Feature #2644

Allow to specify a port range in firewall rules

Added by Stefano Fancello over 7 years ago. Updated over 7 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.5-rc1
Resolution:
NEEDINFO: No

Description

Currently, when a package needs to open ports in the firewall, it can specify them in the configuration db, but it is not possible to specify port ranges.
For example, asterisk needs to open UDP ports from 10000 to 20000 to allow the RTP data stream.
The only way to do this is to create a template for the default firewall and for shorewall, but it isn't correct that a package has to take care of which firewall is installed; it would be better to implement this at system level, with an interface that allows packages to specify port ranges in the db like:

UDPPorts=5060,4569,10000-20000,5036

The previous line should create rules to open ports 5060, 4569, 5036 (it works like this right now) AND ports from 10000 to 20000.

Associated revisions

Revision cbacb3a2
Added by Giacomo Sanchietti over 7 years ago

system-config-firewall: add support for services with port range. Refs #2644

Revision 413a6bd9
Added by Giacomo Sanchietti over 7 years ago

rules template: add support for services with port range. Refs #2644

Revision 5bfa48ca
Added by Giacomo Sanchietti over 7 years ago

rules template: support port range from local network. Refs #2644

Revision 1f79eea8
Added by Giacomo Sanchietti over 7 years ago

system-config-firewall: revert to cbacb3a27d5b764152d8dce7afba5d47d0e752b3. Refs #2644

Current template already supports port ranges.

Revision 516934f6
Added by Giacomo Sanchietti over 7 years ago

/etc/shorewall/rules template: use port range syntax. Refs #2644

History

#1 Updated by Davide Principi over 7 years ago

  • Target version set to v6.5-rc1

#2 Updated by Giacomo Sanchietti over 7 years ago

  • Status changed from NEW to TRIAGED
  • % Done changed from 0 to 20

It must be implemented in lokkit and shorewall configuration.

#3 Updated by Giacomo Sanchietti over 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti over 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#5 Updated by Giacomo Sanchietti over 7 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Packages in nethserver-testing:
  • nethserver-firewall-base-1.0.9-2.0git5bfa48ca.ns6.noarch.rpm
  • nethserver-base-2.0.0-2.0gitcbacb3a2.ns6.noarch.rpm

Test case 1
  • Create a clean machine without nethserver-firewall-base installed
  • Create two test services with port range and port list:
    config set test service UDPPorts 10000-20000 TCPPorts 1111-1122 status enabled access private
    config set test1 service UDPPorts 122,123 TCPPorts 124,125 status enabled access private
  • Execute signal-event firewall-adjust
  • Check all ports are enabled in /etc/sysconfig/system-config-firewall
  • Check all ports are enabled in iptables: iptables -nvL | less

Test case 2
  • Install nethserver-firewall-base and configure a red interface
  • Create two test services with port range and port list:
    config set test service UDPPorts 10000-20000 TCPPorts 1111-1122 status enabled access public
    config set test1 service UDPPorts 122,123 TCPPorts 124,125 status enabled access private
  • Execute signal-event firewall-adjust
  • Check all ports are enabled in /etc/shorewall/rules
  • Check all ports (from local and external network) are enabled in iptables: iptables -nvL | less

#6 Updated by Giacomo Sanchietti over 7 years ago

  • Description updated (diff)

#7 Updated by Giacomo Sanchietti over 7 years ago

  • Status changed from ON_QA to TRIAGED
  • % Done changed from 70 to 20

The current implementation allows only a property in the form with commas or with a dash, not a combination of both as reported in the description.
If possible, use the lokkit and shorewall range syntax.

#8 Updated by Giacomo Sanchietti over 7 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#9 Updated by Giacomo Sanchietti over 7 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

The new implementation now uses the port range syntax for lokkit and Shorewall.

#10 Updated by Giacomo Sanchietti over 7 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Packages in nethserver-testing:
  • nethserver-firewall-base-1.0.9-3.0git516934f6.ns6.noarch.rpm
  • nethserver-base-2.0.0-5.0git1f79eea8.ns6.noarch.rpm

Test case 1
  • Create a clean machine without nethserver-firewall-base installed
  • Create a test service with both a port range and a port list:
    config set test service UDPPorts 100,10000-20000,200 TCPPorts 300,1111-1122 status enabled access private
  • Execute signal-event firewall-adjust
  • Check all ports are enabled in /etc/sysconfig/system-config-firewall
  • Check all ports are enabled in iptables: iptables -nvL | less

Test case 2
  • Install nethserver-firewall-base and configure a red interface
  • Create a test service with both a port range and a port list:
    config set test service UDPPorts 100,10000-20000,200 TCPPorts 300,1111-1122 status enabled access public
  • Execute signal-event firewall-adjust
  • Check all ports are enabled in /etc/shorewall/rules
  • Check all ports (from local and external network) are enabled in iptables: iptables -nvL | less

#11 Updated by Alessio Fattorini over 7 years ago

  • Assignee set to Alessio Fattorini

#12 Updated by Alessio Fattorini over 7 years ago

Test case 2

[root@botolo ~]# config set test service UDPPorts 100,10000-20000,200 TCPPorts 300,1111-1122 status enabled access public
[root@botolo ~]# signal-event firewall-adjust

[root@botolo ~]# grep "10000" /etc/shorewall/rules 
ACCEPT    loc    $FW    udp    10000:20000
ACCEPT    net    $FW    udp    10000:20000

[root@botolo ~]# grep "1111" /etc/shorewall/rules 
ACCEPT    loc    $FW    tcp    1111:1122
ACCEPT    net    $FW    tcp    1111:1122

[root@botolo ~]# iptables -nvL | grep 1111
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpts:1111:1122 /* test */ 
[root@botolo ~]# iptables -nvL | grep 10000
    6   852 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpts:10000:20000 /* test */ 
[root@botolo ~]# iptables -nvL | grep "200 " 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:200 /* test */ 
[root@botolo ~]# iptables -nvL | grep "100 " 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:100 /* test */

VERIFIED

#13 Updated by Alessio Fattorini over 7 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

Test case 1

  • Create a clean machine without nethserver-firewall-base installed
[root@botolo ~]# rpm -qa | grep firewall
system-config-firewall-base-1.2.27-5.el6.noarch
  • Create two test services with port range and port list
[root@botolo ~]# config set test service UDPPorts 100,10000-20000,200 TCPPorts 300,1111-1122 status enabled access private
[root@botolo ~]#  signal-event firewall-adjust

Testing it

[root@botolo ~]# grep -w 10000  /etc/sysconfig/system-config-firewall
--port=10000-20000:udp
[root@botolo ~]# grep -w 100  /etc/sysconfig/system-config-firewall
--port=100:udp
[root@botolo ~]# grep -w 200  /etc/sysconfig/system-config-firewall 
--port=200:udp
[root@botolo ~]# grep -w 300  /etc/sysconfig/system-config-firewall 
--port=300:tcp
[root@botolo ~]# grep -w 1111  /etc/sysconfig/system-config-firewall 
--port=1111-1122:tcp

Testing iptables entry


[root@botolo ~]# iptables -nvL | grep -w 200
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:200 
[root@botolo ~]# iptables -nvL | grep -w 100
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpt:100 
[root@botolo ~]# iptables -nvL | grep -w 10000
   24  3408 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:10000:20000 
[root@botolo ~]# iptables -nvL | grep -w 300
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:300 
[root@botolo ~]# iptables -nvL | grep -w 1111
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:1111:1122 

VERIFIED
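The two verification runs above (#12 for Shorewall, #13 for system-config-firewall) show the same db property rendered in two syntaxes: lokkit takes `--port=LOW-HIGH:proto`, Shorewall takes `LOW:HIGH`. The following is an added illustration, not NethServer's own Perl templates, of how a mixed list such as `100,10000-20000,200` is parsed and rendered for both backends, and of the input checks a template should do (a reversed range or a port above 65535 is rejected instead of silently producing a rule). The zone mapping (`public` opens from `loc` and `net`, `private` only from `loc`) is an assumption drawn from the test output, not a documented contract.

```python
import re

MAX_PORT = 65535
# Matches a single port ("100") or a dash range ("10000-20000").
_ITEM = re.compile(r"^(\d+)(?:-(\d+))?$")


def parse_ports(spec):
    """Parse a db property value like '100,10000-20000,200' into a list of
    (low, high) tuples; a single port becomes (p, p). Rejects malformed
    items, reversed ranges and ports outside 1..65535."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        m = _ITEM.match(item)
        if not m:
            raise ValueError("invalid port item: %r" % item)
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if not 1 <= low <= high <= MAX_PORT:
            raise ValueError("bad range (reversed or out of bounds): %r" % item)
        ranges.append((low, high))
    return ranges


def lokkit_args(spec, proto):
    """Render system-config-firewall/lokkit arguments (dash range syntax)."""
    return ["--port=%s:%s" % (("%d" % lo) if lo == hi else "%d-%d" % (lo, hi), proto)
            for lo, hi in parse_ports(spec)]


def shorewall_rules(spec, proto, access, comment):
    """Render /etc/shorewall/rules lines (colon range syntax), one ACCEPT per
    source zone. Zone choice per 'access' is an assumption from the test logs."""
    zones = ["loc", "net"] if access == "public" else ["loc"]
    lines = []
    for lo, hi in parse_ports(spec):
        port = ("%d" % lo) if lo == hi else "%d:%d" % (lo, hi)
        for zone in zones:
            lines.append("ACCEPT\t%s\t$FW\t%s\t%s\t# %s" % (zone, proto, port, comment))
    return lines


if __name__ == "__main__":
    # Constructed input mirroring the 'test' service from test case 2.
    print("\n".join(lokkit_args("100,10000-20000,200", "udp")))
    print("\n".join(shorewall_rules("300,1111-1122", "tcp", "public", "test")))
```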

#14 Updated by Alessio Fattorini over 7 years ago

  • Assignee deleted (Alessio Fattorini)

#15 Updated by Davide Principi over 7 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

#16 Updated by Davide Principi over 7 years ago

In nethserver-updates:
nethserver-release-6.5-4.ns6.rc1.noarch.rpm
nethserver-devbox-1.4.0-1.ns6.noarch.rpm
nethserver-backup-data-1.0.9-1.ns6.noarch.rpm
nethserver-base-2.1.0-1.ns6.noarch.rpm
nethserver-directory-2.0.1-1.ns6.noarch.rpm
nethserver-firewall-base-1.1.0-1.ns6.noarch.rpm
nethserver-hosts-1.0.7-1.ns6.noarch.rpm
nethserver-httpd-2.3.0-1.ns6.noarch.rpm
nethserver-httpd-admin-1.2.1-1.ns6.noarch.rpm
nethserver-hylafax-1.0.5-1.ns6.noarch.rpm
nethserver-ibays-2.0.3-1.ns6.noarch.rpm
nethserver-lib-2.0.1-1.ns6.noarch.rpm
nethserver-mail-server-1.6.1-1.ns6.noarch.rpm
nethserver-nethgui-1.4.0-1.ns6.noarch.rpm
nethserver-ntopng-1.1.2-1.ns6.noarch.rpm
nethserver-nut-1.0.7-1.ns6.noarch.rpm
nethserver-openssh-1.0.5-1.ns6.noarch.rpm
nethserver-roundcubemail-0.0.2-1.ns6.noarch.rpm
nethserver-samba-1.4.2-1.ns6.noarch.rpm
nethserver-shorewall-1.0.4-1.ns6.noarch.rpm
nethserver-sogo-thunderbird-1.1.1-1.ns6.noarch.rpm
nethserver-vpn-1.1.2-1.ns6.noarch.rpm
sogo-frontends-1.3.0-1.ns6.noarch.rpm
