Resolved
I checked my iptables rules and I don't understand some of the default rules:

# iptables-save | grep "RELATED,ESTABLISHED"
-A INPUT -p udp -m udp --dport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp1 -p udp -m udp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp1 -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment "Established,Related" -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

1. Why the separate "RELATED,ESTABLISHED" rules? Why not one per interface to cover all ports?
2. For INPUT there are no "RELATED,ESTABLISHED" rules below port 1024. How does this work?


# iptables-save | grep -E " 67| 68"
-A INPUT -i ppp0 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i ppp1 -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i ppp1 -p tcp -m tcp --sport 67 --dport 68 -j ACCEPT
-A OUTPUT -o ppp0 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o ppp0 -p tcp -m tcp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o ppp1 -p udp -m udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o ppp1 -p tcp -m tcp --sport 68 --dport 67 -j ACCEPT


Why do we need DHCP port open on the WAN interface?
Monday, July 06 2020, 04:35 PM
Responses (4)
  • Tuesday, July 07 2020, 10:33 AM - #Permalink
    Got it, thanks.
  • Tuesday, July 07 2020, 09:58 AM - #Permalink
    Agreed, but I don't know what PPPoE needs (nothing?). Having said that, I think the rules are also there for static IPs.
  • Tuesday, July 07 2020, 09:13 AM - #Permalink
    Thank you very much for that explanation.
    I still don't understand why the need for rules at all for 67/68 (DHCP) on the WAN interface.
  • Monday, July 06 2020, 06:47 PM - #Permalink
    You need a rule each for tcp and udp. You cannot do a port rule without a protocol.
    In general, communication is initiated from a high port (aka unprivileged port), so >=1024. It follows, then, that for security reasons it is valid to block replies to low ports (<1024). The exception to this is NTP when using the ntp program, when communication is from and to port 123, so installing NTP gets this rule. Having said that, chronyd and ntpdate are from high ports, and at some point we may switch to using chronyd as it is the upstream default. You could argue that a really basic rule could suffice, not specifying ports, protocols or interfaces, but it is unlikely that the firewall will get that sort of review until ClearOS 8.

    I can't remember the details, but DHCP is either from 67 to 68 or vice versa, so the related/established rules are covered by the INPUT rules. The outbound request is allowed automatically by OUTPUT rules.

    The ClearOS firewall does some odd things where it creates an OUTPUT rule for every INPUT rule it creates. This is generally unnecessary because of the related/established rules, but **may** be necessary for the FORWARD chain if the default policy is to block all and allow by exception. There has been an issue for this for years but, as the firewall works, no one has bothered fixing it.
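As an added example (not code from the post, nor ClearOS's own firewall code), the following Python script makes the answer above concrete. It parses the INPUT rules quoted in the question and reports, per interface and protocol, the destination ports on which an ESTABLISHED/RELATED reply would hit no ACCEPT rule: with the post's rules, TCP replies on ppp0 are accepted only on 1024-65535, and UDP replies additionally on 123 (the NTP rule, which has no -i and so applies to every interface). It parses only the iptables-save options that appear in the post; the chain's default policy is not on the page, so `accepts_reply` returns None rather than guessing what happens to an unmatched packet. The function and variable names are the example's own.

```python
"""Audit the reply-port coverage of an iptables-save INPUT rule set.

Added example for this thread; not ClearOS code. It parses only the
iptables-save options that appear in the post (-A, -i, -p, --dport,
--state/--ctstate, -j); anything else is skipped. The chain's default
policy is not on the page, so an unmatched packet is reported as None.
"""
import shlex
from collections import defaultdict

PORT_MIN, PORT_MAX = 1, 65535

# The INPUT rules quoted in the original post, verbatim.
POST_RULES = """\
-A INPUT -p udp -m udp --dport 123 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp1 -p udp -m udp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp1 -p tcp -m tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
"""


def parse_rule(line):
    """Parse one rule line into a dict. No -i means any interface, no -p any
    protocol, no --dport any port (1-65535), no --state/--ctstate any state."""
    toks = shlex.split(line)
    rule = {"chain": None, "iface": None, "proto": None,
            "dport": (PORT_MIN, PORT_MAX), "states": set(), "target": None}
    i = 0
    while i < len(toks):
        tok = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if tok == "-A":
            rule["chain"] = arg
        elif tok == "-i":
            rule["iface"] = arg
        elif tok == "-p":
            rule["proto"] = arg
        elif tok == "--dport":
            lo, _, hi = arg.partition(":")
            rule["dport"] = (int(lo), int(hi or lo))
        elif tok in ("--state", "--ctstate"):
            rule["states"] = set(arg.split(","))
        elif tok == "-j":
            rule["target"] = arg
        elif tok != "-m":          # -m <module> only loads the options above
            i += 1                 # unknown token: skip it alone
            continue
        i += 2
    return rule


def parse_rules(text):
    """Parse every rule line; blank lines and '#' comments are ignored."""
    return [parse_rule(l) for l in text.splitlines()
            if l.strip() and not l.startswith("#")]


def merge_ranges(ranges):
    """Merge overlapping or adjacent (lo, hi) port ranges, sorted."""
    out = []
    for lo, hi in sorted(ranges):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def port_gaps(ranges):
    """Ports in 1-65535 that none of `ranges` covers, as (lo, hi) tuples."""
    out, cur = [], PORT_MIN
    for lo, hi in merge_ranges(ranges):
        if lo > cur:
            out.append((cur, lo - 1))
        cur = max(cur, hi + 1)
    if cur <= PORT_MAX:
        out.append((cur, PORT_MAX))
    return out


def reply_port_gaps(text, chain="INPUT"):
    """Per (interface, protocol): destination ports on which an
    ESTABLISHED/RELATED reply hits no ACCEPT rule in `chain`.
    Rules without -i or -p are expanded over every interface/protocol
    the chain mentions ('*' if it mentions none)."""
    rules = [r for r in parse_rules(text)
             if r["chain"] == chain and r["target"] == "ACCEPT"
             and r["states"] & {"ESTABLISHED", "RELATED"}]
    ifaces = {r["iface"] for r in rules if r["iface"]} or {"*"}
    protos = {r["proto"] for r in rules if r["proto"]} or {"*"}
    covered = defaultdict(list)
    for r in rules:
        for iface in ([r["iface"]] if r["iface"] else ifaces):
            for proto in ([r["proto"]] if r["proto"] else protos):
                covered[(iface, proto)].append(r["dport"])
    return {key: port_gaps(covered[key]) for key in sorted(covered)}


def accepts_reply(text, iface, proto, dport, chain="INPUT"):
    """First-match walk of `chain` for a packet conntrack has classified as
    ESTABLISHED (a reply). Returns the matching rule's target, or None if
    no rule matches and the packet would fall through to the chain policy."""
    for r in parse_rules(text):
        if r["chain"] != chain:
            continue
        if r["iface"] not in (None, iface) or r["proto"] not in (None, proto):
            continue
        if not r["dport"][0] <= dport <= r["dport"][1]:
            continue
        if r["states"] and "ESTABLISHED" not in r["states"]:
            continue
        return r["target"]
    return None


if __name__ == "__main__":
    for (iface, proto), g in reply_port_gaps(POST_RULES).items():
        print(f"{iface}/{proto}: replies NOT accepted on {g}")
    print("reply to ppp0/udp:123 ->", accepts_reply(POST_RULES, "ppp0", "udp", 123))
    print("reply to ppp0/tcp:22  ->", accepts_reply(POST_RULES, "ppp0", "tcp", 22))
```

Run it against your own `iptables-save` output (pipe it into `POST_RULES` or read a file) to see which low-port replies each interface would silently drop; a single catch-all rule such as `-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` shows up as an empty gap list, which is the "really basic rule" the answer mentions.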