Package: psad
Version: 1.4.5-1
Severity: normal
The IPTABLES_AUTO_RULENUM is documented as follows in the default
configuration file:
### Specify the position or rule number within the iptables
### policy where auto block rules get added.
There then follows a configurable list of chains IPT_AUTO_CHAIN{n} that
can be created automatically to hold the per-host blocking rules created
by psad. Each "auto-chain" line has a field to specify which existing
chain should jump to that auto-chain, but no field to say where in the
calling chain the jump should be inserted.
My impression was that this was what IPTABLES_AUTO_RULENUM did. I was
wrong. It turns out that IPTABLES_AUTO_RULENUM determines where a new
blocking rule for an offending host should be inserted into the
applicable auto-chain itself.
The real gotcha is this: IPTABLES_AUTO_RULENUM becomes a booby trap when
auto-chains are used. If an auto-chain is empty initially, the *only*
setting for IPTABLES_AUTO_RULENUM that makes any sense at all is 1.
Anything else and rule insertion will simply not work, because the given
index will be out of range. (A log message will say that it isn't
working, but fails to give any indication of what goes wrong; that's in a
separate bug report.)
Some things that I imagine could be done:
* Add a warning to the IPTABLES_AUTO_RULENUM documentation about the
dangers in combination with IPT_AUTO_CHAIN.
* Fail to start when auto-chains are used and IPTABLES_AUTO_RULENUM is
not set to 1.
* Add an optional insertion index to IPT_AUTO_CHAIN entries to take
away any confusion about what IPTABLES_AUTO_RULENUM means.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (50, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.11
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages psad depends on:
ii ipchains 1.3.10-15 Network firewalling for Linux 2.2.
ii iptables 1.3.1-2 Linux kernel 2.4+ iptables adminis
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libcarp-clan-perl 5.3-3 Perl enhancement to Carp error log
ii libdate-calc-perl 5.4-3 Perl library for accessing dates
ii libnetwork-ipv4addr-perl 0.10-1.1 The Net::IPv4Addr perl module API
ii libunix-syslog-perl 0.100-4 Perl interface to the UNIX syslog(
ii perl 5.8.4-8sarge3 Larry Wall's Practical Extraction
ii psmisc 21.6-1 Utilities that use the proc filesy
ii sysklogd [syslogd] 1.4.1-17 System Logging Daemon
ii whois 4.7.5 the GNU whois client
-- no debconf information
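The second mitigation proposed above (refuse to run when auto-chains are configured and IPTABLES_AUTO_RULENUM is not 1) written out as a stand-alone pre-flight check over psad.conf. This is an added example, not code from psad or from the bug report; it assumes psad.conf entries take the form `KEY value;` with `#` comment lines, and the IPT_AUTO_CHAIN field layout in the constructed sample files is illustrative rather than the package's real one.

```shell
#!/bin/sh
# Added example (not part of psad): pre-flight check for the
# IPTABLES_AUTO_RULENUM / IPT_AUTO_CHAIN{n} combination.
# Assumed psad.conf layout: "KEY   value;" per entry, '#' comments.

# Print the value of the first matching psad.conf key, without the ';'.
psad_conf_get() {
    # $1 = config file, $2 = key name
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\(.*\);[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Count IPT_AUTO_CHAIN<n> entries, i.e. auto-chains psad would create.
psad_auto_chain_count() {
    # grep -c exits 1 on zero matches; '|| true' keeps the "0" it printed.
    n=$(grep -c '^[[:space:]]*IPT_AUTO_CHAIN[0-9]\{1,\}[[:space:]]' "$1" || true)
    echo "${n:-0}"
}

# Return 0 when the combination is safe, 1 when insertion into a freshly
# created (empty) auto-chain would fail with an out-of-range rule number.
check_psad_rulenum() {
    conf="$1"
    rulenum=$(psad_conf_get "$conf" IPTABLES_AUTO_RULENUM)
    chains=$(psad_auto_chain_count "$conf")
    if [ "$chains" -gt 0 ] && [ "${rulenum:-1}" != 1 ]; then
        echo "$conf: IPTABLES_AUTO_RULENUM is '$rulenum' but $chains auto-chain(s)" \
             "are configured; a new auto-chain is empty, so inserting at" \
             "rule number $rulenum is out of range. Set IPTABLES_AUTO_RULENUM to 1." >&2
        return 1
    fi
    return 0
}

# Constructed sample configurations (not real psad.conf files).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/safe.conf" <<'EOF'
### auto-chain in use, rule number 1: the only working combination
IPTABLES_AUTO_RULENUM   1;
IPT_AUTO_CHAIN1         DROP, src, filter, INPUT, PSAD_BLOCK_INPUT;
EOF
cat > "$demo_dir/trap.conf" <<'EOF'
### auto-chain in use, but rule number 4: insertion into an empty chain fails
IPTABLES_AUTO_RULENUM   4;
IPT_AUTO_CHAIN1         DROP, src, filter, INPUT, PSAD_BLOCK_INPUT;
EOF
cat > "$demo_dir/nochain.conf" <<'EOF'
### no auto-chains configured: a rule number above 1 is not flagged
IPTABLES_AUTO_RULENUM   4;
EOF

for f in safe trap nochain; do
    if check_psad_rulenum "$demo_dir/$f.conf"; then
        echo "$f.conf: ok"
    else
        echo "$f.conf: would fail at rule-insertion time"
    fi
done
```

Only the combination of at least one IPT_AUTO_CHAIN entry with a rule number other than 1 is rejected; a configuration without auto-chains keeps whatever IPTABLES_AUTO_RULENUM it has, since there the setting refers to a chain that already holds rules.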