Some Forward Rules are not Created

MaTT
2009-04-24
2013-03-05
  • MaTT
    2009-04-24

    First things first... Thanks for the great, great product!

    Now something weird... I upgraded to 3.0.4 from an old 2.x version, and now some FORWARD rules are not created.

    Example:
    In the Policy window I have an address range 192.168.1.1 to 192.168.1.50 that can access the world. When this rule is compiled, the generated code is as follows:

    $IPTABLES -A INPUT -m iprange --src-range 192.168.1.1-192.168.1.50  -m state --state NEW  -j ACCEPT
    $IPTABLES -A OUTPUT -m iprange --src-range 192.168.1.1-192.168.1.50  -m state --state NEW  -j ACCEPT

    Now I add a single host from the very same src-range and it gets a FORWARD rule:

    $IPTABLES -A INPUT -m iprange --src-range 192.168.1.1-192.168.1.50  -m state --state NEW  -j ACCEPT
    $IPTABLES -A INPUT  -s 192.168.1.3  -m state --state NEW  -j ACCEPT
    $IPTABLES -A OUTPUT -m iprange --src-range 192.168.1.1-192.168.1.50  -m state --state NEW  -j ACCEPT
    $IPTABLES -A FORWARD  -s 192.168.1.3  -m state --state NEW  -j ACCEPT

    If I were doing this for the first time I would say it's something I am doing wrong... but it was an old firewall migrated, and it is strange behaviour!! as this old firewall was compiled as follows:

    $IPTABLES -A INPUT  -s 192.168.1.1  -m state --state NEW  -j ACCEPT
    $IPTABLES -A INPUT  -s 192.168.1.2/31  -m state --state NEW  -j ACCEPT
    $IPTABLES -A INPUT  -s 192.168.1.4/30  -m state --state NEW  -j ACCEPT
    $IPTABLES -A INPUT  -s 192.168.1.8/29  -m state --state NEW  -j ACCEPT
    $IPTABLES -A INPUT  -s 192.168.1.16/28  -m state --state NEW  -j ACCEPT
    $IPTABLES -A INPUT  -s 192.168.1.32/28  -m state --state NEW  -j ACCEPT
    $IPTABLES -A INPUT  -s 192.168.1.48/31  -m state --state NEW  -j ACCEPT
    $IPTABLES -A INPUT  -s 192.168.1.50  -m state --state NEW  -j ACCEPT
    $IPTABLES -A INPUT  -s 192.168.0.33  -m state --state NEW  -j ACCEPT
    $IPTABLES -A INPUT  -s 192.168.0.3  -m state --state NEW  -j ACCEPT
    $IPTABLES -A OUTPUT  -s 192.168.1.1  -m state --state NEW  -j ACCEPT
    $IPTABLES -A OUTPUT  -s 192.168.1.2/31  -m state --state NEW  -j ACCEPT
    $IPTABLES -A OUTPUT  -s 192.168.1.4/30  -m state --state NEW  -j ACCEPT
    $IPTABLES -A OUTPUT  -s 192.168.1.8/29  -m state --state NEW  -j ACCEPT
    $IPTABLES -A OUTPUT  -s 192.168.1.16/28  -m state --state NEW  -j ACCEPT
    $IPTABLES -A OUTPUT  -s 192.168.1.32/28  -m state --state NEW  -j ACCEPT
    $IPTABLES -A OUTPUT  -s 192.168.1.48/31  -m state --state NEW  -j ACCEPT
    $IPTABLES -A OUTPUT  -s 192.168.1.50  -m state --state NEW  -j ACCEPT
    $IPTABLES -A OUTPUT  -s 192.168.0.33  -m state --state NEW  -j ACCEPT
    $IPTABLES -A OUTPUT  -s 192.168.0.3  -m state --state NEW  -j ACCEPT
    $IPTABLES -A FORWARD  -s 192.168.1.2/31  -m state --state NEW  -j ACCEPT
    $IPTABLES -A FORWARD  -s 192.168.1.4/30  -m state --state NEW  -j ACCEPT
    $IPTABLES -A FORWARD  -s 192.168.1.8/29  -m state --state NEW  -j ACCEPT
    $IPTABLES -A FORWARD  -s 192.168.1.16/28  -m state --state NEW  -j ACCEPT
    $IPTABLES -A FORWARD  -s 192.168.1.32/28  -m state --state NEW  -j ACCEPT
    $IPTABLES -A FORWARD  -s 192.168.1.48/31  -m state --state NEW  -j ACCEPT
    $IPTABLES -A FORWARD  -s 192.168.1.50  -m state --state NEW  -j ACCEPT
    $IPTABLES -A FORWARD  -s 192.168.0.33  -m state --state NEW  -j ACCEPT
    $IPTABLES -A FORWARD  -s 192.168.0.3  -m state --state NEW  -j ACCEPT

    Any guidance is appreciated!

    Cheers

    MRB

    • Vadim Kurland
      2009-04-24

      Please check if the address of one of the interfaces of the firewall falls inside the range 192.168.1.1-192.168.1.50.

      If yes, please file a bug report. You can work around this issue before I fix the bug by splitting the range so that the address of the firewall is not inside either half.
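The two compiled outputs in the first post and the check and workaround in the reply can be reproduced offline. The Python below is an added example written for this thread, not fwbuilder's own compiler code. It decomposes the 192.168.1.1-192.168.1.50 range into the same list of CIDR blocks that the old 2.x output shows, checks whether any firewall interface address falls inside the range, and splits the range around such addresses so that neither piece contains the firewall's own address, then renders the 3.0.4-style `-m iprange` rules for each piece. The firewall interface list is constructed sample input; treating 192.168.1.1 as the firewall's own address is an assumption (the old output's FORWARD chain happens to omit exactly that address, but the thread never states it).

```python
import ipaddress

# Constructed sample input: the range from the post plus a hypothetical list of
# firewall interface addresses. 192.168.1.1 being the firewall's own address is
# an assumption made for this example, not a fact stated in the thread.
RANGE_FIRST, RANGE_LAST = "192.168.1.1", "192.168.1.50"
FIREWALL_INTERFACE_ADDRESSES = ["192.168.1.1", "10.0.0.1"]


def range_to_cidrs(first, last):
    """Decompose an inclusive IPv4 range into the minimal list of CIDR blocks.

    This is the shape of the old 2.x compiler output: one `-s` rule per block.
    """
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def firewall_addresses_in_range(first, last, interface_addresses):
    """Return the firewall interface addresses that fall inside the range.

    This is the check the reply asks for; a non-empty result is the situation
    in which 3.0.4 drops the FORWARD rule.
    """
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [a for a in interface_addresses if lo <= ipaddress.IPv4Address(a) <= hi]


def split_range_around(first, last, excluded):
    """Split the range into sub-ranges that leave out every excluded address.

    Implements the suggested workaround: the firewall's own address ends up in
    neither piece. Returns a list of (first, last) string pairs.
    """
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    cuts = sorted({ipaddress.IPv4Address(a) for a in excluded
                   if lo <= ipaddress.IPv4Address(a) <= hi})
    pieces, start = [], lo
    for cut in cuts:
        if cut > start:                      # non-empty piece before the cut
            pieces.append((str(start), str(cut - 1)))
        if cut == hi:                        # nothing remains after the last address
            return pieces
        start = cut + 1
    pieces.append((str(start), str(hi)))
    return pieces


def iprange_rules(first, last, chains=("INPUT", "OUTPUT", "FORWARD")):
    """Render the 3.0.4-style iprange rule for one sub-range on each chain."""
    return [f"$IPTABLES -A {chain} -m iprange --src-range {first}-{last} "
            f"-m state --state NEW -j ACCEPT" for chain in chains]


def workaround_rules(first, last, interface_addresses):
    """Run the check, split the range around any hit, and render rules per piece."""
    inside = firewall_addresses_in_range(first, last, interface_addresses)
    rules = []
    for piece_first, piece_last in split_range_around(first, last, inside):
        rules.extend(iprange_rules(piece_first, piece_last))
    return rules


if __name__ == "__main__":
    print("2.x-style CIDR decomposition of the range:")
    for cidr in range_to_cidrs(RANGE_FIRST, RANGE_LAST):
        print(f"  $IPTABLES -A INPUT -s {cidr} -m state --state NEW -j ACCEPT")
    inside = firewall_addresses_in_range(RANGE_FIRST, RANGE_LAST,
                                         FIREWALL_INTERFACE_ADDRESSES)
    print(f"firewall interface addresses inside the range: {inside}")
    print("rules after splitting the range around them:")
    for rule in workaround_rules(RANGE_FIRST, RANGE_LAST, FIREWALL_INTERFACE_ADDRESSES):
        print("  " + rule)
```

Running it with the constructed input prints the eight CIDR blocks that match the old 2.x output line for line, reports 192.168.1.1 as the interface inside the range, and emits INPUT, OUTPUT and FORWARD iprange rules for 192.168.1.2-192.168.1.50. One caveat when applying the workaround to a live policy: the firewall's own address is then covered by none of the pieces, so if that address must still be matched on INPUT or OUTPUT it needs its own rule.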