Firewall UCR registry will not accept ipv4 address in rule

I’ve been trying to make some rules more strict so that I can limit a port to an IP and my current rule is the only one that works:

UCR Variable: security/packetfilter/tcp/9102/all
Value: ACCEPT

According to the documentation at https://docs.software-univention.de/developer-reference-4.2.html#misc:nacl:ucr it says this should work:

security/packetfilter/protocol/port(s)/address=policy

So when I try it as below, it doesn’t work.

UCR Variable: security/packetfilter/tcp/9102/172.16.0.99
Value: ACCEPT

What doesn’t work exactly? You’ve to restart the firewall after creating the rule:

systemctl restart univention-firewall.service

I am well aware of needing to restart the firewall service after each change. It still doesn’t work.

So what’s the output of

iptables -L
# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere             udp spt:netbios-ns
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http-alt
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:6670
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpts:netbios-ns:netbios-ssn
ACCEPT     udp  --  anywhere             anywhere             udp dpt:microsoft-ds
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:nrpe
ACCEPT     udp  --  anywhere             anywhere             udp dpt:netbios-ns
ACCEPT     udp  --  anywhere             anywhere             udp dpts:32765:32769
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sunrpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:32765:32769
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:netbios-ns:netbios-ssn
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sunrpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:kshell
ACCEPT     tcp  --  anywhere             backup.skaggscatholiccenter.org  tcp dpt:bacula-fd
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             udp dpt:nfs
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:nfs
ACCEPT     tcp  --  172.17.0.0/16        anywhere             tcp dpt:mysql
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
DOCKER-ISOLATION  all  --  anywhere             anywhere            
DOCKER     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            

Chain DOCKER (1 references)
target     prot opt source               destination         

Chain DOCKER-ISOLATION (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere 

Hey,

Port 9102 is called bacula-fd, and I guess that the IP 172.16.0.99 belongs to backup.skaggscatholiccenter.org. Which would mean that the rule does actually work. How do you figure that it doesn’t?

Kind regards,
mosu

Because the backup server says it cannot see the file daemon running on port 9102. It only works with the “all” version of the command, which I had enabled right before switching the rules and running the iptables -L command.

Hey,

try looking into what actually happens with tcpdump. Run the following on the machine you want to backup:

tcpdump -n -i any port 9102

Then let Bacula try to connect. What does tcpdump output in that moment? Please also post the output of iptables -L -nv from the machine-to-be-backed-up after that attempt.

m.

Hi,
this issue was also mentioned on the Barcamp session. I assume @sccmrb also wants the firewall rule in the other direction, so that backup.skaggscatholiccenter.org can connect to 9102. Due to a 9 year old bug, this is not possible: https://forge.univention.org/bugzilla/show_bug.cgi?id=25632
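A quick way to confirm what the thread observes (the address from the UCR variable ends up in the destination column of the INPUT rule, not the source column) is to parse the `iptables -L` output rather than eyeball it. The script below is an added example, not part of this thread or of Univention's tooling; the sample output and the hostname backup.example.test are constructed to mirror the listing above.

```shell
#!/bin/sh
# Added example (not from the thread): given "iptables -L" output, report
# on which side (source or destination) an ACCEPT rule for a port/service
# is restricted. Sample output below is constructed; the hostname
# backup.example.test is a placeholder.

SAMPLE_IPTABLES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             backup.example.test  tcp dpt:bacula-fd
ACCEPT     tcp  --  172.17.0.0/16        anywhere             tcp dpt:mysql
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable'

# restricted_side SERVICE_OR_PORT   (reads "iptables -L" output on stdin)
# Prints one of: destination | source | both | none | missing
# Columns in iptables -L: $1 target, $2 prot, $3 opt, $4 source,
# $5 destination, then the match (e.g. "tcp dpt:bacula-fd").
restricted_side() {
    awk -v want="dpt:$1" '
        $1 == "ACCEPT" && $NF == want {
            found = 1
            src = ($4 != "anywhere" && $4 != "0.0.0.0/0")
            dst = ($5 != "anywhere" && $5 != "0.0.0.0/0")
            if (src && dst)      print "both"
            else if (src)        print "source"
            else if (dst)        print "destination"
            else                 print "none"
            exit
        }
        END { if (!found) print "missing" }
    '
}

# On the sample: the bacula-fd rule is restricted on the destination side,
# i.e. it limits which local address may be contacted, not who may connect.
printf '%s\n' "$SAMPLE_IPTABLES" | restricted_side bacula-fd   # destination
printf '%s\n' "$SAMPLE_IPTABLES" | restricted_side mysql       # source

# On a live UCS host (numeric output, so the port appears as dpt:9102):
#   iptables -L INPUT -n | restricted_side 9102
```

A result of `destination` for the backup port means the backup server's connections are still matched only by the generic rules, which is consistent with the file daemon being reachable under the `all` variant and not under the address-qualified one.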
