Bug #3200

shorewall syntax error with port-range port fwd and IPS

Added by Filippo Carletti about 6 years ago. Updated about 6 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: nethserver-firewall-base
Target version: v6.6
Security class:
Resolution:
Affected version: v6.6
NEEDINFO: No

Description

Port forwarding produces a shorewall syntax error when the following conditions are met:
  • the IPS is enabled
  • the Destination field is left empty OR the Origin port is a port interval X:Y
  • WAN IP (red interface) is not "Any"
Task completed with errors
Configuring shorewall #24 (exit status 1)
 ERROR: Invalid/Unknown tcp port/service (192.168.5.64) /etc/shorewall/rules (line 153)

The error is not present if the IPS is disabled.
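The failure the description reports, as an added Python illustration (not the project's Perl template): the IPS (NFQBY) line carries the destination port in its DPORT column, so when that field is empty or the origin port is a range, whatever follows it (here the original-destination address) slides into the port column and shorewall rejects the file. The zone names `net`/`loc`, the simplified column layout and the sample values are assumptions.

```python
import re

# Shorewall accepts a single port or a low:high range in the DPORT column.
PORT_OR_RANGE = re.compile(r"^\d{1,5}(?::\d{1,5})?$")


def nfqby_line(proto, src, dst, src_host="", ori_dst="", fixed=True):
    """Build the IPS (NFQBY) rule for one port forward.

    src: origin port, a single port or 'start:end'; dst: destination port,
    '' when the field was left empty; src_host / ori_dst: optional trailing
    columns, already tab-prefixed as in the template (assumption).
    fixed=False reproduces the pre-fix behaviour of always emitting dst.
    """
    port = dst
    if fixed and (":" in src or dst == ""):
        # A range cannot be remapped and an empty field has nothing to
        # forward to, so the IPS rule must match the origin port instead.
        port = src
    return f"NFQBY\tnet\tloc\t{proto}\t{port}{src_host}{ori_dst}\n"


def dport_column(line):
    """Return the DPORT column (5th whitespace-separated field) of a rule."""
    fields = line.split()
    return fields[4] if len(fields) > 4 else ""


def check_rule(line, lineno):
    """Mimic the compile-time check that produced the reported error.

    Returns None when the port column is acceptable, otherwise the message.
    """
    port = dport_column(line)
    if port and not PORT_OR_RANGE.match(port):
        return (f"ERROR: Invalid/Unknown tcp port/service ({port}) "
                f"/etc/shorewall/rules (line {lineno})")
    return None


if __name__ == "__main__":
    # Constructed case from the report: origin range, empty destination
    # port, and a specific red (WAN) address as the original destination.
    for fixed in (False, True):
        line = nfqby_line("tcp", "3000:3010", "", ori_dst="\t192.168.5.64", fixed=fixed)
        print("fixed" if fixed else "buggy", repr(line), check_rule(line, 153))
```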


Related issues

Related to NethServer 6 - Bug #3232: hairpin nat - shorewall syntax error with port-range port... CLOSED

Associated revisions

Revision 0618e45c
Added by Filippo Carletti about 6 years ago

port forward: fix range with IPS. Refs bug #3200

Revision 58721009
Added by Filippo Carletti about 6 years ago

port forward: fix empty dest port with IPS. Refs bug #3200

History

#1 Updated by Filippo Carletti about 6 years ago

Here's a fix:

-            $OUT.="NFQBY\tnet$allow\t".$z[0]."\t$proto\t$dst$srcHost$oriDst\n";
+            if ($src =~ /:/) {
+                $OUT.="NFQBY\tnet$allow\t".$z[0]."\t$proto\t$src$srcHost$oriDst\n";
+            } else {
+                $OUT.="NFQBY\tnet$allow\t".$z[0]."\t$proto\t$dst$srcHost$oriDst\n";
+            }
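Review bot: the new condition only covers the origin-port range case (`$src =~ /:/`); the description's second trigger, an empty Destination port, still takes the else branch and emits an empty `$dst`, so the following column slides into DPORT, which is exactly what the reported `Invalid/Unknown tcp port/service (192.168.5.64)` shows. Extend the test to `if ($src =~ /:/ || $dst eq '')`, or compute the port once (`my $port = ($src =~ /:/ || $dst eq '') ? $src : $dst;`) and emit a single `$OUT.=` line instead of duplicating the format string in both branches.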

#2 Updated by Filippo Carletti about 6 years ago

  • Status changed from NEW to TRIAGED
  • Assignee set to Filippo Carletti
  • % Done changed from 0 to 20

#3 Updated by Filippo Carletti about 6 years ago

  • Status changed from TRIAGED to ON_DEV
  • % Done changed from 20 to 30

#4 Updated by Filippo Carletti about 6 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Filippo Carletti)
  • % Done changed from 30 to 60

Fixed in
nethserver-firewall-base-2.6.2-1.2.g0618e45.ns6.noarch.rpm
nethserver-firewall-base-2.6.2-1.3.g5872100.ns6.noarch.rpm

Test case 1
  1. enable IPS
  2. create a port forward with a port range (start:end)
  3. see the error box
  4. delete the fwd
  5. update to above package
  6. create the same port fwd
  7. create a port fwd with an empty destination port
Test case 2
  1. disable IPS
  2. create a port forward with a port range (start:end)
  3. see the error box
  4. delete the fwd
  5. update to above package
  6. create the same port fwd

#5 Updated by Filippo Carletti about 6 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

#6 Updated by Davide Principi about 6 years ago

  • Assignee set to Davide Principi
  • Target version set to v6.6

#7 Updated by Davide Principi about 6 years ago

  • Description updated (diff)
  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 70 to 90

Changed bug description.

Wan IP must not be "Any"

VERIFIED

The modified package fixes all the cases.

#8 Updated by Davide Principi about 6 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-firewall-base-2.6.3-1.ns6.noarch.rpm

#9 Updated by Filippo Carletti about 6 years ago

  • Related to Bug #3232: hairpin nat - shorewall syntax error with port-range port fwd and IPS added
