Bug#594326: arno-iptables-firewall leaves Debian hosts open on ipv6 without warning the user
Thanks, that patch works against 1.9.2.k-2 (when applied with patch -F 3).

r...@ermintrude:/usr/share/arno-iptables-firewall# ip6tables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 5 packets, 908 bytes)
 pkts bytes target     prot opt in     out     source               destination

Tim.

-- 
South East Open Source Solutions Limited
Registered in England and Wales with company number 06134732.
Registered Office: 2 Powell Gardens, Redhill, Surrey, RH1 1TQ
VAT number: 900 6633 53
http://seoss.co.uk/  +44-(0)1273-808309

-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#594326: arno-iptables-firewall leaves Debian hosts open on ipv6 without warning the user
Package: arno-iptables-firewall
Version: 1.9.2.k-2
Severity: normal
Tags: upstream ipv6

Although the version of arno-iptables-firewall contains preliminary ipv6 support, it is turned off by default, and it doesn't appear that it can be enabled at the same time as ipv4 support is enabled.

Running arno-iptables-firewall on a default squeeze install leaves the following firewall policy in place for IPv6 packets:

r...@ermintrude:/home/tim# ip6tables -L -v
Chain INPUT (policy ACCEPT 18163 packets, 3581K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17501 packets, 3428K bytes)
 pkts bytes target     prot opt in     out     source               destination

As IPv6 is enabled by default in Debian, this leaves hosts vulnerable to attacks via IPv6. E.g. without any IPv6 infrastructure in place it leaves machines open to the local LAN via the IPv6 automatic link-local IP addresses:

r...@ermintrude:/home/tim# ping6 -c 2 -I eth0 ff02::1
PING ff02::1(ff02::1) from fe80::201:3ff:fe48:4f1e ethInet: 56 data bytes
64 bytes from fe80::201:3ff:fe48:4f1e: icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from fe80::2e0:81ff:fe74:9783: icmp_seq=1 ttl=64 time=0.302 ms (DUP!)
64 bytes from fe80::240:48ff:feb1:175e: icmp_seq=1 ttl=64 time=0.414 ms (DUP!)
64 bytes from fe80::20c:29ff:fef8:aa3: icmp_seq=1 ttl=64 time=0.528 ms (DUP!)
64 bytes from fe80::20c:29ff:fecb:3cac: icmp_seq=1 ttl=64 time=0.642 ms (DUP!)
[...]

r...@ermintrude:/home/tim# nmap -PN -6 fe80::240:48ff:feb1:175e%eth0

Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-25 10:57 BST
Interesting ports on fe80::240:48ff:feb1:175e:
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
179/tcp open  bgp
[...]

but with fully routable IPv6 in place (as may well become commonplace during the lifetime of newly installed machines), attacks against machines would be possible from the Internet at large.

Whilst not intrinsically a problem with arno-iptables-firewall, it is at the very least probably not what the user was expecting, and it would be very useful if the user was alerted to this current behaviour (i.e. arno-iptables-firewall will not block any inbound IPv6 traffic, even when tight controls on IPv4 exist), along with information on how to block or disable IPv6, if that's what they wish to do (in the absence of useful IPv6 support by the package).

Thanks,

Tim.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-openvz-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages arno-iptables-firewall depends on:
ii  debconf   1.5.35           Debian configuration management sy
ii  gawk      1:3.1.7.dfsg-5   GNU awk, a pattern scanning and pr
ii  iproute   20100519-3       networking and traffic control too
ii  iptables  1.4.8-3          administration tools for packet fi

Versions of packages arno-iptables-firewall recommends:
ii  dnsutils  1:9.7.1.dfsg.P2-2  Clients provided with BIND
ii  lynx      2.8.8dev.4-2       Text-mode WWW Browser (transitiona

arno-iptables-firewall suggests no packages.

-- Configuration Files:
/etc/arno-iptables-firewall/custom-rules changed [not included]
/etc/arno-iptables-firewall/firewall.conf changed [not included]

-- debconf information excluded
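A check for the condition this report demonstrates (every ip6tables built-in chain at policy ACCEPT while IPv4 is tightly filtered), as an added example that is not part of the bug report or of arno-iptables-firewall: it parses `ip6tables -L -v` output and names the chains that are open, and succeeds only when none is. The two sample listings are constructed from the ACCEPT output quoted in this report and the DROP output Tim posted after applying the patch; the function names and the `warn_if_ipv6_open` wrapper are my own.

```shell
#!/bin/sh
# Detect ip6tables built-in chains whose default policy is ACCEPT.
# Input is the text of `ip6tables -L -v` (or `-L -v -n`), passed as a string.

# Constructed sample: the policy Tim reported on a default squeeze install.
IPV6_OPEN='Chain INPUT (policy ACCEPT 18163 packets, 3581K bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy ACCEPT 17501 packets, 3428K bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed sample: the policy after the fix was applied.
IPV6_CLOSED='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
Chain OUTPUT (policy DROP 5 packets, 908 bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Print, one per line, the names of chains whose policy is ACCEPT.
# Pure POSIX sh (no awk/grep), so it runs on a minimal install.
accept_chains() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        case "$line" in
            "Chain "*"(policy ACCEPT "*)
                rest=${line#Chain }            # strip the "Chain " prefix
                printf '%s\n' "${rest%% *}"    # chain name is the next word
                ;;
        esac
    done
}

# Succeed (exit 0) only when no built-in chain defaults to ACCEPT.
ipv6_filter_closed() {
    [ -z "$(accept_chains "$1")" ]
}

# Hypothetical wrapper for a real host: warn the operator if IPv6 is wide
# open. Needs ip6tables and root; not exercised by the samples above.
warn_if_ipv6_open() {
    listing=$(ip6tables -L -v -n 2>/dev/null) || return 0   # no IPv6 netfilter: nothing to check
    if ! ipv6_filter_closed "$listing"; then
        echo "WARNING: ip6tables chains with policy ACCEPT:" $(accept_chains "$listing") >&2
        return 1
    fi
}
```

Run `warn_if_ipv6_open` from a boot-time script or a cron job to get the alert the report asks for until the package filters IPv6 itself.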
Bug#594326: arno-iptables-firewall leaves Debian hosts open on ipv6 without warning the user
This was the intended behaviour, but due to a bug it doesn't work. I'll fix it today, hopefully Debian will backport the fix or allow upcoming 1.9.2k to enter Squeeze.

cheers,
Arno

Thanks for the report

On 8/25/2010 12:09, Tim Small wrote:
> Package: arno-iptables-firewall
> Version: 1.9.2.k-2
> Severity: normal
> Tags: upstream ipv6
> [...]

-- 
Arno van Amersfoort
E-mail: arn...@rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---
Arno's (Linux IPTABLES Firewall) Homepage: http://rocky.eld.leidenuniv.nl
Bug#594326: arno-iptables-firewall leaves Debian hosts open on ipv6 without warning the user
Hi Arno,

On Wed, Aug 25, 2010 at 01:33:08PM +0200, Arno van Amersfoort wrote:
> This was the intended behaviour, but due to a bug it doesn't work. I'll fix it today, hopefully Debian will backport the fix or allow upcoming 1.9.2k to enter Squeeze.

Could you please provide me with a bugfix patch for the current -k release that fixes this. I'm not sure that a complete new upstream release will make it into squeeze (unless it doesn't have anything but bugfixes).

Thanks,

Arno

-- 
GPG key: 1024D/3144BE0F
Michael Hanke
http://mih.voxindeserto.de
Bug#594326: arno-iptables-firewall leaves Debian hosts open on ipv6 without warning the user
Modified: trunk/share/arno-iptables-firewall/environment
===
--- trunk/share/arno-iptables-firewall/environment	2010-08-25 07:50:13 UTC (rev 274)
+++ trunk/share/arno-iptables-firewall/environment	2010-08-25 12:01:51 UTC (rev 275)
@@ -391,7 +391,11 @@
 printf \033[40m\033[1;31msysctl $@: ($retval) $result\033[0m\n 2
 return $retval
 fi
- echo ${INDENT}sysctl $@
+
+ if [ -n $result ]; then
+echo ${INDENT}$result
+ fi
+
 return 0
 }
 
@@ -424,7 +428,9 @@
 retval=$?
 if [ $retval = 0 ]; then
-echo ${INDENT}${sysctl_commandline}
+if [ -n $result ]; then
+ echo ${INDENT}$result
+fi
 return 0
 else
 printf \033[40m\033[1;31m${sysctl_commandline}: ($retval) $result\033[0m\n 2

This is the patch for 1.9.2l-DEVEL. Maybe it doesn't work on 1.9.2k properly, but the bottom line is that sysctl() should only output its result when it's non-empty, and only that, not its full commandline as it breaks greps using the result.

cheers,
Arno

On 8/25/2010 14:15, Michael Hanke wrote:
> Hi Arno,
>
> Could you please provide me with a bugfix patch for the current -k release that fixes this. I'm not sure that a complete new upstream release will make it into squeeze (unless it doesn't have anything but bugfixes).
> [...]
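Review bot: in both hunks the new test `if [ -n $result ]; then` has `$result` unquoted as shown; if the file really lacks the quotes (they may simply have been lost in transit), an empty `$result` makes the test collapse to `[ -n ]`, which is true in POSIX sh, so the empty case that the patch is meant to suppress would still print a bare `${INDENT}` line. Write it as `if [ -n "$result" ]; then`, and quote the echo too (`echo "${INDENT}${result}"`) so a multi-word sysctl result is not word-split and re-joined with single spaces before anything downstream greps it.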