[Firehol-support] firehol creates open firewall!
paracas at vodafone.net
Thu Jun 9 13:46:10 BST 2005
Cheers Costa, nice to be answered by the FireHOL Main Man himself!
RHEL has an /etc/sysconfig/iptables which is used by default, so perhaps that is interfering with things. I'll see if I can work out how that might interfere.
I ran a 'firehol explain' and it didn't seem to give any errors (if bash was faulty, would you expect to see some errors in there?).
Here's the output of firehol debug; again I don't see any errors in there:
# /etc/init.d/firehol debug
FireHOL: Saving your old firewall to a temporary file: [ OK ]
FireHOL: Processing file /etc/firehol/firehol.conf: [ OK ]
#!/bin/sh
load_kernel_module ip_tables
load_kernel_module ip_conntrack
# Find all tables supported
tables=`/bin/cat /proc/net/ip_tables_names`
for t in ${tables}
do
# Reset/empty this table.
/sbin/iptables -t "${t}" -F >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -F
/sbin/iptables -t "${t}" -X >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -X
/sbin/iptables -t "${t}" -Z >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -Z
# Find all default chains in this table.
chains=`/sbin/iptables -t "${t}" -nL | /bin/grep "^Chain " | /bin/cut -d ' ' -f 2`
# If this is the 'filter' table, remember the default chains.
# This will be used at the end to make it DROP all packets.
test "${t}" = "filter" && firehol_filter_chains="${chains}"
# Set the policy to ACCEPT on all default chains.
for c in ${chains}
do
/sbin/iptables -t "${t}" -P "${c}" ACCEPT >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t "${t}" -P "${c}" ACCEPT
done
done
/sbin/iptables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}" >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}"
/sbin/iptables -t filter -P OUTPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}" >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P OUTPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}"
/sbin/iptables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}" >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}"
# Accept everything in/out the loopback device.
if [ "${FIREHOL_TRUST_LOOPBACK}" = "1" ]
then
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
fi
# Drop all invalid packets.
# Netfilter HOWTO suggests to DROP all INVALID packets.
if [ "${FIREHOL_DROP_INVALID}" = "1" ]
then
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
/sbin/iptables -A FORWARD -m state --state INVALID -j DROP
fi
# === CONFIGURATION STATEMENT =================================================
# CONF:INIT>>> version 5
# === CONFIGURATION STATEMENT =================================================
# CONF: 3>>> interface eth1 mylan
# INFO>>> Creating chain 'in_mylan' under 'INPUT' in table 'filter'
/sbin/iptables -t filter -N in_mylan
/sbin/iptables -t filter -A INPUT -j in_mylan
# INFO>>> Creating chain 'out_mylan' under 'OUTPUT' in table 'filter'
/sbin/iptables -t filter -N out_mylan
/sbin/iptables -t filter -A OUTPUT -j out_mylan
# === CONFIGURATION STATEMENT =================================================
# CONF: 5>>> policy reject
# INFO>>> Setting interface 'eth1' (mylan) policy to reject
# === CONFIGURATION STATEMENT =================================================
# CONF: 6>>> server ssh accept
# INFO>>> Preparing for service 'ssh' of type 'server' under interface 'mylan'
# INFO>>> Creating chain 'in_mylan_ssh_s1' under 'in_mylan' in table 'filter'
/sbin/iptables -t filter -N in_mylan_ssh_s1
/sbin/iptables -t filter -A in_mylan -j in_mylan_ssh_s1
# INFO>>> Creating chain 'out_mylan_ssh_s1' under 'out_mylan' in table 'filter'
/sbin/iptables -t filter -N out_mylan_ssh_s1
/sbin/iptables -t filter -A out_mylan -j out_mylan_ssh_s1
# INFO>>> Running simple rules for server 'ssh'
/sbin/iptables -t filter -A in_mylan_ssh_s1 -j ACCEPT
/sbin/iptables -t filter -A out_mylan_ssh_s1 -j ACCEPT
# === CONFIGURATION STATEMENT =================================================
# CONF: 7>>> client ssh accept
# INFO>>> Preparing for service 'ssh' of type 'client' under interface 'mylan'
# INFO>>> Creating chain 'in_mylan_ssh_c2' under 'in_mylan' in table 'filter'
/sbin/iptables -t filter -N in_mylan_ssh_c2
/sbin/iptables -t filter -A in_mylan -j in_mylan_ssh_c2
# INFO>>> Creating chain 'out_mylan_ssh_c2' under 'out_mylan' in table 'filter'
/sbin/iptables -t filter -N out_mylan_ssh_c2
/sbin/iptables -t filter -A out_mylan -j out_mylan_ssh_c2
# INFO>>> Running simple rules for client 'ssh'
/sbin/iptables -t filter -A out_mylan_ssh_c2 -j ACCEPT
/sbin/iptables -t filter -A in_mylan_ssh_c2 -j ACCEPT
# === CONFIGURATION STATEMENT =================================================
# CONF: 9>>> interface eth0 internet
# INFO>>> Finilizing interface 'mylan'
/sbin/iptables -t filter -A in_mylan -j ACCEPT
/sbin/iptables -t filter -A out_mylan -j ACCEPT
/sbin/iptables -t filter -A in_mylan -m limit --limit 1/second --limit-burst 5 -j LOG
/sbin/iptables -t filter -A in_mylan -j REJECT
/sbin/iptables -t filter -A out_mylan -m limit --limit 1/second --limit-burst 5 -j LOG
/sbin/iptables -t filter -A out_mylan -j REJECT
# INFO>>> Creating chain 'in_internet' under 'INPUT' in table 'filter'
/sbin/iptables -t filter -N in_internet
/sbin/iptables -t filter -A INPUT -j in_internet
# INFO>>> Creating chain 'out_internet' under 'OUTPUT' in table 'filter'
/sbin/iptables -t filter -N out_internet
/sbin/iptables -t filter -A OUTPUT -j out_internet
# === CONFIGURATION STATEMENT =================================================
# CONF: 10>>> policy reject
# INFO>>> Setting interface 'eth0' (internet) policy to reject
# === CONFIGURATION STATEMENT =================================================
# CONF: 11>>> server ssh accept
# INFO>>> Preparing for service 'ssh' of type 'server' under interface 'internet'
# INFO>>> Creating chain 'in_internet_ssh_s1' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N in_internet_ssh_s1
/sbin/iptables -t filter -A in_internet -j in_internet_ssh_s1
# INFO>>> Creating chain 'out_internet_ssh_s1' under 'out_internet' in table 'filter'
/sbin/iptables -t filter -N out_internet_ssh_s1
/sbin/iptables -t filter -A out_internet -j out_internet_ssh_s1
# INFO>>> Running simple rules for server 'ssh'
/sbin/iptables -t filter -A in_internet_ssh_s1 -j ACCEPT
/sbin/iptables -t filter -A out_internet_ssh_s1 -j ACCEPT
# === CONFIGURATION STATEMENT =================================================
# CONF: 12>>> client ssh accept
# INFO>>> Preparing for service 'ssh' of type 'client' under interface 'internet'
# INFO>>> Creating chain 'in_internet_ssh_c2' under 'in_internet' in table 'filter'
/sbin/iptables -t filter -N in_internet_ssh_c2
/sbin/iptables -t filter -A in_internet -j in_internet_ssh_c2
# INFO>>> Creating chain 'out_internet_ssh_c2' under 'out_internet' in table 'filter'
/sbin/iptables -t filter -N out_internet_ssh_c2
/sbin/iptables -t filter -A out_internet -j out_internet_ssh_c2
# INFO>>> Running simple rules for client 'ssh'
/sbin/iptables -t filter -A out_internet_ssh_c2 -j ACCEPT
/sbin/iptables -t filter -A in_internet_ssh_c2 -j ACCEPT
# INFO>>> Finilizing interface 'internet'
/sbin/iptables -t filter -A in_internet -j ACCEPT
/sbin/iptables -t filter -A out_internet -j ACCEPT
/sbin/iptables -t filter -A in_internet -m limit --limit 1/second --limit-burst 5 -j LOG
/sbin/iptables -t filter -A in_internet -j REJECT
/sbin/iptables -t filter -A out_internet -m limit --limit 1/second --limit-burst 5 -j LOG
/sbin/iptables -t filter -A out_internet -j REJECT
# INFO>>> Finilizing firewall policies
/sbin/iptables -t filter -A INPUT -j ACCEPT
/sbin/iptables -t filter -A OUTPUT -j ACCEPT
/sbin/iptables -t filter -A FORWARD -j ACCEPT
/sbin/iptables -t filter -A INPUT -m limit --limit 1/second --limit-burst 5 -j LOG
/sbin/iptables -t filter -A INPUT -j DROP
/sbin/iptables -t filter -A OUTPUT -m limit --limit 1/second --limit-burst 5 -j LOG
/sbin/iptables -t filter -A OUTPUT -j DROP
/sbin/iptables -t filter -A FORWARD -m limit --limit 1/second --limit-burst 5 -j LOG
/sbin/iptables -t filter -A FORWARD -j DROP
# Make it drop everything on table 'filter'.
for c in ${firehol_filter_chains}
do
/sbin/iptables -t filter -P "${c}" DROP >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t filter -P "${c}" DROP
done
FireHOL: Restoring old firewall: [ OK ]
#
thanks
Robin
>
> Try the 'debug' or 'explain' option of FireHOL to verify you don't have a
> faulty BASH.
>
> Unfortunately, I don't use RHEL myself, so I suggest filing a bug report
> at RedHat for more help.
>
> Regards,
>
> Costa
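The debug output above is the evidence in this thread: the generated script appends rules such as "-A in_mylan -j ACCEPT" and "-A INPUT -j ACCEPT" with no match options at all, so every packet is accepted before the LOG/REJECT rules that follow are ever reached. The checker below is an added example written for this post, not FireHOL code and not something either participant posted. It assumes the generated script uses one iptables invocation per line in the form shown in the debug output, and it flags two things a reviewer would want to know before loading such a script: ACCEPT rules that carry no match (the "open firewall" condition), and rules appended to a chain after an unconditional terminating rule (dead rules). The sample input is constructed from lines in the debug output plus one made-up selective rule (chain name "in_lan_ssh_s1" is an assumption) to show what a non-open rule looks like.

```python
import shlex

# Options that make an iptables rule selective.  A rule whose segment between
# the chain name and "-j" contains none of these applies to every packet.
MATCH_OPTS = {
    "-p", "--protocol", "-s", "--source", "-d", "--destination",
    "-i", "--in-interface", "-o", "--out-interface", "-m", "--match",
    "--dport", "--sport", "--state", "-f", "--fragment",
}
# Targets that end rule traversal for the matching packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample: lines 1-9 are taken from the debug output in the thread,
# line 10 is a made-up selective rule for contrast (hypothetical chain name).
SAMPLE = """\
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state INVALID -j DROP
/sbin/iptables -t filter -N in_mylan
/sbin/iptables -t filter -A INPUT -j in_mylan
/sbin/iptables -t filter -A in_mylan_ssh_s1 -j ACCEPT
/sbin/iptables -t filter -A in_mylan -j ACCEPT
/sbin/iptables -t filter -A in_mylan -m limit --limit 1/second --limit-burst 5 -j LOG
/sbin/iptables -t filter -A in_mylan -j REJECT
/sbin/iptables -t filter -A INPUT -j ACCEPT
/sbin/iptables -t filter -A in_lan_ssh_s1 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
"""


def parse_rule(line):
    """Return (chain, match_tokens, target) for an 'iptables -A' line, else None."""
    try:
        toks = shlex.split(line.strip())
    except ValueError:
        return None
    if not toks or not toks[0].endswith("iptables"):
        return None
    toks = toks[1:]
    if toks[:1] == ["-t"]:          # drop an optional "-t <table>" prefix
        toks = toks[2:]
    if toks[:1] != ["-A"] or len(toks) < 2:
        return None                 # -N, -P, -F etc. are not rules
    chain, rest = toks[1], toks[2:]
    for jump in ("-j", "--jump"):
        if jump in rest:
            j = rest.index(jump)
            target = rest[j + 1] if j + 1 < len(rest) else None
            return chain, rest[:j], target
    return None


def has_match(match_tokens):
    return any(tok in MATCH_OPTS for tok in match_tokens)


def unconditional_accepts(script_lines):
    """(line_no, chain, text) for every ACCEPT rule that applies to all packets."""
    findings = []
    for n, line in enumerate(script_lines, 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, matches, target = parsed
        if target == "ACCEPT" and not has_match(matches):
            findings.append((n, chain, line.strip()))
    return findings


def dead_rules(script_lines):
    """(line_no, chain, closing_line) for rules appended after an unconditional
    terminating rule in the same chain; they can never be reached."""
    closed = {}     # chain -> line number of the rule that made it unconditional
    dead = []
    for n, line in enumerate(script_lines, 1):
        parsed = parse_rule(line)
        if parsed is None:
            continue
        chain, matches, target = parsed
        if chain in closed:
            dead.append((n, chain, closed[chain]))
            continue
        if target in TERMINATING and not has_match(matches):
            closed[chain] = n
    return dead


if __name__ == "__main__":
    lines = SAMPLE.splitlines()
    for n, chain, text in unconditional_accepts(lines):
        print(f"OPEN  line {n}: chain {chain} accepts everything: {text}")
    for n, chain, closer in dead_rules(lines):
        print(f"DEAD  line {n}: chain {chain} already terminated at line {closer}")
```

Run against the full debug output, the checker reports every "-j ACCEPT" rule in the interface, service and built-in chains as unconditional, and the LOG and REJECT lines that follow them as dead. A script that is working as intended should produce no OPEN findings at all: the accepts are expected to carry protocol, port, interface or state matches, and a clean result is a cheap gate to run before "firehol start" replaces the old firewall.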