Blue zone cant access Green zone

[Guest]

[jeremycald]

I checked the logs and it is telling me that the chain FORWARD:DROP     br0 is what is blocking it.  I've been through the various firewall settings (inter, outer, inny, outty ;-) and have not been able to communicate.  The next step I tried just in case was turning off the HTTP proxy.  Still no dice.  I am thinking it may be the following:   http://kb.endian.com/entry/27/  but what I am afraid of is that will open EVERYTHING up and not allow me to eventually control the access. 

I am going to try it tonight after work hours because I have to reboot it of course.

Yipee!!! it worked   Now the next step is to try to see if we can control it.  Will report back.

[jeremycald]

After applying the update it worked and worked well.  . . . .  too well. It appears that it now applies the PortForward rules to the Blue interface as if it was another Red interface.  As well the Inter-Zone rules have only ALLOW effect, DENY has no effect.

This would be OK except that I would like to allow the Blue interface to also print to one of my printers on the Green interface and that will not work.

I may just have to go with the VPN in the end.

[npeterson]

Source: Blue Destination: IPaddress of printer or <green> Port 9000 allow. Simple.

[alex.enjoy]

Hello,

i run into the same trouble with the inter-zone firewall within efw 2.2 community.
But surprising: it seems that any change to the rules works only after re-booting the efw! 
just try it... does it work?

alex.

[jeremycald]

Believe it or not, I think you are right.  However I would like to do a bit more testing before I say that is the save all. I'll update soon.

[hpwr]

Hi, I think I have a similar problem with v.2.3;

Green IP: 192.168.0.1
Blue IP: 192.168.1.1

Green PC´s can ping and conenct to Blue ones
Blue PC´s can surf the internet
Blue PC´s CANNOT access or ping Green ones...

In Inter-Zone firewall configuration I have:

1     BLUE     <ANY>     <ANY>      ALLOW      

also tryed BLUE to GREEN or Blue Interface to Green Interface... Rebooting etc. but nothing with success.

This post is pretty old now, I cannot imagine this being a BUG for so much time.... Please help.

Thanks.

[Steve]

    
"Blue zone cant access Green zone" - This is normal.

Blue is intended to be used for a wireless network and is UNTRUSTED.
Green is the TRUSTED network.

To allow access from Blue to Green you need to use Zone Pinholes

[hpwr]

Thank you for the answer.

I know, actually I´m using an IPcop in this configuration, green for the lan and blue for some wifi stuff and some ´external´ computers that need to access some green ip´s. It is working with ´Blue Access´ and ´DMZ Pinholes´ but in endian that is controlled by the ´Inter-Zone firewall´.

I´ve created the rule above and some other tests without getting the computer at the blue side to see anything on the green, even disabling the entire inter-zone firewall didn´t change anything...  I have tryed this script ( kb.endian.com/entry/27 ) too equal without success.

Any idea what´s going wrong ?

[sn_helpdesk]

Hi,

i got the same problem on my Endian 2.4.
I can't get traffic from Blue/Orange to Green.
I also tried this script hpwr mentioned without any success.

Does anyone got a solution for this problem?

[rrch]

Hello!

I had the same problem with endian 2.5.1, so I wanted to do was to give access from the blue zone to a port of a PC in the green zone. In my case, the problem was that I activated a Routing Policy for all pc's in the blue area, (all pc's will use the uplink2 for everything), so the pc's in the blue never going to reach the green. I solved the problem by disabling that policy routing.

Later I added specific routes for the lan and then added the policy I mentioned earlier.

For those who want to give full access (bad idea) from blue to green (ping, etc), just add the rule in the inter-zone module:(source) blue - (destination) green - (service) any - (policy) Allow
In my case it was unnecessary to disable the proxy, or restart the computer or do something else.

Can corroborate this in efw 2.5.1 testing with a newly installed system. In my case I used virtualbox.

Sorry for my English but I'm usually much better reading than writing 

Greetings.