Unable to add orange (DMZ) interface

AZChas · April 13, 2015, 8:01pm

I’ve created green, blue and red interfaces and firewall rules on my new NethServer gateway, but orange is creating an error. I’m starting in Network and assigning an unused NIC to the role of orange. When I do, shorewall comes back with an error: Unknown source zone (orange) /etc/shorewall/rules line 36. I thought perhaps I should create an orange zone first, but when I try that it tells me that there is already a zone named “orang”.

Previously, I assigned a NIC to a role, then went in and created firewall rules for that particular interface. I wonder if there is some additional step for the DMZ? Any help would be appreciated.

filippo_carletti · April 13, 2015, 9:14pm

No additional steps needed. What you did seems correct to me. No need to create a zone. When you assign a role to a NIC a zone is “created” under the hood.
I’m suspicious about the error “Unknown source zone (orange) /etc/shorewall/rules line 36” because zone names are limited to 5 chars.
I’d start with:

grep -r orang /etc/shorewall/

You should find:

zones:orang ipv4
interfaces:orang eth2 dhcp,nosmurfs,routeback
policy: many lines with accept or reject
rules: a line for every defined rule

You could post the output of grep if you like.

AZChas · April 13, 2015, 10:40pm

Thanks for the quick response, Filippo. Before adding the orange NIC, I get no results at all with grep. After adding the NIC, I get a mix of “orange” and “orang”.

/etc/shorewall/policy:# Zone:orange
/etc/shorewall/rules: NFQBY orange net
NFQBY blue orange

The rules entries appear twice. Then, as you say, I also see zones:orang:ipv4, etc.

AZChas · April 20, 2015, 8:56pm

Here is the actual output of grep after adding the orange interface and grepping “orange”:

/etc/shorewall/policy:# Zone: orange
/etc/shorewall/rules:NFQBY orange net
/etc/shorewall/rules:NFQBY blue orange
/etc/shorewall/rules:NFQBY orange net
/etc/shorewall/rules:NFQBY blue orange

I thought I might be able to edit /etc/shorewall/rules to change orange to orang, but the “rules” file gets restored back to this on a reboot, and perhaps when shorewall is restarted.

However, I just created a 2nd NethServer machine that doesn’t seem to have this problem, so perhaps the issue is some corruption in the installation I’m working with. I’ll keep playing and keep you posted.

AZChas · April 21, 2015, 1:38am

The problem seems to occur when I enable the IPS module. Prior to that, the orange interface is added without complaint. After enabling IPS, the following appears in /etc/shorewall/rules:

/etc/shorewall/rules:NFQBY orange net
/etc/shorewall/rules:NFQBY blue orange
/etc/shorewall/rules:NFQBY orange net
/etc/shorewall/rules:NFQBY blue orange

Since network objects are limited to 5 character names, the word “orange” blows up the firewall rules table. This seems to be a bug. I’ll create a new post on the bugs category to report it.

giacomo · April 21, 2015, 8:56am

This is a bug, thank you for reporting:
http://dev.nethserver.org/issues/3129

You will find the new rpm available tomorrow and ready for testing.

alefattorini · May 5, 2015, 3:06pm

@giacomo please could you reward @azchas with a like on the first post?
So I can close the topic

giacomo · May 5, 2015, 3:13pm

Done! (“Post must be at least 10 characters” AAARGH!!!)