Bug 25632 - Firewall does not allow filtering on source address
Status: NEW
Product: UCS
Classification: Unclassified
Component: Firewall (univention-firewall)
Version: UCS 4.4
Hardware/OS: Other Linux
Importance: P5 enhancement with 7 votes
Assigned To: UCS maintainers
Duplicates: 52129
Blocks: 45500
Reported: 2011-12-27 10:30 CET by Jan Christoph Ebersbach
Modified: 2023-01-04 09:49 CET (History)
What kind of report is it?: Bug Report
What type of bug is this?: 5: Major Usability: Impairs usability in key scenarios
Who will be affected by this bug?: 3: Will affect average number of installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.171
Enterprise Customer affected?: Yes
Ticket number: 2020092221000562
Description Jan Christoph Ebersbach univentionstaff 2011-12-27 10:30:20 CET
When specifying a firewall rule via UCR, I noticed that it is only possible to create a destination filter, i.e. the firewall filters passing traffic by its destination address. Example:

security/packetfilter/package/zarafa-gateway/tcp/237/172.16.235.5=ACCEPT

Traffic to the IP address 172.16.235.5 is permitted by this rule.

In this case, however, I want to protect the host on which I defined the rule, i.e. I want to allow access only from one specific other host (172.16.235.5). With our current firewall implementation it does not seem possible to implement this requirement.
Comment 1 Stefan Gohmann univentionstaff 2015-12-28 08:19:36 CET
Requested again via feedback: Ticket #2015121621000452
Comment 2 Timo Denissen univentionstaff 2016-07-19 14:27:58 CEST
Running a latest UCS 4.1-2, the UCR variable still creates a destination-rule, not a source-rule. I have the exact same scenario as Jan Christoph in note 1, that I want to protect a system.

My suggestion is that either the iptables command "-d" is changed to "-s", or that the UCR variables are extended to specify if a source or destination is given.
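The following is an added illustration of the difference the report and Comment 2 describe; it is not univention-firewall's own code. It parses the UCR key layout shown in the description, emits the iptables arguments with the destination match (-d) the page reports versus the source match (-s) the reporter expected, and shows which (src, dst) pairs each variant actually selects. The INPUT chain, the restriction to literal addresses and the helper names are assumptions.

```python
import ipaddress
import re

# Key layout copied from the example in the bug description:
#   security/packetfilter/package/<pkg>/<proto>/<port>/<address>=<policy>
_KEY = re.compile(
    r"^security/packetfilter/package/(?P<pkg>[^/]+)/(?P<proto>tcp|udp)/"
    r"(?P<port>\d+)/(?P<addr>[^/=]+)=(?P<action>ACCEPT|DROP|REJECT)$"
)


def parse_rule(line):
    """Split one UCR 'key=value' line into its parts; raise on bad input."""
    m = _KEY.match(line.strip())
    if not m:
        raise ValueError("not a security/packetfilter rule: %r" % line)
    rule = m.groupdict()
    rule["port"] = int(rule["port"])
    if not 0 < rule["port"] <= 65535:
        raise ValueError("port out of range: %d" % rule["port"])
    ipaddress.ip_address(rule["addr"])  # only literal addresses are handled here (assumption)
    return rule


def iptables_args(rule, match_source=False):
    """Build the iptables argument list for a parsed rule.

    match_source=False reproduces the behaviour reported in this bug: the
    address becomes a destination filter (-d).  match_source=True is the
    source filter (-s) that the reporter and Comment 2 ask for.  The INPUT
    chain is an assumption, not taken from the page.
    """
    flag = "-s" if match_source else "-d"
    return ["iptables", "-A", "INPUT", "-p", rule["proto"],
            "--dport", str(rule["port"]), flag, rule["addr"],
            "-j", rule["action"]]


def matches(args, src, dst):
    """Would a packet with this (src, dst) pair hit the address selector?

    Shows why a -d rule does not protect the host: any source reaches the
    named destination, while traffic *from* that address to the host's own
    address is not matched at all.
    """
    if "-s" in args:
        return src == args[args.index("-s") + 1]
    return dst == args[args.index("-d") + 1]
```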
Comment 3 Bjoern Franke 2020-01-27 15:12:50 CET
As discussed at the Summit barcamp, the problem also shows up here, among other places:
https://help.univention.com/t/firewall-ucr-registry-will-not-accept-ipv4-address-in-rule/
One presumably assumes, as a rule, that the IP that can be set is the source and not the destination.
Comment 4 Nico Stöckigt univentionstaff 2020-06-20 10:14:40 CEST
This is still the case in UCS 4.4.
Comment 5 Philipp Hahn univentionstaff 2020-09-23 14:30:20 CEST
*** Bug 52129 has been marked as a duplicate of this bug. ***
Comment 6 Daniel Tröder univentionstaff 2020-09-23 17:18:00 CEST
Because of this missing feature I had to deactivate the package filter rules and add my own rules in 50_local.sh, on my personal UCS systems that have a public IP address.
Comment 7 Philipp Hahn univentionstaff 2022-05-04 06:44:35 CEST
Bug #25632 is another example where a user assumed that the specified address is a *source* address and not a destination address, which only seems to be useful if the host has multiple IP addresses. This makes it mostly useless for any server except either for blocking IPv4 or IPv6.
Comment 8 Philipp Hahn univentionstaff 2022-05-04 07:27:20 CEST
The UCRV descriptions re-direct to <https://docs.software-univention.de/developer-reference-5.0.html#misc:nacl>, which only talks about "address" but also does not specify whether it is the *source* or *destination* address.