Ticket #644 (closed defect: worksforme)

Opened 6 years ago

Last modified 4 years ago

Faulty firewall

Reported by: priyend@… Owned by: juruen@…
Milestone: Component: firewall
Severity: normal Keywords:
Cc:

Description

Hi

I have the following set up with version 0.9.x.

HTTP proxy enabled and set to transparent with group policy to allow all.

When I try to go to the following site:

 http://demo.cpanel.net:2086/login/?user=demo&pass=demo

I get a time out.

The reason is that port 2086 is non-standard, unlike port 80 or 443.

I then use the web interface and go to Firewall->Packet Filter and choose

Configure rules under "Filtering Rules between internal networks"

I then add a simple rule to allow any port to any source and any destination. This would then mean that I will be able to go to the above site.

This does not work.

I log in as root and then type in :

iptables -A OUTPUT -j ACCEPT

Once this is done then I can easily go to the site above with no problems.

I know that it is not a good idea to simply allow any port to any source and destination. The above is just for simplicity.

Anyway, after investigation I found that the web interface only adds a line to the "Chain ffwdrules" section, which in turn only affects the "FORWARD" section of the iptables firewall.

The correct place to have put the rule is in the OUTPUT section but there is no way of doing that from the web interface.

On another note, I also found that when restarting the eBox firewall or the eBox system, my iptables rule above disappears. I have to log in and type it in manually.

The firewall packet rules need to be looked at. Some sites cannot be reached unless we write our own rules using the console.

Best regards
Priyend

Change History

comment:1 Changed 6 years ago by ejhernandez@…

From 0.10 onwards, the firewall will have changed dramatically in order to allow setting OUTPUT/INPUT rules via the Web UI.

The rule for the uncommon Web port through transparent proxy is required to be at the OUTPUT chain since the traffic source is eBox (the proxy itself).

You can hack Iptables.pm for the time being to add your custom rule. You may ask the firewall developer how to do so.
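The description and comment:1 together explain the mechanism: the transparent proxy runs on the eBox host, so its upstream connection to port 2086 is locally generated traffic that traverses the OUTPUT chain and never reaches FORWARD, where the ffwdrules chain is hooked. The workaround posted in the ticket, `iptables -A OUTPUT -j ACCEPT`, opens every outbound port for every process on the box. The script below is an added example, not eBox code or anything from the ticket; it builds a rule scoped to the proxy's own uid and the single destination port. It assumes the proxy runs as the system user `proxy` (the Ubuntu squid default; verify with `ps -o user= -C squid`) and that the iptables owner match module is available.

```shell
#!/bin/sh
# Added example: a narrowly scoped OUTPUT rule for a transparent proxy's
# upstream connection to a non-standard web port. The proxy process opens
# the upstream socket on the firewall host itself, so the packets are
# locally generated and only traverse OUTPUT (rules added via ffwdrules
# sit under FORWARD and never see them). On the client side of a TCP
# connection every packet carries the same destination port, so no
# conntrack state match is needed to cover the whole connection.
#
# Assumptions (not from the ticket): the proxy runs as user "proxy", and
# the owner match module (-m owner) is compiled in.

IPTABLES=${IPTABLES:-iptables}     # override to test without root
PROXY_USER=${PROXY_USER:-proxy}    # assumed squid uid; check with ps
DRY_RUN=${DRY_RUN:-}               # non-empty: print the rule, do not apply

# proxy_output_rule PORT
# Prints the iptables command for PORT and applies it unless DRY_RUN is set.
# Returns 1 on an invalid port so a caller's set -e stops early.
proxy_output_rule() {
    port=$1
    case "$port" in
        ''|*[!0-9]*) echo "invalid port: '$port'" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2
        return 1
    fi
    # -I inserts at the top of OUTPUT so eBox's own rules do not shadow it.
    # --uid-owner restricts the match to sockets owned by the proxy user,
    # so a shell on the box gets nothing it did not have before.
    set -- -I OUTPUT -p tcp -m owner --uid-owner "$PROXY_USER" \
        --dport "$port" -j ACCEPT
    echo "$IPTABLES $*"
    [ -n "$DRY_RUN" ] || "$IPTABLES" "$@"
}

# Usage: DRY_RUN=1 sh proxy_output_rule.sh 2086
if [ -n "${1:-}" ]; then
    proxy_output_rule "$1"
fi
```

The rule is inserted, not persisted: as the reporter notes, eBox rewrites its chains on restart, so this has to be re-run after every firewall or system restart until it is carried by the firewall module itself (comment:1 points at Iptables.pm for that). Run it once with DRY_RUN set to see the exact command before applying it as root.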

comment:2 Changed 4 years ago by javier.amor.garcia@…

  • Status changed from new to closed
  • Resolution set to worksforme

This ticket is about the deprecated firewall interface...
