I have a minor issue with firewall configuration which might escalate to a security issue, so let's talk about it. It's on a snapshot version, and I am using fw3. Let's start with my network configuration...
It's non-relevant, but system is x86_64.
LAN is 10.0.0.0/9 ( 10.0.0.1-10.127.255.255 address space )
Actually LAN is only 10.0.0.0/16 (10.0.0.1-10.0.255.0 ) but since I have some VPN network with bridging, outside hosts are using 10.x.0.0/24 as their address spacing, so 10.0.0.0/9 covers this. I have a testing device where I have this "issue" with address of 10.95.0.1.
Issue comes with containerised service(s), I have nginx running inside a podman container. CNI is configured to use 10.129.0.0/24 as subnet, so:
config interface 'podman' option proto 'none' option device 'cni-podman0'
and in my firewall configuration I have following (un-related parts cut out):
config defaults option flow_offloading 1 option syn_flood 1 option input ACCEPT option output ACCEPT option forward REJECT config zone option name lan list network 'lan' option input ACCEPT option output ACCEPT option forward ACCEPT ... config zone option name podman list device 'cni-podman0' list subnet '10.129.0.0/24' option input REJECT option output ACCEPT option forward ACCEPT option masq 0 option mtu_fix 1 ... config forwarding option src lan option dest podman config forwarding option src podman option dest wan ... config rule option name Reject-podman-to-lan option src podman option dest * option dest_ip 10.0.0.0/9 option proto tcp+udp option target REJECT config redirect option name Allow-HTTP option src wan option dest podman option src_dport 80 option dest_ip 10.129.0.2 option dest_port 80 option proto tcp option target DNAT config redirect option name Allow-HTTPS option src wan option dest podman option src_dport 80 option dest_ip 10.129.0.2 option dest_port 80 option proto tcp option target DNAT
cni-podman0 Link encap:Ethernet HWaddr FE:7D:2E:77:DF:39 inet addr:10.129.0.1 Bcast:10.129.0.255 Mask:255.255.255.0 ... br-lan Link encap:Ethernet HWaddr 36:16:CD:39:4D:23 inet addr:10.95.0.1 Bcast:10.95.0.255 Mask:255.255.255.0 ...
firewall.user does not have any rules.
And then I have a pod that is set to use IP address 10.129.0.2.
With recent podman, on OpenWrt it is possible to use storage for podman which is on a physical device instead of in RAM, so pod(s) & container(s) can survive reboot, but if I won't use this set up, I have a kube file which builds pod and it's host(nginx) on rc.local
Now, as you see, on my firewall configuration, I want to disable access from container to ANY lan ip addresses, and all my configurations work as they should- except... After building my service with script on rc.local, I also must add /etc/init.d/firewall restart (maybe reload would be sufficient...) to block access to LAN from containers. I have not tested this yet, but I am pretty sure, I need to reload firewall EVERY time after creating containers to keep this wanted behaviour.
If I keep my containers on a persisting storage, like on a disk, I do not need to restart firewall.
And that is my concern of security issue I am talking about, as I'd like to fix this so one would not need to remember to restart firewall to retain podman -> lan blocking...
Here is what I think this is about: firewall starts BEFORE podman. So even though cni-podman0 is introduced in network configuration and zone is listed in firewall configuration, rules are ignored - which is strange in that way, that http(s) redirection works any way..
I have not actually ever been a firewall (iptables) expert, so that is why these are just thoughts why I have this issue. So, now I am looking for those experts to tell me where my mistake is and how to fix this.
Hopefully we can stay on topic...