SYSTEM WARNING: 'date_default_timezone_get(): It is not safe to rely on the system's timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected the timezone 'UTC' for now, but please set date.timezone to select your timezone.' in '/usr/share/mantis/www/core.php' line 264
| Anonymous | Login | 2022-01-21 20:19 UTC |  |
| Main | My View | View Issues | Change Log | Roadmap |
| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||||
| 0003395 | Endian Firewall | Firewall (iptables) | public | 2010-12-17 21:58 | 2011-09-14 06:03 | ||||||
| Reporter | sami | ||||||||||
| Assigned To | lorenzo-endian | ||||||||||
| Priority | normal | Severity | minor | Reproducibility | always | ||||||
| Status | feedback | Resolution | open | ||||||||
| Platform | OS | OS Version | |||||||||
| Product Version | 2.4 | ||||||||||
| Target Version | Fixed in Version | ||||||||||
| Summary | 0003395: Cannot access from BLUE to GREEN | ||||||||||
| Description | Create "Inter-Zone traffic" rule with BLUE GREEN <any> but cannot access from blue to green. | ||||||||||
| Additional Information | As well I can not access when the "Inter-Zone traffic" is disabled. Access from GREEN to BLUE work fine. | ||||||||||
| Tags | No tags attached. | ||||||||||
| Attached Files |  inter-zone_traffic.png [^] (46,651 bytes) 2010-12-17 21:58
endian_interzone_port-protocol.png [^] (50,512 bytes) 2011-01-11 09:21
 iptables_output.txt [^] (28,846 bytes) 2011-01-18 13:31 [Show Content]
 interzone-blue-to-green.tiff [^] (122,372 bytes) 2011-01-18 13:33 icmp_endian.png [^] (5,322 bytes) 2011-01-25 03:30
output_iptables.txt [^] (37,974 bytes) 2011-01-27 22:40 [Show Content]
| ||||||||||
 Relationships |
||||||
|
||||||
 Relationships |
|
Notes |
|
|
(0005392) lorenzo-endian (manager) 2010-12-17 22:03 |
Hi sami, I think that this does not make too much sense. The BLUE network is used for creating a "Guests" network which does not allow the access to the GREEN network. What happen if you try to move the machine(s) you need to access from the GREEN to the ORANGE network? Of course you have to recreate the rule. Thanks in advance Lo |
|
(0005393) sami (reporter) 2010-12-17 22:30 edited on: 2010-12-19 20:23 |
Hi, I want have some smartphones (WLAN) in the BLUE network which should have access to the asterisk server in GREEN. (I dont want a rule BLUE GREEN <any> later, was only for testing). Cannot move the machine from GREEN to ORANGE, sorry. > I think that this does not make too much sense. The BLUE network is used for > creating a "Guests" network which does not allow the access to the GREEN > network. Thats a good thing for the security, but then the GUI should not allow to create a rule like this. The solution for this is own user zones like "MYZONE1" where I can create the rules that I want. Anyway, is it a bug that I can not create a rule from BLUE to GREEN or a security feature? Did you see another resolution with endian to solve my problem? |
|
(0005460) lorenzo-endian (manager) 2011-01-10 15:10 |
Hi sami, I have done some tests...Do you have the hotspot enabled on your BLUE interface, is it right? If you switch it off, just for testing purpose, can you reach the GREEN zone? Thanks in advance! Lo |
|
(0005461) sami (reporter) 2011-01-10 15:53 |
Hi lorenzo, thank you for testing. I have no hotspot, it's a endian community version. Maybe its a good idea for future to have a product version with "2.4 community" and "2.4 enterprise" in the bugreport? |
|
(0005462) lorenzo-endian (manager) 2011-01-10 16:10 |
Hi sami, you are right, but it cannot be done now! I hope we can do it in a near future :) For your problem, it is really strange...btw, all the test I have done are with the enterprise edition. Let me try with the community edition! I will keep you updated :-) Have a nice day! Lo |
|
(0005463) lorenzo-endian (manager) 2011-01-10 17:48 |
Hi sami, trying to reproduce the test I get a strange behavior while setting up a rule ANY-ANY from BLUE to GREEN. Can you try to setup a rule specifying the protocol and the ports? Thanks in advance! Lo |
|
(0005464) sami (reporter) 2011-01-11 09:21 edited on: 2011-01-11 18:54 |
