Bug #3081
Traffic from green to blue is not allowed
Status: | CLOSED | Start date: |
---|---|---|---
Priority: | Normal | Due date: |
Assignee: | - | % Done: | 100%
Category: | nethserver-firewall-base | |
Target version: | v6.6 | |
Security class: | | Resolution: |
Affected version: | v6.5-final | NEEDINFO: | No
Description
Current Shorewall policies do not permit traffic from green to blue.
In "/var/log/firewall.log" you find:
Mar 6 17:51:50 ng65 kernel: Shorewall:loc2blue:REJECT:IN=eth0 OUT=eth1 SRC=192.168.0.101 DST=192.168.100.230 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=17252 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1624
Mar 6 17:51:51 ng65 kernel: Shorewall:loc2blue:REJECT:IN=eth0 OUT=eth1 SRC=192.168.0.101 DST=192.168.100.230 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=17256 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1625
This is because in "/etc/shorewall/policy" the directive:
loc blue ACCEPT
is missing.
Package installed:
- nethserver-firewall-base-2.2.3-1.ns6.noarch
Associated revisions
Add missing policies for orange and blue. Refs #3081
History
#1 Updated by Giacomo Sanchietti over 6 years ago
- Category set to nethserver-firewall-base
- Status changed from NEW to TRIAGED
- Target version set to v6.6
- % Done changed from 0 to 20
Bug confirmed.
The same bug applies also to orange zone.
#2 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#3 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#4 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
Package in nethserver-testing:
- nethserver-firewall-base-2.3.0-1.1.gea5b3e8.ns6.noarch.rpm
- Add a blue interface
- Check the following policy is present:
loc blue ACCEPT
- Add an orange interface
- Check the following policy is present:
loc orang ACCEPT
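The check above ("is the policy present?") can be stated more precisely as "which entry does Shorewall actually apply to the loc/blue pair?". The following is an added example, not NethServer's own code: it parses constructed excerpts of /etc/shorewall/policy before and after this fix, built from the policy lines discussed in this bug, and resolves a zone pair with the first-match lookup Shorewall uses on that file. The trailing `all all REJECT info` catch-all and the function names are assumptions.

```python
"""Resolve the effective Shorewall policy for a zone pair (added example)."""

# Constructed excerpts (not the shipped file). "loc net" and "$FW net" stand
# for the pre-existing entries; the "all all REJECT info" catch-all is assumed,
# which is what produced the "loc2blue:REJECT" log lines in this report.
BASE = "loc net ACCEPT\n$FW net ACCEPT\n"
EXTRA_ZONES = """\
# Zone: blue
loc blue ACCEPT
blue loc REJECT
blue $FW REJECT info
$FW blue ACCEPT
blue orang ACCEPT
# Zone: orange
loc orang ACCEPT
orang loc REJECT
orang $FW REJECT info
$FW orang ACCEPT
orang blue REJECT info
"""
CATCH_ALL = "all all REJECT info\n"
POLICY_BEFORE_FIX = BASE + CATCH_ALL
POLICY_AFTER_FIX = BASE + EXTRA_ZONES + CATCH_ALL


def parse_policy(text):
    """Return (source, dest, policy, loglevel) tuples; comments and blanks are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed policy line: %r" % raw)
        loglevel = fields[3] if len(fields) > 3 else None
        rules.append((fields[0], fields[1], fields[2].upper(), loglevel))
    return rules


def effective_policy(rules, src, dst):
    """First matching entry wins, as Shorewall processes the policy file; 'all' is a wildcard.
    Returns (policy, loglevel, explicit); explicit is False when only a wildcard matched,
    i.e. no zone-specific policy exists for this pair (the situation in this bug)."""
    for r_src, r_dst, policy, loglevel in rules:
        if r_src in (src, "all") and r_dst in (dst, "all"):
            return policy, loglevel, "all" not in (r_src, r_dst)
    return None, None, False


def missing_policies(rules, zones):
    """Ordered zone pairs that only the catch-all covers, i.e. candidates for this bug."""
    return [(s, d) for s in zones for d in zones
            if s != d and not effective_policy(rules, s, d)[2]]
```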
#5 Updated by Davide Marini over 6 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
From 3 green zones to: 1 green, 1 blue, 1 orange
[root@server66 ~]# diff -u policy /etc/shorewall/policy --- policy 2015-03-09 11:19:20.043811924 +0100 +++ /etc/shorewall/policy 2015-03-09 11:21:03.621825349 +0100 @@ -23,7 +23,9 @@ # # 20policy # +blue net ACCEPT loc net ACCEPT +orang net ACCEPT $FW net ACCEPT # @@ -37,6 +39,10 @@ loc ivpn ACCEPT ivpn loc ACCEPT ivpn $FW ACCEPT +ivpn blue ACCEPT +lvpn blue ACCEPT +ivpn orang ACCEPT +lvpn orang ACCEPT # # 20policy_openvpn @@ -45,6 +51,8 @@ ovpn loc ACCEPT ovpn $FW ACCEPT $FW ovpn ACCEPT +ovpn blue ACCEPT +ovpn orang ACCEPT # openvpn/RouteToVPN is disabled @@ -53,6 +61,22 @@ # 30policy_extra_zones # +# Zone: blue + +loc blue ACCEPT +blue loc REJECT +blue $FW REJECT info +$FW blue ACCEPT +blue orang ACCEPT + +# Zone: orange + +loc orang ACCEPT +orang loc REJECT +orang $FW REJECT info +$FW orang ACCEPT +orang blue REJECT info +
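Review bot: in the 30policy_extra_zones hunk, `blue loc REJECT` and `orang loc REJECT` carry no log level, while the `blue $FW REJECT info` and `orang $FW REJECT info` entries for the same zones do, so rejected blue-to-green and orange-to-green traffic will not appear in firewall.log the way the loc2blue rejects in this report did; suggest `blue loc REJECT info` and `orang loc REJECT info` for consistency and to keep cross-zone rejects visible. A short comment that the zone is spelled `orang` because Shorewall zone names are limited to five characters would also save the next reader a question, given the `# Zone: orange` heading above it.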
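Review bot: the 20policy_openvpn hunk and the ivpn/lvpn additions before it only add the VPN-to-blue and VPN-to-orang direction (`ivpn blue ACCEPT`, `lvpn blue ACCEPT`, `ovpn blue ACCEPT` and their orang counterparts), so blue/orang-to-VPN traffic falls through to whatever catch-all ends the file, which this diff does not show; if that is the intended behaviour for guest and DMZ zones, a comment stating it would make the asymmetry deliberate rather than an apparent omission.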
#6 Updated by Giacomo Sanchietti over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
Released in nethserver-base:
- nethserver-firewall-base-2.3.1-1.ns6.noarch.rpm