invalid port/service 310000 specified in firewall mode most_open #484

Closed
hoedlmoser opened this issue Nov 25, 2018 · 0 comments
Labels
  • ➡️ third-party issue: This is a bug/issue for/in other third-party software
  • 🐛 bug-report: Something isn't working
  • 🏷️ WebUI: This refs the WebUI component

Comments

hoedlmoser (Contributor) commented Nov 25, 2018

Describe the bug
If the Firewall-Richtlinie (firewall policy) is set to Ports offen (ports open) in RaspberryMatic 3.41.11.20181124, you get the error message "homematic user.info firewall: iptables v1.6.2: invalid port/service 310000 specified Try 'iptables -h' or 'iptables --help' for more information." in syslog. Even though this is only an info-level log entry, it means a malfunction in the firewall script and should therefore be taken seriously.

To Reproduce
Set the Firewall-Richtlinie (firewall policy) to Ports offen (ports open) under Startseite > Einstellungen > Systemsteuerung > Firewall konfigurieren (Home > Settings > Control panel > Configure firewall) and run /bin/setfirewall.tcl.

System information

  • RaspberryMatic 3.41.11.20181124
  • Charly with Raspberry Pi 3 B+

Additional context
In firewall most_open mode, the procedure FirewallInternal::Firewall_configureFirewallMostOpen in /lib/libfirewall.tcl just blocks all internal ports (3xxxx):

    #block internal ports
    foreach port $service(PORTS) {
        if { $port < 40000 && ![string equal "SNMP" $serviceName] } {
            try_exec_cmd "/usr/sbin/iptables -A INPUT -p tcp --dport 3$port -j DROP"
            if {$has_ip6tables} {
                try_exec_cmd "/usr/sbin/ip6tables -A INPUT -p tcp --dport 3$port -j DROP"
            }
        }
    }

But this produces ports > 65535, which is not in accordance with the specification, already for $port >= 10000, as is the case for NeoServer as defined in /etc/config/firewall.conf:

[SERVICE NEOSERVER]
Id = NEOSERVER
Ports = 1901 1902 5987 8088 9099 10000 48899 49880
Access = none

Additionally, this blocking of internal ports should not be applied to the NeoServer; there are simply no internal ports for NeoServer, as far as I can see in /etc/lighttpd/conf.d/proxy.conf.

See also https://homematic-forum.de/forum/viewtopic.php?f=65&t=47020&start=110#p470693

I have already prepared a diff:

--- /lib/libfirewall.tcl.orig
+++ /lib/libfirewall.tcl
@@ -416,7 +416,7 @@
 	
 	#block internal ports 
 	foreach port $service(PORTS) {
-        if { $port < 40000 && ![string equal "SNMP" $serviceName] } {
+        if { $port < 10000 && ![string equal "SNMP" $serviceName] && ![string equal "NEOSERVER" $serviceName] } {
             try_exec_cmd "/usr/sbin/iptables -A INPUT -p tcp --dport 3$port -j DROP"  
             if {$has_ip6tables} {      
                 try_exec_cmd "/usr/sbin/ip6tables -A INPUT -p tcp --dport 3$port -j DROP"
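Review bot: the new `$port < 10000` bound removes the 310000 symptom, but the hunk still derives the internal port by text concatenation (`--dport 3$port`), so the bound and the derivation are only coupled by convention: a four-digit `$port` lands in the intended 3xxxx range, while a one- to three-digit service port would be dropped as e.g. 3xx instead, and iptables would accept that silently. If the intent is the 3xxxx range, compute it explicitly, e.g. `set internal [expr {30000 + $port}]`, and guard it with `if {$internal > 65535} { continue }` so an out-of-range value fails in the script rather than surfacing only as a user.info syslog line from try_exec_cmd. The growing list of excluded service names in the condition (`SNMP`, now `NEOSERVER`) also suggests a per-service setting in firewall.conf would be more maintainable than hard-coding names in libfirewall.tcl; at minimum, a comment explaining why these two services have no internal ports would help the next reader.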
jens-maus pushed a commit that referenced this issue Nov 26, 2018

changes to /lib/libfirewall.tcl to not drop internal ports > 65535, solves #484 invalid port/service 310000 specified in firewall mode most_open
jens-maus added the labels 🐛 bug-report, 🏷️ WebUI and ➡️ third-party issue on Nov 26, 2018
jens-maus added this to the next release milestone on Nov 26, 2018
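The most_open "block internal ports" loop quoted in the issue above, modelled as an added Python example (this is not RaspberryMatic's Tcl code): it parses a firewall.conf fragment, reproduces the "3$port" string concatenation that produced 310000, and runs both the shipped predicate and the one from the diff through a port-range check before emitting any iptables rule. The NEOSERVER block is copied from the issue; the SNMP and DEMO service blocks are constructed here to exercise the SNMP exclusion and to show what the concatenation does with a three-digit port.

```python
"""Added example, not RaspberryMatic's own code: a Python model of the
most_open "block internal ports" loop from /lib/libfirewall.tcl.

It reproduces the Tcl expression "3$port" (text concatenation, not
30000 + port) that turned service port 10000 into 310000, and refuses to
emit any iptables rule whose --dport is outside 1..65535, so the failure
is caught before iptables is ever invoked."""
import re
from typing import Callable, Dict, List, Tuple

# Constructed input in /etc/config/firewall.conf format. The NEOSERVER block
# is copied from the issue; SNMP and DEMO are hypothetical entries added here
# to exercise the service-name exclusion and a three-digit port.
FIREWALL_CONF = """\
[SERVICE NEOSERVER]
Id = NEOSERVER
Ports = 1901 1902 5987 8088 9099 10000 48899 49880
Access = none

[SERVICE SNMP]
Id = SNMP
Ports = 161
Access = none

[SERVICE DEMO]
Id = DEMO
Ports = 2001 80
Access = none
"""

IPTABLES_MAX_PORT = 65535

Predicate = Callable[[str, int], bool]


def parse_services(conf: str) -> Dict[str, List[int]]:
    """Return {service name: [external ports]} from the [SERVICE X] blocks."""
    services: Dict[str, List[int]] = {}
    current = None
    for raw in conf.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[SERVICE\s+(\S+)\]", line)
        if header:
            current = header.group(1)
            services[current] = []
        elif current and line.lower().startswith("ports"):
            _, _, value = line.partition("=")
            services[current] = [int(p) for p in value.split()]
    return services


def internal_port(port: int) -> int:
    """Mirror the Tcl "3$port": prepend the character '3' to the decimal text."""
    return int("3" + str(port))


def legacy_predicate(name: str, port: int) -> bool:
    """Condition as shipped in libfirewall.tcl (the one the issue reports)."""
    return port < 40000 and name != "SNMP"


def fixed_predicate(name: str, port: int) -> bool:
    """Condition from the diff posted in the issue."""
    return port < 10000 and name not in ("SNMP", "NEOSERVER")


def build_drop_rules(
    services: Dict[str, List[int]], predicate: Predicate
) -> Tuple[List[str], List[Tuple[str, int, int]]]:
    """Return (rules, rejected).

    rules:    iptables command strings that would be executed.
    rejected: (service, external port, computed dport) tuples whose dport is
              outside 1..65535, i.e. exactly the inputs on which iptables
              fails with "invalid port/service".
    """
    rules: List[str] = []
    rejected: List[Tuple[str, int, int]] = []
    for name, ports in services.items():
        for port in ports:
            if not predicate(name, port):
                continue
            dport = internal_port(port)
            if not 1 <= dport <= IPTABLES_MAX_PORT:
                rejected.append((name, port, dport))
                continue
            rules.append(f"/usr/sbin/iptables -A INPUT -p tcp --dport {dport} -j DROP")
    return rules, rejected


if __name__ == "__main__":
    svc = parse_services(FIREWALL_CONF)
    for label, pred in (("legacy", legacy_predicate), ("fixed", fixed_predicate)):
        rules, rejected = build_drop_rules(svc, pred)
        print(f"{label}: {len(rules)} rules, rejected={rejected}")
        for rule in rules:
            print("  " + rule)
```

Running the module shows the two behaviours side by side: with the legacy condition, NEOSERVER port 10000 becomes dport 310000 and is rejected by the range check (the same value iptables complained about), while the fixed condition emits nothing for NEOSERVER or SNMP. Note what the concatenation does with the constructed DEMO port 80: it becomes 380, a low port rather than one in the 3xxxx range, which is why an explicit 30000 + port computation would be the safer way to express the intent.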