Bug #3371

Shorewall error with a particular port forward rule and IPS

Added by Davide Marini almost 5 years ago. Updated over 4 years ago.

Status: CLOSED
Start date:
Priority: Normal
Due date:
Assignee: -
% Done:

Target version: v6.7
Security class:
Resolution: WORKSFORME
Affected version:
NEEDINFO: No


Shorewall returns an error when IPS and port forwarding are configured this way:

IPS: enabled
port forward with a rule working on a port range (not only a single port)

Checking /etc/shorewall/action.NFQBY for chain NFQBY...
   ERROR: Invalid/Unknown udp port/service ( /etc/shorewall/rules (line 204)
  • the bad lines in /etc/shorewall/rules:
?COMMENT wildix from lan
DNAT-   loc    udp     10000:15000     -
NFQBY   loc     loc     udp             -

  • a good rule in /etc/shorewall/rules:
?COMMENT wildix from lan
DNAT-   loc        tcp     443     -
NFQBY   loc     loc     tcp     443     -

The problem does not occur if IPS is disabled or if the port forwarding rules use only a single port.
It seems that the IPS rule fails because of the missing destination port field in the port forward rule; after putting the missing destination port range in the NFQBY rule, Shorewall works correctly:

?COMMENT wildix from lan
DNAT-   loc    udp     10000:15000     -
NFQBY   loc     loc     udp     10000:15000     -


#1 Updated by Filippo Carletti almost 5 years ago

  • Status changed from NEW to CLOSED
  • % Done changed from 0 to 100
  • Resolution set to WORKSFORME

I cannot reproduce the bug.

#2 Updated by Giacomo Sanchietti over 4 years ago

  • Target version set to v6.7
