Bug #2836

Masquerade all sources

Added by Filippo Carletti about 5 years ago. Updated about 5 years ago.

Status: CLOSED
Start date:
Priority: High
Due date:
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.5
Security class:
Resolution:
Affected version: v6.5
NEEDINFO: No

Description

Traffic leaving the firewall to the net has to be masqueraded (SNAT) to the WAN IP address regardless of where it is coming from.
Now, we masq only traffic coming from the LAN network.
Additional LANs (local networks, extra zones) can't reach the net.

Associated revisions

Revision 21b4db71
Added by Filippo Carletti about 5 years ago

/etc/shorewall/masq: masquerade all sources. Refs #2836

History

#1 Updated by Filippo Carletti about 5 years ago

Tentative fix:

--- /etc/e-smith/templates/etc/shorewall/masq/20red    2014-08-05 18:59:17.878355714 +0200
+++ /etc/e-smith/templates-custom/etc/shorewall/masq/20red    2014-08-05 18:59:24.675204074 +0200
@@ -2,8 +2,7 @@
     use esmith::util;
     use esmith::NetworksDB;
     my $ndb = esmith::NetworksDB->open_ro();
-    my $green = $ndb->green;
     foreach ($ndb->get_by_role('red')) {
-        $OUT .= $_->key."\t".esmith::util::computeLocalNetworkShortSpec($green->prop('ipaddr'),$green->prop('netmask'))."\n";
+        $OUT .= $_->key."\n";
     }
 }
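Review bot: `use esmith::util;` at the top of the hunk becomes a dead import once `computeLocalNetworkShortSpec` is removed from the `$OUT` line; drop it together with the `$green` lookup so the template only pulls in `esmith::NetworksDB`. A one-line comment in the template saying that the SOURCE column is left empty on purpose (every source routed out the red interface gets masqueraded, not just the green network) would also help, since the previous form of this line carried an explicit network and the next reader will otherwise wonder whether the column was forgotten.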

#2 Updated by Filippo Carletti about 5 years ago

  • Status changed from NEW to TRIAGED
  • Assignee set to Filippo Carletti
  • % Done changed from 0 to 20

#3 Updated by Filippo Carletti about 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • % Done changed from 20 to 30

#4 Updated by Filippo Carletti about 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Filippo Carletti)
  • % Done changed from 30 to 60

After the update, /etc/shorewall/masq should contain only your WAN eth, i.e.:

######################################################################################################
#INTERFACE:DEST        SOURCE        ADDRESS        PROTO    PORT(S)    IPSEC    MARK    USER/    SWITCH
#                                            GROUP
eth1

without references to networks under the SOURCE column.
Also:

# shorewall show nat | grep MASQ
   38  2633 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir out pol none

ON_QA
In nethserver-testing:
nethserver-firewall-base-1.1.0-130.0git21b4db71.ns6.noarch.rpm

#5 Updated by Filippo Carletti about 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

#6 Updated by Davide Principi about 5 years ago

  • Assignee set to Davide Principi

#7 Updated by Davide Principi about 5 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

VERIFIED

Before the update, in /etc/shorewall/masq:

#INTERFACE:DEST        SOURCE        ADDRESS        PROTO    PORT(S)    IPSEC    MARK    USER/SWITCH
#                                            GROUP
eth1    192.168.8.0/24

And:

   # shorewall show nat | grep MASQ
    0     0 MASQUERADE  all  --  *      *       192.168.8.0/24       0.0.0.0/0

After the update I got the expected config file and command output.
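Both the MODIFIED note (#4) and the verification (#7) above rest on the same two manual checks: the rendered masq file carries no SOURCE column, and the live MASQUERADE rule shows 0.0.0.0/0 as its source. The shell script below, added here as an example and not part of NethServer, Shorewall or this ticket, turns those checks into functions, runs them against constructed copies of the before/after text quoted in the ticket, and can be pointed at a live host with `check_masq_file_unrestricted < /etc/shorewall/masq` and `shorewall show nat | check_masq_rules_unrestricted`. The function names and the sample strings are this example's own assumptions.

```shell
#!/bin/sh
# Added example for ticket #2836; not NethServer or Shorewall code.
# Two checks a verifier can run on a firewall host:
#   1. the rendered /etc/shorewall/masq carries no SOURCE column, and
#   2. every MASQUERADE rule that `shorewall show nat` reports has source 0.0.0.0/0.
# All sample inputs below are constructed from the states quoted in the ticket.

# --- constructed sample inputs ----------------------------------------------

# masq file before the fix: the green network sits in the SOURCE column.
MASQ_BEFORE='#INTERFACE:DEST        SOURCE        ADDRESS        PROTO    PORT(S)
eth1    192.168.8.0/24'

# masq file after the fix: interface only, every source masqueraded.
MASQ_AFTER='#INTERFACE:DEST        SOURCE        ADDRESS        PROTO    PORT(S)
eth1'

# `shorewall show nat` prints iptables -t nat -L -v -n style lines:
# pkts bytes target prot opt in out source destination [match options]
NAT_BEFORE='    0     0 MASQUERADE  all  --  *      *       192.168.8.0/24       0.0.0.0/0'
NAT_AFTER='   38  2633 MASQUERADE  all  --  *      *       0.0.0.0/0            0.0.0.0/0           policy match dir out pol none'

# --- masq file check ----------------------------------------------------------

# Read a Shorewall masq file on stdin and print "INTERFACE SOURCE" for each
# active entry, with "-" standing for an empty SOURCE column.
masq_file_entries() {
    awk '/^[[:space:]]*#/ || NF == 0 { next } { print $1, (NF >= 2 ? $2 : "-") }'
}

# Return 0 when no entry restricts SOURCE, 1 when some entry still names a
# network, 2 when the file has no active entry at all.  A bare interface,
# "-" and 0.0.0.0/0 are all treated as "all sources" (assumption of this example).
check_masq_file_unrestricted() {
    _entries=$(masq_file_entries)
    [ -n "$_entries" ] || return 2
    printf '%s\n' "$_entries" |
        awk '$2 != "-" && $2 != "0.0.0.0/0" { found = 1 } END { exit found ? 1 : 0 }'
}

# --- live rule check ----------------------------------------------------------

# Read `shorewall show nat` (or `iptables -t nat -L -v -n`) on stdin and print
# the SOURCE column (field 8) of every MASQUERADE rule.
masq_rule_sources() {
    awk '$3 == "MASQUERADE" { print $8 }'
}

# Return 0 when every MASQUERADE rule covers 0.0.0.0/0, 1 when any rule is
# still restricted to a subnet, 2 when no MASQUERADE rule is loaded.
check_masq_rules_unrestricted() {
    _sources=$(masq_rule_sources)
    [ -n "$_sources" ] || return 2
    printf '%s\n' "$_sources" | grep -qv '^0\.0\.0\.0/0$' && return 1
    return 0
}

# Human-readable verdict for one (label, masq file text, nat listing) triple.
report() {
    if printf '%s\n' "$2" | check_masq_file_unrestricted &&
       printf '%s\n' "$3" | check_masq_rules_unrestricted; then
        echo "$1: all sources masqueraded"
    else
        echo "$1: masquerading still restricted or missing"
    fi
}

report before "$MASQ_BEFORE" "$NAT_BEFORE"
report after  "$MASQ_AFTER"  "$NAT_AFTER"
```

Two caveats when reading the live output. The after-state rule carries `policy match dir out pol none`, which means packets already covered by an IPsec policy are left out of MASQUERADE, so tunnel traffic keeps its real source address; the check above only looks at the source column and does not judge that. And an empty SOURCE column changes NAT only: whether a packet from an extra zone is forwarded out eth1 at all is still decided by the Shorewall policy and rules, so a host that passes both checks can still be blocked by policy.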

#8 Updated by Davide Principi about 5 years ago

  • Target version set to v6.5

#9 Updated by Davide Principi about 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-firewall-base-2.0.0-1.ns6.noarch.rpm
