We are trying to specifically allow only certain traffic from our forward-internal-inline-if interface, and have edited our iptables.conf accordingly:

root@packetfence:/usr/local/pf# iptables -L forward-internal-inline-if -n 
Chain forward-internal-inline-if (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --            tcp dpt:8331
11   ACCEPT     tcp  --            tcp dpt:443
12   ACCEPT     udp  --            udp dpt:53
13   ACCEPT     all  --              mark match 0x1
14   DROP       all  --  

However, after loading these rules (pfcmd service iptables restart) we could still access everything. This is probably because of rule #13, which presumably was added by PacketFence itself (at least, we think we did not add it...).

So we simply deleted rule #13, and our own final DROP line kicked in. Firewalling works now, but we are not sure if it was smart to kick out rule #13 with the ACCEPT for mark match 0x1.

Can anyone tell us the negative side effects (if any) from simply deleting rule #13?
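The ordering problem described above (a blanket ACCEPT for marked packets placed ahead of a DROP, so the DROP never sees marked traffic) can be audited before deciding to delete anything. The script below is an added example written for this thread; it is not from the poster or from PacketFence. It parses the format printed by `iptables -L <chain> -n --line-numbers`, points out which rules sit behind the mark-match ACCEPT, and prints (rather than runs) an `iptables -I ... -j LOG` command that would record which traffic currently relies on that rule. The listing inside it is constructed: it mirrors the chain in the post but fills in the source/destination columns with `0.0.0.0/0`, and the chain name and mark value `0x1` are taken from the post. That mark `0x1` marks traffic from devices PacketFence has registered is an assumption here, not something the post states.

```shell
#!/bin/sh
# Added example (not PacketFence code): audit an iptables chain listing for a
# blanket mark-match ACCEPT that pre-empts later rules, and emit (not run) the
# command to log what that rule currently lets through.
# Input format: output of `iptables -L <chain> -n --line-numbers`.

# Constructed sample listing modelled on the chain in the post; the
# source/destination columns are filled in with 0.0.0.0/0 as iptables prints them.
SAMPLE_LISTING='Chain forward-internal-inline-if (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8331
2    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
3    ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53
4    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x1
5    DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Rule number of the first "ACCEPT all ... mark match" rule, or empty if none.
first_mark_accept() {
    printf '%s\n' "$1" | awk '$2 == "ACCEPT" && $3 == "all" && /mark match/ { print $1; exit }'
}

# Mark value that rule matches (last field of its line), e.g. 0x1.
mark_value() {
    printf '%s\n' "$1" | awk '$2 == "ACCEPT" && $3 == "all" && /mark match/ { print $NF; exit }'
}

# Rule numbers after that ACCEPT. iptables is first-match, so packets carrying
# the mark are accepted at that rule and never evaluated against these.
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        found && $1 ~ /^[0-9]+$/ { print $1 }
        $2 == "ACCEPT" && $3 == "all" && /mark match/ { found = 1 }'
}

# Target (ACCEPT, DROP, ...) of rule number $2 in listing $1.
rule_target() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $2; exit }'
}

# Command that inserts a LOG rule at the mark rule's position, so marked
# packets are logged first and then still hit the ACCEPT: policy is unchanged,
# but the log shows which hosts/flows depend on that rule. Printed for review.
log_before_rule() {
    chain=$1; pos=$2; mark=$3
    printf 'iptables -I %s %s -m mark --mark %s -j LOG --log-prefix "pf-mark-accept: "\n' \
        "$chain" "$pos" "$mark"
}

# Human-readable audit of one chain listing.
audit_chain() {
    listing=$1; chain=$2
    pos=$(first_mark_accept "$listing")
    if [ -z "$pos" ]; then
        echo "no blanket mark-match ACCEPT in $chain"
        return 0
    fi
    mark=$(mark_value "$listing")
    echo "rule $pos accepts every packet with mark $mark; later rules never see that traffic:"
    for r in $(shadowed_rules "$listing"); do
        echo "  rule $r ($(rule_target "$listing" "$r")) is dead for marked packets"
    done
    echo "to learn what relies on rule $pos before removing it, run:"
    log_before_rule "$chain" "$pos" "$mark"
}

audit_chain "$SAMPLE_LISTING" forward-internal-inline-if
```

Run it against a saved listing of your own chain (replace `SAMPLE_LISTING` with the real output) and watch the kernel log for the `pf-mark-accept:` prefix for a while; the entries tell you which traffic the removed rule was admitting, which is the information needed to judge the side effects of taking it out.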
