Opened 4 years ago

#16670 new defect

Firewall SNAT not filtering zone

Reported by: piojan
Owned by: developers
Priority: normal
Milestone: Chaos Calmer 15.05
Component: packages
Version: Trunk
Keywords:
Cc:

Description

Setting up:

/etc/config/firewall

with:

config redirect
        option target 'SNAT'
        option src 'dmz'
        option dest 'lan'
        option proto 'all'
        option src_dip '192.168.0.1'
        option name 'dmz2lan'

results in:

iptables -n -v -L zone_dmz_forward | grep dmz2lan

 6799  494K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dmz2lan */

which accepts ALL traffic from dmz forwarded to ... everywhere.
The script that sets up the firewall doesn't take into account the "option dest 'lan'" filter.

Apart from that there is a regular zone forwarding permission:

    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding dmz -> lan */

but all packets are accepted by the previous rule.
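
A check for the symptom reported above, as an added example that is not part of the ticket or of OpenWrt's firewall scripts: it reads `iptables -n -v -L` output and prints the comment of every ACCEPT rule that has no interface, address or other match. The function names are hypothetical; the first two sample rules are the lines quoted in the ticket, the last two are constructed.

```shell
#!/bin/sh
# Added example: not part of the ticket or of the OpenWrt firewall scripts.
# Columns of `iptables -n -v -L`:
#   pkts bytes target prot opt in out source destination [matches] [/* comment */]

# Print the comment of every ACCEPT rule that matches any protocol, any
# interface, any source and any destination, with no further match fields.
find_unscoped_accepts() {
    awk '
        $3 == "ACCEPT" && $4 == "all" && $6 == "*" && $7 == "*" &&
        $8 == "0.0.0.0/0" && $9 == "0.0.0.0/0" {
            name = ""; extra = 0; in_comment = 0
            for (i = 10; i <= NF; i++) {
                if ($i == "/*") { in_comment = 1; continue }
                if ($i == "*/") { in_comment = 0; continue }
                if (in_comment) { name = (name == "" ? $i : name " " $i); continue }
                extra = 1   # a ctstate, port or similar match: the rule is scoped
            }
            if (name == "") name = "(no comment)"
            if (!extra) print name
        }'
}

# Sample listing: the two rules quoted in the ticket, then two constructed
# rules (a conntrack match and a destination-scoped ACCEPT) that must not be flagged.
sample_listing() {
    cat <<'EOF'
Chain zone_dmz_forward (1 references)
 pkts bytes target     prot opt in     out     source               destination
 6799  494K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* dmz2lan */
    0     0 zone_lan_dest_ACCEPT  all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* forwarding dmz -> lan */
   12   960 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    3   180 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.0.0/24       /* constructed-scoped */
EOF
}

# On a router: iptables -n -v -L zone_dmz_forward | find_unscoped_accepts
sample_listing | find_unscoped_accepts
```
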
