Override default firewall policies

NethServer Version: 7.9.2009
Module: Firewall

I am struggling to understand how I can use firewall rules to override the built in policies listed in the top right corner of the rules page.

I am trying to allow some specific traffic from one zone (green) to another zone (aqua) by using a firewall rule; however, it seems not to be working. Checking the logs or a simple dmesg output shows the firewall still blocking packets.

Are there some other tricks required to get the firewall rules to overrule the policies?

I may have figured out why the rules are not working. It looks like rules that are added via the web interface are in an invalid shorewall format.

?COMMENT RULE#1 LAN to Aqua net
{source:loc, proto:tcp, dest:net:, time:-, action:ACCEPT:none, dport:80}

Looking over the shorewall manual for rules seems to indicate this is not valid syntax for adding rules; looking lower in the file, the port forwarding rules look completely different and do work.

PF &ppp0:81 ->

?COMMENT web from net
DNAT:none net loc: tcp 81 - &ppp0
?COMMENT web from loc
DNAT:none loc loc: tcp 81 - &ppp0
?COMMENT web from blue
DNAT:none blue loc: tcp 81 - &ppp0

I don't know anything about shorewall or what custom things may have been added to it, but just looking over the man page seems to indicate this is not right.

I am not sure how to get this to work; just by looking at the shorewall config, I think the Perl module that writes to the config needs to get reworked to output the correct format. I went on GitHub and it looks like the code for this has not changed since 2016, so I would assume I am not the first one to notice that it outputs incorrect config data to shorewall.

Just create the rules from the UI. Rules are evaluated from top to bottom, and policies are just like rules at the very bottom.

That syntax is correct; you can also try with shorewall check.
Take a look at https://shorewall.org/configuration_file_basics.htm#Pairs

Interesting, I wonder if there is some switch that needs to be passed for shorewall to use that format. When I issue shorewall show, I don't see my rule in the list of compiled firewall rules.

So I have done more digging and it for sure looks like shorewall is ignoring the rules I put into the web UI, or perhaps I am just using it wrong?
Below is a screenshot of the rule I created on the web and what the rule looks like in the shorewall rules file.

This next image is what the current iptables dump looks like with the above config.

Shorewall does rule optimization, so your rule could be merged with others.
Still, with your grep command I think you should see it.

Assuming that 192.168.0.x is your green and 172.28.45.x is your aqua (docker zone), I see a couple of errors in the rules:

  • the green is already available from the UI, just search green and do not use the CIDR, otherwise enter the right address
  • the same should be done for the aqua zone, but it also seems that the docker CIDR should be marked with the aqua zone and not net inside the shorewall file

For the last part, I guess there is no integration between docker and shorewall.
But since that package is a community one, we had better ask @mrmarkuz or @stephdl
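To tie the three points above together (the pairs syntax being valid, rules being evaluated top to bottom with policies at the very bottom, and a rule that names the wrong zone for a CIDR never matching), here is an added example that is not NethServer or Shorewall code. It parses rules in both the columnar layout and the column/value pairs layout the web UI writes, checks each address qualifier against a zone table, and walks the rules to the policy the way Shorewall does. The zone table, the policy table and the CIDR-qualified rule are constructed for the example (NethServer maps green to Shorewall's `loc`; the policies are not NethServer's actual defaults); the column list is Shorewall's standard rules-file column order, and accepting `=` as well as `:` between a column name and its value follows the Shorewall pairs documentation.

```python
"""Normalise Shorewall rules (columnar and pairs layouts), flag zone/address
mismatches, and resolve the effective action for a zone pair. Added example,
not Shorewall or NethServer code; all data below is constructed."""
import ipaddress
import re

# Shorewall rules-file columns, in file order.
COLUMNS = ["action", "source", "dest", "proto", "dport", "sport", "origdest",
           "rate", "user", "mark", "connlimit", "time", "headers", "switch", "helper"]

# Constructed zone table: green is Shorewall's "loc"; the ranges mirror the thread.
ZONES = {"loc": ["192.168.0.0/24"], "aqua": ["172.28.45.0/24"]}
# Constructed policy table (SOURCE, DEST, POLICY), not NethServer's real defaults.
POLICIES = [("loc", "net", "ACCEPT"), ("loc", "aqua", "REJECT"), ("all", "all", "REJECT")]
# Constructed rule in the UI's pairs layout, with the CIDRs the reply mentions.
UI_RULE = ("{source:loc:192.168.0.0/24, proto:tcp, dest:net:172.28.45.0/24, "
           "time:-, action:ACCEPT:none, dport:80}")
# The same intent written against the right zone, in columnar layout.
FIXED_RULE = "ACCEPT loc aqua tcp 80"


def parse_rule(line):
    """Return {column: value} for one rule line, or None for blank lines,
    '#' comments and '?' compiler directives such as ?COMMENT."""
    line = line.strip()
    if not line or line[0] in "#?":
        return None
    rule = dict.fromkeys(COLUMNS, "")
    if line.startswith("{") and line.endswith("}"):
        # Pairs layout: split on the first ':' or '=' only, so values such as
        # ACCEPT:none or net: keep their own colons.
        for pair in line[1:-1].split(","):
            parts = re.split(r"[:=]", pair.strip(), maxsplit=1)
            if len(parts) != 2:
                raise ValueError(f"malformed pair: {pair!r}")
            rule[parts[0].strip().lower()] = parts[1].strip()
    else:
        # Columnar layout: whitespace-separated values in COLUMNS order.
        for key, value in zip(COLUMNS, line.split()):
            rule[key] = value
    # '-' is Shorewall's explicit "empty column".
    return {k: ("" if v == "-" else v) for k, v in rule.items()}


def zone_and_hosts(column_value):
    """Split 'zone:host[,host]' into (zone, [hosts]); '$FW' or a bare zone has no hosts."""
    zone, _, hosts = column_value.partition(":")
    return zone, [h for h in hosts.split(",") if h]


def zone_for_address(addr, zones):
    """Name of the zone whose network contains addr (host or CIDR), or None."""
    ip = ipaddress.ip_network(addr, strict=False)
    for name, nets in zones.items():
        for n in nets:
            net = ipaddress.ip_network(n)
            if net.version == ip.version and ip.subnet_of(net):
                return name
    return None


def zone_mismatches(rule, zones):
    """Report SOURCE/DEST qualifiers that live in a different zone than the
    column names, e.g. dest:net:172.28.45.0/24 when that network is aqua."""
    problems = []
    for column in ("source", "dest"):
        zone, hosts = zone_and_hosts(rule[column])
        for host in hosts:
            actual = zone_for_address(host, zones)
            if actual and actual != zone:
                problems.append(f"{column}: {host} is in zone {actual!r}, rule says {zone!r}")
    return problems


def effective_action(rules, policies, src_zone, dst_zone, proto, dport):
    """First matching rule wins; otherwise the zone-pair policy applies,
    i.e. policies behave like rules appended at the very bottom."""
    for rule in rules:
        rsrc, _ = zone_and_hosts(rule["source"])
        rdst, _ = zone_and_hosts(rule["dest"])
        if rsrc not in (src_zone, "all") or rdst not in (dst_zone, "all"):
            continue
        if rule["proto"] and rule["proto"] != proto:
            continue
        if rule["dport"] and str(dport) not in rule["dport"].split(","):
            continue
        return rule["action"].split(":")[0]  # strip a :loglevel suffix
    for psrc, pdst, policy in policies:
        if psrc in (src_zone, "all") and pdst in (dst_zone, "all"):
            return policy
    return "DROP"


if __name__ == "__main__":
    ui = parse_rule(UI_RULE)
    print("mismatches:", zone_mismatches(ui, ZONES))
    print("UI rule, loc->aqua tcp/80:", effective_action([ui], POLICIES, "loc", "aqua", "tcp", 80))
    print("fixed rule, loc->aqua tcp/80:",
          effective_action([parse_rule(FIXED_RULE)], POLICIES, "loc", "aqua", "tcp", 80))
```

Run as a script it shows the point of the thread: the UI rule parses fine (so the pairs syntax is not the problem), but because its DEST column says `net` for an aqua network it never matches green-to-aqua traffic and the lookup falls through to the policy, while the rule written against `aqua` is matched first.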

Yes, of course we have integrated docker and shorewall, thanks to @davidep

# 65aqua Accept ping from aqua

Ping/ACCEPT    aqua            $FW

# 65aqua -- Rules for Docker containers

ACCEPT  aqua    $FW     tcp     3306

Obviously we accept only connections coming from the firewall (localhost of the server); this is a feature. If you read the documentation, with a prop you can open other services running on the firewall.

If you want to be reachable by the local network, use an aeria or macvlan network