
#1 2009-06-19 01:59:48

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,222

Firewall Builder - Specify an IN *and* an OUT interface?

Hi all,

I'm playing with Firewall Builder at the moment. Normally I just write my own raw iptables rules, but Firewall Builder seems to be powerful and capable enough to maybe think about using it to abstract 1 level away from iptables.

Anyway, one thing that I can't seem to figure out is how to specify both the IN *and* the OUT interface for one rule. I normally create a new chain for each combination of interface traversals. Example:

Firewall with 3 interfaces: NET, LAN and DMZ. I normally create several chains:

- LAN to NET
- DMZ to NET
- LAN to DMZ
- NET to DMZ
- DMZ to LAN
- NET to LAN

Then call those from iptables like:

iptables -A FORWARD -i eth1 -o eth0 -j LAN_NET
iptables -A FORWARD -i eth2 -o eth0 -j DMZ_NET
iptables -A FORWARD -i eth1 -o eth2 -j LAN_DMZ

etc...

I can't figure out a way to do this in fwbuilder though. I can specify 1 interface, and whether I want to match IN, OUT or BOTH, but I can't figure out how to specify -i and -o in the one rule.

Is this possible? How? Please? :)

NB: I know I can specify a source network and then an OUT interface, but that's not really suitable for what I need. For example, some of my firewalls have a dozen or more subnets connected to them in a WAN scenario, and I'd rather have one rule to capture all that than have to keep track of the IP ranges and have to add and remove them all the time.

Last edited by fukawi2 (2009-06-19 02:00:56)


#2 2009-07-25 23:54:31

jspaces
Member
From: Canada
Registered: 2009-04-16
Posts: 21

Re: Firewall Builder - Specify an IN *and* an OUT interface?

Did you try creating an interface group?
I created a DMZ group with DMZ(eth1) and Inside(eth2) and placed it into the interface box. I changed the action from deny to accept, no other changes.
[image: testfw.png]
(If the image has been deleted please click on this link > testfw Hopefully it will have a longer shelf life.)
The compiled test.fw shows the following:

echo "Rule 0 (DMZ_Group)"
# 
$IPTABLES -A INPUT  -i eth1  -m state --state NEW  -j ACCEPT 
$IPTABLES -A INPUT  -i eth2  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -i eth1  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -i eth2  -m state --state NEW  -j ACCEPT 
$IPTABLES -A OUTPUT  -o eth1  -m state --state NEW  -j ACCEPT 
$IPTABLES -A OUTPUT  -o eth2  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -o eth1  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -o eth2  -m state --state NEW  -j ACCEPT

I believe that is what you are trying to do. Hope this helps.


Knowledge is a beam of light in which humans can only see the reflection.


#3 2009-07-26 03:37:08

fukawi2
Ex-Administratorino
From: .vic.au
Registered: 2007-09-28
Posts: 6,222

Re: Firewall Builder - Specify an IN *and* an OUT interface?

jspaces wrote:
echo "Rule 0 (DMZ_Group)"
# 
$IPTABLES -A INPUT  -i eth1  -m state --state NEW  -j ACCEPT 
$IPTABLES -A INPUT  -i eth2  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -i eth1  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -i eth2  -m state --state NEW  -j ACCEPT 
$IPTABLES -A OUTPUT  -o eth1  -m state --state NEW  -j ACCEPT 
$IPTABLES -A OUTPUT  -o eth2  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -o eth1  -m state --state NEW  -j ACCEPT 
$IPTABLES -A FORWARD  -o eth2  -m state --state NEW  -j ACCEPT

I believe that is what you are trying to do. Hope this helps.

Not quite :(

The setup you've got creates separate rules for each interface... ie, the first rule above will accept ANYTHING that comes in eth1, regardless of where it is destined. I need to have both the -i and -o in the same rule, so it will only match traffic that comes in eth1 AND out eth2, not one or the other.

Thanks for the input though -- I didn't know about interface groups, so that's handy to know :)

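The per-pair chain layout fukawi2 describes in the first post, and the difference he points out in post #3 between a rule carrying only -i and one carrying both -i and -o, as an added example that is not code from this thread or from Firewall Builder. It generates the six pair chains and their FORWARD dispatch rules (zone names and the NET=eth0, LAN=eth1, DMZ=eth2 assignment are the thread's; the allowed-pair list, the IPTABLES dry-run variable and the two verdict helpers are this example's own assumptions), and then shows which chain a forwarded packet lands in under each rule style.

```shell
#!/bin/sh
# Added example (not from the thread): one chain per IN/OUT interface pair,
# dispatched from FORWARD with BOTH -i and -o, plus a small simulation of
# why a rule with only -i (post #2's interface-group output) is broader.

# Zone -> interface mapping taken from the first post.
zone_iface() {
    case "$1" in
        NET) echo eth0 ;;
        LAN) echo eth1 ;;
        DMZ) echo eth2 ;;
        *)   return 1 ;;
    esac
}

# Allowed traversals as "IN OUT" zone pairs, one per line (assumed: the six
# pairs listed in the first post; anything not listed falls through to DROP).
PAIRS='LAN NET
DMZ NET
LAN DMZ
NET DMZ
DMZ LAN
NET LAN'

# Emit the iptables commands. By default they are printed instead of run so
# the script works without root; set IPTABLES=/sbin/iptables to apply them.
gen_forward_dispatch() {
    ipt="${IPTABLES:-echo iptables}"
    printf '%s\n' "$PAIRS" | while read -r zin zout; do
        chain="${zin}_${zout}"
        $ipt -N "$chain"
        # Matches only when the packet enters on zin's interface AND leaves
        # on zout's interface; the per-pair policy then lives in $chain.
        $ipt -A FORWARD -i "$(zone_iface "$zin")" -o "$(zone_iface "$zout")" -j "$chain"
    done
    # Traversals with no dedicated chain are dropped (assumed default).
    $ipt -A FORWARD -j DROP
}

# Which chain a forwarded packet (input iface $1, output iface $2) is sent to
# by the rules above. First matching rule wins, as iptables evaluates them.
dispatch_chain() {
    hit=$(printf '%s\n' "$PAIRS" | while read -r zin zout; do
        if [ "$(zone_iface "$zin")" = "$1" ] && [ "$(zone_iface "$zout")" = "$2" ]; then
            echo "${zin}_${zout}"
            break
        fi
    done)
    echo "${hit:-DROP}"
}

# Verdict of the FORWARD rules from post #2 (-i eth1, -i eth2, -o eth1,
# -o eth2, each on its own): a packet is accepted as soon as EITHER side
# matches, whichever interface it is heading out of. The --state NEW match
# in the original rules is left out of this simulation.
group_rules_verdict() {
    pin=$1; pout=$2
    for iface in eth1 eth2; do
        [ "$pin" = "$iface" ] && { echo ACCEPT; return 0; }
    done
    for iface in eth1 eth2; do
        [ "$pout" = "$iface" ] && { echo ACCEPT; return 0; }
    done
    echo CONTINUE   # no rule matched; evaluation goes on to later rules
}

# Stand-alone demo: print the generated rules, then compare the two styles
# for a LAN -> NET packet and for a packet entering and leaving on eth1.
gen_forward_dispatch
echo "eth1 -> eth0  pair-chains: $(dispatch_chain eth1 eth0)  group-rules: $(group_rules_verdict eth1 eth0)"
echo "eth1 -> eth1  pair-chains: $(dispatch_chain eth1 eth1)  group-rules: $(group_rules_verdict eth1 eth1)"
```

The second demo line is the point of post #3: with a dedicated LAN_NET chain the eth1 -> eth1 packet has no matching dispatch rule and falls to DROP, whereas the single-interface rules accept it because "-i eth1" alone is satisfied. Running the generated commands for real also needs a rule in each pair chain (the per-pair policy), which this example deliberately leaves to the reader since the thread does not specify it.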
