Package: shorewall
Version: 4.5.5.3-3
Severity: normal

I can understand that Debian wants 'service foo stop' to do what Debian users expect a Debian service to do when told to "stop", not necessarily the same thing that upstream planned. I found the SAFESTOP variable in /etc/default/shorewall, which can be used to change this behavior, and that's a great solution, but ...
I think this Debianized feature is a bit of a trap. After digging, I found that all I needed to know was in fact documented, but it would have been very nice if, when I issued 'service shorewall stop', the output would note that shorewall's "clear" command (not "stop") is really being used.

Current init script output line:

    echo -n "Stopping \"Shorewall firewall\": "

Proposed line:

    echo -n "Clearing all \"Shorewall firewall\" rules: "

I'd ideally like to see a reference to some documentation, or some in-line documentation, right there in the message, but I understand that lines like that should be kept to a reasonable length.

I consider this a security issue (although not a vulnerability per se), as the default settings make it easy for a novice (or experienced-but-momentarily-careless) user to remove all firewall rules, allowing open access, when he intended to enter shorewall's relatively locked down "stopped" state.

Shorewall has its own idea of what it means to "stop", so if we're going to do something different when a user, in principle, yells out, "Hey shorewall, stop!", I think we should at least make it as clear as possible what we really did.

I'll also note the name of the variable SAFESTOP. The name implies, "Set this option if you want 'stop' to be 'safe'." The impression I get is that the "stop" action is, by default, UNsafe. (That may be a bit of a stretch, but I thought I'd throw it out there.)

-- System Information:
Debian Release: 7.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages shorewall depends on:
ii  bc                     1.06.95-2
ii  debconf [debconf-2.0]  1.5.49
ii  iproute                20120521-3+b3
ii  iptables               1.4.14-3.1
ii  perl-modules           5.14.2-21
ii  shorewall-core         4.5.5.3-3

shorewall recommends no packages.
Versions of packages shorewall suggests:
ii  linux-image-3.2.0-4-686-pae [linux-image]  3.2.46-1+deb7u1
pn  make                                       <none>
pn  shorewall-doc                              <none>

-- Configuration Files:
/etc/default/shorewall changed:
startup=1
OPTIONS=""
STARTOPTIONS=""
RESTARTOPTIONS=""
INITLOG=/dev/null
SAFESTOP=1

/etc/shorewall/params [Errno 13] Permission denied: u'/etc/shorewall/params'

/etc/shorewall/shorewall.conf changed:
STARTUP_ENABLED=Yes
VERBOSITY=1
BLACKLIST_LOGLEVEL=
LOG_MARTIANS=Yes
LOG_VERBOSITY=2
LOGALLNEW=
LOGFILE=/var/log/messages
LOGFORMAT="Shorewall:%s:%s:"
LOGTAGONLY=No
LOGLIMIT=
MACLIST_LOG_LEVEL=info
RELATED_LOG_LEVEL=
SFILTER_LOG_LEVEL=info
SMURF_LOG_LEVEL=info
STARTUP_LOG=/var/log/shorewall-init.log
TCP_FLAGS_LOG_LEVEL=info
CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"
GEOIPDIR=/usr/share/xt_geoip/LE
IPTABLES=
IP=
IPSET=
LOCKFILE=
MODULESDIR=
PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"
PERL=/usr/bin/perl
RESTOREFILE=restore
SHOREWALL_SHELL=/bin/sh
SUBSYSLOCK=""
TC=
ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject
RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'
ACCOUNTING=Yes
ACCOUNTING_TABLE=filter
ADD_IP_ALIASES=No
ADD_SNAT_ALIASES=No
ADMINISABSENTMINDED=No
AUTO_COMMENT=Yes
AUTOMAKE=No
BLACKLISTNEWONLY=Yes
CLAMPMSS=No
CLEAR_TC=Yes
COMPLETE=No
DELETE_THEN_ADD=Yes
DETECT_DNAT_IPADDRS=No
DISABLE_IPV6=Yes
DONT_LOAD=
DYNAMIC_BLACKLIST=Yes
EXPAND_POLICIES=Yes
EXPORTMODULES=Yes
FASTACCEPT=No
FORWARD_CLEAR_MARK=
IMPLICIT_CONTINUE=No
IPSET_WARNINGS=Yes
IP_FORWARDING=Keep
KEEP_RT_TABLES=No
LEGACY_FASTSTART=Yes
LOAD_HELPERS_ONLY=No
MACLIST_TABLE=filter
MACLIST_TTL=
MANGLE_ENABLED=Yes
MAPOLDACTIONS=No
MARK_IN_FORWARD_CHAIN=No
MODULE_SUFFIX=ko
MULTICAST=No
MUTEX_TIMEOUT=60
NULL_ROUTE_RFC1918=No
OPTIMIZE=0
OPTIMIZE_ACCOUNTING=No
REQUIRE_INTERFACE=No
RESTORE_DEFAULT_ROUTE=Yes
RETAIN_ALIASES=No
ROUTE_FILTER=Yes
SAVE_IPSETS=No
TC_ENABLED=Internal
TC_EXPERT=No
TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"
TRACK_PROVIDERS=No
USE_DEFAULT_RT=No
USE_PHYSICAL_NAMES=No
ZONE2ZONE=2
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
RELATED_DISPOSITION=ACCEPT
SMURF_DISPOSITION=DROP
SFILTER_DISPOSITION=DROP
TCP_FLAGS_DISPOSITION=DROP
TC_BITS=
PROVIDER_BITS=
PROVIDER_OFFSET=
MASK_BITS=
ZONE_BITS=0
IPSECFILE=zones

-- debconf information:
  shorewall/dont_restart:
  shorewall/major_release:
  shorewall/invalid_config:

-- 
Aaron Bugher
IT Support Specialist
Geophysical Fluid Dynamics Institute
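The "stop" versus "clear" behaviour the report describes, as an added example that is not code from the bug report or from the Debian shorewall package's init script. It models the decision the report attributes to /etc/default/shorewall (SAFESTOP=1 selects shorewall's own "stop", otherwise "clear" removes every rule), prints the reporter's proposed wording extended with the SAFESTOP hint, and gives an administrator a preflight check to run before issuing 'service shorewall stop'. The function names and the two sample default files are this example's own constructions, and the exact branch logic is an assumption about how the init script reads the variable.

```shell
#!/bin/sh
# Added example, not the Debian shorewall init script. Models how a Debian-style
# "stop" action chooses between shorewall's "clear" (all rules removed, host open)
# and shorewall's "stop" (locked-down stopped state) based on SAFESTOP in
# /etc/default/shorewall. Function names are this example's own (assumption).

# Print the shorewall subcommand that "stop" would run, given the path of a
# /etc/default/shorewall-style file. A missing or unreadable file behaves like
# an unmodified default, i.e. SAFESTOP unset, which means "clear".
shorewall_stop_action() {
    SAFESTOP=                      # reset so an earlier call or the environment cannot leak in
    if [ -r "$1" ]; then
        # shellcheck disable=SC1090
        . "$1"                     # the file is shell syntax, like the real default file
    fi
    if [ "$SAFESTOP" = 1 ]; then
        echo stop
    else
        echo clear
    fi
}

# Status line the init script should print before acting, so the administrator
# sees which of the two very different operations is about to happen.
stop_message() {
    case "$1" in
        stop)  printf '%s' 'Stopping "Shorewall firewall" (SAFESTOP=1, entering stopped state): ' ;;
        clear) printf '%s' 'Clearing all "Shorewall firewall" rules (SAFESTOP not set): ' ;;
        *)     printf 'unknown stop action: %s\n' "$1" >&2; return 1 ;;
    esac
}

# Preflight check: returns 0 when "stop" keeps the firewall in a filtering state,
# 1 when it would drop every rule. Defaults to the real file path when no
# argument is given.
check_stop_is_safe() {
    action=$(shorewall_stop_action "${1:-/etc/default/shorewall}")
    stop_message "$action"
    echo
    [ "$action" = stop ]
}

# Stand-alone demonstration on two constructed (not real) default files.
demo() {
    unsafe=$(mktemp) || return 1
    safe=$(mktemp) || { rm -f "$unsafe"; return 1; }
    printf 'startup=1\nOPTIONS=""\n' > "$unsafe"              # stock file, SAFESTOP absent
    printf 'startup=1\nOPTIONS=""\nSAFESTOP=1\n' > "$safe"    # the reporter's setting
    check_stop_is_safe "$unsafe" || echo "  -> would leave the host fully open"
    check_stop_is_safe "$safe" && echo "  -> would enter shorewall's stopped state"
    rm -f "$unsafe" "$safe"
}

demo
```

Running the script prints both messages; dropping `check_stop_is_safe` into a pre-maintenance checklist turns the report's "trap" into an explicit, visible decision before any rules are touched.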