>
>     firewall-cmd --permanent --zone external --add-rich-rule='rule family=ipv4 source not ipset="do_not_dnat" forward-port port=15060 protocol=udp to-port=15060 to-addr=192.168.2.2'
Thank you for the detailed answer.
I don't know how long it would have taken me to come up with this solution!
> Hope that helps.
Yes, very helpful and much appreciated.
Cheers, Pete
firewalld-users@lists.stg.fedorahosted.org