Bug 10223

Summary: Outgoing firewall bug with MAC addresses on Core 62
Product: IPFire Reporter: Erik Kapfer <ummeegge>
Component: firewall Assignee: Michael Tremer <michael.tremer>
Status: CLOSED FIXED QA Contact:
Severity: - Unknown -    
Priority: - Unknown - CC: erik.moons, joerg.blodau, jpever, lastdrum10, mayerthomas, skoolkidd
Version: 2   
Hardware: all   
OS: Linux   
Attachments: Outgoing firewall patch
Outgoing firewall patch #2

Description Erik Kapfer 2012-09-17 09:55:23 UTC
Hi all,
I want to report a bug from the forum where the outgoing firewall can't be configured with MAC addresses.
In here --> http://forum.ipfire.org/index.php/topic,6882.msg46347.html#msg46347 the discussion can be found.

Greetings

Erik
Comment 1 Michael Tremer 2012-09-17 20:53:01 UTC
Need a more detailed description about what is going wrong here.
Comment 2 nocheiner 2012-09-19 14:51:20 UTC
Hi there,

you can find additional information in this post: http://forum.ipfire.org/index.php/topic,6858.0.html

And I'll try to describe it here:

- The device is listed in "GUI: Firewall / Blue Access" with its MAC-address
- "GUI: Firewall / Outgoing Firewall" contains a corresponding rule like:
      all  mac  ALL:80 allow HTTP  active  Source MAC Address: 34:51:C9:31:5B:3C

This device is unable to reach a host on the internet! Error messages:
      DROP_OUTGOINGFW  blue0  TCP  192.168.2.51  62747  193.99.144.85  80

- If you allow access to port 443 for the whole blue network, you'll receive the following error message for a WORKING connection:
      DROP_OUTPUT  blue0  TCP  192.168.2.51  62753  191.189.90.19  443

These are my experiences.

Further questions? Please let me know!

Ciao for now
Joerg
Comment 3 Thomas Mayer 2012-09-20 16:11:00 UTC
Hi there,

I have the same issues:
My firewall is configured in modus 1.
I have some computers that should not be blocked by the firewall, so I put in a firewall rule by source MAC address (like: all/mac/ALL:ALL). That was working since updating to Core 62.
With a firewall rule by ip/network (like: all/ip/ALL:ALL) it is still working, but no more with the MAC rule. Even after a complete reinstall of Core 62 it didn't work out for me.

Greetings
Tom.
Comment 4 erik.moons 2012-09-20 23:44:05 UTC
(In reply to comment #1)
> Need a more detailed description about what is going wrong here.

It seems the OUTGOINGFWMAC rule RETURNs for the valid MAC and the packets get dropped in the OUTGOINGFW rule.
An example iptables -L extract:

--------------------------------------
Chain FORWARD (policy DROP)
target     prot opt source               destination         
...
OUTGOINGFWMAC  all  --  anywhere             anywhere            
OUTGOINGFW  all  --  anywhere             anywhere            
...

Chain OUTGOINGFW (2 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
RETURN     icmp --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            /* DROP_OUTGOINGFW  */ 

Chain OUTGOINGFWMAC (1 references)
target     prot opt source               destination         
RETURN     all  --  anywhere             anywhere            state RELATED,ESTABLISHED 
RETURN     icmp --  anywhere             anywhere            
LOG        tcp  --  anywhere             anywhere            MAC 00:25:64:96:B9:E9 TIME from 00:00:00 to 00:00:00 limit: avg 10/min burst 5 LOG level warning prefix `LOG_OUTGOINGFW ' 
RETURN     tcp  --  anywhere             anywhere            MAC 00:25:64:96:B9:E9 TIME from 00:00:00 to 00:00:00 
LOG        udp  --  anywhere             anywhere            MAC 00:25:64:96:B9:E9 TIME from 00:00:00 to 00:00:00 limit: avg 10/min burst 5 LOG level warning prefix `LOG_OUTGOINGFW ' 
RETURN     udp  --  anywhere             anywhere            MAC 00:25:64:96:B9:E9 TIME from 00:00:00 to 00:00:00 
----------------------------

Regards,

Erik
Comment 5 Michael Tremer 2012-09-21 14:51:37 UTC
Created attachment 71
Outgoing firewall patch

Please try the attached patch, which will create two different tables with all the rules of the outgoing firewall. But the MAC rules will only apply to the FORWARD chain, because MAC address rules cannot be applied to the OUTPUT chain (obviously).
Comment 6 Francis Daly 2012-09-22 06:34:39 UTC
I can confirm this bug.

Installed Core Update 62 a week ago. Had no problems until this morning when I added a MAC rule to Outgoing Firewall to bypass the firewall for a client PC.

As soon as I saved the new rule I started having problems with my personal PC that has a MAC based bypass rule. Any new rules or existing rules added to Outgoing Firewall using Source MAC Address option to bypass firewall did not work.

Applied the patch listed. Restarted the IPFire box.

Seems to be working fine now.

Thanks!
Comment 7 Michael Tremer 2012-09-22 09:45:51 UTC
Thanks for testing.

I am awaiting a little bit more feedback before I merge the patch.
Comment 8 nocheiner 2012-09-22 11:44:51 UTC
Hi there!

Because I haven't got a development environment yet, I wasn't able to apply the patch easily until now.
Please be a bit more patient. ;-)

Ciao for now
Joerg
Comment 9 nocheiner 2012-09-22 23:40:31 UTC
Hallo!

Test results with outgoingfw-fix1.patch in firewall mode 1:
- MAC-address based outgoing firewall rules for blue are working fine now
- interface based outgoing firewall rules for blue do not work = DROP_OUTGOINGFW
- interface based outgoing firewall rules for all do not work = DROP_OUTGOINGFW
- interface based outgoing firewall rules for green do not work = DROP_OUTGOINGFW

If you need further information (like my patched files?) please let me know.
I'm not aware of any faults, but I'm not sure. ;-) Please advise.

Ciao for now
Joerg
Comment 10 Michael Tremer 2012-09-24 13:38:52 UTC
Thanks for testing.

Could you please provide the content of those two chains?

iptables -L OUTGOINGFW -n -v
iptables -L OUTGOINGFWMAC -n -v

Thanks.
Comment 11 Francis Daly 2012-09-24 19:17:14 UTC
Also confirm interface rules not working.

Output for iptables -L OUTGOINGFW -n -v:
------------------------------------------------------
Chain OUTGOINGFW (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 2149  698K RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    9   936 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     tcp  --  *      red0    192.168.0.116        0.0.0.0/0           TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      red0    192.168.0.116        0.0.0.0/0           TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      red0    192.168.0.103        0.0.0.0/0           TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      red0    192.168.0.103        0.0.0.0/0           TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      red0    192.168.0.18         0.0.0.0/0           TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      red0    192.168.0.18         0.0.0.0/0           TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      red0    97.xxx.xxx.xx2       0.0.0.0/0           multiport dports 53 TIME from 00:00:00 to 00:00:00 
   41  2602 RETURN     udp  --  *      red0    97.xxx.xxx.xx2       0.0.0.0/0           multiport dports 53 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      red0    97.xxx.xxx.xx2       0.0.0.0/0           multiport dports 20,21,115 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      red0    97.xxx.xxx.xx2       0.0.0.0/0           multiport dports 20,21,115 TIME from 00:00:00 to 00:00:00 
   40  2400 RETURN     tcp  --  *      red0    97.xxx.xxx.xx2       0.0.0.0/0           multiport dports 80 TIME from 00:00:00 to 00:00:00 
    1    60 RETURN     tcp  --  *      red0    97.xxx.xxx.xx2       0.0.0.0/0           multiport dports 443 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      red0    97.xxx.xxx.xx2       0.0.0.0/0           multiport dports 123 TIME from 00:00:00 to 00:00:00 
    0     0 LOG        all  --  *      red0    0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `DROP_OUTGOINGFW ' 
    0     0 DROP       all  --  *      red0    0.0.0.0/0            0.0.0.0/0           /* DROP_OUTGOINGFW  */
------------------------------------------------------

Output for iptables -L OUTGOINGFWMAC -n -v:
------------------------------------------------------
Chain OUTGOINGFWMAC (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     tcp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 00:08:02:xx:xx:xx multiport dports 20,21 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 00:17:31:xx:xx:xx multiport dports 20,21 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC D4:85:64:xx:xx:xx multiport dports 20,21 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 00:08:02:xx:xx:xx multiport dports 20,21 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 00:17:31:xx:xx:xx multiport dports 20,21 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC D4:85:64:xx:xx:xx multiport dports 20,21 TIME from 00:00:00 to 00:00:00 
   10  4220 RETURN     tcp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 6C:83:36:xx:xx:xx TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 30:85:A9:xx:xx:xx TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 00:1E:65:xx:xx:xx TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 6C:83:36:xx:xx:xx TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 30:85:A9:xx:xx:xx TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 00:1E:65:xx:xx:xx TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 5C:AC:4C:xx:xx:xx TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 5C:AC:4C:xx:xx:xx TIME from 00:00:00 to 00:00:00 
  119  7140 RETURN     tcp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 00:26:9E:xx:xx:xx TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 00:26:9E:xx:xx:xx TIME from 00:00:00 to 00:00:00 
   22  5916 RETURN     tcp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 00:1D:73:xx:xx:xx TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 00:1D:73:xx:xx:xx TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 00:06:5B:xx:xx:xx TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 00:06:5B:xx:xx:xx TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 88:AE:1D:xx:xx:xx multiport dports 20,21 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 88:AE:1D:xx:xx:xx multiport dports 20,21 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 00:0E:7F:xx:xx:xx TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      red0    0.0.0.0/0            0.0.0.0/0           MAC 00:0E:7F:xx:xx:xx TIME from 00:00:00 to 00:00:00 
   44  4636 LOG        all  --  *      red0    0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `DROP_OUTGOINGFW ' 
  520 29874 DROP       all  --  *      red0    0.0.0.0/0            0.0.0.0/0           /* DROP_OUTGOINGFW  */
------------------------------------------------------

Thanks,
Francis
Comment 12 Francis Daly 2012-09-24 23:07:54 UTC
I have some interesting, hopefully helpful, information on this bug.

Don't have the budget for a test environment (I know virtualization and all that but that's not the point here). I installed Core Update 62 on my production machine. Had no problems for a week on Core Update 62. I made a change in Outgoing Firewall rules and immediately the MAC rules stopped working.

Applied the outgoing firewall patch attached to this bug report. MAC rules worked but now interface rules stopped. For example: rules to allow email ports on Green interface stopped working after the patch.

I reversed the patch to get email going for client machines and everything started working again like normal INCLUDING the MAC rules.

As soon as I make a change in Outgoing Firewall the MAC rules stop working. I reverse the patch, restart the firewall (/etc/init.d/firewall restart) and everything works again including MAC rules.

I can reproduce this 100% of the time.

Thanks,
Francis
Comment 13 Michael Tremer 2012-09-26 16:33:35 UTC
As far as I can see the OUTGOINGFW and OUTGOINGFWMAC chains are perfectly fine.

iptables -L -n -v?

---

I am quite confused what to do right now. I am getting some reports that confirm the problem has been solved with the patch. Others don't.
Comment 14 nocheiner 2012-09-28 23:02:47 UTC
Hi there!

Core62, no workaround, no patch = no access from blue to red, regardless of whether you use a MAC address in your rule or not

Core62 patch1 = access from blue to red okay, only if you use a MAC address in your rule
Core62 patch1 = no access from green to red

If you need more information, please let me know!

Ciao for now
JB

-----iptables-----
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  141 13801 BADTCP     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  141 13801 CUSTOMINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  141 13801 GUARDIAN   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  141 13801 IPTVINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  141 13801 GUIINPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  109 11359 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
   24  1770 IPSECINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
   24  1770 OPENSSLVIRTUAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* OPENSSLVIRTUAL INPUT */ 
   12   799 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0           state NEW 
    0     0 DROP       all  --  *      *       0.0.0.0/0            127.0.0.0/8         state NEW 
   12   971 ACCEPT    !icmp --  green0 *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 DHCPBLUEINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 OPENSSLPHYSICAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 WIRELESSINPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 REDINPUT   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 XTACCESS   all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `DROP_INPUT ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* DROP_INPUT */ 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  439 37772 BADTCP     all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    9   456 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
  436 36324 GUARDIAN   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  436 36324 CUSTOMFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  436 36324 IPTVFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    6   504 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  430 35820 IPSECFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  430 35820 OPENSSLVIRTUAL  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* OPENSSLVIRTUAL FORWARD */ 
  430 35820 OUTGOINGFWMAC  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 DROP       all  --  *      *       127.0.0.0/8          0.0.0.0/0           state NEW 
    0     0 DROP       all  --  *      *       0.0.0.0/0            127.0.0.0/8         state NEW 
  421 35364 ACCEPT     all  --  green0 *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 WIRELESSFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 REDFORWARD  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 PORTFWACCESS  all  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `DROP_OUTPUT ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* DROP_OUTPUT */ 

Chain OUTPUT (policy ACCEPT 84 packets, 16780 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  142 21245 CUSTOMOUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  142 21245 OUTGOINGFW  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
  142 21245 IPSECOUTPUT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain BADTCP (2 references)
 pkts bytes target     prot opt in     out     source               destination         
   23  1990 RETURN     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29 
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x01 
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 
    0     0 PSCAN      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 
    3  1448 NEWNOTSYN  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW 

Chain CUSTOMFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CUSTOMINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain CUSTOMOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain DHCPBLUEINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  blue0  *       0.0.0.0/0            0.0.0.0/0           tcp spt:68 dpt:67 
    0     0 ACCEPT     udp  --  blue0  *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67 

Chain DMZHOLES (6 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  blue0  green0  192.168.2.0/24       192.168.1.0/24      udp dpt:53 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.0/24      tcp dpt:443 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.7         tcp dpt:465 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.7         tcp dpt:993 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.7         tcp dpt:995 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.7         tcp dpt:143 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.7         tcp dpt:25 
    0     0 ACCEPT     udp  --  blue0  green0  192.168.2.0/24       192.168.1.7         udp dpt:137 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.7         tcp dpt:389 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.7         tcp dpt:139 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.7         tcp dpt:445 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.7         tcp dpt:88 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.7         tcp dpt:8530 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.7         tcp dpt:135 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.7         tcp dpt:1026 
    0     0 ACCEPT     udp  --  blue0  green0  192.168.2.0/24       192.168.1.7         udp dpt:123 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.7         tcp dpt:631 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.7         tcp dpt:3268 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.0/24      tcp dpt:5900 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.0/24      tcp dpt:3389 
    0     0 ACCEPT     udp  --  blue0  green0  192.168.2.0/24       192.168.1.0/24      udp dpt:5252 
    0     0 ACCEPT     tcp  --  blue0  green0  192.168.2.0/24       192.168.1.7         tcp dpts:49152:49157 
    0     0 ACCEPT     udp  --  blue0  green0  192.168.2.0/24       192.168.1.7         udp dpts:49152:49157 
    0     0 ACCEPT     udp  --  blue0  green0  192.168.2.0/24       192.168.1.7         udp dpt:389 
    0     0 ACCEPT     udp  --  blue0  green0  192.168.2.0/24       192.168.1.7         udp dpt:88 

Chain GUARDIAN (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain GUIINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    8   672 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 

Chain IPSECFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IPSECINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IPSECOUTPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IPTVFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain IPTVINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain LOG_DROP (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain LOG_REJECT (0 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-port-unreachable 

Chain NEWNOTSYN (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    3  1448 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `DROP_NEWNOTSYN ' 
    3  1448 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* DROP_NEWNOTSYN */ 

Chain OPENSSLPHYSICAL (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OPENSSLVIRTUAL (2 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTGOINGFW (1 references)
 pkts bytes target     prot opt in     out     source               destination         
   93 17803 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    3   292 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           multiport dports 10000 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           multiport dports 10000 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           multiport dports 53 TIME from 00:00:00 to 00:00:00 
   13   889 RETURN     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           multiport dports 53 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           multiport dports 443 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           multiport dports 443 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           multiport dports 993 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           multiport dports 993 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           multiport dports 465 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           multiport dports 465 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           multiport dports 3478:3497 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  blue0  ppp0    192.168.2.0/24       0.0.0.0/0           multiport dports 5223 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  blue0  ppp0    192.168.2.0/24       0.0.0.0/0           multiport dports 16384:16387 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  blue0  ppp0    192.168.2.0/24       0.0.0.0/0           multiport dports 16393:16402 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  green0 ppp0    192.168.1.0/24       0.0.0.0/0           multiport dports 9418 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  green0 ppp0    192.168.1.0/24       0.0.0.0/0           multiport dports 9418 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  green0 ppp0    192.168.1.0/24       0.0.0.0/0           multiport dports 3000 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      ppp0    192.168.1.0/24       192.168.3.0/24      multiport dports 1:65535 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      ppp0    192.168.1.0/24       192.168.3.0/24      multiport dports 1:65535 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      ppp0    192.168.3.0/24       192.168.1.0/24      multiport dports 1:65535 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      ppp0    192.168.3.0/24       192.168.1.0/24      multiport dports 1:65535 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      ppp0    192.168.1.7          0.0.0.0/0           multiport dports 143 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      ppp0    192.168.1.7          0.0.0.0/0           multiport dports 143 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      ppp0    192.168.1.7          0.0.0.0/0           multiport dports 110 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      ppp0    192.168.1.7          0.0.0.0/0           multiport dports 110 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      ppp0    192.168.1.7          0.0.0.0/0           multiport dports 995 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      ppp0    192.168.1.7          0.0.0.0/0           multiport dports 995 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      ppp0    192.168.1.7          0.0.0.0/0           multiport dports 25 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      ppp0    192.168.1.7          0.0.0.0/0           multiport dports 25 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      ppp0    192.168.1.7          0.0.0.0/0           multiport dports 21 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      ppp0    192.168.1.7          0.0.0.0/0           multiport dports 21 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      ppp0    88.88.88.88        0.0.0.0/0           multiport dports 123 TIME from 00:00:00 to 00:00:00 
    8   608 RETURN     udp  --  *      ppp0    88.88.88.88        0.0.0.0/0           multiport dports 123 TIME from 00:00:00 to 00:00:00 
    3   180 RETURN     tcp  --  *      ppp0    88.88.88.88        0.0.0.0/0           multiport dports 80 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      ppp0    88.88.88.88        0.0.0.0/0           multiport dports 43 TIME from 00:00:00 to 00:00:00 
    0     0 LOG        all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `DROP_OUTGOINGFW ' 
    0     0 DROP       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           /* DROP_OUTGOINGFW  */ 

Chain OUTGOINGFWMAC (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
  418 35112 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 RETURN     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           MAC F0:A2:25:00:00:00 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           MAC F0:A2:25:00:00:00 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           MAC 00:16:CB:00:00:00 multiport dports 21 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           MAC 00:16:CB:00:00:00 multiport dports 21 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           MAC 34:51:C9:00:00:00 multiport dports 80 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           MAC 34:51:C9:00:00:00 multiport dports 80 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           MAC 00:16:CB:00:00:00 multiport dports 21 TIME from 00:00:00 to 00:00:00 
    0     0 RETURN     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           MAC 00:16:CB:00:00:00 multiport dports 21 TIME from 00:00:00 to 00:00:00 
    6   308 LOG        all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `DROP_OUTGOINGFW ' 
    9   456 DROP       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           /* DROP_OUTGOINGFW  */ 

Chain PORTFWACCESS (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain PSCAN (5 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 /* DROP_TCP PScan */ LOG flags 0 level 4 prefix `DROP_TCP Scan ' 
    0     0 LOG        udp  --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 /* DROP_UDP PScan */ LOG flags 0 level 4 prefix `DROP_UDP Scan ' 
    0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 /* DROP_ICMP PScan */ LOG flags 0 level 4 prefix `DROP_ICMP Scan ' 
    0     0 LOG        all  -f  *      *       0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 /* DROP_FRAG PScan */ LOG flags 0 level 4 prefix `DROP_FRAG Scan ' 
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* DROP_PScan */ 

Chain REDFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain REDINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  red0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  red0   *       0.0.0.0/0            0.0.0.0/0           

Chain UPNPFW (0 references)
 pkts bytes target     prot opt in     out     source               destination         

Chain WIRELESSFORWARD (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  blue0  !green0  0.0.0.0/0            0.0.0.0/0           MAC 00:16:CB:00:00:00 
    0     0 DMZHOLES   all  --  blue0  *       0.0.0.0/0            0.0.0.0/0           MAC 00:16:CB:00:00:00 
    0     0 ACCEPT     all  --  blue0  !green0  0.0.0.0/0            0.0.0.0/0           MAC 34:51:C9:00:00:00 
    0     0 DMZHOLES   all  --  blue0  *       0.0.0.0/0            0.0.0.0/0           MAC 34:51:C9:00:00:00 
    0     0 ACCEPT     all  --  blue0  !green0  0.0.0.0/0            0.0.0.0/0           MAC 00:14:A5:00:00:00 
    0     0 DMZHOLES   all  --  blue0  *       0.0.0.0/0            0.0.0.0/0           MAC 00:14:A5:00:00:00 
    0     0 ACCEPT     all  --  blue0  !green0  0.0.0.0/0            0.0.0.0/0           MAC 00:1C:BF:00:00:00 
    0     0 DMZHOLES   all  --  blue0  *       0.0.0.0/0            0.0.0.0/0           MAC 00:1C:BF:00:00:00 
    0     0 ACCEPT     all  --  blue0  !green0  0.0.0.0/0            0.0.0.0/0           MAC 00:1F:3C:00:00:00 
    0     0 DMZHOLES   all  --  blue0  *       0.0.0.0/0            0.0.0.0/0           MAC 00:1F:3C:00:00:00 
    0     0 ACCEPT     all  --  blue0  !green0  0.0.0.0/0            0.0.0.0/0           MAC F0:A2:25:00:00:00 
    0     0 DMZHOLES   all  --  blue0  *       0.0.0.0/0            0.0.0.0/0           MAC F0:A2:25:00:00:00 
    0     0 LOG        all  --  blue0  *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `DROP_Wirelessforward' 
    0     0 DROP       all  --  blue0  *       0.0.0.0/0            0.0.0.0/0           /* DROP_Wirelessforward */ 

Chain WIRELESSINPUT (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     all  --  blue0  *       0.0.0.0/0            0.0.0.0/0           MAC 00:16:CB:00:00:00 
    0     0 ACCEPT     all  --  blue0  *       0.0.0.0/0            0.0.0.0/0           MAC 34:51:C9:00:00:00 
    0     0 ACCEPT     all  --  blue0  *       0.0.0.0/0            0.0.0.0/0           MAC 00:14:A5:00:00:00 
    0     0 ACCEPT     all  --  blue0  *       0.0.0.0/0            0.0.0.0/0           MAC 00:1C:BF:00:00:00 
    0     0 ACCEPT     all  --  blue0  *       0.0.0.0/0            0.0.0.0/0           MAC 00:1F:3C:00:00:00 
    0     0 ACCEPT     all  --  blue0  *       0.0.0.0/0            0.0.0.0/0           MAC F0:A2:25:00:00:00 
    0     0 LOG        all  --  blue0  *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `DROP_Wirelessinput' 
    0     0 DROP       all  --  blue0  *       0.0.0.0/0            0.0.0.0/0           /* DROP_Wirelessinput */ 

Chain XTACCESS (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            88.88.88.88       tcp dpt:113
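The following is an added example, not part of the bug report and not IPFire code. It parses the `iptables -L -v -n` listing format used above and, for the OUTGOINGFWMAC chain quoted there, reports which MAC-matching RETURN rules were never hit while the trailing LOG/DROP counters advanced. That counter pattern (MAC rules at zero, DROP climbing) is what to look for when a MAC-based outgoing rule silently fails to match. The sample listing is copied from the chain above, with the MAC addresses as the poster anonymised them; the helper names are my own.

```python
"""Parse `iptables -L -v -n` output and flag rules that are never hit.

Added example; the sample listing below is the OUTGOINGFWMAC chain quoted
in this bug report, not a fresh capture.
"""
import re
from dataclasses import dataclass

# Column layout of `iptables -L -v -n`:
#   pkts bytes target prot opt in out source destination [match options ...]
MAC_RE = re.compile(r"\bMAC ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")
COUNT_SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}


@dataclass
class Rule:
    pkts: int
    nbytes: int
    target: str
    prot: str
    opt: str
    in_if: str
    out_if: str
    source: str
    destination: str
    extra: str = ""  # everything after the destination column (match options)

    @property
    def mac(self):
        """Source MAC this rule matches on (`-m mac --mac-source`), or None."""
        m = MAC_RE.search(self.extra)
        return m.group(1).upper() if m else None


def parse_count(tok):
    """iptables abbreviates large counters as e.g. 12K, 3M, 1G."""
    if tok[-1] in COUNT_SUFFIX:
        return int(float(tok[:-1]) * COUNT_SUFFIX[tok[-1]])
    return int(tok)


def parse_listing(text):
    """Return {chain_name: [Rule, ...]} for a full `iptables -L -v -n` dump."""
    chains, current = {}, None
    for line in text.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]          # "Chain NAME (n references)"
            chains[current] = []
            continue
        fields = line.strip().split(None, 9)   # at most 10 fields; options stay whole
        if current is None or len(fields) < 9 or fields[0] == "pkts":
            continue                           # blank line or column header
        pkts, nbytes, target, prot, opt, in_if, out_if, src, dst = fields[:9]
        extra = fields[9].strip() if len(fields) == 10 else ""
        chains[current].append(Rule(parse_count(pkts), parse_count(nbytes), target,
                                    prot, opt, in_if, out_if, src, dst, extra))
    return chains


def unhit_mac_rules(rules):
    """MAC-matching rules whose packet counter is still zero."""
    return [r for r in rules if r.mac is not None and r.pkts == 0]


def dropped_packets(rules):
    """Packets that reached a terminal DROP/REJECT in this chain."""
    return sum(r.pkts for r in rules if r.target in ("DROP", "REJECT"))


# Constructed sample: the OUTGOINGFWMAC chain as listed in this bug report.
SAMPLE = """\
Chain OUTGOINGFWMAC (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
  418 35112 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 RETURN     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           MAC F0:A2:25:00:00:00 TIME from 00:00:00 to 00:00:00
    0     0 RETURN     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           MAC F0:A2:25:00:00:00 TIME from 00:00:00 to 00:00:00
    0     0 RETURN     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           MAC 00:16:CB:00:00:00 multiport dports 21 TIME from 00:00:00 to 00:00:00
    0     0 RETURN     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           MAC 00:16:CB:00:00:00 multiport dports 21 TIME from 00:00:00 to 00:00:00
    0     0 RETURN     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           MAC 34:51:C9:00:00:00 multiport dports 80 TIME from 00:00:00 to 00:00:00
    0     0 RETURN     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           MAC 34:51:C9:00:00:00 multiport dports 80 TIME from 00:00:00 to 00:00:00
    0     0 RETURN     tcp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           MAC 00:16:CB:00:00:00 multiport dports 21 TIME from 00:00:00 to 00:00:00
    0     0 RETURN     udp  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           MAC 00:16:CB:00:00:00 multiport dports 21 TIME from 00:00:00 to 00:00:00
    6   308 LOG        all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `DROP_OUTGOINGFW '
    9   456 DROP       all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           /* DROP_OUTGOINGFW  */
"""

if __name__ == "__main__":
    chain = parse_listing(SAMPLE)["OUTGOINGFWMAC"]
    for r in unhit_mac_rules(chain):
        print(f"never matched: {r.prot:4} out={r.out_if} MAC {r.mac}  {r.extra}")
    print(f"{dropped_packets(chain)} packets fell through to DROP in OUTGOINGFWMAC")
```

On a live box the same functions can be fed `subprocess.check_output(["iptables", "-L", "-v", "-n"], text=True)`; comparing two listings taken before and after a client retries its connection shows whether the packets are reaching the MAC rules at all or going straight to the chain's DROP.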
Comment 15 nocheiner 2012-10-04 21:15:30 UTC
Hi there!

Are there any additional information required?
I'll do my very best. ;-)

Ciao for now
Joerg
Comment 16 nocheiner 2012-10-09 21:24:55 UTC
Hallo again,

Unfortunately I'm unable to analyze iptables scripts. So, I need your help!

If I've made a fundamental mistake, please let me know!
If there is anything that I can do, please let me know!

Thank you!

Ciao for now
Joerg :-/
Comment 17 nocheiner 2012-10-17 22:55:42 UTC
I give up!

Bye
Comment 18 Michael Tremer 2012-10-18 10:07:52 UTC
(In reply to comment #17)
> I give up!
> 
> Bye

Well, that's odd.

I still have no idea what the problem is. Everything looks just fine and it also looks like it would work.

Unless there is a rule that permits a connection passing through, packets from green will never be blocked.
Comment 19 Francis Daly 2012-10-18 22:19:14 UTC
I just want to say that I am still experiencing the problem, I have just decided to wait on the next core update to see if it gets fixed.

The easier solution for me was to roll back the patch and just use 2.11 Core Update 62. The patch fixed the MAC based rule problem but made the interface based rules not work.

It is easier for me to just change the MAC based rules to IP based rules than to have the interface rules not work. The interface based rule covers ALL clients going through that interface. Without the interface rules working I would have to create a rule for EVERY client that accesses internet through the IPFire box.

I hope that this problem doesn't carry over to the next core update. Everything seemed to work fine with core update 61. I never noticed the problem about hosts on BLUE having access that wasn't granted.

I tried going back to see what changed to cause the problems I was experiencing with 62 but I just haven't had the time to go over it.

I would love to roll back to core update 61. Is there any way to do that without reinstalling and reconfiguring everything?

Michael, have you heard from others that are affected by this that aren't in this bug report? Or is it isolated to the few of us that have posted here?

Thanks for your help,
Francis
Comment 20 Michael Tremer 2012-10-19 10:53:46 UTC
(In reply to comment #19)
> I just want to say that I am still experiencing the problem, I have just
> decided to wait on the next core update to see if it gets fixed.
> 
> The easier solution for me was to roll back the patch and just use 2.11 Core
> Update 62. The patch fixed the MAC based rule problem but made the interface
> based rules not work.

I still don't have information about what "don't work" means. Is everything per se blocked? Is everything allowed to pass although it shouldn't?
 
> It is easier for me to just change the MAC based rules to IP based rules than
> to have the interface rules not work. The interface based rule covers ALL
> clients going through that interface. Without the interface rules working I
> would have to create a rule for EVERY client that accesses internet through the
> IPFire box.
> 
> I hope that this problem doesn't carry over to the next core update. Everything
> seemed to work fine with core update 61. I never noticed the problem about
> hosts on BLUE having access that wasn't granted.

Core Update 63, which has been released today, does not fix this bug. For a fast fix (i.e. rollback) see below.

> I tried going back to see what changed to cause the problems I was experiencing
> with 62 but I just haven't had the time to go over it.

This is what changed:
http://git.ipfire.org/?p=ipfire-2.x.git;a=history;f=config/outgoingfw/outgoingfw.pl;h=8bb49e0bd3fd2d9d789d729a68b78aaeda5b4ff5;hb=HEAD

> I would love to roll back to core update 61. Is there any way to do that
> without reinstalling and reconfiguring everything?

Yes, just download the old script and copy it to /var/ipfire/outgoing/bin
http://git.ipfire.org/?p=ipfire-2.x.git;a=blob_plain;f=config/outgoingfw/outgoingfw.pl;hb=d89eab6d695b14607512de9896f9ab9e8c825c90
Make sure to have a backup of the old one.

> Michael, have you heard from others that are affected by this that aren't in
> this bug report? Or is it isolated to the few of us that have posted here?

No, there are some mentions on the forums. I don't read the forums regularly because of a lack of time. So there may be more.

Nobody was able to give me some detailed information about what "does not work" after the patch posted in this bug report has been applied.

I guess that the MAC address filtering part is not very widely used. This is also an explanation why this bug could pass QA in the first place.
Comment 21 Lastdrum10 2012-10-26 10:19:41 UTC
Hi all,

same Problem here.

Network config: RED, GREEN
Outgoing Firewall: Mode 1
Rules for MAC address on ports 110, 995, 25 to allow Outlook to send and receive mails.
Since Update 61 the firewall blocks this traffic.


 To 212.227.17.169 - 3 packets
          Service: pop3s (tcp/995) (LOG_OUTGOINGFW) - 3 packets
 To 212.227.17.185 - 4 packets
          Service: pop3s (tcp/995) (LOG_OUTGOINGFW) - 4 packets


To reproduce this bug: put the IPFire FW in Mode 1. On a client set up a mail client (Outlook, Thunderbird). Make a rule in IPFire to allow this client to receive mails.

For more information, please let me know.

David
Comment 22 Michael Tremer 2012-11-01 16:59:33 UTC
Created attachment 94
Outgoing firewall patch #2

Stefan Schantl just provided the needed information to me.

Please test the updated version of this patch. My own testing was successful.

Please do your best and provide feedback as fast as possible, because I would like to add this fix to the next core update.
Comment 23 Francis Daly 2012-11-02 21:19:26 UTC
Hey Michael,

Applied patch 2 and everything seems to be working.

Rules in Outgoing Firewall using Source MAC Address are now working. Rules in Outgoing Firewall using source Network Green or Network Wireless are now working.

With un-patched Core Update 62: rules in Outgoing Firewall using Source MAC Address to allow certain clients access to ports, or to allow complete access to the internet for certain clients, did not work. The clients could not access the ports that were allowed in the rule, and the clients that were to have complete access to the internet did not have any access.

With patched core Update 62: rules in Outgoing Firewall using source Network Green/Wireless to allow that entire network access to ports like for email did not work. No one could access email using their email client software like Outlook or Thunderbird.

My temporary solution was to remove the patch and create rules based on IP address instead of MAC because there were fewer affected than the entire Green or Wireless network with the patch applied.

This is the first bug report I have submitted information to. I apologize if what I provided was not sufficient.

I REALLY appreciate the work you've done here. Things seem to be working ok now. The issues that were affected without the patch are working, the issues that were affected with patch1 are working.

Thanks,
Francis
Comment 24 Michael Tremer 2012-11-03 11:07:13 UTC
(In reply to comment #23)
> Hey Michael,
> 
> Applied patch 2 and everything seems to be working.
> 
> Rules in Outgoing Firewall using Source MAC Address are now working. Rules in
> Outgoing Firewall using source Network Green or Network Wireless are now
> working.

Great!

> This is the first bug report I have submitted information to. I apologize if
> what I provided was not sufficient.
> 
> I REALLY appreciate the work you've done here. Things seem to be working ok
> now. The issues that were affected without the patch are working, the issues
> that were affected with patch1 are working.

Thank you very much, Francis, for your reply. This issue got us busy for some time, because it was hard to understand what was going wrong. Once you find the solution, it seems to be easy.

I am waiting for one more positive feedback and will then merge the patch into the IPFire source code. In case you could do the testing, please do, because I would like to ship this patch with the next core update which is almost finished.

Michael