Firewall rules do not work (UPDATE)

donaldo
Posts: 168
Joined: March 21st, 2013, 9:55 am

Firewall rules do not work (UPDATE)

Post by donaldo » May 28th, 2019, 6:39 am

Hi to everybody

I have a problem with the latest version of IPFire.

If I set a firewall rule (like in the image), I can't see the port open when I test it on a site like www.canyouseeme.org.
[Attached image: 280519.jpg]
The old rules are OK.

what's wrong?

Thanks
Donatello
Last edited by donaldo on May 30th, 2019, 1:11 pm, edited 1 time in total.

donaldo
Posts: 168
Joined: March 21st, 2013, 9:55 am

Re: Firewall rules do not work

Post by donaldo » May 28th, 2019, 8:16 am

hi

I found the file config in /var/ipfire/firewall with this setting:

39,ACCEPT,FORWARDFW,ON,std_net_src,ALL,tgt_addr,10.0.0.80/32,,TCP,,,ON,,,TGT_PORT,9600,x Silvio,,,,,,,,,,00:00,00:00,ON,Default IP,9600,dnat,,,,,second
40,ACCEPT,FORWARDFW,ON,std_net_src,ALL,tgt_addr,10.0.0.80/32,,UDP,,,ON,,,TGT_PORT,9600,x Silvio,,,,,,,,,,00:00,00:00,ON,Default IP,9600,dnat,,,,,second


I think it's OK, equal to the other lines in the settings.

Is it possible that this setting isn't loaded into the ACL, only registered in the file?

I have rebooted, but nothing.
All the ports of the router are open and the CPE are transparent.

what's wrong?

Thanks
Donatello

donaldo
Posts: 168
Joined: March 21st, 2013, 9:55 am

Re: Firewall rules do not work

Post by donaldo » May 29th, 2019, 12:53 pm

Hi

Do other people have the same problem?
Or have I made a mistake?

please tell me

thanks
Donatello

donaldo
Posts: 168
Joined: March 21st, 2013, 9:55 am

Re: Firewall rules do not work

Post by donaldo » May 30th, 2019, 5:59 am

Hi to everybody

I can confirm this problem.
Some time ago I had disabled a rule (at the time it worked) for opening a port.

If I enable it now and try to test, the port is closed.

So the Apply changes button doesn't work.

Please help me

thanks
Donatello

donaldo
Posts: 168
Joined: March 21st, 2013, 9:55 am

Re: Firewall rules do not work

Post by donaldo » May 30th, 2019, 1:10 pm

Hi

I have created a test port on another server with the latest IPFire (another internet connection), and if I check with this site https://www.yougetsignal.com/tools/open-ports/ the port is closed.

So I think that the problem is in the latest version of IPFire.

Can someone open a bug (a BIG bug)?

thanks
Donatello

GeoKen
Posts: 8
Joined: May 8th, 2019, 12:03 pm

Re: Firewall rules do not work (UPDATE)

Post by GeoKen » May 31st, 2019, 2:04 pm

I have installed 2.23 131 and have the same problem. The rules are not being applied. Is this a known bug?

hardwareRVR
Posts: 11
Joined: September 26th, 2017, 7:56 am

Re: Firewall rules do not work (UPDATE)

Post by hardwareRVR » May 31st, 2019, 3:58 pm

Hello,
The rules seem OK. You must have a service open on port 9600 on IP 10.0.0.80, obviously, and you reach it, i.e. http://WANIP:9600, but you need to run Apache open on port 9600.

Right?

Andrea T.

GeoKen
Posts: 8
Joined: May 8th, 2019, 12:03 pm

Re: Firewall rules do not work (UPDATE)

Post by GeoKen » June 1st, 2019, 2:56 pm

Hi Andrea T. I think you may have missed the point. In release 2.23 131, new firewall rules are not being applied when the Apply button is pressed.
Do you have that release? If so, could you test allowing or denying traffic through a port using the firewall rules, please?

BeBiMa
Posts: 2842
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: Firewall rules do not work (UPDATE)

Post by BeBiMa » June 2nd, 2019, 1:03 pm

This is not true!

If you can document this behaviour, please post to bugzilla.
Unitymedia Cable Internet ( 32MBit )

donaldo
Posts: 168
Joined: March 21st, 2013, 9:55 am

Re: Firewall rules do not work (UPDATE)

Post by donaldo » June 3rd, 2019, 5:25 am

hardwareRVR wrote:
May 31st, 2019, 3:58 pm
Hello,
The rules seem OK. You must have a service open on port 9600 on IP 10.0.0.80, obviously, and you reach it, i.e. http://WANIP:9600, but you need to run Apache open on port 9600.

Right?

Andrea T.
Hi, not true. I have a service on port 9600 and it isn't HTTP.
Also, some time ago I made the same rules and all were working.

If you use https://www.yougetsignal.com/tools/open-ports/ you can verify whether the port is open.

thanks
Donatello

donaldo
Posts: 168
Joined: March 21st, 2013, 9:55 am

Re: Firewall rules do not work (UPDATE)

Post by donaldo » June 3rd, 2019, 8:38 am

BeBiMa wrote:
June 2nd, 2019, 1:03 pm
This is not true!

If you can document this behaviour, please post to bugzilla.
Hi

I have opened a bug but Mr Tremer closed it :'(

So now I don't know how to resolve this trouble.

Can someone help me? Please

thanks
Donatello

BeBiMa
Posts: 2842
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: Firewall rules do not work (UPDATE)

Post by BeBiMa » June 3rd, 2019, 11:02 am

@Donaldo:
hardwareRVR wrote:
May 31st, 2019, 3:58 pm
Hello,
The rules seem OK. You must have a service open on port 9600 on IP 10.0.0.80, obviously, and you reach it, i.e. http://WANIP:9600, but you need to run Apache open on port 9600.

Right?

Andrea T.
I've just checked this. The port is shown as open only if there is a service running on the destination on this port.
The rules are added to iptables.
Thus Michael's answer in the bugzilla is just OK.
Unitymedia Cable Internet ( 32MBit )
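
Added example (not part of the original posts, and not IPFire code): a small TCP check that separates the cases this thread mixes together. A checker that only answers "open" or "closed" cannot tell a forwarded port with no service behind it from a port whose packets are dropped; the function name, the hint texts and the loopback demo are assumptions made for this illustration.

```python
import errno
import socket

def classify_tcp_port(host, port, timeout=3.0):
    """One TCP connect attempt -> 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: a service answered
    except ConnectionRefusedError:
        return "refused"         # a reset came back: host reached, no listener
    except socket.timeout:
        return "filtered"        # no answer at all: packets silently dropped
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "filtered"    # a router reported the target unreachable
        raise                    # name resolution errors etc. are not a port state

# What each state suggests when testing a port forward (DNAT) rule.
HINTS = {
    "open": "forwarding works and the service answers; if the session "
            "still fails, look above TCP (for example IPS rules)",
    "refused": "packets arrive but nothing listens on the target port; "
               "start the service before testing the rule",
    "filtered": "packets are dropped; check that the rule is loaded and "
                "that no IPS or upstream device drops the traffic",
}

def demo_on_loopback():
    """Constructed local test: a listener that is then shut down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))   # let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    with_service = classify_tcp_port("127.0.0.1", port)
    srv.close()                  # same port, service gone
    without_service = classify_tcp_port("127.0.0.1", port)
    return with_service, without_service

if __name__ == "__main__":
    for state in demo_on_loopback():
        print(state, "->", HINTS[state])
```

To test a real forward, run `classify_tcp_port` from a host outside the network against the WAN address and forwarded port; the UDP rule cannot be checked with a connect test like this one.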

donaldo
Posts: 168
Joined: March 21st, 2013, 9:55 am

Re: Firewall rules do not work (UPDATE)

Post by donaldo » June 4th, 2019, 8:43 am

Follow this Link:
viewtopic.php?f=27&t=22879

Now all works
Thanks
Donatello

BeBiMa
Posts: 2842
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: Firewall rules do not work (UPDATE)

Post by BeBiMa » June 4th, 2019, 9:38 am

To complete this thread, I just quote the other thread linked above
Hi to everybody

I make a mea culpa.
For 2 days I have had big trouble with FTP. I thought it was the firewall rules.

But after many tests I have found the trouble.
It was the Intrusion Prevention System with the Talos VRT rules.
If malware-backdoor.rules is enabled, it blocks the TLS cipher of the FTP FileZilla Server and nothing works.


I hope that this helps users of IPFire.

Thanks
Donatello
To conclude:
  • firewall maintenance works as before core131
  • with IPS you can block more connections than you wish. IPS demands a high maintenance effort.
  • you should do exactly what you want ;)
Unitymedia Cable Internet ( 32MBit )
