Bug #3371

Shorewall error with a particular port forward rule and IPS

Added by Davide Marini over 3 years ago. Updated over 3 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 100%
Category: -
Target version: v6.7
Security class:
Resolution: WORKSFORME
Affected version:
NEEDINFO: No

Description

Shorewall returns an error when IPS and port forwarding are configured this way:

IPS: enabled
port forward with a rule working on a port range (not only a single port)

  • SHOREWALL CHECK
Checking /etc/shorewall/action.NFQBY for chain NFQBY...
   ERROR: Invalid/Unknown udp port/service (37.186.244.52) /etc/shorewall/rules (line 204)
  • the bad line /etc/shorewall/rules:
?COMMENT wildix from lan
DNAT-   loc     192.168.0.17    udp     10000:15000     -       37.186.244.52
NFQBY   loc     loc     udp             -       37.186.244.52

  • a good rule in /etc/shorewall/rules:
?COMMENT wildix from lan
DNAT-   loc     192.168.0.17:443        tcp     443     -       37.186.244.52
NFQBY   loc     loc     tcp     443     -       37.186.244.52

The problem does not occur if IPS is disabled or port forwarding rules are using only a single port.
It seems that the IPS rule fails because of the missing destination port field in the port forward rule; putting the missing destination port range in the NFQBY rule, Shorewall works correctly:

?COMMENT wildix from lan
DNAT-   loc     192.168.0.17    udp     10000:15000     -       37.186.244.52
NFQBY   loc     loc     udp     10000:15000     -       37.186.244.52
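As an added example (not code from the report or from the NethServer project), the following Python linter reads a Shorewall `rules` file and flags the pattern described above. It assumes that the error arises because the NFQBY line has one column fewer than its DNAT- companion, so the original-destination address shifts into the SOURCE PORT column and Shorewall tries to parse it as a port; the checks are that no port column holds an IP address and that an NFQBY line following a DNAT- line carries the same DEST PORT. The sample rules are constructed to match the bad and good pairs shown in the report.

```python
import ipaddress
import re

# Constructed sample, shaped after the report: a DNAT- rule with a port range
# whose NFQBY companion lacks the DEST PORT column, followed by a good pair.
SAMPLE_RULES = """\
?COMMENT wildix from lan
DNAT-   loc     192.168.0.17    udp     10000:15000     -       37.186.244.52
NFQBY   loc     loc     udp             -       37.186.244.52

?COMMENT wildix from lan
DNAT-   loc     192.168.0.17:443        tcp     443     -       37.186.244.52
NFQBY   loc     loc     tcp     443     -       37.186.244.52
"""

# The same first pair with the port range copied into the NFQBY line
# (the working form the reporter ended up with); constructed.
FIXED_RULES = """\
?COMMENT wildix from lan
DNAT-   loc     192.168.0.17    udp     10000:15000     -       37.186.244.52
NFQBY   loc     loc     udp     10000:15000     -       37.186.244.52
"""

# Column order of a Shorewall rules line, as far as this linter needs it.
COLUMNS = ["ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "ORIGDEST"]


def parse_rules(text):
    """Split each rule line into named columns; skip blanks, ?COMMENT and # lines."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("?") or line.startswith("#"):
            continue
        fields = line.split()
        rule = dict(zip(COLUMNS, fields))
        rule["_line"] = lineno
        rule["_nfields"] = len(fields)
        rules.append(rule)
    return rules


def looks_like_address(value):
    """True when a column value parses as an IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def lint(text):
    """Return (line number, message) findings for shifted or mismatched port columns."""
    findings = []
    rules = parse_rules(text)
    for i, rule in enumerate(rules):
        # An address in a port column means the columns shifted left by one.
        for col in ("DPORT", "SPORT"):
            val = rule.get(col)
            if val is not None and looks_like_address(val):
                findings.append(
                    (rule["_line"], f"{col} holds an address ({val}); a column is missing"))
        # An NFQBY line that follows a DNAT- line must carry the same DEST PORT.
        if rule["ACTION"] == "NFQBY" and i > 0 and rules[i - 1]["ACTION"] == "DNAT-":
            want = rules[i - 1].get("DPORT")
            got = rule.get("DPORT")
            if got != want:
                findings.append(
                    (rule["_line"], f"NFQBY DPORT {got!r} differs from DNAT- DPORT {want!r}"))
    return findings


if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE_RULES):
        print(f"line {lineno}: {msg}")
    print("fixed rules:", lint(FIXED_RULES) or "no findings")
```

Run against a real file with `lint(open("/etc/shorewall/rules").read())`; the linter only reads text and reports line numbers, so it is safe to run before `shorewall check` on a generated rules file.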

History

#1 Updated by Filippo Carletti over 3 years ago

  • Status changed from NEW to CLOSED
  • % Done changed from 0 to 100
  • Resolution set to WORKSFORME

I cannot reproduce the bug.

#2 Updated by Giacomo Sanchietti over 3 years ago

  • Target version set to v6.7
