[Firehol-support] How different interfaces are from routers
phil at firehol.org
Tue Jul 31 18:47:35 BST 2018
On Tue, Jul 31, 2018 at 03:47:48PM +0200, Wojtek Swiatek wrote:
> On Tue, Jul 31, 2018 at 14:19, Wojtek Swiatek <w at swtk.info> wrote:
> > A service (say, a web server) is bound to an interface. Its security is
> > dependent on
> > - the capacity of a packet to reach that interface (so "router"?)
> > - the capacity of a packet to be accepted on the interface (so
> > "interface"?)
> For that precise example I would say that "interface" is not useful as the
> traffic can be filtered via "router".
> The more I think about it, the less I can imagine a use for "interface"
> since the traffic getting to it must in any case come from somewhere =
> another interface = filtered via "router"
Hi, a FireHOL interface and router will never see the same traffic.
This is because netfilter, which is what implements the actual firewall
rules in Linux, will only check rules in one of the INPUT, OUTPUT and
FORWARD chains. See this diagram.
There are other chains that complicate things e.g. NAT changes the
packet before the decision of which filter chain to use, but regardless
only one of the above will be chosen.
Basically, if an incoming packet will be handled by the Linux box itself,
it is INPUT. If it is being sent by the Linux box, it is OUTPUT. If the
packet arrives from outside and will go to outside it is FORWARD.
This is also complicated by e.g. VMs, where the host machine might be
routing packets between interfaces (FORWARD) even though it is to all
appearance the same machine. Again, it will only ever go to one of the
three options. It all hinges on whether Linux considers the packet to
be routed or not (or bridged if the appropriate sysctl is applied).
When you write an interface in FireHOL, you get rules on the INPUT
and OUTPUT chains. When you write a router, you get rules on the
Hope that helps
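The chain-selection logic described in the reply above, as an added illustration (not code from the original post, and not FireHOL's own implementation). It models the one decision netfilter makes for each packet: a locally generated packet goes to OUTPUT, a received packet addressed to one of the box's own addresses goes to INPUT, and a received packet addressed elsewhere goes to FORWARD only if forwarding is enabled (otherwise the routing code discards it before any filter chain is consulted). The second function maps each chain to the FireHOL construct whose rules can see it. The address list and the sample packets are constructed; the bridge case (br_netfilter's bridge-nf-call-iptables sysctl) is not modelled.

```shell
#!/bin/sh
# Added example: which netfilter filter chain a packet hits, and therefore
# whether a FireHOL "interface" or "router" definition can ever match it.
# Not FireHOL code. LOCAL_ADDRS is a constructed sample of the addresses
# configured on this box.

LOCAL_ADDRS="192.0.2.10 10.0.0.1 127.0.0.1"

# is_local ADDR -> true if ADDR is one of this box's own addresses
is_local() {
    for a in $LOCAL_ADDRS; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# classify IN_IFACE SRC DST IP_FORWARD
#   IN_IFACE   interface the packet arrived on, or "-" if a local process
#              generated it
#   IP_FORWARD value of net.ipv4.ip_forward (0 or 1)
# Prints exactly one of: OUTPUT INPUT FORWARD NONE
classify() {
    in_iface=$1; src=$2; dst=$3; ip_forward=$4

    if [ "$in_iface" = "-" ]; then
        # Generated by this box: filtered in OUTPUT. (If DST is also local it
        # re-enters via lo and is then filtered in INPUT as a new arrival.)
        echo OUTPUT
    elif is_local "$dst"; then
        # Arrived from outside and delivered to a local socket: INPUT.
        echo INPUT
    elif [ "$ip_forward" = "1" ]; then
        # Arrived from outside, leaves towards another host: FORWARD.
        echo FORWARD
    else
        # Not for us and forwarding is off: the routing code drops it
        # before INPUT, OUTPUT or FORWARD is ever consulted.
        echo NONE
    fi
}

# firehol_construct CHAIN -> which FireHOL definition can match the packet
firehol_construct() {
    case "$1" in
        INPUT|OUTPUT) echo interface ;;   # interface rules live in INPUT/OUTPUT
        FORWARD)      echo router ;;      # router rules live in FORWARD
        *)            echo none ;;        # never reaches the filter table
    esac
}

# Constructed sample packets: in_iface src dst ip_forward
if [ "${1:-}" = "demo" ]; then
    printf '%-8s %-14s %-14s %-4s %-8s %s\n' IFACE SRC DST FWD CHAIN FIREHOL
    while read -r iface src dst fwd; do
        chain=$(classify "$iface" "$src" "$dst" "$fwd")
        printf '%-8s %-14s %-14s %-4s %-8s %s\n' \
            "$iface" "$src" "$dst" "$fwd" "$chain" "$(firehol_construct "$chain")"
    done <<'EOF'
eth0 198.51.100.7 192.0.2.10 1
-    192.0.2.10   198.51.100.7 1
eth0 198.51.100.7 10.0.0.42 1
eth0 198.51.100.7 10.0.0.42 0
EOF
fi
```

Run it with `sh script.sh demo` to print the table. The third and fourth sample packets are the ones the thread is about: the same packet arriving on eth0 for a host behind this box is seen only by a router definition when forwarding is on, and by nothing at all when it is off, whereas an interface definition never sees it in either case.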