Advanced Custom Rules

Howdy All,

I want to move all my firewall rules to entries at “Advanced Custom Rules” instead of having lots of entries on the Firewall’s “Networks” Tab.

It appears that the command INPUT 0 is the same or equivalent as zone “Trusted” or “Local”
and I am guessing INPUT 1 & INPUT 2 & INPUT 3 correspond to the other zones “Internet”, “Other”, “Local”

-I INPUT 0 -s XXX.XXX.XXX.XXX/32 -j ACCEPT
-I INPUT 1 -s XXX.XXX.XXX.XXX/32 -j ACCEPT
-I INPUT 2 -s XXX.XXX.XXX.XXX/32 -j ACCEPT
-I INPUT 3 -s XXX.XXX.XXX.XXX/32 -j ACCEPT

Does anyone know what INPUT # corresponds with what zone name?

(or alternatively)

Does anyone know where I can look at the config file for the entries that are done on the Firewall’s “Networks” Tab where I might answer the above question myself by interjecting some old school reasoning?

Perhaps

I figured out how to assign a zone to the input. No need to figure out the zone ID numbers, just use the zone name in all lower case

Here is the syntax that works:

-I INPUT --zone other -s xxx.xxx.xxx.xxx -j ACCEPT

I spoke too soon.

-I INPUT --zone other -s xxx.xxx.xxx.xxx -j ACCEPT

does not work.

I’m looking for an advanced firewall rule that is the same thing as assigning an IP address to a zone on the Firewall - Networks tab.

In Linux IP tables, I believe this would be the command:

firewall-cmd --zone=other --add-source=192.168.2.15

I’m trying to figure out the advanced firewall rule that would be the equivalent.
