WillyXJ / facileManager

A modular suite of web apps built with the sysadmin in mind.
www.facilemanager.com
GNU General Public License v2.0
88 stars 37 forks

Proper Firewall Configuration #364

Closed air101 closed 7 years ago

air101 commented 7 years ago

Hello WillyXJ,

How do I configure the firewall component the right way? That's what I want to do on the latest Debian with the latest stable release of facileManager:

allow IN ssh from anywhere
allow IN snmp from specific ip 10.0.0.5
allow OUT anything
block REST

When I configure my firewall like that with your tool, nothing new gets in and nothing goes out. I keep the connection to the server (via ssh), but no setting has worked so far.

Thanks in advance!

WillyXJ commented 7 years ago

Are you allowing established connection packets in your rules, too?

[image attachment]

air101 commented 7 years ago

Yes

WillyXJ commented 7 years ago

You have uncovered a flaw in the software. In order to essentially block new inbound requests, but allow related traffic, the following rule needs to be applied:

-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

However, fmFirewall does not currently allow that type of rule. This will need to be fixed in the next release.
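The ruleset WillyXJ describes, as an added shell example (not fmFirewall's own code or output): it emits an iptables-restore file for the policy air101 asked for, with the ESTABLISHED,RELATED rule placed first, and a check that flags an INPUT chain with a DROP policy that lacks that rule. The function names, the `lo` accept, the port numbers (22/tcp for ssh, 161/udp for snmp) and the parameterised SNMP source are assumptions; only 10.0.0.5 comes from the issue.

```shell
#!/bin/sh
# Added example, not fmFirewall code. Generates and sanity-checks an
# iptables ruleset; nothing here touches the live firewall.

# gen_rules: print a complete iptables-restore filter table for
#   allow IN ssh from anywhere, allow IN snmp from one host,
#   allow OUT anything, block the rest.
# $1 = SNMP source address (assumed parameter; defaults to the issue's 10.0.0.5)
gen_rules() {
    snmp_src="${1:-10.0.0.5}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Without this rule the INPUT DROP policy eats every reply packet to an
# outbound connection and every packet after the first of an inbound SSH
# session, which is exactly the "nothing gets in or out" symptom.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p udp -s ${snmp_src} --dport 161 -j ACCEPT
COMMIT
EOF
}

# check_rules: read an iptables-restore ruleset on stdin. Returns 0 if the
# INPUT policy is not DROP, or if it is DROP and an ESTABLISHED/RELATED
# accept rule (either -m state or -m conntrack syntax) is present.
# Returns 1 for a DROP policy with no such rule, the condition in this issue.
check_rules() {
    rules=$(cat)
    policy=$(printf '%s\n' "$rules" | sed -n 's/^:INPUT \([A-Z]*\).*/\1/p')
    [ "$policy" = "DROP" ] || return 0
    printf '%s\n' "$rules" \
        | grep -Eq '^-A INPUT .*--(ct)?state [A-Z,]*ESTABLISHED.* -j ACCEPT$' \
        && return 0
    return 1
}

# Stand-alone use: `sh fw.sh print [snmp_host] > rules.v4`, then review and
# load with iptables-restore. Omitted when sourced for the check functions.
if [ "${1:-}" = "print" ]; then
    gen_rules "${2:-10.0.0.5}"
fi
```

Run `gen_rules | check_rules` before loading a generated file; the same check run over a ruleset exported from fmFirewall at the time of this issue would have returned 1, since the tool could not emit the state rule.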

WillyXJ commented 7 years ago

This is now included in the latest beta version and later.

air101 commented 7 years ago

Hello WillyXJ,

I upgraded to the latest beta, but now all rules are gone, and when I want to add a new rule there's an error: Could not add the policy because a database error occurred.

WillyXJ commented 7 years ago

@air101 - thanks for the report. I've been able to reproduce this behavior. What I've found is the fmFirewall upgrade function isn't getting executed for some reason. If the version is reset in the database and you run through the forced upgrade, then the database gets updated.

Run the following manually against your database and then use the web interface and go through the upgrade again. After that, your records will be present and policies can be added/updated.

UPDATE fm_options SET option_value='1.3.1' WHERE option_name='version' AND module_name='fmFirewall';

I'll continue working on a fix for the next release.

WillyXJ commented 7 years ago

A fix for the upgrade process has been committed and will be included in the next release.

WillyXJ commented 7 years ago

This is now included in 3.0 and later.