
View full version: How often are your firewall rules flushed?



sesamebike
02-09-2004, 09:04
Hi,

I've noticed that every time my WAN IP is renewed my firewall rules are flushed, even if the IP didn't change.

The dhcp client is configured to run /usr/share/udhcpc/default.script after every dhcp event. It passes the argument "renew" or "bound" to reflect the reason for the invocation. At the end of this script the firewall script is invoked.

Snippet from /usr/share/udhcpc/default.script

# Invoke NAT and Firewall
# $interface and $ip are exported by udhcpc for the "bound" and "renew" events
. /etc/linuxigd/FirewallConfig
if [ "$DmzEnable" = 1 ] && [ "$DmzDevices" != None ]; then
/init/firewall $interface $ip br0 $IPRouters br1 $DmzIP
else
/init/firewall $interface $ip br0 $IPRouters
fi

# 2003/09/23 by Joey
# nvram set wan_ifname=eth1
# Remember the address the rules were built for
nvram set wan_ipaddr=$ip


Now, the /init/firewall script will start by clearing all settings. During this time packets are dropped (at least if that is your default target). By the way, could this be related to the reported dead WAN interface? For a short period of time your firewall rules will not be in place. For me this happens every 30 minutes.

Since the IP address is the only parameter of the /init/firewall script that can be changed by the dhcp client (not really true, the DNS address as well, but you get the picture), wouldn't it be better to flush the firewall rules only if there is a change in the parameters?

I'm thinking of something like:



# Read the WAN address stored by the previous run (empty on first boot)
wan_ipaddr=$(nvram get wan_ipaddr)
# Rebuild the rules only if the address changed or this is not a plain renewal
if [ "$wan_ipaddr" != "$ip" ] || [ "$1" != "renew" ]; then
# Invoke NAT and Firewall
. /etc/linuxigd/FirewallConfig
if [ "$DmzEnable" = 1 ] && [ "$DmzDevices" != None ]; then
/init/firewall $interface $ip br0 $IPRouters br1 $DmzIP
else
/init/firewall $interface $ip br0 $IPRouters
fi
# 2003/09/23 by Joey
# nvram set wan_ifname=eth1
nvram set wan_ipaddr=$ip
fi


This way, the firewall rules are only flushed if the WAN IP is changed by the dhcp client or if the reason was not a renewal of the IP.

What do you think?

Cheers!

(I'm running Oleg's 1.7.5.9-5 firmware)

Oleg
02-09-2004, 10:11
Just check for the "bound" event and do not run for "renew". Otherwise you will probably get problems with the initial value of wan_ipaddr.

sesamebike
02-09-2004, 12:42
Hi Oleg,

What happens if you actually got a new IP address from the dhcp server then? You will probably want to update your firewall rules then.

I say, run only if a) the event is not "renew" OR b) the IP address has changed.

if [ "$wan_ipaddr" != "$ip" ] || [ "$1" != "renew" ]; then

The initial situation is covered by the event being "bound" instead of "renew". Probably the IP address check will fail as well, since $wan_ipaddr is not defined.

Would you consider adding this to your next firmware release? I can see a potential security problem where for a brief second your firewall rules are not present and the firewall either a) drops packets of ongoing connections or b) allows new incoming sessions which would have been blocked had the firewall rules been in place.

Thanks for your response.

Cheers!

sesamebike
02-09-2004, 12:48
Ok, I think I see your point. Ignore my last post.

If indeed we got a new IP address, the argument to the script wouldn't be "renew" but "bound", and thus your comment is perfectly valid.

We'll have to verify this somehow before it's implemented. Unfortunately I get the same IP every time, so I don't have an easy setup for testing this.

Cheers!
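An added worked example of the rule the thread converges on (reload the firewall on "bound", leave the rules alone on "renew"), with the address comparison kept as a safety net for the case the thread expects never to happen, a "renew" that carries a different address. This is not the firmware's default.script and not Oleg's code. It assumes a file-backed store ($STATE_FILE) in place of nvram's wan_ipaddr and a hypothetical $FIREWALL_CMD (default: a no-op) in place of /init/firewall, so it runs on any POSIX sh without a router:

```sh
#!/bin/sh
# Added example, not the firmware's default.script: the "reload only when the
# lease changed" decision for a udhcpc hook. udhcpc runs the hook as
#   default.script <event>       event is deconfig, bound, renew or nak
# and exports $interface, $ip, $router, ... for bound and renew.
# Assumptions made for this example: the previous WAN address is kept in a
# plain file ($STATE_FILE) instead of nvram's wan_ipaddr, and the firewall
# script is whatever $FIREWALL_CMD names (default: a no-op) instead of
# /init/firewall, so the script can be executed on any POSIX sh.

# firewall_reload_needed EVENT STORED_IP NEW_IP
# Prints yes/no and returns 0 when the rules should be rebuilt.
#   bound -> always: a fresh lease, including the first one (STORED_IP empty)
#   renew -> only if the address differs from the stored one; the thread
#            expects a changed address to arrive as "bound", so this branch is
#            a safety net, not the normal path
#   other -> never; deconfig/nak are handled elsewhere in a real hook
firewall_reload_needed() {
    case "$1" in
        bound) echo yes; return 0 ;;
        renew)
            if [ "$2" != "$3" ]; then echo yes; return 0; fi
            echo no; return 1 ;;
        *) echo no; return 1 ;;
    esac
}

# run_hook EVENT: the part of the hook that replaces the unconditional
# "/init/firewall ... ; nvram set wan_ipaddr=$ip" tail. Uses $ip and
# $interface from the environment exactly as udhcpc provides them.
run_hook() {
    state="${STATE_FILE:-/tmp/wan_ipaddr.example}"
    stored=""
    [ -f "$state" ] && stored="$(cat "$state")"
    if firewall_reload_needed "$1" "$stored" "$ip" >/dev/null; then
        "${FIREWALL_CMD:-true}" "$interface" "$ip"
        echo "$ip" > "$state"    # record the address the rules were built for
        echo reloaded
    else
        echo skipped             # rules untouched: no window with an empty chain
    fi
}

# Stand-alone demo: sh hook.sh demo  (first lease, then two renewals)
if [ "${1:-}" = demo ]; then
    STATE_FILE=$(mktemp); interface=eth1
    ip=203.0.113.10; run_hook bound     # reloaded
    ip=203.0.113.10; run_hook renew     # skipped
    ip=203.0.113.11; run_hook renew     # reloaded (address changed)
    rm -f "$STATE_FILE"
fi
```

The point of separating the decision (firewall_reload_needed) from the side effects (run_hook) is that the decision can be exercised for every event and address combination without touching iptables, which is exactly the verification the thread says it lacks when the lease never changes.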