invalid port/service 310000 specified in firewall mode most_open #484

Closed
hoedlmoser opened this Issue Nov 25, 2018 · 0 comments

@hoedlmoser
Contributor

hoedlmoser commented Nov 25, 2018

Describe the bug
If Firewall-Richtlinie is set to Ports offen in RaspberryMatic 3.41.11.20181124, you'll get the error message homematic user.info firewall: iptables v1.6.2: invalid port/service 310000 specified Try 'iptables -h' or 'iptables --help' for more information. in syslog. Even though this is only an info log, it means a malfunction in the firewall script and therefore should be taken seriously.

To Reproduce
Set Firewall-Richtlinie to Ports offen in Startseite > Einstellungen > Systemsteuerung > Firewall konfigurieren and run /bin/setfirewall.tcl.

System information

  • RaspberryMatic 3.41.11.20181124
  • Charly with Raspberry Pi 3 B+

Additional context
In firewall most_open mode, the procedure FirewallInternal::Firewall_configureFirewallMostOpen in /lib/libfirewall.tcl just blocks all internal ports (3xxxx):

    #block internal ports
    foreach port $service(PORTS) {
        if { $port < 40000 && ![string equal "SNMP" $serviceName] } {
            try_exec_cmd "/usr/sbin/iptables -A INPUT -p tcp --dport 3$port -j DROP"
            if {$has_ip6tables} {
                try_exec_cmd "/usr/sbin/ip6tables -A INPUT -p tcp --dport 3$port -j DROP"
            }
        }
    }

But this produces ports > 65535, which is not in accordance with the specification, already at $port >= 10000, as is the case for NeoServer as defined in /etc/config/firewall.conf:

[SERVICE NEOSERVER]
Id = NEOSERVER
Ports = 1901 1902 5987 8088 9099 10000 48899 49880
Access = none

Additionally, this blocking of internal ports should not be applied for the NeoServer; there are just no internal ports for NeoServer as far as I can see in /etc/lighttpd/conf.d/proxy.conf.

See also https://homematic-forum.de/forum/viewtopic.php?f=65&t=47020&start=110#p470693

I have already prepared a diff:

--- /lib/libfirewall.tcl.orig
+++ /lib/libfirewall.tcl
@@ -416,7 +416,7 @@
 	
 	#block internal ports 
 	foreach port $service(PORTS) {
-        if { $port < 40000 && ![string equal "SNMP" $serviceName] } {
+        if { $port < 10000 && ![string equal "SNMP" $serviceName] && ![string equal "NEOSERVER" $serviceName] } {
             try_exec_cmd "/usr/sbin/iptables -A INPUT -p tcp --dport 3$port -j DROP"  
             if {$has_ip6tables} {      
                 try_exec_cmd "/usr/sbin/ip6tables -A INPUT -p tcp --dport 3$port -j DROP"
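Review bot: The new bound `$port < 10000` is correct for the `3$port` prefix scheme (a four-digit base port yields at most 39999, inside the 16-bit range, whereas the old `< 40000` let 10000 through and produced 310000), but that reasoning is not recorded anywhere in the code; extend the `#block internal ports` comment to state that the internal port is the base port with a leading `3` and that only base ports below 10000 can be mapped, so the bound is not silently raised again later. The hard-coded `"NEOSERVER"` comparison next to `"SNMP"` makes a second per-service special case in one condition; it is fine for this fix, but a per-service setting in /etc/config/firewall.conf would scale better than growing that expression. Separately, since the failing iptables call was only surfaced at user.info, it is worth checking that `try_exec_cmd` failures in this loop are at least visible at a level operators watch, because a rule that fails to install leaves the port open without any other indication.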

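As an added check (not code from the RaspberryMatic project), the following Python parses the firewall.conf service format quoted above and reports which base ports would make the most_open DROP rule name a port above 65535, comparing the original `< 40000` bound with the proposed `< 10000` bound. The sample config is constructed from the NEOSERVER entry in the issue plus a constructed SNMP entry; `invalid_drop_rules` and the other function names are this example's own.

```python
import re

# Constructed sample in the /etc/config/firewall.conf format shown in the issue.
SAMPLE_CONF = """\
[SERVICE NEOSERVER]
Id = NEOSERVER
Ports = 1901 1902 5987 8088 9099 10000 48899 49880
Access = none

[SERVICE SNMP]
Id = SNMP
Ports = 161
Access = none
"""

MAX_PORT = 65535


def parse_services(text):
    """Return {service_id: [base ports]} from firewall.conf-style text."""
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"\[SERVICE\s+(\S+)\]", line)
        if m:
            current = m.group(1)
            services[current] = []
            continue
        if current and line.startswith("Ports"):
            services[current] = [int(p) for p in line.split("=", 1)[1].split()]
    return services


def internal_port(port):
    """The 3xxxx mapping libfirewall.tcl applies: prefix the base port with '3'."""
    return int("3" + str(port))


def invalid_drop_rules(services, limit, excluded=("SNMP",)):
    """(service, base port, mapped port) triples for which the most_open
    DROP rule would be generated with a port outside the 16-bit range."""
    bad = []
    for name, ports in services.items():
        if name in excluded:
            continue  # services the Tcl condition skips entirely
        for p in ports:
            if p < limit and internal_port(p) > MAX_PORT:
                bad.append((name, p, internal_port(p)))
    return bad


if __name__ == "__main__":
    svc = parse_services(SAMPLE_CONF)
    print("old bound:", invalid_drop_rules(svc, 40000))
    print("new bound:", invalid_drop_rules(svc, 10000, ("SNMP", "NEOSERVER")))
```

Run it against a copy of the real /etc/config/firewall.conf by feeding the file contents to `parse_services` to see whether any other service would trip the same overflow.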
hoedlmoser added a commit to hoedlmoser/RaspberryMatic that referenced this issue Nov 25, 2018

changes to /lib/libfirewall.tcl to not drop internal ports > 65535, solves jens-maus#484 invalid port/service 310000 specified in firewall mode most_open

jens-maus added a commit that referenced this issue Nov 26, 2018

changes to /lib/libfirewall.tcl to not drop internal ports > 65535 (#487)

changes to /lib/libfirewall.tcl to not drop internal ports > 65535, solves #484 invalid port/service 310000 specified in firewall mode most_open

@jens-maus jens-maus added this to the next release milestone Nov 26, 2018

@jens-maus jens-maus closed this Nov 26, 2018
