Opened 5 years ago

Closed 5 years ago

Last modified 4 years ago

#12945 closed defect (duplicate)

Firewall forwarding to networks of same zone opens forwarding to everywhere

Reported by: rene <opennet@…> Owned by: developers
Priority: highest Milestone: Barrier Breaker 14.07
Component: base system Version: Trunk
Keywords: firewall Cc:


Problem: If a forward to networks of the same zone is configured as "ACCEPT", forwarding to all zones will be allowed.

Description: Example-Zone is called "opennet"

If forwarding between different networks within the zone is allowed, the chain zone_opennet_forward will get a chain zone_opennet_ACCEPT added. The rules in this chain will match incoming or outgoing traffic through interfaces of this zone, and will therefore trigger positive for every traffic entering through networks of this zone. This way traffic-forwarding is allowed to all interfaces.

#> part of /etc/config/firewall
config zone 'zone_opennet'
    option name 'opennet'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'on_wifi_0 on_eth_0'

#> part of iptables -L -v -n

Chain forward (1 references)
target                prot opt in       out      source destination
zone_opennet_forward  all  --  eth0.10  *

Chain zone_opennet_ACCEPT (5 references)
target                prot opt in       out      source destination
ACCEPT                all  --  *        eth0.10
ACCEPT                all  --  eth0.10  *        <---- Problem

Chain zone_opennet_forward (1 references)
target                prot opt in       out      source destination
zone_opennet_ACCEPT   all  --  *        *
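The following is an added model of the chain walk described above; it is not OpenWrt's firewall code and not part of the ticket. It reproduces, with simplified iptables semantics (in/out interface matching, `*` as wildcard, jumps into user chains that return to the caller when nothing matches), the chains printed in the report, shows why a packet entering on eth0.10 is accepted towards any egress interface, and contrasts it with one way to restrict intra-zone forwarding (one rule per ordered pair of zone interfaces; this is an assumed correction, not the project's actual fix). The device names `wlan0` and `eth0.20` and the mapping of `on_wifi_0`/`on_eth_0` to devices are constructed for the example. It also includes a small audit that flags ACCEPT rules reachable from the zone's forward chain whose egress interface is not pinned to the zone.

```python
"""Model of how the zone_opennet_ACCEPT chain decides forwarded traffic.

Simplified iptables semantics: a rule has an ingress and an egress
interface ('*' is a wildcard) and a target; a target naming another chain
is a jump, and the caller keeps scanning if the called chain returns
without a verdict.  Added example, not OpenWrt code.
"""

WILDCARD = "*"

# Constructed: the 'opennet' zone bound to two devices (assumed to be what
# on_wifi_0 / on_eth_0 resolve to), plus one device from some other zone.
ZONE_OPENNET_IFACES = {"eth0.10", "wlan0"}
OTHER_ZONE_IFACE = "eth0.20"


def rule(in_if=WILDCARD, out_if=WILDCARD, target="ACCEPT"):
    return {"in": in_if, "out": out_if, "target": target}


def matches(r, in_if, out_if):
    return r["in"] in (WILDCARD, in_if) and r["out"] in (WILDCARD, out_if)


def evaluate(chains, chain_name, in_if, out_if):
    """Return the first terminating target a packet hits, or None."""
    for r in chains[chain_name]:
        if not matches(r, in_if, out_if):
            continue
        if r["target"] in chains:               # jump into a user chain
            verdict = evaluate(chains, r["target"], in_if, out_if)
            if verdict is not None:
                return verdict
            continue                            # chain returned: keep scanning
        return r["target"]
    return None


def dispatch_chain():
    # 'forward' hands traffic entering through a zone device to the zone chain,
    # as in:  zone_opennet_forward  all  --  eth0.10  *
    return [rule(in_if=dev, target="zone_opennet_forward")
            for dev in sorted(ZONE_OPENNET_IFACES)]


def buggy_chains():
    """Chains as printed in the ticket: one ACCEPT rule per device and
    direction, reached unconditionally from zone_opennet_forward."""
    accept = []
    for dev in sorted(ZONE_OPENNET_IFACES):
        accept.append(rule(out_if=dev))          # ACCEPT all -- *       eth0.10
        accept.append(rule(in_if=dev))           # ACCEPT all -- eth0.10 *   <-- problem
    return {
        "forward": dispatch_chain(),
        "zone_opennet_forward": [rule(target="zone_opennet_ACCEPT")],
        "zone_opennet_ACCEPT": accept,
    }


def fixed_chains():
    """Assumed correction: accept only when both ingress and egress belong
    to the zone, one rule per ordered pair of zone devices."""
    intra = [rule(in_if=i, out_if=o)
             for i in sorted(ZONE_OPENNET_IFACES)
             for o in sorted(ZONE_OPENNET_IFACES)]
    return {"forward": dispatch_chain(), "zone_opennet_forward": intra}


def forward_allowed(chains, in_if, out_if):
    return evaluate(chains, "forward", in_if, out_if) == "ACCEPT"


def audit(chains, zone_ifaces, chain_name="forward", _seen=None):
    """List ACCEPT rules reachable from the forward path whose egress side
    is not pinned to a device of the zone (each chain visited once)."""
    seen = set() if _seen is None else _seen
    if chain_name in seen:
        return []
    seen.add(chain_name)
    findings = []
    for r in chains[chain_name]:
        if r["target"] in chains:
            findings += audit(chains, zone_ifaces, r["target"], seen)
        elif r["target"] == "ACCEPT" and r["out"] not in zone_ifaces:
            findings.append("%s: ACCEPT in=%s out=%s leaves the zone"
                            % (chain_name, r["in"], r["out"]))
    return findings


if __name__ == "__main__":
    for label, chains in (("ticket", buggy_chains()), ("fixed", fixed_chains())):
        print(label, "eth0.10 -> eth0.20:", forward_allowed(chains, "eth0.10", OTHER_ZONE_IFACE))
        print(label, "eth0.10 -> wlan0:  ", forward_allowed(chains, "eth0.10", "wlan0"))
        for f in audit(chains, ZONE_OPENNET_IFACES):
            print("  ", f)
```

Running it shows the ticket's chains accepting eth0.10 -> eth0.20 while the pair-wise form accepts only eth0.10 <-> wlan0; the audit reports the two `out=*` rules of zone_opennet_ACCEPT and nothing for the corrected chain. The audit walks the real `iptables -L -v -n` structure in spirit only; on a device the same check would be made against the parsed listing.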

Attachments (0)

Change History (3)

comment:1 Changed 5 years ago by rene <opennet@…>

Got the notice that this is a duplicate of #11453, please give it a higher priority. It's a showstopper for a router-software if it has a broken firewall configuration!

comment:2 Changed 5 years ago by jow

  • Resolution set to duplicate
  • Status changed from new to closed

comment:3 Changed 4 years ago by jow

  • Milestone changed from Attitude Adjustment 12.09 to Barrier Breaker 14.07

Milestone Attitude Adjustment 12.09 deleted
