
[firewall4] ruleset: unconditionally allow DNAT traffic

Message ID 20230309234906.3651665-1-stijn@linux-ipv6.be
State Handled Elsewhere, archived
Delegated to: Stijn Tintel

Commit Message

Stijn Tintel March 9, 2023, 11:49 p.m. UTC
We currently only accept DNAT traffic if there is at least one DNAT rule
configured in UCI. This leads to a problem for people who want to use
UPnP and do not have any DNAT rules configured. In this case, the UPnP
daemon sets up the DNAT rules, but the traffic is not allowed in the
input or forward chain, so the DNAT rules do not work.

Solve this by unconditionally allowing packets with the dnat conntrack
status. One could argue that this makes firewall4 less secure, but for a
packet to have the dnat conntrack status, it must have already matched a
DNAT rule. If there are no DNAT rules, no packets should ever have this
status.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
---
 root/usr/share/firewall4/templates/ruleset.uc | 4 ----
 1 file changed, 4 deletions(-)
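The commit message relies on the fact that a connection only carries the `dnat` conntrack status after a DNAT rule has actually been applied to it. The following minimal nftables ruleset is an added illustration of that mechanism, not part of the firewall4 patch or project; the interface name, addresses and ports are constructed for the example:

```nft
# Added example, not firewall4 code. Load with: nft -f <this file> (root required);
# remove again with: nft delete table inet demo
table inet demo {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		# Constructed redirect. A connection gets the "dnat" conntrack status
		# (IPS_DST_NAT on its conntrack entry) only by matching a DNAT rule
		# such as this one; the status is per connection, so a DNAT applied
		# by any table on the host (e.g. one miniupnpd installs) counts too.
		iifname "wan0" tcp dport 8080 dnat ip to 192.0.2.10:80
	}

	chain forward {
		type filter hook forward priority filter; policy drop;
		ct state established,related accept
		# Same rule the patch makes unconditional in fw4: it matches only
		# connections that already passed a DNAT rule. With no DNAT rule
		# loaded, no new connection can ever match it and the chain's
		# drop policy applies to all new forwarded traffic.
		ct status dnat accept comment "accept DNATed connections"
	}
}
```

To see the point of the commit message, comment out the `dnat ip to` line and reload the table: the `ct status dnat accept` rule is still present but never matches, because nothing on the host sets the dnat status any more.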

Comments

Stijn Tintel March 10, 2023, 12:33 a.m. UTC | #1
On 10/03/2023 01:49, stijn@linux-ipv6.be wrote:
> We currently only accept DNAT traffic if there is at least one DNAT rule
> configured in UCI. This leads to a problem for people who want to use
> UPnP and do not have any DNAT rules configured. In this case, the UPnP
> daemon sets up the DNAT rules, but the traffic is not allowed in the
> input or forward chain, so the DNAT rules do not work.
>
> Solve this by unconditionally allowing packets with the dnat conntrack
> status. One could argue that this makes firewall4 less secure, but for a
> packet to have the dnat conntrack status, it must have already matched a
> DNAT rule. If there are no DNAT rules, no packets should ever have this
> status.
Please disregard, miniupnpd seems to add a forward rule, this is no longer needed.

Patch

diff --git a/root/usr/share/firewall4/templates/ruleset.uc b/root/usr/share/firewall4/templates/ruleset.uc
index 9537ba2..f57836e 100644
--- a/root/usr/share/firewall4/templates/ruleset.uc
+++ b/root/usr/share/firewall4/templates/ruleset.uc
@@ -217,9 +217,7 @@  table inet fw4 {
 {%  for (let rule in fw4.rules(`input_${zone.name}`)): %}
 		{%+ include("rule.uc", { fw4, rule }) %}
 {%  endfor %}
-{%  if (zone.dflags.dnat): %}
 		ct status dnat accept comment "!fw4: Accept port redirections"
-{%  endif %}
 {%  fw4.includes('chain-append', `input_${zone.name}`) %}
 		jump {{ zone.input }}_from_{{ zone.name }}
 	}
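Review bot: with the `{% if (zone.dflags.dnat): %}` guard removed, `ct status dnat accept` is emitted in every zone's input chain, and because it sits before the `chain-append` include and before `jump {{ zone.input }}_from_{{ zone.name }}`, a connection DNATed to the router itself by any rule on the host (miniupnpd, a manual nft rule) is accepted ahead of the zone's configured input policy and of any user include. That is the intended effect, but the commit message should say explicitly that the accept now covers DNAT from any source rather than only UCI redirects, and the rule comment "!fw4: Accept port redirections" should be widened to match. If `zone.dflags.dnat` has no remaining consumer after this change, drop the flag in the same patch.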
@@ -238,9 +236,7 @@  table inet fw4 {
 {%  for (let rule in fw4.rules(`forward_${zone.name}`)): %}
 		{%+ include("rule.uc", { fw4, rule }) %}
 {%  endfor %}
-{%  if (zone.dflags.dnat): %}
 		ct status dnat accept comment "!fw4: Accept port forwards"
-{%  endif %}
 {%  fw4.includes('chain-append', `forward_${zone.name}`) %}
 		jump {{ zone.forward }}_to_{{ zone.name }}
 {%  if (fw4.forward_policy() != "accept" && (zone.log & 1)): %}
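Review bot: as in the input chain, `ct status dnat accept` now precedes the `chain-append` include and `jump {{ zone.forward }}_to_{{ zone.name }}` in every zone, so a DNATed connection is accepted before the zone forward policy and before the logging rule guarded by `fw4.forward_policy() != "accept"` can see it. The reply in the thread notes that miniupnpd already installs its own forward rule, so either the patch should be dropped (as the author did) or the commit message should give a case that miniupnpd's rule does not cover. If kept, the rule comment "!fw4: Accept port forwards" should note that it also accepts forwards created by DNAT not configured through UCI.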