Firewall UI: config failed msg if not "All IP"

1dimitri
Posts: 18
Joined: 30 Jun 2021, 19:25

Firewall UI: config failed msg if not "All IP"

Post by 1dimitri »

- TOS 4.2.15 on F2-221 (x86)
- Steps to reproduce:

1. Go to Control Panel > General Settings section > Security > Firewall
2. Add new rule by selecting create
3. Type in a name such as "fwtest1"
4. Select "Enable" as Operation and leave other options as is (enable unchecked), TCP and UDP as protocols checked
5. Click next
6. Select single IP Address and type "1.1.1.1" for example
7. Click next
8. Page displays only "All" as choice under Ports. >> BUG 1 <<
9. Click confirm
10. Config failed is displayed >> BUG 2 <<
TMRyan
TerraMaster Team
Posts: 817
Joined: 01 Dec 2020, 11:50

Re: Firewall UI: config failed msg if not "All IP"

Post by TMRyan »

Hi,
Our permission rules are for the type of access protocol. Do you want to allow only certain ports of TCP or UDP for a certain IP?
To contact our team, please send email to following addresses, remember to replace (at) with @
Technical team: support(at)terra-master.com (for technical support)
Service team: service(at)terra-master.com (for purchasing, return, replacement)
TMroy
TerraMaster Team
Posts: 2578
Joined: 10 Mar 2020, 14:04
China

Re: Firewall UI: config failed msg if not "All IP"

Post by TMroy »

I just made a test, but unfortunately, I didn't find such an issue as you described. Would you provide more specifics on how to reproduce such an issue?
firewalltest1.png
firewalltest2.png
firewalltest3.png
firewalltest4.png
1dimitri
Posts: 18
Joined: 30 Jun 2021, 19:25

Re: Firewall UI: config failed msg if not "All IP"

Post by 1dimitri »

Capture d’écran du 2021-09-12 19-20-24.png
Capture d’écran du 2021-09-12 19-21-07.png
Capture d’écran du 2021-09-12 19-21-41.png
Capture d’écran du 2021-09-12 19-21-58.png
Capture d’écran du 2021-09-12 19-24-08.png
I've tested with Firefox latest and Brave latest to get 2 different HTML rendering engines.
The issue seems to be that the fields are there but set with the `display: none` attribute (see latest screenshot).

I'm not sure which logs could help you troubleshoot this. Do you want the network trace of files being loaded by the browser?
1dimitri
Posts: 18
Joined: 30 Jun 2021, 19:25

Re: Firewall UI: config failed msg if not "All IP"

Post by 1dimitri »

Make sure to select Accept, and not Reject as in your example, and the bug appears!
TMSupport
TerraMaster Team
Posts: 2314
Joined: 13 Dec 2019, 15:15

Re: Firewall UI: config failed msg if not "All IP"

Post by TMSupport »

Hi! When setting firewall rules and checking the “Accept” operation, the IP of the computer you are using should be included, otherwise the setting will fail.
1dimitri
Posts: 18
Joined: 30 Jun 2021, 19:25

Re: Firewall UI: config failed msg if not "All IP"

Post by 1dimitri »

That doesn't solve the issue:
Capture d’écran du 2021-09-13 12-56-18.png
Capture d’écran du 2021-09-13 12-56-35.png
TMnorah
TerraMaster Team
Posts: 117
Joined: 17 Aug 2021, 09:51

Re: Firewall UI: config failed msg if not "All IP"

Post by TMnorah »

Hi. This is normal firewall logic.
Generally speaking, if you do not set up a firewall, all IPs and ports are allowed, so setting "allow" means to disable other IPs except the allowed IPs. If other keys such as the IP of the network card are not listed in the allowed IPs, they cannot be set. (Otherwise it will never be accessible.)
1dimitri
Posts: 18
Joined: 30 Jun 2021, 19:25

Re: Firewall UI: config failed msg if not "All IP"

Post by 1dimitri »

That some rules must be enforced to avoid sawing off the branch you're sitting on is of course a valid point, but that's not the scenario here ;)

There is an inconsistency between the behavior you describe and the UI interface.

E.g.
You may well have the "Allow TELNET/SSH only from local network" enabled in the SSHD/Telnet part of the UI for example.

In that case, everything which is not from a private IP is denied access to ports 9222/23.
You are then unable to add an external IP to the list of allowed machines for SSHD without adding an "accept" rule.
How then would you do that?
Do not tell me to "Reject all" for that port, because in that case you're sawing off the branch on which you're sitting since you are not able to enter the "accept" rules for the external IP and the local private IP first....

In the same way, how would you configure some services other than ssh/telnet to be allowed only from the local network (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16)?

In addition, as far as TOS 4.2.15 is concerned, even if there is no rule defined in the firewall UI, there are still rules defined in the iptables chain, so you cannot say "firewall not set" since there are always some rules enforced. (I'm not mentioning here the fact that the interface doesn't give you a general enable/disable flag at the UI level or that the DOCKER application creates its own chain.)
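
Added example, not part of the original thread and not TerraMaster's code: a small Python model of the accept-rule semantics the staff replies describe (an accept list implicitly denies every other source, so the admin's own IP must be covered) applied to the allowlist asked for in the post above. The admin address `192.168.1.50` and the external host `203.0.113.7` are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Private ranges quoted in the thread (RFC 1918).
LOCAL_NETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
# Constructed sample values: TEST-NET-3 external host, admin browser on the LAN.
EXTERNAL_HOST = "203.0.113.7"
ADMIN_IP = "192.168.1.50"


def parse_allowlist(entries):
    """Parse single IPs and CIDR strings; raises ValueError on a bad entry."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(src, nets):
    """True if src matches any entry; every other source is implicitly denied."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in nets)


def check_accept_rule(entries, admin_ip):
    """Pre-flight check before applying an accept rule; returns (ok, reason)."""
    try:
        nets = parse_allowlist(entries)
    except ValueError as exc:
        return False, f"invalid entry: {exc}"
    if not nets:
        return False, "empty allowlist denies every source"
    if not is_allowed(admin_ip, nets):
        return False, f"{admin_ip} is not covered: applying would lock out this session"
    return True, "ok"


if __name__ == "__main__":
    # Rule from the bug report: one foreign IP, admin session not included.
    print(check_accept_rule(["1.1.1.1"], ADMIN_IP))
    # Local networks plus one external host, as asked for in the post above.
    entries = LOCAL_NETS + [EXTERNAL_HOST]
    print(check_accept_rule(entries, ADMIN_IP))
    nets = parse_allowlist(entries)
    for src in ("10.20.30.40", "172.31.255.254", "172.32.0.1", EXTERNAL_HOST, "198.51.100.9"):
        print(src, "ACCEPT" if is_allowed(src, nets) else "DROP")
```

A check like this can return a reason naming the uncovered address, which is more actionable than a generic "Config failed" message.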
TMSupport
TerraMaster Team
Posts: 2314
Joined: 13 Dec 2019, 15:15

Re: Firewall UI: config failed msg if not "All IP"

Post by TMSupport »

Hi!
Currently, you cannot customize the port when creating a firewall accept operation rule, but you can customize the port for a reject operation rule.
Enabling "Allow TELNET/SSH access only within the local network" only prohibits other network segments from accessing the NAS terminal, and you can still access the NAS in the browser.