Unable to add orange (DMZ) interface


(Charlie Lehardy) #1

I’ve created green, blue and red interfaces and firewall rules on my new NethServer gateway, but orange is creating an error. I’m starting in Network and assigning an unused NIC to the role of orange. When I do, shorewall comes back with an error: Unknown source zone (orange) /etc/shorewall/rules line 36. I thought perhaps I should create an orange zone first, but when I try that it tells me that there is already a zone named “orang”.

Previously, I assigned a NIC to a role, then went in and created firewall rules for that particular interface. I wonder if there is some additional step for the DMZ? Any help would be appreciated.


(Filippo Carletti) #2

No additional steps needed. What you did seems correct to me. No need to create a zone. When you assign a role to a NIC a zone is “created” under the hood.
I’m suspicious about the error “Unknown source zone (orange) /etc/shorewall/rules line 36” because zone names are limited to 5 chars.
I’d start with:

grep -r orang /etc/shorewall/

You should find:

  1. zones:orang ipv4
  2. interfaces:orang eth2 dhcp,nosmurfs,routeback
  3. policy: many lines with accept or reject
  4. rules: a line for every defined rule

You could post the output of grep if you like.


(Charlie Lehardy) #3

Thanks for the quick response, Filippo. Before adding the orange NIC, I get no results at all with grep. After adding the NIC, I get a mix of “orange” and “orang”.

/etc/shorewall/policy:# Zone:orange
/etc/shorewall/rules: NFQBY orange net
NFQBY blue orange

The rules entries appear twice. Then, as you say, I also see zones:orang:ipv4, etc.


(Charlie Lehardy) #4

Here is the actual output of grep after adding the orange interface and grepping “orange”:

/etc/shorewall/policy:# Zone: orange
/etc/shorewall/rules:NFQBY orange net
/etc/shorewall/rules:NFQBY blue orange
/etc/shorewall/rules:NFQBY orange net
/etc/shorewall/rules:NFQBY blue orange

I thought I might be able to edit /etc/shorewall/rules to change orange to orang, but the “rules” file gets restored back to this on a reboot, and perhaps when shorewall is restarted.

However, I just created a 2nd NethServer machine that doesn’t seem to have this problem, so perhaps the issue is some corruption in the installation I’m working with. I’ll keep playing and keep you posted.


(Charlie Lehardy) #5

The problem seems to occur when I enable the IPS module. Prior to that, the orange interface is added without complaint. After enabling IPS, the following appears in /etc/shorewall/rules:

/etc/shorewall/rules:NFQBY orange net
/etc/shorewall/rules:NFQBY blue orange
/etc/shorewall/rules:NFQBY orange net
/etc/shorewall/rules:NFQBY blue orange

Since network objects are limited to 5 character names, the word “orange” blows up the firewall rules table. This seems to be a bug. I’ll create a new post on the bugs category to report it.
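
The mismatch described in this thread (rules and policy referring to "orange" while the zones file declares "orang") can be caught before Shorewall fails to compile. The following script is an added example, not NethServer's or Shorewall's own code: it cross-checks the SOURCE/DEST columns of `rules` and `policy` against the names declared in `zones`, and flags any zone name over Shorewall's 5-character limit. It assumes the standard layout `DIR/zones`, `DIR/rules`, `DIR/policy` (`DIR` would be `/etc/shorewall` on a real gateway); the sample config it writes is constructed to reproduce the symptom and is not a real NethServer dump.

```shell
#!/bin/sh
# Added example (not NethServer/Shorewall code): find zones referenced in
# Shorewall rules/policy that are not declared in the zones file, and zone
# names longer than the 5-character limit. Assumes DIR/{zones,rules,policy}.

# Keywords Shorewall accepts in SOURCE/DEST that are never zone names.
is_special() {
    case "$1" in
        all|any|none|'$FW'|-) return 0 ;;
        *) return 1 ;;
    esac
}

# Zones declared in DIR/zones: first column of non-comment, non-empty lines.
declared_zones() {
    awk '!/^[[:space:]]*#/ && NF { print $1 }' "$1/zones" | sort -u
}

# Zones referenced in DIR/rules (SOURCE=$2, DEST=$3) and DIR/policy
# (SOURCE=$1, DEST=$2). "zone:addr", "zone!excl" forms are cut back to "zone";
# comments, "?SECTION"/"SECTION" lines and short lines are skipped.
referenced_zones() {
    {
        awk '!/^[[:space:]]*[#?]/ && $1 != "SECTION" && NF >= 3 { print $2; print $3 }' "$1/rules"
        awk '!/^[[:space:]]*#/ && NF >= 2 { print $1; print $2 }' "$1/policy"
    } | sed 's/[:!].*$//' | sort -u
}

# Referenced zones that the zones file does not declare, one per line.
undeclared_zones() {
    dir=$1
    referenced_zones "$dir" | while read -r z; do
        if is_special "$z"; then continue; fi
        if ! declared_zones "$dir" | grep -Fqx -- "$z"; then
            echo "$z"
        fi
    done
    return 0
}

# Declared or referenced zone names that exceed Shorewall's 5-char limit.
overlong_zone_names() {
    { declared_zones "$1"; referenced_zones "$1"; } | sort -u | while read -r z; do
        if is_special "$z"; then continue; fi
        if [ "${#z}" -gt 5 ]; then
            echo "$z"
        fi
    done
    return 0
}

# Constructed sample reproducing the thread's symptom: the zones file
# declares "orang", but the IPS-generated NFQBY rules say "orange".
write_sample_config() {
    mkdir -p "$1"
    printf '%s\n' 'fw firewall' 'net ipv4' 'loc ipv4' 'blue ipv4' 'orang ipv4' \
        > "$1/zones"
    printf '%s\n' '# shorewall rules' 'SECTION NEW' 'ACCEPT loc net tcp 80,443' \
        'NFQBY orange net' 'NFQBY blue orange' 'REJECT net:10.0.0.0/8 loc' \
        > "$1/rules"
    printf '%s\n' '# Zone: orange' 'loc net ACCEPT' 'orang net ACCEPT' \
        'net all DROP' 'all all REJECT' > "$1/policy"
}

# Demo run against the constructed sample; on a real box call the two check
# functions with /etc/shorewall instead.
sample=$(mktemp -d)
write_sample_config "$sample"
echo "referenced but undeclared zones:"
undeclared_zones "$sample"
echo "zone names over 5 characters:"
overlong_zone_names "$sample"
rm -rf "$sample"
```

Run it against the live config with `undeclared_zones /etc/shorewall` after assigning the role and again after enabling the IPS module; the second run is the one that should surface "orange" if the generated rules and the zones file disagree.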


(Giacomo Sanchietti) #6

This is a bug, thank you for reporting:
http://dev.nethserver.org/issues/3129

You will find the new rpm available tomorrow and ready for testing.


(Alessio Fattorini) #7

@giacomo please could you reward @azchas with a like on the first post?
So I can close the topic :smile:


(Giacomo Sanchietti) #8

Done! (“Post must be at least 10 characters” AAARGH!!!)