
Bug#351196: marked as forwarded (psad: IPTABLES_AUTO_RULENUM hazard)

Subject: Bug#351196: marked as forwarded psad: IPTABLES_AUTO_RULENUM hazard
From: Debian Bug Tracking System
Date: Tue, 27 Jun 2006 00:04:19 -0700
Your message dated Tue, 27 Jun 2006 08:42:06 +0200
with message-id <[email protected]>
has caused the Debian Bug report #351196,
regarding psad: IPTABLES_AUTO_RULENUM hazard
to be marked as having been forwarded to the upstream software
author(s) Michael Rash <[email protected]>.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Subject: Re: Bug#351196: psad: IPTABLES_AUTO_RULENUM hazard
From: Daniel Gubser
Date: Tue, 27 Jun 2006 08:42:06 +0200
Hello Mike

Forgot to forward this bug to you, can you help?


On Fri, 2006-02-03 at 12:49 +0700, Jeroen Vermeulen wrote:
> Package: psad
> Version: 1.4.5-1
> Severity: normal
> The IPTABLES_AUTO_RULENUM is documented as follows in the default
> configuration file:
>
> ### Specify the position or rule number within the iptables
> ### policy where auto block rules get added.
>
> There then follows a configurable list of chains IPT_AUTO_CHAIN{n} that
> can be created automatically to hold the per-host blocking rules created
> by psad.  Each "auto-chain" line has a field to specify which existing
> chain should jump to that auto-chain, but no field to say where in the
> calling chain the jump should be inserted.
>
> My impression was that this was what IPTABLES_AUTO_RULENUM did.  I was
> wrong.  It turns out that IPTABLES_AUTO_RULENUM determines where a new
> blocking rule for an offensive host should be inserted into the
> applicable auto-chain itself.
>
> The real gotcha is this: IPTABLES_AUTO_RULENUM becomes a boobytrap when
> auto-chains are used.  If an auto-chain is empty initially, the *only*
> setting for IPTABLES_AUTO_RULENUM that makes any sense at all is 1.
> Anything else and rule insertion will simply not work, because the given
> index will be out of range.  (A log message will say that it isn't
> working, but fail to give any indication of what goes wrong--that's in a
> separate bug report).
>
> Some things that I imagine could be done:
>
>  * Add a warning to the IPTABLES_AUTO_RULENUM documentation about the
>    dangers in combination with IPT_AUTO_CHAIN.
>  * Fail to start when auto-chains are used and IPTABLES_AUTO_RULENUM is
>    not set to 1.
>  * Add an optional insertion index to IPT_AUTO_CHAIN entries to take
>    away any confusion about what IPTABLES_AUTO_RULENUM means.
>
> -- System Information:
> Debian Release: 3.1
>   APT prefers unstable
>   APT policy: (50, 'unstable')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.11
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Versions of packages psad depends on:
> ii  ipchains                   1.3.10-15     Network firewalling for Linux 2.2.
> ii  iptables                   1.3.1-2       Linux kernel 2.4+ iptables adminis
> ii  libc6                      2.3.2.ds1-22  GNU C Library: Shared libraries an
> ii  libcarp-clan-perl          5.3-3         Perl enhancement to Carp error log
> ii  libdate-calc-perl          5.4-3         Perl library for accessing dates
> ii  libnetwork-ipv4addr-perl   0.10-1.1      The Net::IPv4Addr perl module API
> ii  libunix-syslog-perl        0.100-4       Perl interface to the UNIX syslog(
> ii  perl                       5.8.4-8sarge3 Larry Wall's Practical Extraction
> ii  psmisc                     21.6-1        Utilities that use the proc filesy
> ii  sysklogd [syslogd]         1.4.1-17      System Logging Daemon
> ii  whois                      4.7.5         the GNU whois client
> -- no debconf information

--- End Message ---
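The out-of-range insertion described in the quoted report (a rule number larger than the auto-chain can hold, which iptables rejects) can be guarded against in the tool that issues the insert. The following is an added example, not code from the bug report or from psad: it counts the rules already in the target chain and clamps the configured rule number to a position iptables accepts, 1 through count+1, falling back to appending and logging why. Function names, the DROP target and the `awk`-based counting are my own assumptions.

```shell
#!/bin/sh
# Added example (not part of the bug report or of psad): make an
# IPTABLES_AUTO_RULENUM-style insertion safe when the auto-chain is empty
# or shorter than the configured rule number.

# Number of rules currently in CHAIN of TABLE. `iptables -S CHAIN` prints a
# "-N CHAIN" (or "-P CHAIN POLICY") line followed by one "-A CHAIN ..." line
# per rule; only the "-A" lines are counted. Requires root.
chain_rule_count() {
    table=$1 chain=$2
    iptables -t "$table" -S "$chain" | awk '/^-A /{n++} END{print n+0}'
}

# `iptables -I CHAIN N` accepts N in 1 .. count+1 (count+1 appends); anything
# larger fails with "Index of insertion too big". Print the configured number
# if it is usable, otherwise count+1 so the rule is still installed.
clamp_rulenum() {
    count=$1 wanted=$2
    if [ "$wanted" -ge 1 ] && [ "$wanted" -le $((count + 1)) ]; then
        echo "$wanted"
    else
        echo $((count + 1))
    fi
}

# Insert a per-host DROP rule into an auto-chain at a position that exists.
# Usage: insert_block_rule <table> <chain> <rulenum> <source-ip>
insert_block_rule() {
    table=$1 chain=$2 rulenum=$3 src=$4
    # Fail loudly if the chain is missing instead of silently counting 0.
    if ! iptables -t "$table" -n -L "$chain" >/dev/null 2>&1; then
        echo "error: chain $chain does not exist in table $table" >&2
        return 1
    fi
    count=$(chain_rule_count "$table" "$chain")
    pos=$(clamp_rulenum "$count" "$rulenum")
    if [ "$pos" != "$rulenum" ]; then
        # This is the case the bug report hits: say what went wrong.
        echo "warning: rule number $rulenum is out of range for $chain" \
             "($count rules); inserting at position $pos instead" >&2
    fi
    iptables -t "$table" -I "$chain" "$pos" -s "$src" -j DROP
}
```

Only `clamp_rulenum` is pure; `chain_rule_count` and `insert_block_rule` need root and a real iptables.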