Feature #2644
Allow to specify a port range in firewall rules
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-firewall-base | | |
| Target version: | v6.5-rc1 | | |
| Resolution: | | NEEDINFO: | No |
Description
Now, when a package needs to open ports in the firewall, it can specify them in the configuration db. But it is not possible to specify port ranges.
For example, asterisk needs to open UDP ports from 10000 to 20000 to allow the RTP data stream.
The only way to do this is to create a template for the default firewall and for shorewall, but it isn't correct that a package has to take care of which firewall is installed; it would be better to implement this at system level, with an interface that allows packages to specify port ranges in the db like:
UDPPorts=5060,4569,10000-20000,5036
The previous line should create rules to open ports 5060, 4569, 5036 (as it does right now) AND ports from 10000 to 20000.
Associated revisions
system-config-firewall: add support for services with port range. Refs #2644
rules template: add support for services with port range. Refs #2644
rules template: support port range from local network. Refs #2644
system-config-firewall: revert to cbacb3a27d5b764152d8dce7afba5d47d0e752b3. Refs #2644
Current template already supports port ranges.
/etc/shorewall/rules template: use port range syntax. Refs #2644
History
#1 Updated by Davide Principi over 7 years ago
- Target version set to v6.5-rc1
#2 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
It must be implemented in lokkit and shorewall configuration.
#3 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#4 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#5 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-firewall-base-1.0.9-2.0git5bfa48ca.ns6.noarch.rpm
- nethserver-base-2.0.0-2.0gitcbacb3a2.ns6.noarch.rpm
- Create a clean machine without nethserver-firewall-base installed
- Create two test services with port range and port list
config set test service UDPPorts 10000-20000 TCPPorts 1111-1122 status enabled access private
config set test1 service UDPPorts 122,123 TCPPorts 124,125 status enabled access private
- Execute
signal-event firewall-adjust
- Check all ports are enabled in
/etc/sysconfig/system-config-firewall
- Check all ports are enabled in iptables:
iptables -nvL | less
- Install nethserver-firewall-base and configure a red interface
- Create two test services with port range and port list
config set test service UDPPorts 10000-20000 TCPPorts 1111-1122 status enabled access public
config set test1 service UDPPorts 122,123 TCPPorts 124,125 status enabled access private
- Execute
signal-event firewall-adjust
- Check all ports are enabled in
/etc/shorewall/rules
- Check all ports (from local and external network) are enabled in iptables:
iptables -nvL | less
#6 Updated by Giacomo Sanchietti over 7 years ago
- Description updated (diff)
#7 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from ON_QA to TRIAGED
- % Done changed from 70 to 20
The actual implementation allows only a property in the form with commas or with a dash, not the sum of both as reported in the description.
If possible, use the lokkit and shorewall range syntax.
#8 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#9 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
The new implementation now uses the port range syntax for lokkit and Shorewall.
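The property format requested in the description (a comma-separated list whose items are single ports or dash-separated ranges, e.g. `UDPPorts=100,10000-20000,200`) and the two output syntaxes mentioned in #7 and #9 (lokkit `--port=lo-hi:proto`, Shorewall `lo:hi`), worked through as an added Python example; this is not code from nethserver-base or nethserver-firewall-base, and the sample service properties are constructed for the example. It also rejects inverted or out-of-bounds ranges, which the page's test plan does not cover.

```python
import re

# Constructed sample mirroring the db syntax used in the test plan:
#   config set test service UDPPorts 100,10000-20000,200 TCPPorts 300,1111-1122 ...
SAMPLE = {"UDPPorts": "100,10000-20000,200", "TCPPorts": "300,1111-1122",
          "access": "public"}


def parse_ports(value):
    """Parse '100,10000-20000,200' into [(100, 100), (10000, 20000), (200, 200)].

    Mixed lists and ranges are accepted (the case #7 reported as unsupported).
    Anything that is not a port, or a range with lo <= hi within 1..65535,
    raises ValueError so a bad db property never becomes a firewall rule."""
    items = []
    for tok in value.split(","):
        tok = tok.strip()
        if not tok:
            continue
        m = re.fullmatch(r"(\d+)(?:-(\d+))?", tok)
        if not m:
            raise ValueError("bad port item: %r" % tok)
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if not 1 <= lo <= hi <= 65535:
            raise ValueError("invalid port range: %r" % tok)
        items.append((lo, hi))
    return items


def lokkit_args(props):
    """Emit system-config-firewall/lokkit arguments: --port=lo-hi:proto."""
    out = []
    for key, proto in (("TCPPorts", "tcp"), ("UDPPorts", "udp")):
        for lo, hi in parse_ports(props.get(key, "")):
            port = str(lo) if lo == hi else "%d-%d" % (lo, hi)
            out.append("--port=%s:%s" % (port, proto))
    return out


def shorewall_rules(props):
    """Emit /etc/shorewall/rules lines using lo:hi range syntax.
    access=private opens from loc only; access=public also from net."""
    zones = ("loc", "net") if props.get("access") == "public" else ("loc",)
    lines = []
    for key, proto in (("TCPPorts", "tcp"), ("UDPPorts", "udp")):
        for lo, hi in parse_ports(props.get(key, "")):
            port = str(lo) if lo == hi else "%d:%d" % (lo, hi)
            lines.extend("ACCEPT %s $FW %s %s" % (z, proto, port) for z in zones)
    return lines
```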
#10 Updated by Giacomo Sanchietti over 7 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-firewall-base-1.0.9-3.0git516934f6.ns6.noarch.rpm
- nethserver-base-2.0.0-5.0git1f79eea8.ns6.noarch.rpm
- Create a clean machine without nethserver-firewall-base installed
- Create two test services with port range and port list
config set test service UDPPorts 100,10000-20000,200 TCPPorts 300,1111-1122 status enabled access private
- Execute
signal-event firewall-adjust
- Check all ports are enabled in
/etc/sysconfig/system-config-firewall
- Check all ports are enabled in iptables:
iptables -nvL | less
- Install nethserver-firewall-base and configure a red interface
- Create two test services with port range and port list
config set test service UDPPorts 100,10000-20000,200 TCPPorts 300,1111-1122 status enabled access public
- Execute
signal-event firewall-adjust
- Check all ports are enabled in
/etc/shorewall/rules
- Check all ports (from local and external network) are enabled in iptables:
iptables -nvL | less
#11 Updated by Alessio Fattorini over 7 years ago
- Assignee set to Alessio Fattorini
#12 Updated by Alessio Fattorini over 7 years ago
Test case 2
[root@botolo ~]# config set test service UDPPorts 100,10000-20000,200 TCPPorts 300,1111-1122 status enabled access public
[root@botolo ~]# signal-event firewall-adjust
[root@botolo ~]# grep "10000" /etc/shorewall/rules
ACCEPT loc $FW udp 10000:20000
ACCEPT net $FW udp 10000:20000
[root@botolo ~]# grep "1111" /etc/shorewall/rules
ACCEPT loc $FW tcp 1111:1122
ACCEPT net $FW tcp 1111:1122
[root@botolo ~]# iptables -nvL | grep 1111
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpts:1111:1122 /* test */
[root@botolo ~]# iptables -nvL | grep 10000
6 852 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000 /* test */
[root@botolo ~]# iptables -nvL | grep "200 "
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:200 /* test */
[root@botolo ~]# iptables -nvL | grep "100 "
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:100 /* test */
VERIFIED
#13 Updated by Alessio Fattorini over 7 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
Test case 1
- Create a clean machine without nethserver-firewall-base installed
[root@botolo ~]# rpm -qa | grep firewall
system-config-firewall-base-1.2.27-5.el6.noarch
- Create two test services with port range and port list
[root@botolo ~]# config set test service UDPPorts 100,10000-20000,200 TCPPorts 300,1111-1122 status enabled access private
[root@botolo ~]# signal-event firewall-adjust
Testing it
[root@botolo ~]# grep -w 10000 /etc/sysconfig/system-config-firewall
--port=10000-20000:udp
[root@botolo ~]# grep -w 100 /etc/sysconfig/system-config-firewall
--port=100:udp
[root@botolo ~]# grep -w 200 /etc/sysconfig/system-config-firewall
--port=200:udp
[root@botolo ~]# grep -w 300 /etc/sysconfig/system-config-firewall
--port=300:tcp
[root@botolo ~]# grep -w 1111 /etc/sysconfig/system-config-firewall
--port=1111-1122:tcp
Testing iptables entry
[root@botolo ~]# iptables -nvL | grep -w 200
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:200
[root@botolo ~]# iptables -nvL | grep -w 100
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:100
[root@botolo ~]# iptables -nvL | grep -w 10000
24 3408 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW udp dpts:10000:20000
[root@botolo ~]# iptables -nvL | grep -w 300
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:300
[root@botolo ~]# iptables -nvL | grep -w 1111
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpts:1111:1122
VERIFIED
#14 Updated by Alessio Fattorini over 7 years ago
- Assignee deleted (Alessio Fattorini)
#15 Updated by Davide Principi over 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
#16 Updated by Davide Principi over 7 years ago
In nethserver-updates:
nethserver-release-6.5-4.ns6.rc1.noarch.rpm
nethserver-devbox-1.4.0-1.ns6.noarch.rpm
nethserver-backup-data-1.0.9-1.ns6.noarch.rpm
nethserver-base-2.1.0-1.ns6.noarch.rpm
nethserver-directory-2.0.1-1.ns6.noarch.rpm
nethserver-firewall-base-1.1.0-1.ns6.noarch.rpm
nethserver-hosts-1.0.7-1.ns6.noarch.rpm
nethserver-httpd-2.3.0-1.ns6.noarch.rpm
nethserver-httpd-admin-1.2.1-1.ns6.noarch.rpm
nethserver-hylafax-1.0.5-1.ns6.noarch.rpm
nethserver-ibays-2.0.3-1.ns6.noarch.rpm
nethserver-lib-2.0.1-1.ns6.noarch.rpm
nethserver-mail-server-1.6.1-1.ns6.noarch.rpm
nethserver-nethgui-1.4.0-1.ns6.noarch.rpm
nethserver-ntopng-1.1.2-1.ns6.noarch.rpm
nethserver-nut-1.0.7-1.ns6.noarch.rpm
nethserver-openssh-1.0.5-1.ns6.noarch.rpm
nethserver-roundcubemail-0.0.2-1.ns6.noarch.rpm
nethserver-samba-1.4.2-1.ns6.noarch.rpm
nethserver-shorewall-1.0.4-1.ns6.noarch.rpm
nethserver-sogo-thunderbird-1.1.1-1.ns6.noarch.rpm
nethserver-vpn-1.1.2-1.ns6.noarch.rpm
sogo-frontends-1.3.0-1.ns6.noarch.rpm