Bug #13171: Changing the redirect target for a Port Forward with an associated filter creates an incorrect firewall rule
Status: Closed
Description
Tested on 22.01 but I saw the same issue on 21.05_p2 too.
To reproduce this issue:
- I created an alias for an internal host: 'MyHost: 192.168.87.125'
- then I created a Port Forwarding NAT rule with 'Redirect target IP: MyHost' ('PortForwarding_initial_rule.png'). So a firewall rule was created on WAN with 'Destination: MyHost' ('Initial_firewall_rule.png').
From /tmp/rules.debug:
pass in quick on $WAN reply-to ( vtnet0 192.168.122.1 ) inet proto tcp from any to $MyHost port 22 ridentifier 1652698285 flags S/SA keep state label "USER_RULE: NAT TestPF2"
- and when I used an IP address instead of the MyHost alias ('Redirect target IP: 192.168.87.125'), the related firewall rule was changed correctly.
From /tmp/rules.debug
pass in quick on $WAN reply-to ( vtnet0 192.168.122.1 ) inet proto tcp from any to 192.168.87.125 port 22 ridentifier 1652698285 flags S/SA keep state label "USER_RULE: NAT TestPF2"
- then I used 'Redirect target IP: LAN address', and again the firewall rule was changed correctly. From /tmp/rules.debug:
pass in quick on $WAN reply-to ( vtnet0 192.168.122.1 ) inet proto tcp from any to 192.168.87.1 port 22 ridentifier 1652698285 flags S/SA keep state label "USER_RULE: NAT TestPF2"
AND when I used 'Redirect target IP: MyHost' again, on the Dashboard I saw a firewall rule with 'Destination: LAN address' ('firewall_rule_after_using_alias.png') which had 'LAN_address' marked as an alias, and this alias was correctly shown as 'MyHost: 192.168.87.125' ('LAN_address_showed_as_my_alias.png').
BUT according to /tmp/rules.debug the firewall rule wasn't changed:
pass in quick on $WAN reply-to ( vtnet0 192.168.122.1 ) inet proto tcp from any to 192.168.87.1 port 22 ridentifier 1652698285 flags S/SA keep state label "USER_RULE: NAT TestPF2"
and still had 'LAN address: 192.168.87.1' as the Destination.
1. LAN address
2. MyHost alias
3. IP: 192.168.87.125
but the firewall rule always had 'Destination: LAN Address'.
So using these built-in aliases (LAN/WAN address) as the 'Redirect target IP' in Port Forwarding NAT rules breaks the logic of creating the related firewall rules.
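As an added example (not part of this bug report and not pfSense's own code): a small Python check that parses /tmp/rules.debug and compares each port forward's redirect target with the destination of its associated filter rule, so a stale destination like the one above is caught without reading the file by hand. The sample rules text is constructed from the lines quoted in the report. The `table <MyHost> { ... }` alias definition follows pfSense's rules.debug layout, while the `rdr` line and the `# NAT <description>` comment preceding it are assumed forms used here only to pair a port forward with its filter rule (the real NAT section may look different; adjust the two regular expressions if so).

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample of /tmp/rules.debug, built from the lines quoted in the
# report. The table/alias lines follow pfSense's layout; the "# NAT <descr>"
# comment and the rdr line are ASSUMED forms used only to pair a port forward
# with its associated filter rule.
RULES_WITH_BUG = """\
table <MyHost> { 192.168.87.125 }
MyHost = "<MyHost>"
WAN = "{ vtnet0 }"
# NAT TestPF2
rdr on $WAN proto tcp from any to 192.168.122.1 port 22 -> $MyHost
pass in quick on $WAN reply-to ( vtnet0 192.168.122.1 ) inet proto tcp from any to 192.168.87.1 port 22 ridentifier 1652698285 flags S/SA keep state label "USER_RULE: NAT TestPF2"
"""

# The same ruleset as it should look once the filter rule follows the redirect target.
RULES_FIXED = RULES_WITH_BUG.replace(
    "to 192.168.87.1 port 22 ridentifier", "to $MyHost port 22 ridentifier")

TABLE_RE = re.compile(r"^table <(\w+)> \{ ([^}]*)\}")
NAT_COMMENT_RE = re.compile(r"^# NAT (.+)$")          # assumed comment form
RDR_RE = re.compile(r"^rdr\b.* -> (\S+)")              # redirect target token
PASS_RE = re.compile(r'^pass\b.* to (\S+) port (\S+) .*label "USER_RULE: NAT (.+)"$')


def parse_rules(text: str) -> Tuple[Dict[str, Set[str]], Dict[str, str], Dict[str, str]]:
    """Return (alias tables, rdr target per description, filter destination per description)."""
    aliases: Dict[str, Set[str]] = {}
    rdr_targets: Dict[str, str] = {}
    filter_dests: Dict[str, str] = {}
    pending_descr = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TABLE_RE.match(line)
        if m:
            aliases[m.group(1)] = set(m.group(2).split())
            continue
        m = NAT_COMMENT_RE.match(line)
        if m:
            pending_descr = m.group(1).strip()
            continue
        m = RDR_RE.match(line)
        if m and pending_descr is not None:
            rdr_targets[pending_descr] = m.group(1)
            pending_descr = None
            continue
        m = PASS_RE.match(line)
        if m:
            # pfSense labels the associated filter rule "USER_RULE: NAT <descr>"
            filter_dests[m.group(3)] = m.group(1)
    return aliases, rdr_targets, filter_dests


def resolve(token: str, aliases: Dict[str, Set[str]]) -> Set[str]:
    """Expand a $alias token to its table members; anything else stays literal."""
    if token.startswith("$") and token[1:] in aliases:
        return set(aliases[token[1:]])
    return {token}


def find_mismatches(text: str) -> List[Tuple[str, Set[str], Set[str]]]:
    """List every port forward whose filter-rule destination differs from its redirect target."""
    aliases, rdr_targets, filter_dests = parse_rules(text)
    out: List[Tuple[str, Set[str], Set[str]]] = []
    for descr, target in sorted(rdr_targets.items()):
        if descr not in filter_dests:
            continue  # no associated filter rule for this forward
        want = resolve(target, aliases)
        have = resolve(filter_dests[descr], aliases)
        if want != have:
            out.append((descr, want, have))
    return out


if __name__ == "__main__":
    for descr, want, have in find_mismatches(RULES_WITH_BUG):
        print(f"{descr}: rdr target {sorted(want)} but filter rule destination {sorted(have)}")
    print("fixed ruleset mismatches:", find_mismatches(RULES_FIXED))
```

Run it against the real file (`python3 check.py < /tmp/rules.debug` after swapping the constant for `sys.stdin.read()`) after every port forward edit; a non-empty result means the associated filter rule was not regenerated with the new target.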
Updated by Viktor Gurov over 2 years ago
- Category changed from Translations to Rules / NAT
- Assignee set to Viktor Gurov
- Target version set to 2.7.0
- Plus Target Version set to 22.05
- Affected Version set to 2.6.0
Updated by Jim Pingle over 2 years ago
- Status changed from New to Pull Request Review
Updated by Viktor Gurov over 2 years ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset 6f0d088a8451802aacd4e7fa6be95d00707babd9.
Updated by Jim Pingle over 2 years ago
- Subject changed from Changing Redirect target IP for PortForwarding NAT rule with 'Add associated filter rule' option creates weid Firewall rules to Changing the redirect target for a Port Forward with an associated filter creates an incorrect firewall rule
Updating subject for release notes.
Updated by Danilo Zrenjanin over 2 years ago
- Status changed from Feedback to Resolved
Tested:
2.7.0-DEVELOPMENT (amd64) built on Thu May 19 06:14:05 UTC 2022 FreeBSD 12.3-STABLE
It works as expected. I am marking this ticket resolved.