Your message dated Wed, 23 Apr 2014 17:00:08 +0000
with message-id <[email protected]>
and subject line Bug#672296: fixed in iptables-persistent 1.0
has caused the Debian Bug report #672296,
regarding iptables-persistent: dangerous start/stop runlevels
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
672296: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=672296
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: iptables-persistent
Version: 0.5.3+nmu1
Severity: important
Tags: security


Hi.

I think the current start/stop run levels are quite dangerous.

I should have marked that bug as serious/grave, especially as iptables can
easily be the crucial point for securing a system.
Consider rules that demand from packets to come via IPsec (thereby giving
security) that allow access/control to/of the system.


stop (now 0 1 6):
- I don't think iptables should be ever stopped, in the sense of
  clearing the rules set up by the user.
  Especially as it's totally undefined what "stopped" means. Is it allow all?
  Is it deny all but traffic on loopback?
- It's further not guaranteed that there is no networking in single user mode.
  So stopping it for run-level 1 may open holes.
- Does it make sense at all to stop it on 0/6? I don't think so, at least unless
  the chains are stored.
Suggestion: Go back to the previous (safe) default of
# Default-Stop:


start (now 2 3 4 5):
- Again "S" was safer default, though not perfect.
- Networking may already take place in runlevel S, which is now (even more)
  unsecured.
- Starting this in 2 3 4 5 means it can be started basically at any time
  during these runlevels.
  But other services may already depend on iptables rules in place.
  My own example is that of depending on rules to be in place, that
  allow only IPsec connections to/from certain destinations/sources.
  These connections are used by level 2/3/4/5 services, e.g. ejabberd.
  With the new runlevels 2/3/4/5 of iptables-persistent it's not guaranteed
  at all, that it runs before ejabberd comes in place.
  Even worse, given that people usually allow ESTABLISHED connections,
  such a pre-iptables-rules-loaded connection may stay forever unsecured.
- Typically other services don't depend on iptables-persistent.

One can now argue that other services should depend on iptables-persistent.
This is tempting, but a) it'll probably just never happen that this is adopted
b) it always leaves the gap that some new package misses this, especially
as there are so many "firewall" packages in Debian.

Suggestion: Go at least back to:
# Default-Start:     S

This alone is not enough in principle, as networking may already take place in
run level S.
The best solution would be, if iptables-persistent could reverse-depend
on the networking initscript.
But I guess this is not possible, as iptables rules cannot be loaded before
networking runs, right?
So we need another way to secure, that iptables-persistent comes directly
after networking.


Cheers,
Chris.



--- End Message ---
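An added example, not code from the bug report or from the iptables-persistent package: a POSIX sh check that parses the LSB `### BEGIN INIT INFO` header of an init script and flags the two runlevel defaults the report objects to (a non-empty `Default-Stop`, which flushes the rules on entering those runlevels, and a `Default-Start` without `S`, which lets networking come up before the rules are loaded). The two sample headers are constructed; only their `Default-Start`/`Default-Stop` values come from the report, the `Provides`/`Required-*` lines are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the bug report or the iptables-persistent package.
# Parse the LSB header of an init script and flag the runlevel defaults the
# report calls dangerous: rules flushed on "stop" (non-empty Default-Stop) and
# rules loaded only in 2 3 4 5 instead of S.

# Print the value of one LSB header field ($2) from script text ($1).
# Output is empty when the field is blank or absent.
lsb_field() {
    printf '%s\n' "$1" | sed -n "s/^# $2:[[:space:]]*//p" | head -n 1
}

# Return 0 when the header matches the safe defaults the report asks for
# (Default-Start includes S, Default-Stop empty); otherwise print each
# problem found and return 1.
check_runlevels() {
    start=$(lsb_field "$1" Default-Start)
    stop=$(lsb_field "$1" Default-Stop)
    rc=0
    case " $start " in
        *" S "*) ;;
        *) echo "unsafe: Default-Start '$start' lacks S, rules may load after networking is up"
           rc=1 ;;
    esac
    if [ -n "$stop" ]; then
        echo "unsafe: Default-Stop '$stop' flushes rules on entering those runlevels"
        rc=1
    fi
    return "$rc"
}

# Constructed sample headers. Only the Default-Start/Default-Stop values come
# from the report; the other fields are assumed placeholders.
OLD_HEADER='### BEGIN INIT INFO
# Provides:          iptables-persistent
# Required-Start:    $remote_fs
# Required-Stop:     $remote_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
### END INIT INFO'

NEW_HEADER='### BEGIN INIT INFO
# Provides:          iptables-persistent
# Required-Start:    $remote_fs
# Required-Stop:     $remote_fs
# Default-Start:     S
# Default-Stop:
### END INIT INFO'

echo "--- header as reported (0.5.3+nmu1) ---"
check_runlevels "$OLD_HEADER" || echo "result: unsafe"
echo "--- header the report suggests ---"
check_runlevels "$NEW_HEADER" && echo "result: safe"
```

The check only covers the header ordering; as the report notes, `Default-Start: S` alone does not guarantee the rules are in place before networking starts, so a real audit would also look at where the script sorts relative to the networking script.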
--- Begin Message ---
Source: iptables-persistent
Source-Version: 1.0

We believe that the bug you reported is fixed in the latest version of
iptables-persistent, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jonathan Wiltshire <[email protected]> (supplier of updated iptables-persistent package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 19 Apr 2014 20:05:36 +0100
Source: iptables-persistent
Binary: netfilter-persistent iptables-persistent
Architecture: source all
Version: 1.0
Distribution: unstable
Urgency: low
Maintainer: Jonathan Wiltshire <[email protected]>
Changed-By: Jonathan Wiltshire <[email protected]>
Description: 
 iptables-persistent - boot-time loader for netfilter rules, iptables plugin
 netfilter-persistent - boot-time loader for netfilter configuration
Closes: 665720 672296
Changes: 
 iptables-persistent (1.0) unstable; urgency=low
 .
   * [8be057] Rewrite main program entirely:
     - new plugin architecture and binary (Enables: #693177, #697088)
     - systemd support (Closes: #665720)
     - packaging split into netfilter-persistent and iptables-persistent
   * [72c333] Standards version 3.9.5
   * [2d1b82] Start in runlevel S (Closes: #672296)
Checksums-Sha1: 
 8660a9d9b265bc3ffd6d83445926c49a3631b645 1742 iptables-persistent_1.0.dsc
 563c0bfe5d17f5b40a05988606a7d49e19d3b944 13304 iptables-persistent_1.0.tar.xz
 fabdb8aab36a4c9b2d18e8e734825ef7dd695ae4 7756 netfilter-persistent_1.0_all.deb
 616e896a74fbf153fbde00b13f74a054a0242e8d 10614 iptables-persistent_1.0_all.deb
Checksums-Sha256: 
 05abc2ac014a9f9f6c91f308993843d560eb7d1cee16a5c16aedda7d163a46a0 1742 iptables-persistent_1.0.dsc
 33642ccad01dc209c273075b19e67beb57b3eec766b9ba4f89006ef6ba056a0c 13304 iptables-persistent_1.0.tar.xz
 7f0576f8eb3902eb5a7dc2426fc48a1b3c769377f97a8f190dd5279c87cc56e5 7756 netfilter-persistent_1.0_all.deb
 4b87224d7f4370223112eaba1b2194bc092f0262daf9f3a721bb4a6dbf088e86 10614 iptables-persistent_1.0_all.deb
Files: 
 301c7e42e0423f81d76a64160a79a1dd 1742 admin optional iptables-persistent_1.0.dsc
 096a09f6ded065e9bb43d6f8ecea9913 13304 admin optional iptables-persistent_1.0.tar.xz
 7ed23721e6738241bc3e348390578d84 7756 admin optional netfilter-persistent_1.0_all.deb
 d157f048493f3c1295fff747dae3ee69 10614 admin optional iptables-persistent_1.0_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQIcBAEBAgAGBQJTUsrNAAoJEFC7AtTIpr9h7UsP/02dtXjFnGCcHdLaYKumGpNV
QwaieS9JDaQm53lButjOwDh0hAYaBOebrw6xBJ+b1UUF6dt7mR0x+Yi499VIUevB
3GBniXBYprxfwb3GChaCWBQ1wTiJybSkwGDhJL5ELC1dai0r3MNeaXVQ/dQwRjyK
b0HxE/qmlPVJ7xyT0u6OdbRexlVV1ws2Ll/6xB5PSgqb1+otnGrUnafXwy02WGTb
uK8smMcSn+NqWLfAa/Hun+n1SSAkV+2QpDOuqVfbeS73znQNkMOwplwuyU9Fb4P3
ztzORCL2oE3fn4ZkiREWRU2dtNeTIS7RuuxNrWAtkfiEunY3mFxiTXuwcRdv82oE
agnvcBVGA2808QyBgW/pprFQ6Lde5ohtEogo0BTUMPSebu/N7rvPPR3THNi71nlo
6xBbwohcJ8w3/AeYhBhEQqhAaJFuztlZPhQKspIkBb9TQhWJa6OWBcpwwO/f4jfr
eKCMeUx0kvPNhYev81bUz0bG9Z2U4DW0CaXCDba1kIPH0BoCrN0hKIV9g1g74N8a
z18/8C+u1DO14nmnboYxnVEZr3WcD1dhw/ursgNYnHu7xjtIhZLdz5EAA5fnr+Es
4eggWf7tmm4El2VyMMcwQAXmFQYlozfuw74fsWTp76uUMnbVDGa3OroKnoTvwp7f
RQqf7tItCYlniR8KR2l0
=rWS6
-----END PGP SIGNATURE-----

--- End Message ---
