[Bug 694464] New: SuSEfirewall2_setup wipes out site specific iptable rules on boot
https://bugzilla.novell.com/show_bug.cgi?id=694464#c0

Summary: SuSEfirewall2_setup wipes out site specific iptable rules on boot
Classification: openSUSE
Product: openSUSE 11.4
Version: Factory
Platform: x86-64
OS/Version: openSUSE 11.4
Status: NEW
Severity: Critical
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: Curt.Blank@curtronics.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1

SuSEfirewall2_setup has "# Should-Start: $ALL ..." in it, which makes it one of the last startup scripts to run.

1. It should run as soon as possible after the network is up to protect the system, not after apps that listen to the network are already exposed.

2. I have startup scripts that run and add iptables rules, then SuSEfirewall2_setup runs after them and wipes out the rules, even though I have

    # Required-Start: $syslog $named SuSEfirewall2_setup
    # Should-Start: $syslog $named SuSEfirewall2_setup

in my scripts, but that $ALL in SuSEfirewall2_setup trumps these.

This has been going on for a while and I'm finally tired of having to correct this after every darn update. $ALL never used to be in the last SuSEfirewall2_* script that ran on startup; then one day many versions ago it showed up. PITA.

SuSEfirewall2_setup does not need to run last; in fact, for the reason I mentioned above, it should run as soon as possible after the network is up to protect the machine and not leave it exposed even for 10 seconds.

Reproducible: Always

Steps to Reproduce:
1. boot the system
2.
3.

Actual Results:
Wipes out site specific iptable rules.

Expected Results:
I expect it to run as soon as the network is up and not last, and not wipe out other iptable rules.

I consider this a critical bug because of network exposure.
--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=694464#c1

Marcus Meissner <meissner@novell.com> changed:
  What       | Removed                                   | Added
  CC         |                                           | meissner@novell.com
  AssignedTo | bnc-team-screening@forge.provo.novell.com | lnussel@novell.com

--- Comment #1 from Marcus Meissner <meissner@novell.com> 2011-05-18 06:44:22 UTC ---

That's why you should hook your site specific rules into the site specific part of SuSEfirewall2.

This hook script can be set in /etc/sysconfig/SuSEfirewall2 in FW_CUSTOMRULES="" and a sample one is in /etc/sysconfig/scripts/SuSEfirewall2-custom (you just need to decide at which stage to run your rules).

For the initial protection we run the SuSEfirewall2_init script, which does initial blocking.

Assigning to Ludwig if he has more comments.
https://bugzilla.novell.com/show_bug.cgi?id=694464#c2

Ludwig Nussel <lnussel@novell.com> changed:
  What       | Removed | Added
  Status     | NEW     | RESOLVED
  Resolution |         | INVALID

--- Comment #2 from Ludwig Nussel <lnussel@novell.com> 2011-05-18 08:51:31 CEST ---

Couldn't explain it better.
https://bugzilla.novell.com/show_bug.cgi?id=694464#c3

--- Comment #3 from Curtis J Blank <Curt.Blank@curtronics.com> 2011-05-18 13:34:08 UTC ---

Ah-ha! Looks like I can just add calls to my scripts in fw_custom_after_chain_creation(). That makes it easy. I was not aware of that hook, thank you!
https://bugzilla.novell.com/show_bug.cgi?id=694464#c4

Curtis J Blank <Curt.Blank@curtronics.com> changed:
  What       | Removed   | Added
  Priority   | P5 - None | P1 - Urgent
  Status     | RESOLVED  | REOPENED
  Resolution | INVALID   |

--- Comment #4 from Curtis J Blank <Curt.Blank@curtronics.com> 2011-05-19 01:45:22 UTC ---

Yeah well, this is a good idea but it doesn't work.

I create my own file "/etc/sysconfig/scripts/SuSEfirewall2-ipRules" using the "/etc/sysconfig/scripts/SuSEfirewall2-custom" file as a template, put my rules in the "fw_custom_after_chain_creation()" function, and added it to "/etc/sysconfig/SuSEfirewall2" as

    FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-ipRules"

The last thing I do in the function is an "iptables -L -n" and "iptables -L -n nat" and I see my rules there, but when "SuSEfirewall2_setup start" completes I look again with "iptables -L -n" and "iptables -L -n nat" and my rules are no longer there. They are gone, wiped out.

So the concept is good but the execution is lacking. Where do we go from here? I can send you a verbose trace if you want.
https://bugzilla.novell.com/show_bug.cgi?id=694464#c5

Ludwig Nussel <lnussel@novell.com> changed:
  What       | Removed  | Added
  Status     | REOPENED | RESOLVED
  Resolution |          | INVALID

--- Comment #5 from Ludwig Nussel <lnussel@novell.com> 2011-05-19 08:12:58 CEST ---

Note that bugzilla is not a support forum. For help with your setup please consult our mailinglists.
https://bugzilla.novell.com/show_bug.cgi?id=694464#c6

Curtis J Blank <Curt.Blank@curtronics.com> changed:
  What       | Removed  | Added
  Status     | RESOLVED | REOPENED
  Resolution | INVALID  |

--- Comment #6 from Curtis J Blank <Curt.Blank@curtronics.com> 2011-05-19 13:04:56 UTC ---

"Ludwig Nussel 2011-05-19 06:12:58 UTC
Note that bugzilla is not a support forum. For help with your setup please consult our mailinglists."

Excuse me? That's hogwash. This is something that's broken, i.e. does not work. Something that doesn't work is a bug. Bugzilla is for reporting bugs.

I am not asking for help writing iptable rules; I have been doing that since iptables came around. Before that, I used ipfilters. That is not where the problem lies.

1. SuSEfirewall2_setup starts up
2. SuSEfirewall2_setup calls fw_custom_after_chain_creation()
3. My rules are added and I see my rules in the chains
4. fw_custom_after_chain_creation() finishes and returns control to SuSEfirewall2_setup
5. SuSEfirewall2_setup finishes
6. My rules are no longer in the chains

That is a bug.
https://bugzilla.novell.com/show_bug.cgi?id=694464#c7

Ludwig Nussel <lnussel@novell.com> changed:
  What       | Removed  | Added
  Status     | REOPENED | RESOLVED
  Resolution |          | INVALID

--- Comment #7 from Ludwig Nussel <lnussel@novell.com> 2011-05-19 15:31:29 CEST ---

    test:~ # grep ^FW_CUST /etc/sysconfig/SuSEfirewall2
    FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
    test:~ # cat /etc/sysconfig/scripts/SuSEfirewall2-custom
    fw_custom_after_chain_creation() {
        iptables -A INPUT -s 7.7.7.7 -j LOG
    }
    test:~ # SuSEfirewall2
    SuSEfirewall2: Setting up rules from /etc/sysconfig/SuSEfirewall2 ...
    SuSEfirewall2: using default zone 'ext' for interface eth0
    SuSEfirewall2: Firewall customary rules loaded from /etc/sysconfig/scripts/SuSEfirewall2-custom
    SuSEfirewall2: Firewall rules successfully set
    test:~ # iptables -vnL|grep 7.7.7.7
        0     0 LOG        all  --  *      *       7.7.7.7              0.0.0.0/0            LOG flags 0 level 4
https://bugzilla.novell.com/show_bug.cgi?id=694464#c8

--- Comment #8 from Ludwig Nussel <lnussel@novell.com> 2011-05-19 15:36:20 CEST ---

Could it be that you are calling iptables with an absolute path? That won't work due to the batch commit feature.
https://bugzilla.novell.com/show_bug.cgi?id=694464#c9

--- Comment #9 from Curtis J Blank <Curt.Blank@curtronics.com> 2011-05-19 15:57:07 UTC ---

No, no absolute path, just "iptables blah blah blah". Thanks for your test, that helped, and for your patience.

Did this on my test machine:

    fw_custom_after_chain_creation() {
        iptables -N ipINacc
        iptables -A ipINacc -p tcp -s 7.7.7.7 -d 0/0
        iptables -I INPUT 1 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ipINacc
        true
    }

And it worked on my test machine, which normally does not run the firewall, so it hardly had any rules. And as you can see, I create my own chains.

On the server with the problem I have this:

    fw_custom_after_chain_creation() {
        /usr/local/bin/ipRules
        status=$?
        iptables -L -n
        if [ $status = 0 ] ; then
            true
        else
            false
        fi
    }

That -L shows my rules were added.

/usr/local/bin/ipRules has this:

    /etc/init.d/ip_block start
    /etc/init.d/ip_fw start
    /etc/init.d/ip_accept start

For simplification the status capturing and returning it is not shown.

Thanks for pointing out this is not a bug. I will dig deeper. It's just confusing: the rules are there while it's executing and then they're gone when it's completed.
https://bugzilla.novell.com/show_bug.cgi?id=694464#c10

Curtis J Blank <Curt.Blank@curtronics.com> changed:
  What       | Removed  | Added
  Status     | RESOLVED | REOPENED
  Resolution | INVALID  |

--- Comment #10 from Curtis J Blank <Curt.Blank@curtronics.com> 2011-05-20 01:35:10 UTC ---

Here's the problem. Do this:

In FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-ipRules" there is this:

    fw_custom_after_chain_creation() {
        /etc/init.d/ip_accept_test
        true
    }

    # cat /etc/init.d/ip_accept_test
    #!/usr/bin/ksh
    iptables -N ipINacc
    iptables -A ipINacc -p tcp -s 7.7.7.7 -d 0/0
    iptables -I INPUT 1 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ipINacc
    exit 0
    #

That does not work. If you put the "iptables" statements in the function in the file pointed to by FW_CUSTOMRULES, it works. If you call scripts in the function to put the rules in, it does *not* work.

I've got hundreds of rules that are generated by 3 scripts, each using data from data files. To have to put each rule in individually in the fw_custom_after_chain_creation() function would be a nightmare to try and maintain. Plus the rules are generated from accumulated data, thus dynamic to thwart off attacks.

So. When the rules are added by a script that is called from the function, it does not work.
https://bugzilla.novell.com/show_bug.cgi?id=694464#c11

Ludwig Nussel <lnussel@novell.com> changed:
  What       | Removed  | Added
  Status     | REOPENED | RESOLVED
  Resolution |          | INVALID

--- Comment #11 from Ludwig Nussel <lnussel@novell.com> 2011-05-20 08:30:36 CEST ---

Either source the script so it runs in the same shell context as SuSEfirewall2, or set FW_USE_IPTABLES_BATCH=no. With batch committing on, iptables is an alias that does not exist in external scripts, of course.
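A constructed shell model of the failure mode in comment #11 (an added example, not SuSEfirewall2's own code): in batch mode the firewall script shadows "iptables" (modelled here as a shell function) so rules are only queued for one final commit, and a helper script executed as a child process bypasses that queue and loses its rules at the commit, while the same helper sourced into the shell keeps them. The fake binary, temp files, the 192.0.2.10 address and the "commit overwrites the whole ruleset" behaviour are all assumptions made for the demo.

```shell
# Constructed model, not SuSEfirewall2's own code. In batch mode the firewall
# script shadows "iptables" (modelled here as a shell function) so rules are only
# queued and committed once at the end; a helper run as a child process does not
# inherit it and talks to the real binary instead, so its rules vanish at commit.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KERNEL="$WORK/kernel_rules"   # stand-in for the live kernel ruleset
BATCH="$WORK/batch"           # stand-in for the batch handed to the final commit

# Fake "real" iptables binary on PATH: applies a rule to the kernel immediately.
mkdir -p "$WORK/bin"
printf '#!/bin/sh\necho "$*" >> "%s"\n' "$KERNEL" > "$WORK/bin/iptables"
chmod +x "$WORK/bin/iptables"
export PATH="$WORK/bin:$PATH"

# Site-specific rule generator, like /etc/init.d/ip_accept in the report
# (constructed rules; 192.0.2.10 is a documentation address).
cat > "$WORK/ip_accept" <<'EOF'
iptables -N ipINacc
iptables -A ipINacc -p tcp -s 192.0.2.10 -j ACCEPT
iptables -I INPUT 1 -j ipINacc
EOF

# Batch-mode shadow: visible in this shell only, never in a child process.
iptables() { echo "$*" >> "$BATCH"; }

# Final commit: the batch replaces the whole ruleset (modelled as an overwrite).
commit_batch() { cat "$BATCH" > "$KERNEL"; }

# Run the custom hook with the helper exec'd or sourced; print how many of the
# site's ipINacc rules are still present after the commit.
surviving_rules() {
  : > "$KERNEL"; : > "$BATCH"
  iptables -A INPUT -p tcp --dport 22 -j ACCEPT   # a rule the firewall itself queues
  case "$1" in
    exec)   sh "$WORK/ip_accept" ;;   # child shell: no function, hits PATH binary
    source) . "$WORK/ip_accept" ;;    # same shell: goes through the batch function
  esac
  commit_batch
  grep -c ipINacc "$KERNEL" || true
}

echo "helper exec'd:  $(surviving_rules exec) ipINacc rule(s) survive the commit"
echo "helper sourced: $(surviving_rules source) ipINacc rule(s) survive the commit"
```

Setting FW_USE_IPTABLES_BATCH=no removes the shadow function entirely, so the exec'd helper's rules would then land in the kernel directly and persist, at the cost of the slower boot noted later in the thread.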
https://bugzilla.novell.com/show_bug.cgi?id=694464#c12

--- Comment #12 from Ludwig Nussel <lnussel@novell.com> 2011-05-20 08:39:34 CEST ---

I've added your case to the FAQ now: http://www.suse.de/~lnussel/SuSEfirewall2/FAQ.html
https://bugzilla.novell.com/show_bug.cgi?id=694464#c13

--- Comment #13 from Bernhard Wiedemann <bwiedemann@suse.com> 2011-09-07 17:00:27 CEST ---

This is an autogenerated message for OBS integration:
This bug (694464) was mentioned in
https://build.opensuse.org/request/show/81346 Factory / SuSEfirewall2
https://bugzilla.novell.com/show_bug.cgi?id=694464#c14

Curtis J Blank <Curt.Blank@curtronics.com> changed:
  What       | Removed  | Added
  Status     | RESOLVED | REOPENED
  Resolution | INVALID  |

--- Comment #14 from Curtis J Blank <Curt.Blank@curtronics.com> 2011-09-08 19:27:57 UTC ---

It would be nicer if you came up with a better method to do it. I could never get it to work, I suspect because you use batch mode and my scripts put them in one at a time.
https://bugzilla.novell.com/show_bug.cgi?id=694464#c15

Ludwig Nussel <lnussel@suse.com> changed:
  What       | Removed  | Added
  Status     | REOPENED | RESOLVED
  Resolution |          | INVALID

--- Comment #15 from Ludwig Nussel <lnussel@suse.com> 2011-09-09 10:34:27 CEST ---

I don't see any other way besides documenting it, sorry. Batch mode has to be on by default in order to not slow down the boot process.