Your message dated Sat, 28 Aug 2010 14:32:07 +0000
with message-id <[email protected]>
and subject line Bug#594326: fixed in arno-iptables-firewall 1.9.2.k-3
has caused the Debian Bug report #594326,
regarding arno-iptables-firewall leaves Debian hosts open on ipv6 without 
warning the user
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
594326: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=594326
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: arno-iptables-firewall
Version: 1.9.2.k-2
Severity: normal
Tags: upstream ipv6

Although the version of arno-iptables-firewall contains preliminary ipv6
support, it is turned off by default, and it doesn't appear that it can
be enabled at the same time as ipv4 support is enabled.  Running
arno-iptables-firewall on a default squeeze install leaves the following
firewall policy in place for IPv6 packets:

r...@ermintrude:/home/tim# ip6tables -L -v
Chain INPUT (policy ACCEPT 18163 packets, 3581K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17501 packets, 3428K bytes)
 pkts bytes target     prot opt in     out     source               destination


As IPv6 is enabled by default in Debian, this leaves hosts vulnerable to
attacks via IPv6.  e.g. without any IPv6 infrastructure in place it
leaves machines open to the local LAN via the IPv6 automatic link-local
IP addresses:

r...@ermintrude:/home/tim# ping6 -c 2 -I eth0 ff02::1
PING ff02::1(ff02::1) from fe80::201:3ff:fe48:4f1e ethInet: 56 data bytes
64 bytes from fe80::201:3ff:fe48:4f1e: icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from fe80::2e0:81ff:fe74:9783: icmp_seq=1 ttl=64 time=0.302 ms (DUP!)
64 bytes from fe80::240:48ff:feb1:175e: icmp_seq=1 ttl=64 time=0.414 ms (DUP!)
64 bytes from fe80::20c:29ff:fef8:aa3: icmp_seq=1 ttl=64 time=0.528 ms (DUP!)
64 bytes from fe80::20c:29ff:fecb:3cac: icmp_seq=1 ttl=64 time=0.642 ms (DUP!)
[...]
r...@ermintrude:/home/tim# nmap -PN -6 fe80::240:48ff:feb1:175e%eth0

Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-25 10:57 BST
Interesting ports on fe80::240:48ff:feb1:175e:
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
179/tcp open  bgp
[...]

but with fully routable IPv6 in place (as may well become commonplace during the
lifetime of newly installed machines), attacks against machines would be
possible from the Internet at large.

Whilst not intrinsically a problem with arno-iptables-firewall, it is at the
very least probably not what the user was expecting, and it would be very
useful if the user was alerted to this current behaviour (i.e.
arno-iptables-firewall will not block any inbound IPv6 traffic, even
when tight controls on IPv4 exist), along with information on how
to block or disable IPv6, if that's what they wish to do (in the absence of
useful IPv6 support by the package).

Thanks,

Tim.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-openvz-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages arno-iptables-firewall depends on:
ii  debconf                   1.5.35         Debian configuration management sy
ii  gawk                      1:3.1.7.dfsg-5 GNU awk, a pattern scanning and pr
ii  iproute                   20100519-3     networking and traffic control too
ii  iptables                  1.4.8-3        administration tools for packet fi

Versions of packages arno-iptables-firewall recommends:
ii  dnsutils               1:9.7.1.dfsg.P2-2 Clients provided with BIND
ii  lynx                   2.8.8dev.4-2      Text-mode WWW Browser (transitiona

arno-iptables-firewall suggests no packages.

-- Configuration Files:
/etc/arno-iptables-firewall/custom-rules changed [not included]
/etc/arno-iptables-firewall/firewall.conf changed [not included]

-- debconf information excluded



--- End Message ---
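
Added example (not part of the original report or of arno-iptables-firewall): a shell check for the state shown in the ip6tables listing above, where built-in chains have policy ACCEPT and hold no rules. The function names and both sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of arno-iptables-firewall.
# Reads `ip6tables -L -v` output on stdin and prints every chain that has
# policy ACCEPT and no rules, i.e. the state shown in the bug report.
open_v6_chains() {
    awk '
        function report() {
            if (chain != "" && policy == "ACCEPT" && rules == 0) print chain
        }
        $1 == "Chain" {
            report()
            chain = $2; rules = 0; policy = ""
            # Built-in chains read "(policy ACCEPT ..."; user chains "(N references)".
            if ($3 == "(policy") { policy = $4; sub(/\)$/, "", policy) }
            next
        }
        $1 == "pkts" || NF == 0 { next }   # column header or blank line
        chain != "" { rules++ }            # anything else is a rule
        END { report() }
    '
}

# Constructed sample: an unfiltered host, mirroring the listing in the report.
sample_open() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT 18163 packets, 3581K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 17501 packets, 3428K bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

# Constructed sample: a host that filters inbound and forwarded IPv6.
sample_filtered() {
    cat <<'EOF'
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12  1152 ACCEPT     all      lo     any     anywhere             anywhere
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 40 packets, 3840 bytes)
 pkts bytes target     prot opt in     out     source               destination
EOF
}

echo "open sample:     $(sample_open | open_v6_chains | tr '\n' ' ')"
echo "filtered sample: $(sample_filtered | open_v6_chains | tr '\n' ' ')"
```

On a live host, run as root: ip6tables -L -n -v | open_v6_chains. OUTPUT with policy ACCEPT is often intentional; INPUT or FORWARD in the result means inbound or forwarded IPv6 is unfiltered.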
--- Begin Message ---
Source: arno-iptables-firewall
Source-Version: 1.9.2.k-3

We believe that the bug you reported is fixed in the latest version of
arno-iptables-firewall, which is due to be installed in the Debian FTP archive:

arno-iptables-firewall_1.9.2.k-3.debian.tar.gz
  to main/a/arno-iptables-firewall/arno-iptables-firewall_1.9.2.k-3.debian.tar.gz
arno-iptables-firewall_1.9.2.k-3.dsc
  to main/a/arno-iptables-firewall/arno-iptables-firewall_1.9.2.k-3.dsc
arno-iptables-firewall_1.9.2.k-3_all.deb
  to main/a/arno-iptables-firewall/arno-iptables-firewall_1.9.2.k-3_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Michael Hanke <[email protected]> (supplier of updated arno-iptables-firewall package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 28 Aug 2010 10:03:15 -0400
Source: arno-iptables-firewall
Binary: arno-iptables-firewall
Architecture: source all
Version: 1.9.2.k-3
Distribution: unstable
Urgency: low
Maintainer: Michael Hanke <[email protected]>
Changed-By: Michael Hanke <[email protected]>
Description: 
 arno-iptables-firewall - single- and multi-homed firewall script with DSL/ADSL support
Closes: 594326
Changes: 
 arno-iptables-firewall (1.9.2.k-3) unstable; urgency=low
 .
   * Hosts were open to IPv6 connections, even when the firewall was up
     (Closes: #594326). Thanks to Tim Small for reporting.
   * Fix typo in debian/control that caused misc:Depends to be dropped.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAkx5GysACgkQ93+NsjFEvg/ZMgCfeUXf3P1XSu1+54qvNrIJ+7o8
dYcAn1rEbEMjl420rg9/FYRPFnDdSOHY
=jizV
-----END PGP SIGNATURE-----



--- End Message ---