yixuaning / x-wrt

Automatically exported from code.google.com/p/x-wrt

Ignored firewall rules #144

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Just set an accept rule for port 22.
2. It will be ignored.

What is the expected output? What do you see instead?
I should be able to connect to dropbear on port 22 from wan, but the
connection is refused.

What version of the product are you using? On what operating system and web
browser?
kamikaze 8.09 and kamikaze svn 
latest xwrt

Please provide any additional info below.
I found that this is breaking the rule

If you have

option dest lan

it will not work; if I remove it, it works. This workaround took me two days
and 10 reflashes!

My non-working code:

config 'rule'
    option 'proto' 'tcp'
    option 'src' 'wan'
    option 'dest' 'lan'
    option 'src_ip' ''
    option 'dest_ip' ''
    option 'dest_port' '22'
    option 'target' 'ACCEPT'

The working one:

config 'rule'
    option 'proto' 'tcp'
    option 'src' 'wan'
    #option 'dest' 'lan'
    option 'src_ip' ''
    option 'dest_ip' ''
    option 'dest_port' '22'
    option 'target' 'ACCEPT'

Original issue reported on code.google.com by shwan.ciyako@gmail.com on 16 Jun 2009 at 10:07

GoogleCodeExporter commented 9 years ago
I tried to fix this issue in the patch series r4782-4 in the trunk.

The basic problem was that the "Incoming Ports" part of the page always saved
the 'dest' field, causing the rules to become forwarding rules regardless of the
src/dest contents.

It should be possible to create input rules by setting 'src' and 'dest' to the
same value now.

The page is very complex. I would not be surprised if my fix broke other
functionality. :-)

Please test it.

Sorry for the trouble. The author usually does not see his own errors, and
there are not enough users able to read the code and fix them.

Original comment by lubekgc@gmail.com on 25 Jul 2009 at 5:25

GoogleCodeExporter commented 9 years ago
I am guilty of not seeing some of my own errors.

r4809 contains what should be a good fix to the issue by allowing the src/dest
to be set to router. There may be some cases where setting the src/dest to the
same network was applicable (bridged networking). The default src/dest will
work for opening ports to the router now.

Original comment by kemen04@gmail.com on 19 Aug 2009 at 5:55
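The root cause in this thread is that a UCI 'rule' carrying a 'dest' zone is installed as a forwarding rule (traffic through the router into that zone) rather than an input rule (traffic addressed to the router itself), so an ACCEPT for port 22 with 'dest lan' never reaches dropbear. The script below is an added example, not x-wrt code; it parses the two rule blocks from the report above (copied in as constructed sample input), classifies each rule by chain, and checks whether an ACCEPT input rule actually admits tcp/22 from wan. The parser, the helper names and the 'tcpudp'/'all' protocol handling are this example's own assumptions about the config format; the later UI conventions (src equal to dest, or dest set to 'router') are not modelled.

```python
"""Classify UCI firewall rules as input (to the router) vs forward (through it).

Added example, not from the x-wrt project. It models the behaviour described in
the report: a 'rule' with a 'dest' zone becomes a forwarding rule and does not
open the port on the router; a rule with only 'src' is an input rule.
"""
import shlex

# Constructed sample input: the two rules from the report, as they would appear
# in /etc/config/firewall (the second has the 'dest' line commented out).
BROKEN_CONFIG = """
config 'rule'
    option 'proto' 'tcp'
    option 'src' 'wan'
    option 'dest' 'lan'
    option 'src_ip' ''
    option 'dest_ip' ''
    option 'dest_port' '22'
    option 'target' 'ACCEPT'
"""

WORKING_CONFIG = """
config 'rule'
    option 'proto' 'tcp'
    option 'src' 'wan'
    #option 'dest' 'lan'
    option 'src_ip' ''
    option 'dest_ip' ''
    option 'dest_port' '22'
    option 'target' 'ACCEPT'
"""


def parse_uci(text):
    """Minimal parser for 'config <type> [name]' and 'option <k> <v>' lines.
    Handles quoted values, empty values ('') and '#' comment lines; 'list'
    entries and other UCI features are out of scope for this example."""
    sections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        if parts[0] == "config" and len(parts) >= 2:
            current = {"_type": parts[1], "_name": parts[2] if len(parts) > 2 else ""}
            sections.append(current)
        elif parts[0] == "option" and current is not None and len(parts) >= 2:
            current[parts[1]] = parts[2] if len(parts) > 2 else ""
    return sections


def rule_chain(rule):
    """'forward' when a dest zone is set (traffic through the router into that
    zone), otherwise 'input' (traffic addressed to the router itself)."""
    return "forward" if rule.get("dest") else "input"


def _proto_matches(rule_proto, proto):
    # Assumed conventions: empty/'all' matches everything, 'tcpudp' is both.
    if rule_proto in ("", "all"):
        return True
    if rule_proto == "tcpudp":
        return proto in ("tcp", "udp")
    return rule_proto == proto


def router_port_open(sections, proto, port, src_zone="wan"):
    """True if some ACCEPT *input* rule from src_zone admits proto/port to the router."""
    for rule in sections:
        if rule.get("_type") != "rule" or rule.get("target", "").upper() != "ACCEPT":
            continue
        if rule_chain(rule) != "input" or rule.get("src") != src_zone:
            continue
        if not _proto_matches(rule.get("proto", ""), proto):
            continue
        dport = rule.get("dest_port", "")
        if dport and dport != str(port):
            continue
        return True
    return False


def audit(sections):
    """One line per rule naming the chain it lands in, to spot a rule that was
    meant to open a router port but carries a 'dest' zone."""
    out = []
    for i, rule in enumerate(sections):
        if rule.get("_type") != "rule":
            continue
        desc = "rule[%d] %s %s port %s from %s" % (
            i, rule.get("target", "?"), rule.get("proto") or "all",
            rule.get("dest_port") or "any", rule.get("src", "?"))
        if rule_chain(rule) == "forward":
            desc += " -> %s zone (FORWARD: never reaches the router)" % rule["dest"]
        else:
            desc += " -> router (INPUT)"
        out.append(desc)
    return out


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_CONFIG), ("working", WORKING_CONFIG)):
        rules = parse_uci(cfg)
        print(label, audit(rules), "ssh from wan:", router_port_open(rules, "tcp", 22))
```

On the device itself the same distinction is visible after `/etc/init.d/firewall restart` with `iptables -L -n -v`: the rule either sits in the chain traversed by forwarded traffic or in the one traversed by packets addressed to the router, and only the latter opens dropbear.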