IPFW - Ruleset by default - firewall

I'm trying to set IPFW as open by default, so I do firewall_type="open", but when I do "ipfw flush", it only adds a "deny ip any from any" rule. Should it be "allow ip any from any"? I mean, if I flush the rules, should it be set only as the default ruleset or, instead of that, will it add that rule automatically?
Another question. If I restart the firewall with "service ipfw restart", it adds the whole open ruleset, but its last two rules are:
65000 allow ip from any to any
65535 deny ip from any to any
If firewall_type="open", should it be only "65535 allow ip from any to any", without the last rule?

I have read somewhere:
If the open policy is enabled in the kernel (IPFIREWALL_DEFAULT_TO_ACCEPT), then rule # 65535 will be automatically set to "allow ip from any to any" instead of "deny ip from any to any," thus making rule # 65000 as set in rc.firewall for the open policy redundant. As such, it is more apropos to indicate firewall type "UNKNOWN" if one enables an open policy in the kernel, and does not wish to enable any other rules.
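To make the interaction between the kernel default rule 65535 and rc.firewall's rule 65000 concrete, here is an added example (not from the question and not FreeBSD's rc.firewall) that parses `ipfw list` output and reports the kernel default, the policy that actually applies to a packet matching no specific rule, and which catch-all rules merely repeat the kernel default. The three rulesets are constructed by hand to mirror the cases discussed: the "open" type on a deny-by-default kernel, the same type on an IPFIREWALL_DEFAULT_TO_ACCEPT kernel, and what a flush leaves behind (rule 65535 is the kernel's built-in rule and survives `ipfw flush`).

```python
# Added example: audit an `ipfw list` ruleset for its effective default policy.
# Rulesets below are constructed for the example, not captured from a host.
import re

# "open" ruleset on a kernel WITHOUT IPFIREWALL_DEFAULT_TO_ACCEPT: the built-in
# rule 65535 is deny, so rc.firewall adds 65000 allow to open the firewall.
OPEN_DENY_KERNEL = """\
00100 allow ip from any to any via lo0
00200 deny ip from any to 127.0.0.0/8
00300 deny ip from 127.0.0.0/8 to any
65000 allow ip from any to any
65535 deny ip from any to any
"""

# Same ruleset on a kernel built WITH IPFIREWALL_DEFAULT_TO_ACCEPT:
# 65535 is now allow, which leaves 65000 with nothing to do.
OPEN_ACCEPT_KERNEL = """\
00100 allow ip from any to any via lo0
65000 allow ip from any to any
65535 allow ip from any to any
"""

# What `ipfw flush` leaves on the deny kernel: only the immutable rule 65535.
FLUSHED_DENY_KERNEL = "65535 deny ip from any to any\n"

# ipfw accepts several spellings for the two actions; normalise them.
RULE_RE = re.compile(r"^\s*(\d{1,5})\s+(allow|accept|pass|permit|deny|drop)\s+(.*)$")


def parse_rules(text):
    """Return (number, action, body) tuples in ruleset order."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            num, action, body = m.groups()
            action = "allow" if action in ("allow", "accept", "pass", "permit") else "deny"
            rules.append((int(num), action, body.strip()))
    return rules


def kernel_default(rules):
    """Action of rule 65535, i.e. the kernel's compiled-in default policy."""
    for num, action, _ in rules:
        if num == 65535:
            return action
    return "unknown"


def is_catch_all(body):
    """True for a rule that matches every packet with no further qualifier."""
    return body == "ip from any to any"


def effective_policy(rules):
    """Policy for a packet matching no specific rule: the first catch-all wins."""
    for _, action, body in rules:
        if is_catch_all(body):
            return action
    return "unknown"


def redundant_catch_alls(rules):
    """Catch-all rules below 65535 that only repeat the kernel default."""
    default = kernel_default(rules)
    return [num for num, action, body in rules
            if num != 65535 and is_catch_all(body) and action == default]


if __name__ == "__main__":
    for name, text in (("open/deny kernel", OPEN_DENY_KERNEL),
                       ("open/accept kernel", OPEN_ACCEPT_KERNEL),
                       ("flushed/deny kernel", FLUSHED_DENY_KERNEL)):
        r = parse_rules(text)
        print(f"{name}: kernel default={kernel_default(r)}, "
              f"effective={effective_policy(r)}, redundant={redundant_catch_alls(r)}")
```

Run against real output with `ipfw list | python3 audit.py` after swapping the constructed strings for `sys.stdin.read()`; the useful signal for a defender is `effective_policy`, which tells you whether the box is open regardless of what rule 65535 says.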

Related

What does wg-quick nftables rules do?

When I add a wireguard interface via wg-quick up wg0, wg-quick sets up the following nftable rules. What are these doing and why are they needed?
Here are some example rules for IPv4:
table ip wg-quick-wg0 {
    chain preraw {
        type filter hook prerouting priority raw; policy accept;
        iifname != "wg0" ip daddr 10.4.125.231 fib saddr type != local drop
    }
    chain premangle {
        type filter hook prerouting priority mangle; policy accept;
        meta l4proto 17 meta mark set ct mark
    }
    chain postmangle {
        type filter hook postrouting priority mangle; policy accept;
        meta l4proto 17 meta mark 0x0000ca6c ct mark set meta mark
    }
}
I am interested in these, because my virtual machine needs them to function properly, but my host does not need them to have a working WireGuard interface. Sadly the script itself is not documented on why they are set up.
The wg-quick script sets up these rules only when you configure the AllowedIPs of a WireGuard peer to include /0 -- aka "all addresses" or the "default route" for an address family (0.0.0.0/0 for IPv4 and ::/0 for IPv6).
Using a tunnel like WireGuard for a default route requires some tricks to work correctly in most scenarios. The main trick wg-quick uses is to put the new default route into a custom routing table, while adding policy routing rules with a firewall mark to override only the default route of the main table. This is the purpose of the route and policy rules you'll see wg-quick set up in this case:
[#] ip -4 route add 0.0.0.0/0 dev wg0 table 51820
[#] ip -4 rule add not fwmark 51820 table 51820
[#] ip -4 rule add table main suppress_prefixlength 0
The firewall rules listed in your question help with a few additional edge cases: The first rule prevents certain routing loops and other issues when packets are sent to the WireGuard interface's address outside of the tunnel; and the second and third rules fix up reverse-path lookups for packets received through the tunnel (allowing reverse-path filtering to work).
If you don't want wg-quick to do these things, you can set Table = off in the [Interface] section of your WireGuard configuration, and set up the appropriate routes yourself. For more details about these routing tricks, see the Routing All Your Traffic section of the routing guide on the WireGuard site, or the Understanding Modern Linux Routing article. See the Wg-quick Default Firewall Rules article for more details about these firewall rules specifically.
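The three `ip` commands in the answer above are easier to follow with a small model of the lookup the kernel performs. The following is an added example, not code from the answer or from wg-quick: it encodes the main table and table 51820, walks the policy rules in preference order, and applies `suppress_prefixlength` and the `not fwmark` selector the way the kernel does. The interface names, the LAN prefix, the peer endpoint address and the rule preferences (wg-quick's rules are added without an explicit pref, so they land just before the stock main rule 32766) are constructed for the example; the mark 51820 is the one wg-quick sets on the interface with `wg set ... fwmark`, so the tunnel's own encapsulated UDP carries it.

```python
# Added example: a model of Linux policy routing showing why wg-quick's
# route/rule trio sends everything except WireGuard's own packets into wg0.
import ipaddress

# Routing tables as (prefix, outgoing interface). "main" is what the host had
# before wg-quick ran; 51820 is the table wg-quick creates for the tunnel.
TABLES = {
    "main": [
        (ipaddress.ip_network("192.168.1.0/24"), "eth0"),  # constructed LAN route
        (ipaddress.ip_network("0.0.0.0/0"), "eth0"),       # the original default route
    ],
    51820: [
        # ip -4 route add 0.0.0.0/0 dev wg0 table 51820
        (ipaddress.ip_network("0.0.0.0/0"), "wg0"),
    ],
}

# Policy rules in lookup order (lowest preference first). Preferences are
# assumed: `ip rule add` without `pref` assigns decreasing numbers, so the
# rule added last is consulted first, ahead of the stock main rule 32766.
RULES = [
    # ip -4 rule add table main suppress_prefixlength 0
    {"pref": 32764, "table": "main", "suppress_prefixlength": 0},
    # ip -4 rule add not fwmark 51820 table 51820
    {"pref": 32765, "table": 51820, "not_fwmark": 51820},
    {"pref": 32766, "table": "main"},
]


def lookup_table(table, dst):
    """Longest-prefix match in one table; returns (prefix, iface) or None."""
    best = None
    for prefix, iface in TABLES[table]:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def route(dst, fwmark=0):
    """Interface chosen for dst, walking the rules the way the kernel does."""
    dst = ipaddress.ip_address(dst)
    for rule in RULES:
        # `not fwmark N` selector: the rule is skipped for packets carrying mark N.
        if "not_fwmark" in rule and fwmark == rule["not_fwmark"]:
            continue
        hit = lookup_table(rule["table"], dst)
        if hit is None:
            continue
        prefix, iface = hit
        # suppress_prefixlength N: a match of N bits or shorter does not count,
        # so main's default route is ignored while its specific routes still win.
        if "suppress_prefixlength" in rule and prefix.prefixlen <= rule["suppress_prefixlength"]:
            continue
        return iface
    return None


if __name__ == "__main__":
    print(route("8.8.8.8"))                    # wg0: ordinary traffic enters the tunnel
    print(route("192.168.1.5"))                # eth0: the LAN route in main survives
    print(route("203.0.113.1", fwmark=51820))  # eth0: marked encapsulated UDP avoids the loop
```

The last lookup is the whole point of the mark: without the `not fwmark 51820` selector, WireGuard's own UDP packets to the peer endpoint would be routed back into wg0, and the nft `premangle`/`postmangle` rules quoted in the question exist so that reply packets for that UDP flow keep the same mark on the way in, which is what lets strict reverse-path filtering accept them.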

Does new Windows netsh firewall rule break existing connection?

Can't find the answer anywhere and I'm a little bit afraid to check this out on my computer.
I want to block all traffic that comes from specific address - except one, which is already established.
netsh advfirewall firewall add rule name="ping" protocol=icmpv4 action=block dir=in remoteip=xxx.xxx.xx.xx
Is it okay to add a new netsh advfirewall rule that blocks all the traffic from the address, or will it break my existing connection too?

Firewall status in resource monitor

In resource monitor under network, there is a tab called listening ports which has a column called firewall status. It has values like
1) allowed, not restricted
2) not allowed, not restricted
3) allowed, restricted
My understanding is that the first one represents whether the incoming traffic will be allowed or not.
(when I tested after disabling the firewall, everything changed to allowed)
My understanding of the second one is whether there is a rule restricting that connection or not. But in this case, "allowed, restricted" makes no sense, because when it is restricted how can it be allowed?
And also there is an option to either block or allow all connections that do not match any available rules.
Could anyone please explain these things in detail?
My understanding of Allowed/Restricted:
The FW allows access to that port but with some restrictions.
For example, there is a rule in the FW blocking access to that port for some IP addresses or allowing access from the local subnet only.

Mikrotik - Limit Upload Speed On Specific Port

I have set a NAT rule for chain=dstnat action=dst-nat port=1234 and it is working OK; I can access the application from the internet to my local PC. Now I want to limit upload speed on this port=1234, but I can't do it!
On Simple Queues there is an option, but it limits by IP address, not by port. I use multiple ports, so I want to limit by port. Is this possible?
Thank you.
It's possible; you'll need a setup where you mark packets in the mangle table.
/ip firewall mangle
add action=mark-packet chain=forward dst-port=1234 new-packet-mark=custom-port passthrough=no protocol=tcp
After that, you can do traffic shaping on those marked packets.
/queue simple
add name="custom-port" parent=main packet-marks=custom-port max-limit=240000/500000 priority=1

Understanding EC2 Security Groups

I'm reading instructions (on installing R on an EC2 instance) that ask me to do the following:
When you get to the ‘Security Groups’ tab, create a security group that has the following ports open: 22 (SSH), 80 (HTTP), 443 (HTTPS), 3389 (RDP, optional), and 8787 (RStudio Server).
I don't fully understand what this means. Especially when it comes to opening port 8787 for the RStudio Server.
Here's the tab to add an inbound rule for a Security Group:
So, if I want to "open port 8787 for RStudio," what do I do? Is that a TCP rule?
If I want open that port to "everyone," what do I specify as the source?
It's a custom TCP rule. The port range is just the single number (8787 here).
The source is all the IP addresses you want to allow to use it. The first four numbers are dotted quads, a way of specifying a 32 bit address as four 8 bit decimal numbers. 192.168.1.0 is an example. The number after the slash is the number of bits that the source address must match.
So 192.168.1.0/24 means any address that matches the first 24 bits would be allowed: 192.168.1.0 through 192.168.1.255. 0.0.0.0/0 means any address that matches the first 0 bits would be allowed. That is, any address at all.
I don't know how secure the RStudio protocol is, but I'd advise against allowing all addresses on the Internet to connect to it. Find your own IP address (you can just Google "what's my ip" to find out). Say it's 123.123.123.123. Then you could specify the source to be 123.123.123.123/32, meaning that address, and only that address, would be allowed.
If you connect from different places in the future, you can change the rule to match whatever address you are at each time you need to connect.
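The bit-matching the answer above describes is short enough to write out. The following is an added example, not from the answer or from AWS: it implements the "first N bits must match" comparison on plain 32-bit integers, uses it to evaluate a constructed set of inbound security-group rules, and flags remote-access ports whose source admits every address. The rule set, the addresses and the admin-port list are made up for the example; only the port numbers come from the question.

```python
# Added example: CIDR prefix matching as a security group performs it, plus a
# small audit of constructed inbound rules. Addresses and rules are made up.


def ip_to_int(addr):
    """'192.168.1.0' -> 32-bit integer built from the four 8-bit octets."""
    octets = [int(x) for x in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {addr}")
    a, b, c, d = octets
    return (a << 24) | (b << 16) | (c << 8) | d


def cidr_matches(cidr, addr):
    """True if the first N bits of addr equal the first N bits of the CIDR base."""
    base, bits = cidr.split("/")
    bits = int(bits)
    if not 0 <= bits <= 32:
        raise ValueError(f"bad prefix length in {cidr}")
    # /24 -> 0xFFFFFF00, /32 -> 0xFFFFFFFF, /0 -> 0 (nothing has to match)
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return (ip_to_int(base) & mask) == (ip_to_int(addr) & mask)


def cidr_size(cidr):
    """Number of addresses a CIDR admits: 2 ** (32 - N)."""
    return 1 << (32 - int(cidr.split("/")[1]))


# Constructed inbound rules in the shape of the console tab: (protocol, port, source).
RULES = [
    ("tcp", 22, "203.0.113.7/32"),   # SSH from a single admin address
    ("tcp", 80, "0.0.0.0/0"),        # public web
    ("tcp", 443, "0.0.0.0/0"),
    ("tcp", 8787, "0.0.0.0/0"),      # RStudio Server reachable from anywhere
]

# Remote-access services that a practitioner would not expose to every address.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 8787: "RStudio Server"}


def allowed(rules, proto, port, addr):
    """Security groups are allow-lists: any matching rule permits the connection."""
    return any(p == proto and pt == port and cidr_matches(src, addr)
               for p, pt, src in rules)


def world_open_admin_ports(rules):
    """[(port, service)] for admin ports whose source is the whole IPv4 space."""
    return [(port, ADMIN_PORTS[port]) for _, port, src in rules
            if port in ADMIN_PORTS and cidr_size(src) == 1 << 32]


if __name__ == "__main__":
    print(cidr_matches("192.168.1.0/24", "192.168.1.200"))   # True
    print(cidr_matches("123.123.123.123/32", "123.123.123.124"))  # False
    print(allowed(RULES, "tcp", 22, "198.51.100.9"))          # False: not the admin address
    print(world_open_admin_ports(RULES))                      # [(8787, 'RStudio Server')]
```

`cidr_size` makes the answer's point about /0 numeric: a /32 source admits one address, a /24 admits 256, and a /0 admits all 2^32, which is why the audit treats a /0 on port 8787 as the finding to fix by narrowing the source to the address you actually connect from.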
Yes, it's a TCP rule. If you want to open the port to everyone, you would use 0.0.0.0/0.
Opening to everyone is not always a good idea; it depends on what you are trying to do.