Bug #2836
Masquerade all sources
| Status: | CLOSED | Start date: | ||
|---|---|---|---|---|
| Priority: | High | Due date: | ||
| Assignee: | - | % Done: | 100% | |
| Category: | nethserver-firewall-base | |||
| Target version: | v6.5 | |||
| Security class: | Resolution: | |||
| Affected version: | v6.5 | NEEDINFO: | No |
Description
Traffic leaving the firewall to the net has to be masqueraded (SNAT) to wan ip address regardless of where it is coming from.
Now, we masq only traffic coming from the lan network.
Additional lan (local networks, extra zones) can't reach the net.
Associated revisions
/etc/shorewall/masq: masquerade all sources. Refs #2836
History
#1
Updated by Filippo Carletti about 7 years ago
Tentative fix:
--- /etc/e-smith/templates/etc/shorewall/masq/20red 2014-08-05 18:59:17.878355714 +0200
+++ /etc/e-smith/templates-custom/etc/shorewall/masq/20red 2014-08-05 18:59:24.675204074 +0200
@@ -2,8 +2,7 @@
use esmith::util;
use esmith::NetworksDB;
my $ndb = esmith::NetworksDB->open_ro();
- my $green = $ndb->green;
foreach ($ndb->get_by_role('red')) {
- $OUT .= $_->key."\t".esmith::util::computeLocalNetworkShortSpec($green->prop('ipaddr'),$green->prop('netmask'))."\n";
+ $OUT .= $_->key."\n";
}
}
#2
Updated by Filippo Carletti almost 7 years ago
- Status changed from NEW to TRIAGED
- Assignee set to Filippo Carletti
- % Done changed from 0 to 20
#3
Updated by Filippo Carletti almost 7 years ago
- Status changed from TRIAGED to ON_DEV
- % Done changed from 20 to 30
#4
Updated by Filippo Carletti almost 7 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (
Filippo Carletti) - % Done changed from 30 to 60
After update, /etc/shorewall/masq should contain only your wan eth, i.e.:
###################################################################################################### #INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/ SWITCH # GROUP eth1
without references to networks under source column.
Also,
]# shorewall show nat | grep MASQ 38 2633 MASQUERADE all -- * * 0.0.0.0/0 0.0.0.0/0 policy match dir out pol none
ON_QA
In nethserver-testing:
nethserver-firewall-base-1.1.0-130.0git21b4db71.ns6.noarch.rpm
#5
Updated by Filippo Carletti almost 7 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
#6
Updated by Davide Principi almost 7 years ago
- Assignee set to Davide Principi
#7
Updated by Davide Principi almost 7 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (
Davide Principi) - % Done changed from 70 to 90
VERIFIED
Before update, in /etc/shorewall/masq:
#INTERFACE:DEST SOURCE ADDRESS PROTO PORT(S) IPSEC MARK USER/SWITCH # GROUP eth1 192.168.8.0/24
And:
# shorewall show nat | grep MASQ
0 0 MASQUERADE all -- * * 192.168.8.0/24 0.0.0.0/0
After update I've got the expected config file and command output.
#8
Updated by Davide Principi almost 7 years ago
- Target version set to v6.5
#9
Updated by Davide Principi almost 7 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-firewall-base-2.0.0-1.ns6.noarch.rpm