Firewall problem: Unknown destination zone (alias)

Hunv · March 5, 2016, 9:16am

Hi,

first of all: I am really impressed of Nethserver. I have never seen it before, but it looks really great!
But now I have my first problem.
I installed Nethserver and setup the green and red interface. Green got the IP 10.0.0.1 during the installation. Red was configured with the public IP of my Rootserver. I installed the packages “Basic firewall”, “Bandwidth monitor”, “VPN” and “Intrusion Prevention System” because I want to use Nethserver primary as a Router, Firewall and VPN Gateway.
First I configured some Firewall Objects. By doing this, I recognized that I forgot to configure more IP-Addresses for Green Interface. So I added 10.1.0.1, 10.2.0.1 and 10.3.0.1 as an additional IP Alias for my Green eth1 interface.
After that I configured more Firewall Objects. The first thing I want to do is:
Forward HTTP-Traffic to Server 10.1.0.101 using a hostobject in the firewall rules configurator.
When I apply this, I get the following Error Message:

Task completed with error
Configuring shorewall #24 (exit status 1)
ERROR: Unknown destination zone (alias) /etc/shorewall/rules (line 121)

I tried to research about that error and found somebody that had problems with the IPS module. So I uninstalled it: no changes.
After that I realized, that there are Updates available for the Nethserver. I installed all Updates: No changes
After that I reinstalled the Firewall-Pack: No changes.

Now I don’t know what I can do to fix this issue.
When I change to the Network-Configuration, I get a hint, that the firewall is not running. When I click on this I get a page with this text:

Checking...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Loading Modules...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Checking /etc/shorewall/hosts...
Determining Hosts in Zones...
Locating Action Files...
Checking /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Adding Anti-smurf Rules
Adding rules for DHCP
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking /etc/shorewall/masq...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
   ERROR: Unknown destination zone (alias) /etc/shorewall/rules (line 121)

What do I have to do to get this running?

Finally the mentioned content of the file, that is mentioned in the error message:

# ================= DO NOT MODIFY THIS FILE =================
# 
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at https://dev.nethesis.it/projects/nethserver/wiki/NethServer
# original work from http://www.contribs.org/development/
#
# Copyright (C) 2013 Nethesis S.r.l. 
# http://www.nethesis.it - support@nethesis.it
# 
#
# Shorewall version 4 - Rules File
#
# For information on the settings in this file, type "man shorewall-rules"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-rules.html
#
######################################################################################################################################################################################
#ACTION		SOURCE		DEST		PROTO	DEST	SOURCE		ORIGINAL	RATE		USER/	MARK	CONNLIMIT	TIME         HEADERS         SWITCH
#							PORT	PORT(S)		DEST		LIMIT		GROUP
#SECTION ALL
#
#
# SECTION ESTABLISHED
#
?SECTION ESTABLISHED


#
# SECTION RELATED
#
?SECTION RELATED


#
# SECTION NEW
#
?SECTION NEW

#
# Accept Ping from the "bad" net zone.
#
Ping/ACCEPT   net             $FW

#
#  Make ping work bi-directionally between the dmz, net, Firewall and local zone
#  (assumes that the loc-> net policy is ACCEPT).
#
Ping/ACCEPT     loc            $FW

#
#       Accept DNS connections from the firewall to the Internet
#
DNS/ACCEPT      $FW             net
#
#	Service: httpd-admin Access: public
#
?COMMENT httpd-admin
ACCEPT	loc	$FW	tcp	980
ACCEPT	net	$FW	tcp	980
#
#	Service: nmb Access: private
#
ACCEPT	loc	$FW	udp	137
ACCEPT	loc	$FW	udp	138
#
#	Service: ntpd Access: private
#
ACCEPT	loc	$FW	udp	123
#
#	Service: openvpn Access: public
#
ACCEPT	loc	$FW	udp	1194
ACCEPT	net	$FW	udp	1194
#
#	Service: redis-ntopng Access: NONE
#
#
#	Service: slapd Access: private
#
?COMMENT slapd
ACCEPT	loc	$FW	tcp	389
#
#	Service: smb Access: private
#
?COMMENT smb
ACCEPT	loc	$FW	tcp	139
?COMMENT smb
ACCEPT	loc	$FW	tcp	445
#
#	Service: sshd Access: public
#
?COMMENT sshd
ACCEPT	loc	$FW	tcp	222
ACCEPT	net	$FW	tcp	222

