Anonymous | Login | 2024-11-21 04:23 MST |
Main | My View | View Issues | Change Log | Roadmap | Repositories |
View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||
ID | Project | Category | View Status | Date Submitted | Last Update | ||||
0017391 | ClearOS | app-firewall - Firewall | public | 2017-10-05 13:40 | 2019-02-23 19:46 | ||||
Reporter | user2 | ||||||||
Assigned To | dsokoloski | ||||||||
Priority | normal | Severity | minor | Reproducibility | have not tried | ||||
Status | closed | Resolution | suspended | ||||||
Platform | OS | OS Version | |||||||
Product Version | 7.3.1 | ||||||||
Target Version | 8.0.0 Beta 1 | Fixed in Version | |||||||
Summary | 0017391: IPsec marking method is old school and conflicts with QoS | ||||||||
Description | The IPsec handling in the firewall uses an old marking method to get traffic flowing. This handling can be improved so that it does not interfere with QoS. | ||||||||
Tags | No tags attached. | ||||||||
Attached Files | |||||||||
Notes | |
(0007151) user2 2018-02-20 11:46 |
From a customer: To recreate the issue: Establish a VPN connection between two systems. Ensure Bandwidth Engine is disabled while this occurs & that firewall rules for both IPSEC Traffic & webconfig ports are enabled Once you have established a VPN connection, then access the web interface of the source system from the host. You will find that it all goes through fine. Now this has been completed, turn the Bandwidth Engine on, wait for it to update, then attempt the connection to the webconfig of the source system from the host machine. You will find that there is a rule being generated somewhere that is somehow blocking webconfig access when the bandwidth engine is enabled. Disabling the Bandwidth Engine almost immediately restores access. |
(0007191) NickH (developer) 2018-02-27 14:32 |
On the Libreswan and Openswan mailing lists, I've never seen mentioned marking packets in the mangle table, so I tried removing the marking at my end: iptables -D PREROUTING -t mangle -p esp -j MARK --set-mark 0x64 I tested to the dogfood server and was still able to transfer files with WinSCP to and from my Desktop through the tunnel to the remote server. The server has no LAN attached so I can't test further. |
(0007551) NickH (developer) 2018-06-08 03:28 |
From https://tracker.clearos.com/view.php?id=19431#c7531: [^] With the testing I've done and also had done on ticket 558446 the following rules are needed: iptables -I INPUT -m policy --dir in --pol ipsec -j ACCEPT iptables -I FORWARD -m policy --dir in --pol ipsec -j ACCEPT These replace the current: iptables -I PREROUTING -t mangle -p esp -j MARK --set-mark 0x64 iptables -I INPUT -m mark --mark 0x64 -d clearos_wan_ip -j ACCEPT iptables -I INPUT -m mark --mark 0x64 -d clearos_lan_ip -j ACCEPT iptables -I FORWARD -m mark --mark 0x64 -j ACCEPT These have the advantage of being generic so don't have to be reset if either the LAN IP or WAN IP changes so can be made permanent or, optionally, can be activated when the incoming firewall Service IPsec is activated in the firewall. Also suggested by Libreswan, there are two POSTROUTING rules which can be combined: iptables - I POSTROUTING -t nat -m policy --dir out --pol ipsec -j ACCEPT iptables - I POSTROUTING -t nat -o WAN_interface -j MASQUERADE These can be combined to a single rule: iptables - I POSTROUTING -t nat -m policy --dir out --pol none -o WAN_interface -j MASQUERADE The only issue I see with combining these now are the new docker POSTROUTING rules which may also need the "-m policy --dir out --pol none" adding. |
(0009891) dloper (administrator) 2019-02-23 19:46 |
Migrated to: https://gitlab.com/clearos/feature-requests/issues/6 [^] |
Issue History | |||
Date Modified | Username | Field | Change |
2017-10-05 13:40 | user2 | New Issue | |
2017-10-05 13:40 | user2 | Assigned To | => dloper |
2017-10-05 13:40 | user2 | Status | new => assigned |
2017-10-05 13:40 | user2 | Assigned To | dloper => dsokoloski |
2018-02-12 10:06 | user2 | Target Version | 7.4.0 Updates => |
2018-02-20 11:46 | user2 | Target Version | => 7.5.0 |
2018-02-20 11:46 | user2 | Note Added: 0007151 | |
2018-02-27 14:32 | NickH | Note Added: 0007191 | |
2018-04-11 10:14 | user2 | Target Version | 7.5.0 => 7.6.0 Updates |
2018-04-11 10:18 | user2 | Target Version | 7.6.0 Updates => 7.5.0 Updates |
2018-04-11 10:44 | user2 | Target Version | 7.5.0 Updates => 7.5.0 |
2018-04-19 08:43 | user2 | Target Version | 7.5.0 => 7.5.0 Updates |
2018-06-08 03:28 | NickH | Note Added: 0007551 | |
2018-09-04 10:26 | user2 | Target Version | 7.5.0 Updates => 8.0.0 Beta 1 |
2019-02-23 19:46 | dloper | Note Added: 0009891 | |
2019-02-23 19:46 | dloper | Status | assigned => closed |
2019-02-23 19:46 | dloper | Resolution | open => suspended |