
Firewall rules do not work (UPDATE)

Posted: May 28th, 2019, 6:39 am
by donaldo
Hi to everybody

I have a problem with the last version of IPFire.

If I set a firewall rule (like in the image), I can't see the port open when I test on a site like www.canyouseeme.org.
[Attachment: 280519.jpg]
With the old rules it's OK.

What's wrong?

Thanks
Donatello

Re: Firewall rules do not work

Posted: May 28th, 2019, 8:16 am
by donaldo
Hi

I have found in /var/ipfire/firewall the file config with these settings:

39,ACCEPT,FORWARDFW,ON,std_net_src,ALL,tgt_addr,10.0.0.80/32,,TCP,,,ON,,,TGT_PORT,9600,x Silvio,,,,,,,,,,00:00,00:00,ON,Default IP,9600,dnat,,,,,second
40,ACCEPT,FORWARDFW,ON,std_net_src,ALL,tgt_addr,10.0.0.80/32,,UDP,,,ON,,,TGT_PORT,9600,x Silvio,,,,,,,,,,00:00,00:00,ON,Default IP,9600,dnat,,,,,second


I think it's OK, equal to the other lines in the settings.

Is it possible that this setting isn't loaded in the ACL, only registered in the file?

I have done a reboot, but nothing.
All the ports of the router are open and the CPE is transparent.

What's wrong?

Thanks
Donatello

Re: Firewall rules do not work

Posted: May 29th, 2019, 12:53 pm
by donaldo
Hi

Do other people have the same problem?
Or have I made a mistake?

Please tell me.

Thanks
Donatello

Re: Firewall rules do not work

Posted: May 30th, 2019, 5:59 am
by donaldo
Hi to everybody

I can confirm this problem.
Some time ago I had disabled a rule (at the time it worked) for opening a port.

If I enable it now and try to test, the port is closed.

So the button Apply changes doesn't work.

Please help me

Thanks
Donatello

Re: Firewall rules do not work

Posted: May 30th, 2019, 1:10 pm
by donaldo
Hi

I have created a test port on another server with the last IPFire (another internet connection), and if I check with this site https://www.yougetsignal.com/tools/open-ports/ the port is closed.

So I think that the problem is in the last version of IPFire.

Can someone open a bug (a BIG bug)?

Thanks
Donatello

Re: Firewall rules do not work (UPDATE)

Posted: May 31st, 2019, 2:04 pm
by GeoKen
I have installed 2.23 131 and have the same problem. The rules are not being applied. Is this a known bug?

Re: Firewall rules do not work (UPDATE)

Posted: May 31st, 2019, 3:58 pm
by hardwareRVR
Hello,
The rules seem OK. You must have a service open on port 9600 on IP 10.0.0.80, obviously, and you reach it i.e. http://WANIP:9600, but you need to run Apache open on port 9600.

Right?

Andrea T.

Re: Firewall rules do not work (UPDATE)

Posted: June 1st, 2019, 2:56 pm
by GeoKen
Hi Andrea T. I think you may have missed the point. In release 2.23 131, new firewall rules are not being applied when the Apply button is pressed.
Do you have that release? If so, could you test allowing or denying traffic through a port using the firewall rules, please?

Re: Firewall rules do not work (UPDATE)

Posted: June 2nd, 2019, 1:03 pm
by BeBiMa
This is not true!

If you can document this behaviour, please post to bugzilla.

Re: Firewall rules do not work (UPDATE)

Posted: June 3rd, 2019, 5:25 am
by donaldo
hardwareRVR wrote:
May 31st, 2019, 3:58 pm
Hello,
The rules seem OK. You must have a service open on port 9600 on IP 10.0.0.80, obviously, and you reach it i.e. http://WANIP:9600, but you need to run Apache open on port 9600.

Right?

Andrea T.
Hi, not true. I have a service on port 9600 and it isn't HTTP.
Also, some time ago I made the same rules and all is working.

If you use https://www.yougetsignal.com/tools/open-ports/ you can verify whether the port is open.

Thanks
Donatello

Re: Firewall rules do not work (UPDATE)

Posted: June 3rd, 2019, 8:38 am
by donaldo
BeBiMa wrote:
June 2nd, 2019, 1:03 pm
This is not true!

If you can document this behaviour, please post to bugzilla.
Hi

I have opened a bug but Mr Tremer closed it :'(

So now I don't know how to resolve this trouble.

Can someone help me? Please

Thanks
Donatello

Re: Firewall rules do not work (UPDATE)

Posted: June 3rd, 2019, 11:02 am
by BeBiMa
@Donaldo:
hardwareRVR wrote:
May 31st, 2019, 3:58 pm
Hello,
The rules seem OK. You must have a service open on port 9600 on IP 10.0.0.80, obviously, and you reach it i.e. http://WANIP:9600, but you need to run Apache open on port 9600.

Right?

Andrea T.
I've just checked this. The port is shown as open only if there is a service running on the destination on this port.
The rules are added to iptables.
Thus Michael's answer in the bugzilla is just ok.
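
An added example, not part of the original posts: a small TCP probe that separates the three outcomes an online port checker collapses into "open" or "closed", which is the distinction BeBiMa describes above. The function names and the loopback listener standing in for 10.0.0.80:9600 are constructed for illustration.

```python
import socket

def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect attempt against host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"         # SYN/ACK: traffic is passed AND a service is listening
    except ConnectionRefusedError:
        return "refused"      # RST: packet was delivered, but nothing listens there
                              # (a REJECT rule answers the same way)
    except socket.timeout:
        return "filtered"     # silence: dropped on the path (firewall DROP, IPS, NAT)
    except OSError:
        return "unreachable"  # ICMP unreachable or local routing error
    finally:
        s.close()

def demo():
    """Constructed test: same port probed with and without a listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # ephemeral port, stands in for 9600
    srv.listen(1)
    port = srv.getsockname()[1]
    with_service = probe_tcp("127.0.0.1", port)
    srv.close()                         # "service stopped", forwarding unchanged
    without_service = probe_tcp("127.0.0.1", port)
    return with_service, without_service

if __name__ == "__main__":
    print(demo())
```

A "refused" result means the forwarding path works and the check should move to the service on the destination host; "filtered" points back at the firewall or, as the end of this thread shows, at the IPS.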

Re: Firewall rules do not work (UPDATE)

Posted: June 4th, 2019, 8:43 am
by donaldo
Follow this Link:
viewtopic.php?f=27&t=22879

Now all works
Thanks
Donatello

Re: Firewall rules do not work (UPDATE)

Posted: June 4th, 2019, 9:38 am
by BeBiMa
To complete this thread, I just quote the other thread linked above
Hi to everybody

I make a Mea Culpa
For 2 days I have had big trouble with FTP. I thought it was the firewall rules.

But after many tests I have found the trouble.
It was the Intrusion Prevention System with the Talos VRT Rules.
If malware-backdoor.rules is enabled, it blocks the TLS cipher of the FTP FileZilla Server and nothing works.


I hope that this helps users of IPFire.

Thanks
Donatello
To conclude:
  • firewall maintenance works as before core131
  • with IPS you can block more connections than you wish. IPS demands a high maintenance effort.
  • you should do exactly what you want ;)