Ticket #4916 (closed defect: worksforme)
Unexpected firewall behaviour
| Reported by: | gassiepaard@… | Owned by: | jamor@… |
|---|---|---|---|
| Milestone: | 3.0 | Component: | firewall |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
When the mysql server password is changed the firewall is not working, the packet filter rules are ignored... Also there is no notification that there is something wrong.
It would be wise to ask for a root mysql password when installing.
Attachments
Change History
comment:2 Changed 9 months ago by jamor@…
Also you can try to put the same password in the file '/var/lib/zentyal/conf/zentyal-mysql.passwd' and reload the log module.
comment:3 Changed 9 months ago by gassiepaard@…
- Summary changed from "Firewall not working when mysql password is changed" to "Unexpected firewall behaviour"
My mistake, I did change something before. I added a service in the external-to-Zentyal packet filter with: protocol: any, source port: any, destination: 23424.
When enabled, any port on the zentyal box is open :(
comment:4 follow-up: ↓ 5 Changed 9 months ago by jamor@…
Sorry, I don't understand what the configuration of your service was. Which parameter does the 23424 stand for?
comment:5 in reply to: ↑ 4 Changed 9 months ago by gassiepaard@…
Replying to jamor@…:
Sorry, I don't understand what the configuration of your service was. Which parameter does the 23424 stand for?
portnumber
comment:6 Changed 9 months ago by jamor@…
Ok, if I put this configuration I get two lines added to the iexternal chain (the last ones):
Chain iexternal (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- eth2 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- eth3 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- tap7 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:23424 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23424 state NEW
It is correct.
How did you check your open ports? Maybe you checked them using an internal interface, and in that case the rule set enforced is 'Internal networks to Zentyal' instead of 'External networks to Zentyal'.
comment:7 Changed 9 months ago by jamor@…
- Status changed from accepted to closed
- Resolution set to worksforme
Reopen if you can confirm that it is a bug. To see the dump of the firewall rules you can use the command "sudo iptables -vL -n".
Regards,
Javier
comment:8 Changed 9 months ago by gassiepaard@…
I configured it in External networks to Zentyal.
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
34777 9828K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
12 480 idrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
86039 59M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
127K 36M inospoof all -- * * 0.0.0.0/0 0.0.0.0/0
127K 36M iexternalmodules all -- * * 0.0.0.0/0 0.0.0.0/0
127K 36M iexternal all -- * * 0.0.0.0/0 0.0.0.0/0
4656 795K inoexternal all -- * * 0.0.0.0/0 0.0.0.0/0
4656 795K imodules all -- * * 0.0.0.0/0 0.0.0.0/0
4656 795K iintservs all -- * * 0.0.0.0/0 0.0.0.0/0
4656 795K iglobal all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 0 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 4 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 12 state NEW
2 677 idrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 fdrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 fnospoof all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fredirects all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fmodules all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ffwdrules all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fnoexternal all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fdns all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fobjects all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fglobal all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 0 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 4 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 12 state NEW
0 0 fdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
66785 11M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0
0 0 odrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
77719 5678K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
71164 10M ointernal all -- * * 0.0.0.0/0 0.0.0.0/0
70823 10M omodules all -- * * 0.0.0.0/0 0.0.0.0/0
70594 10M oglobal all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 8 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 0 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 3 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 4 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 11 state NEW
0 0 ACCEPT icmp !f * * 0.0.0.0/0 0.0.0.0/0 icmptype 12 state NEW
2 212 odrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain drop (4 references)
pkts bytes target prot opt in out source destination
12 480 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fdns (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 208.67.222.222 state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 208.67.222.222 state NEW tcp dpt:53
0 0 ACCEPT udp -- * * 0.0.0.0/0 192.168.0.1 state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.1 state NEW tcp dpt:53
Chain fdrop (5 references)
pkts bytes target prot opt in out source destination
0 0 drop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain ffwdrules (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain fglobal (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fmodules (1 references)
pkts bytes target prot opt in out source destination
Chain fnoexternal (1 references)
pkts bytes target prot opt in out source destination
0 0 fdrop all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain fnospoof (1 references)
pkts bytes target prot opt in out source destination
0 0 fnospoofmodules all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 fdrop all -- !eth1 * 10.0.0.0/24 0.0.0.0/0
Chain fnospoofmodules (1 references)
pkts bytes target prot opt in out source destination
Chain fobjects (1 references)
pkts bytes target prot opt in out source destination
Chain fredirects (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 10.0.0.1 state NEW udp dpt:22
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 10.0.0.1 state NEW tcp dpt:22
Chain ftoexternalonly (0 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- * eth0 0.0.0.0/0 0.0.0.0/0
0 0 fdrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain idrop (4 references)
pkts bytes target prot opt in out source destination
14 1157 drop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain iexternal (1 references)
pkts bytes target prot opt in out source destination
4654 795K RETURN all -- eth1 * 0.0.0.0/0 0.0.0.0/0
122K 36M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 state NEW
Chain iexternalmodules (1 references)
pkts bytes target prot opt in out source destination
4654 795K RETURN all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain iglobal (1 references)
pkts bytes target prot opt in out source destination
4654 795K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:88 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:88 state NEW
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:464 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:464 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:390 state NEW
0 0 drop udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123 state NEW
Chain iintservs (1 references)
pkts bytes target prot opt in out source destination
Chain imodules (1 references)
pkts bytes target prot opt in out source destination
Chain inoexternal (1 references)
pkts bytes target prot opt in out source destination
0 0 idrop all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain inointernal (0 references)
pkts bytes target prot opt in out source destination
Chain inospoof (1 references)
pkts bytes target prot opt in out source destination
127K 36M inospoofmodules all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 idrop all -- !eth1 * 10.0.0.0/24 0.0.0.0/0
Chain inospoofmodules (1 references)
pkts bytes target prot opt in out source destination
Chain log (0 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain odrop (2 references)
pkts bytes target prot opt in out source destination
2 212 drop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain oglobal (1 references)
pkts bytes target prot opt in out source destination
70592 10M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain ointernal (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- * * 0.0.0.0/0 127.0.0.1 state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 127.0.0.1 state NEW tcp dpt:53
10 638 ACCEPT udp -- * * 0.0.0.0/0 208.67.222.222 state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 208.67.222.222 state NEW tcp dpt:53
12 3936 ACCEPT udp -- * eth0 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:67
319 21469 ACCEPT udp -- * * 0.0.0.0/0 192.168.0.1 state NEW udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.0.1 state NEW tcp dpt:53
Chain omodules (1 references)
pkts bytes target prot opt in out source destination
229 16681 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:53
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
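The two dumps above disagree in a way that is worth checking mechanically rather than by eye. The developer's reproduction in comment:6 adds port-restricted `ACCEPT tcp`/`ACCEPT udp ... dpt:23424` lines to iexternal. The reporter's dump in comment:8 instead has `122K 36M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW` as the first rule of iexternal after the eth1 RETURN (and a rule of the same shape at the top of iglobal). In the INPUT path that rule accepts every new connection on every port from every interface other than eth1, which is consistent with Apache on 8001 answering from the remote location even though 8001 is not in the External-to-Zentyal rules. The ticket does not establish what produced that rule; note only that plain iptables can attach a port match to tcp/udp (or sctp/dccp) rules but not to a rule for all protocols, so a rule that is protocol-agnostic cannot be port-limited. The following script is an added example, not part of the ticket and not Zentyal code: it parses `sudo iptables -vL -n` output and reports wide-open ACCEPT rules in every chain reachable from INPUT. The embedded sample dumps are trimmed copies of the ones posted in comment:6 and comment:8.

```python
"""Flag wide-open ACCEPT rules in `iptables -vL -n` output.
Added example for this ticket (not Zentyal code). The sample dumps at the
bottom are trimmed copies of the ones posted in comment:6 and comment:8."""
import re

CHAIN_HEADER = re.compile(r"^Chain (\S+) \((.*)\)$")


def parse_dump(text):
    """Return {chain: [rule dict, ...]} from `iptables -vL -n` output."""
    chains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_HEADER.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        f = line.split()
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line, column header, or text outside a chain
        chains[current].append({
            "pkts": f[0], "target": f[2], "prot": f[3], "in": f[5],
            "out": f[6], "src": f[7], "dst": f[8], "extra": " ".join(f[9:]),
        })
    return chains


def is_wide_open(rule):
    """ACCEPT for every protocol, interface and address.
    iptables only allows a port match with -p tcp/udp (or sctp/dccp), so a
    'prot all' rule can never be narrowed by a port; 'state NEW' does not
    narrow exposure either, so a bare or NEW-only match is flagged."""
    return (rule["target"] == "ACCEPT" and rule["prot"] == "all"
            and rule["in"] == "*" and rule["out"] == "*"
            and rule["src"] == "0.0.0.0/0" and rule["dst"] == "0.0.0.0/0"
            and rule["extra"] in ("", "state NEW"))


def find_wide_open(chains, root="INPUT"):
    """[(chain, rule)] for wide-open rules in chains reachable from root.
    Static walk over jumps into user chains; it reports rule text and does
    not simulate a packet, so an earlier RETURN or DROP does not hide a
    later wide-open rule in the same chain."""
    findings, seen = [], set()

    def walk(chain):
        if chain in seen or chain not in chains:
            return
        seen.add(chain)
        for rule in chains[chain]:
            if is_wide_open(rule):
                findings.append((chain, rule))
            elif rule["target"] in chains:
                walk(rule["target"])

    walk(root)
    return findings


# comment:6, developer's reproduction: port-restricted rules, as expected
COMMENT6_DUMP = """
Chain iexternal (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- eth1 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- tap7 * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:23424 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:23424 state NEW
"""

# comment:8, reporter's box, trimmed to chains on the INPUT path
COMMENT8_DUMP = """
Chain INPUT (policy DROP 0 packets, 0 bytes)
34777 9828K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
12 480 idrop all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
86039 59M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
127K 36M iexternalmodules all -- * * 0.0.0.0/0 0.0.0.0/0
127K 36M iexternal all -- * * 0.0.0.0/0 0.0.0.0/0
4656 795K inoexternal all -- * * 0.0.0.0/0 0.0.0.0/0
4656 795K iglobal all -- * * 0.0.0.0/0 0.0.0.0/0
2 677 idrop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain drop (4 references)
12 480 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
Chain idrop (4 references)
14 1157 drop all -- * * 0.0.0.0/0 0.0.0.0/0
Chain iexternal (1 references)
4654 795K RETURN all -- eth1 * 0.0.0.0/0 0.0.0.0/0
122K 36M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 state NEW
Chain iexternalmodules (1 references)
4654 795K RETURN all -- eth1 * 0.0.0.0/0 0.0.0.0/0
Chain iglobal (1 references)
4654 795K ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain inoexternal (1 references)
0 0 idrop all -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW
"""

if __name__ == "__main__":
    print("comment:6", find_wide_open(parse_dump(COMMENT6_DUMP), "iexternal"))
    print("comment:8", [(c, r["pkts"]) for c, r in find_wide_open(parse_dump(COMMENT8_DUMP))])
```

Against the comment:6 snippet the walk from iexternal reports nothing; against the comment:8 dump it reports the iexternal rule (with 122K packets already counted against it) and the iglobal one. To run it on a live box, pass the full text of `sudo iptables -vL -n` to parse_dump; the walk is deliberately static, so a hit means "a wide-open ACCEPT is reachable from INPUT", which is the thing to explain before trusting any port-specific rule further down.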
comment:9 Changed 9 months ago by gassiepaard@…
I checked the open ports from a remote location. I have apache running on port 8001 and made sure that port isn't in the External networks to Zentyal configuration. But when I opened a browser to my IP and that port number, it responded with the default website.....
Hello Gassiepaard,
If Zentyal cannot access mysql the log services should be affected but not the firewall one. Have you done any changes in the Zentyal configuration after changing the password? Can you attach the file /var/log/zentyal/zentyal.log?
Also, if you have enabled the log module you could try to disable it and restart the firewall service to see if this enables it again. It could be a workaround until we clear up this problem.
Regards,
Javier