Resolved
1 votes
I have a new issue (seems to have started this morning).
I have 2 WANs in Primary / Backup mode: ppp0, ppp0:200 and ppp1.
I have a mail server on one of my LANs and it always sent using ppp0:200. This worked fine; now it sends using ppp0 and this is causing me issues (SPF related).
How can I make a route so that a specific IP on the LAN always uses ppp0:200?
Note that ppp0:200 is not defined as a virtual route; it's generated from 1-to-1 NAT.

Many thanks
Tuesday, June 16 2020, 01:11 PM
Responses (11)
  • Accepted Answer

    Tuesday, June 16 2020, 06:34 PM - #Permalink
    Resolved
    0 votes
    If you have a paid version you can already do:
    rm -rf /var/cache/yum/
    yum update app-firewall
  • Accepted Answer

    Tuesday, June 16 2020, 06:30 PM - #Permalink
    Resolved
    0 votes
    The patch has been pushed and everyone should receive it overnight. The repos are currently syncing, but you can try a "yum update app-firewall". Having said that, as you've patched your program already, there is no rush.
  • Accepted Answer

    Tuesday, June 16 2020, 05:44 PM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote: when the firewall restarts which can be weeks later.

    I guess that was this morning when I restarted the OS after troubleshooting a DNS issue.
    (Turns out I banned the DNS IPs of OpenDNS, Google and Cloudflare (fail2ban port probing); no clue how/why those DNS servers would try to ESTABLISH a NEW connection to a closed port on my WAN, I am clueless.)

    How soon would the patch be pushed?
    Once again many thanks
  • Accepted Answer

    Tuesday, June 16 2020, 05:38 PM - #Permalink
    Resolved
    0 votes
    The patch was released to the Community on 26/5 and to paid users a week later, but an update to app-firewall does not trigger a firewall restart. The issue would only become apparent when the firewall restarts, which can be weeks later.
  • Accepted Answer

    Tuesday, June 16 2020, 05:31 PM - #Permalink
    Resolved
    0 votes
    Do you know when this bug/change was introduced? Just wondering how long I have been having issues without realising.
  • Accepted Answer

    Tuesday, June 16 2020, 05:28 PM - #Permalink
    Resolved
    1 votes
    Nick Howitt wrote:
    In /usr/clearos/apps/firewall/deploy, please can you try uncommenting (remove the "--") line 2268 and 2269 so they read:
                        iptables("nat",
    string.format("-A POSTROUTING -s %s -j SNAT --to %s", toip, r_addr))

    You are only referring to the file "firewall.lua", correct? (You specified only the dir.)
    If it fixes it, please post back and I'll push through an urgent patch.

    It FIXED it!!!!!
    Thank you so much
  • Accepted Answer

    Tuesday, June 16 2020, 05:15 PM - #Permalink
    Resolved
    0 votes
    What is the LAN IP affected? 26.26.26.30? If so, you appear to be missing a bunch of rules which SNAT 26.26.26.30 back to your WAN IP.

    In /usr/clearos/apps/firewall/deploy, please can you try uncommenting (remove the "--") line 2268 and 2269 so they read:
                        iptables("nat",
    string.format("-A POSTROUTING -s %s -j SNAT --to %s", toip, r_addr))
    I don't think they should have really been in the ICMP section and should not have been commented out.

    Then restart the firewall with a "systemctl firewall restart" and see if it fixes it.

    If it fixes it, please post back and I'll push through an urgent patch.
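The diagnosis above comes down to one question: does a per-host SNAT rule for the mail server's LAN IP exist in the POSTROUTING chain, and does it sit before any generic MASQUERADE rule that would otherwise send the traffic out on the primary WAN address? The script below is an added example (not part of this thread or of the ClearOS firewall code) that parses output in the shape of `iptables -t nat -S POSTROUTING` and reports which rule the mail server's packets will actually hit. The sample rulesets, the LAN address 26.26.26.30 and the public address 203.0.113.200 are constructed for the example.

```python
import ipaddress
import shlex

# Constructed sample output in the shape of "iptables -t nat -S POSTROUTING".
# The per-host SNAT rule comes first, so 26.26.26.30 leaves with the virtual IP.
SAMPLE_OK = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 26.26.26.30/32 -j SNAT --to-source 203.0.113.200
-A POSTROUTING -s 26.26.26.0/24 -o ppp0 -j MASQUERADE
"""

# Same ruleset with the per-host SNAT rule missing (the symptom discussed above):
# the mail server then leaves via the generic MASQUERADE rule on ppp0.
SAMPLE_BROKEN = """\
-P POSTROUTING ACCEPT
-A POSTROUTING -s 26.26.26.0/24 -o ppp0 -j MASQUERADE
"""


def parse_postrouting(text):
    """Turn '-A POSTROUTING ...' lines into dicts: source network, out iface, target, to-source."""
    rules = []
    for line in text.splitlines():
        if not line.startswith("-A POSTROUTING"):
            continue  # skip the policy line and anything that is not a rule
        tokens = shlex.split(line)
        rule = {"src": None, "out": None, "target": None, "to": None}
        i = 2  # skip "-A" and the chain name
        while i < len(tokens):
            tok = tokens[i]
            if tok == "-s":
                rule["src"] = ipaddress.ip_network(tokens[i + 1], strict=False)
                i += 2
            elif tok == "-o":
                rule["out"] = tokens[i + 1]
                i += 2
            elif tok == "-j":
                rule["target"] = tokens[i + 1]
                i += 2
            elif tok in ("--to-source", "--to"):
                rule["to"] = tokens[i + 1]
                i += 2
            else:
                i += 1  # ignore match options this check does not care about
        rules.append(rule)
    return rules


def check_snat(rules, lan_ip, expected_wan_ip):
    """Return (ok, reason) based on the first NAT rule that matches lan_ip.

    iptables evaluates POSTROUTING top to bottom and stops at the first SNAT or
    MASQUERADE hit, so ordering matters as much as presence.
    """
    host = ipaddress.ip_address(lan_ip)
    for rule in rules:
        if rule["src"] is not None and host not in rule["src"]:
            continue
        if rule["target"] not in ("SNAT", "MASQUERADE"):
            continue
        if rule["target"] == "SNAT" and rule["to"] == expected_wan_ip:
            return True, f"{lan_ip} is SNATed to {expected_wan_ip}"
        if rule["target"] == "SNAT":
            return False, f"{lan_ip} is SNATed to {rule['to']}, expected {expected_wan_ip}"
        return False, f"{lan_ip} hits MASQUERADE on {rule['out'] or 'any iface'} before any SNAT rule"
    return False, f"no SNAT or MASQUERADE rule matches {lan_ip}"


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_OK), ("broken", SAMPLE_BROKEN)):
        ok, reason = check_snat(parse_postrouting(sample), "26.26.26.30", "203.0.113.200")
        print(f"{name}: {'PASS' if ok else 'FAIL'} - {reason}")
```

On a live box you would feed it the real output (`iptables -t nat -S POSTROUTING`) instead of the constructed samples; a FAIL that names MASQUERADE is exactly the case where outbound mail is stamped with the primary WAN address and SPF breaks.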
  • Accepted Answer

    Tuesday, June 16 2020, 03:42 PM - #Permalink
    Resolved
    0 votes
    The output of iptables -nvL -t nat: https://termbin.com/e84y. I replaced my WAN IP with xx.xx.xx. 26.26.26.0/24 is a VLAN I use (I know it doesn't conform to standards; I have not yet gotten around to changing it. It's been working fine for 7 years).

    I did not restart the firewall directly, but I did restart the OS several times.
  • Accepted Answer

    Tuesday, June 16 2020, 03:10 PM - #Permalink
    Resolved
    0 votes
    I misread and thought ppp0:200 was a VLAN, not a virtual IP. Also I meant the MultiWAN app and not the 1-to-1 NAT app. All in all, not a good first response of mine! Let's try again.

    I thought the 1-to-1 NAT app automatically added the rules, but I was never 100% certain. There is one specific rule I don't like. I'd love to get those rules rewritten but I can't get any traction.

    What is the output of
    iptables -nvL -t nat
    I thought the right rules were there to SNAT outgoing packets. Perhaps try restarting the firewall.

    Are you doing 1-to-1 NAT on all traffic on the ppp0:200 IP or just specific ports and protocols? If you are doing it for specific ports and protocols, can you try doing it for all traffic?
  • Accepted Answer

    Tuesday, June 16 2020, 02:20 PM - #Permalink
    Resolved
    0 votes
    Thanks for your response.
    1. Destination Port rule? Do you mean an incoming rule? How will that help?
    2. I added all the IPs to the current SPF records (I don't have reverse DNS); the problem is it's taking long for many ISPs to populate... meanwhile hundreds of sent emails are getting rejected. (I updated the SPF records ~4 hours ago; so far Hotmail works, Gmail is still showing an SPF fail.)
    3. ppp0:200 is auto-generated after adding 1-to-1 NAT rules with that IP (for example NAT_TWS_PRI_HTTPS_443||0x10000080|6|x.x.x.x|443|ppp0_192.168.20.22 \)
    I really need a way to make all traffic from a specific LAN IP use ppp0:200. I never had such a route and cannot figure out what recently changed so that it stopped using this interface.
  • Accepted Answer

    Tuesday, June 16 2020, 02:05 PM - #Permalink
    Resolved
    0 votes
    Can you use the 1-to-1 NAT app and do a Destination Port rule where the destination port is 25?

    Can you create an SPF rule which allows all your interfaces? The only thing is that all should then have a reverse DNS record.

    Out of interest, how did you set up your ppp0:200 VLAN, as it is not a usual identifier?