Hi lorenzo, dont work with protocol and port (endian_interzone_port-protocol.png). |
|
(0005490) lorenzo-endian (manager) 2011-01-17 18:02 |
Hi sami, is your system up to date? Thanks a lot Lo |
|
(0005491) sami (reporter) 2011-01-17 18:48 |
Hi lorenzo, yes its up to date: No interesting upgrades available. /etc/upgrade/upgrade.d/migration: --- Found: 0 OK: 0 |
|
(0005495) lorenzo-endian (manager) 2011-01-18 13:36 |
Hi sami, I am still unable to reproduce your problem. Attached you can find the screenshot with the inter-zone firewall's rule and the output of the command iptables --list --verbose of my system. Please double-check that you don't have any other rule which prevents you to reach your system on the GREEN network from the BLUE network. Let me know if you are able to solve the problem! Thanks in advance! Lo |
|
(0005506) sami (reporter) 2011-01-19 09:34 edited on: 2011-01-19 09:35 |
Hi lorenzo, I dont no whats wrong. Here are the rules befor blue green access: --> Chain ZONEFW (4 references) pkts bytes target prot opt in out source destination 21614 1851K ACCEPT all -- br0 br0 anywhere anywhere 0 0 ACCEPT all -- br0 br2 anywhere anywhere 0 0 ACCEPT all -- br0 br1 anywhere anywhere 0 0 ACCEPT all -- br2 br2 anywhere anywhere 0 0 ACCEPT all -- br1 br1 anywhere anywhere Chain ZONEFW_LOGDROP (4 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- any any anywhere anywhere Chain ZONETRAFFIC (1 references) pkts bytes target prot opt in out source destination 21614 1851K ZONEFW all -- br0 br0 anywhere anywhere 0 0 ZONEFW_LOGDROP all -- br0 br0 anywhere anywhere 0 0 ZONEFW all -- br0 br2 anywhere anywhere 0 0 ZONEFW_LOGDROP all -- br0 br2 anywhere anywhere 0 0 ZONEFW all -- br2 br0 anywhere anywhere 0 0 ZONEFW_LOGDROP all -- br2 br0 anywhere anywhere 0 0 ZONEFW all -- br2 br2 anywhere anywhere 0 0 ZONEFW_LOGDROP all -- br2 br2 anywhere anywhere <-- And here with the rule blue to green allow: --> Chain ZONEFW (4 references) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- br0 br0 anywhere anywhere 0 0 ACCEPT all -- br0 br2 anywhere anywhere 0 0 ACCEPT all -- br0 br1 anywhere anywhere 0 0 ACCEPT all -- br2 br2 anywhere anywhere 0 0 ACCEPT all -- br1 br1 anywhere anywhere 0 0 ACCEPT all -- br2 br0 anywhere anywhere Chain ZONEFW_LOGDROP (4 references) pkts bytes target prot opt in out source destination 0 0 DROP all -- any any anywhere anywhere Chain ZONETRAFFIC (1 references) pkts bytes target prot opt in out source destination 21675 1856K ZONEFW all -- br0 br0 anywhere anywhere 0 0 ZONEFW_LOGDROP all -- br0 br0 anywhere anywhere 0 0 ZONEFW all -- br0 br2 anywhere anywhere 0 0 ZONEFW_LOGDROP all -- br0 br2 anywhere anywhere 0 0 ZONEFW all -- br2 br0 anywhere anywhere 0 0 ZONEFW_LOGDROP all -- br2 br0 anywhere anywhere 0 0 ZONEFW all -- br2 br2 anywhere anywhere 0 0 ZONEFW_LOGDROP all -- br2 br2 anywhere anywhere <-- I will test the access tomorrow again with my notebook and give you a feedback. Thank you very much. |
|
(0005516) sami (reporter) 2011-01-20 17:11 |
Hi lorenzo, I test it again today, but no way to connect to the green zone. If I disable the interzone firewall its the same problem, no connection from blue to green. |
|
(0005522) lorenzo-endian (manager) 2011-01-24 09:42 |
Hi sami, this is really strange...the iptables rule is added, as you can see... Are you sure that the traffic is not blocked somewhere else? eg by a local FW on the host in the green network? try to do as follows: - put a machine in the blue and a linux machine in the green - start a ping (which never ends - if you are using windows, just use the -t option) from the blue to the green - connect to the EFW console and try to use tcpdump on br2 to check if the traffic arrives on the interface and after that on the br0 to check if the traffic leaves the EFW from that interface (the commands are "tcpdump -i br2 icmp" and "tcpdump -i br0 icmp") - connect to the linux machine in the green network, check that no firewall are enabled on the host and execute "tcpdump -i eth0 icmp" (I suppose this machine has only a network interface - if it is not the case, change eth0 accordingly) Did you see if there is ICMP traffic which leaves the machine from the br0 interface? Moreover, can you post the output of the command "ip route" ? Thanks in advance Lo |
