Bug in Susefirewall FW_ALLOW_INCOMING_HIGHPORTS_UDP
Hi list,

just tried to use a freshly installed Suse 9.3 updated with you.
SuSEfirewall2-3.3-18.2
/etc/sysconfig/SuSEfirewall2 with FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
Start FW complains, four lines "iptables: No chain/target/match by that name"
Reasons are in /sbin/SuSEfirewall lines 1460 and 1469: for CHAIN in $input_zones; do --> chain=input_$chain
should be "CHAIN=input_$CHAIN".

Frank Stuehmer

On Tuesday, 21 June 2005 14:38, Frank Stuehmer wrote:
Hi list,
just tried to use fresh installed Suse 9.3 updated with you.
SuSEfirewall2-3.3-18.2
/etc/sysconfig/SuSEfirewall2 with FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
Start FW complains, four lines "iptables: No chain/target/match by that name"
Reasons are in /sbin/SuSEfirewall lines 1460 and 1469: for CHAIN in $input_zones; do --> chain=input_$chain
should be "CHAIN=input_$CHAIN".
Frank Stuehmer
you should send that to suse directly, ASAP.
to get the right address: rpm -qi SuSEfirewall2
and you might want to add the current/latest maintainer in a cc: to see, use rpm -qi SuSEfirewall2 --changelog and look for the newest changelog entry, there should be an email address with it.

bye,
MH

--
Unsolicited sending of advertising e-mail to private individuals violates §1 UWG and §823 I BGB (ruling of the LG Berlin of 2.8.1998, Az: 16 O 201/98). Any commercial use of the transmitted personal data, as well as passing it on to third parties, is expressly prohibited!

gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C
Hi Mathias,
lines 1460 and 1469: for CHAIN in $input_zones; do --> chain=input_$chain
should be "CHAIN=input_$CHAIN".
you should send that to suse directly, ASAP. to get the right address: rpm -qi SuSEfirewall2 and you might want to add the current/latest maintainer in a cc: to see, use rpm -qi SuSEfirewall2 --changelog and look for the newest changelog entry, there should be an email address with it.
done, thank you. Frank
Hi List,

On Tuesday 21 June 2005 14:38, Frank Stuehmer wrote:
Hi list,
just tried to use fresh installed Suse 9.3 updated with you.
SuSEfirewall2-3.3-18.2
/etc/sysconfig/SuSEfirewall2 with FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
Start FW complains, four lines "iptables: No chain/target/match by that name"
Reasons are in /sbin/SuSEfirewall lines 1460 and 1469: for CHAIN in $input_zones; do --> chain=input_$chain
should be "CHAIN=input_$CHAIN".
Frank Stuehmer
There is another typo in line 1629 (the line-wrapping is done by kmail - originally this is one long line)

$LAA $IPTABLES -A $chain -d $net1 $snet2 $proto $rport -i $dev -j LOG \ ${LOG}"-`rulelog $CHAIN`-ACC-MASQ " -m state --state ESTABLISHED,RELATED

should probably read

$LAA $IPTABLES -A $chain -d $net1 $snet2 $proto $rport -i $dev -j LOG \ ${LOG}"-`rulelog $chain`-ACC-MASQ " -m state --state ESTABLISHED,RELATED

Bye,
Jürgen

These mistakes would probably be avoided if people used set -o nounset in their scripts. It is like using -w in perl: why get your customers to debug your scripts if the interpreter does it for free?

Bob

On Tue, 21 Jun 2005, Jürgen Mell wrote:
Hi List,
On Tuesday 21 June 2005 14:38, Frank Stuehmer wrote:
Hi list,
just tried to use fresh installed Suse 9.3 updated with you.
SuSEfirewall2-3.3-18.2
/etc/sysconfig/SuSEfirewall2 with FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
Start FW complains, four lines "iptables: No chain/target/match by that name"
Reasons are in /sbin/SuSEfirewall lines 1460 and 1469: for CHAIN in $input_zones; do --> chain=input_$chain
should be "CHAIN=input_$CHAIN".
Frank Stuehmer
There is another typo in line 1629 (the line-wrapping is done by kmail - originally this is one long line)
$LAA $IPTABLES -A $chain -d $net1 $snet2 $proto $rport -i $dev -j LOG \ ${LOG}"-`rulelog $CHAIN`-ACC-MASQ " -m state --state ESTABLISHED,RELATED
should probably read
$LAA $IPTABLES -A $chain -d $net1 $snet2 $proto $rport -i $dev -j LOG \ ${LOG}"-`rulelog $chain`-ACC-MASQ " -m state --state ESTABLISHED,RELATED
Bye, Jürgen
==============================================================
Bob Vickers                                   R.Vickers@cs.rhul.ac.uk
Dept of Computer Science, Royal Holloway, University of London
WWW: http://www.cs.rhul.ac.uk/home/bobv       Phone: +44 1784 443691
On Tue, Jun 21, 2005 at 06:45:14PM +0200, Jürgen Mell wrote:
Hi List,
On Tuesday 21 June 2005 14:38, Frank Stuehmer wrote:
Hi list,
just tried to use fresh installed Suse 9.3 updated with you.
SuSEfirewall2-3.3-18.2
/etc/sysconfig/SuSEfirewall2 with FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
Start FW complains, four lines "iptables: No chain/target/match by that name"
Reasons are in /sbin/SuSEfirewall lines 1460 and 1469: for CHAIN in $input_zones; do --> chain=input_$chain
should be "CHAIN=input_$CHAIN".
Frank Stuehmer
There is another typo in line 1629 (the line-wrapping is done by kmail - originally this is one long line)
$LAA $IPTABLES -A $chain -d $net1 $snet2 $proto $rport -i $dev -j LOG \ ${LOG}"-`rulelog $CHAIN`-ACC-MASQ " -m state --state ESTABLISHED,RELATED
should probably read
$LAA $IPTABLES -A $chain -d $net1 $snet2 $proto $rport -i $dev -j LOG \ ${LOG}"-`rulelog $chain`-ACC-MASQ " -m state --state ESTABLISHED,RELATED
I have opened a bug report for these problems and we will be fixing this.

Ciao, Marcus

Hello!

Marcus Meissner wrote:
On Tue, Jun 21, 2005 at 06:45:14PM +0200, Jürgen Mell wrote:
Hi List,
On Tuesday 21 June 2005 14:38, Frank Stuehmer wrote:
Hi list,
just tried to use fresh installed Suse 9.3 updated with you.
SuSEfirewall2-3.3-18.2
/etc/sysconfig/SuSEfirewall2 with FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
Start FW complains, four lines "iptables: No chain/target/match by that name"
Reasons are in /sbin/SuSEfirewall lines 1460 and 1469: for CHAIN in $input_zones; do --> chain=input_$chain
should be "CHAIN=input_$CHAIN".
Frank Stuehmer
There is another typo in line 1629 (the line-wrapping is done by kmail - originally this is one long line)
$LAA $IPTABLES -A $chain -d $net1 $snet2 $proto $rport -i $dev -j LOG \ ${LOG}"-`rulelog $CHAIN`-ACC-MASQ " -m state --state ESTABLISHED,RELATED
should probably read
$LAA $IPTABLES -A $chain -d $net1 $snet2 $proto $rport -i $dev -j LOG \ ${LOG}"-`rulelog $chain`-ACC-MASQ " -m state --state ESTABLISHED,RELATED
I have opened a bug report for these problems and we will be fixing this.
Ciao, Marcus
There is another bug (no real bugs but useless chains):

If I got a Webserver and don't use the SuSE box as a router but only as a firewall for the webserver or whatever single nic server you get unnecessary chains: forward and dmz rules. If you don't need dmz rules there is no specific rule to not set them up. For that purpose I rewrote it kind'a' more suitable for me.

Next thing is I setup special rulesets for me:
block internal (machines with no access to internet, e.g. printserver)
block external (machines which do malicious stuff, standard block groups, etc.)

Would be a nice feature to implement that.

Regards
Philippe

On 22.06.2005 13:48, Philippe Vogel wrote:
Hello!
Marcus Meissner wrote:
[...]
I have opened a bugreport for these problems and we will be fixing this.
Ciao, Marcus
well - if you are working on SuSEFirewall - I found another bug/feature.
SuSE 9.2 in the Firewall-Config it says:

# 10.)
# Which services should be accessible from 'trusted' hosts or nets?
#
# Define trusted hosts or networks (doesn't matter whether they are internal or
# external) and the services (tcp,udp,icmp) they are allowed to use. This can
# be used instead of FW_SERVICES_* for further access restriction. Please note
# that this is no replacement for authentication since IP addresses can be
# spoofed. Also note that trusted hosts/nets are not allowed to ping the
# firewall until you also permit icmp.
#
# Format: space separated list of network[,protocol[,port]]
# in case of icmp, port means the icmp type
#
# Example: "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"

but in SuSE 9.2 (I don't know if 9.1 also) SuSEFirewall is complaining if no protocol is given to the ip. If you want a whole access from one IP you have to write s.th. like "x.x.x.x,tcp x.x.x.x,udp x.x.x.x,icmp" etc etc... (maybe already fixed in 9.3 but I didn't get any Update for 9.2).

Regards
Christian
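Christian's point is that the documented format makes protocol and port optional, yet the 9.2 script rejects a bare address. The following parser for that format is an added example written for this thread, my own code and not SuSEfirewall2's: it accepts all three documented forms, treats a missing protocol as "all protocols" as the comment promises, maps the third field to the ICMP type for icmp, and only prints the iptables match arguments it would pass (nothing is executed, so it needs no root). The addresses are the ones from the quoted config comment.

```shell
#!/bin/sh
# Added example, not SuSEfirewall2 code: parse one FW_TRUSTED_NETS entry of
# the documented form network[,protocol[,port]] and print the iptables match
# arguments for it. A bare address (no protocol) is accepted and means "all
# protocols", which is what the config comment promises. For icmp the third
# field is the ICMP type, as the comment says. Nothing is executed here.
trusted_net_rule() {
    entry=$1
    net=${entry%%,*}                 # text up to the first comma
    rest=${entry#"$net"}             # "", or ",proto" or ",proto,port"
    rest=${rest#,}
    proto=${rest%%,*}
    port=${rest#"$proto"}
    port=${port#,}

    [ -n "$net" ] || { echo "trusted_net_rule: empty network in '$entry'" >&2; return 1; }

    args="-s $net"
    case $proto in
        "") ;;                                   # no protocol: match all traffic from $net
        tcp|udp)
            args="$args -p $proto"
            [ -n "$port" ] && args="$args --dport $port" ;;
        icmp)
            args="$args -p icmp"
            [ -n "$port" ] && args="$args --icmp-type $port" ;;
        *)
            echo "trusted_net_rule: unknown protocol '$proto' in '$entry'" >&2
            return 1 ;;
    esac
    echo "$args"
}

# Expand a whole FW_TRUSTED_NETS value (space separated) into one argument
# line per entry; stop at the first malformed entry so a typo is not silently
# turned into a broader rule than intended.
trusted_nets_rules() {
    for entry in $1; do
        trusted_net_rule "$entry" || return 1
    done
}

# The example list from the config comment quoted above.
trusted_nets_rules "172.20.1.1 172.20.0.0/16 1.1.1.1,icmp 2.2.2.2,tcp,22"
```

Run with sh; the last line prints four argument lines, one per entry, and an entry with an unknown protocol (say "3.3.3.3,gre") makes the parser fail loudly instead of guessing.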
Frank Stuehmer wrote:
just tried to use fresh installed Suse 9.3 updated with you.
SuSEfirewall2-3.3-18.2
/etc/sysconfig/SuSEfirewall2 with FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
Start FW complains, four lines "iptables: No chain/target/match by that name"
Reasons are in /sbin/SuSEfirewall lines 1460 and 1469: for CHAIN in $input_zones; do --> chain=input_$chain
should be "CHAIN=input_$CHAIN".
Thanks for the report. I've prepared an update, it will take a bit until it appears in YOU though.

Btw, what's your use case for this variable? I was actually thinking about dropping it.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\   SUSE LINUX Products GmbH, Development
 V_/_  http://www.suse.de/
Bob Vickers wrote:
These mistakes would probably be avoided if people used set -o nounset in their scripts. It is like using -w in perl: why get your customers to debug your scripts if the interpreter does it for free?
That doesn't help as it only checks the code that is executed and not the whole script. If it triggers it terminates the script instantly whereas SuSEfirewall2 normally tries to set as many rules as possible despite errors. Furthermore there are many valid uses of unset variables, e.g. optional parameters.

cu
Ludwig

Hello,

On Tuesday, 28 June 2005 15:39, Ludwig Nussel wrote:
Bob Vickers wrote:
These mistakes would probably be avoided if people used set -o nounset in their scripts. It is like using -w in perl: why get your customers to debug your scripts if the interpreter does it for free?
That doesn't help as it only checks the code that is executed and not the whole script. If it triggers it terminates the script instantly
OK, that's an argument against using it in production environment.
[...] Furthermore there are many valid uses of unset variables, e.g. optional parameters.
Hmm - when I hear about unset variables, I have to think of PHP's register_globals which is turned off by default now for security reasons. Are you _really_ sure that using unset / not initialized variables is a good idea? (I am not.) At least you should explicitly unset or initialize these variables to avoid trouble or possible attacks.

Regards,

Christian Boltz
--
# GO AWAY !
# YOU DO NOT WANT TO SEE THIS SCRIPT !!!
[from /opt/kde3/share/apps/krpmview/setup_temp_source]

Hi Ludwig,

Ludwig Nussel wrote:
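The loop bug Frank reported, Bob's set -o nounset suggestion, Ludwig's two objections (it only catches code that actually runs and aborts at the first unset variable; optional parameters are legitimately unset) and Christian's advice to initialise variables explicitly can all be seen in one small script. This is an added example written for this thread, my own code and not SuSEfirewall2's: it uses a shell function as a stand-in for the iptables binary and made-up zone and chain names, so it runs without root and touches no real netfilter rules.

```shell
#!/bin/sh
# Added example for this thread, not SuSEfirewall2 code. It reproduces the
# CHAIN/chain case mismatch from Frank's report against a stub "iptables",
# shows what `set -o nounset` would and would not have caught, and shows the
# ${var-} idiom that keeps optional parameters usable under nounset.
# Zone and chain names below are constructed for the example.

input_zones="int ext"                 # constructed zone list
KNOWN_CHAINS="input_int input_ext"    # chains the stub pretends exist

# Stub standing in for the iptables binary: $1 is "-A", $2 the chain name.
# It reports the same error string the real tool printed in the thread.
fake_iptables() {
    case " $KNOWN_CHAINS " in
        *" $2 "*) return 0 ;;
        *) echo "iptables: No chain/target/match by that name" >&2; return 1 ;;
    esac
}

# The loop as reported (lines 1460/1469 of the 9.3 script): it iterates over
# CHAIN but assigns and reads lowercase chain, which is never set, so the
# chain name degenerates to "input_", then "input_input_", and every call fails.
buggy_loop() {
    unset chain
    failures=0
    for CHAIN in $input_zones; do
        chain=input_$chain            # BUG: should be CHAIN=input_$CHAIN
        fake_iptables -A "$chain" -p udp --dport 1024:65535 -j ACCEPT || failures=$((failures + 1))
    done
    echo "$failures"                  # number of rules that could not be added
}

# The corrected loop: the same variable on both sides of the assignment.
fixed_loop() {
    failures=0
    for CHAIN in $input_zones; do
        CHAIN=input_$CHAIN
        fake_iptables -A "$CHAIN" -p udp --dport 1024:65535 -j ACCEPT || failures=$((failures + 1))
    done
    echo "$failures"
}

# Bob's suggestion: under `set -u` (nounset) the first expansion of the unset
# $chain aborts the shell. It runs in a subshell so this script survives.
# Ludwig's first objection is visible here too: the subshell stops at the
# first error, so no later rule in the loop is attempted at all.
nounset_catches_bug() {
    if ( set -u; unset chain
         for CHAIN in $input_zones; do chain=input_$chain; done ) 2>/dev/null
    then echo missed; else echo caught; fi
}

# Ludwig's second objection, that optional parameters are legitimately unset,
# is answered by Christian's advice to initialise them explicitly: ${2-}
# expands to an empty default instead of tripping nounset, and ${dev:+...}
# only adds the "-i" match when an interface was actually given.
rule_with_optional_dev() {
    # $1 = chain (required), $2 = interface (optional); prints the command line
    (
        set -u
        chain=$1
        dev=${2-}
        echo "iptables -A $chain${dev:+ -i $dev} -j ACCEPT"
    )
}

echo "buggy loop failures: $(buggy_loop 2>/dev/null)"    # 2
echo "fixed loop failures: $(fixed_loop)"                  # 0
echo "nounset: $(nounset_catches_bug)"                     # caught
rule_with_optional_dev input_ext eth0                       # iptables -A input_ext -i eth0 -j ACCEPT
rule_with_optional_dev input_ext                            # iptables -A input_ext -j ACCEPT
```

Run it with sh: the stub reports two failed insertions for the buggy loop and none for the corrected one, nounset aborts the subshell at the first expansion of $chain, and the ${2-} default lets the optional interface argument be omitted while nounset stays on.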
/etc/sysconfig/SuSEfirewall2 with FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
Btw, what's your use case for this variable? I was actually thinking about dropping it.

To tell the truth I don't know anymore :-), I use the same configuration from version to version since 7.2. Could be it was named or ftp.

I've just switched to "no" and now wait for user complaints.

Bye, Frank
Frank Stuehmer wrote:
Ludwig Nussel wrote:
/etc/sysconfig/SuSEfirewall2 with FW_ALLOW_INCOMING_HIGHPORTS_UDP="yes"
Btw, what's your use case for this variable? I was actually thinking about dropping it.

To tell the truth I don't know anymore :-), I use the same configuration from version to version since 7.2. Could be it was named or ftp.

I've just switched to "no" and now wait for user complaints.

Ok, I've marked FW_ALLOW_INCOMING_HIGHPORTS_* as deprecated. Let me know if it turns out that they are still needed for something :-)

cu
Ludwig

The Thursday 2005-06-30 at 10:52 +0200, Ludwig Nussel wrote:
Ok, I've marked FW_ALLOW_INCOMING_HIGHPORTS_* as deprecated. Let me know if it turns out that they are still needed for something :-)
I use it:

FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"

I have it so since SuSE 8.1 or thereabouts. What do you suggest we use instead?

--
Cheers,
Carlos Robinson

On Thursday, 30 June 2005 10:52, Ludwig Nussel wrote:
Ok, I've marked FW_ALLOW_INCOMING_HIGHPORTS_* as deprecated. Let me know if it turns out that they are still needed for something :-)
I use it as well, because of irc dcc and similar stuff.

bye,
MH
Carlos E. R. wrote:
The Thursday 2005-06-30 at 10:52 +0200, Ludwig Nussel wrote:
Ok, I've marked FW_ALLOW_INCOMING_HIGHPORTS_* as deprecated. Let me know if it turns out that they are still needed for something :-)
I use it:
FW_ALLOW_INCOMING_HIGHPORTS_TCP="ftp-data"
I have it so since SuSE 8.1 or thereabouts. What do you suggest we use instead?
The ftp conntrack module should handle that transparently.

cu
Ludwig

participants (10):
- Bob Vickers
- Carlos E. R.
- Christian Boltz
- Christian Hernmarck
- Frank Stuehmer
- Jürgen Mell
- Ludwig Nussel
- Marcus Meissner
- Mathias Homann
- Philippe Vogel