Package: shorewall
Version: 4.5.5.3-3
Severity: normal

I can understand that Debian wants 'service foo stop' to do what Debian
users expect a Debian service to do when told to "stop", not necessarily
the same thing that upstream planned.  I found the SAFESTOP variable in
/etc/default/shorewall, which can be used to change this behavior, and
that's a great solution, but ...

I think this Debianized feature is a bit of a trap.  After digging, I
found that all I needed to know was in fact documented, but it would
have been very nice if when I issued 'service shorewall stop' the output
would note that shorewall's "clear" command (not "stop") is really being
used.

Current init script output line:

  echo -n "Stopping \"Shorewall firewall\": "

Proposed line:

  echo -n "Clearing all \"Shorewall firewall\" rules: "

I'd ideally like to see a reference to some documentation, or some
in-line documentation, right there in the message, but I understand that
lines like that should be kept to a reasonable length.

I consider this a security issue (although not a vulnerability per se),
as the default settings make it easy for a novice (or
experienced-but-momentarily-careless) user to remove all firewall rules,
allowing open access, when he intended to enter shorewall's relatively
locked down "stopped" state.

Shorewall has its own idea of what it means to "stop", so if we're going
to do something different when a user, in principle, yells out, "Hey
shorewall, stop!", I think we should at least make it as clear as
possible what we really did.

I'll also note the name of the variable SAFESTOP.  The name implies,
"Set this option if you want 'stop' to be 'safe'."  The impression I get
is that the "stop" action is, by default, UNsafe.  (That may be a bit of
a stretch, but I thought I'd throw it out there.)

-- System Information:
Debian Release: 7.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages shorewall depends on:
ii  bc                     1.06.95-2
ii  debconf [debconf-2.0]  1.5.49
ii  iproute                20120521-3+b3
ii  iptables               1.4.14-3.1
ii  perl-modules           5.14.2-21
ii  shorewall-core         4.5.5.3-3

shorewall recommends no packages.

Versions of packages shorewall suggests:
ii  linux-image-3.2.0-4-686-pae [linux-image]  3.2.46-1+deb7u1
pn  make                                       <none>
pn  shorewall-doc                              <none>

-- Configuration Files:
/etc/default/shorewall changed:
startup=1
OPTIONS=""
STARTOPTIONS=""
RESTARTOPTIONS=""
INITLOG=/dev/null
SAFESTOP=1

/etc/shorewall/params [Errno 13] Permission denied: u'/etc/shorewall/params'
/etc/shorewall/shorewall.conf changed:
STARTUP_ENABLED=Yes
VERBOSITY=1
BLACKLIST_LOGLEVEL=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGLIMIT=
MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
TC=
ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=No
AUTO_COMMENT=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
CLAMPMSS=No
CLEAR_TC=Yes
COMPLETE=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=Yes
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=Keep
KEEP_RT_TABLES=No
LEGACY_FASTSTART=Yes
LOAD_HELPERS_ONLY=No
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=0
OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=Yes
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=No
USE_DEFAULT_RT=No
USE_PHYSICAL_NAMES=No
ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
TC_BITS=
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=
ZONE_BITS=0
IPSECFILE=zones


-- debconf information:
  shorewall/dont_restart:
  shorewall/major_release:
  shorewall/invalid_config:

-- 
Aaron Bugher
IT Support Specialist
Geophysical Fluid Dynamics Institute
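Added example, not part of the report above and not the Debian init script or Shorewall's own code: a small POSIX sh sketch of the behaviour the report describes (init "stop" runs `shorewall clear` unless SAFESTOP=1, in which case it runs `shorewall stop`; that mapping is assumed from the report, not copied from the package), using the report's proposed message wording, plus the check a practitioner would want afterwards, namely a classifier over `iptables -S` output that tells a wide-open (cleared) filter table from one that still filters. The two sample rule sets are constructed for illustration, not captured from a real host.

```sh
#!/bin/sh
# Added example (hypothetical helpers, not the Debian init script).

# Map the SAFESTOP value from /etc/default/shorewall to the shorewall
# command the init "stop" target actually runs. Assumed from the report:
# SAFESTOP=1 -> "shorewall stop", anything else -> "shorewall clear".
stop_action() {
    case "${1:-0}" in
        1) echo stop ;;
        *) echo clear ;;
    esac
}

# Init-script message that names the command really being run; the
# "clear" wording is the report's proposed line.
stop_message() {
    case "$(stop_action "$1")" in
        stop)  echo 'Stopping "Shorewall firewall" (shorewall stop): ' ;;
        clear) echo 'Clearing all "Shorewall firewall" rules: ' ;;
    esac
}

# Classify `iptables -S` output read from stdin.
# Prints "open" when every built-in filter-chain policy is ACCEPT and no
# rules are loaded (what `shorewall clear` leaves behind), "filtered" otherwise.
classify_filter() {
    awk '
        /^-P (INPUT|FORWARD|OUTPUT) / { if ($3 != "ACCEPT") drop = 1; next }
        /^-A /                        { rules = 1 }
        END { s = (drop || rules) ? "filtered" : "open"; print s }
    '
}

# Constructed sample outputs (illustrative, not captured from a host).
# A cleared table: default policies ACCEPT, no rules at all.
CLEARED='-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT'
# A locked-down table of the kind a "stopped" firewall leaves: DROP
# policies with a few explicit allows.
STOPPED='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.10/32 -j ACCEPT'

# Convenience wrapper so a captured string can be classified directly.
check_state() {
    printf '%s\n' "$1" | classify_filter
}

# Demonstration over the constructed samples.
# On a live host after `service shorewall stop`, run: iptables -S | classify_filter
printf 'SAFESTOP unset -> shorewall %s -> filter table is %s\n' \
    "$(stop_action "")" "$(check_state "$CLEARED")"
printf 'SAFESTOP=1     -> shorewall %s -> filter table is %s\n' \
    "$(stop_action 1)" "$(check_state "$STOPPED")"
```

The classifier only looks at the filter table's built-in policies and whether any `-A` rule exists, which is exactly the difference the report is worried about: after a `clear`, `iptables -S` shows nothing but `-P ... ACCEPT` lines, so there is no filtering at all until `shorewall start` is run again.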