Bugfix/sentinel dynfw bypass fix (!434) · Merge requests · Turris / Turris OS / Turris OS packages

Merged Bugfix/sentinel dynfw bypass fix

bugfix/sentinel-dynfw-bypass-fix into develop

Merged Martin Prudek requested to merge bugfix/sentinel-dynfw-bypass-fix into develop 4 years ago

Jul 24, 2020

sentinel-dynfw-client: Remove bypass on FORWARD chain · 07187ebe
Martin Prudek authored 4 years ago and Karel Koci committed 4 years ago

Verified

07187ebe

sentinel-dynfw-client: Move marking to PREROUTING · 43d9f0c8

Martin Prudek authored 4 years ago and

Karel Koci committed 4 years ago

We use marking is to be able to identify traffic for minipots
and other probes and let it bypass the firewall. The marking is done by
checking destination ports - e.g. 22, 23 etc.

When marked in mangle INPUT chain the destination ports were already
REDIRECTed to corresponding internal ports e.g. 2525, 2333 etc and thus
no marking were done at all.

Marking in mangle PREROUTING chain is done before REDIRECT and thus
correct destination ports are matched.

Verified

43d9f0c8

Admin message

Admin message

Bugfix/sentinel dynfw bypass fix

Merge request reports

Activity