Opened 8 years ago

Closed 7 years ago

#3043 closed defect (fixed)

Default firewall config accepts all OUTPUT connections

Reported by: argovela-at-yahoo-com Owned by: developers
Priority: normal Milestone: Kamikaze 7.09
Component: packages Version:
Keywords: firewall iptables OUTPUT Cc:

Description

The default iptables rules configured by /etc/init.d/firewall will accept all outgoing connections from the router in the OUTPUT chain. This seems to contradict the documentation at http://wiki.openwrt.org/OpenWrtDocs/IPTables, which implies that all outgoing connections need to be specifically allowed.

Note lines #81-82 in the following code:

76        #
77        # insert accept rule or to jump to new accept-check table here
78        #
79        iptables -A OUTPUT -j output_rule
80
81        # allow
82        iptables -A OUTPUT -j ACCEPT            #allow everything out
83
84        # reject (what to do with anything not allowed earlier)
85        iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
86        iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
87

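The defect above is a rule-ordering problem: the unconditional `-j ACCEPT` at line 82 terminates evaluation for every packet, so the REJECT rules at lines 85-86 can never match. The following lint is an added example (not part of the ticket or of the OpenWrt firewall script) that flags rules made unreachable by an earlier catch-all in the same chain; the rule excerpts it runs on are constructed from the lines quoted in the report.

```shell
#!/bin/sh
# Added example: find iptables rules that can never match because an
# earlier rule in the same chain terminates evaluation unconditionally.

# Constructed excerpt modelled on the OUTPUT chain quoted in the ticket.
RULES_WITH_BUG='iptables -A OUTPUT -j output_rule
iptables -A OUTPUT -j ACCEPT
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable'

# Same chain with the blanket ACCEPT removed: the specific allows are
# expected to live in the output_rule chain (an assumption of this
# example), and anything not accepted there falls through to REJECT.
RULES_FIXED='iptables -A OUTPUT -j output_rule
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable'

# Print every rule appended to a chain after an unconditional terminating
# rule, i.e. one of the form "-A CHAIN -j ACCEPT|DROP|REJECT" with no
# match options. A jump to a user chain (-j output_rule) is not
# terminating, so it does not shadow anything.
shadowed_rules() {
    printf '%s\n' "$1" | awk '
        $1 == "iptables" && $2 == "-A" {
            chain = $3
            if (chain in terminal) { print "shadowed: " $0; next }
            if (NF == 5 && $4 == "-j" &&
                ($5 == "ACCEPT" || $5 == "DROP" || $5 == "REJECT"))
                terminal[chain] = $5
        }'
}

# Number of shadowed rules; 0 means every rule in the list is reachable.
count_shadowed() {
    shadowed_rules "$1" | awk 'END { print NR }'
}

echo "buggy chain:  $(count_shadowed "$RULES_WITH_BUG") shadowed rule(s)"
echo "fixed chain:  $(count_shadowed "$RULES_FIXED") shadowed rule(s)"
```

Run against the buggy excerpt it reports both REJECT rules as shadowed; against the fixed ordering it reports none.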
Attachments (0)

Change History (1)

comment:1 Changed 7 years ago by florian

  • Resolution set to fixed
  • Status changed from new to closed

Should be fixed with the new UCI firewall.
