Hi all, I want to report a bug from the forum where the outgoing firewall can't be configured with MAC addresses. The discussion can be found here: http://forum.ipfire.org/index.php/topic,6882.msg46347.html#msg46347

Greetings
Erik
Need a more detailed description about what is going wrong here.
Hi there, you can find additional information in this post: http://forum.ipfire.org/index.php/topic,6858.0.html

And I'll try to describe it here:
- The device is listed in "GUI: Firewall / Blue Access" with its MAC address.
- "GUI: Firewall / Outgoing Firewall" contains a corresponding rule like: all mac ALL:80 allow HTTP active, Source MAC Address: 34:51:C9:31:5B:3C. This device is unable to reach a host on the internet! Error messages:
  DROP_OUTGOINGFW blue0 TCP 192.168.2.51 62747 193.99.144.85 80
- If you allow access to port 443 for the whole blue network, you'll receive the following error message for a WORKING connection:
  DROP_OUTPUT blue0 TCP 192.168.2.51 62753 191.189.90.19 443

These are my experiences. Further questions? Please let me know!

Ciao for now
Joerg
Hi there, I have the same issues: My firewall is configured in mode 1. I have some computers that should not be blocked by the firewall, so I put in a firewall rule by source MAC address (like: all/mac/ALL:ALL). That was working since updating to Core 62. With a firewall rule by IP/network (like: all/ip/ALL:ALL) it is still working, but no more with the MAC rule. Even after a complete reinstall of Core 62 it didn't work out for me.

Greetings
Tom.
(In reply to comment #1)
> Need a more detailed description about what is going wrong here.

It seems the OUTGOINGFWMAC rule RETURNs for the valid MAC and the packets get dropped in the OUTGOINGFW rule.

An example iptables -L extract:
--------------------------------------
Chain FORWARD (policy DROP)
target         prot opt source     destination
...
OUTGOINGFWMAC  all  --  anywhere   anywhere
OUTGOINGFW     all  --  anywhere   anywhere
...

Chain OUTGOINGFW (2 references)
target         prot opt source     destination
RETURN         all  --  anywhere   anywhere     state RELATED,ESTABLISHED
RETURN         icmp --  anywhere   anywhere
DROP           all  --  anywhere   anywhere     /* DROP_OUTGOINGFW */

Chain OUTGOINGFWMAC (1 references)
target         prot opt source     destination
RETURN         all  --  anywhere   anywhere     state RELATED,ESTABLISHED
RETURN         icmp --  anywhere   anywhere
LOG            tcp  --  anywhere   anywhere     MAC 00:25:64:96:B9:E9 TIME from 00:00:00 to 00:00:00 limit: avg 10/min burst 5 LOG level warning prefix `LOG_OUTGOINGFW '
RETURN         tcp  --  anywhere   anywhere     MAC 00:25:64:96:B9:E9 TIME from 00:00:00 to 00:00:00
LOG            udp  --  anywhere   anywhere     MAC 00:25:64:96:B9:E9 TIME from 00:00:00 to 00:00:00 limit: avg 10/min burst 5 LOG level warning prefix `LOG_OUTGOINGFW '
RETURN         udp  --  anywhere   anywhere     MAC 00:25:64:96:B9:E9 TIME from 00:00:00 to 00:00:00
----------------------------

Regards,
Erik
Created attachment 71 [details]
Outgoing firewall patch

Please try the attached patch, which will create two different tables with all the rules of the outgoing firewall. But the MAC rules will only apply to the FORWARD chain, because MAC address rules cannot be applied to the OUTPUT chain (obviously).
I can confirm this bug. Installed Core Update 62 a week ago. Had no problems until this morning when I added a MAC rule to Outgoing Firewall to bypass the firewall for a client PC. As soon as I saved the new rule I started having problems with my personal PC that has a MAC based bypass rule. Any new rules or existing rules added to Outgoing Firewall using Source MAC Address option to bypass firewall did not work. Applied the patch listed. Restarted the IPFire box. Seems to be working fine now. Thanks!
Thanks for testing. I am awaiting a little bit more feedback before I merge the patch.
Hi there! Because I haven't got a development environment yet, I wasn't able to apply the patch easily until now. Please be a bit more patient. ;-)

Ciao for now
Joerg
Hello!

Test results with outgoingfw-fix1.patch in firewall mode 1:
- MAC-address based outgoing firewall rules for blue are working fine now
- interface based outgoing firewall rules for blue do not work = DROP_OUTGOINGFW
- interface based outgoing firewall rules for all do not work = DROP_OUTGOINGFW
- interface based outgoing firewall rules for green do not work = DROP_OUTGOINGFW

If you need further information (like my patched files?) please let me know. I'm not aware of any faults, but I'm not sure. ;-) Please advise.

Ciao for now
Joerg
Thanks for testing. Could you please provide the content of those two chains?

iptables -L OUTGOINGFW -n -v
iptables -L OUTGOINGFWMAC -n -v

Thanks.
Also confirm interface rules not working.

Output for iptables -L OUTGOINGFW -n -v:
------------------------------------------------------
Chain OUTGOINGFW (1 references)
 pkts bytes target prot opt in out source destination
 2149  698K RETURN all  -- * *    0.0.0.0/0      0.0.0.0/0  state RELATED,ESTABLISHED
    9   936 RETURN icmp -- * *    0.0.0.0/0      0.0.0.0/0
    0     0 RETURN tcp  -- * red0 192.168.0.116  0.0.0.0/0  TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp  -- * red0 192.168.0.116  0.0.0.0/0  TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp  -- * red0 192.168.0.103  0.0.0.0/0  TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp  -- * red0 192.168.0.103  0.0.0.0/0  TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp  -- * red0 192.168.0.18   0.0.0.0/0  TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp  -- * red0 192.168.0.18   0.0.0.0/0  TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp  -- * red0 97.xxx.xxx.xx2 0.0.0.0/0  multiport dports 53 TIME from 00:00:00 to 00:00:00
   41  2602 RETURN udp  -- * red0 97.xxx.xxx.xx2 0.0.0.0/0  multiport dports 53 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp  -- * red0 97.xxx.xxx.xx2 0.0.0.0/0  multiport dports 20,21,115 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp  -- * red0 97.xxx.xxx.xx2 0.0.0.0/0  multiport dports 20,21,115 TIME from 00:00:00 to 00:00:00
   40  2400 RETURN tcp  -- * red0 97.xxx.xxx.xx2 0.0.0.0/0  multiport dports 80 TIME from 00:00:00 to 00:00:00
    1    60 RETURN tcp  -- * red0 97.xxx.xxx.xx2 0.0.0.0/0  multiport dports 443 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp  -- * red0 97.xxx.xxx.xx2 0.0.0.0/0  multiport dports 123 TIME from 00:00:00 to 00:00:00
    0     0 LOG    all  -- * red0 0.0.0.0/0      0.0.0.0/0  limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `DROP_OUTGOINGFW '
    0     0 DROP   all  -- * red0 0.0.0.0/0      0.0.0.0/0  /* DROP_OUTGOINGFW */
------------------------------------------------------

Output for iptables -L OUTGOINGFWMAC -n -v:
------------------------------------------------------
Chain OUTGOINGFWMAC (1 references)
 pkts bytes target prot opt in out source destination
    0     0 RETURN all  -- * *    0.0.0.0/0  0.0.0.0/0  state RELATED,ESTABLISHED
    0     0 RETURN icmp -- * *    0.0.0.0/0  0.0.0.0/0
    0     0 RETURN tcp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 00:08:02:xx:xx:xx multiport dports 20,21 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 00:17:31:xx:xx:xx multiport dports 20,21 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC D4:85:64:xx:xx:xx multiport dports 20,21 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 00:08:02:xx:xx:xx multiport dports 20,21 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 00:17:31:xx:xx:xx multiport dports 20,21 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC D4:85:64:xx:xx:xx multiport dports 20,21 TIME from 00:00:00 to 00:00:00
   10  4220 RETURN tcp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 6C:83:36:xx:xx:xx TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 30:85:A9:xx:xx:xx TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 00:1E:65:xx:xx:xx TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 6C:83:36:xx:xx:xx TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 30:85:A9:xx:xx:xx TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 00:1E:65:xx:xx:xx TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 5C:AC:4C:xx:xx:xx TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 5C:AC:4C:xx:xx:xx TIME from 00:00:00 to 00:00:00
  119  7140 RETURN tcp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 00:26:9E:xx:xx:xx TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 00:26:9E:xx:xx:xx TIME from 00:00:00 to 00:00:00
   22  5916 RETURN tcp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 00:1D:73:xx:xx:xx TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 00:1D:73:xx:xx:xx TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 00:06:5B:xx:xx:xx TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 00:06:5B:xx:xx:xx TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 88:AE:1D:xx:xx:xx multiport dports 20,21 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 88:AE:1D:xx:xx:xx multiport dports 20,21 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 00:0E:7F:xx:xx:xx TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp  -- * red0 0.0.0.0/0  0.0.0.0/0  MAC 00:0E:7F:xx:xx:xx TIME from 00:00:00 to 00:00:00
   44  4636 LOG    all  -- * red0 0.0.0.0/0  0.0.0.0/0  limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `DROP_OUTGOINGFW '
  520 29874 DROP   all  -- * red0 0.0.0.0/0  0.0.0.0/0  /* DROP_OUTGOINGFW */
------------------------------------------------------

Thanks,
Francis
I have some interesting, hopefully helpful, information on this bug. Don't have the budget for a test environment (I know virtualization and all that but that's not the point here). I installed Core Update 62 on my production machine. Had no problems for a week on Core Update 62. I made a change in Outgoing Firewall rules and immediately the MAC rules stopped working.

Applied the outgoing firewall patch attached to this bug report. MAC rules worked but now interface rules stopped. For example: rules to allow email ports on Green interface stopped working after the patch. I reversed the patch to get email going for client machines and everything started working again like normal INCLUDING the MAC rules.

As soon as I make a change in Outgoing Firewall the MAC rules stop working. I reverse the patch, restart the firewall (/etc/init.d/firewall restart) and everything works again including MAC rules. I can reproduce this 100% of the time.

Thanks,
Francis
As far as I can see the OUTGOINGFW and OUTGOINGFWMAC chains are perfectly fine.

iptables -L -n -v?

---

I am quite confused what to do right now. I am getting some reports that confirm the problem has been solved with the patch. Others don't.
Hi there!

Core62, no workaround, no patch = no access from blue to red, regardless if you use a MAC address in your rule or not
Core62 patch1 = access from blue to red okay, only if you use a MAC address in your rule
Core62 patch1 = no access from green to red

If you need more information, please let me know!

Ciao for now
JB

-----iptables-----
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  141 13801 BADTCP all -- * * 0.0.0.0/0 0.0.0.0/0
  141 13801 CUSTOMINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
  141 13801 GUARDIAN all -- * * 0.0.0.0/0 0.0.0.0/0
  141 13801 IPTVINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
  141 13801 GUIINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
  109 11359 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
   24  1770 IPSECINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
   24  1770 OPENSSLVIRTUAL all -- * * 0.0.0.0/0 0.0.0.0/0 /* OPENSSLVIRTUAL INPUT */
   12   799 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
    0     0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0 state NEW
    0     0 DROP all -- * * 0.0.0.0/0 127.0.0.0/8 state NEW
   12   971 ACCEPT !icmp -- green0 * 0.0.0.0/0 0.0.0.0/0 state NEW
    0     0 DHCPBLUEINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 OPENSSLPHYSICAL all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 WIRELESSINPUT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
    0     0 REDINPUT all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 XTACCESS all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
    0     0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `DROP_INPUT '
    0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* DROP_INPUT */

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  439 37772 BADTCP all -- * * 0.0.0.0/0 0.0.0.0/0
    9   456 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
  436 36324 GUARDIAN all -- * * 0.0.0.0/0 0.0.0.0/0
  436 36324 CUSTOMFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
  436 36324 IPTVFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
    6   504 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  430 35820 IPSECFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
  430 35820 OPENSSLVIRTUAL all -- * * 0.0.0.0/0 0.0.0.0/0 /* OPENSSLVIRTUAL FORWARD */
  430 35820 OUTGOINGFWMAC all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 state NEW
    0     0 DROP all -- * * 127.0.0.0/8 0.0.0.0/0 state NEW
    0     0 DROP all -- * * 0.0.0.0/0 127.0.0.0/8 state NEW
  421 35364 ACCEPT all -- green0 * 0.0.0.0/0 0.0.0.0/0 state NEW
    0     0 WIRELESSFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
    0     0 REDFORWARD all -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 PORTFWACCESS all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
    0     0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `DROP_OUTPUT '
    0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* DROP_OUTPUT */

Chain OUTPUT (policy ACCEPT 84 packets, 16780 bytes)
 pkts bytes target prot opt in out source destination
  142 21245 CUSTOMOUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0
  142 21245 OUTGOINGFW all -- * * 0.0.0.0/0 0.0.0.0/0
  142 21245 IPSECOUTPUT all -- * * 0.0.0.0/0 0.0.0.0/0

Chain BADTCP (2 references)
 pkts bytes target prot opt in out source destination
   23  1990 RETURN all -- lo * 0.0.0.0/0 0.0.0.0/0
    0     0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
    0     0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
    0     0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x01
    0     0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
    0     0 PSCAN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
    3  1448 NEWNOTSYN tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:!0x17/0x02 state NEW

Chain CUSTOMFORWARD (1 references)
 pkts bytes target prot opt in out source destination

Chain CUSTOMINPUT (1 references)
 pkts bytes target prot opt in out source destination

Chain CUSTOMOUTPUT (1 references)
 pkts bytes target prot opt in out source destination

Chain DHCPBLUEINPUT (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- blue0 * 0.0.0.0/0 0.0.0.0/0 tcp spt:68 dpt:67
    0     0 ACCEPT udp -- blue0 * 0.0.0.0/0 0.0.0.0/0 udp spt:68 dpt:67

Chain DMZHOLES (6 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT udp -- blue0 green0 192.168.2.0/24 192.168.1.0/24 udp dpt:53
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.0/24 tcp dpt:443
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.7 tcp dpt:465
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.7 tcp dpt:993
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.7 tcp dpt:995
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.7 tcp dpt:143
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.7 tcp dpt:25
    0     0 ACCEPT udp -- blue0 green0 192.168.2.0/24 192.168.1.7 udp dpt:137
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.7 tcp dpt:389
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.7 tcp dpt:139
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.7 tcp dpt:445
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.7 tcp dpt:88
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.7 tcp dpt:8530
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.7 tcp dpt:135
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.7 tcp dpt:1026
    0     0 ACCEPT udp -- blue0 green0 192.168.2.0/24 192.168.1.7 udp dpt:123
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.7 tcp dpt:631
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.7 tcp dpt:3268
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.0/24 tcp dpt:5900
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.0/24 tcp dpt:3389
    0     0 ACCEPT udp -- blue0 green0 192.168.2.0/24 192.168.1.0/24 udp dpt:5252
    0     0 ACCEPT tcp -- blue0 green0 192.168.2.0/24 192.168.1.7 tcp dpts:49152:49157
    0     0 ACCEPT udp -- blue0 green0 192.168.2.0/24 192.168.1.7 udp dpts:49152:49157
    0     0 ACCEPT udp -- blue0 green0 192.168.2.0/24 192.168.1.7 udp dpt:389
    0     0 ACCEPT udp -- blue0 green0 192.168.2.0/24 192.168.1.7 udp dpt:88

Chain GUARDIAN (2 references)
 pkts bytes target prot opt in out source destination

Chain GUIINPUT (1 references)
 pkts bytes target prot opt in out source destination
    8   672 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8

Chain IPSECFORWARD (1 references)
 pkts bytes target prot opt in out source destination

Chain IPSECINPUT (1 references)
 pkts bytes target prot opt in out source destination

Chain IPSECOUTPUT (1 references)
 pkts bytes target prot opt in out source destination

Chain IPTVFORWARD (1 references)
 pkts bytes target prot opt in out source destination

Chain IPTVINPUT (1 references)
 pkts bytes target prot opt in out source destination

Chain LOG_DROP (0 references)
 pkts bytes target prot opt in out source destination
    0     0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4
    0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain LOG_REJECT (0 references)
 pkts bytes target prot opt in out source destination
    0     0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4
    0     0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable

Chain NEWNOTSYN (1 references)
 pkts bytes target prot opt in out source destination
    3  1448 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `DROP_NEWNOTSYN '
    3  1448 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* DROP_NEWNOTSYN */

Chain OPENSSLPHYSICAL (1 references)
 pkts bytes target prot opt in out source destination

Chain OPENSSLVIRTUAL (2 references)
 pkts bytes target prot opt in out source destination

Chain OUTGOINGFW (1 references)
 pkts bytes target prot opt in out source destination
   93 17803 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
    3   292 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 RETURN tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 multiport dports 10000 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 multiport dports 10000 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 multiport dports 53 TIME from 00:00:00 to 00:00:00
   13   889 RETURN udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 multiport dports 53 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 multiport dports 443 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 multiport dports 443 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 multiport dports 993 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 multiport dports 993 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 multiport dports 465 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 multiport dports 465 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 multiport dports 3478:3497 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- blue0 ppp0 192.168.2.0/24 0.0.0.0/0 multiport dports 5223 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- blue0 ppp0 192.168.2.0/24 0.0.0.0/0 multiport dports 16384:16387 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- blue0 ppp0 192.168.2.0/24 0.0.0.0/0 multiport dports 16393:16402 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- green0 ppp0 192.168.1.0/24 0.0.0.0/0 multiport dports 9418 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- green0 ppp0 192.168.1.0/24 0.0.0.0/0 multiport dports 9418 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- green0 ppp0 192.168.1.0/24 0.0.0.0/0 multiport dports 3000 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- * ppp0 192.168.1.0/24 192.168.3.0/24 multiport dports 1:65535 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- * ppp0 192.168.1.0/24 192.168.3.0/24 multiport dports 1:65535 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- * ppp0 192.168.3.0/24 192.168.1.0/24 multiport dports 1:65535 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- * ppp0 192.168.3.0/24 192.168.1.0/24 multiport dports 1:65535 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- * ppp0 192.168.1.7 0.0.0.0/0 multiport dports 143 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- * ppp0 192.168.1.7 0.0.0.0/0 multiport dports 143 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- * ppp0 192.168.1.7 0.0.0.0/0 multiport dports 110 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- * ppp0 192.168.1.7 0.0.0.0/0 multiport dports 110 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- * ppp0 192.168.1.7 0.0.0.0/0 multiport dports 995 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- * ppp0 192.168.1.7 0.0.0.0/0 multiport dports 995 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- * ppp0 192.168.1.7 0.0.0.0/0 multiport dports 25 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- * ppp0 192.168.1.7 0.0.0.0/0 multiport dports 25 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- * ppp0 192.168.1.7 0.0.0.0/0 multiport dports 21 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- * ppp0 192.168.1.7 0.0.0.0/0 multiport dports 21 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- * ppp0 88.88.88.88 0.0.0.0/0 multiport dports 123 TIME from 00:00:00 to 00:00:00
    8   608 RETURN udp -- * ppp0 88.88.88.88 0.0.0.0/0 multiport dports 123 TIME from 00:00:00 to 00:00:00
    3   180 RETURN tcp -- * ppp0 88.88.88.88 0.0.0.0/0 multiport dports 80 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- * ppp0 88.88.88.88 0.0.0.0/0 multiport dports 43 TIME from 00:00:00 to 00:00:00
    0     0 LOG all -- * ppp0 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `DROP_OUTGOINGFW '
    0     0 DROP all -- * ppp0 0.0.0.0/0 0.0.0.0/0 /* DROP_OUTGOINGFW */

Chain OUTGOINGFWMAC (1 references)
 pkts bytes target prot opt in out source destination
    0     0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
  418 35112 RETURN icmp -- * * 0.0.0.0/0 0.0.0.0/0
    0     0 RETURN tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 MAC F0:A2:25:00:00:00 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 MAC F0:A2:25:00:00:00 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 MAC 00:16:CB:00:00:00 multiport dports 21 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 MAC 00:16:CB:00:00:00 multiport dports 21 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 MAC 34:51:C9:00:00:00 multiport dports 80 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 MAC 34:51:C9:00:00:00 multiport dports 80 TIME from 00:00:00 to 00:00:00
    0     0 RETURN tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 MAC 00:16:CB:00:00:00 multiport dports 21 TIME from 00:00:00 to 00:00:00
    0     0 RETURN udp -- * ppp0 0.0.0.0/0 0.0.0.0/0 MAC 00:16:CB:00:00:00 multiport dports 21 TIME from 00:00:00 to 00:00:00
    6   308 LOG all -- * ppp0 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 LOG flags 0 level 4 prefix `DROP_OUTGOINGFW '
    9   456 DROP all -- * ppp0 0.0.0.0/0 0.0.0.0/0 /* DROP_OUTGOINGFW */

Chain PORTFWACCESS (1 references)
 pkts bytes target prot opt in out source destination

Chain PSCAN (5 references)
 pkts bytes target prot opt in out source destination
    0     0 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 /* DROP_TCP PScan */ LOG flags 0 level 4 prefix `DROP_TCP Scan '
    0     0 LOG udp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 /* DROP_UDP PScan */ LOG flags 0 level 4 prefix `DROP_UDP Scan '
    0     0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 /* DROP_ICMP PScan */ LOG flags 0 level 4 prefix `DROP_ICMP Scan '
    0     0 LOG all -f * * 0.0.0.0/0 0.0.0.0/0 limit: avg 10/min burst 5 /* DROP_FRAG PScan */ LOG flags 0 level 4 prefix `DROP_FRAG Scan '
    0     0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 /* DROP_PScan */

Chain REDFORWARD (1 references)
 pkts bytes target prot opt in out source destination

Chain REDINPUT (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- red0 * 0.0.0.0/0 0.0.0.0/0
    0     0 ACCEPT all -- red0 * 0.0.0.0/0 0.0.0.0/0

Chain UPNPFW (0 references)
 pkts bytes target prot opt in out source destination

Chain WIRELESSFORWARD (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- blue0 !green0 0.0.0.0/0 0.0.0.0/0 MAC 00:16:CB:00:00:00
    0     0 DMZHOLES all -- blue0 * 0.0.0.0/0 0.0.0.0/0 MAC 00:16:CB:00:00:00
    0     0 ACCEPT all -- blue0 !green0 0.0.0.0/0 0.0.0.0/0 MAC 34:51:C9:00:00:00
    0     0 DMZHOLES all -- blue0 * 0.0.0.0/0 0.0.0.0/0 MAC 34:51:C9:00:00:00
    0     0 ACCEPT all -- blue0 !green0 0.0.0.0/0 0.0.0.0/0 MAC 00:14:A5:00:00:00
    0     0 DMZHOLES all -- blue0 * 0.0.0.0/0 0.0.0.0/0 MAC 00:14:A5:00:00:00
    0     0 ACCEPT all -- blue0 !green0 0.0.0.0/0 0.0.0.0/0 MAC 00:1C:BF:00:00:00
    0     0 DMZHOLES all -- blue0 * 0.0.0.0/0 0.0.0.0/0 MAC 00:1C:BF:00:00:00
    0     0 ACCEPT all -- blue0 !green0 0.0.0.0/0 0.0.0.0/0 MAC 00:1F:3C:00:00:00
    0     0 DMZHOLES all -- blue0 * 0.0.0.0/0 0.0.0.0/0 MAC 00:1F:3C:00:00:00
    0     0 ACCEPT all -- blue0 !green0 0.0.0.0/0 0.0.0.0/0 MAC F0:A2:25:00:00:00
    0     0 DMZHOLES all -- blue0 * 0.0.0.0/0 0.0.0.0/0 MAC F0:A2:25:00:00:00
    0     0 LOG all -- blue0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `DROP_Wirelessforward'
    0     0 DROP all -- blue0 * 0.0.0.0/0 0.0.0.0/0 /* DROP_Wirelessforward */

Chain WIRELESSINPUT (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT all -- blue0 * 0.0.0.0/0 0.0.0.0/0 MAC 00:16:CB:00:00:00
    0     0 ACCEPT all -- blue0 * 0.0.0.0/0 0.0.0.0/0 MAC 34:51:C9:00:00:00
    0     0 ACCEPT all -- blue0 * 0.0.0.0/0 0.0.0.0/0 MAC 00:14:A5:00:00:00
    0     0 ACCEPT all -- blue0 * 0.0.0.0/0 0.0.0.0/0 MAC 00:1C:BF:00:00:00
    0     0 ACCEPT all -- blue0 * 0.0.0.0/0 0.0.0.0/0 MAC 00:1F:3C:00:00:00
    0     0 ACCEPT all -- blue0 * 0.0.0.0/0 0.0.0.0/0 MAC F0:A2:25:00:00:00
    0     0 LOG all -- blue0 * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4 prefix `DROP_Wirelessinput'
    0     0 DROP all -- blue0 * 0.0.0.0/0 0.0.0.0/0 /* DROP_Wirelessinput */

Chain XTACCESS (1 references)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT tcp -- ppp0 * 0.0.0.0/0 88.88.88.88 tcp dpt:113
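The RETURN-then-DROP interaction Erik describes above, and the patch-1 layout visible in JB's dump (FORWARD jumps only to OUTGOINGFWMAC, while OUTGOINGFW hangs off OUTPUT), replayed in a small model of iptables chain traversal. This is an added example, not IPFire's firewall script: the chains are reduced to the rules that matter, the "single chain" layout is my own illustration rather than the merged patch #2, and every MAC address, interface and port in it is a constructed sample.

```python
"""iptables chain-traversal model replaying the outgoing-firewall layouts from
this bug.  Added illustration, not IPFire code: rule sets are reduced to the
rules that matter and every MAC, interface and port below is a constructed sample."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Packet = Dict[str, object]                  # keys: in, mac, dport, state
Match = Callable[[Packet], bool]


@dataclass
class Rule:
    match: Match
    target: str                             # ACCEPT, DROP, RETURN or a user chain
    label: str = ""


@dataclass
class Ruleset:
    chains: Dict[str, List[Rule]] = field(default_factory=dict)
    policy: Dict[str, str] = field(default_factory=dict)

    def _walk(self, chain: str, pkt: Packet, trace: List[str]) -> Optional[str]:
        """None means "no verdict yet": RETURN and falling off the end of a
        user chain both hand the packet back to the calling chain."""
        for rule in self.chains.get(chain, []):
            if not rule.match(pkt):
                continue
            trace.append(f"{chain}:{rule.label or rule.target}")
            if rule.target == "RETURN":
                return None                 # back to the caller, NOT an accept
            if rule.target in ("ACCEPT", "DROP"):
                return rule.target
            verdict = self._walk(rule.target, pkt, trace)   # jump into user chain
            if verdict is not None:
                return verdict
        return None

    def verdict(self, builtin: str, pkt: Packet) -> Tuple[str, List[str]]:
        trace: List[str] = []
        v = self._walk(builtin, pkt, trace)
        return (v if v is not None else self.policy[builtin]), trace   # policy if undecided


def any_pkt(_: Packet) -> bool:
    return True

def established(p: Packet) -> bool:
    return p["state"] == "ESTABLISHED"

def from_mac(m: str) -> Match:
    return lambda p: p["mac"] == m

def from_iface(i: str, dport: int) -> Match:
    return lambda p: p["in"] == i and p["dport"] == dport

def new_from_lan(p: Packet) -> bool:         # stands in for the rest of FORWARD
    return p["state"] == "NEW" and p["in"] in ("green0", "blue0")


TRUSTED_MAC = "02:00:00:00:00:01"            # constructed, locally administered
MAC_RULES = [Rule(established, "RETURN"), Rule(from_mac(TRUSTED_MAC), "RETURN", "mac-ok")]
IFACE_RULES = [Rule(established, "RETURN"), Rule(from_iface("green0", 25), "RETURN", "smtp-ok")]
DROP_FW = Rule(any_pkt, "DROP", "DROP_OUTGOINGFW")


def core62_layout() -> Ruleset:
    """Unpatched Core 62: FORWARD jumps to both chains, only OUTGOINGFW ends in DROP."""
    return Ruleset(
        chains={"FORWARD": [Rule(any_pkt, "OUTGOINGFWMAC"), Rule(any_pkt, "OUTGOINGFW"),
                            Rule(new_from_lan, "ACCEPT")],
                "OUTGOINGFWMAC": MAC_RULES,
                "OUTGOINGFW": IFACE_RULES + [DROP_FW]},
        policy={"FORWARD": "DROP"})


def patch1_layout() -> Ruleset:
    """Patch 1: FORWARD jumps only to the MAC chain (which now ends in DROP);
    OUTGOINGFW with the interface rules hangs off OUTPUT alone."""
    return Ruleset(
        chains={"FORWARD": [Rule(any_pkt, "OUTGOINGFWMAC"), Rule(new_from_lan, "ACCEPT")],
                "OUTPUT": [Rule(any_pkt, "OUTGOINGFW")],
                "OUTGOINGFWMAC": MAC_RULES + [DROP_FW],
                "OUTGOINGFW": IFACE_RULES + [DROP_FW]},
        policy={"FORWARD": "DROP", "OUTPUT": "ACCEPT"})


def single_chain_layout() -> Ruleset:
    """A layout that gets both rule kinds right (mine, not the merged patch #2):
    all whitelist rules RETURN from one chain that ends in the single DROP."""
    return Ruleset(
        chains={"FORWARD": [Rule(any_pkt, "OUTGOINGFW"), Rule(new_from_lan, "ACCEPT")],
                "OUTGOINGFW": MAC_RULES + IFACE_RULES[1:] + [DROP_FW]},
        policy={"FORWARD": "DROP"})


# Constructed forwarded packets: a MAC-whitelisted host on blue, a green host
# covered by the interface rule for SMTP, and a green host on a port no rule allows.
PACKETS: Dict[str, Packet] = {
    "blue_mac_http": {"in": "blue0", "mac": TRUSTED_MAC, "dport": 80, "state": "NEW"},
    "green_smtp": {"in": "green0", "mac": "02:00:00:00:00:02", "dport": 25, "state": "NEW"},
    "green_other": {"in": "green0", "mac": "02:00:00:00:00:02", "dport": 443, "state": "NEW"},
}


def replay(layout: Ruleset) -> Dict[str, str]:
    """FORWARD verdict for each constructed packet under the given layout."""
    return {name: layout.verdict("FORWARD", pkt)[0] for name, pkt in PACKETS.items()}
```

`replay(core62_layout())` drops the MAC-whitelisted packet (RETURN from OUTGOINGFWMAC lands it in OUTGOINGFW's DROP), `replay(patch1_layout())` drops the green SMTP packet instead (FORWARD never reaches OUTGOINGFW), and the trace list from `verdict()` shows the chain hops behind each verdict.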
Hi there! Is any additional information required? I'll do my very best. ;-)

Ciao for now
Joerg
Hello again, unfortunately I'm unable to analyze iptables scripts. So, I need your help! If I've made a fundamental mistake, please let me know! If there is anything that I can do, please let me know! Thank you!

Ciao for now
Joerg :-/
I give up! Bye
(In reply to comment #17)
> I give up!
>
> Bye

Well, that's odd. I still have no idea what the problem is. Everything looks just fine and it also looks like it would work. Unless there is a rule that permits a connection passing through, packets from green will never be blocked.
I just want to say that I am still experiencing the problem, I have just decided to wait on the next core update to see if it gets fixed.

The easier solution for me was to roll back the patch and just use 2.11 Core Update 62. The patch fixed the MAC based rule problem but made the interface based rules not work. It is easier for me to just change the MAC based rules to IP based rules than to have the interface rules not work. The interface based rule covers ALL clients going through that interface. Without the interface rules working I would have to create a rule for EVERY client that accesses internet through the IPFire box.

I hope that this problem doesn't carry over to the next core update. Everything seemed to work fine with core update 61. I never noticed the problem about hosts on BLUE having access that wasn't granted. I tried going back to see what changed to cause the problems I was experiencing with 62 but I just haven't had the time to go over it. I would love to roll back to core update 61. Is there any way to do that without reinstalling and reconfiguring everything?

Michael, have you heard from others that are affected by this that aren't in this bug report? Or is it isolated to the few of us that have posted here?

Thanks for your help,
Francis
(In reply to comment #19)
> I just want to say that I am still experiencing the problem, I have just
> decided to wait on the next core update to see if it gets fixed.
>
> The easier solution for me was to roll back the patch and just use 2.11 Core
> Update 62. The patch fixed the MAC based rule problem but made the interface
> based rules not work.

I still don't have information about what "don't work" means. Is everything per se blocked? Is everything allowed to pass although it shouldn't?

> It is easier for me to just change the MAC based rules to IP based rules than
> to have the interface rules not work. The interface based rule covers ALL
> clients going through that interface. Without the interface rules working I
> would have to create a rule for EVERY client that accesses internet through the
> IPFire box.
>
> I hope that this problem doesn't carry over to the next core update. Everything
> seemed to work fine with core update 61. I never noticed the problem about
> hosts on BLUE having access that wasn't granted.

Core Update 63, which has been released today, does not fix this bug. For a fast fix (i.e. rollback) see below.

> I tried going back to see what changed to cause the problems I was experiencing
> with 62 but I just haven't had the time to go over it.

This is what changed: http://git.ipfire.org/?p=ipfire-2.x.git;a=history;f=config/outgoingfw/outgoingfw.pl;h=8bb49e0bd3fd2d9d789d729a68b78aaeda5b4ff5;hb=HEAD

> I would love to roll back to core update 61. Is there any way to do that
> without reinstalling and reconfiguring everything?

Yes, just download the old script and copy it to /var/ipfire/outgoing/bin
http://git.ipfire.org/?p=ipfire-2.x.git;a=blob_plain;f=config/outgoingfw/outgoingfw.pl;hb=d89eab6d695b14607512de9896f9ab9e8c825c90

Make sure to have a backup of the old one.

> Michael, have you heard from others that are affected by this that aren't in
> this bug report? Or is it isolated to the few of us that have posted here?

No, there are some mentions on the forums. I don't read the forums regularly because of a lack of time. So there may be more.

Nobody was able to give me some detailed information about what "does not work" after the patch posted in this bug report has been applied. I guess that the MAC address filtering part is not very widely used. This is also an explanation why this bug could pass QA in the first place.
Hi all, same problem here.

Network config: RED, GREEN
Outgoing Firewall: Mode 1
Rules for MAC address on ports 110, 995, 25 to allow Outlook to send and receive mails. Since Update 61 the firewall blocks this traffic.

To 212.227.17.169 - 3 packets Service: pop3s (tcp/995) (LOG_OUTGOINGFW) - 3 packets
To 212.227.17.185 - 4 packets Service: pop3s (tcp/995) (LOG_OUTGOINGFW) - 4 packets

To reproduce this bug: Put the IPFire FW in Mode 1. On a client set up a mail client (Outlook, Thunderbird). Make a rule in IPFire to allow this client to receive mails.

For more information, please let me know.
David
Created attachment 94 [details]
Outgoing firewall patch #2

Stefan Schantl just provided the needed information to me. Please test the updated version of this patch. My own testing was successful. Please do your best and provide feedback as fast as possible, because I would like to add this fix to the next core update.
Hey Michael,

Applied patch 2 and everything seems to be working.

Rules in Outgoing Firewall using Source MAC Address are now working. Rules in Outgoing Firewall using source Network Green or Network Wireless are now working.

With un-patched Core Update 62: rules in Outgoing Firewall using Source MAC Address to allow certain clients access to ports, or to allow complete access to the internet for certain clients, did not work. The clients could not access the ports that were allowed in the rule, and the clients that were to have complete access to the internet did not have any access.

With patched Core Update 62: rules in Outgoing Firewall using source Network Green/Wireless to allow that entire network access to ports like for email did not work. No one could access email using their email client software like Outlook or Thunderbird. My temporary solution was to remove the patch and create rules based on IP address instead of MAC because there were fewer affected than the entire Green or Wireless network with the patch applied.

This is the first bug report I have submitted information to. I apologize if what I provided was not sufficient.

I REALLY appreciate the work you've done here. Things seem to be working ok now. The issues that were affected without the patch are working, the issues that were affected with patch1 are working.

Thanks,
Francis
(In reply to comment #23)
> Hey Michael,
>
> Applied patch 2 and everything seems to be working.
>
> Rules in Outgoing Firewall using Source MAC Address are now working. Rules in
> Outgoing Firewall using source Network Green or Network Wireless are now
> working.

Great!

> This is the first bug report I have submitted information to. I apologize if
> what I provided was not sufficient.
>
> I REALLY appreciate the work you've done here. Things seem to be working ok
> now. The issues that were affected without the patch are working, the issues
> that were affected with patch1 are working.

Thank you very much, Francis, for your reply. This issue got us busy for some time, because it was hard to understand what was going wrong. Once you find the solution, it seems to be easy.

I am waiting for one more positive feedback and will then merge the patch into the IPFire source code. In case you could do the testing, please do, because I would like to ship this patch with the next core update which is almost finished.

Michael
Merged.

http://git.ipfire.org/?p=ipfire-2.x.git;a=commitdiff;h=ab74c839ddf125b73f7b79e925c31d03e92aa079