
0001992: in some circumstances zone firewall will block vpn traffic - MantisBT Endian Bugtracker
Endian Issue Tracker

ID: 0001992
Project: Endian Firewall
Category: Firewall (iptables)
View Status: public
Date Submitted: 2009-07-09 19:01
Last Update: 2009-10-27 11:59
Assigned To: peter-endian
Platform / OS / OS Version:
Product Version:
Target Version: 2.3
Fixed in Version: 2.3
Summary: 0001992: in some circumstances zone firewall will block vpn traffic
- 2 interfaces in green
- openvpn server running (bridged to green)
- zone firewall allow rule from interface 1 (green) to interface 2 (green)

if you make a zone firewall entry which allows from interface 1 to interface 2,
all traffic to the bridged openvpn device will be blocked as long as you don't allow in the zone firewall the access to the subnets behind the vpn.

this happens because the ZONEFW mangle rules mark all packets coming from interface 2 (in green) (which covers also vpn traffic).

traffic to vpn IPs (green openvpn dynamic pool) or networks behind vpn endpoints will then not be allowed, because the ebtables rule allows only marked packets which go out on interface 2.

it's necessary to exclude every vpn subnet/IP from the ZONEFW mangling, just the same as VPNFWDST in the VPNTRAFFIC filter table.

that's working then
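The rule ordering the report asks for, as an added illustration that is not Endian's own code: VPN destinations leave the ZONEFW mangle chain unmarked (RETURN) before the MARK rule is reached, so zone-firewall marking never covers traffic bound for the OpenVPN pool or for networks behind VPN endpoints. The chain name ZONEFW comes from the report; the interface name, the subnets, the mark value and the dry-run wrapper are assumptions, and `-m physdev` is used because the ports in question are members of a bridge.

```shell
#!/bin/sh
# Added example, not Endian's code. Default is a dry run that only echoes the
# commands; export IPT=iptables to apply them on a host with the ZONEFW chain.
IPT="${IPT:-echo iptables}"

# Constructed sample values: the green OpenVPN dynamic pool and one network
# reachable behind a remote VPN endpoint. Neither may receive the zone mark.
VPN_NETS="10.8.0.0/24 192.168.50.0/24"

# Emit the ZONEFW mangle rules for traffic entering on one bridge port.
# $1 = bridge port (e.g. eth1), $2 = fwmark used for that zone-firewall rule
zonefw_mangle_rules() {
    src_if="$1"; mark="$2"
    # Exclusions first: VPN-bound packets return from the chain unmarked.
    for net in $VPN_NETS; do
        $IPT -t mangle -A ZONEFW -m physdev --physdev-in "$src_if" \
            -d "$net" -j RETURN
    done
    # Only then mark the remaining inter-interface zone traffic.
    $IPT -t mangle -A ZONEFW -m physdev --physdev-in "$src_if" \
        -j MARK --set-mark "$mark"
}

# Sanity check on ordering: the first emitted rule must be a RETURN for a VPN
# net and the last one the MARK rule; anything else recreates the reported bug.
zonefw_order_ok() {
    rules=$(zonefw_mangle_rules "$1" "$2")
    printf '%s\n' "$rules" | head -n 1 | grep -q -- '-j RETURN' || return 1
    printf '%s\n' "$rules" | tail -n 1 | grep -q -- '-j MARK' || return 1
    return 0
}

zonefw_mangle_rules eth1 0x10
```

Running the script as-is prints three rule commands (two RETURN, one MARK) without touching the kernel; the same ordering check can be applied to a dumped chain with `iptables -t mangle -S ZONEFW`.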
Attached Files

- Relationships
related to 0002025 (closed, peter-endian): VPNFWDST rules are not removed if openvpn is disabled

-  Notes
peter-endian (administrator)
2009-08-20 13:58

it's not completely fixed.
while VPNFWDST does not need to check also traffic from GREEN to GREEN, since we have already a VPNTRAFFIC rule which passes traffic from GREEN to OPENVPN to VPNFW and from OPENVPN to GREEN also.. it's ok there to have no VPNFWDST rule from GREEN to GREEN.

BUT.. within the mangle table, there's a necessity for it. Otherwise VPN traffic from GREEN to OPENVPN (which is in mangle-table'ish from br0 to br0) would be marked as ZONE traffic, since within the mangle table there's nothing which would stop further rules (ACCEPT) from being processed for vpn traffic.

- Issue History
Date Modified Username Field Change
2009-07-09 19:01 peter-endian New Issue
2009-07-09 19:01 peter-endian Assigned To => peter-endian
2009-07-09 21:47 peter-endian Status new => resolved
2009-07-09 21:47 peter-endian Fixed in Version => 2.3
2009-07-09 21:47 peter-endian Resolution open => fixed
2009-07-21 15:22 luca-endian Relationship added related to 0002025
2009-08-20 11:10 peter-endian Tag Attached: needsfix
2009-08-20 13:58 peter-endian Note Added: 0002879
2009-08-20 13:58 peter-endian Status resolved => assigned
2009-08-20 14:02 peter-endian Status assigned => resolved
2009-10-27 11:59 peter-endian Status resolved => closed

Copyright © 2005-2008 Endian, SRL. All rights reserved.

Copyright © 2000 - 2012 MantisBT Group
Powered by Mantis Bugtracker