ID | 0002687
Project | Endian Firewall
Category | Firewall (iptables)
View Status | public
Date Submitted | 2010-02-15 14:28
Last Update | 2011-02-02 09:09
Reporter | aender
Assigned To | peter-endian
Priority | normal
Severity | feature
Reproducibility | always
Status | confirmed
Resolution | open
Platform |
OS |
OS Version |
Product Version | 2.3
Target Version | future
Fixed in Version |
Summary | 0002687: drop rules do not block connections which are already ESTABLISHED
Description | We have set up a rule to allow SMB-All from a server in ORANGE to a server in GREEN. All works fine. We copied some files and after that we disabled the rule. After disabling the rule all SMB traffic is still allowed. See also the connections in the status screen with port 445. We have to log out and log in at the server in ORANGE to have no access to the server in GREEN. So it looks like disabling the rule does not affect sessions that exist. All SMB sessions should be killed if we disable an SMB rule.
Tags | No tags attached.
Attached Files |
(0003796) peter-endian (administrator) 2010-02-15 16:11
Firewall rules affect only the connection initiation. Due to the statefulness, established connections will not be blocked. Can't change this easily, otherwise we degrade firewall performance and remove statefulness. Killing every established connection affected by a rule is not that easy either, since we can't identify them only with the rule information, because they are not that specific most of the time. We can implement an option to kill an established connection manually, through connections.cgi.
(0003798) aender (reporter) 2010-02-15 16:16
Yes. Please implement something like that. Is there a workaround possible? Maybe a command at the shell to kill established connections?
(0003799) luca-endian (developer) 2010-02-15 16:58
`conntrack -F`
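Added example, not part of this report or of Endian's code: `conntrack -F` flushes every tracked connection on the firewall, so all other sessions passing through it are reset along with the SMB ones. The script below reads entries in the `/proc/net/nf_conntrack` format (a constructed sample is embedded; the 10.0.1.0/24 ORANGE and 10.0.0.0/24 GREEN addresses are assumptions) and emits one targeted `conntrack -D` command per ESTABLISHED flow that matches the disabled rule, so only the affected sessions are torn down.

```shell
#!/bin/sh
# Constructed sample in the layout of /proc/net/nf_conntrack (not from the report):
# one SMB flow ORANGE -> GREEN, one unrelated HTTPS flow, one UDP DNS entry.
SAMPLE_CONNTRACK='ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.1.5 dst=10.0.0.20 sport=49152 dport=445 src=10.0.0.20 dst=10.0.1.5 sport=445 dport=49152 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=10.0.0.30 dst=203.0.113.7 sport=51000 dport=443 src=203.0.113.7 dst=10.0.0.30 sport=443 dport=51000 [ASSURED] mark=0 use=1
ipv4     2 udp     17 29 src=10.0.1.5 dst=10.0.0.1 sport=40000 dport=53 src=10.0.0.1 dst=10.0.1.5 sport=53 dport=40000 mark=0 use=1'

# Read conntrack lines on stdin and print one "conntrack -D" command for every
# ESTABLISHED entry whose original-direction tuple matches the disabled rule:
# protocol, source address prefix (assumed ORANGE) and destination port.
# Commands are printed rather than executed so the selection can be reviewed.
conntrack_kill_cmds() {
    proto="$1"; src_prefix="$2"; dport="$3"
    awk -v proto="$proto" -v pfx="$src_prefix" -v dport="$dport" '
        $3 == proto && $6 == "ESTABLISHED" {
            # fields 7-10 carry the original direction: src= dst= sport= dport=
            split($7, s, "="); split($8, d, "="); split($9, sp, "="); split($10, dp, "=")
            if (index(s[2], pfx) == 1 && dp[2] == dport)
                printf "conntrack -D -p %s -s %s -d %s --sport %s --dport %s\n", proto, s[2], d[2], sp[2], dp[2]
        }'
}

# Number of entries the selection hits, for checking before anything is deleted.
count_matches() {
    printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_kill_cmds "$@" | wc -l | tr -d ' '
}

# Demonstration on the sample: the disabled rule was TCP/445 from ORANGE.
printf '%s\n' "$SAMPLE_CONNTRACK" | conntrack_kill_cmds tcp 10.0.1. 445
```

On a live firewall feed `cat /proc/net/nf_conntrack` into the function and pipe the reviewed output to `sh` as root; `conntrack -L` prints the same tuples but without the leading `ipv4 2` columns, so the awk field numbers would shift.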
Date Modified | Username | Field | Change
2010-02-15 14:28 | aender | New Issue |
2010-02-15 16:11 | peter-endian | Note Added: 0003796 |
2010-02-15 16:11 | peter-endian | Status | new => confirmed
2010-02-15 16:11 | peter-endian | Target Version | => future
2010-02-15 16:13 | peter-endian | Summary | SMB traffic still allowed after disable a rule => drop rules do not block connections which are already ESTABLISHED
2010-02-15 16:16 | aender | Note Added: 0003798 |
2010-02-15 16:58 | luca-endian | Note Added: 0003799 |
2010-03-10 17:42 | peter-endian | Relationship added | related to 0000183
2011-02-02 09:07 | lorenzo-endian | Customer Occurencies | => 0
2011-02-02 09:07 | lorenzo-endian | Assigned To | => peter-endian
2011-02-02 09:09 | lorenzo-endian | Severity | major => feature