Bug #3371
Shorewall error with a particular port forward rule and IPS
| Status: | CLOSED | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 100% |
| Category: | - | | |
| Target version: | v6.7 | | |
| Security class: | | Resolution: | WORKSFORME |
| Affected version: | | NEEDINFO: | No |
Description
Shorewall returns an error when IPS and port forwarding are working this way:

- IPS: enabled
- port forward with a rule working on a port range (not only a single port)

- SHOREWALL CHECK:

```
Checking /etc/shorewall/action.NFQBY for chain NFQBY... ERROR: Invalid/Unknown udp port/service (37.186.244.52) /etc/shorewall/rules (line 204)
```

- the bad line in /etc/shorewall/rules:

```
?COMMENT wildix from lan
DNAT-   loc   192.168.0.17   udp   10000:15000   -   37.186.244.52
NFQBY   loc   loc            udp   -             37.186.244.52
```

- a good rule in /etc/shorewall/rules:

```
?COMMENT wildix from lan
DNAT-   loc   192.168.0.17:443   tcp   443   -   37.186.244.52
NFQBY   loc   loc                tcp   443   -   37.186.244.52
```

The problem does not occur if IPS is disabled or if the port forwarding rules use only a single port.

It seems that the IPS rule fails because of the missing destination port field in the port forward rule; putting the missing destination port range in the NFQBY rule, shorewall works correctly:

```
?COMMENT wildix from lan
DNAT-   loc   192.168.0.17   udp   10000:15000   -   37.186.244.52
NFQBY   loc   loc            udp   10000:15000   -   37.186.244.52
```
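The failure above is a column shift: when the DPORT column of the generated NFQBY rule is left out, the ORIGDEST address slides into SPORT and Shorewall rejects it as an unknown port. The lint script below, added here as an example and not NethServer or Shorewall code, parses rules-file lines with the standard `ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST` layout, flags any port column that holds an address instead of a port or range, and applies the same correction the reporter made by hand (copying the DPORT of the preceding `DNAT-` rule into the `NFQBY` rule). The sample rules are constructed from the lines quoted in this report; the column layout and the `fix_shifted_nfqby` heuristic are assumptions for illustration.

```python
"""Lint Shorewall rules for port columns that hold an address (column shift).

Added example, not NethServer or Shorewall code. Assumed column order:
ACTION SOURCE DEST PROTO DPORT SPORT ORIGDEST (the common rules-file layout).
"""
import ipaddress
import re

COLUMNS = ["ACTION", "SOURCE", "DEST", "PROTO", "DPORT", "SPORT", "ORIGDEST"]
PORT_RE = re.compile(r"^\d{1,5}(:\d{1,5})?$")  # single port or low:high range

# Constructed sample: the bad udp rule set (NFQBY missing its DPORT column)
# followed by the good tcp/443 rule set, as quoted in the report.
SAMPLE_RULES = """\
?COMMENT wildix from lan
DNAT-   loc   192.168.0.17        udp   10000:15000   -   37.186.244.52
NFQBY   loc   loc                 udp   -             37.186.244.52
?COMMENT wildix from lan
DNAT-   loc   192.168.0.17:443    tcp   443           -   37.186.244.52
NFQBY   loc   loc                 tcp   443           -   37.186.244.52
"""


def parse_rule(line):
    """Split one rule line into a column dict; absent trailing columns become '-'."""
    fields = line.split()
    fields += ["-"] * (len(COLUMNS) - len(fields))
    return dict(zip(COLUMNS, fields[: len(COLUMNS)]))


def is_address(value):
    """True if value parses as an IPv4/IPv6 address or network."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def port_field_ok(value):
    """A port column may be '-', a port, a low:high range, a named service,
    or a comma-separated list of those. An IP address is never valid here."""
    if value == "-":
        return True
    if is_address(value):
        return False
    for part in value.split(","):
        if part.isalpha():  # named service such as 'domain' or 'ssh'
            continue
        if not PORT_RE.match(part):
            return False
        ports = [int(p) for p in part.split(":")]
        if not all(1 <= p <= 65535 for p in ports) or ports != sorted(ports):
            return False
    return True


def lint_rules(text):
    """Return (lineno, message) for every rule whose DPORT/SPORT is not a port."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "?")):  # comments and ?COMMENT/?IF lines
            continue
        rule = parse_rule(line)
        for col in ("DPORT", "SPORT"):
            value = rule[col]
            if is_address(value):
                findings.append((lineno, f"{rule['ACTION']}: {col} holds address "
                                         f"{value}; a column is probably missing"))
            elif not port_field_ok(value):
                findings.append((lineno, f"{rule['ACTION']}: {col} {value!r} is not "
                                         f"a port, range or service name"))
    return findings


def fix_shifted_nfqby(text):
    """Heuristic repair (assumed, not Shorewall behaviour): an NFQBY rule with an
    empty DPORT and an address in SPORT gets the DPORT of the preceding DNAT-
    rule, and the address is moved back into ORIGDEST."""
    out, prev = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith(("#", "?")):
            rule = parse_rule(line)
            if (rule["ACTION"] == "NFQBY" and rule["DPORT"] == "-"
                    and is_address(rule["SPORT"])
                    and prev is not None and prev["ACTION"] == "DNAT-"):
                rule["ORIGDEST"] = rule["SPORT"]
                rule["SPORT"] = "-"
                rule["DPORT"] = prev["DPORT"]
                raw = "\t".join(rule[c] for c in COLUMNS)
            prev = rule
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, msg in lint_rules(SAMPLE_RULES):
        print(f"line {lineno}: {msg}")
    print(fix_shifted_nfqby(SAMPLE_RULES))
```

Run against the sample, the linter reports only the third line (the udp NFQBY rule with `37.186.244.52` in its SPORT column); after `fix_shifted_nfqby` that line carries `10000:15000` as DPORT and the linter is silent, which is the corrected rule the reporter arrived at. Pointing the script at a real `/etc/shorewall/rules` before `shorewall check` catches this class of template error without waiting for the compile to fail.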
History
#1 Updated by Filippo Carletti over 5 years ago
- Status changed from NEW to CLOSED
- % Done changed from 0 to 100
- Resolution set to WORKSFORME
I cannot reproduce the bug.
#2 Updated by Giacomo Sanchietti about 5 years ago
- Target version set to v6.7