|View Issue Details|
|ID|Project|Category|View Status|Date Submitted|Last Update|
|0001992|Endian Firewall|Firewall (iptables)|public|2009-07-09 19:01|2009-10-27 11:59|
|Target Version|2.3|Fixed in Version|2.3|
|Summary|0001992: in some circumstances zone firewall will block vpn traffic|
- 2 interfaces in green
- openvpn server running (bridged to green)
- zone firewall allow rule from interface 1 (green) to interface 2 (green)
if you make a zone firewall entry which allows from interface 1 to interface 2
all traffic to the bridged openvpn device will be blocked as long as you don't allow in zone firewall the access to subnets behind the vpn.
this happens because the ZONEFW mangle rules mark all packets coming from interface 2 (in green) (which covers also vpn traffic).
traffic to vpn IPs (green openvpn dynamic pool) or networks behind vpn endpoints will then not be allowed, because the ebtables rule allows only marked packets which go out on interface 2.
it's necessary to exclude every vpn subnet/ips from the ZONEFW mangling, just the same as VPNFWDST in VPNTRAFFIC filter table.
that's working then
it's not completely fixed.
while VPNFWDST does not need to check also traffic from GREEN to GREEN, since we have already a VPNTRAFFIC rule which passed traffic from GREEN to OPENVPN to VPNFW and from OPENVPN to GREEN also. it's ok there to have no VPNFWDST rule from GREEN to GREEN.
BUT.. within the mangle table, there's a necessity for it. Otherwise VPN traffic from GREEN to OPENVPN (which is in mangle-table'ish from br0 to br0) would be marked as ZONE traffic, since within the mangle table there's nothing which would stop processing further rules (ACCEPT) for vpn traffic.
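The interaction described in the report and the note above, as an added model written for this page. It is not Endian's code and does not reproduce their generated rules: the bridge port names, the OpenVPN tap device, the VPN subnets, the ZONE_MARK value, the physdev match in the illustrative rule lines and the "unmarked frames fall through to the VPN chains" default are all assumptions. It shows why a zone rule "interface 1 -> interface 2" blocks frames to the VPN pool and to networks behind VPN endpoints once the mangle table marks them, and why a RETURN for VPN destinations has to sit before the MARK target.

```python
"""Constructed model of the zone-firewall MARK / ebtables interaction.

Not Endian's code or rules: interface names, VPN subnets, the ZONE_MARK
value and the default for unmarked frames are assumptions for this model.
"""
import ipaddress

ZONE_MARK = 0x10                        # assumed mark meaning "zone rule matched"
GREEN_IF1, GREEN_IF2 = "eth1", "eth2"   # assumed: the two green bridge ports
VPN_IF = "tap0"                         # assumed: bridged OpenVPN device
VPN_NETS = [                            # assumed: dynamic pool + a net behind a VPN endpoint
    ipaddress.ip_network("10.8.0.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]


class Frame:
    """A bridged frame: ingress port, egress port, IP destination and the
    firewall mark the mangle table may set on it."""

    def __init__(self, in_port, out_port, dst):
        self.in_port = in_port
        self.out_port = out_port
        self.dst = ipaddress.ip_address(dst)
        self.mark = 0


def is_vpn_destination(dst):
    return any(dst in net for net in VPN_NETS)


def zonefw_mangle(frame, exclude_vpn):
    """Model of the ZONEFW mangle chain for one zone rule 'interface 1 -> interface 2'.

    The rule is implemented by marking everything that enters on interface 1.
    With exclude_vpn=True a RETURN for VPN destinations sits *before* the MARK:
    nothing else in the mangle table stops rule processing for VPN traffic,
    so the exclusion has to come first.
    """
    if exclude_vpn and is_vpn_destination(frame.dst):
        return                      # RETURN: VPN traffic is not zone traffic
    if frame.in_port == GREEN_IF1:
        frame.mark = ZONE_MARK      # MARK: zone traffic coming from interface 1


def ebtables_forward(frame):
    """Model of the bridge filter: a marked frame may only leave on the port the
    zone rule permits (interface 2). Unmarked frames are assumed to fall through
    to the VPN chains (VPNTRAFFIC/VPNFW in the report), modelled as ACCEPT."""
    if frame.mark == ZONE_MARK:
        return frame.out_port == GREEN_IF2
    return True


def forward(frame, exclude_vpn):
    """Run one frame through the modelled mangle chain, then the bridge filter."""
    zonefw_mangle(frame, exclude_vpn)
    return ebtables_forward(frame)


def scenario(exclude_vpn):
    """Three frames from a host on interface 1: to interface 2, to a VPN pool
    address, and to a network behind a VPN endpoint. Returns name -> accepted."""
    cases = {
        "green1_to_green2": Frame(GREEN_IF1, GREEN_IF2, "192.168.0.20"),
        "green1_to_vpn_pool": Frame(GREEN_IF1, VPN_IF, "10.8.0.5"),
        "green1_to_behind_vpn": Frame(GREEN_IF1, VPN_IF, "192.168.50.7"),
    }
    return {name: forward(f, exclude_vpn) for name, f in cases.items()}


def mangle_rules(exclude_vpn):
    """Illustrative iptables rule order for the modelled ZONEFW chain (assumed
    layout with a physdev match on the bridge port; not Endian's rules)."""
    rules = []
    if exclude_vpn:
        rules += [f"-t mangle -A ZONEFW -d {net} -j RETURN" for net in VPN_NETS]
    rules.append(
        f"-t mangle -A ZONEFW -m physdev --physdev-in {GREEN_IF1} "
        f"-j MARK --set-mark {ZONE_MARK:#x}"
    )
    return rules


if __name__ == "__main__":
    for fixed in (False, True):
        print("exclude_vpn =", fixed, "->", scenario(fixed))
        for rule in mangle_rules(fixed):
            print("   ", rule)
```

Without the exclusion, the frame to the VPN pool and the frame to the network behind the endpoint are both marked on ingress and then refused by the bridge filter because they leave on the tap device rather than interface 2; with the RETURN in front of the MARK they stay unmarked and reach the VPN chains, while the interface 1 to interface 2 frame is still marked and permitted.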
|2009-07-09 19:01|peter-endian|New Issue|
|2009-07-09 19:01|peter-endian|Assigned To|=> peter-endian|
|2009-07-09 21:47|peter-endian|Status|new => resolved|
|2009-07-09 21:47|peter-endian|Fixed in Version|=> 2.3|
|2009-07-09 21:47|peter-endian|Resolution|open => fixed|
|2009-07-21 15:22|luca-endian|Relationship added|related to 0002025|
|2009-08-20 11:10|peter-endian|Tag Attached: needsfix|
|2009-08-20 13:58|peter-endian|Note Added: 0002879|
|2009-08-20 13:58|peter-endian|Status|resolved => assigned|
|2009-08-20 14:02|peter-endian|Status|assigned => resolved|
|2009-10-27 11:59|peter-endian|Status|resolved => closed|