
0000243: firewall prevents OS X clients from logging in (Kerberos or general LDAP) - MantisBT Endian Bugtracker
Endian Issue Tracker
ID: 0000243
Project: Endian Firewall
Category: Network related (VPN, uplinks)
View Status: public
Date Submitted: 2007-08-21 08:06
Last Update: 2009-10-27 12:04
Reporter: code_slave
Assigned To: peter-endian
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Platform:
OS:
OS Version:
Product Version: 2.1.2
Target Version:
Fixed in Version: 2.2-beta4
Summary: 0000243: firewall prevents OS X clients from logging in (Kerberos or general LDAP)
Description: Basically Endian will not allow a computer in the DMZ to have its own IP address exposed to the internet; rather, port forwarding and aliasing are used.
This breaks Kerberos and other authentication methods, where the boot information is taken from the server.

I.e.
I have an external address:
59.37.49.99 (abc.com)
however my server has to sit inside Endian at:
192.168.3.99 in the DMZ zone

Kerberos MUST be able to resolve forward and backward DNS, therefore I must set up an internal DNS
that maps 192.168.3.99 to (abc.com); all internal traffic must go via that DNS.
Kerberos will NOT configure to 192.168.3.99 and take input from 59.37.49.99 if the DNS points to 59.37.49.99.

When my local clients on green 192.168.2.x want to authenticate, they go to the DNS that resolves to 192.168.3.99, but traffic from green to orange is not allowed, so authentication breaks.

Either:
1. Endian MUST allow computers in the DMZ zone to have IP addresses normally in the red zone (in which case DNS/RDNS can be handled externally),
OR
2. traffic from green must be allowed to orange for the authentication, but DNS/RDNS has to be handled internally.

The alternative is to put the authentication server directly on the internet, then set DNS to point to it.
This obviously negates the purpose of the firewall.

It also means that I have to go to the complexity of setting up an internal DNS/RDNS just to botch round Endian and the way it works.

If you try to configure an Apple Xserve the way Endian insists you work, then you end up with a defective, non-functioning server, because external DNS/RDNS cannot map to 192.168 addresses.

Additional Information: here we can see
the firewall blocking the traffic from green to orange.

Aug 21 15:28:49 FORWARD br0 TCP 192.168.2.74 00:10:5a:6f:03:76 192.168.3.99
Tags: No tags attached.
Attached Files

Relationships

Notes
(0000440)
code_slave (reporter)
2007-08-21 08:21
edited on: 2007-08-21 08:22

OK, the following from an assigned note (215) fixed the login:


iptables -A FORWARD -i "${GREEN_DEV}" -o "${ORANGE_DEV}" -j ACCEPT
iptables -A FORWARD -i "${ORANGE_DEV}" -o "${GREEN_DEV}" -m state --state ESTABLISHED,RELATED -j ACCEPT

This allows ALL the traffic from green to orange. It fixes my problem, but I'm not sure what else it may break.

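Added example, not from the bug report or from Endian: a POSIX shell script that narrows the blanket green-to-orange ACCEPT in the note above to the DMZ authentication server (192.168.3.99) and the Kerberos/LDAP ports it serves, so the logins work without exposing the whole orange zone to green. The interface names (br0/br1) and the port list are assumptions; IPT defaults to echo, so by default the script only prints the rules it would install.

```shell
#!/bin/sh
# Added example, not from the bug report or Endian: restrict the blanket
# green->orange ACCEPT from note 0000440 to the DMZ authentication server
# and the Kerberos/LDAP ports it serves. Interface names and the port list
# are assumptions; IPT defaults to echo so the script only prints rules.
IPT=${IPT:-echo}                # set IPT=iptables to actually install rules
GREEN_DEV=${GREEN_DEV:-br0}     # green (LAN) interface, assumed
ORANGE_DEV=${ORANGE_DEV:-br1}   # orange (DMZ) interface, assumed
AUTH_SERVER=192.168.3.99        # the DMZ server from the report
GREEN_NET=192.168.2.0/24        # the green network from the report

# Protocol/port pairs to open: Kerberos (88) and kpasswd (464) on tcp and
# udp, LDAP (389) and LDAPS (636) on tcp only.
auth_ports() {
    printf '%s\n' 'tcp 88' 'udp 88' 'tcp 464' 'udp 464' 'tcp 389' 'tcp 636'
}

# One FORWARD rule per pair, limited to green -> AUTH_SERVER, plus one rule
# that lets replies back but never a new connection from the DMZ into green.
add_auth_rules() {
    auth_ports | while read -r proto port; do
        "$IPT" -A FORWARD -i "$GREEN_DEV" -o "$ORANGE_DEV" \
            -s "$GREEN_NET" -d "$AUTH_SERVER" -p "$proto" --dport "$port" \
            -m state --state NEW,ESTABLISHED -j ACCEPT
    done
    "$IPT" -A FORWARD -i "$ORANGE_DEV" -o "$GREEN_DEV" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Number of rules the script would install (always computed in dry-run mode).
count_rules() {
    ( IPT=echo; add_auth_rules ) | grep -c -- '-A FORWARD'
}

add_auth_rules
```

Compare the printed rules against the blocked-packet log line in the report (192.168.2.74 to 192.168.3.99 on br0): only that server and those ports become reachable from green, and anything else the DMZ host runs stays blocked.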
(0000561)
peter-endian (administrator)
2007-10-27 19:12

The zone firewall, which was introduced with version 2.2, now allows creating such rules.
(0000715)
code_slave (reporter)
2007-12-31 22:19

The zone firewall does not work in 2.2 beta; it will not accept rules.

Issue History
Date Modified Username Field Change
2007-08-21 08:06 code_slave New Issue
2007-08-21 08:21 code_slave Note Added: 0000440
2007-08-21 08:22 code_slave Note Edited: 0000440
2007-10-27 19:12 peter-endian Status new => resolved
2007-10-27 19:12 peter-endian Fixed in Version => 2.2
2007-10-27 19:12 peter-endian Resolution open => fixed
2007-10-27 19:12 peter-endian Assigned To => peter-endian
2007-10-27 19:12 peter-endian Note Added: 0000561
2007-12-31 19:15 raphael-endian Fixed in Version 2.2-beta1 => 2.2-beta2
2007-12-31 19:15 raphael-endian Status resolved => closed
2007-12-31 22:19 code_slave Status closed => feedback
2007-12-31 22:19 code_slave Resolution fixed => reopened
2007-12-31 22:19 code_slave Note Added: 0000715
2008-04-24 13:44 ra-endian Status feedback => resolved
2008-04-24 13:44 ra-endian Fixed in Version 2.2-beta2 => 2.2-beta4
2008-04-24 13:44 ra-endian Resolution reopened => fixed
2009-10-27 12:04 peter-endian Status resolved => closed

Copyright © 2005-2008 Endian, SRL. All rights reserved.