Rearrange order of FW rules

Signed-off-by: keliramu <[email protected]>
NordSecurity · Aug 6, 2024 · a7e0c89 · a7e0c89
1 parent 03bf3e3
commit a7e0c89
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 16 deletions.
diff --git a/daemon/rpc_set_lan_discovery.go b/daemon/rpc_set_lan_discovery.go
@@ -48,6 +48,7 @@ func (r *RPC) SetLANDiscovery(ctx context.Context, in *pb.SetLANDiscoveryRequest
 		}
 
 		cfg.AutoConnectData.Allowlist.Subnets = subnets
+		allowlist = cfg.AutoConnectData.Allowlist
 	}
 
 	if err := r.netw.SetAllowlist(allowlist); err != nil {

diff --git a/networker/networker.go b/networker/networker.go
@@ -899,6 +899,7 @@ func (netw *Combined) setAllowlist(allowlist config.Allowlist) error {
 		allowlist = addLANPermissions(allowlist)
 	}
 
+	// start adding set of rules
 	rules := []firewall.Rule{}
 	var subnets []netip.Prefix
 
@@ -924,12 +925,6 @@ func (netw *Combined) setAllowlist(allowlist config.Allowlist) error {
 			Direction:      firewall.TwoWay,
 			Allow:          true,
 		})
-		rules = append(rules, firewall.Rule{
-			Name:             "allowlist_forward_related",
-			Direction:        firewall.Forward,
-			Allow:            true,
-			ConnectionStates: firewall.ConnectionStates{States: []firewall.ConnectionState{firewall.Established, firewall.Related}},
-		})
 		rules = append(rules, firewall.Rule{
 			Name:           "allowlist_subnets_forward",
 			Interfaces:     ifaces,
@@ -967,15 +962,17 @@ func (netw *Combined) setAllowlist(allowlist config.Allowlist) error {
 			}
 		}
 	}
-
 	if err := netw.fw.Add(rules); err != nil {
 		return err
 	}
 
-	// disable DNS traffic to private LAN ranges - to prevent DNS leaks
-	// when /etc/resolv.conf has nameserver default gateway
-	if err := netw.denyDNS(); err != nil {
-		return err
+	// if port 53 is whitelisted - do not add drop-dns rules
+	if !allowlist.Ports.TCP[53] && !allowlist.Ports.UDP[53] {
+		// disable DNS traffic to private LAN ranges - to prevent DNS leaks
+		// when /etc/resolv.conf has nameserver default gateway
+		if err := netw.denyDNS(); err != nil {
+			return err
+		}
 	}
 
 	netw.allowlist = allowlist
@@ -1005,22 +1002,23 @@ func (netw *Combined) unsetAllowlist() error {
 	for _, rule := range []string{
 		"allowlist_subnets",
 		"allowlist_subnets_forward",
-		"allowlist_forward_related",
 		"allowlist_ports_tcp",
 		"allowlist_ports_udp",
 	} {
 		err := netw.fw.Delete([]string{rule})
 		if err != nil && !errors.Is(err, firewall.ErrRuleNotFound) {
-			return err
+			return fmt.Errorf("disabling allowlist firewall rules: %w", err)
 		}
 	}
 
 	if err := netw.allowlistRouting.Disable(); err != nil {
 		return fmt.Errorf("disabling allowlist routing: %w", err)
 	}
 
-	if err := netw.undenyDNS(); err != nil {
-		return fmt.Errorf("unsetting deny dns: %w", err)
+	if !netw.allowlist.Ports.TCP[53] && !netw.allowlist.Ports.UDP[53] {
+		if err := netw.undenyDNS(); err != nil {
+			return fmt.Errorf("unsetting deny dns: %w", err)
+		}
 	}
 
 	return nil

diff --git a/test/qa/lib/firewall.py b/test/qa/lib/firewall.py
@@ -103,7 +103,6 @@
     "-A FORWARD -d 192.168.0.0/16 -o eth0 -m comment --comment nordvpn -j ACCEPT",
     "-A FORWARD -d 172.16.0.0/12 -o eth0 -m comment --comment nordvpn -j ACCEPT",
     "-A FORWARD -d 10.0.0.0/8 -o eth0 -m comment --comment nordvpn -j ACCEPT",
-    "-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -m comment --comment nordvpn -j ACCEPT",
 ]
 
 OUTPUT_LAN_DISCOVERY_RULES = [
-Original file line number
+Diff line change
@@ Expand Up @@
     		}
     		cfg.AutoConnectData.Allowlist.Subnets = subnets
+    		allowlist = cfg.AutoConnectData.Allowlist
     	}
     	if err := r.netw.SetAllowlist(allowlist); err != nil {
@@ Expand Down @@