As 2.0.3-2 is the current version in stable, 2.0.7-1 is in testing, and I'm preparing 2.0.9-1 for unstable, I believe this issue is no longer an issue. I would appreciate hearing a confirmation or any further information if this is still an issue with fwbuilder.

If I fail to hear confirmation within the next 2-4 weeks, I'll consider the matter resolved and deal with it appropriately.

   Regards,
   Jeremy

Richardson Philip (C.C.I.) wrote:

Package: fwbuilder
Version: 2.0.2-2

I have created a group containing hosts and a group containing protocols
(http, ftp, domain and nntp).
When I use both groups in a rule (hosts group to any, with the service row
containing the protocols group), I have the following rule generated from
fwbuilder:

# Rule 14(global)
# # Allow OS updates and time synchronization
#
....
$IPTABLES -A FORWARD -p tcp -s 172.16.32.60 --source-port 1024:65535 --destination-port 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 172.16.32.61 --source-port 1024:65535 --destination-port 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 172.16.32.62 --source-port 1024:65535 --destination-port 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 172.16.32.63 --source-port 1024:65535 --destination-port 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 172.16.5.5 --source-port 1024:65535 --destination-port 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 172.16.32.55 --source-port 1024:65535 --destination-port 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 10.0.0.3 --source-port 1024:65535 --destination-port 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 193.168.96.18 --source-port 1024:65535 --destination-port 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 172.16.32.57 --source-port 1024:65535 --destination-port 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 172.16.32.56 --source-port 1024:65535 --destination-port 1024:65535 -m state --state NEW -j ACCEPT
.......

As you can see, there is no restriction concerning the defined protocols
group.
The rule lets everything pass through!
If I re-create the rule with the hosts group but putting the protocols
individually in the service row, the problem does not appear?

Thanks a lot
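
An audit of compiler output for the failure reported above, added here as an example (it is not part of the original messages and is not fwbuilder code): it flags every ACCEPT rule whose destination ports reach beyond the intended service group. The port numbers are the standard ones for http, ftp, domain and nntp; the names `ALLOWED_PORTS`, `SAMPLE`, `dest_ports` and `audit` are hypothetical, and port specs are assumed to be numeric and not negated.

```python
import shlex

# Intended services from the report: http, ftp, domain, nntp (standard ports).
ALLOWED_PORTS = {80, 21, 53, 119}

# Constructed sample: lines 1-2 copy the shape of the rules in the report,
# line 3 is what a correct expansion for http would look like.
SAMPLE = """\
$IPTABLES -A FORWARD -p tcp -s 172.16.32.60 --source-port 1024:65535 --destination-port 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 172.16.32.61 --source-port 1024:65535 --destination-port 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -s 172.16.32.60 --destination-port 80 -m state --state NEW -j ACCEPT
"""

DPORT_FLAGS = ("--destination-port", "--dport", "--destination-ports", "--dports")

def dest_ports(tokens):
    """Return the set of destination ports a rule matches, or None if unrestricted."""
    for flag in DPORT_FLAGS:
        if flag in tokens and tokens.index(flag) + 1 < len(tokens):
            ports = set()
            for part in tokens[tokens.index(flag) + 1].split(","):
                lo, sep, hi = part.partition(":")
                lo_n = int(lo) if lo else 0                # ":N" means 0..N
                hi_n = int(hi) if hi else (65535 if sep else lo_n)
                ports.update(range(lo_n, hi_n + 1))
            return ports
    return None

def audit(script, allowed=ALLOWED_PORTS):
    """Return (line_no, reason) for each ACCEPT rule wider than the allowed services."""
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        tokens = shlex.split(line, comments=True)          # drops '#' comment lines
        if "-j" not in tokens or tokens[tokens.index("-j") + 1:][:1] != ["ACCEPT"]:
            continue
        ports = dest_ports(tokens)
        if ports is None:
            findings.append((no, "no destination port restriction"))
        elif not ports <= allowed:
            extra = len(ports - allowed)
            findings.append((no, f"{extra} destination ports outside the service group"))
    return findings

if __name__ == "__main__":
    for no, reason in audit(SAMPLE):
        print(f"line {no}: {reason}")
```

Running a check like this on the generated script before loading it catches a group that was expanded into a high-port range instead of its member services.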

