Package: netfilter-persistent
Version: 1.0.3
Severity: grave
Tags: security
Justification: user security hole

If netfilter-persistent or one of its dependencies fails to load, system boot continues normally with a wide-open netfilter configuration. IMO, this should fail secure: If the firewall can't be brought up, at least networking should not be brought up either.

In my case, netfilter was not brought up because the "lp" module was not present in the custom kernel I'm using, causing systemd-modules-load to fail. These are the relevant syslog lines:

Mar 11 17:51:00 pc systemd-modules-load[307]: Failed to find module 'lp'
Mar 11 17:51:00 pc systemd-modules-load[307]: Module 'ppdev' is builtin
Mar 11 17:51:00 pc systemd-modules-load[307]: Module 'parport_pc' is builtin
Mar 11 17:51:00 pc systemd-modules-load[307]: Module 'fuse' is builtin
Mar 11 17:51:00 pc systemd[1]: systemd-modules-load.service: main process exited, code=exited, status=1/FAILURE
Mar 11 17:51:00 pc systemd[1]: Failed to start Load Kernel Modules.
Mar 11 17:51:00 pc systemd[1]: Dependency failed for netfilter persistent configuration.
Mar 11 17:51:00 pc systemd[1]: Unit systemd-modules-load.service entered failed state.

-- System Information:
Debian Release: 8.0
  APT prefers testing
  APT policy: (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.18.6jann (SMP w/8 CPU cores; PREEMPT)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages netfilter-persistent depends on:
ii  init-system-helpers  1.22
ii  lsb-base             4.1+Debian13+nmu1

netfilter-persistent recommends no packages.

netfilter-persistent suggests no packages.

-- no debconf information
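An added fail-closed fallback for the situation logged above (example code, not part of netfilter-persistent or of this report): a systemd OnFailure= drop-in hands a failed netfilter-persistent.service to a oneshot unit that installs a default-deny ruleset, so the boot ends with the firewall shut rather than wide open. The unit names, the script path /usr/local/sbin/netfilter-fallback.sh and the iptables-restore ruleset are assumptions; it relies on OnFailure= firing when the start job fails, which includes the "Dependency failed" case seen here.

```shell
#!/bin/sh
# Fail-closed fallback for netfilter-persistent (added example, not package code).
# Assumes iptables-restore is installed and the units printed by
# print_onfailure_units are in place, so a failed netfilter-persistent.service
# runs this script with "apply" instead of leaving the default ACCEPT policies.
set -eu

# Minimal default-deny ruleset in iptables-restore format: loopback only, plus
# replies to connections that are already established, so an open admin session
# survives. Printed to stdout so it can be reviewed or tested without applying.
emit_fail_closed_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Replace the filter table atomically and leave a trace in the journal.
apply_fail_closed() {
    emit_fail_closed_rules | iptables-restore
    logger -t netfilter-fallback "netfilter-persistent failed; default-deny ruleset applied"
}
# Unit definitions this relies on (assumed paths; OnFailure= also fires when the
# start job fails because a dependency such as systemd-modules-load failed).
print_onfailure_units() {
    cat <<'EOF'
# /etc/systemd/system/netfilter-persistent.service.d/fail-closed.conf
[Unit]
OnFailure=netfilter-fallback.service

# /etc/systemd/system/netfilter-fallback.service
[Unit]
Description=Default-deny firewall when netfilter-persistent fails
DefaultDependencies=no
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/netfilter-fallback.sh apply
EOF
}

case "${1:-}" in
    apply) apply_fail_closed ;;
    units) print_onfailure_units ;;
    *)     emit_fail_closed_rules ;;
esac
```

Run it with "units" to see the drop-in and fallback unit to install, with no argument to review the ruleset, and only the OnFailure= unit calls it with "apply".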