Package: guarddog
Version: 2.4.0-1
Severity: important

Hi there.

Guarddog doesn't write the second bidirectional iptables command for
User Defined UDP protocols.  The resulting script has:

# Traffic from 'Internet' to 'Local'
# Allow 'userdefined3'
iptables -A f0to1 -p udp --sport 0:65535 --dport 8767:8767 -j ACCEPT

Instead of:

# Traffic from 'Internet' to 'Local'
# Allow 'userdefined3'
iptables -A f0to1 -p udp --sport 0:65535 --dport 8767:8767 -j ACCEPT
iptables -A f1to0 -p udp --sport 8767:8767 --dport 0:65535 -j ACCEPT


The full history:

After setting up Guarddog, my TeamSpeak server stopped working.  I had
enabled it in Guarddog User Defined Protocols of course.

Looking at /var/log/messages, I found:

Dec  3 02:06:01 severo kernel: DROPPED IN= OUT=eth1 SRC=10.10.10.1
DST=10.10.10.10 LEN=464 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=UDP
SPT=8767 DPT=2636 LEN=444 

10.10.10.1 is my server, 10.10.10.10 is my client, so it seemed the
server was receiving the client request, but the answer packets were
being dropped.  I then went on to check what Guarddog's script was
actually doing with the Teamspeak port (8767):

# perl -nwe 'if(/^# Traffic/){$section=$_;$s=0;}
# elsif(/^#/){$title=$_;$t=0;} elsif(/8767/i){print( ($s++? "":$section)
# . ($t++? "": $title) . $_);}' rc.firewall.test 
# Traffic from 'Internet' to 'Local'
# Allow 'userdefined3'
ipchains -A f0to1 -p udp --sport 0:65535 --dport 8767:8767 -j ACCEPT
ipchains -A f1to0 -p udp --sport 8767:8767 --dport 0:65535 -j ACCEPT
# Traffic from 'Local' to 'Internet'
# Allow 'userdefined3'
ipchains -A f1to0 -p udp --sport 0:65535 --dport 8767:8767 -j ACCEPT
ipchains -A f0to1 -p udp --sport 8767:8767 --dport 0:65535 -j ACCEPT
# Traffic from 'Red Local' to 'Internet'
# Allow 'userdefined3'
ipchains -A f2to0 -p udp --sport 0:65535 --dport 8767:8767 -j ACCEPT
ipchains -A f0to2 -p udp --sport 8767:8767 --dport 0:65535 -j ACCEPT
# Traffic from 'Red Local' to 'Local'
# Allow 'userdefined3'
ipchains -A f2to1 -p udp --sport 0:65535 --dport 8767:8767 -j ACCEPT
ipchains -A f1to2 -p udp --sport 8767:8767 --dport 0:65535 -j ACCEPT
# Traffic from 'Internet' to 'Local'
# Allow 'userdefined3'
iptables -A f0to1 -p udp --sport 0:65535 --dport 8767:8767 -j ACCEPT
# Traffic from 'Local' to 'Internet'
# Allow 'userdefined3'
iptables -A f1to0 -p udp --sport 0:65535 --dport 8767:8767 -j ACCEPT
# Traffic from 'Red Local' to 'Internet'
# Allow 'userdefined3'
iptables -A f2to0 -p udp --sport 0:65535 --dport 8767:8767 -j ACCEPT
# Traffic from 'Red Local' to 'Local'
# Allow 'userdefined3'
iptables -A f2to1 -p udp --sport 0:65535 --dport 8767:8767 -j ACCEPT

At this point it was clear to me that Guarddog was not writing the
bidirectional iptables commands for User Defined UDP Protocols (ipchains
commands look fine though).  After manually adding those:


# Traffic from 'Internet' to 'Local'
# Allow 'userdefined3'
iptables -A f0to1 -p udp --sport 0:65535 --dport 8767:8767 -j ACCEPT
iptables -A f1to0 -p udp --sport 8767:8767 --dport 0:65535 -j ACCEPT
# Traffic from 'Local' to 'Internet'
# Allow 'userdefined3'
iptables -A f1to0 -p udp --sport 0:65535 --dport 8767:8767 -j ACCEPT
iptables -A f0to1 -p udp --sport 8767:8767 --dport 0:65535 -j ACCEPT
# Traffic from 'Red Local' to 'Internet'
# Allow 'userdefined3'
iptables -A f2to0 -p udp --sport 0:65535 --dport 8767:8767 -j ACCEPT
iptables -A f0to2 -p udp --sport 8767:8767 --dport 0:65535 -j ACCEPT
# Traffic from 'Red Local' to 'Local'
# Allow 'userdefined3'
iptables -A f2to1 -p udp --sport 0:65535 --dport 8767:8767 -j ACCEPT
iptables -A f1to2 -p udp --sport 8767:8767 --dport 0:65535 -j ACCEPT


and then restarting Teamspeak, my server was functional again (seems TSS
is a bit "sensible" to not being able to answer back, and will not
accept new connections after an "EIdSocketError.Host not found." error).


Ciao.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages guarddog depends on:
ii  gawk               1:3.1.4-2             GNU awk, a pattern scanning and pr
ii  kdelibs4           4:3.3.2-6.2           KDE core libraries
ii  libart-2.0-2       2.3.17-1              Library of functions for 2D graphi
ii  libc6              2.3.5-6               GNU C Library: Shared libraries an
ii  libfam0c102        2.7.0-6               client library to control the FAM 
ii  libgcc1            1:3.4.3-13            GCC support library
ii  libice6            4.3.0.dfsg.1-14sarge1 Inter-Client Exchange library
ii  libidn11           0.5.13-1.0            GNU libidn library, implementation
ii  libpng12-0         1.2.8rel-1            PNG library - runtime
ii  libqt3c102-mt      3:3.3.4-3             Qt GUI Library (Threaded runtime v
ii  libsm6             4.3.0.dfsg.1-14sarge1 X Window System Session Management
ii  libstdc++5         1:3.3.6-10            The GNU Standard C++ Library v3
ii  libx11-6           4.3.0.dfsg.1-14sarge1 X Window System protocol client li
ii  libxext6           4.3.0.dfsg.1-14sarge1 X Window System miscellaneous exte
ii  libxrender1        0.8.3-7               X Rendering Extension client libra
ii  xlibs              4.3.0.dfsg.1-14sarge1 X Keyboard Extension (XKB) configu
ii  zlib1g             1:1.2.2-4.sarge.2     compression library - runtime

-- no debconf information
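
An added example, not part of the original report or of Guarddog: a Python check that scans a generated firewall script for UDP ACCEPT rules in the shape quoted above and lists the reply-direction rule each one is missing. The function names and the sample script are constructed for illustration.

```python
import re

# Rule shape from the report: <tool> -A fXtoY -p udp --sport A:B --dport C:D -j ACCEPT
RULE = re.compile(
    r"^(?P<tool>iptables|ipchains) -A f(?P<src>\d+)to(?P<dst>\d+) -p udp "
    r"--sport (?P<sport>\d+:\d+) --dport (?P<dport>\d+:\d+) -j ACCEPT\s*$"
)
ANY_PORT = "0:65535"


def parse_rules(script_text):
    """Return the set of (tool, src_zone, dst_zone, sport, dport) UDP ACCEPT rules."""
    rules = set()
    for line in script_text.splitlines():
        m = RULE.match(line.strip())
        if m:
            rules.add((m["tool"], m["src"], m["dst"], m["sport"], m["dport"]))
    return rules


def missing_reply_rules(script_text, tool="iptables"):
    """List the reply-direction rules that `tool` would need but the script lacks."""
    rules = parse_rules(script_text)
    missing = []
    for t, src, dst, sport, dport in sorted(rules):
        # A request rule goes from any source port to a specific service port.
        if t != tool or sport != ANY_PORT or dport == ANY_PORT:
            continue
        reply = (t, dst, src, dport, ANY_PORT)  # zones and ports swapped
        if reply not in rules:
            missing.append(f"{t} -A f{dst}to{src} -p udp "
                           f"--sport {dport} --dport {ANY_PORT} -j ACCEPT")
    return missing


# Constructed sample in the shape shown in the report (not the reporter's full script).
SAMPLE = """\
# Traffic from 'Internet' to 'Local'
ipchains -A f0to1 -p udp --sport 0:65535 --dport 8767:8767 -j ACCEPT
ipchains -A f1to0 -p udp --sport 8767:8767 --dport 0:65535 -j ACCEPT
# Traffic from 'Internet' to 'Local'
# Allow 'userdefined3'
iptables -A f0to1 -p udp --sport 0:65535 --dport 8767:8767 -j ACCEPT
# Traffic from 'Local' to 'Internet'
iptables -A f1to0 -p udp --sport 0:65535 --dport 8767:8767 -j ACCEPT
"""

print("\n".join(missing_reply_rules(SAMPLE)))
```

On iptables a reply can also be admitted by a connection-tracking rule (`-m state --state ESTABLISHED,RELATED`), which this check does not look for, so treat a hit as a prompt to inspect the script rather than proof of a fault.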

