Opened 5 years ago

Closed 5 years ago

#13029 closed defect (wontfix)

firewall3 duplicate entries

Reported by: jeroen.louwes@…
Owned by: developers
Priority: low
Milestone: Chaos Calmer 15.05
Component: packages
Version: Trunk
Keywords: firewall firewall3 duplicate
Cc:

Description

Hi guys,

I have installed the new firewall3 package. What I found is that when a zone consists of multiple interfaces, some iptables rules are duplicated, for example:

/etc/config/firewall

config zone
	option name 'wan'
	option network 'wan1 wan2'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config redirect
	option name 'Synology-Access'
	option src 'wan'
	option proto 'tcp'
	option src_dip '213.154.232.10'
	option src_dport '2235'
	option dest_ip '192.168.33.6'
	option dest_port '22'
	option target 'DNAT'
	option family 'ipv4'
	option dest 'lan'

config redirect
	option name 'Synology-Access'
	option src 'wan'
	option proto 'tcp'
	option src_dip '95.97.227.170'
	option src_dport '2235'
	option dest_ip '192.168.33.6'
	option dest_port '22'
	option target 'DNAT'
	option family 'ipv4'
	option dest 'lan'

which results in:

root@mercurius:~# iptables -L zone_wan_forward -v -n
Chain zone_wan_forward (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    1    60 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.33.6        tcp dpt:22 /* --comment */ 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            192.168.33.6        tcp dpt:22 /* --comment */ 
    0     0 zone_wan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0 

That it results in two identical rules is not really a problem and very understandable, because there are two redirect rules configured. But what does strike me is the following:

root@mercurius:~# iptables -L zone_lan_forward -v -n
Chain zone_lan_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 zone_lan_dest_ACCEPT  tcp  --  *      *       192.168.33.0/24      192.168.33.6        tcp dpt:22 /* --comment */ 
    0     0 zone_lan_dest_ACCEPT  tcp  --  *      *       192.168.33.0/24      192.168.33.6        tcp dpt:22 /* --comment */ 
    0     0 zone_lan_dest_ACCEPT  tcp  --  *      *       192.168.33.0/24      192.168.33.6        tcp dpt:22 /* --comment */ 
    0     0 zone_lan_dest_ACCEPT  tcp  --  *      *       192.168.33.0/24      192.168.33.6        tcp dpt:22 /* --comment */ 
   35  3013 zone_wan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* --comment */ 
    0     0 zone_vpn_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0           /* --comment */ 
    0     0 zone_lan_dest_REJECT  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Why are there four identical rules in the lan_forward table, with a source and destination from the same network? These rules are never matched, because traffic from 192.168.33.0/24 to 192.168.33.6 is never routed. I did not configure these rules in /etc/config/firewall. I think this is an error?!

Thank you!

Change History (1)

comment:1 Changed 5 years ago by jow

  • Resolution set to wontfix
  • Status changed from new to closed

These duplicates are caused by nat reflection which emits an additional forward rule for each redirect.
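
As an added example (not the reporter's output and not firewall3 project code): a POSIX shell check that reads `iptables -S <chain>` output on stdin and reports every rule that occurs more than once in a chain, so the reflection-generated duplicates described in the comment can be counted rather than eyeballed. The rule lines embedded in the script are constructed to mirror the zone_lan_forward chain quoted in the ticket (comment strings are illustrative); on a router you would pipe `iptables -S zone_lan_forward` into `find_duplicate_rules` instead.

```shell
#!/bin/sh
# Added example, not code from the ticket or from firewall3.
# Reads rules in `iptables -S` format on stdin and prints every rule that
# occurs more than once within the same chain, as "<count><TAB><rule>".
find_duplicate_rules() {
    # Keep only append rules (-A); drop -P policy and -N chain lines.
    # Identical rule lines sort together, uniq -c counts them, awk keeps
    # those seen more than once and moves the count into a tab-separated field.
    grep '^-A ' | sort | uniq -c | awk '$1 > 1 { n = $1; sub(/^ *[0-9]+ /, ""); print n "\t" $0 }'
}

# Constructed sample (not captured from the reporter's router), shaped like
# the zone_lan_forward chain in the ticket: four identical reflection
# forward rules plus three distinct ones. Comment text is illustrative.
SAMPLE_RULES='-A zone_lan_forward -s 192.168.33.0/24 -d 192.168.33.6/32 -p tcp -m tcp --dport 22 -m comment --comment "Synology-Access (reflection)" -j zone_lan_dest_ACCEPT
-A zone_lan_forward -s 192.168.33.0/24 -d 192.168.33.6/32 -p tcp -m tcp --dport 22 -m comment --comment "Synology-Access (reflection)" -j zone_lan_dest_ACCEPT
-A zone_lan_forward -s 192.168.33.0/24 -d 192.168.33.6/32 -p tcp -m tcp --dport 22 -m comment --comment "Synology-Access (reflection)" -j zone_lan_dest_ACCEPT
-A zone_lan_forward -s 192.168.33.0/24 -d 192.168.33.6/32 -p tcp -m tcp --dport 22 -m comment --comment "Synology-Access (reflection)" -j zone_lan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "forwarding lan -> wan" -j zone_wan_dest_ACCEPT
-A zone_lan_forward -m comment --comment "forwarding lan -> vpn" -j zone_vpn_dest_ACCEPT
-A zone_lan_forward -j zone_lan_dest_REJECT'

# Number of distinct rules that are duplicated in the sample.
sample_duplicate_rule_count() {
    printf '%s\n' "$SAMPLE_RULES" | find_duplicate_rules | wc -l | tr -d ' '
}

# Highest repetition count of any single rule in the sample.
sample_max_repeat() {
    printf '%s\n' "$SAMPLE_RULES" | find_duplicate_rules | cut -f1 | sort -n | tail -n 1
}

# Live use on an OpenWrt router (assumes iptables is present):
#   iptables -S zone_lan_forward | find_duplicate_rules
```

Duplicated rules are harmless for matching but make audits harder. If the extra forward rules for a particular redirect are unwanted, firewall3 accepts `option reflection '0'` in that redirect section to suppress NAT reflection for it; the reflection rules then disappear together with the hairpin-NAT behaviour they implement.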
