
0000215: can't access servers behind the orange interface from pc's on the green interface (lan) - MantisBT Endian Bugtracker
Endian Issue Tracker
ID: 0000215
Project: Endian Firewall
Category: Network related (VPN, uplinks)
View Status: public
Date Submitted: 2007-07-06 08:16
Last Update: 2007-12-31 19:15
Reporter: clubbing80s
Assigned To: peter-endian
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform / OS / OS Version: (not set)
Product Version: 2.1
Target Version: (not set)
Fixed in Version: 2.2-beta2
Summary: 0000215: can't access servers behind the orange interface from pc's on the green interface (lan)
Description:
Hi
I can't access the services on the servers in the dmz attached to the orange interface from my lan / vpn (openvpn) clients on the green interface. I have ensured that the ports are open on the green interface 25,80,110,143 etc .. I can access these same services via the red interface (internet).

Many Thanks
Gregory Machin
Tags: No tags attached.
Attached Files:
info.txt (19,292 bytes) 2007-07-17 09:09
rc.firewall (19,867 bytes) 2007-07-17 09:10
rc.firewall-19072007 (20,069 bytes) 2007-07-19 07:19

- Relationships

- Notes
(0000395)
clubbing80s (reporter)
2007-07-17 09:08

here is a clearer picture
Hi
I have tried a number of experiments and I'm not winning, but my understanding of how a dmz should work is that the pvt lan (green) should have full access to the dmz (orange) through ports that are open on the green interface/s but the dmz should not be able to access the lan unless pinholes are configured...

this is my lab config

    +---------+
    | desktop |
    +---------+
         |
         | lan (192.168.2.0/24)
         |
    +---------+   dmz (192.168.1.0/24)   +--------+
    |   efw   |--------------------------| laptop |
    +---------+                          +--------+
         |
         | pppoe (adsl dialup)
         |
      Internet


where the lan pc is connected to efw via a switch, the laptop (in the dmz) is connected to efw via cross over cable.

and the internet is connected via crossover into an adsl modem configured in bridge mode..


both the lan desktop and the dmz laptop have efw as their default gw
from efw i can ping the desktop and the laptop
from laptop i can ping efw but not desktop - which I understand as being correct
from desktop i can ping efw but not laptop - which I understand as being incorrect
neither can I access ssh on the laptop from the desktop ..- which I understand as being incorrect..


here are the routing info from efw
root@proxy:~ # route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
41.242.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br1
1.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
0.0.0.0 41.242.0.1 0.0.0.0 UG 0 0 0 ppp0

I have attached the iptables -vnL output info.txt as it won't display in most mail clients too well ..
I have also attached the efw firewall build script for those who don't know endian firewall, but are good with iptables... maybe someone has sharp eyes...

Many Thanks in advance ..
(0000403)
clubbing80s (reporter)
2007-07-19 07:24

Hi
I have added some iptables rules to the rc.firewall script
after

function iptables_orange() {
    iptables -F ORANGEINPUT
    if ! has_orange; then
        return
    fi
    if [ -z "${ORANGE_DEV}" ]; then
        return
    fi
    iptables -A ORANGEINPUT -i "${ORANGE_DEV}" -j ACCEPT
    iptables -A ACCEPT_ALL -i "${ORANGE_DEV}" -o "${ORANGE_DEV}" -j ORANGE_ORANGE

Add

    # allow anything the green zone (lan) initiates towards the orange zone (dmz)
    iptables -A FORWARD -i "${GREEN_DEV}" -o "${ORANGE_DEV}" -j ACCEPT
    # let only replies to those connections come back from orange to green
    iptables -A FORWARD -i "${ORANGE_DEV}" -o "${GREEN_DEV}" -m state --state ESTABLISHED,RELATED -j ACCEPT

end

this gives green access to the orange but not access from orange to green as per how dmz should work ..
please test and check that it does not break something else .
Gregory
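To make the effect of the two FORWARD rules in the note above concrete, here is an added simulation (not from this page, the reporter, or Endian) that walks a FORWARD chain holding exactly those rules with a minimal stand-in for conntrack; the host addresses, the br0 = green / br1 = orange mapping and the default DROP at the end of the chain are assumptions.

```python
from collections import namedtuple

# Interface names come from the route -n output in note 0000395; the mapping
# br0 = GREEN (lan) and br1 = ORANGE (dmz) is an assumption for this simulation.
GREEN_DEV, ORANGE_DEV = "br0", "br1"

Packet = namedtuple("Packet", "in_dev out_dev src sport dst dport")

# FORWARD rules in the order note 0000403 appends them: (in, out, states, verdict).
# states=None means the rule carries no '-m state' match.
RULES = [
    (GREEN_DEV, ORANGE_DEV, None, "ACCEPT"),
    (ORANGE_DEV, GREEN_DEV, {"ESTABLISHED", "RELATED"}, "ACCEPT"),
]
DEFAULT_POLICY = "DROP"  # assumed: nothing later in the chain accepts the packet


def conn_state(p, flows):
    """Stand-in for the kernel conntrack lookup behind '-m state'."""
    fwd = (p.src, p.sport, p.dst, p.dport)
    rev = (p.dst, p.dport, p.src, p.sport)
    return "ESTABLISHED" if fwd in flows or rev in flows else "NEW"


def forward(p, flows):
    """Walk the FORWARD chain for one packet; returns the verdict and updates flows."""
    st = conn_state(p, flows)
    for in_dev, out_dev, states, verdict in RULES:
        if p.in_dev == in_dev and p.out_dev == out_dev and (states is None or st in states):
            if verdict == "ACCEPT":
                flows.add((p.src, p.sport, p.dst, p.dport))  # accepted traffic creates the entry
            return verdict
    return DEFAULT_POLICY


def run_scenario():
    """Replay the lab of note 0000395 with constructed hosts: desktop 192.168.2.10 (green),
    laptop 192.168.1.20 (orange). Returns the verdicts for three packets."""
    flows = set()
    ssh_from_lan = Packet(GREEN_DEV, ORANGE_DEV, "192.168.2.10", 40000, "192.168.1.20", 22)
    ssh_reply = Packet(ORANGE_DEV, GREEN_DEV, "192.168.1.20", 22, "192.168.2.10", 40000)
    ssh_from_dmz = Packet(ORANGE_DEV, GREEN_DEV, "192.168.1.20", 50000, "192.168.2.10", 22)
    return [forward(ssh_from_lan, flows), forward(ssh_reply, flows), forward(ssh_from_dmz, flows)]


if __name__ == "__main__":
    print(run_scenario())  # ['ACCEPT', 'ACCEPT', 'DROP']
```

The third verdict is the one that matters for the dmz model the reporter describes: a connection the laptop opens towards the lan never matches the state rule and falls through to DROP.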
(0000554)
peter-endian (administrator)
2007-10-27 18:54

Please try with version 2.2, which has an extended zone firewall replacing dmzholes

- Issue History
Date Modified Username Field Change
2007-07-06 08:16 clubbing80s New Issue
2007-07-17 09:08 clubbing80s Note Added: 0000395
2007-07-17 09:09 clubbing80s File Added: info.txt
2007-07-17 09:10 clubbing80s File Added: rc.firewall
2007-07-19 07:19 clubbing80s File Added: rc.firewall-19072007
2007-07-19 07:24 clubbing80s Note Added: 0000403
2007-09-07 16:02 raphael-endian Status new => assigned
2007-09-07 16:02 raphael-endian Assigned To => peter-endian
2007-10-27 18:54 peter-endian Status assigned => resolved
2007-10-27 18:54 peter-endian Fixed in Version => 2.2
2007-10-27 18:54 peter-endian Resolution open => fixed
2007-10-27 18:54 peter-endian Note Added: 0000554
2007-12-31 19:15 raphael-endian Fixed in Version 2.2-beta1 => 2.2-beta2
2007-12-31 19:15 raphael-endian Status resolved => closed

Copyright © 2005-2008 Endian, SRL. All rights reserved.