Reply To: Simple (easy to manage) Firewall / Virtual Server Zeroshell


#48351

OK I have recreated a ZS ‘simple basic’ setup:

INPUT – DEFAULT: DENY

ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp dpt:443

OUTPUT – DEFAULT: DENY

ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp spt:443

FORWARD – DEFAULT: DENY

(No rules)

So (as far as I am aware!) this is a simple setup where you allow management of the box from any interface via HTTPS, and everything else is blocked, even if you have added in a Virtual Server.

In my example here, the external interface is ETH0 – network 192.168.0.0

I now want to add a virtual server, the physical (REAL) server for which is on ETH1 – network 192.168.254.0. I want to be able to remote desktop in to this server from ETH0.

So first of all I create a virtual server:

INTERFACE/IP: ETH0 / 192.168.0.252
PROTOCOL: TCP
LOCAL PORT: 3389
REAL SERVER: 192.168.254.2:3389

Great, this is added – however, I cannot get through. The reason for this is that I have still to create a rule through the firewall for this Virtual Server to work. If I had 100 Virtual Servers, then I need to create 100 rules. Actually, I have to create 200 rules, as you will see.

So rather than to mess up FORWARD with all my virtual server rules, I create a new chain called vserver.

Next I make sure that all forwarding traffic goes to this (I’m not using this box for anything else).

FORWARD – DEFAULT: DENY

vserver all opt -- in * out * 0.0.0.0/0 -> 0.0.0.0/0

This sends everything to chain vserver.

Now I create my rule in vserver:

VSERVER

ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 192.168.254.2 state NEW,RELATED,ESTABLISHED tcp dpt:3389

I do this… try to connect, and nothing. I use a packet sniffer, and notice that for some reason packets are not coming back through the firewall, even though, as we are using STATE, they should be related.

The only way I can get remote desktop to work is to create a second rule, allowing traffic from the server out again:

ACCEPT tcp opt -- in * out * 192.168.254.2 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp spt:3389

So my final vserver chain now looks like this:

VSERVER

ACCEPT tcp opt -- in * out * 0.0.0.0/0 -> 192.168.254.2 state NEW,RELATED,ESTABLISHED tcp dpt:3389

ACCEPT tcp opt -- in * out * 192.168.254.2 -> 0.0.0.0/0 state NEW,RELATED,ESTABLISHED tcp spt:3389

Thus – this example shows that when you create a vserver rule, not only do you also have to create an additional rule for it in the firewall, but you actually have to add TWO.

For people with 100s of virtual servers (in a hosting environment) this is a huge resource drain, and makes life extremely complicated.

We are now hoping to create a script which will ‘read’ vserver rules and create both sets of firewall rules for them in a special chain called vserver, as in the above example. This will save a huge amount of time/work.

Jeff
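The script Jeff describes at the end of the post, as an added example that is not part of the post and not ZeroShell's own code: it reads one virtual server per line in a constructed text format (`IFACE/VIP PROTO LOCALPORT REALIP:REALPORT`, an assumption, not ZeroShell's export format) and prints the iptables commands for the `vserver` chain. It assumes the DNAT itself is already configured through ZeroShell's Virtual Server page, as in the post, so only the FORWARD-path filter rules are generated. The default mode emits the two rules per server exactly as the post arrived at them. It also offers a compact mode, because the reason the first rule alone did not pass the replies is that it only matches packets whose destination port is 3389, while replies leave the real server with source port 3389; a single RELATED,ESTABLISHED rule at the top of the chain accepts those replies through connection tracking, so each virtual server then needs only one NEW rule, and the real server gets no standing permission to open new connections out of its service port.

```python
"""Generate iptables filter rules for ZeroShell-style virtual servers.

Added example, not ZeroShell's code. Input format and sample data below are
constructed for the example; the DNAT is assumed to exist already.
"""
from dataclasses import dataclass
from ipaddress import ip_address

CHAIN = "vserver"  # chain name used in the forum post


@dataclass(frozen=True)
class VServer:
    iface: str       # external interface the virtual IP lives on (e.g. ETH0)
    vip: str         # virtual (public-facing) address
    proto: str       # tcp or udp
    local_port: int  # port on the virtual IP
    real_ip: str     # real server behind the firewall
    real_port: int   # port on the real server


def _port(text):
    port = int(text)  # raises ValueError on non-numeric input
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {text}")
    return port


def parse_vserver(line):
    """Parse 'IFACE/VIP PROTO LOCALPORT REALIP:REALPORT' (constructed format)."""
    fields = line.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields: {line!r}")
    iface_vip, proto, local_port, real = fields
    iface, vip = iface_vip.split("/", 1)
    real_ip, real_port = real.rsplit(":", 1)
    proto = proto.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {proto}")
    # ip_address() raises ValueError for anything that is not a valid address
    return VServer(iface, str(ip_address(vip)), proto, _port(local_port),
                   str(ip_address(real_ip)), _port(real_port))


def pair_rules(vs):
    """The two rules per virtual server from the post: inbound to the real
    server's port, plus the reverse match on the source port. The reverse rule
    is needed only because the first one matches on *destination* port, which
    reply packets never carry."""
    state = "-m state --state NEW,RELATED,ESTABLISHED -j ACCEPT"
    return [
        f"iptables -A {CHAIN} -p {vs.proto} -d {vs.real_ip} --dport {vs.real_port} {state}",
        f"iptables -A {CHAIN} -p {vs.proto} -s {vs.real_ip} --sport {vs.real_port} {state}",
    ]


def compact_rules(vservers):
    """Alternative: one RELATED,ESTABLISHED rule for the whole chain, then one
    NEW rule per virtual server limited to its external interface. Replies are
    accepted by connection tracking, so no reverse rule is required."""
    rules = [f"iptables -A {CHAIN} -m state --state RELATED,ESTABLISHED -j ACCEPT"]
    for vs in vservers:
        rules.append(f"iptables -A {CHAIN} -i {vs.iface} -p {vs.proto} "
                     f"-d {vs.real_ip} --dport {vs.real_port} "
                     f"-m state --state NEW -j ACCEPT")
    return rules


def build_script(lines, compact=False):
    """Return the full command list: chain setup, FORWARD hook, then the rules."""
    vservers = [parse_vserver(l) for l in lines if l.strip() and not l.startswith("#")]
    commands = [
        f"iptables -N {CHAIN} 2>/dev/null || true",   # create chain if missing
        f"iptables -F {CHAIN}",                        # flush so re-runs replace the set
        # hook FORWARD into the chain once (-C checks whether the jump exists)
        f"iptables -C FORWARD -j {CHAIN} 2>/dev/null || iptables -A FORWARD -j {CHAIN}",
    ]
    if compact:
        commands += compact_rules(vservers)
    else:
        for vs in vservers:
            commands += pair_rules(vs)
    return commands


# Constructed sample: the post's RDP server plus a made-up second web server.
SAMPLE = [
    "# IFACE/VIP PROTO LOCALPORT REALIP:REALPORT",
    "ETH0/192.168.0.252 tcp 3389 192.168.254.2:3389",
    "ETH0/192.168.0.252 tcp 80 192.168.254.3:8080",
]

if __name__ == "__main__":
    print("\n".join(build_script(SAMPLE)))
```

Run it and pipe the output into `sh` on the firewall host (or save it as a script); the FORWARD default policy of DENY from the post stays in place, so anything not listed is still dropped. Lines starting with `#` in the input are ignored, and malformed entries (bad address, port out of range, protocol other than tcp/udp) abort the run with a `ValueError` rather than producing a rule that silently matches nothing.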