
0002720: creating portforward rules with no destination port, allow access *from internal zones* to all ports on the destination machine - MantisBT Endian Bugtracker
Endian Issue Tracker





ID: 0002720
Project: Endian Firewall
Category: Firewall (iptables)
View Status: public
Date Submitted: 2010-02-24 14:01
Last Update: 2010-11-22 12:09
Reporter: ra-endian
Assigned To: peter-endian
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Target Version: 2.3.1
Fixed in Version: 2.3.1
Summary: 0002720: creating portforward rules with no destination port, allow access *from internal zones* to all ports on the destination machine
Description: if you create a portforward rule with no destination port, you can access all ports from the destination machine (from LAN)


currently:
iptables -t nat -A PORTFW -d 192.168.15.41 -j DNAT -p tcp --dport 5190:5194 --to-destination 10.1.1.1
iptables -t filter -A PORTFWACCESS -d 10.1.1.1 -p tcp -j ALLOW

should be:
iptables -t nat -A PORTFW -d 192.168.15.41 -j DNAT -p tcp --dport 5190:5194 --to-destination 10.1.1.1
iptables -t filter -A PORTFWACCESS -d 10.1.1.1 -p tcp --dport 5190:5194 -j ALLOW
Tags: No tags attached.
Attached Files:
portfw_2.png (47,320 bytes) 2010-02-24 14:01
Bildschirmfoto 2010-02-25 um 10.50.07.png (16,516 bytes) 2010-02-25 09:50
efw-firewall-2.3.65-0.endian21.noarch.rpm (372,879 bytes) 2010-02-25 11:05
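
The comparison made in the description can be automated. The following is an added example, not part of the original report or Endian's code: it pairs each DNAT rule in PORTFW with the PORTFWACCESS rules for the same host and protocol, and reports any accept rule whose --dport does not match the forwarded ports. It assumes IPv4 rules written as full iptables commands in which every option takes exactly one argument; the function names are hypothetical.

```python
import shlex

# Constructed samples, built from the rule pairs quoted in the report.
CURRENT = """\
iptables -t nat -A PORTFW -d 192.168.15.41 -j DNAT -p tcp --dport 5190:5194 --to-destination 10.1.1.1
iptables -t filter -A PORTFWACCESS -d 10.1.1.1 -p tcp -j ALLOW
"""
FIXED = """\
iptables -t nat -A PORTFW -d 192.168.15.41 -j DNAT -p tcp --dport 5190:5194 --to-destination 10.1.1.1
iptables -t filter -A PORTFWACCESS -d 10.1.1.1 -p tcp --dport 5190:5194 -j ALLOW
"""

def parse_rule(line):
    """Map option -> value for one iptables command (assumes one argument per option)."""
    tokens = shlex.split(line)[1:]  # drop the leading "iptables"
    return dict(zip(tokens[::2], tokens[1::2]))

def forwarded_ports(nat_rule):
    """Ports seen by the filter table after DNAT: the rewritten port if
    --to-destination carries one, otherwise the port range the NAT rule matched."""
    target = nat_rule["--to-destination"]
    if ":" in target:  # IPv4 "addr:port" or "addr:port-port"
        return target.split(":", 1)[1].replace("-", ":")
    return nat_rule.get("--dport")

def audit(ruleset):
    """Return (host, proto, forwarded_ports, access_dport) for every
    PORTFWACCESS rule that is wider than, or different from, its DNAT rule."""
    rules = [parse_rule(l) for l in ruleset.splitlines() if l.strip()]
    nat = [r for r in rules if r.get("-A") == "PORTFW" and r.get("-j") == "DNAT"]
    access = [r for r in rules if r.get("-A") == "PORTFWACCESS"]
    findings = []
    for n in nat:
        host = n["--to-destination"].split(":", 1)[0]
        ports = forwarded_ports(n)
        for a in access:
            if a.get("-d") != host or a.get("-p") != n.get("-p"):
                continue  # different target host or protocol
            # A missing --dport (None) means the rule accepts every port.
            if ports and a.get("--dport") != ports:
                findings.append((host, a.get("-p"), ports, a.get("--dport")))
    return findings

if __name__ == "__main__":
    for name, ruleset in (("current", CURRENT), ("fixed", FIXED)):
        print(name, audit(ruleset))
```

A finding whose last element is None is the case from this report: the filter rule accepts every port on the forwarded host.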

Notes
(0003853)
aender (reporter)
2010-02-25 09:49

Is this fixed with the efw-firewall package from yesterday?

If not, please give us asap a new update via endian-network because this bug makes a big hole in the firewall!

We have many rules with no dport!
(0003854)
aender (reporter)
2010-02-25 09:51

See attached.
(0003858)
peter-endian (administrator)
2010-02-25 10:42

no, it hasn't. single unnotified releases right now are only about migration stuff in order to bring that stable.

this fix will be released with the next scheduled updates (in order to pass QA) as long as there's no other migration related stuff to release for this package.
(0003859)
aender (reporter)
2010-02-25 10:46

Sorry for reopening.

But is my up-to-date system and all others affected by this bug or not?
If yes, this would leave a big hole in all current installed 2.3 systems...
(0003861)
peter-endian (administrator)
2010-02-25 10:57

this bug does not open the target host for everyone, as the description may lead one to think.
It's open only internally, since you can't reach the internal IP from outside.
So ok, it's not nice, but also not as bad as it could be :)

We will release the update as soon as possible.
(0003863)
peter-endian (administrator)
2010-02-25 11:07

i attached the rpm which contains the fix.
if you want you can try it until we have the update release ready.

Issue History
Date Modified Username Field Change
2010-02-24 14:01 ra-endian New Issue
2010-02-24 14:01 ra-endian File Added: portfw_2.png
2010-02-24 14:19 peter-endian Assigned To => peter-endian
2010-02-24 14:19 peter-endian Status new => confirmed
2010-02-24 14:19 peter-endian Target Version => 2.3.1
2010-02-24 18:19 peter-endian View Status private => public
2010-02-24 19:11 peter-endian Status confirmed => resolved
2010-02-24 19:11 peter-endian Fixed in Version => 2.3.1
2010-02-24 19:11 peter-endian Resolution open => fixed
2010-02-25 09:49 aender Note Added: 0003853
2010-02-25 09:49 aender Status resolved => feedback
2010-02-25 09:49 aender Resolution fixed => reopened
2010-02-25 09:50 aender File Added: Bildschirmfoto 2010-02-25 um 10.50.07.png
2010-02-25 09:51 aender Note Added: 0003854
2010-02-25 10:42 peter-endian Note Added: 0003858
2010-02-25 10:42 peter-endian Status feedback => resolved
2010-02-25 10:42 peter-endian Resolution reopened => fixed
2010-02-25 10:46 aender Note Added: 0003859
2010-02-25 10:46 aender Status resolved => feedback
2010-02-25 10:46 aender Resolution fixed => reopened
2010-02-25 10:57 peter-endian Note Added: 0003861
2010-02-25 11:05 peter-endian File Added: efw-firewall-2.3.65-0.endian21.noarch.rpm
2010-02-25 11:07 peter-endian Note Added: 0003863
2010-02-25 11:08 peter-endian Summary creating portforward rules with no destination port, allow access to all ports on the destination machine => creating portforward rules with no destination port, allow access *from internal zones* to all ports on the destination machine
2010-03-03 15:16 ra-endian Status feedback => resolved
2010-03-03 15:16 ra-endian Resolution reopened => fixed
2010-11-22 12:09 peter-endian Status resolved => closed
