Bug #3200
shorewall syntax error with port-range port fwd and IPS
Status: | CLOSED | Start date: | |
---|---|---|---|
Priority: | Normal | Due date: | |
Assignee: | - | % Done: | 100% |
Category: | nethserver-firewall-base | | |
Target version: | v6.6 | | |
Security class: | | Resolution: | |
Affected version: | v6.6 | NEEDINFO: | No |
Description
Port forwarding produces a shorewall syntax error when the following conditions are met:
- the IPS is enabled
- the Destination field is left empty OR the Origin port is a port interval X:Y
- WAN IP (red interface) is not "Any"
Task completed with errors Configuring shorewall #24 (exit status 1) ERROR: Invalid/Unknown tcp port/service (192.168.5.64) /etc/shorewall/rules (line 153)
The error is not present if the IPS is disabled.
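Added example (not part of the bug report or of nethserver-firewall-base): a pre-flight check that scans generated rules for NFQBY lines whose port columns hold something other than a port, range or service name, which is the condition shorewall rejects above. It assumes the standard shorewall rules column order (ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST); the function names and the sample lines are constructed for illustration.

```python
import re

# Assumed column order of a shorewall rules line:
# ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST ...
PORT_COLUMNS = {4: "DPORT", 5: "SPORT"}
SERVICE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_-]*$")


def valid_port_token(token):
    """Accept a numeric port, an open or closed range (X:Y), or a service name."""
    if ":" in token:
        low, _, high = token.partition(":")
        if not (low or high) or not all(p == "" or p.isdigit() for p in (low, high)):
            return False
        return 0 <= int(low or 0) <= int(high or 65535) <= 65535
    if token.isdigit():
        return 0 <= int(token) <= 65535
    return bool(SERVICE_NAME.match(token))


def valid_port_spec(spec):
    """A port column holds '-' (any) or a comma-separated list of port tokens."""
    if spec == "-":
        return True
    return all(valid_port_token(t) for t in spec.split(","))


def check_rules(text, actions=("NFQBY",)):
    """Return (line_number, column_name, value) for each bad port column."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = line.split("#", 1)[0].split()  # drop comments, split on whitespace
        if not fields or fields[0] not in actions:
            continue
        for index, name in PORT_COLUMNS.items():
            if index < len(fields) and not valid_port_spec(fields[index]):
                findings.append((lineno, name, fields[index]))
    return findings


# Constructed sample, not taken from the rules file in the bug report.
SAMPLE = """\
NFQBY\tnet\tloc:192.168.1.10\ttcp\t8000:8010\t-\t192.168.5.64
NFQBY\tnet\tloc:192.168.1.10\ttcp\t192.168.5.64
NFQBY\tnet\tloc:192.168.1.10\ttcp\t443\t-\t192.168.5.64
"""

if __name__ == "__main__":
    for lineno, column, value in check_rules(SAMPLE):
        print(f"line {lineno}: {column} holds {value!r}, not a port or service")
```
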
Related issues
Associated revisions
port forward: fix range with IPS. Refs bug #3200
port forward: fix empty dest port with IPS. Refs bug #3200
History
#1 Updated by Filippo Carletti about 6 years ago
Here's a fix:
- $OUT.="NFQBY\tnet$allow\t".$z[0]."\t$proto\t$dst$srcHost$oriDst\n"; + if ($src =~ /:/) { + $OUT.="NFQBY\tnet$allow\t".$z[0]."\t$proto\t$src$srcHost$oriDst\n"; + } else { + $OUT.="NFQBY\tnet$allow\t".$z[0]."\t$proto\t$dst$srcHost$oriDst\n"; + }
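Review bot: the `$src =~ /:/` test covers only the port-range condition from the description; the other trigger, an empty Destination field, still falls into the else branch and emits `$dst` unchanged, so it needs its own handling or a comment saying where that is done. The two branches differ only in `$src` versus `$dst`, so the port could be chosen once before building the line (for example `my $port = ($src =~ /:/) ? $src : $dst;`) and a single `$OUT.=` kept. A short comment explaining why the origin range replaces the destination port in the NFQBY rule would also help the next reader.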
#2 Updated by Filippo Carletti about 6 years ago
- Status changed from NEW to TRIAGED
- Assignee set to Filippo Carletti
- % Done changed from 0 to 20
#3 Updated by Filippo Carletti about 6 years ago
- Status changed from TRIAGED to ON_DEV
- % Done changed from 20 to 30
#4 Updated by Filippo Carletti about 6 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Filippo Carletti)
- % Done changed from 30 to 60
Fixed in nethserver-firewall-base-2.6.2-1.2.g0618e45.ns6.noarch.rpm
nethserver-firewall-base-2.6.2-1.3.g5872100.ns6.noarch.rpm
- enable IPS
- create a port forward with a port range (start:end)
- see the error box
- delete the fwd
- update to above package
- create the same port fwd
- create a port fwd with an empty destination port
- disable IPS
- create a port forward with a port range (start:end)
- see the error box
- delete the fwd
- update to above package
- create the same port fwd
#5 Updated by Filippo Carletti about 6 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
#6 Updated by Davide Principi about 6 years ago
- Assignee set to Davide Principi
- Target version set to v6.6
#7 Updated by Davide Principi about 6 years ago
- Description updated (diff)
- Status changed from ON_QA to VERIFIED
- Assignee deleted (Davide Principi)
- % Done changed from 70 to 90
Changed bug description.
Wan IP must not be "Any"
VERIFIED
The modified package fixes all the cases.
#8 Updated by Davide Principi about 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates:
nethserver-firewall-base-2.6.3-1.ns6.noarch.rpm
#9 Updated by Filippo Carletti about 6 years ago
- Related to Bug #3232: hairpin nat - shorewall syntax error with port-range port fwd and IPS added