Bug #3081

Traffic from green to blue is not allowed

Added by Nicola Rauso over 6 years ago. Updated over 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.6
Security class:
Resolution:
Affected version: v6.5-final
NEEDINFO: No

Description

Current Shorewall policies do not permit traffic from green to blue.

In "/var/log/firewall.log" you find:

Mar  6 17:51:50 ng65 kernel: Shorewall:loc2blue:REJECT:IN=eth0 OUT=eth1 SRC=192.168.0.101 DST=192.168.100.230 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=17252 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1624
Mar  6 17:51:51 ng65 kernel: Shorewall:loc2blue:REJECT:IN=eth0 OUT=eth1 SRC=192.168.0.101 DST=192.168.100.230 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=17256 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1625

That is because in "/etc/shorewall/policy" the directive:

loc             blue            ACCEPT

is missing.

Package installed:

  • nethserver-firewall-base-2.2.3-1.ns6.noarch
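An added example, not code from the bug report or from the nethserver project: it parses firewall.log lines in the format quoted above, looks up each rejected zone pair in a copy of /etc/shorewall/policy, and reports pairs that no policy line covers, which is exactly the gap this report describes. The "<src>2<dst>" chain-name format is assumed from the "loc2blue" chain in the log, and the sample log and policy snippets are constructed.

```python
import re
from collections import Counter

# Log prefix as in the report: "Shorewall:<chain>:<disposition>:" then netfilter key=value
# fields. The chain name "<src>2<dst>" is assumed from the "loc2blue" chain in the log above.
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<fields>.*)$")

# Constructed sample input: the two log lines from the report, unwrapped onto one line each.
SAMPLE_LOG = [
    "Mar  6 17:51:50 ng65 kernel: Shorewall:loc2blue:REJECT:IN=eth0 OUT=eth1 SRC=192.168.0.101 "
    "DST=192.168.100.230 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=17252 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1624",
    "Mar  6 17:51:51 ng65 kernel: Shorewall:loc2blue:REJECT:IN=eth0 OUT=eth1 SRC=192.168.0.101 "
    "DST=192.168.100.230 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=17256 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1625",
]
# Constructed policy snippets: before and after adding the directive the bug report says is missing.
POLICY_BEFORE = "#SOURCE DEST POLICY LOGLEVEL\nloc net ACCEPT\n$FW net ACCEPT\nloc $FW ACCEPT\n"
POLICY_AFTER = POLICY_BEFORE + "loc blue ACCEPT\nblue loc REJECT info\n"

def parse_log_line(line):
    """Return (src_zone, dst_zone, disposition, fields) or None for non-Shorewall lines."""
    m = LOG_RE.search(line)
    if not m or "2" not in m.group("chain"):
        return None
    src, dst = m.group("chain").split("2", 1)
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return src, dst, m.group("action"), fields

def parse_policy(text):
    """Map (SOURCE, DEST) -> (POLICY, LOGLEVEL); Shorewall uses the first matching line."""
    policies = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 3:
            policies.setdefault((parts[0], parts[1]), (parts[2], parts[3] if len(parts) > 3 else ""))
    return policies

def has_policy(policies, src, dst):
    # An explicit line or an "all" wildcard line covers the zone pair.
    return any(k in policies for k in ((src, dst), (src, "all"), ("all", dst), ("all", "all")))

def rejected_pairs_without_policy(log_lines, policy_text):
    """Count REJECTed zone pairs seen in the log that the policy file never covers."""
    policies = parse_policy(policy_text)
    hits = Counter()
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed and parsed[2] == "REJECT" and not has_policy(policies, parsed[0], parsed[1]):
            hits[(parsed[0], parsed[1])] += 1
    return dict(hits)
```

Run against the pre-fix policy it reports the loc/blue pair twice; against the post-fix policy it reports nothing.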

Associated revisions

Revision ea5b3e82
Added by Giacomo Sanchietti over 6 years ago

Add missing policies for orange and blue. Refs #3081

History

#1 Updated by Giacomo Sanchietti over 6 years ago

  • Category set to nethserver-firewall-base
  • Status changed from NEW to TRIAGED
  • Target version set to v6.6
  • % Done changed from 0 to 20

Bug confirmed.
The same bug applies also to orange zone.

#2 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#3 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#4 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70

Package in nethserver-testing:

  • nethserver-firewall-base-2.3.0-1.1.gea5b3e8.ns6.noarch.rpm

Test case 1

  • Add a blue interface
  • Check the following policy is present:
    loc             blue            ACCEPT

Test case 2

  • Add an orange interface
  • Check the following policy is present:
    loc             orang            ACCEPT

#5 Updated by Davide Marini over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • % Done changed from 70 to 90

From 3 green zones to: 1 green, 1 blue, 1 orange

[root@server66 ~]# diff -u policy /etc/shorewall/policy 
--- policy    2015-03-09 11:19:20.043811924 +0100
+++ /etc/shorewall/policy    2015-03-09 11:21:03.621825349 +0100
@@ -23,7 +23,9 @@
 #
 # 20policy
 #
+blue        net        ACCEPT
 loc        net        ACCEPT
+orang        net        ACCEPT
 $FW        net        ACCEPT

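Review bot: `blue net ACCEPT` and `orang net ACCEPT` give the new zones unrestricted outbound Internet access on the same footing as the existing `loc net ACCEPT`; that is the usual baseline for a guest and a DMZ zone, but it means any service in orange can reach out freely, so confirm this is intended and that tighter per-service control is meant to live in the rules file rather than here. The zone is spelled `orang` throughout; Shorewall caps zone names at five characters by default, so the spelling is consistent, and test case 2 above uses the same name.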
 #
@@ -37,6 +39,10 @@
 loc      ivpn    ACCEPT
 ivpn     loc     ACCEPT
 ivpn     $FW     ACCEPT
+ivpn        blue           ACCEPT
+lvpn        blue           ACCEPT
+ivpn        orang          ACCEPT
+lvpn        orang          ACCEPT

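Review bot: these four lines only open the VPN-to-zone direction; nothing in the patch adds an explicit `blue ivpn`, `blue lvpn`, `orang ivpn` or `orang lvpn` policy, so traffic from the guest and DMZ zones toward VPN clients falls through to whatever catch-all policy ends the file. Confirm that fallback is a logged REJECT, like the `blue $FW REJECT info` line later in this patch, rather than relying silently on the default.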
 #
 # 20policy_openvpn
@@ -45,6 +51,8 @@
 ovpn           loc            ACCEPT
 ovpn           $FW            ACCEPT
 $FW            ovpn           ACCEPT
+ovpn        blue           ACCEPT
+ovpn        orang          ACCEPT

 # openvpn/RouteToVPN is disabled

@@ -53,6 +61,22 @@
 # 30policy_extra_zones
 #

+# Zone: blue
+
+loc        blue        ACCEPT
+blue        loc        REJECT
+blue        $FW        REJECT        info
+$FW        blue        ACCEPT
+blue        orang        ACCEPT
+
+# Zone: orange
+
+loc        orang        ACCEPT
+orang        loc        REJECT
+orang        $FW        REJECT        info
+$FW        orang        ACCEPT
+orang        blue        REJECT        info
+

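Review bot: `blue loc REJECT` and `orang loc REJECT` carry no log level while `blue $FW REJECT info` does, so rejected guest-to-green and DMZ-to-green traffic will never appear in /var/log/firewall.log, which is exactly the log this bug was diagnosed from (`loc2blue:REJECT`); suggest `blue loc REJECT info` and `orang loc REJECT info`. Also, `blue orang ACCEPT` opens a path from the guest zone into the DMZ with no logging while `orang blue REJECT info` blocks the reverse; confirm that asymmetry is intended rather than a copy-and-paste slip.
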
#6 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

Released in nethserver-base:

  • nethserver-firewall-base-2.3.1-1.ns6.noarch.rpm
