Bug #3129
IPS: shorewall configuration not applied if there is at least an orange interface
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-firewall-base | | |
| Target version: | v6.6 | | |
| Security class: | | Resolution: | |
| Affected version: | v6.6-final | NEEDINFO: | No |
Description
Steps to reproduce
- Configure an orange interface
- Enable the IPS
- Shorewall stops working
Expected result
- Firewall must correctly run
- Snort should inspect traffic from/to orange zone
Actual result
- Firewall rules are not applied
Thanks to Charlie Lehardy (AZChas) for reporting.
Associated revisions
IPS: fix support for orange zone. Refs #3129
History
#1
Updated by Giacomo Sanchietti over 6 years ago
- Status changed from NEW to TRIAGED
- Target version set to v6.6
- % Done changed from 0 to 20
- Affected version set to v6.6-final
#2
Updated by Giacomo Sanchietti over 6 years ago
Workaround
Create the following template-custom files:
/etc/e-smith/templates-custom/etc/shorewall/rules/10base20established
```
#
# SECTION ESTABLISHED
#
?SECTION ESTABLISHED
{
    use esmith::NetworksDB;
    # IPS is active only when the nfqueue prop of the firewall record is enabled
    my $nfqueue = $firewall{'nfqueue'} || 'disabled';
    if ($nfqueue eq 'enabled') {
        $OUT .= "# Enable NFQ for ESTABLISHED connections\n";
        $OUT .= "NFQBY\tloc\tnet\n";
        $OUT .= "NFQBY\tnet\tloc\n";
        $OUT .= "NFQBY\tnet\tfw\n";
        $OUT .= "NFQBY\tfw\tnet\n";
        my $ndb = esmith::NetworksDB->open_ro();
        if ($ndb->blue) {
            $OUT .= "NFQBY\tblue\tnet\n";
        }
        # the orange zone is named "orang" in shorewall
        if ($ndb->orange) {
            $OUT .= "NFQBY\torang\tnet\n";
        }
        if ($ndb->blue && $ndb->orange) {
            $OUT .= "NFQBY\tblue\torang\n";
        }
    }
}
```
/etc/e-smith/templates-custom/etc/shorewall/rules/10base50related
```
#
# SECTION RELATED
#
?SECTION RELATED
{
    use esmith::NetworksDB;
    # IPS is active only when the nfqueue prop of the firewall record is enabled
    my $nfqueue = $firewall{'nfqueue'} || 'disabled';
    if ($nfqueue eq 'enabled') {
        $OUT .= "# Enable NFQ for RELATED connections\n";
        $OUT .= "NFQBY\tloc\tnet\n";
        $OUT .= "NFQBY\tnet\tloc\n";
        $OUT .= "NFQBY\tnet\tfw\n";
        $OUT .= "NFQBY\tfw\tnet\n";
        my $ndb = esmith::NetworksDB->open_ro();
        if ($ndb->blue) {
            $OUT .= "NFQBY\tblue\tnet\n";
        }
        # the orange zone is named "orang" in shorewall
        if ($ndb->orange) {
            $OUT .= "NFQBY\torang\tnet\n";
        }
        if ($ndb->blue && $ndb->orange) {
            $OUT .= "NFQBY\tblue\torang\n";
        }
    }
}
```
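A way to check that the workaround (or the fixed package) actually produced the expected IPS rules, as an added example that is not part of this ticket or of the nethserver-firewall-base code: the script below parses a generated shorewall rules file, collects the NFQBY lines per ?SECTION, and compares them with the zone pairs the two templates above are supposed to emit for the zones present on the box. The sample rules text is constructed here; the function names are assumptions, and the zone name "orang" is the shorewall name for the orange zone as used in the templates.

```python
"""Verify IPS (NFQBY) coverage of zone pairs in a generated shorewall rules file."""
import sys
from typing import Dict, Iterable, List, Set, Tuple

Pair = Tuple[str, str]

# Constructed sample: the orange rule is present in ESTABLISHED but missing in RELATED.
SAMPLE_RULES = """\
#
# SECTION ESTABLISHED
#
?SECTION ESTABLISHED
# Enable NFQ for ESTABLISHED connections
NFQBY\tloc\tnet
NFQBY\tnet\tloc
NFQBY\tnet\tfw
NFQBY\tfw\tnet
NFQBY\torang\tnet
#
# SECTION RELATED
#
?SECTION RELATED
# Enable NFQ for RELATED connections
NFQBY\tloc\tnet
NFQBY\tnet\tloc
NFQBY\tnet\tfw
NFQBY\tfw\tnet
"""


def expected_nfq_pairs(zones: Iterable[str]) -> Set[Pair]:
    """Zone pairs the templates emit, given which optional zones exist.

    Mirrors the template logic: loc/net and net/fw in both directions always,
    blue->net if a blue zone exists, orang->net if an orange zone exists,
    and blue->orang when both exist.
    """
    present = set(zones)
    pairs = {("loc", "net"), ("net", "loc"), ("net", "fw"), ("fw", "net")}
    if "blue" in present:
        pairs.add(("blue", "net"))
    if "orang" in present:
        pairs.add(("orang", "net"))
    if {"blue", "orang"} <= present:
        pairs.add(("blue", "orang"))
    return pairs


def parse_nfq_pairs(rules_text: str) -> Dict[str, Set[Pair]]:
    """Map each rules section to the (source, dest) zone pairs carrying NFQBY.

    Handles both '?SECTION NAME' and the older 'SECTION NAME' syntax; rules
    seen before any section header are attributed to NEW, as shorewall does.
    Comments (after '#') and blank lines are ignored.
    """
    sections: Dict[str, Set[Pair]] = {}
    current = "NEW"
    for raw in rules_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] in ("?SECTION", "SECTION") and len(fields) >= 2:
            current = fields[1]
            continue
        if fields[0] == "NFQBY" and len(fields) >= 3:
            sections.setdefault(current, set()).add((fields[1], fields[2]))
    return sections


def missing_ips_coverage(rules_text: str, zones: Iterable[str],
                         sections: Iterable[str] = ("ESTABLISHED", "RELATED")
                         ) -> List[Tuple[str, str, str]]:
    """Return (section, source, dest) triples that lack an NFQBY rule."""
    found = parse_nfq_pairs(rules_text)
    expected = expected_nfq_pairs(zones)
    gaps = []
    for section in sections:
        for src, dst in sorted(expected - found.get(section, set())):
            gaps.append((section, src, dst))
    return gaps


if __name__ == "__main__":
    # Usage: python check_ips_rules.py /etc/shorewall/rules loc blue orang
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/shorewall/rules"
    zones = sys.argv[2:] or ["loc"]
    with open(path) as fh:
        text = fh.read()
    for section, src, dst in missing_ips_coverage(text, zones):
        print("missing NFQBY %s -> %s in section %s" % (src, dst, section))
```

Run it against the expanded /etc/shorewall/rules after `signal-event nethserver-firewall-base-update` (or whatever event regenerates the file on your version), passing the zone names that exist on the host; an empty output means every zone pair the templates are meant to cover is queued to the IPS in both sections.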
#3
Updated by Giacomo Sanchietti over 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Giacomo Sanchietti
- % Done changed from 20 to 30
#4
Updated by Giacomo Sanchietti over 6 years ago
- Category changed from nethserver-snort to nethserver-firewall-base
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#5
Updated by Giacomo Sanchietti over 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
Package in nethserver-testing:
- nethserver-firewall-base-2.5.1-1.24.g6ffa8a0.ns6.noarch.rpm
- Check the bug is not reproducible
#6
Updated by Davide Principi over 6 years ago
- Assignee set to Davide Principi
#7
Updated by Davide Principi over 6 years ago
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 90
VERIFIED
#8
Updated by Davide Principi over 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
CLOSED
In nethserver-updates:
nethserver-firewall-base-2.6.0-1.ns6.noarch.rpm