
0003395: Cannot access from BLUE to GREEN - MantisBT
ID: 0003395
Project: Endian Firewall
Category: Firewall (iptables)
View Status: public
Date Submitted: 2010-12-17 21:58
Last Update: 2011-09-14 06:03
Reporter: sami
Assigned To: lorenzo-endian
Priority: normal
Severity: minor
Reproducibility: always
Status: feedback
Resolution: open
Product Version: 2.4

Summary: 0003395: Cannot access from BLUE to GREEN
Description:
Created an "Inter-Zone traffic" rule with BLUE GREEN <any>, but I cannot access from BLUE to GREEN.
I also cannot access when "Inter-Zone traffic" is disabled.
Access from GREEN to BLUE works fine.
Tags: No tags attached.
Relationships: has duplicate 0003734 (feedback, lorenzo-endian): Cannot access BLUE Zone from GREEN Zone
Attached Files:
- inter-zone_traffic.png (46,651 bytes), 2010-12-17 21:58: https://bugs.endian.com/file_download.php?file_id=585&type=bug
- endian_interzone_port-protocol.png (50,512 bytes), 2011-01-11 09:21: https://bugs.endian.com/file_download.php?file_id=591&type=bug
- iptables_output.txt (28,846 bytes), 2011-01-18 13:31: https://bugs.endian.com/file_download.php?file_id=593&type=bug
- interzone-blue-to-green.tiff (122,372 bytes), 2011-01-18 13:33: https://bugs.endian.com/file_download.php?file_id=594&type=bug
- icmp_endian.png (5,322 bytes), 2011-01-25 03:30: https://bugs.endian.com/file_download.php?file_id=596&type=bug
- output_iptables.txt (37,974 bytes), 2011-01-27 22:40: https://bugs.endian.com/file_download.php?file_id=597&type=bug
Issue History
2010-12-17 21:58  sami  New Issue
2010-12-17 21:58  sami  File Added: inter-zone_traffic.png
2010-12-17 22:03  lorenzo-endian  Note Added: 0005392
2010-12-17 22:03  lorenzo-endian  Assigned To => lorenzo-endian
2010-12-17 22:03  lorenzo-endian  Status: new => feedback
2010-12-17 22:30  sami  Note Added: 0005393
2010-12-19 20:23  sami  Note Added: 0005394
2010-12-19 20:23  sami  Note Edited: 0005394
2010-12-19 20:23  sami  Note Edited: 0005393
2010-12-19 20:24  sami  Note Deleted: 0005394
2011-01-10 15:10  lorenzo-endian  Note Added: 0005460
2011-01-10 15:53  sami  Note Added: 0005461
2011-01-10 16:10  lorenzo-endian  Note Added: 0005462
2011-01-10 17:48  lorenzo-endian  Note Added: 0005463
2011-01-11 09:21  sami  Note Added: 0005464
2011-01-11 09:21  sami  File Added: endian_interzone_port-protocol.png
2011-01-11 18:54  sami  Note Edited: 0005464
2011-01-17 18:02  lorenzo-endian  Note Added: 0005490
2011-01-17 18:48  sami  Note Added: 0005491
2011-01-18 13:31  lorenzo-endian  File Added: iptables_output.txt
2011-01-18 13:33  lorenzo-endian  File Added: interzone-blue-to-green.tiff
2011-01-18 13:36  lorenzo-endian  Note Added: 0005495
2011-01-19 09:34  sami  Note Added: 0005506
2011-01-19 09:35  sami  Note Edited: 0005506
2011-01-20 17:11  sami  Note Added: 0005516
2011-01-24 09:42  lorenzo-endian  Note Added: 0005522
2011-01-25 03:30  sami  Note Added: 0005524
2011-01-25 03:30  sami  File Added: icmp_endian.png
2011-01-25 03:36  sami  Note Edited: 0005524
2011-01-27 08:53  lorenzo-endian  Note Added: 0005533
2011-01-27 22:40  sami  File Added: output_iptables.txt
2011-01-27 22:43  sami  Note Added: 0005545
2011-06-01 16:17  lorenzo-endian  Relationship added: has duplicate 0003734
2011-09-14 06:03  Sheldmandu  Note Added: 0007403

Notes
(0005392) lorenzo-endian, 2010-12-17 22:03
Hi sami,

I think that this does not make too much sense. The BLUE network is used for creating a "Guests" network which does not allow access to the GREEN network.

What happens if you try to move the machine(s) you need to access from the GREEN to the ORANGE network? Of course you have to recreate the rule.

Thanks in advance

Lo
(0005393) sami, 2010-12-17 22:30 (edited on: 2010-12-19 20:23)
Hi,

I want to have some smartphones (WLAN) in the BLUE network which should have access to the Asterisk server in GREEN. (I don't want a rule BLUE GREEN <any> later; that was only for testing.)

I cannot move the machine from GREEN to ORANGE, sorry.

> I think that this does not make too much sense. The BLUE network is used for
> creating a "Guests" network which does not allow the access to the GREEN
> network.

That's a good thing for security, but then the GUI should not allow
creating a rule like this.

The solution for this would be custom user zones like "MYZONE1" where I can
create the rules that I want.

Anyway, is it a bug that I cannot create a rule from BLUE to GREEN, or
a security feature?

Do you see another way with Endian to solve my problem?

(0005460) lorenzo-endian, 2011-01-10 15:10
Hi sami,

I have done some tests... Do you have the hotspot enabled on your BLUE interface? Is that right?

If you switch it off, just for testing purpose, can you reach the GREEN zone?

Thanks in advance!

Lo
(0005461) sami, 2011-01-10 15:53
Hi lorenzo,

Thank you for testing.
I have no hotspot; it's an Endian community version.

Maybe it's a good idea for the future to have product versions "2.4 community" and "2.4 enterprise" in the bug report?
(0005462) lorenzo-endian, 2011-01-10 16:10
Hi sami,

You are right, but it cannot be done now! I hope we can do it in the near future :)

For your problem, it is really strange... By the way, all the tests I have done are with the enterprise edition. Let me try with the community edition!

I will keep you updated :-)

Have a nice day!

Lo
(0005463) lorenzo-endian, 2011-01-10 17:48
Hi sami,

Trying to reproduce the test, I get a strange behavior while setting up a rule ANY-ANY from BLUE to GREEN.

Can you try to set up a rule specifying the protocol and the ports?

Thanks in advance!

Lo
(0005464) sami, 2011-01-11 09:21 (edited on: 2011-01-11 18:54)
Hi lorenzo,

It doesn't work with protocol and port (endian_interzone_port-protocol.png).

(0005490) lorenzo-endian, 2011-01-17 18:02
Hi sami,

Is your system up to date?

Thanks a lot

Lo
(0005491) sami, 2011-01-17 18:48
Hi lorenzo,

Yes, it's up to date:

No interesting upgrades available.
/etc/upgrade/upgrade.d/migration:
---
Found: 0
OK: 0
(0005495) lorenzo-endian, 2011-01-18 13:36
Hi sami,

I am still unable to reproduce your problem. Attached you can find the screenshot with the inter-zone firewall rule and the output of the command

iptables --list --verbose

on my system. Please double-check that you don't have any other rule which prevents you from reaching your system on the GREEN network from the BLUE network.

Let me know if you are able to solve the problem!

Thanks in advance!

Lo
(0005506) sami, 2011-01-19 09:34 (edited on: 2011-01-19 09:35)
Hi lorenzo,

I don't know what's wrong.

Here are the rules before adding the BLUE to GREEN access rule:
-->
Chain ZONEFW (4 references)
 pkts bytes target prot opt in out source destination
21614 1851K ACCEPT all -- br0 br0 anywhere anywhere
    0 0 ACCEPT all -- br0 br2 anywhere anywhere
    0 0 ACCEPT all -- br0 br1 anywhere anywhere
    0 0 ACCEPT all -- br2 br2 anywhere anywhere
    0 0 ACCEPT all -- br1 br1 anywhere anywhere

Chain ZONEFW_LOGDROP (4 references)
 pkts bytes target prot opt in out source destination
    0 0 DROP all -- any any anywhere anywhere

Chain ZONETRAFFIC (1 references)
 pkts bytes target prot opt in out source destination
21614 1851K ZONEFW all -- br0 br0 anywhere anywhere
    0 0 ZONEFW_LOGDROP all -- br0 br0 anywhere anywhere
    0 0 ZONEFW all -- br0 br2 anywhere anywhere
    0 0 ZONEFW_LOGDROP all -- br0 br2 anywhere anywhere
    0 0 ZONEFW all -- br2 br0 anywhere anywhere
    0 0 ZONEFW_LOGDROP all -- br2 br0 anywhere anywhere
    0 0 ZONEFW all -- br2 br2 anywhere anywhere
    0 0 ZONEFW_LOGDROP all -- br2 br2 anywhere anywhere
<--

And here with the BLUE to GREEN allow rule:
-->
Chain ZONEFW (4 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- br0 br0 anywhere anywhere
    0 0 ACCEPT all -- br0 br2 anywhere anywhere
    0 0 ACCEPT all -- br0 br1 anywhere anywhere
    0 0 ACCEPT all -- br2 br2 anywhere anywhere
    0 0 ACCEPT all -- br1 br1 anywhere anywhere
    0 0 ACCEPT all -- br2 br0 anywhere anywhere

Chain ZONEFW_LOGDROP (4 references)
 pkts bytes target prot opt in out source destination
    0 0 DROP all -- any any anywhere anywhere

Chain ZONETRAFFIC (1 references)
 pkts bytes target prot opt in out source destination
21675 1856K ZONEFW all -- br0 br0 anywhere anywhere
    0 0 ZONEFW_LOGDROP all -- br0 br0 anywhere anywhere
    0 0 ZONEFW all -- br0 br2 anywhere anywhere
    0 0 ZONEFW_LOGDROP all -- br0 br2 anywhere anywhere
    0 0 ZONEFW all -- br2 br0 anywhere anywhere
    0 0 ZONEFW_LOGDROP all -- br2 br0 anywhere anywhere
    0 0 ZONEFW all -- br2 br2 anywhere anywhere
    0 0 ZONEFW_LOGDROP all -- br2 br2 anywhere anywhere
<--

I will test the access again tomorrow with my notebook and give you feedback.
Thank you very much.

(0005516) sami, 2011-01-20 17:11
Hi lorenzo,

I tested it again today, but there is no way to connect to the GREEN zone.
If I disable the inter-zone firewall it's the same problem: no connection from BLUE to GREEN.
(0005522) lorenzo-endian, 2011-01-24 09:42
Hi sami,

This is really strange... the iptables rule is added, as you can see...

Are you sure that the traffic is not blocked somewhere else? E.g. by a local firewall on the host in the GREEN network?

Try the following:
- put a machine in BLUE and a Linux machine in GREEN
- start a ping (which never ends; if you are using Windows, just use the -t option) from BLUE to GREEN
- connect to the EFW console and use tcpdump on br2 to check that the traffic arrives on that interface, and after that on br0 to check that the traffic leaves the EFW from that interface (the commands are "tcpdump -i br2 icmp" and "tcpdump -i br0 icmp")
- connect to the Linux machine in the GREEN network, check that no firewall is enabled on the host and execute "tcpdump -i eth0 icmp" (I suppose this machine has only one network interface; if that is not the case, change eth0 accordingly)

Do you see ICMP traffic leaving the machine from the br0 interface?

Moreover, can you post the output of the command "ip route"?

Thanks in advance

Lo
(0005524) sami, 2011-01-25 03:30 (edited on: 2011-01-25 03:36)
Hi lorenzo,

I can see the ping from the client in the BLUE zone on the Endian br2:

listening on br2, link-type EN10MB (Ethernet), capture size 96 bytes
04:22:24.576783 IP 192.168.78.245 > xx.xxx.xxx: icmp 64: echo request seq 179
^C
1 packets captured
1 packets received by filter
0 packets dropped by kernel


But the ping doesn't pass through the Endian br0:

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

ICMP is allowed in all zones.

route -n on the Endian:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
xxx.xxx.xxx.110 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
xxx.xxx.xxx.27 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1
192.168.1.0 10.23.254.201 255.255.255.0 UG 0 0 0 br0
1.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
1.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
192.168.78.0 0.0.0.0 255.255.255.0 U 0 0 0 br2
10.23.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
0.0.0.0 xxx.xxx.xxx.110 0.0.0.0 UG 0 0 0 ppp0

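The counters in the ZONEFW/ZONETRAFFIC chains (note 0005506) and the routing table (note 0005524) can be checked mechanically. This added example is not code from the thread or from Endian: it parses a constructed excerpt of the posted "iptables --list --verbose" and "route -n" output, resolves the egress interface for a GREEN destination, and reports whether a ZONEFW ACCEPT rule exists for that interface pair and whether any packet actually reached the ZONETRAFFIC dispatch rule. It assumes Python 3.8+, and the masked default gateway is replaced by the documentation address 203.0.113.1.

```python
import ipaddress
# Constructed excerpt of the thread's "iptables --list --verbose" output (rule added).
IPTABLES_OUT = """\
Chain ZONEFW (4 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- br0 br0 anywhere anywhere
    0 0 ACCEPT all -- br2 br0 anywhere anywhere
Chain ZONETRAFFIC (1 references)
 pkts bytes target prot opt in out source destination
21675 1856K ZONEFW all -- br0 br0 anywhere anywhere
    0 0 ZONEFW all -- br2 br0 anywhere anywhere
"""
# Constructed excerpt of the thread's "route -n" table; 203.0.113.1 stands in for the masked gateway.
ROUTE_OUT = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.78.0 0.0.0.0 255.255.255.0 U 0 0 0 br2
10.23.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0
0.0.0.0 203.0.113.1 0.0.0.0 UG 0 0 0 ppp0
"""

def parse_chains(text):
    # Map chain name -> list of (pkts, target, in_if, out_if); skips blanks and headers.
    chains, cur = {}, None
    for f in (line.split() for line in text.splitlines()):
        if f and f[0] == "Chain":
            chains[(cur := f[1])] = []
        elif f and f[0] != "pkts":
            chains[cur].append((int(f[0]), f[2], f[5], f[6]))
    return chains

def egress_iface(route_text, dst_ip):
    # Longest-prefix match over the route -n table; returns the Iface column.
    addr, best = ipaddress.IPv4Address(dst_ip), (-1, None)
    for line in route_text.splitlines()[1:]:
        dest, _gw, mask, _f, _m, _r, _u, iface = line.split()
        net = ipaddress.IPv4Network(f"{dest}/{mask}")
        if addr in net and net.prefixlen > best[0]:
            best = (net.prefixlen, iface)
    return best[1]

def diagnose(ipt_text, route_text, in_if, dst_ip):
    # Verdict for traffic entering on in_if bound for dst_ip: 'no-rule', 'rule-unhit' or 'ok'.
    out_if, chains = egress_iface(route_text, dst_ip), parse_chains(ipt_text)
    match = lambda r, tgt: r[1] == tgt and r[2] == in_if and r[3] == out_if
    if not any(match(r, "ACCEPT") for r in chains.get("ZONEFW", [])):
        return out_if, "no-rule"     # the GUI rule never reached iptables
    hits = [r[0] for r in chains.get("ZONETRAFFIC", []) if match(r, "ZONEFW")]
    if not hits or hits[0] == 0:
        return out_if, "rule-unhit"  # rule exists but no packet ever reached it
    return out_if, "ok"
```

For BLUE (br2) to a GREEN host the verdict is 'rule-unhit', which agrees with the tcpdump result above: packets arrive on br2 but never reach the inter-zone chain, so whatever stops them sits earlier in the packet path than ZONETRAFFIC.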
(0005533) lorenzo-endian, 2011-01-27 08:53
Hi sami,

I am still not able to understand the source of the problem.

Could you please post the output of "iptables --list --verbose"?

Please hide all the sensitive data as you already did the last time :-)

Thanks in advance!

Lo
(0005545) sami, 2011-01-27 22:43
Hi lorenzo,

Here is the output of "iptables --list --verbose":
output_iptables.txt
(0007403) Sheldmandu, 2011-09-14 06:03
Hi, is there any progress on this? The issue still persists. It's marked as Feedback but it's in fact an issue!