[Firehol-support] firehol creates open firewall!

paracas at vodafone.net paracas at vodafone.net
Thu Jun 9 13:46:10 BST 2005


Cheers Costa, nice to be answered from the Firehol Main Man himself!

RHEL has an /etc/sysconfig/iptables which is used by default , so perhaps that is interfering with things. I'll see if I can work out how that might interfere.

I ran a 'firehol explain' and it didn't seem to give any errors (if bash was faulty, would you expect to see some errors in there?).

Here's the output of firehol debug; again I don't see any errors in there:

# /etc/init.d/firehol debug
FireHOL: Saving your old firewall to a temporary file:     [  OK  ]
FireHOL: Processing file /etc/firehol/firehol.conf:        [  OK  ]
#!/bin/sh

load_kernel_module ip_tables
load_kernel_module ip_conntrack

# Find all tables supported
tables=`/bin/cat /proc/net/ip_tables_names`
for t in ${tables}
do
        # Reset/empty this table.
        /sbin/iptables -t "${t}" -F >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
        r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -F

        /sbin/iptables -t "${t}" -X >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
        r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -X

        /sbin/iptables -t "${t}" -Z >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
        r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -Z

        # Find all default chains in this table.
        chains=`/sbin/iptables -t "${t}" -nL | /bin/grep "^Chain " | /bin/cut -d ' ' -f 2`

        # If this is the 'filter' table, remember the default chains.
        # This will be used at the end to make it DROP all packets.
        test "${t}" = "filter" && firehol_filter_chains="${chains}"

        # Set the policy to ACCEPT on all default chains.
        for c in ${chains}
        do
                /sbin/iptables -t "${t}" -P "${c}" ACCEPT >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
                r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -P "${c}" ACCEPT
        done
done

/sbin/iptables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}" >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}"

/sbin/iptables -t filter -P OUTPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}" >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P OUTPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}"

/sbin/iptables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}" >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}"

# Accept everything in/out the loopback device.
if [ "${FIREHOL_TRUST_LOOPBACK}" = "1" ]
then
        /sbin/iptables -A INPUT -i lo -j ACCEPT
        /sbin/iptables -A OUTPUT -o lo -j ACCEPT
fi

# Drop all invalid packets.
# Netfilter HOWTO suggests to DROP all INVALID packets.
if [ "${FIREHOL_DROP_INVALID}" = "1" ]
then
        /sbin/iptables -A INPUT -m state --state INVALID -j DROP
        /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
        /sbin/iptables -A FORWARD -m state --state INVALID -j DROP
fi



# === CONFIGURATION STATEMENT =================================================
# CONF:INIT>>>  version 5



# === CONFIGURATION STATEMENT =================================================
# CONF:  3>>>   interface eth1 mylan


# INFO>>> Creating chain 'in_mylan' under 'INPUT' in table 'filter'
/sbin/iptables -t filter -N in_mylan
/sbin/iptables -t filter -A INPUT -j in_mylan

# INFO>>> Creating chain 'out_mylan' under 'OUTPUT' in table 'filter'
/sbin/iptables -t filter -N out_mylan
/sbin/iptables -t filter -A OUTPUT -j out_mylan


# === CONFIGURATION STATEMENT =================================================
# CONF:  5>>>           policy reject


# INFO>>> Setting interface 'eth1' (mylan) policy to reject


# === CONFIGURATION STATEMENT =================================================
# CONF:  6>>>           server ssh accept


# INFO>>> Preparing for service 'ssh' of type 'server' under interface 'mylan'

# INFO>>> Creating chain 'in_mylan_ssh_s1' under 'in_mylan' in table 'filter'
/sbin/iptables -t filter -N in_mylan_ssh_s1
/sbin/iptables -t filter -A in_mylan -j in_mylan_ssh_s1

# INFO>>> Creating chain 'out_mylan_ssh_s1' under 'out_mylan' in table 'filter'
/sbin/iptables -t filter -N out_mylan_ssh_s1
/sbin/iptables -t filter -A out_mylan -j out_mylan_ssh_s1

# INFO>>> Running simple rules for  server 'ssh'
/sbin/iptables -t filter -A in_mylan_ssh_s1 -j ACCEPT
/sbin/iptables -t filter -A out_mylan_ssh_s1 -j ACCEPT


# === CONFIGURATION STATEMENT =================================================
# CONF:  7>>>           client ssh accept


# INFO>>> Preparing for service 'ssh' of type 'client' under interface 'mylan'

# INFO>>> Creating chain 'in_mylan_ssh_c2' under 'in_mylan' in table 'filter'
/sbin/iptables -t filter -N in_mylan_ssh_c2
/sbin/iptables -t filter -A in_mylan -j in_mylan_ssh_c2

# INFO>>> Creating chain 'out_mylan_ssh_c2' under 'out_mylan' in table 'filter'
/sbin/iptables -t filter -N out_mylan_ssh_c2
/sbin/iptables -t filter -A out_mylan -j out_mylan_ssh_c2

# INFO>>> Running simple rules for  client 'ssh'
/sbin/iptables -t filter -A out_mylan_ssh_c2 -j ACCEPT
/sbin/iptables -t filter -A in_mylan_ssh_c2 -j ACCEPT


# === CONFIGURATION STATEMENT =================================================
# CONF:  9>>>   interface eth0 internet


# INFO>>> Finilizing interface 'mylan'
/sbin/iptables -t filter -A in_mylan -j ACCEPT
/sbin/iptables -t filter -A out_mylan -j ACCEPT
/sbin/iptables -t filter -A in_mylan -m limit --limit 1/second --limit-burst 5 -j LOG
/sbin/iptables -t filter -A in_mylan -j REJECT
/sbin/iptables -t filter -A out_mylan -m limit --limit 1/second --limit-burst 5 -j LOG
/sbin/iptables -t filter -A out_mylan -j REJECT

# INFO>>> Creating chain 'in_internet' under 'INPUT' in table 'filter'
/sbin/iptables -t filter -N in_internet
/sbin/iptables -t filter -A INPUT -j in_internet

# INFO>>> Creating chain 'out_internet' under 'OUTPUT' in table 'filter'
/sbin/iptables -t filter -N out_internet
/sbin/iptables -t filter -A OUTPUT -j out_internet


# === CONFIGURATION STATEMENT =================================================
# CONF: 10>>>           policy reject


# INFO>>> Setting interface 'eth0' (internet) policy to reject


# === CONFIGURATION STATEMENT =================================================
# CONF: 11>>>           server ssh accept


# INFO>>> Preparing for service 'ssh' of type 'server' under interface 'internet'

# INFO>>> Creating chain 'in_internet_ssh_s1' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N in_internet_ssh_s1
/sbin/iptables -t filter -A in_internet -j in_internet_ssh_s1

# INFO>>> Creating chain 'out_internet_ssh_s1' under 'out_internet' in table 'filter'
/sbin/iptables -t filter -N out_internet_ssh_s1
/sbin/iptables -t filter -A out_internet -j out_internet_ssh_s1

# INFO>>> Running simple rules for  server 'ssh'
/sbin/iptables -t filter -A in_internet_ssh_s1 -j ACCEPT
/sbin/iptables -t filter -A out_internet_ssh_s1 -j ACCEPT


# === CONFIGURATION STATEMENT =================================================
# CONF: 12>>>           client ssh accept


# INFO>>> Preparing for service 'ssh' of type 'client' under interface 'internet'

# INFO>>> Creating chain 'in_internet_ssh_c2' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N in_internet_ssh_c2
/sbin/iptables -t filter -A in_internet -j in_internet_ssh_c2

# INFO>>> Creating chain 'out_internet_ssh_c2' under 'out_internet' in table 'filter'
/sbin/iptables -t filter -N out_internet_ssh_c2
/sbin/iptables -t filter -A out_internet -j out_internet_ssh_c2

# INFO>>> Running simple rules for  client 'ssh'
/sbin/iptables -t filter -A out_internet_ssh_c2 -j ACCEPT
/sbin/iptables -t filter -A in_internet_ssh_c2 -j ACCEPT

# INFO>>> Finilizing interface 'internet'
/sbin/iptables -t filter -A in_internet -j ACCEPT
/sbin/iptables -t filter -A out_internet -j ACCEPT
/sbin/iptables -t filter -A in_internet -m limit --limit 1/second --limit-burst 5 -j LOG
/sbin/iptables -t filter -A in_internet -j REJECT
/sbin/iptables -t filter -A out_internet -m limit --limit 1/second --limit-burst 5 -j LOG
/sbin/iptables -t filter -A out_internet -j REJECT

# INFO>>> Finilizing firewall policies
/sbin/iptables -t filter -A INPUT -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -j ACCEPT
/sbin/iptables -t filter -A FORWARD -j ACCEPT
/sbin/iptables -t filter -A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG
/sbin/iptables -t filter -A INPUT -j DROP
/sbin/iptables -t filter -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG
/sbin/iptables -t filter -A OUTPUT -j DROP
/sbin/iptables -t filter -A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG
/sbin/iptables -t filter -A FORWARD -j DROP

# Make it drop everything on table 'filter'.
for c in ${firehol_filter_chains}
do
        /sbin/iptables -t filter -P "${c}" DROP >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
        r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P "${c}" DROP
done


FireHOL: Restoring old firewall:                           [  OK  ]
#

thanks
Robin
 

  
> 
> Try the 'debug' or 'explain' option of FireHOL to verify you don't have a
> faulty BASH.
> 
> Unfortunately, I don't use RHEL myself, so I suggest filing a bug report
> at RedHat for more help.
> 
> Regards,
> 
> Costa
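Added illustration, not part of the original thread or of FireHOL itself: the quoted debug output appends `-j ACCEPT` rules with no match clause (no `-p`, `--dport` or `-m state`) ahead of the LOG and REJECT rules in the same chains, so those later rules can never be reached. The script below, run over a constructed excerpt of that output, flags every chain where an unconditional ACCEPT shadows later terminal rules; the sample text and function names are assumptions made for this example.

```python
"""Flag chains in a generated iptables script where an unconditional
ACCEPT makes the later LOG/REJECT/DROP rules unreachable."""
import shlex

# Constructed sample: lines modelled on the 'firehol debug' output above.
SAMPLE_SCRIPT = """\
/sbin/iptables -t filter -N in_mylan
/sbin/iptables -t filter -A INPUT -j in_mylan
/sbin/iptables -t filter -A in_mylan_ssh_s1 -j ACCEPT
/sbin/iptables -t filter -A in_mylan -j ACCEPT
/sbin/iptables -t filter -A in_mylan -m limit --limit 1/second --limit-burst 5 -j LOG
/sbin/iptables -t filter -A in_mylan -j REJECT
/sbin/iptables -t filter -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
/sbin/iptables -t filter -A INPUT -j DROP
"""


def parse_appends(script):
    """Yield (chain, match_args, target) for each 'iptables ... -A chain ... -j target' line."""
    for line in script.splitlines():
        if "iptables" not in line:
            continue
        argv = shlex.split(line)
        if "-A" not in argv or "-j" not in argv:
            continue  # policy (-P), flush (-F) and chain creation (-N) lines
        a, j = argv.index("-A"), argv.index("-j")
        # Everything between the chain name and -j is the match specification.
        yield argv[a + 1], argv[a + 2:j], argv[j + 1]


def unconditional_accepts(script):
    """Chains that receive an ACCEPT rule with no match clause at all."""
    return {chain for chain, matches, target in parse_appends(script)
            if target == "ACCEPT" and not matches}


def shadowed_rules(script):
    """Map chain -> targets of rules appended after an unconditional ACCEPT
    in that chain; every such rule is dead, so the chain is effectively open."""
    opened, shadowed = set(), {}
    for chain, matches, target in parse_appends(script):
        if chain in opened:
            shadowed.setdefault(chain, []).append(target)
        elif target == "ACCEPT" and not matches:
            opened.add(chain)
    return shadowed


if __name__ == "__main__":
    for chain, dead in shadowed_rules(SAMPLE_SCRIPT).items():
        print(f"{chain}: unconditional ACCEPT shadows {', '.join(dead)}")
```

Pipe the real `firehol debug` output into `shadowed_rules` to get the same report for a live configuration; a healthy chain should report nothing, because its ACCEPT rules carry match clauses.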