Bug#594326: arno-iptables-firewall leaves Debian hosts open on ipv6 without warning the user

2010-08-26 Thread Tim Small

Thanks,

That patch works against 1.9.2.k-2  (when applied with patch -F 3).

r...@ermintrude:/usr/share/arno-iptables-firewall# ip6tables -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 5 packets, 908 bytes)
 pkts bytes target     prot opt in     out     source               destination


Tim.

--
South East Open Source Solutions Limited
Registered in England and Wales with company number 06134732.
Registered Office: 2 Powell Gardens, Redhill, Surrey, RH1 1TQ
VAT number: 900 6633 53  http://seoss.co.uk/ +44-(0)1273-808309




--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org



Bug#594326: arno-iptables-firewall leaves Debian hosts open on ipv6 without warning the user

2010-08-25 Thread Tim Small
Package: arno-iptables-firewall
Version: 1.9.2.k-2
Severity: normal
Tags: upstream ipv6

Although the version of arno-iptables-firewall contains preliminary ipv6
support, it is turned off by default, and it doesn't appear that it can
be enabled at the same time as ipv4 support is enabled.  Running
arno-iptables-firewall on a default squeeze install leaves the following
firewall policy in place for IPv6 packets:

r...@ermintrude:/home/tim# ip6tables -L -v
Chain INPUT (policy ACCEPT 18163 packets, 3581K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17501 packets, 3428K bytes)
 pkts bytes target     prot opt in     out     source               destination


As IPv6 is enabled by default in Debian, this leaves hosts vulnerable to
attacks via IPv6.  e.g. without any IPv6 infrastructure in place it
leaves machines open to the local LAN via the IPv6 automatic link-local
IP addresses:

r...@ermintrude:/home/tim# ping6 -c 2 -I eth0 ff02::1
PING ff02::1(ff02::1) from fe80::201:3ff:fe48:4f1e eth0: 56 data bytes
64 bytes from fe80::201:3ff:fe48:4f1e: icmp_seq=1 ttl=64 time=0.020 ms
64 bytes from fe80::2e0:81ff:fe74:9783: icmp_seq=1 ttl=64 time=0.302 ms (DUP!)
64 bytes from fe80::240:48ff:feb1:175e: icmp_seq=1 ttl=64 time=0.414 ms (DUP!)
64 bytes from fe80::20c:29ff:fef8:aa3: icmp_seq=1 ttl=64 time=0.528 ms (DUP!)
64 bytes from fe80::20c:29ff:fecb:3cac: icmp_seq=1 ttl=64 time=0.642 ms (DUP!)
[...]
r...@ermintrude:/home/tim# nmap -PN -6 fe80::240:48ff:feb1:175e%eth0

Starting Nmap 5.00 ( http://nmap.org ) at 2010-08-25 10:57 BST
Interesting ports on fe80::240:48ff:feb1:175e:
Not shown: 998 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
179/tcp open  bgp
[...]

but with fully routable IPv6 in place (as may well become commonplace during the
lifetime of newly installed machines), attacks against machines would be
possible from the Internet at large.

Whilst not intrinsically a problem with arno-iptables-firewall, it is at the
very least probably not what the user was expecting, and it would be very
useful if the user was alerted to this current behaviour (i.e.
arno-iptables-firewall will not block any inbound IPv6 traffic, even
when tight controls on IPv4 exist), along with information on how
to block or disable IPv6, if that's what they wish to do (in the absence of
useful IPv6 support by the package).

Thanks,

Tim.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-openvz-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages arno-iptables-firewall depends on:
ii  debconf   1.5.35 Debian configuration management sy
ii  gawk  1:3.1.7.dfsg-5 GNU awk, a pattern scanning and pr
ii  iproute   20100519-3 networking and traffic control too
ii  iptables  1.4.8-3administration tools for packet fi

Versions of packages arno-iptables-firewall recommends:
ii  dnsutils   1:9.7.1.dfsg.P2-2 Clients provided with BIND
ii  lynx   2.8.8dev.4-2  Text-mode WWW Browser (transitiona

arno-iptables-firewall suggests no packages.

-- Configuration Files:
/etc/arno-iptables-firewall/custom-rules changed [not included]
/etc/arno-iptables-firewall/firewall.conf changed [not included]

-- debconf information excluded



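
The manual check in the report above (list the ip6tables chains, look at the policy of each) can be scripted. The following is an added example written for this thread, not code from the bug report or from the arno-iptables-firewall package. It parses `ip6tables -L -v` output on stdin, prints the built-in chains whose default policy is not DROP and returns non-zero if there are any. The two sample listings are constructed from the output posted in this thread; `audit_live_host` is a hypothetical wrapper name.

```sh
#!/bin/sh
# Added example, not part of arno-iptables-firewall or of the bug report.
# ip6_policy_audit reads `ip6tables -L -v` output on stdin, prints the names
# of the built-in chains whose policy is not DROP (space separated, one line)
# and returns 1 if any such chain exists, 0 when all three are DROP.
ip6_policy_audit() {
    awk '
        # A chain header looks like: Chain INPUT (policy ACCEPT 18163 packets, ...)
        /^Chain (INPUT|FORWARD|OUTPUT) \(policy / {
            chain  = $2
            policy = $4
            if (policy != "DROP") open = open " " chain
        }
        END {
            sub(/^ /, "", open)
            if (open != "") { print open; exit 1 }
            exit 0
        }'
}

# Constructed sample: the wide-open table from the report (ACCEPT everywhere).
OPEN_SAMPLE='Chain INPUT (policy ACCEPT 18163 packets, 3581K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 17501 packets, 3428K bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# Constructed sample: the table after the patch (DROP everywhere).
CLOSED_SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 5 packets, 908 bytes)
 pkts bytes target     prot opt in     out     source               destination
'

# Run the audit against either constructed sample, or (as root) the live table.
audit_open_sample()   { printf '%s' "$OPEN_SAMPLE"   | ip6_policy_audit; }
audit_closed_sample() { printf '%s' "$CLOSED_SAMPLE" | ip6_policy_audit; }
audit_live_host()     { ip6tables -L -v -n | ip6_policy_audit; }   # hypothetical name, needs root

# Usage on a live host:
#   audit_live_host || echo "IPv6 chains with a non-DROP policy listed above"
```

Note that the post-patch table in this thread is three DROP policies with no rules at all; that also drops inbound ICMPv6 neighbour discovery, so it amounts to switching IPv6 off on the host rather than filtering it, which is what the report asks for while the package has no usable IPv6 support.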



Bug#594326: arno-iptables-firewall leaves Debian hosts open on ipv6 without warning the user

2010-08-25 Thread Arno van Amersfoort
This was the intended behaviour, but due to a bug it doesn't work. I'll 
fix it today, hopefully Debian will backport the fix or allow upcoming 
1.9.2k to enter Squeeze.


cheers,

Arno

Thanks for the report

On 8/25/2010 12:09, Tim Small wrote:


--
Arno van Amersfoort
E-mail: arn...@rocky.eld.leidenuniv.nl
Donations are welcome through Paypal!
---
Arno's (Linux IPTABLES Firewall) Homepage:
http://rocky.eld.leidenuniv.nl






Bug#594326: arno-iptables-firewall leaves Debian hosts open on ipv6 without warning the user

2010-08-25 Thread Michael Hanke
Hi Arno,

On Wed, Aug 25, 2010 at 01:33:08PM +0200, Arno van Amersfoort wrote:
 This was the intended behaviour, but due to a bug it doesn't work.
 I'll fix it today, hopefully Debian will backport the fix or allow
 upcoming 1.9.2k to enter Squeeze.

Could you please provide me with a bugfix patch for the current -k
release that fixes this. I'm not sure that a complete new upstream
release will make it into squeeze (unless it doesn't have anything but
bugfixes).

Thanks,

Arno

-- 
GPG key:  1024D/3144BE0F Michael Hanke
http://mih.voxindeserto.de






Bug#594326: arno-iptables-firewall leaves Debian hosts open on ipv6 without warning the user

2010-08-25 Thread Arno van Amersfoort

Modified: trunk/share/arno-iptables-firewall/environment
===
--- trunk/share/arno-iptables-firewall/environment	2010-08-25 07:50:13 
UTC (rev 274)
+++ trunk/share/arno-iptables-firewall/environment	2010-08-25 12:01:51 
UTC (rev 275)

@@ -391,7 +391,11 @@
 printf \033[40m\033[1;31msysctl $@: ($retval) $result\033[0m\n 2
 return $retval
   fi
-  echo ${INDENT}sysctl $@
+
+  if [ -n $result ]; then
+echo ${INDENT}$result
+  fi
+
   return 0
 }

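Review bot: the added `if [ -n $result ]; then` needs double quotes around `$result` (`if [ -n "$result" ]; then`), unless the extraction dropped them, as it evidently did on the `printf` line above, which also shows no quotes and a bare `2` where `>&2` belongs. As written, an empty result turns `[ -n ]` into a one-argument test that is true (the argument is the non-empty string `-n`), so an empty line is still echoed and the grep the fix is meant to help still sees spurious output; a result containing spaces (a `key = value` line) gives `[` too many arguments and the value is not printed at all. `echo ${INDENT}$result` should likewise be `echo "${INDENT}$result"` so the value is not word-split.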
@@ -424,7 +428,9 @@
   retval=$?

   if [ $retval = 0 ]; then
-echo ${INDENT}${sysctl_commandline}
+if [ -n $result ]; then
+  echo ${INDENT}$result
+fi
 return 0
   else
 printf \033[40m\033[1;31m${sysctl_commandline}: ($retval) 
$result\033[0m\n 2
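Review bot: the success branch here repeats the conditional echo just added to the other function in the first hunk, with the same unquoted `$result` in `if [ -n $result ]; then`; quote it, and consider moving the "print the result only if non-empty" step into one helper that both functions call so the two cannot drift apart again. Since the whole point of the change is that callers grep stdout for the sysctl value, a comment on the function stating that contract (stdout carries only sysctl's own output; the command line is reported on stderr only on failure, together with `$retval`) would stop a later edit from reintroducing the `echo ${INDENT}${sysctl_commandline}` that caused this bug.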



This is the patch for 1.9.2l-DEVEL. Maybe it doesn't work on 1.9.2k 
properly, but the bottom line is that sysctl() should only output 
its result when it's non-empty, and only that, not its full command line, 
as it breaks the greps using the result.



cheers,

Arno

On 8/25/2010 14:15, Michael Hanke wrote:





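
To make the failure mode concrete, here is an added example (not the package's own `sysctl()` helper, and not code from this thread) of the contract Arno describes: a wrapper that prints only what sysctl returned, next to the old behaviour that printed the command line, and a caller that greps the output the way the firewall script does. `SYSCTL_BIN` is a hypothetical hook so the demo runs without root or a real `/proc/sys`; `fake_sysctl`, `sysctl_buggy`, `sysctl_fixed` and `ipv6_disabled_via` are names chosen for this example.

```sh
#!/bin/sh
# Added example, not the arno-iptables-firewall sysctl() helper.
# SYSCTL_BIN lets the demo substitute a stand-in for sysctl(8); on a real
# host leave it unset and the wrappers call the real binary.
SYSCTL_BIN=${SYSCTL_BIN:-sysctl}

# Constructed stand-in for sysctl(8): knows one key, fails on anything else
# with the same shape of message the real tool prints for a missing key.
fake_sysctl() {
    case "$*" in
        "net.ipv6.conf.all.disable_ipv6"|"-w net.ipv6.conf.all.disable_ipv6=1")
            echo "net.ipv6.conf.all.disable_ipv6 = 1" ;;
        *)
            echo "sysctl: cannot stat /proc/sys/$1: No such file or directory" >&2
            return 255 ;;
    esac
}

# Old behaviour (the bug): on success, echo the command line instead of the
# value, so a caller grepping for "= 1" never matches.
sysctl_buggy() {
    result=$("$SYSCTL_BIN" "$@" 2>&1) && rc=0 || rc=$?
    [ "$rc" -eq 0 ] || return "$rc"
    echo "sysctl $*"
}

# Fixed behaviour: stdout carries only sysctl's own output, and only when it
# is non-empty; failures go to stderr with the command line and the status.
sysctl_fixed() {
    result=$("$SYSCTL_BIN" "$@" 2>&1) && rc=0 || rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "sysctl $*: ($rc) $result" >&2
        return "$rc"
    fi
    # $result must be quoted: an unquoted [ -n $result ] is true when result is
    # empty, and breaks on a "key = value" string containing spaces.
    if [ -n "$result" ]; then
        echo "$result"
    fi
    return 0
}

# A caller in the style the bug describes: decide whether IPv6 is disabled by
# grepping the wrapper's output for "= 1". $1 names which wrapper to use.
ipv6_disabled_via() {
    "$1" net.ipv6.conf.all.disable_ipv6 | grep -q '= 1'
}

# Demo with the stand-in (no root needed):
#   SYSCTL_BIN=fake_sysctl ipv6_disabled_via sysctl_buggy && echo disabled   # never prints
#   SYSCTL_BIN=fake_sysctl ipv6_disabled_via sysctl_fixed && echo disabled   # prints "disabled"
```

The grep in `ipv6_disabled_via` only works because `sysctl_fixed` keeps stdout clean; a caller that cannot tolerate an empty result should also check the wrapper's return status rather than treating empty output as failure.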