0002165: duplicated or incomplete system access rules - MantisBT
MantisBT - Endian Firewall
View Issue Details
ID: 0002165
Project: Endian Firewall
Category: Firewall (iptables)
View Status: public
Date Submitted: 2009-09-16 08:19
Last Update: 2009-10-27 11:59
Reporter: luca-endian
Assigned To: peter-endian
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Product Version: 2.2
Fixed in Version: 2.3
Summary: 0002165: duplicated or incomplete system access rules
Description:
It seems that system access rules have problems when more IPs are specified. I've discovered this strange behaviour:

This is the rule which allows from two ips:
tcp,192.168.58.133&192.168.58.132,12345,on,,RED,,INPUTFW,ACCEPT,,test

And these are the created iptables rules:
root@cartman:/var/efw/xtaccess # iptables -nvvL INPUTFW | grep 12345
0 0 ALLOW tcp -- eth3 * 192.168.58.133 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth3 * 192.168.58.133 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth3 * 192.168.58.132 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth3 * 192.168.58.132 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth1 * 192.168.58.133 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth1 * 192.168.58.133 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth1 * 192.168.58.132 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth1 * 192.168.58.132 0.0.0.0/0 tcp dpt:12345

This firewall has 2 uplinks; can this partly explain the redundant rules?

I have also been informed that with 3 uplinks + 1 on hold, a rule which has source interface RED allows access from the main uplink only.
(see the attachment for more detail about this problem)

These two strange behaviours can be related. Probably there's something wrong in the cycle statement which iterates and creates the rules (this is my guess).

I don't know if this problem is restricted to the system access firewall; if not, it would be a major problem.
Tags: purple
Attached Files: sys-access-problem (3,721) 2009-09-16 08:19
https://bugs.endian.com/file_download.php?file_id=265&type=bug
Issue History
2009-09-16 08:19  luca-endian   New Issue
2009-09-16 08:19  luca-endian   Assigned To => peter-endian
2009-09-16 08:19  luca-endian   File Added: sys-access-problem
2009-09-16 08:19  luca-endian   Tag Attached: purple
2009-09-16 14:25  peter-endian  Relationship added: duplicate of 0001966
2009-09-16 14:27  peter-endian  Note Added: 0002961
2009-09-23 19:22  peter-endian  Status: new => resolved
2009-09-23 19:22  peter-endian  Fixed in Version => 2.3
2009-09-23 19:22  peter-endian  Resolution: open => fixed
2009-10-27 11:59  peter-endian  Status: resolved => closed

Notes
(0002961) peter-endian 2009-09-16 14:27
Happens always when there's both an IP and an interface selected as source.

The explosion code explodes both src_ip and src_dev, but there should be a possibility to bind an IP address to an interface, where the explode then will not produce every combination.
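The note above attributes the duplicates to the rule being exploded on both the source IP list and the source device list, and the report also describes a case where only the main uplink receives a rule. The script below is an added example, not Endian Firewall's or MantisBT's code: it models what a correct expansion of the reported rule line should produce (exactly one iptables rule per source device and source IP) and compares that with parsed `iptables -nvvL INPUTFW` output, listing rules that appear more than once and combinations that are absent. The meaning of rule-line fields beyond those named on the page, the mapping of the RED zone to eth3/eth1, and the three-uplink sample output are assumptions constructed for the example.

```python
"""Audit the iptables rules generated from one system access rule.

Added example, not Endian Firewall code. It models the expected expansion of
a rule line (one iptables rule per (source interface, source IP) pair) and
compares that with the rules actually present in the INPUTFW chain, so that
duplicated and missing combinations show up explicitly.
"""
import itertools
import re
from collections import Counter

# Rule line copied from the bug report. Only the protocol, the '&'-joined
# source IPs, the port, the enabled flag, the source zone, the chain and the
# target are used; the meaning of the remaining fields is an assumption.
RULE_LINE = "tcp,192.168.58.133&192.168.58.132,12345,on,,RED,,INPUTFW,ACCEPT,,test"

# Assumed mapping of the RED zone to the two uplink devices seen in the report.
ZONE_DEVICES_2_UPLINKS = {"RED": ["eth3", "eth1"]}

# `iptables -nvvL INPUTFW | grep 12345` from the report, wrapped lines rejoined.
# Columns: pkts bytes target prot opt in out source destination [match].
IPTABLES_OUTPUT_2_UPLINKS = """\
0 0 ALLOW tcp -- eth3 * 192.168.58.133 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth3 * 192.168.58.133 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth3 * 192.168.58.132 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth3 * 192.168.58.132 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth1 * 192.168.58.133 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth1 * 192.168.58.133 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth1 * 192.168.58.132 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth1 * 192.168.58.132 0.0.0.0/0 tcp dpt:12345
"""

# Constructed three-uplink scenario for the second symptom in the report:
# RED spans three devices but rules exist for the main uplink (eth1) only.
ZONE_DEVICES_3_UPLINKS = {"RED": ["eth1", "eth3", "eth4"]}
IPTABLES_OUTPUT_3_UPLINKS = """\
0 0 ALLOW tcp -- eth1 * 192.168.58.133 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth1 * 192.168.58.132 0.0.0.0/0 tcp dpt:12345
"""

IPTABLES_LINE_RE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<target>\S+)\s+(?P<proto>\S+)\s+\S+\s+"
    r"(?P<in_dev>\S+)\s+(?P<out_dev>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)"
    r"(?:\s+\S+\s+dpt:(?P<port>\d+))?"
)


def parse_rule(line):
    """Split one system access rule line into the fields this audit needs."""
    fields = line.split(",")
    return {
        "proto": fields[0],
        "src_ips": [ip for ip in fields[1].split("&") if ip],
        "port": fields[2],
        "enabled": fields[3] == "on",
        "src_zone": fields[5],
        "chain": fields[7],
        "target": fields[8],
    }


def expected_rules(rule, zone_devices):
    """Expected result of a correct expansion: one rule per (device, IP)."""
    if not rule["enabled"]:
        return set()
    devices = zone_devices.get(rule["src_zone"], [])
    return {
        (dev, ip, rule["proto"], rule["port"])
        for dev, ip in itertools.product(devices, rule["src_ips"])
    }


def parse_iptables(text):
    """Count how often each (in_dev, src, proto, dport) rule appears."""
    seen = Counter()
    for line in text.splitlines():
        m = IPTABLES_LINE_RE.match(line)
        if m:
            seen[(m["in_dev"], m["src"], m["proto"], m["port"])] += 1
    return seen


def audit(rule_line, zone_devices, iptables_text):
    """Return (duplicated, missing) rule keys, each as a sorted list."""
    expected = expected_rules(parse_rule(rule_line), zone_devices)
    seen = parse_iptables(iptables_text)
    duplicated = sorted(key for key, count in seen.items() if count > 1)
    missing = sorted(expected - set(seen))
    return duplicated, missing


if __name__ == "__main__":
    for label, devices, output in (
        ("2 uplinks", ZONE_DEVICES_2_UPLINKS, IPTABLES_OUTPUT_2_UPLINKS),
        ("3 uplinks", ZONE_DEVICES_3_UPLINKS, IPTABLES_OUTPUT_3_UPLINKS),
    ):
        duplicated, missing = audit(RULE_LINE, devices, output)
        print(f"{label}: {len(duplicated)} duplicated, {len(missing)} missing")
        for key in duplicated:
            print("  duplicated:", key)
        for key in missing:
            print("  missing:   ", key)
```

On the report's two-uplink output the audit finds all four (device, IP) pairs present but each emitted twice; on the constructed three-uplink output it finds no duplicates but reports the four pairs for eth3 and eth4 as missing, which is the exposure a defender cares about, since a source the rule was meant to allow is silently dropped on the other uplinks.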