Mailinglist Archive: opensuse-security (408 mails)
Re: [suse-security] SuSE personal Firewall 1.1-4 / ppp*
- From: Roman Drahtmueller <draht@xxxxxxx>
- Date: Mon, 15 Apr 2002 12:09:58 +0200 (MEST)
- Message-id: <Pine.LNX.4.44.0204151204470.25922-100000@xxxxxxxxxxxx>
Hi Klaus,
> I may have found a security problem in SuSE personal firewall 1.1-4. Other
> versions might be affected as well.
>
> Description:
>
> condition:
> REJECT_ALL_INCOMING_CONNECTIONS=modem in /etc/rc.config.d/security.rc.config
>
> affected file:
> /sbin/SuSEpersonal-firewall
>
> In line 310 RAIC is set to "ppp*". This is later passed to iptables (or
> ipchains) as interface parameter leading to the warning
> "Warning: wierd character in interface `ppp*' (No aliases, :, ! or *)."
> in the log.
>
> fix:
> Set RAIC to "ppp+" instead. the "+" is the proper wildcard for the iptables
> and ipchains commands.
>
> Questions:
> Is this in fact a bug or did I miss something?
> Was a proper rule for the ppp* (ppp0, ppp1, ...) interface created? I did
> not check.
I think you did... The /sbin/SuSEpersonal-firewall runs two times during
boot and each time when some ppp link goes online (from /etc/ppp/ip-up).
With each run, it removes the rules from its own chains and sets new ones.
To find out which interfaces exist, it does
if [ "$iname" = "modem" ]; then
RAIC="$RAIC `cd /proc/sys/net/ipv4/conf; echo ppp* `"
else
RAIC="$RAIC $iname"
fi
...which results in the "ppp*" string if there is no interface named ppp*
present. The script is written for very fast execution, and echo <pattern>
is much faster than an ls <pattern>.
Agreed, it's not beautiful, it may be considered a bug, but it's not a
problem (except for the log message).
Thanks for your mail!
>
> Klaus
Roman.
--
| Roman Drahtmüller <draht@xxxxxxx>          // "You don't need eyes to see, |
| SuSE Linux AG - Security   Phone:          //  you need vision!"           |
| Nürnberg, Germany          +49-911-740530  //  Maxi Jazz, Faithless        |
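The behaviour Roman describes (an unmatched shell glob surviving as the literal string "ppp*", which then reaches iptables as an interface name) can be reproduced and guarded against in a few lines. The script below is an added example, not code from the mail or from SuSEpersonal-firewall: it runs the original construct and a safer variant over a constructed temporary directory (standing in for /proc/sys/net/ipv4/conf, which is assumed, not read), and adds a check for the characters the iptables warning names.

```shell
# Added example (not from the mail or from /sbin/SuSEpersonal-firewall).
# The directory argument stands in for /proc/sys/net/ipv4/conf; the demo
# uses a constructed temporary directory so it runs anywhere.

# The construct from the firewall script, as quoted in the mail: when no
# ppp* entry exists the glob does not expand and the literal "ppp*" is
# returned, which is what iptables later complains about.
raic_original() {
    ( cd "$1" && echo ppp* )
}

# Safer variant: only emit names that really exist as directories, so an
# empty result means "no ppp interface is up" instead of a stray pattern.
raic_existing() {
    dir=$1
    out=""
    for d in "$dir"/ppp*; do
        [ -d "$d" ] || continue
        name=${d##*/}
        out="${out:+$out }$name"
    done
    printf '%s\n' "$out"
}

# Guard: reject any candidate interface name containing the characters the
# iptables/ipchains warning lists (":", "!" and "*") before it is passed on.
valid_ifname() {
    case $1 in
        *[:!*]*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Demonstration on a constructed directory tree.
demo() {
    tmp=$(mktemp -d)
    echo "empty dir:      original='$(raic_original "$tmp")' existing='$(raic_existing "$tmp")'"
    mkdir "$tmp/ppp0" "$tmp/ppp1" "$tmp/eth0"
    echo "with ppp0 ppp1: original='$(raic_original "$tmp")' existing='$(raic_existing "$tmp")'"
    for n in $(raic_original "$tmp") 'ppp*'; do
        if valid_ifname "$n"; then echo "ok:     $n"; else echo "reject: $n"; fi
    done
    rm -rf "$tmp"
}
```

Running `demo` shows the original construct yielding `ppp*` on the empty directory and `ppp0 ppp1` once the entries exist, while the safer variant yields nothing or the same list respectively. Note that, as Klaus points out, a single rule on `ppp+` already covers every ppp interface for iptables and ipchains, so enumerating existing names is only needed where the script wants one rule per interface.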