We have moved to a new Sailfish OS Forum. Please start new discussions there.
0

Default firewall rules.

asked 2020-06-16 21:01:43 +0200

kan_ibal gravatar image

updated 2020-06-16 21:06:00 +0200

Long story short. During VPN connection I lost internet connection and restart didn't help. After short investigation I have found that in my output rules there is no rule allowing for output connections. There is no such firewall rule in delivered connman-configs-sailfish default package rules. If default policy is DROP, there should be a rule in connman-OUTPUT chain for allowing output traffic. How is it done? What am I missing?

edit retag flag offensive close delete

3 Answers

Sort by » oldest newest most voted
2

answered 2020-06-17 08:02:24 +0200

deloptes gravatar image

There is no default policy drop for the output chain. It is filtering the input, which is also correct.

[root@Sailfish nemo]# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
connman-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
connman-OUTPUT  all  --  anywhere             anywhere

Chain connman-INPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp !type 8 code 0
ACCEPT     dccp --  anywhere             anywhere             multiport dports 1024:65535
ACCEPT     sctp --  anywhere             anywhere             multiport dports 1024:65535
ACCEPT     tcp  --  anywhere             anywhere             multiport dports 1024:65535
ACCEPT     udplite--  anywhere             anywhere             multiport dports 1024:65535
ACCEPT     udp  --  anywhere             anywhere             multiport dports 1024:65535
ACCEPT     gre  --  anywhere             anywhere
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED

Chain connman-OUTPUT (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere             icmp !type 0 code 0

Perhaps you are missing some routing that gets pushed via VPN or reset to normal routes after VPN.

edit flag offensive delete publish link more
0

answered 2020-06-17 17:34:25 +0200

kan_ibal gravatar image

Thank you for the answer and hint. My OUTPUT policy is DROP

Chain OUTPUT (policy DROP)
target     prot opt source               destination   
ACCEPT     all  --  anywhere             anywhere            
connman-OUTPUT  all  --  anywhere             anywhere

and I wonder why. So next question, where default policy is set?

edit flag offensive delete publish link more

Comments

Yes, I know. Do you have a rule that set a policy for OUTPUT?

kan_ibal ( 2020-06-19 19:38:35 +0200 )edit

Checked 3 devices (all 3.3.0.16), default OUTPUT is ACCEPT....

A.Maretzek ( 2020-06-19 20:02:50 +0200 )edit

I believe that default OUTPUT is ACCEPT but my OUTPUT policy switch to DROP after connman restart and I try to track down the culprit. In /etc/connman/firewall.conf there are rules for INPUT only.

[General]

# IPv4 rules and policies.

IPv4.INPUT.RULES = -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; -i lo -j ACCEPT
IPv4.INPUT.POLICY = DROP

# IPv6 rules and policies.

IPv6.INPUT.RULES = -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT; -i lo -j ACCEPT
IPv6.INPUT.POLICY = DROP
kan_ibal ( 2020-06-20 16:55:04 +0200 )edit
0

answered 2020-06-20 17:41:04 +0200

kan_ibal gravatar image

After some debugging I have found that there are *.v4 files in /home/.system/var/lib/connman/iptables with saved iptables rules and being restored after connman start. The rule for OUTPUT there was in filter.v4. I deleted all *.v4 files and the problem is solved. Odd is that only raw.v4 and security.v4 has been recreated.

edit flag offensive delete publish link more

Comments

While you are at it, can you correlate the file creation time with apps you started? Or boot time?

A.Maretzek ( 2020-06-20 17:51:16 +0200 )edit
Login/Signup to Answer

Question tools

Follow
2 followers

Stats

Asked: 2020-06-16 21:01:43 +0200

Seen: 599 times

Last updated: Jun 20 '20