https://bugzilla.novell.com/show_bug.cgi?id=679192
https://bugzilla.novell.com/show_bug.cgi?id=679192#c0

Summary: SuSEfirewall FORWARD chain bug, no reverse RELATED,ESTABLISHED but a double FORWARD
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: x86
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: arjennw@zeilers.net
QAContact: qa@suse.de
Found By: ---
Blocker: ---

Created an attachment (id=419006)
 --> (http://bugzilla.novell.com/attachment.cgi?id=419006)
patch which adds the correct line to /sbin/SuSEfirewall2

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b12) Gecko/20110222 Firefox/4.0b12

The SuSEfirewall does not produce the reverse ESTABLISHED,RELATED rule for network forwards.

Reproducible: Always

Steps to Reproduce:
1. Set FW_FORWARD="2001:xx:yy::/48,0/0" in /etc/sysconfig/SuSEfirewall2
2. # /sbin/SuSEfirewall2 debug | grep ESTABLISHED | grep 2001
   SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
   SuSEfirewall2: using default zone 'ext' for interface eth1
   SuSEfirewall2: Firewall rules successfully set
   ip6tables -A forward_int -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
   ip6tables -A forward_int -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
   ip6tables -A forward_ext -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
   ip6tables -A forward_ext -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
3. It is the same for IPv4.

Actual Results:
I am not able to establish a connection, since the ACK SYN reply is dropped.

Expected Results:
# ./SuSEfirewall2.mine debug | grep ESTABLISHED | grep 2001
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: using default zone 'ext' for interface eth1
SuSEfirewall2: Firewall rules successfully set
ip6tables -A forward_int -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_int -s 0/0 -d 2001:xx:yy::/48 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
ip6tables -A forward_ext -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_ext -s 0/0 -d 2001:xx:yy::/48 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED

I have tested this and it works for me.
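A check a practitioner could run against the `SuSEfirewall2 debug` output quoted in the report, added here as an example; it is not part of the bug report and not SuSEfirewall2 code. It parses the ip6tables/iptables lines and, for every forwarding ACCEPT rule that admits NEW connections, looks for a rule in the same chain with source and destination swapped that accepts ESTABLISHED,RELATED, which is what the reporter's expected output has and the actual output lacks (the actual output's second rule repeats the forward direction and is therefore a pure duplicate, the "double FORWARD" of the summary). The sample inputs are the two outputs from the report, embedded as constructed strings; the assumptions about rule format (one `-A` rule per line, options `-s`, `-d`, `-j`, `--ctstate`, addresses compared as the literal strings the generator prints) are mine.

```python
"""Lint ip(6)tables rules for forwards that lack a reverse ESTABLISHED,RELATED
rule.  Usage against a live generator:  SuSEfirewall2 debug | python3 check_reverse.py
"""
import sys

# Constructed samples: the "actual" and "expected" output quoted in the bug
# report, with the non-rule chatter lines left in so the parser has to skip them.
ACTUAL = """\
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
ip6tables -A forward_int -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_int -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
ip6tables -A forward_ext -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_ext -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
"""

EXPECTED = """\
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
ip6tables -A forward_int -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_int -s 0/0 -d 2001:xx:yy::/48 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
ip6tables -A forward_ext -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_ext -s 0/0 -d 2001:xx:yy::/48 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
"""

# Options we care about, each taking exactly one argument (assumption: the
# generator prints rules in this shape, one per line).  Everything else is ignored.
_OPTS = {"-A": "chain", "-s": "src", "-d": "dst", "-j": "target", "--ctstate": "states"}


def parse_rule(line):
    """Return a dict for an `iptables`/`ip6tables -A ...` line, None for other text."""
    toks = line.split()
    if len(toks) < 3 or toks[0] not in ("iptables", "ip6tables"):
        return None
    rule = {"cmd": toks[0], "states": frozenset()}
    for opt, arg in zip(toks[1:], toks[2:]):      # walk (option, argument) pairs
        key = _OPTS.get(opt)
        if key == "states":
            rule[key] = frozenset(arg.split(","))
        elif key:
            rule[key] = arg
    return rule if "chain" in rule else None


def is_reverse_of(fwd, cand):
    """True if `cand` accepts the reply direction of `fwd` in the same chain."""
    return (cand["cmd"] == fwd["cmd"]
            and cand["chain"] == fwd["chain"]
            and cand.get("src") == fwd.get("dst")          # addresses swapped
            and cand.get("dst") == fwd.get("src")
            and cand.get("target") == "ACCEPT"
            and "NEW" not in cand["states"]                # reply traffic only
            and {"ESTABLISHED", "RELATED"} <= cand["states"])


def missing_reverse(output):
    """(cmd, chain, src, dst) for each NEW-accepting forward with no reverse rule."""
    rules = [r for r in map(parse_rule, output.splitlines()) if r]
    missing = []
    for r in rules:
        if r.get("target") != "ACCEPT" or "NEW" not in r["states"]:
            continue
        if not any(is_reverse_of(r, o) for o in rules):
            missing.append((r["cmd"], r["chain"], r.get("src"), r.get("dst")))
    return missing


if __name__ == "__main__":
    # Read generator output from a pipe; fall back to the report's buggy sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else ACTUAL
    for cmd, chain, src, dst in missing_reverse(text):
        print(f"{cmd} {chain}: {src} -> {dst} has no ESTABLISHED,RELATED reverse rule")
```

Run against the report's actual output it flags both forward_int and forward_ext; against the expected output it reports nothing. Two caveats: addresses are compared as the literal strings the generator prints, so `0/0` and `::/0` would not be treated as the same network, and the reverse rule is required in the same chain as the forward rule, which is what the reporter's expected output shows; a reverse rule living only in another chain would still be flagged.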