
0002165: duplicated or incomplete system access rules - MantisBT Endian Bugtracker
Endian Issue Tracker
View Issue Details

ID: 0002165
Project: Endian Firewall
Category: Firewall (iptables)
View Status: public
Date Submitted: 2009-09-16 08:19
Last Update: 2009-10-27 11:59
Reporter: luca-endian
Assigned To: peter-endian
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2.2
Target Version:
Fixed in Version: 2.3
Summary: 0002165: duplicated or incomplete system access rules

Description:
It seems that system access rules have problems when more IPs are specified. I've discovered this strange behaviour:

This is the rule which allows from two ips:
tcp,192.168.58.133&192.168.58.132,12345,on,,RED,,INPUTFW,ACCEPT,,test

And these are the created iptables rules:
root@cartman:/var/efw/xtaccess # iptables -nvvL INPUTFW | grep 12345
0 0 ALLOW tcp -- eth3 * 192.168.58.133 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth3 * 192.168.58.133 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth3 * 192.168.58.132 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth3 * 192.168.58.132 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth1 * 192.168.58.133 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth1 * 192.168.58.133 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth1 * 192.168.58.132 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth1 * 192.168.58.132 0.0.0.0/0 tcp dpt:12345

This firewall has 2 uplinks; can this partly explain the redundant rules?

I have also been informed that with 3 uplinks + 1 on hold, a rule which has source interface RED allows access from the main uplink only.
(See the attachment for more detail about this problem.)

These two strange behaviours can be related. Probably there's something wrong in the cycle statement which iterates and creates the rules (this is my guess).

I don't know if this problem is restricted to the system access firewall; if not, it would be a major problem.

Tags: purple
Attached Files: sys-access-problem (3,721 bytes) 2009-09-16 08:19

- Relationships

- Notes
(0002961)
peter-endian (administrator)
2009-09-16 14:27

Happens always when there's both an IP and an interface selected as source.

The explosion code explodes both src_ip and src_dev, but there should be a possibility to bind an IP address to an interface, where the explode then will not produce every combination.
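As an added example (not part of this report or of Endian's own code), the following check parses a chain listing in the shape quoted in the description, counts redundant copies of the same match, and compares the observed set against what the rule line should produce for every (uplink interface, source IP) pair; it covers both the duplication reported above and the "main uplink only" case, where expected rules are missing. The RED-to-interface mapping and the sample listing are constructed from the eth3/eth1 lines in the report.

```python
from collections import Counter

# Constructed sample shaped like the `iptables -nvvL INPUTFW | grep 12345` output
# quoted in the report (pkts bytes target prot opt in out source destination extra),
# one rule per line.
SAMPLE_OUTPUT = """\
0 0 ALLOW tcp -- eth3 * 192.168.58.133 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth3 * 192.168.58.133 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth3 * 192.168.58.132 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth3 * 192.168.58.132 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth1 * 192.168.58.133 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth1 * 192.168.58.133 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth1 * 192.168.58.132 0.0.0.0/0 tcp dpt:12345
0 0 ALLOW tcp -- eth1 * 192.168.58.132 0.0.0.0/0 tcp dpt:12345
"""
# The system access rule line from the report, and an assumed zone-to-uplink map
# (the report's output shows the RED rules on eth3 and eth1).
RULE_LINE = "tcp,192.168.58.133&192.168.58.132,12345,on,,RED,,INPUTFW,ACCEPT,,test"
ZONE_IFACES = {"RED": ["eth3", "eth1"]}

def parse_counter_line(line):
    """Reduce one `iptables -nvL` line to its match key (proto, in-iface, src, dport),
    dropping the packet/byte counters so that identical rules compare equal."""
    parts = line.split()
    if len(parts) < 9:
        return None
    proto, iface_in, src = parts[3], parts[5], parts[7]
    dport = next((p[4:] for p in parts[9:] if p.startswith("dpt:")), "")
    return (proto, iface_in, src, dport)

def expected_rules(rule_line, zone_ifaces):
    """Rules the line should produce: one per (uplink interface, source IP) pair.
    Field positions follow the line in the report: proto,srcs,dport,on,,zone,..."""
    f = rule_line.split(",")
    proto, srcs, dport, zone = f[0], f[1].split("&"), f[2], f[5]
    return {(proto, iface, src, dport)
            for iface in zone_ifaces.get(zone, [zone]) for src in srcs}

def audit(output, rule_line, zone_ifaces):
    """Compare the live chain with the expected set: count redundant copies (the
    duplication in the report) and list expected rules that never appeared
    (the 'main uplink only' case)."""
    observed = Counter(r for r in map(parse_counter_line, output.splitlines()) if r)
    expected = expected_rules(rule_line, zone_ifaces)
    return {
        "redundant": sum(n - 1 for n in observed.values()),
        "missing": sorted(expected - set(observed)),
        "unexpected": sorted(set(observed) - expected),
    }
```

Run against the sample, `audit` reports 4 redundant copies and no missing rules; feeding it a listing that only contains the eth3 lines reports the two eth1 rules as missing.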

- Issue History
Date Modified Username Field Change
2009-09-16 08:19 luca-endian New Issue
2009-09-16 08:19 luca-endian Assigned To => peter-endian
2009-09-16 08:19 luca-endian File Added: sys-access-problem
2009-09-16 08:19 luca-endian Tag Attached: purple
2009-09-16 14:25 peter-endian Relationship added duplicate of 0001966
2009-09-16 14:27 peter-endian Note Added: 0002961
2009-09-23 19:22 peter-endian Status new => resolved
2009-09-23 19:22 peter-endian Fixed in Version => 2.3
2009-09-23 19:22 peter-endian Resolution open => fixed
2009-10-27 11:59 peter-endian Status resolved => closed

Copyright © 2005-2008 Endian, SRL. All rights reserved.