So, here's the situation:
With these rules:
I tried:
- All three enabled together. Browsing doesn't work (except on Google and a few others, I don't understand why); the rule match is recorded in the log (I always get dns match and http match), but the site's data, which is always on port 80, is not passed to me, given that the any(all) rule has no entries in the log.
When browsing does work (after hitting "apply" over and over), ALL ports are open (I can reach sites on port 81 (www.itek.it:81), Messenger starts working again, and so on), so it is as if the rules were disabled.
- Only the first two enabled (any(all) disabled): same thing, browsing doesn't work, but the log entries are correct.
I'm posting the fw diagnostics if you want them (I don't understand why there are 2 dns rules in outfilter instead of one).
Anyway, there is something seriously wrong with the fw... it's obvious.
HTML code:
-------------------------------------------------------------------------
Chain PREROUTING (policy ACCEPT 6169 packets, 691K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- ppp0 * 0.0.0.0/0 239.255.255.250
0 0 ACCEPT all -- ppp0 * 0.0.0.0/0 224.0.0.252
25 2330 DIS_IMPORTS all -- * * 0.0.0.0/0 0.0.0.0/0
25 2330 REAIM all -- * * 0.0.0.0/0 0.0.0.0/0
25 2330 PRE_BASIC all -- * * 0.0.0.0/0 0.0.0.0/0
25 2330 MINIUPNPD_W all -- * * 0.0.0.0/0 0.0.0.0/0
25 2330 NAPT all -- * * 0.0.0.0/0 0.0.0.0/0
21 2080 DMZ all -- * * 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT 2993 packets, 221K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x2643
5 1140 MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain BASIC_DNS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNS udp -- br0 * 0.0.0.0/0 192.168.0.1 udp dpt:53
Chain DIS_IMPORTS (1 references)
pkts bytes target prot opt in out source destination
Chain DMZ (1 references)
pkts bytes target prot opt in out source destination
Chain DNS (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- * * 0.0.0.0/0 192.168.0.1 random 25% to:208.67.222.222
0 0 DNAT all -- * * 0.0.0.0/0 192.168.0.1 random 25% to:8.8.4.4
0 0 DNAT all -- * * 0.0.0.0/0 192.168.0.1 random 25% to:208.67.220.220
0 0 DNAT all -- * * 0.0.0.0/0 192.168.0.1 to:8.8.8.8
Chain MINIUPNPD (0 references)
pkts bytes target prot opt in out source destination
Chain MINIUPNPD_W (1 references)
pkts bytes target prot opt in out source destination
Chain NAPT (1 references)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 82.52.65.32 tcp dpt:EDIT to:192.168.0.2:EDIT
0 0 DNAT udp -- * * 0.0.0.0/0 82.52.65.32 udp dpt:EDIT to:192.168.0.2:EDIT
0 0 DNAT tcp -- * * 0.0.0.0/0 82.52.65.32 tcp dpt:EDIT to:192.168.0.2:EDIT
0 0 DNAT udp -- * * 0.0.0.0/0 82.52.65.32 udp dpt:EDIT to:192.168.0.2:EDIT
2 96 DNAT tcp -- * * 0.0.0.0/0 82.52.65.32 tcp dpt:EDIT to:192.168.0.3:EDIT
2 154 DNAT udp -- * * 0.0.0.0/0 82.52.65.32 udp dpt:EDIT to:192.168.0.3:EDIT
0 0 DNAT tcp -- * * 0.0.0.0/0 82.52.65.32 tcp dpt:EDIT to:192.168.0.3:EDIT
0 0 DNAT udp -- * * 0.0.0.0/0 82.52.65.32 udp dpt:EDIT to:192.168.0.3:EDIT
Chain PRE_BASIC (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- ppp0 * 0.0.0.0/0 !82.52.65.32
19 1954 BASIC_DNS all -- * * 0.0.0.0/0 0.0.0.0/0
19 1954 REMOTE_HTTPS all -- * * 0.0.0.0/0 0.0.0.0/0
19 1954 REMOTE_HTTP all -- * * 0.0.0.0/0 0.0.0.0/0
19 1954 REMOTE_TEL all -- * * 0.0.0.0/0 0.0.0.0/0
19 1954 REMOTE_SSH all -- * * 0.0.0.0/0 0.0.0.0/0
19 1954 REMOTE_NTP all -- * * 0.0.0.0/0 0.0.0.0/0
19 1954 REMOTE_SNMP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain REAIM (1 references)
pkts bytes target prot opt in out source destination
Chain REMOTE_HTTP (1 references)
pkts bytes target prot opt in out source destination
Chain REMOTE_HTTPS (1 references)
pkts bytes target prot opt in out source destination
Chain REMOTE_NTP (1 references)
pkts bytes target prot opt in out source destination
Chain REMOTE_SNMP (1 references)
pkts bytes target prot opt in out source destination
Chain REMOTE_SSH (1 references)
pkts bytes target prot opt in out source destination
Chain REMOTE_TEL (1 references)
pkts bytes target prot opt in out source destination
--------------- [ FILTER table ] ----------------------------------------------------------------------
Chain INPUT (policy DROP 7 packets, 334 bytes)
pkts bytes target prot opt in out source destination
60 13167 OPENVPN all -- * * 0.0.0.0/0 0.0.0.0/0
60 13167 REAIM all -- * * 0.0.0.0/0 0.0.0.0/0
60 13167 BASIC_SERVICE all -- * * 0.0.0.0/0 0.0.0.0/0
7 334 LOCAL_SERVICE all -- * * 0.0.0.0/0 0.0.0.0/0
7 334 WAN_PING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- ppp0 * 0.0.0.0/0 239.255.255.250
0 0 ACCEPT all -- ppp0 * 0.0.0.0/0 224.0.0.252
42 32620 ALGS all -- * * 0.0.0.0/0 0.0.0.0/0
20 1846 OUT_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
20 1846 CFILTER_IM all -- * * 0.0.0.0/0 0.0.0.0/0
20 1846 CFILTER all -- * * 0.0.0.0/0 0.0.0.0/0
20 1846 FW_BASIC all -- * * 0.0.0.0/0 0.0.0.0/0
1 48 IN_FILTER all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 MINIUPNPD all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DMZ all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 59 packets, 31396 bytes)
pkts bytes target prot opt in out source destination
59 31396 MINIUPNPD_O all -- * * 0.0.0.0/0 0.0.0.0/0
59 31396 LAN_PING all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ALGS (1 references)
pkts bytes target prot opt in out source destination
22 30774 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:80
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:389
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:522
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:1503
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:1720
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:1731
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:1863
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:6701
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:6891
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:6901
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:7001
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:5060
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:6901
Chain BASIC_SERVICE (1 references)
pkts bytes target prot opt in out source destination
29 2899 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
24 9934 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
6 294 DOS_SERVICE all -- * * 0.0.0.0/0 0.0.0.0/0
Chain BLOCK (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `[BLOCK]'
0 0 REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 reject-with http-block
Chain CFILTER (1 references)
pkts bytes target prot opt in out source destination
Chain CFILTER_IM (1 references)
pkts bytes target prot opt in out source destination
Chain DIS_IMPORTS (0 references)
pkts bytes target prot opt in out source destination
Chain DMZ (1 references)
pkts bytes target prot opt in out source destination
Chain DOS (6 references)
pkts bytes target prot opt in out source destination
1 72 RETURN all -- !ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 SCAN all -- * * 0.0.0.0/0 0.0.0.0/0 psd weight-threshold: 21 delay-threshold: 300 lo-ports-weight: 3 hi-ports-weight: 1
4 192 RETURN tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 50/sec burst 80 tcp flags:0x16/0x02
4 296 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 60/sec burst 100
0 0 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 5/sec burst 60
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5 LOG flags 0 level 4 prefix `[DOS]'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain DOS_BASIC (1 references)
pkts bytes target prot opt in out source destination
3 144 DOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
3 226 DOS udp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOS icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
Chain DOS_SERVICE (1 references)
pkts bytes target prot opt in out source destination
1 48 DOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
2 142 DOS udp -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOS icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8
Chain FW_BASIC (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
3 144 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
11 440 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
9 1406 DOS_BASIC all -- * * 0.0.0.0/0 0.0.0.0/0
4 250 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x2511
4 1108 ACCEPT all -- br0 * 0.0.0.0/0 0.0.0.0/0
Chain HTTP (0 references)
pkts bytes target prot opt in out source destination
Chain IN_FILTER (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- !ppp0 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.2 tcp dpt:EDIT
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.0.2 udp dpt:EDIT
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.2 tcp dpt:EDIT
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.0.2 udp dpt:EDIT
1 48 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.3 tcp dpt:EDIT
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.0.3 udp dpt:EDIT
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.3 tcp dpt:EDIT
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.0.3 udp dpt:EDIT
Chain LAN_PING (1 references)
pkts bytes target prot opt in out source destination
Chain LOCAL_SERVICE (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 MARK match 0x2511
6 294 REMOTE_HTTPS all -- * * 0.0.0.0/0 0.0.0.0/0
6 294 REMOTE_HTTP all -- * * 0.0.0.0/0 0.0.0.0/0
6 294 REMOTE_TEL all -- * * 0.0.0.0/0 0.0.0.0/0
6 294 REMOTE_SSH all -- * * 0.0.0.0/0 0.0.0.0/0
6 294 REMOTE_NTP all -- * * 0.0.0.0/0 0.0.0.0/0
6 294 REMOTE_SNMP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain MINIUPNPD (1 references)
pkts bytes target prot opt in out source destination
Chain MINIUPNPD_O (1 references)
pkts bytes target prot opt in out source destination
Chain OPENVPN (1 references)
pkts bytes target prot opt in out source destination
Chain OUT_FILTER (1 references)
pkts bytes target prot opt in out source destination
5 298 RETURN all -- !br0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG tcp -- * * 192.168.0.3 0.0.0.0/0 tcp dpt:53 LOG flags 0 level 4 prefix `[DNS rule match]'
0 0 ACCEPT tcp -- * * 192.168.0.3 0.0.0.0/0 tcp dpt:53
0 0 LOG udp -- * * 192.168.0.3 0.0.0.0/0 udp dpt:53 LOG flags 0 level 4 prefix `[DNS rule match]'
0 0 ACCEPT udp -- * * 192.168.0.3 0.0.0.0/0 udp dpt:53
0 0 LOG tcp -- * * 192.168.0.3 0.0.0.0/0 tcp dpt:80 LOG flags 0 level 4 prefix `[HTTP rule match]'
0 0 ACCEPT tcp -- * * 192.168.0.3 0.0.0.0/0 tcp dpt:80
0 0 LOG all -- * * 192.168.0.3 0.0.0.0/0 LOG flags 0 level 4 prefix `[Any(ALL) rule match]'
0 0 DROP all -- * * 192.168.0.3 0.0.0.0/0
Chain REAIM (1 references)
pkts bytes target prot opt in out source destination
Chain REMOTE_HTTP (1 references)
pkts bytes target prot opt in out source destination
Chain REMOTE_HTTPS (1 references)
pkts bytes target prot opt in out source destination
Chain REMOTE_NTP (1 references)
pkts bytes target prot opt in out source destination
Chain REMOTE_SNMP (1 references)
pkts bytes target prot opt in out source destination
Chain REMOTE_SSH (1 references)
pkts bytes target prot opt in out source destination
Chain REMOTE_TEL (1 references)
pkts bytes target prot opt in out source destination
Chain SCAN (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain WAN_PING (1 references)
pkts bytes target prot opt in out source destination
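
An added example, not part of the original post: a first-match walk over the OUT_FILTER rows copied from the dump above, returning which target decides a packet and which LOG prefixes it hits on the way. The sample packets in the usage are constructed, the function names are hypothetical, and only the fields these rows use (in-interface, protocol, source, dpt) are modelled.

```python
import ipaddress

# OUT_FILTER rows as posted above. DNS shows up as two LOG/ACCEPT pairs
# because the dump carries one pair for tcp and one for udp.
OUT_FILTER = """\
5 298 RETURN all -- !br0 * 0.0.0.0/0 0.0.0.0/0
0 0 LOG tcp -- * * 192.168.0.3 0.0.0.0/0 tcp dpt:53 LOG flags 0 level 4 prefix `[DNS rule match]'
0 0 ACCEPT tcp -- * * 192.168.0.3 0.0.0.0/0 tcp dpt:53
0 0 LOG udp -- * * 192.168.0.3 0.0.0.0/0 udp dpt:53 LOG flags 0 level 4 prefix `[DNS rule match]'
0 0 ACCEPT udp -- * * 192.168.0.3 0.0.0.0/0 udp dpt:53
0 0 LOG tcp -- * * 192.168.0.3 0.0.0.0/0 tcp dpt:80 LOG flags 0 level 4 prefix `[HTTP rule match]'
0 0 ACCEPT tcp -- * * 192.168.0.3 0.0.0.0/0 tcp dpt:80
0 0 LOG all -- * * 192.168.0.3 0.0.0.0/0 LOG flags 0 level 4 prefix `[Any(ALL) rule match]'
0 0 DROP all -- * * 192.168.0.3 0.0.0.0/0
"""

def parse_rule(line):
    # Columns: pkts bytes target prot opt in out source destination [match options]
    f = line.split()
    dport = next((int(t[4:]) for t in f[9:] if t.startswith("dpt:")), None)
    prefix = line.split("prefix `")[1].rstrip("'") if "prefix `" in line else None
    return dict(target=f[2], proto=f[3], in_if=f[5], src=f[7], dport=dport, prefix=prefix)

def iface_ok(spec, iface):
    if spec == "*":
        return True
    return iface != spec[1:] if spec.startswith("!") else iface == spec

def matches(r, pkt):
    return (iface_ok(r["in_if"], pkt["in_if"])
            and r["proto"] in ("all", pkt["proto"])
            and ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(r["src"])
            and r["dport"] in (None, pkt["dport"]))

def walk(pkt, rules=None):
    """Return (deciding target, LOG prefixes hit) for one packet in OUT_FILTER."""
    logged = []
    for r in rules or [parse_rule(l) for l in OUT_FILTER.splitlines()]:
        if not matches(r, pkt):
            continue
        if r["target"] == "LOG":        # LOG never ends traversal: record, go on
            logged.append(r["prefix"])
        else:                            # ACCEPT / DROP / RETURN end this chain
            return r["target"], logged
    return "RETURN", logged              # falling off a user chain returns to the caller

# Constructed packet: 192.168.0.3 on br0 opening tcp port 81.
print(walk({"in_if": "br0", "src": "192.168.0.3", "proto": "tcp", "dport": 81}))
```

A RETURN result only means OUT_FILTER made no decision; in the dump the FORWARD chain then continues with CFILTER_IM, CFILTER and FW_BASIC, and ALGS is evaluated before OUT_FILTER.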