Hi,

We are trying to specifically allow only certain traffic from our forward-internal-inline-if interface, and have edited our iptables.conf accordingly:


root@packetfence:/usr/local/pf# iptables -L forward-internal-inline-if -n --line-numbers
Chain forward-internal-inline-if (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  10.19.0.0/16         0.0.0.0/0            tcp dpt:8331
.....
11   ACCEPT     tcp  --  10.19.0.0/16         0.0.0.0/0            tcp dpt:443
12   ACCEPT     udp  --  10.19.0.0/16         0.0.0.0/0            udp dpt:53
13   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x1
14   DROP       all  --  0.0.0.0/0            0.0.0.0/0
root@packetfence:/usr/local/pf#

However, after loading these rules (pfcmd service iptables restart) we could still access everything. This is probably because of rule #13, which presumably was added by packetfence itself. (at least: we think we did not add it...)

So we simply deleted rule #13, and our own final DROP line kicked in. Firewalling works now, but we are not sure if it was smart to kick out rule #13 with the ACCEPT for mark match 0x1.

Can anyone tell us the negative side effects (if any) from simply deleting rule #13?

MJ
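An added audit helper, not from the post above and not part of PacketFence, that reads an `iptables -L <chain> -n --line-numbers` listing and reports every ACCEPT that matches any protocol, any source and any destination (at most a packet-mark condition) and sits above the chain's first catch-all DROP. That is the shape of rule 13: any packet carrying the mark is accepted before the port-specific rules and the DROP can matter. The sample listing is constructed from the post, with the elided rules 2 to 10 left out.

```shell
#!/bin/sh
# Constructed sample: the chain listing from the post, rejoined onto single
# lines. Rules 2 to 10 (shown as "....." in the post) are omitted.
SAMPLE_CHAIN='Chain forward-internal-inline-if (1 references)
num  target     prot opt source               destination
1    ACCEPT     tcp  --  10.19.0.0/16         0.0.0.0/0            tcp dpt:8331
11   ACCEPT     tcp  --  10.19.0.0/16         0.0.0.0/0            tcp dpt:443
12   ACCEPT     udp  --  10.19.0.0/16         0.0.0.0/0            udp dpt:53
13   ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            mark match 0x1
14   DROP       all  --  0.0.0.0/0            0.0.0.0/0'

# Read a chain listing on stdin and print, one per line, "<rule num><TAB><condition>"
# for each ACCEPT rule that matches all protocols, sources and destinations and
# appears before the first catch-all DROP. Such a rule lets every packet that
# satisfies its remaining condition (here the mark) skip the DROP entirely.
# Columns with -n --line-numbers are: num target prot opt source destination [match...]
shadowing_accepts() {
    awk '
        /^Chain/ || /^num/ { next }            # skip the two header lines
        $2 == "DROP" && $3 == "all" && $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" { exit }
        $2 == "ACCEPT" && $3 == "all" && $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" {
            cond = ""
            for (i = 7; i <= NF; i++) cond = cond (i > 7 ? " " : "") $i
            label = (cond == "") ? "(unconditional)" : cond
            print $1 "\t" label
        }
    '
}

# Stand-alone run on the constructed sample; on a live box you would pipe
# "iptables -L forward-internal-inline-if -n --line-numbers" into the function.
printf '%s\n' "$SAMPLE_CHAIN" | shadowing_accepts
```

Output for the sample is a single line naming rule 13 with its `mark match 0x1` condition; a listing where the only broad ACCEPT comes after the DROP, or where none exists, prints nothing.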

_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users