TCP port 0 service showing up on imported firewalls | FWCloud Forum

Jeremy M

New member
I'm working on importing some firewalls into a local FWCloud installed on RHEL 9 via the Import Wizard and an FWCloud Agent. On several of my servers, I'm finding anomalous TCP port 0 services showing up, where they are not supposed to be. Here's a simplified example:

[image: FWCloud-UI-port-0.png]

What I would expect to see is:

[image: FWCloud-UI-no-port-0.png]

I tracked the issue down to multiport imports on the import wizard. If I use this iptables-save example (which is the default you get with RHEL 9), I don't see a TCP port 0 in the services column:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 33033 -j ACCEPT

-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Yet, if I merge the port 22 and port 33033 lines into a multiport line, I get the error:

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 22,33033 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

I've confirmed that if I either rebuild the complete remote firewall and import it without multiport entries, or import an iptables-save without multiport entries, everything works.

Thanks,

Jeremy
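The post above shows that the same policy expressed two ways (one rule per port versus one `-m multiport --dports` rule) should yield the same set of services after import, and that a stray TCP port 0 service is the sign that it did not. The script below is an added example for auditing an import, not code from the thread or from FWCloud: it parses the two iptables-save rulesets quoted above into (protocol, port range) services, shows they are equivalent, and diffs them against a constructed list mirroring what the screenshot reported (the port 0 entry). It also handles `a:b` port ranges and open-ended ranges, which the thread's rulesets do not use.

```python
import shlex
from dataclasses import dataclass

# Both rulesets are copied from the thread: the RHEL 9 default, with the two
# --dport rules either kept separate or merged into one multiport rule.
RULES_SEPARATE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 33033 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

RULES_MULTIPORT = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp -m multiport --dports 22,33033 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""


@dataclass(frozen=True, order=True)
class Service:
    proto: str
    port_from: int
    port_to: int


def parse_port_spec(spec: str) -> list[tuple[int, int]]:
    """Expand an iptables port argument into (from, to) pairs.

    Accepts a single port, a range 'a:b' (open ends allowed: 'a:' means a-65535,
    ':b' means 0-b), and the comma-separated list form used by -m multiport.
    """
    ranges = []
    for item in spec.split(","):
        if ":" in item:
            lo_s, hi_s = item.split(":", 1)
            lo = int(lo_s) if lo_s else 0
            hi = int(hi_s) if hi_s else 65535
        else:
            lo = hi = int(item)
        if not (0 <= lo <= hi <= 65535):
            raise ValueError(f"port out of range: {item!r}")
        ranges.append((lo, hi))
    return ranges


PORT_FLAGS = {"--dport", "--dports", "--sport", "--sports"}


def extract_services(iptables_save: str) -> list[Service]:
    """Return the sorted, de-duplicated services referenced by -A rules.

    Only the positive --dport/--dports/--sport/--sports forms are handled;
    negated matches ('! --dport') are not expected in the thread's rulesets.
    """
    found = set()
    for raw in iptables_save.splitlines():
        line = raw.strip()
        if not line.startswith("-A "):
            continue  # table headers, chain policies, COMMIT
        tokens = shlex.split(line)
        proto = None
        specs = []
        i = 0
        while i < len(tokens):
            if tokens[i] in ("-p", "--protocol"):
                proto = tokens[i + 1]
                i += 2
            elif tokens[i] in PORT_FLAGS:
                specs.append(tokens[i + 1])
                i += 2
            else:
                i += 1
        if specs and proto is None:
            raise ValueError(f"port match without -p in rule: {line}")
        for spec in specs:
            for lo, hi in parse_port_spec(spec):
                found.add(Service(proto, lo, hi))
    return sorted(found)


def zero_port_services(services: list[Service]) -> list[Service]:
    """Flag standalone port 0 services, the anomaly reported in the thread."""
    return [s for s in services if s.port_from == 0 and s.port_to == 0]


def compare_import(expected: list[Service], imported: list[Service]) -> dict:
    """Diff what the iptables-save file says against what the import produced."""
    exp, imp = set(expected), set(imported)
    return {"missing": sorted(exp - imp), "unexpected": sorted(imp - exp)}


# Constructed to mirror the screenshot: the two real services plus the stray port 0.
IMPORTED_AS_SHOWN = [Service("tcp", 22, 22), Service("tcp", 33033, 33033), Service("tcp", 0, 0)]

if __name__ == "__main__":
    expected = extract_services(RULES_MULTIPORT)
    print("expected:", expected)
    print("diff:", compare_import(expected, IMPORTED_AS_SHOWN))
    print("port 0 entries:", zero_port_services(IMPORTED_AS_SHOWN))
```

Running the script against the real import output (exported services in the same (protocol, from, to) shape) turns the manual review Carles recommends below into a repeatable check: any `unexpected` entry, and any port 0 entry in particular, means the imported policy does not match the source ruleset.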
 

Carles Munyoz

Administrator
Staff member
Thanks for the report.
We will reproduce it in the development environment, solve it and add the fix to the next FWCloud release.

Nevertheless, it is always important that you carefully review the imported policy in order to make sure yourself that the policy has been imported correctly, as, in fact, you have already done (y)
 

Carles Munyoz

Administrator
Staff member
We have already fixed this bug and it will be solved in the next FWCloud-API patch release that we will publish very soon.

We would like to mention you in the CHANGELOG.md file as the bug reporter for both this one and the other one that you reported related to the FWCloud-Installer script.
Which name do you want us to use?
Do you have a LinkedIn or GitHub account to use as a reference to you?
 

Jeremy M

New member
Jeremy Mueller is fine to use as my name. And no, I don't have a GitHub or LinkedIn account.

Thanks!

Jeremy
 