0000215: can't access servers behind the orange interface from pc's on the green interface (lan) - MantisBT
MantisBT - Endian Firewall
View Issue Details
ID: 0000215
Project: Endian Firewall
Category: Network related (VPN, uplinks)
View Status: public
Date Submitted: 2007-07-06 08:16
Last Update: 2007-12-31 19:15
Reporter: clubbing80s
Assigned To: peter-endian
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 2.1
Fixed in Version: 2.2-beta2
0000215: can't access servers behind the orange interface from pc's on the green interface (lan)
Hi
I can't access the services on the servers in the dmz attached to the orange interface from my lan / vpn (openvpn) clients on the green interface. I have ensured that the ports are open on the green interface (25, 80, 110, 143 etc.). I can access these same services via the red interface (internet).

Many Thanks
Gregory Machin
No tags attached.
txt info.txt (19,292) 2007-07-17 09:09
https://bugs.endian.com/file_download.php?file_id=39&type=bug
? rc.firewall (19,867) 2007-07-17 09:10
https://bugs.endian.com/file_download.php?file_id=40&type=bug
? rc.firewall-19072007 (20,069) 2007-07-19 07:19
https://bugs.endian.com/file_download.php?file_id=41&type=bug
Issue History
Date Modified      Username         Field               Change
2007-07-06 08:16   clubbing80s      New Issue
2007-07-17 09:08   clubbing80s      Note Added: 0000395
2007-07-17 09:09   clubbing80s      File Added: info.txt
2007-07-17 09:10   clubbing80s      File Added: rc.firewall
2007-07-19 07:19   clubbing80s      File Added: rc.firewall-19072007
2007-07-19 07:24   clubbing80s      Note Added: 0000403
2007-09-07 16:02   raphael-endian   Status              new => assigned
2007-09-07 16:02   raphael-endian   Assigned To         => peter-endian
2007-10-27 18:54   peter-endian     Status              assigned => resolved
2007-10-27 18:54   peter-endian     Fixed in Version    => 2.2
2007-10-27 18:54   peter-endian     Resolution          open => fixed
2007-10-27 18:54   peter-endian     Note Added: 0000554
2007-12-31 19:15   raphael-endian   Fixed in Version    2.2-beta1 => 2.2-beta2
2007-12-31 19:15   raphael-endian   Status              resolved => closed

Notes
(0000395)
clubbing80s
2007-07-17 09:08
here is a clearer picture
Hi
I have tried a number of experiments and I'm not winning, but my understanding of how a dmz should work is that the pvt lan (green) should have full access to the dmz (orange) through ports that are open on the green interface/s, but the dmz should not be able to access the lan unless pinholes are configured...

this is my lab config

    +---------+
    | desktop |
    +---------+
         |
         | lan (192.168.2.0/24)
         |
    +---------+   dmz (192.168.1.0/24)   +--------+
    |   efw   |--------------------------| laptop |
    +---------+                          +--------+
         |
         | pppoe (adsl dialup)
         |
      Internet


where the lan pc is connected to efw via a switch, and the laptop (in the dmz) is connected to efw via a crossover cable.

and the internet is connected via crossover into an adsl modem configured in bridge mode..


both the lan desktop and the dmz laptop have efw as their default gw
from efw I can ping the desktop and the laptop
from the laptop I can ping efw but not the desktop - which I understand as being correct
from the desktop I can ping efw but not the laptop - which I understand as being incorrect
neither can I access ssh on the laptop from the desktop - which I understand as being incorrect.


here is the routing info from efw
root@proxy:~ # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
41.242.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br1
1.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
0.0.0.0 41.242.0.1 0.0.0.0 UG 0 0 0 ppp0

I have attached the iptables -vnL output as info.txt, as it won't display too well in most mail clients.
I have also attached the efw firewall build script for those who don't know endian firewall but are good with iptables... maybe someone has sharp eyes...

Many Thanks in advance ..
(0000403)
clubbing80s
2007-07-19 07:24
Hi
I have added some iptables rules to the rc.firewall script
after

function iptables_orange() {
    iptables -F ORANGEINPUT
    if ! has_orange; then
        return
    fi
    if [ -z "${ORANGE_DEV}" ]; then
        return
    fi
    iptables -A ORANGEINPUT -i "${ORANGE_DEV}" -j ACCEPT
    iptables -A ACCEPT_ALL -i "${ORANGE_DEV}" -o "${ORANGE_DEV}" -j ORANGE_ORANGE

Add

iptables -A FORWARD -i "${GREEN_DEV}" -o "${ORANGE_DEV}" -j ACCEPT
iptables -A FORWARD -i "${ORANGE_DEV}" -o "${GREEN_DEV}" -m state --state ESTABLISHED,RELATED -j ACCEPT

end

this gives green access to orange, but no access from orange to green, as per how a dmz should work.
please test and check that it does not break something else.
Gregory
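A self-contained version of the zone policy described in this note, added here as an example: it is neither Endian's rc.firewall code nor the reporter's patch. It assumes the green zone is br0 and the orange zone br1 (an assumption based on the route -n output above, not something the page states), and it defaults IPTABLES to echo so the generated rules can be reviewed without root before they are loaded. Compared with the two rules in the note, it puts the policy in its own chain, accepts ESTABLISHED,RELATED once for both directions, and ends with an explicit logged DROP so DMZ-initiated attempts toward the LAN show up in the firewall log instead of falling through to whatever follows in FORWARD.

```shell
#!/bin/sh
# Added example (not Endian's rc.firewall): minimal green<->orange zone policy.
# IPTABLES defaults to "echo iptables" so the rules can be reviewed unprivileged;
# run with IPTABLES=/sbin/iptables to actually load them.
: "${IPTABLES:=echo iptables}"
: "${GREEN_DEV:=br0}"    # assumed green (LAN) bridge, see route -n output
: "${ORANGE_DEV:=br1}"   # assumed orange (DMZ) bridge

zone_forward_rules() {
    green_dev="$1"
    orange_dev="$2"

    # Dedicated chain keeps the zone policy separate from the rest of FORWARD.
    $IPTABLES -N GREEN_ORANGE 2>/dev/null
    $IPTABLES -F GREEN_ORANGE

    # Return traffic for flows already accepted, in either direction.
    $IPTABLES -A GREEN_ORANGE -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New sessions: the trusted LAN may open connections into the DMZ ...
    $IPTABLES -A GREEN_ORANGE -i "$green_dev" -o "$orange_dev" -m state --state NEW -j ACCEPT

    # ... but the DMZ may not open connections into the LAN. Log (rate-limited)
    # and drop, so blocked attempts are visible and pinholes can be added deliberately.
    $IPTABLES -A GREEN_ORANGE -i "$orange_dev" -o "$green_dev" \
        -m limit --limit 5/min -j LOG --log-prefix "DMZ->LAN denied: "
    $IPTABLES -A GREEN_ORANGE -i "$orange_dev" -o "$green_dev" -j DROP

    # Hook the chain into FORWARD for both directions between the two zones.
    $IPTABLES -A FORWARD -i "$green_dev" -o "$orange_dev" -j GREEN_ORANGE
    $IPTABLES -A FORWARD -i "$orange_dev" -o "$green_dev" -j GREEN_ORANGE
}

zone_forward_rules "$GREEN_DEV" "$ORANGE_DEV"
```

Rule order matters when this is merged into a build script like rc.firewall: the two FORWARD jumps must sit before any earlier rule that already drops or rejects green-to-orange traffic, or they are never reached.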
(0000554)
peter-endian
2007-10-27 18:54
Please try with version 2.2, which has an extended zone firewall replacing dmzholes