[Firehol-support] firehol creates open firewall!

Costa Tsaousis costa at tsaousis.gr
Sun Jun 12 17:47:26 BST 2005


It seems that your BASH is faulty.
This is yours:

# Command: server ssh accept

# Running simple rules for  server 'ssh'
/sbin/iptables -t filter -A in_mylan_ssh_s1 -j ACCEPT
/sbin/iptables -t filter -A out_mylan_ssh_s1 -j ACCEPT

This is mine:

# Command: server ssh accept

# Running simple rules for  server 'ssh'
/sbin/iptables -t filter -A in_mylan_ssh_s1 -p tcp --sport 1024:65535 --dport 22 -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_mylan_ssh_s1 -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

The faulty BASH of RHEL silently ignores all array variables. This means
you will not necessarily get an error. For sure you will get faulty
iptables commands generated...

Please install a working BASH...

Regards,

Costa


On Thu, June 9, 2005 15:46, paracas at vodafone.net said:
> Cheers Costa, nice to be answered from the Firehol Main Man himself!
>
> RHEL has an /etc/sysconfig/iptables which is used by default, so perhaps
> that is interfering with things. I'll see if I can work out how that might
> interfere.
>
> I ran a 'firehol explain' and it didn't seem to give any errors (if bash
> was faulty, would you expect to see some errors in there?)
>
> Here's the output of firehol debug, again I don't see any errors in there:
>
> # /etc/init.d/firehol debug
> FireHOL: Saving your old firewall to a temporary file:     [  OK  ]
> FireHOL: Processing file /etc/firehol/firehol.conf:        [  OK  ]
> #!/bin/sh
>
> load_kernel_module ip_tables
> load_kernel_module ip_conntrack
>
> # Find all tables supported
> tables=`/bin/cat /proc/net/ip_tables_names`
> for t in ${tables}
> do
>         # Reset/empty this table.
>         /sbin/iptables -t "${t}" -F
> >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
>         r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT
> /sbin/iptables -t "${t}" -F
>
>         /sbin/iptables -t "${t}" -X
> >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
>         r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT
> /sbin/iptables -t "${t}" -X
>
>         /sbin/iptables -t "${t}" -Z
> >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
>         r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT
> /sbin/iptables -t "${t}" -Z
>
>         # Find all default chains in this table.
>         chains=`/sbin/iptables -t "${t}" -nL | /bin/grep "^Chain " |
> /bin/cut -d ' ' -f 2`
>
>         # If this is the 'filter' table, remember the default chains.
>         # This will be used at the end to make it DROP all packets.
>         test "${t}" = "filter" && firehol_filter_chains="${chains}"
>
>         # Set the policy to ACCEPT on all default chains.
>         for c in ${chains}
>         do
>                 /sbin/iptables -t "${t}" -P "${c}" ACCEPT
>
>>/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
>                 r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT
> /sbin/iptables -t "${t}" -P "${c}"
>
> ACCEPT
>         done
> done
>
> /sbin/iptables -t filter -P INPUT "${FIREHOL_INPUT_ACTIVATION_POLICY}"
>
>>/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
> r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t
> filter -P INPUT
>
> "${FIREHOL_INPUT_ACTIVATION_POLICY}"
>
> /sbin/iptables -t filter -P OUTPUT "${FIREHOL_OUTPUT_ACTIVATION_POLICY}"
>
>>/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
> r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t
> filter -P OUTPUT
>
> "${FIREHOL_OUTPUT_ACTIVATION_POLICY}"
>
> /sbin/iptables -t filter -P FORWARD "${FIREHOL_FORWARD_ACTIVATION_POLICY}"
>
>>/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
> r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT /sbin/iptables -t
> filter -P FORWARD
>
> "${FIREHOL_FORWARD_ACTIVATION_POLICY}"
>
> # Accept everything in/out the loopback device.
> if [ "${FIREHOL_TRUST_LOOPBACK}" = "1" ]
> then
>         /sbin/iptables -A INPUT -i lo -j ACCEPT
>         /sbin/iptables -A OUTPUT -o lo -j ACCEPT
> fi
>
> # Drop all invalid packets.
> # Netfilter HOWTO suggests to DROP all INVALID packets.
> if [ "${FIREHOL_DROP_INVALID}" = "1" ]
> then
>         /sbin/iptables -A INPUT -m state --state INVALID -j DROP
>         /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
>         /sbin/iptables -A FORWARD -m state --state INVALID -j DROP
> fi
>
>
>
> # === CONFIGURATION STATEMENT
> ================================================# CONF:INIT>>>  version 5
>
>
>
> # === CONFIGURATION STATEMENT
> ================================================# CONF:  3>>>   interface
> eth1 mylan
>
>
> # INFO>>> Creating chain 'in_mylan' under 'INPUT' in table 'filter'
> /sbin/iptables -t filter -N in_mylan
> /sbin/iptables -t filter -A INPUT -j in_mylan
>
> # INFO>>> Creating chain 'out_mylan' under 'OUTPUT' in table 'filter'
> /sbin/iptables -t filter -N out_mylan
> /sbin/iptables -t filter -A OUTPUT -j out_mylan
>
>
> # === CONFIGURATION STATEMENT
> ================================================# CONF:  5>>>
> policy reject
>
>
> # INFO>>> Setting interface 'eth1' (mylan) policy to reject
>
>
> # === CONFIGURATION STATEMENT
> ================================================# CONF:  6>>>
> server ssh accept
>
>
> # INFO>>> Preparing for service 'ssh' of type 'server' under interface
> 'mylan'
>
> # INFO>>> Creating chain 'in_mylan_ssh_s1' under 'in_mylan' in table
> 'filter'
> /sbin/iptables -t filter -N in_mylan_ssh_s1
> /sbin/iptables -t filter -A in_mylan -j in_mylan_ssh_s1
>
> # INFO>>> Creating chain 'out_mylan_ssh_s1' under 'out_mylan' in table
> 'filter'
> /sbin/iptables -t filter -N out_mylan_ssh_s1
> /sbin/iptables -t filter -A out_mylan -j out_mylan_ssh_s1
>
> # INFO>>> Running simple rules for  server 'ssh'
> /sbin/iptables -t filter -A in_mylan_ssh_s1 -j ACCEPT
> /sbin/iptables -t filter -A out_mylan_ssh_s1 -j ACCEPT
>
>
> # === CONFIGURATION STATEMENT
> ================================================# CONF:  7>>>
> client ssh accept
>
>
> # INFO>>> Preparing for service 'ssh' of type 'client' under interface
> 'mylan'
>
> # INFO>>> Creating chain 'in_mylan_ssh_c2' under 'in_mylan' in table
> 'filter'
> /sbin/iptables -t filter -N in_mylan_ssh_c2
> /sbin/iptables -t filter -A in_mylan -j in_mylan_ssh_c2
>
> # INFO>>> Creating chain 'out_mylan_ssh_c2' under 'out_mylan' in table
> 'filter'
> /sbin/iptables -t filter -N out_mylan_ssh_c2
> /sbin/iptables -t filter -A out_mylan -j out_mylan_ssh_c2
>
> # INFO>>> Running simple rules for  client 'ssh'
> /sbin/iptables -t filter -A out_mylan_ssh_c2 -j ACCEPT
> /sbin/iptables -t filter -A in_mylan_ssh_c2 -j ACCEPT
>
>
> # === CONFIGURATION STATEMENT
> ================================================# CONF:  9>>>   interface
> eth0 internet
>
>
> # INFO>>> Finilizing interface 'mylan'
> /sbin/iptables -t filter -A in_mylan -j ACCEPT
> /sbin/iptables -t filter -A out_mylan -j ACCEPT
> /sbin/iptables -t filter -A in_mylan -m limit --limit 1/second
> --limit-burst 5 -j LOG
> /sbin/iptables -t filter -A in_mylan -j REJECT
> /sbin/iptables -t filter -A out_mylan -m limit --limit 1/second
> --limit-burst 5 -j LOG
> /sbin/iptables -t filter -A out_mylan -j REJECT
>
> # INFO>>> Creating chain 'in_internet' under 'INPUT' in table 'filter'
> /sbin/iptables -t filter -N in_internet
> /sbin/iptables -t filter -A INPUT -j in_internet
>
> # INFO>>> Creating chain 'out_internet' under 'OUTPUT' in table 'filter'
> /sbin/iptables -t filter -N out_internet
> /sbin/iptables -t filter -A OUTPUT -j out_internet
>
>
> # === CONFIGURATION STATEMENT
> ================================================# CONF: 10>>>
> policy reject
>
>
> # INFO>>> Setting interface 'eth0' (internet) policy to reject
>
>
> # === CONFIGURATION STATEMENT
> ================================================# CONF: 11>>>
> server ssh accept
>
>
> # INFO>>> Preparing for service 'ssh' of type 'server' under interface
> 'internet'
>
> # INFO>>> Creating chain 'in_internet_ssh_s1' under 'in_internet' in table
> 'filter'
> /sbin/iptables -t filter -N in_internet_ssh_s1
> /sbin/iptables -t filter -A in_internet -j in_internet_ssh_s1
>
> # INFO>>> Creating chain 'out_internet_ssh_s1' under 'out_internet' in
> table 'filter'
> /sbin/iptables -t filter -N out_internet_ssh_s1
> /sbin/iptables -t filter -A out_internet -j out_internet_ssh_s1
>
> # INFO>>> Running simple rules for  server 'ssh'
> /sbin/iptables -t filter -A in_internet_ssh_s1 -j ACCEPT
> /sbin/iptables -t filter -A out_internet_ssh_s1 -j ACCEPT
>
>
> # === CONFIGURATION STATEMENT
> ================================================# CONF: 12>>>
> client ssh accept
>
>
> # INFO>>> Preparing for service 'ssh' of type 'client' under interface
> 'internet'
>
> # INFO>>> Creating chain 'in_internet_ssh_c2' under 'in_internet' in table
> 'filter'
> /sbin/iptables -t filter -N in_internet_ssh_c2
> /sbin/iptables -t filter -A in_internet -j in_internet_ssh_c2
>
> # INFO>>> Creating chain 'out_internet_ssh_c2' under 'out_internet' in
> table 'filter'
> /sbin/iptables -t filter -N out_internet_ssh_c2
> /sbin/iptables -t filter -A out_internet -j out_internet_ssh_c2
>
> # INFO>>> Running simple rules for  client 'ssh'
> /sbin/iptables -t filter -A out_internet_ssh_c2 -j ACCEPT
> /sbin/iptables -t filter -A in_internet_ssh_c2 -j ACCEPT
>
> # INFO>>> Finilizing interface 'internet'
> /sbin/iptables -t filter -A in_internet -j ACCEPT
> /sbin/iptables -t filter -A out_internet -j ACCEPT
> /sbin/iptables -t filter -A in_internet -m limit --limit 1/second
> --limit-burst 5 -j LOG
> /sbin/iptables -t filter -A in_internet -j REJECT
> /sbin/iptables -t filter -A out_internet -m limit --limit 1/second
> --limit-burst 5 -j LOG
> /sbin/iptables -t filter -A out_internet -j REJECT
>
> # INFO>>> Finilizing firewall policies
> /sbin/iptables -t filter -A INPUT -j ACCEPT
> /sbin/iptables -t filter -A OUTPUT -j ACCEPT
> /sbin/iptables -t filter -A FORWARD -j ACCEPT
> /sbin/iptables -t filter -A INPUT -m limit --limit 1/second --limit-burst
> 5 -j LOG
> /sbin/iptables -t filter -A INPUT -j DROP
> /sbin/iptables -t filter -A OUTPUT -m limit --limit 1/second --limit-burst
> 5 -j LOG
> /sbin/iptables -t filter -A OUTPUT -j DROP
> /sbin/iptables -t filter -A FORWARD -m limit --limit 1/second
> --limit-burst 5 -j LOG
> /sbin/iptables -t filter -A FORWARD -j DROP
>
> # Make it drop everything on table 'filter'.
> for c in ${firehol_filter_chains}
> do
>         /sbin/iptables -t filter -P "${c}" DROP
> >/tmp/.firehol-tmp-5948-810-17087/firehol-out.sh.log 2>&1
>         r=$?; test ! ${r} -eq 0 && runtime_error error ${r} INIT
> /sbin/iptables -t filter -P "${c}" DROP
> done
>
>
> FireHOL: Restoring old firewall:                           [  OK  ]
> #
>
> thanks
> Robin
>
>
>
>>
>> Try the 'debug' or 'explain' option of FireHOL to verify you don't have
>> a faulty BASH.
>>
>> Unfortunately, I don't use RHEL myself, so I suggest filing a bug report
>> at RedHat for more help.
>>
>> Regards,
>>
>> Costa
>
>
>
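
The difference between the two outputs in this message can be checked mechanically. The following is an added example, not part of the original message and not FireHOL code: it scans `firehol debug` output for service-chain rules that ACCEPT with no match criteria, which is the symptom visible in the faulty output. The chain-name pattern and the sample lines are taken from the output quoted in this thread; the function names are hypothetical.

```shell
#!/bin/sh
# Flag rules appended to a FireHOL service chain that ACCEPT everything,
# i.e. rules with no protocol, port, address, interface or module match.

# Reads "firehol debug" output on stdin, one rule per line (assumption).
# Prints "<chain>: <rule>" for every unconditional ACCEPT in a service chain.
find_open_accepts() {
    awk '
    /iptables/ && / -A / && / -j ACCEPT[ \t]*$/ {
        chain = ""; narrowed = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "-A") chain = $(i + 1)
            # Any of these options restricts what the rule matches.
            if ($i ~ /^(-p|-s|-d|-i|-o|-m|--sport|--dport)$/) narrowed = 1
        }
        # Service chains in this thread are named like in_mylan_ssh_s1.
        if (chain ~ /^(in|out)_.+_[sc][0-9]+$/ && !narrowed)
            print chain ": " $0
    }'
}

# Constructed sample: the faulty output from this thread (lines unwrapped).
sample_broken() {
    cat <<'EOF'
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -t filter -N in_mylan_ssh_s1
/sbin/iptables -t filter -A in_mylan -j in_mylan_ssh_s1
/sbin/iptables -t filter -A in_mylan_ssh_s1 -j ACCEPT
/sbin/iptables -t filter -A out_mylan_ssh_s1 -j ACCEPT
EOF
}

# Constructed sample: the working output from this thread (lines unwrapped).
sample_working() {
    cat <<'EOF'
/sbin/iptables -t filter -A in_mylan_ssh_s1 -p tcp --sport 1024:65535 --dport 22 -m state --state NEW\,ESTABLISHED -j ACCEPT
/sbin/iptables -t filter -A out_mylan_ssh_s1 -p tcp --sport 22 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
EOF
}

echo "faulty output:";  sample_broken  | find_open_accepts
echo "working output:"; sample_working | find_open_accepts
```

On a real system the input would be the saved output of `/etc/init.d/firehol debug`; any line printed means the generated firewall should not be activated.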




