Your message dated Sun, 17 Jul 2016 04:37:56 +0000 with message-id <[email protected]> and subject line Bug#726343: fixed in shorewall 5.0.10.1-1 has caused the Debian Bug report #726343, regarding shorewall: 'service shorewall stop' actually does '/sbin/shorewall clear', NOT '/sbin/shorewall stop' to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.)

-- 
726343: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726343
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: shorewall
Version: 4.5.5.3-3
Severity: normal

I can understand that Debian wants 'service foo stop' to do what Debian users expect a Debian service to do when told to "stop", not necessarily the same thing that upstream planned. I found the SAFESTOP variable in /etc/default/shorewall, which can be used to change this behavior, and that's a great solution, but ...

I think this Debianized feature is a bit of a trap. After digging, I found that all I needed to know was in fact documented, but it would have been very nice if when I issued 'service shorewall stop' the output would note that shorewall's "clear" command (not "stop") is really being used.

Current init script output line:
echo -n "Stopping \"Shorewall firewall\": "

Proposed line:
echo -n "Clearing all \"Shorewall firewall\" rules: "

I'd ideally like to see a reference to some documentation, or some in-line documentation, right there in the message, but I understand that lines like that should be kept to a reasonable length.

I consider this a security issue (although not a vulnerability per se), as the default settings make it easy for a novice (or experienced-but-momentarily-careless) user to remove all firewall rules, allowing open access, when he intended to enter shorewall's relatively locked down "stopped" state.

Shorewall has its own idea of what it means to "stop", so if we're going to do something different when a user, in principle, yells out, "Hey shorewall, stop!", I think we should at least make it as clear as possible what we really did.

I'll also note the name of the variable SAFESTOP. The name implies, "Set this option if you want 'stop' to be 'safe'." The impression I get is that the "stop" action is, by default, UNsafe. (That may be a bit of a stretch, but I thought I'd throw it out there.)

-- System Information:
Debian Release: 7.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages shorewall depends on:
ii  bc                     1.06.95-2
ii  debconf [debconf-2.0]  1.5.49
ii  iproute                20120521-3+b3
ii  iptables               1.4.14-3.1
ii  perl-modules           5.14.2-21
ii  shorewall-core         4.5.5.3-3

shorewall recommends no packages.

Versions of packages shorewall suggests:
ii  linux-image-3.2.0-4-686-pae [linux-image]  3.2.46-1+deb7u1
pn  make                                       <none>
pn  shorewall-doc                              <none>

-- Configuration Files:
/etc/default/shorewall changed:
startup=1
OPTIONS=""
STARTOPTIONS=""
RESTARTOPTIONS=""
INITLOG=/dev/null
SAFESTOP=1

/etc/shorewall/params [Errno 13] Permission denied: u'/etc/shorewall/params'

/etc/shorewall/shorewall.conf changed:
STARTUP_ENABLED=Yes
VERBOSITY=1
BLACKLIST_LOGLEVEL=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGLIMIT=
MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
TC=
ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=No
AUTO_COMMENT=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
CLAMPMSS=No
CLEAR_TC=Yes
COMPLETE=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=Yes
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=Keep
KEEP_RT_TABLES=No
LEGACY_FASTSTART=Yes
LOAD_HELPERS_ONLY=No
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=0
OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=Yes
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=No
USE_DEFAULT_RT=No
USE_PHYSICAL_NAMES=No
ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
TC_BITS=
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=
ZONE_BITS=0
IPSECFILE=zones

-- debconf information:
  shorewall/dont_restart:
  shorewall/major_release:
  shorewall/invalid_config:

-- 
Aaron Bugher
IT Support Specialist
Geophysical Fluid Dynamics Institute
--- End Message ---
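
Added example, not part of the bug report or of the Debian shorewall package: a POSIX sh check that reads a defaults file in the format of /etc/default/shorewall and reports which command 'service shorewall stop' would run, using the two progress lines quoted in the report. It assumes SAFESTOP=1 selects 'shorewall stop' and any other or missing value selects 'shorewall clear'; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the Debian init script): report which Shorewall command
# "service shorewall stop" maps to, from the SAFESTOP value in a defaults file.
# Assumption: SAFESTOP=1 selects "shorewall stop"; any other value, or no
# value at all, selects "shorewall clear".

# stop_action FILE: print "stop" or "clear". The file is parsed, not sourced,
# so auditing it never executes its contents. The last assignment wins.
stop_action() {
    value=""
    if [ -r "$1" ]; then
        value=$(sed -n 's/^[[:space:]]*SAFESTOP=//p' "$1" | tail -n 1 |
                sed 's/[[:space:]]*#.*$//' | tr -d "\"' \t")
    fi
    if [ "$value" = 1 ]; then echo stop; else echo clear; fi
}

# stop_banner FILE: the progress line that names the action really taken.
stop_banner() {
    case $(stop_action "$1") in
        stop)  printf 'Stopping "Shorewall firewall": ' ;;
        clear) printf 'Clearing all "Shorewall firewall" rules: ' ;;
    esac
}

# audit_stop FILE: return 1 when "stop" would remove every firewall rule.
audit_stop() {
    if [ "$(stop_action "$1")" = clear ]; then
        echo "WARNING: $1: 'service shorewall stop' runs 'shorewall clear'" >&2
        return 1
    fi
    echo "OK: $1: 'service shorewall stop' runs 'shorewall stop'"
}

# Constructed sample inputs standing in for /etc/default/shorewall.
demo_dir=$(mktemp -d)
printf 'startup=1\nOPTIONS=""\nSAFESTOP=1\n' > "$demo_dir/safe"
printf 'startup=1\n# SAFESTOP=1\nSAFESTOP=0  # default\n' > "$demo_dir/unsafe"
for f in "$demo_dir/safe" "$demo_dir/unsafe"; do
    stop_banner "$f"; echo "[$(stop_action "$f")]"
    audit_stop "$f" || true
done
rm -rf "$demo_dir"
```

On a real host the argument would be /etc/default/shorewall; a non-zero exit from audit_stop flags machines where the "stop" action leaves no rules loaded.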
--- Begin Message ---
Source: shorewall
Source-Version: 5.0.10.1-1

We believe that the bug you reported is fixed in the latest version of shorewall, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roberto C. Sanchez <[email protected]> (supplier of updated shorewall package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Sat, 16 Jul 2016 23:40:05 -0400
Source: shorewall
Binary: shorewall
Architecture: source all
Version: 5.0.10.1-1
Distribution: unstable
Urgency: medium
Maintainer: Roberto C. Sanchez <[email protected]>
Changed-By: Roberto C. Sanchez <[email protected]>
Description:
 shorewall - Shoreline Firewall, netfilter configurator
Closes: 726343 830110 830881
Changes:
 shorewall (5.0.10.1-1) unstable; urgency=medium
 .
   * New Upstream Version (Closes: #830110, #726343)
   * Use a more reliable check for systemd (Closes: #830881)
--- End Message ---

