Bug #3232
hairpin nat - shorewall syntax error with port-range port fwd and IPS
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | nethserver-firewall-base | | |
| Target version: | v6.6 | | |
| Security class: | | Resolution: | |
| Affected version: | v6.6 | NEEDINFO: | No |
Description
See issue #3200, the same fix is needed for hairpin nat.
An enhancement could merge the two templates.
Related issues
Associated revisions
Fix hairpin nat port fwd range with IPS. Refs #3232
Port forward: merge template fragments. Refs #3232
Fix hairpin nat port fwd range with IPS /2. Refs #3232
Fix hairpin nat port fwd range with IPS /3. Refs #3232
History
#1 Updated by Filippo Carletti about 6 years ago
- Related to Bug #3200: shorewall syntax error with port-range port fwd and IPS added
#2 Updated by Filippo Carletti about 6 years ago
- Status changed from NEW to TRIAGED
- % Done changed from 0 to 20
#3 Updated by Filippo Carletti about 6 years ago
- Status changed from TRIAGED to ON_DEV
- Assignee set to Filippo Carletti
- Target version set to v6.6
- % Done changed from 20 to 30
#4 Updated by Giacomo Sanchietti about 6 years ago
- Assignee changed from Filippo Carletti to Giacomo Sanchietti
#5 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from ON_DEV to MODIFIED
- % Done changed from 30 to 60
#6 Updated by Giacomo Sanchietti about 6 years ago
- Status changed from MODIFIED to ON_QA
- Assignee deleted (Giacomo Sanchietti)
- % Done changed from 60 to 70
- nethserver-firewall-base-2.6.5-1.7.g4e4b34e.ns6.noarch.rpm
- Create some port forwards with and without IPS enabled
- Check all port forwards work fine
- From test case 1, enable hairpin nat
- Check all port forwards are also enabled from the loc zone
You can use this command to compare generated rules before and after the update:
iptables -t nat -nL
#7 Updated by Filippo Carletti about 6 years ago
- Status changed from ON_QA to TRIAGED
- % Done changed from 70 to 20
Port forward syntax with IPS enabled is wrong. A backslash is missing:
[root@ns65 ~]# diff 50pf /etc/e-smith/templates/etc/shorewall/rules/50pf 64c64 < $OUT.="NFQBY\t$_t$allow\t".$z[0]."\t$proto\t$dst$srcHost$oriDst\n"; --- > $OUT.="NFQBY\t$_\t$allow\t".$z[0]."\t$proto\t$dst$srcHost$oriDst\n";
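Review bot: in the `<` line, `"NFQBY\t$_t$allow\t"` interpolates a variable named `$_t` (undefined, hence empty) instead of `$_` followed by a tab, so the source zone and one column separator both disappear from the generated rule; Shorewall then reads `$z[0]` as SOURCE and `$proto` as DEST, which is exactly the "Unknown destination zone (tcp)" error reported in comment #11. The `>` form `$_\t$allow` restores the column (writing it as `${_}\t$allow` makes the variable boundary explicit); the hairpin template needs the same correction, since this bug is filed against it.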
#8 Updated by Filippo Carletti almost 6 years ago
- Status changed from TRIAGED to ON_DEV
- % Done changed from 20 to 30
#9 Updated by Filippo Carletti almost 6 years ago
- Assignee set to Filippo Carletti
#10 Updated by Filippo Carletti almost 6 years ago
- Status changed from ON_DEV to MODIFIED
- Assignee deleted (Filippo Carletti)
- % Done changed from 30 to 60
#11 Updated by Filippo Carletti almost 6 years ago
- nethserver-firewall-base-2.6.5-1.10.gc065620.ns6.noarch.rpm
- enable ips and create a port forward: shorewall check should display:
Checking /etc/shorewall/action.NFQBY for chain NFQBY... ERROR: Unknown destination zone (tcp) /etc/shorewall/rules
- update package, shorewall check should pass
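As an added example (not the NethServer 50pf template or the project's own code), the following Perl script renders the rules line from the diff in comment #7 both with and without the missing backslash, then applies the column check that the shorewall check error above reflects. The zone names and port are constructed sample values, and `$allow` is assumed to be empty in the failing case.

```perl
#!/usr/bin/perl
# Added example, not the NethServer 50pf template: renders the rules line
# from the diff in comment #7 with and without the missing backslash and
# checks the columns the way Shorewall reads them (whitespace-separated).
use strict;
use warnings;

# Constructed sample values for the template variables; $allow is assumed
# empty, which is what makes the lost tab collapse two columns into one.
my $allow   = '';
my @z       = ('loc');          # destination zone
my $proto   = 'tcp';
my $dst     = '8888';
my $srcHost = "\t-";            # SOURCE PORT column
my $oriDst  = "\t-\n";          # ORIGINAL DEST column
my %known_zone = map { $_ => 1 } qw(net loc);

# Buggy line: inside a double-quoted string "$_t" is the variable $_t,
# not $_ followed by "\t", so the source zone and its tab both vanish.
sub render_buggy {
    local $_ = shift;           # source zone, as in the template loop
    no strict 'vars';           # the template did not run under strict,
    no warnings 'uninitialized'; # so the undefined $_t silently became ""
    return "NFQBY\t$_t$allow\t" . $z[0] . "\t$proto\t$dst$srcHost$oriDst";
}

# Fixed line from the ">" side of the diff.
sub render_fixed {
    local $_ = shift;
    return "NFQBY\t$_\t$allow\t" . $z[0] . "\t$proto\t$dst$srcHost$oriDst";
}

# Minimal stand-in for "shorewall check": split on whitespace and verify
# that column 3 (DEST) names a zone. A missing separator shifts every
# later column left, so PROTO lands where DEST should be.
sub check_rule {
    my ($line) = @_;
    my @col = split /\s+/, $line;   # ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST
    my $dest = defined $col[2] ? $col[2] : '';
    return "ERROR: Unknown destination zone ($dest)" unless $known_zone{$dest};
    return "ok: @col";
}

print "buggy: ", check_rule(render_buggy('net')), "\n";
print "fixed: ", check_rule(render_fixed('net')), "\n";
```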
#12 Updated by Filippo Carletti almost 6 years ago
- Status changed from MODIFIED to ON_QA
- % Done changed from 60 to 70
#13 Updated by Luca Gasparini almost 6 years ago
- Status changed from ON_QA to VERIFIED
- % Done changed from 70 to 90
update package.
enable IPS and create port forward
shorewall configuration check verified:
?COMMENT test from net
DNAT- net 192.168.1.100:8888 tcp 8888 - -
NFQBY net loc tcp 8888 - -
#14 Updated by Davide Principi almost 6 years ago
- Status changed from VERIFIED to CLOSED
- % Done changed from 90 to 100
In nethserver-updates/6.6
nethserver-firewall-base-2.7.0-1.ns6.noarch.rpm
#15 Updated by Davide Principi almost 6 years ago
HOTFIX release in nethserver/6.6
nethserver-firewall-base-2.7.0-2.ns6.noarch.rpm
* ven ago 28 2015 Davide Principi <davide.principi@nethesis.it> - 2.7.0-2
- (Hotfix) Fix hairpin nat port fwd range with IPS /3. - Bug #3232 [NethServer]
#16 Updated by Filippo Carletti almost 6 years ago
- Related to Bug #3248: hairpin nat intercepts outgoing traffic if port forward is on Any ip added