Your message dated Mon, 03 Jul 2023 23:42:51 +0000 with message-id <[email protected]> and subject line Bug#1040239: Removed package(s) from unstable has caused the Debian Bug report #908655, regarding apf-firewall: The rules activated by PKT_SANITY_STUFFED are overzealous and block DSL customers to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 908655: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908655 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: apf-firewall Version: 9.7+rev1-5 Severity: normal Dear Maintainer, thanks for the time you make available for maintaining packages in Debian. I just had an issue in apf-firewall I hopefully expressed understandably below. * What led up to the situation? I got a report that someone could only access my website via his mobile phone, not via his landline internet access. After switching off apf-firewall access was possible, further investigation revealed a conceptional mistake. * What exactly did you do (or not do) that was effective (or ineffective)? Added the IP address directly to the allow hosts. * What was the outcome of this action? Access to website was restored, then went on to hunt rules which triggered with the orignal rulesets. Found the source rule in bt.rules and went and deactivated PKT_SANITY_STUFFED. Not every 0.0.0.255 is a broadcast, and even .191, .127 or .63 may be, why not also block those? * What outcome did you expect instead? Not to block 0.0.0.255 as you can't tell how the provider uses a big allocation like 92.252.0.0/17AS15747 for his customers. netnum: 92.252.8.0 - 92.252.111.255 With kind regards Peter -- System Information: Debian Release: 9.5 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable') Architecture: amd64 (x86_64) Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores) Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) Versions of packages apf-firewall depends on: ii iproute 1:4.9.0-1+deb9u1 ii iptables 1.6.0+snapshot20161117-6 ii lsb-base 9.20161125 ii wget 1.18-5+deb9u2 apf-firewall recommends no packages. apf-firewall suggests no packages. -- Configuration Files: /etc/apf-firewall/allow_hosts.rules changed: 92.252.xx.255 /etc/apf-firewall/conf.apf changed: DEVEL_MODE="0" INSTALL_PATH="/etc/apf-firewall" IFACE_IN="eth0" IFACE_OUT="eth0" IFACE_TRUSTED="" SET_VERBOSE="1" SET_FASTLOAD="0" SET_VNET="0" SET_ADDIFACE="0" SET_MONOKERN="0" SET_REFRESH="30" SET_TRIM="150" VF_ROUTE="1" VF_CROND="1" VF_LGATE="" RAB="1" RAB_SANITY="1" RAB_PSCAN_LEVEL="2" RAB_HITCOUNT="1" RAB_TIMER="300" RAB_TRIP="1" RAB_LOG_HIT="1" RAB_LOG_TRIP="0" TCP_STOP="RESET" UDP_STOP="RESET" ALL_STOP="DROP" PKT_SANITY="1" PKT_SANITY_INV="1" PKT_SANITY_FUDP="1" PKT_SANITY_PZERO="1" PKT_SANITY_STUFFED="0" TOS_DEF="0" TOS_DEF_RANGE="512:65535" TOS_0="" TOS_2="" TOS_4="" TOS_8="80,443" TOS_16="25,110,143,22" TCR_PASS="1" TCR_PORTS="33434:33534" ICMP_LIM="30/s" RESV_DNS="1" RESV_DNS_DROP="1" BLK_P2P_PORTS="" BLK_PORTS="111,135_139,445,513,520,1234,1433,1434,1524,3127" BLK_MCATNET="1" BLK_PRVNET="1" BLK_RESNET="1" BLK_IDENT="1" SYSCTL_CONNTRACK="34576" SYSCTL_TCP="1" SYSCTL_SYN="1" SYSCTL_ROUTE="1" SYSCTL_LOGMARTIANS="1" SYSCTL_ECN="1" SYSCTL_SYNCOOKIES="1" SYSCTL_OVERFLOW="0" HELPER_SSH="1" HELPER_SSH_PORT="22" HELPER_FTP="0" HELPER_FTP_PORT="21" HELPER_FTP_DATA="20" IG_TCP_CPORTS="22,25,465,587,80,443,993,995,1011,30033" IG_UDP_CPORTS="9987" IG_ICMP_TYPES="3,5,11,0,30,8" EGF="0" EG_TCP_CPORTS="21,25,80,443,43" EG_UDP_CPORTS="20,21,53" EG_ICMP_TYPES="all" EG_TCP_UID="" EG_UDP_UID="" EG_DROP_CMD="eggdrop psybnc bitchx BitchX init udp.pl" DLIST_PHP="1" DLIST_PHP_URL="rfxn.com/downloads/php_list" DLIST_PHP_URL_PROT="http" DLIST_SPAMHAUS="1" DLIST_SPAMHAUS_URL="www.spamhaus.org/drop/drop.lasso" DLIST_SPAMHAUS_URL_PROT="http" DLIST_DSHIELD="1" DLIST_DSHIELD_URL="feeds.dshield.org/top10-2.txt" DLIST_DSHIELD_URL_PROT="http" DLIST_RESERVED="1" DLIST_RESERVED_URL="rfxn.com/downloads/reserved.networks" DLIST_RESERVED_URL_PROT="http" DLIST_ECNSHAME="0" DLIST_ECNSHAME_URL="rfxn.com/downloads/ecnshame.lst" DLIST_ECNSHAME_URL_PROT="http" USE_RGT="0" GA_URL="yourhost.com/glob_allow.rules" GA_URL_PROT="http" GD_URL="yourhost.com/glob_deny.rules" GD_URL_PROT="http" LOG_DROP="0" LOG_LEVEL="crit" LOG_TARGET="LOG" LOG_IA="1" LOG_LGATE="0" LOG_EXT="0" LOG_RATE="30" LOG_APF="/var/log/apf_log" CNFINT="$INSTALL_PATH/internals/internals.conf" . $CNFINT /etc/default/apf-firewall changed: RUN="yes" -- no debconf information
--- End Message ---
--- Begin Message ---Version: 9.7+rev1-7+rm Dear submitter, as the package apf-firewall has just been removed from the Debian archive unstable we hereby close the associated bug reports. We are sorry that we couldn't deal with your issue properly. For details on the removal, please see https://bugs.debian.org/1040239 The version of this package that was in Debian prior to this removal can still be found using https://snapshot.debian.org/. Please note that the changes have been done on the master archive and will not propagate to any mirrors until the next dinstall run at the earliest. This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]. Debian distribution maintenance software pp. Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---
