Bug #3129

IPS: shorewall configuration not applied if there is at least an orange interface

Added by Giacomo Sanchietti over 6 years ago. Updated over 6 years ago.

Status: CLOSED
Priority: Normal
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.6
Affected version: v6.6-final
Start date:
Due date:
Security class:
Resolution:
NEEDINFO: No

Description

Steps to reproduce
  • Configure an orange interface
  • Enable the IPS
  • Shorewall stops working
Expected behavior
  • Firewall must correctly run
  • Snort should inspect traffic from/to orange zone
Actual behavior
  • Firewall rules are not applied

Thanks to Charlie Lehardy (AZChas) for reporting.

Associated revisions

Revision 6ffa8a0d
Added by Giacomo Sanchietti over 6 years ago

IPS: fix support for orange zone. Refs #3129

History

#1 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from NEW to TRIAGED
  • Target version set to v6.6
  • % Done changed from 0 to 20
  • Affected version set to v6.6-final

#2 Updated by Giacomo Sanchietti over 6 years ago

Workaround

Create the following template-custom

/etc/e-smith/templates-custom/etc/shorewall/rules/10base20established

#
# SECTION ESTABLISHED
#
?SECTION ESTABLISHED

{
    use esmith::NetworksDB;
    my $nfqueue = $firewall{'nfqueue'} || 'disabled';
    if ($nfqueue eq 'enabled') {
        $OUT .= "# Enable NFQ for ESTABLISHED connections\n";
        $OUT .= "NFQBY\tloc\tnet\n";
        $OUT .= "NFQBY\tnet\tloc\n";
        $OUT .= "NFQBY\tnet\tfw\n";
        $OUT .= "NFQBY\tfw\tnet\n";

        my $ndb = esmith::NetworksDB->open_ro();
        if ($ndb->blue) {
            $OUT .= "NFQBY\tblue\tnet\n";
        }
        if ($ndb->orange) {
            $OUT .= "NFQBY\torang\tnet\n";
        }
        if ($ndb->blue && $ndb->orange) {
            $OUT .= "NFQBY\tblue\torang\n";
        }
    }
}

/etc/e-smith/templates-custom/etc/shorewall/rules/10base50related

#
# SECTION RELATED
#
?SECTION RELATED

{
    use esmith::NetworksDB;
    my $nfqueue = $firewall{'nfqueue'} || 'disabled';
    if ($nfqueue eq 'enabled') {
        $OUT .= "# Enable NFQ for RELATED connections\n";
        $OUT .= "NFQBY\tloc\tnet\n";
        $OUT .= "NFQBY\tnet\tloc\n";
        $OUT .= "NFQBY\tnet\tfw\n";
        $OUT .= "NFQBY\tfw\tnet\n";

        my $ndb = esmith::NetworksDB->open_ro();
        if ($ndb->blue) {
            $OUT .= "NFQBY\tblue\tnet\n";
        }
        if ($ndb->orange) {
            $OUT .= "NFQBY\torang\tnet\n";
        }
        if ($ndb->blue && $ndb->orange) {
            $OUT .= "NFQBY\tblue\torang\n";
        }
    }
}
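
The workaround above emits NFQBY rules only for zones that actually exist, and uses the Shorewall zone name "orang" for the orange network. A Shorewall compile fails outright when a rule names a zone that is not defined in the zones file, so when the firewall stops applying rules after a template change, the first thing to check is that every zone named in the generated rules resolves. The following shell check is an added example, not NethServer or Shorewall code: the function `check_rule_zones`, the assumed plain columnar layout of both files, and the constructed sample files are all mine.

```shell
#!/bin/sh
# Added example (not NethServer or Shorewall code): cross-check a Shorewall
# rules file against the zones file and report rules that name a zone which
# is not defined. Both files are assumed to be in Shorewall's plain columnar
# format: zones = "ZONE TYPE OPTIONS", rules = "ACTION SOURCE DEST PROTO ...".
#
# check_rule_zones ZONES_FILE RULES_FILE
#   prints one line per offending rule; returns 0 when every zone resolves,
#   1 when at least one rule references an undefined zone.
check_rule_zones() {
    awk '
        # Blank lines, comments and ?DIRECTIVES carry no zone names.
        NF == 0 || /^[[:space:]]*#/ || /^[[:space:]]*[?]/ { next }

        # First file: record every defined zone (first column, with a parent
        # qualifier such as "orang:net" stripped).
        FILENAME == ARGV[1] {
            z = $1; sub(/:.*/, "", z); defined[z] = 1; next
        }

        # Second file: rules. Old-style "SECTION NAME" lines are not rules.
        $1 == "SECTION" { next }

        {
            # SOURCE ($2) and DEST ($3) may carry host qualifiers
            # ("net:192.0.2.0/24") or comma-separated zone lists.
            for (i = 2; i <= 3 && i <= NF; i++) {
                n = split($i, parts, ",")
                for (j = 1; j <= n; j++) {
                    z = parts[j]; sub(/:.*/, "", z)
                    # Shorewall keywords and the $FW variable are not zones.
                    if (z == "all" || z == "any" || z == "none" || z == "$FW") continue
                    if (!(z in defined)) {
                        printf "%s:%d: undefined zone \"%s\" in rule: %s\n", FILENAME, FNR, z, $0
                        bad = 1
                    }
                }
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1" "$2"
}

# Constructed sample input: a NethServer-like zones file where the orange
# network is the Shorewall zone "orang" (no blue zone), and a rules file in
# which one NFQBY rule mistakenly spells the zone "orange".
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/zones" <<'EOF'
#ZONE   TYPE      OPTIONS
fw      firewall
net     ipv4
loc     ipv4
orang   ipv4
EOF
cat > "$SAMPLE_DIR/rules" <<'EOF'
?SECTION ESTABLISHED
# Enable NFQ for ESTABLISHED connections
NFQBY   loc     net
NFQBY   net     loc
NFQBY   net     fw
NFQBY   fw      net
NFQBY   orang   net
NFQBY   orange  net
EOF

if check_rule_zones "$SAMPLE_DIR/zones" "$SAMPLE_DIR/rules"; then
    echo "all rule zones are defined"
else
    echo "fix the rules above, then run: shorewall check"
fi
rm -rf "$SAMPLE_DIR"
```

On a live system point the function at /etc/shorewall/zones and /etc/shorewall/rules after expanding the templates, and follow up with `shorewall check`, which catches the same class of error together with everything else the compiler validates.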

#3 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti over 6 years ago

  • Category changed from nethserver-snort to nethserver-firewall-base
  • Status changed from ON_DEV to MODIFIED
  • % Done changed from 30 to 60

#5 Updated by Giacomo Sanchietti over 6 years ago

  • Status changed from MODIFIED to ON_QA
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 60 to 70
Package in nethserver-testing:
  • nethserver-firewall-base-2.5.1-1.24.g6ffa8a0.ns6.noarch.rpm
Test case
  • Check the bug is not reproducible

#6 Updated by Davide Principi over 6 years ago

  • Assignee set to Davide Principi

#7 Updated by Davide Principi over 6 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

VERIFIED

#8 Updated by Davide Principi over 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

CLOSED

In nethserver-updates:
nethserver-firewall-base-2.6.0-1.ns6.noarch.rpm
