Bug #13171: Changing the redirect target for a Port Forward with an associated filter creates an incorrect firewall rule
Status: closed
Description
Tested on 22.01, but I saw the same issue on 21.05_p2 too.
To reproduce this issue:
- I created an alias for the internal host: 'MyHost: 192.168.87.125'
- then I created a Port Forwarding NAT rule with 'Redirect target IP: MyHost' ('PortForwarding_initial_rule.png'), so a firewall rule was created on WAN with 'Destination: MyHost' ('Initial_firewall_rule.png').
From /tmp/rules.debug:
pass in quick on $WAN reply-to ( vtnet0 192.168.122.1 ) inet proto tcp from any to $MyHost port 22 ridentifier 1652698285 flags S/SA keep state label "USER_RULE: NAT TestPF2"
- and when I used the IP address instead of the MyHost alias ('Redirect target IP: 192.168.87.125'), the related firewall rule was changed correctly.
From /tmp/rules.debug:
pass in quick on $WAN reply-to ( vtnet0 192.168.122.1 ) inet proto tcp from any to 192.168.87.125 port 22 ridentifier 1652698285 flags S/SA keep state label "USER_RULE: NAT TestPF2"
- then I used 'Redirect target IP: LAN address'; again the firewall rule was changed correctly. From /tmp/rules.debug:
pass in quick on $WAN reply-to ( vtnet0 192.168.122.1 ) inet proto tcp from any to 192.168.87.1 port 22 ridentifier 1652698285 flags S/SA keep state label "USER_RULE: NAT TestPF2"
AND when I again used 'Redirect target IP: MyHost', on the Dashboard I saw a firewall rule with 'Destination: LAN address' ('firewall_rule_after_using_alias.png'), which had 'LAN_address' marked as an alias, and this alias was correctly shown as 'MyHost: 192.168.87.125' ('LAN_address_showed_as_my_alias.png').
BUT according to /tmp/rules.debug the firewall rule wasn't changed:
pass in quick on $WAN reply-to ( vtnet0 192.168.122.1 ) inet proto tcp from any to 192.168.87.1 port 22 ridentifier 1652698285 flags S/SA keep state label "USER_RULE: NAT TestPF2"
and still had 'LAN address: 192.168.87.1' as the Destination.
1. LAN address
2. MyHost alias
3. IP: 192.168.87.125
but the firewall rule always had 'Destination: LAN Address'.
So using these built-in aliases (LAN/WAN address) as a 'Redirect target IP' in PortForwarding NAT rules breaks the logic of creating related firewall rules.
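One way to catch this kind of drift outside the GUI is to compare each NAT-linked rule in /tmp/rules.debug against the redirect target it should reach, resolving `$alias` destinations through the alias tables. The check below is an added example, not pfSense code; it assumes the `table <name> { members }` alias layout, and the second rule (ridentifier 1652698300) is constructed.

```python
import re

# Constructed sample in the /tmp/rules.debug format quoted in the report; the
# alias table line follows pfSense's usual layout (assumed), second rule invented.
RULES_DEBUG = """\
table <MyHost> { 192.168.87.125 }
MyHost = "<MyHost>"
pass in quick on $WAN reply-to ( vtnet0 192.168.122.1 ) inet proto tcp from any to 192.168.87.1 port 22 ridentifier 1652698285 flags S/SA keep state label "USER_RULE: NAT TestPF2"
pass in quick on $WAN reply-to ( vtnet0 192.168.122.1 ) inet proto tcp from any to $MyHost port 443 ridentifier 1652698300 flags S/SA keep state label "USER_RULE: NAT TestPF3"
"""

TABLE_RE = re.compile(r'^table <(\w+)> \{ ([^}]*) \}')
RULE_RE = re.compile(r'\bto (\S+)(?: port (\S+))? ridentifier (\d+)\b.*label "([^"]*)"')

def parse_rules_debug(text):
    """Return (tables, rules): alias name -> member set,
    ridentifier -> (destination token, port, label)."""
    tables, rules = {}, {}
    for line in text.splitlines():
        m = TABLE_RE.match(line)
        if m:
            tables[m.group(1)] = set(m.group(2).split())
            continue
        m = RULE_RE.search(line)
        if m and line.startswith("pass "):
            dst, port, rid, label = m.groups()
            rules[rid] = (dst, port, label)
    return tables, rules

def destination_covers(dst, tables, target_ip):
    """True if the destination is target_ip itself or a $alias whose table holds it."""
    if dst.startswith("$"):
        return target_ip in tables.get(dst[1:], set())
    return dst == target_ip

def check_nat_targets(text, expected):
    """expected: ridentifier -> redirect target IP the linked rule should reach.
    Returns (ridentifier, label, actual destination, expected IP) per mismatch."""
    tables, rules = parse_rules_debug(text)
    mismatches = []
    for rid, target_ip in expected.items():
        dst, _port, label = rules.get(rid, ("<missing>", None, ""))
        if not destination_covers(dst, tables, target_ip):
            mismatches.append((rid, label, dst, target_ip))
    return mismatches

if __name__ == "__main__":
    for rid, label, dst, want in check_nat_targets(RULES_DEBUG, {"1652698285": "192.168.87.125", "1652698300": "192.168.87.125"}):
        print(f"ridentifier {rid} ({label}): destination {dst} does not cover {want}")
```

Run against the sample, only the rule for ridentifier 1652698285 is reported, because it still points at the LAN address rather than the MyHost alias or its member IP.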