#
# 40l2tp -- accept L2TP nego from ivpn zone
#
?COMMENT l2tp
ACCEPT  ivpn	$FW	udp	1701



#
# 50pf -- PORT FORWARDING
#



#
# 60rules
#

#
# RULE#3 any -> host;kappservertest 
#
?COMMENT RULE#3 
ACCEPT:none	any	alias:10.1.0.101	tcp	443

#
# RULE#1 any -> role;red 
#
?COMMENT RULE#1 Allow outbound traffic
ACCEPT:none	any	net	all

#
# RULE#2 iprange;knetwork -> iprange;hostnetwork 
#
?COMMENT RULE#2 No Hostnetwork Access
DROP:none	alias:10.1.0.0-10.1.0.255	loc:10.0.0.0-10.0.0.255	all



#
# 90dns_blue 
#

Edit:
I started all over again but configuring all Interfaces including Aliases and doing updates first: Same issue.

Nas · March 5, 2016, 10:02am

Hi what version you are trying to deploy? 6.7 or 7?

Hunv · March 5, 2016, 10:03am

System version:NethServer release 6.7 (final)
Kernel release:2.6.32-573.el6.x86_64

Edit:
I figured out, that the problem does not occure, if only Zones like "any, “red” or “green” are involved. And the same issue is, if I add hosts to Port Forwarding

Nas · March 5, 2016, 10:21am

Create ALIAS

Pasted image1176×192 6.15 KB
Create Firewall Object

Pasted image1160×213 7.29 KB
Create New ZONE for Alias subnet

Pasted image1157×195 7.66 KB
Create port Forward Rule

Pasted image1157×153 6.99 KB

Hunv · March 5, 2016, 10:38am

OK, good to known! Thanks for the fast help! Hopefully there will be a solution for this.

Would it be a workaround to add an additional interface for each subnet?

Nas · March 5, 2016, 12:39pm

@Hunv

I have update Instruction please review.
Please keep in mind when creating new Zone you should select interface on which your alias exists.

http://shorewall.net/Shorewall_and_Aliased_Interfaces.html
This doc helps me to understand the logic.

Hunv · March 5, 2016, 1:06pm

Hi Nas,

I checked it following your screenshots. It works. Thanks!

Nas · March 5, 2016, 1:12pm

Thus, mark topic as solved

Vicente_Pena · October 28, 2016, 11:44pm

Hello,
Sorry for commenting a solved post but I have the same issue.

I followed the instruction and it worked. I have access from internet.

But now, I don´t have access from the same network and the zone lost internet too.

In other words, first I have the network 10.2.0.1 and 10.1.0.1 with internet and access to server 10.2.0.2.
When I create the zone, the network 10.2.0.1/24 loose internet.
And the network 10.1.0.1 have internet but can´t access the server 10.2.0.2.
And I can access server 10.2.0.2 from internet.

I replicate the images example.
Do you know what can I do? Or maybe what I am doing wrong?

UPDATE: I have noticed something. My two networks are in a bridge for Virtual Machines. Your example don’t have a bridge.

Hunv · October 29, 2016, 7:54am

Hi @Vicente_Pena,

I changed my way of implementing this, but this is just an option if your Nethserver is a virtual machine or has multiple network adapters:
I created one network adapter for each subnet. So I don’t use the zones anymore. To configure the access, I use the CIDR Networks and create firewall rules to deny/control the access of this IP ranges.
This works pretty well for me.