[Bug 679192] New: SuSEfirewall FORWARD chain bug, no reverse RELATED,ESTABLISHED but a double FORWARD
https://bugzilla.novell.com/show_bug.cgi?id=679192
https://bugzilla.novell.com/show_bug.cgi?id=679192#c0

Summary: SuSEfirewall FORWARD chain bug, no reverse RELATED,ESTABLISHED but a double FORWARD
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: x86
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Network
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: arjennw@zeilers.net
QAContact: qa@suse.de
Found By: ---
Blocker: ---

Created an attachment (id=419006)
 --> (http://bugzilla.novell.com/attachment.cgi?id=419006)
patch which adds the correct line to /sbin/SuSEfirewall2

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b12) Gecko/20110222 Firefox/4.0b12

The SuSEfirewall does not produce the reverse ESTABLISHED,RELATED rule for network forwards.

Reproducible: Always

Steps to Reproduce:
1. Set FW_FORWARD="2001:xx:yy::/48,0/0" in /etc/sysconfig/SuSEfirewall2
2. # /sbin/SuSEfirewall2 debug | grep ESTABLISHED | grep 2001
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: using default zone 'ext' for interface eth1
SuSEfirewall2: Firewall rules successfully set
ip6tables -A forward_int -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_int -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
ip6tables -A forward_ext -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_ext -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
3. It is the same for IPv4

Actual Results:
I am not able to establish a connection, since the ACK SYN reply is dropped.

Expected Results:
# ./SuSEfirewall2.mine debug | grep ESTABLISHED | grep 2001
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: using default zone 'ext' for interface eth1
SuSEfirewall2: Firewall rules successfully set
ip6tables -A forward_int -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_int -s 0/0 -d 2001:xx:yy::/48 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
ip6tables -A forward_ext -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_ext -s 0/0 -d 2001:xx:yy::/48 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED

I have tested this and it works for me.

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
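The defect the report describes is easy to spot mechanically: for every FORWARD rule that accepts NEW connections, the generated rule set must also contain a rule in the same chain with source and destination swapped that accepts ESTABLISHED,RELATED, otherwise the reply half of the handshake has no rule to match. The following checker is an added example written for this bug report, not part of SuSEfirewall2 or the reporter's patch. It parses the rule lines that `SuSEfirewall2 debug` prints (the two sample outputs are copied from the report above and embedded as constructed strings), lists NEW rules with no reverse rule, lists the "double FORWARD" rules that merely repeat a NEW rule's direction, and prints the reverse rule the patched build would emit. The function names and the treatment of `0/0` as "any" are this example's own assumptions.

```python
"""Check SuSEfirewall2 'debug' output for FORWARD rules that lack a reverse
ESTABLISHED,RELATED rule (hypothetical checker written for this bug report,
not part of SuSEfirewall2)."""
import shlex

# Constructed samples copied from the report: what the buggy 11.4 build
# printed, and what the reporter's patched build printed.
BUGGY_OUTPUT = """\
SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
SuSEfirewall2: Firewall rules successfully set
ip6tables -A forward_int -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_int -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
ip6tables -A forward_ext -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_ext -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
"""

FIXED_OUTPUT = """\
ip6tables -A forward_int -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_int -s 0/0 -d 2001:xx:yy::/48 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
ip6tables -A forward_ext -s 2001:xx:yy::/48 -d 0/0 -j ACCEPT -m conntrack --ctstate NEW,ESTABLISHED,RELATED
ip6tables -A forward_ext -s 0/0 -d 2001:xx:yy::/48 -j ACCEPT -m conntrack --ctstate ESTABLISHED,RELATED
"""

ANY = "0/0"  # SuSEfirewall2 prints 0/0 for "any"; a missing -s/-d means the same (assumption)


def parse_rule(line):
    """Return (tool, chain, src, dst, states) for an ip(6)tables ACCEPT rule
    that carries a conntrack --ctstate match; every other line gives None."""
    try:
        argv = shlex.split(line)
    except ValueError:
        return None
    if not argv or argv[0] not in ("iptables", "ip6tables"):
        return None
    opts = {}
    i = 1
    while i + 1 < len(argv):
        if argv[i] in ("-A", "-s", "-d", "-j", "--ctstate"):
            opts[argv[i]] = argv[i + 1]
            i += 2
        else:
            i += 1
    if opts.get("-j") != "ACCEPT" or "-A" not in opts or "--ctstate" not in opts:
        return None
    states = frozenset(opts["--ctstate"].split(","))
    return argv[0], opts["-A"], opts.get("-s", ANY), opts.get("-d", ANY), states


def _split_rules(output):
    rules = [r for r in map(parse_rule, output.splitlines()) if r]
    new = [r for r in rules if "NEW" in r[4]]
    reply = [r for r in rules if "NEW" not in r[4]]  # ESTABLISHED,RELATED only
    return new, reply


def missing_reverse_rules(output):
    """NEW rules whose reply direction (same chain, src and dst swapped) has
    no ESTABLISHED,RELATED rule: the SYN/ACK for such a forward is dropped."""
    new, reply = _split_rules(output)
    reply_dirs = {(tool, chain, src, dst) for tool, chain, src, dst, _ in reply}
    return [(tool, chain, src, dst) for tool, chain, src, dst, _ in new
            if (tool, chain, dst, src) not in reply_dirs]


def redundant_reply_rules(output):
    """ESTABLISHED,RELATED rules that repeat a NEW rule's direction: the
    'double FORWARD' from the report. They add nothing, because the NEW rule
    already accepts ESTABLISHED,RELATED in that direction."""
    new, reply = _split_rules(output)
    new_dirs = {(tool, chain, src, dst) for tool, chain, src, dst, _ in new}
    return [(tool, chain, src, dst) for tool, chain, src, dst, _ in reply
            if (tool, chain, src, dst) in new_dirs]


def reverse_rule_line(tool, chain, src, dst):
    """The reply-direction rule the reporter's patched build prints for a NEW rule."""
    return (f"{tool} -A {chain} -s {dst} -d {src} -j ACCEPT "
            "-m conntrack --ctstate ESTABLISHED,RELATED")


if __name__ == "__main__":
    # Run against the buggy sample: both chains are flagged, fixed sample is clean.
    for tool, chain, src, dst in missing_reverse_rules(BUGGY_OUTPUT):
        print("missing reverse rule in", chain, "for", src, "->", dst)
        print("  expected:", reverse_rule_line(tool, chain, src, dst))
    print("fixed output missing:", missing_reverse_rules(FIXED_OUTPUT))
```

On a live system the same check can be fed the output of `SuSEfirewall2 debug` directly (`missing_reverse_rules(open("rules.txt").read())`); the parser deliberately ignores the `SuSEfirewall2:` status lines and anything that is not an ACCEPT rule with a `--ctstate` match, so the non-rule lines in the debug output do not need to be filtered out first.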
https://bugzilla.novell.com/show_bug.cgi?id=679192#c2
--- Comment #2 from Arjen Runsink
Regression probably caused by the introduction of the new zonein and zoneout parameters. Maybe adding them as a workaround helps to get things working again.

I have tried the suggested workaround. 1st test suggests that only the ESTABLISHED,RELATED rule is added. But I am not able to verify that anymore.

At the moment _no_ forward rule is generated when I use the following parameter:
FW_FORWARD="2001:xx:yy::/48,0/0,,,zonein=INT,zoneout=EXT"

That is the right format, isn't it?