|
(0005524) sami (reporter) 2011-01-25 03:30 edited on: 2011-01-25 03:36 |
Hi lorenzo, I can see the ping of the client in the blue zone on the endian br2: listening on br2, link-type EN10MB (Ethernet), capture size 96 bytes 04:22:24.576783 IP 192.168.78.245 > xx.xxx.xxx: icmp 64: echo request seq 179 ^C 1 packets captured 1 packets received by filter 0 packets dropped by kernel But the ping dont pass through the endian br0: tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on br0, link-type EN10MB (Ethernet), capture size 96 bytes ^C 0 packets captured 0 packets received by filter 0 packets dropped by kernel ICMP is allowed in all zones. route -n of the endian: Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 0.0.0.0 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1 xxx.xxx.xxx.110 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0 xxx.xxx.xxx.27 0.0.0.0 255.255.255.255 UH 0 0 0 ppp1 192.168.1.0 10.23.254.201 255.255.255.0 UG 0 0 0 br0 1.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3 1.1.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2 192.168.78.0 0.0.0.0 255.255.255.0 U 0 0 0 br2 10.23.0.0 0.0.0.0 255.255.0.0 U 0 0 0 br0 0.0.0.0 xxx.xxx.xxx.110 0.0.0.0 UG 0 0 0 ppp0 |
|
(0005533) lorenzo-endian (manager) 2011-01-27 08:53 |
Hi sami, I am still not able to understand the source of the problem. Could you please post the output of "iptables --list --verbose"? Please hide all the sensitive data as you already did the last time :-) Thanks in advance! Lo |
|
(0005545) sami (reporter) 2011-01-27 22:43 |
Hi lorenzo, here is the output of "iptables --list --verbose": output_iptables.txt |
|
(0007403) Sheldmandu (reporter) 2011-09-14 06:03 |
Hi, is there any progress on this, the issue still persists. It's marked as Feedback but it's in fact an issue! |
|
Notes |
|
Issue History |
|||
| Date Modified | Username | Field | Change |
| 2010-12-17 21:58 | sami | New Issue | |
| 2010-12-17 21:58 | sami | File Added: inter-zone_traffic.png | |
| 2010-12-17 22:03 | lorenzo-endian | Note Added: 0005392 | |
| 2010-12-17 22:03 | lorenzo-endian | Assigned To | => lorenzo-endian |
| 2010-12-17 22:03 | lorenzo-endian | Status | new => feedback |
| 2010-12-17 22:30 | sami | Note Added: 0005393 | |
| 2010-12-19 20:23 | sami | Note Added: 0005394 | |
| 2010-12-19 20:23 | sami | Note Edited: 0005394 | |
| 2010-12-19 20:23 | sami | Note Edited: 0005393 | |
| 2010-12-19 20:24 | sami | Note Deleted: 0005394 | |
| 2011-01-10 15:10 | lorenzo-endian | Note Added: 0005460 | |
| 2011-01-10 15:53 | sami | Note Added: 0005461 | |
| 2011-01-10 16:10 | lorenzo-endian | Note Added: 0005462 | |
| 2011-01-10 17:48 | lorenzo-endian | Note Added: 0005463 | |
| 2011-01-11 09:21 | sami | Note Added: 0005464 | |
| 2011-01-11 09:21 | sami | File Added: endian_interzone_port-protocol.png | |
| 2011-01-11 18:54 | sami | Note Edited: 0005464 | |
| 2011-01-17 18:02 | lorenzo-endian | Note Added: 0005490 | |
| 2011-01-17 18:48 | sami | Note Added: 0005491 | |
| 2011-01-18 13:31 | lorenzo-endian | File Added: iptables_output.txt | |
| 2011-01-18 13:33 | lorenzo-endian | File Added: interzone-blue-to-green.tiff | |
| 2011-01-18 13:36 | lorenzo-endian | Note Added: 0005495 | |
| 2011-01-19 09:34 | sami | Note Added: 0005506 | |
| 2011-01-19 09:35 | sami | Note Edited: 0005506 | |
| 2011-01-20 17:11 | sami | Note Added: 0005516 | |
| 2011-01-24 09:42 | lorenzo-endian | Note Added: 0005522 | |
| 2011-01-25 03:30 | sami | Note Added: 0005524 | |
| 2011-01-25 03:30 | sami | File Added: icmp_endian.png | |
| 2011-01-25 03:36 | sami | Note Edited: 0005524 | |
| 2011-01-27 08:53 | lorenzo-endian | Note Added: 0005533 | |
| 2011-01-27 22:40 | sami | File Added: output_iptables.txt | |
| 2011-01-27 22:43 | sami | Note Added: 0005545 | |
| 2011-06-01 16:17 | lorenzo-endian | Relationship added | has duplicate 0003734 |
| 2011-09-14 06:03 | Sheldmandu | Note Added: 0007403 | |
|
Issue History |
| Copyright © 2000 - 2012 MantisBT Group |
 |