Package: ipkungfu
Severity: grave
Tags: security
Justification: user security hole

I rarely file grave severity but I think this is warranted because even unstable users must know what a firewall is doing. Feel free to wishlist it or whatever you want if contrary to appearances it's not actually a potential security hole. I do not want to reinstall. See below. Errors in purging lower confidence.

How does a user know for sure, without reading the scripts in detail, whether ipkungfu didn't change scripts in such a way that the next reboot will change the firewall? Could there be any files left lying around in /etc? The description field does not say that iptables affects the system simply by installing it. See also bug 311868. The user cannot assume that it installs a firewall or exactly how or where it does it or whether or how it is reversible. Remember that different users install firewalls in different ways, and there are different places for various scripts (upon boot, upon ipup, etc.).

ipkungfu also does not tell the user what it is doing when it is installed or purged. Then it produces an error. I would examine the scripts if I could, but cannot now. Does it leave a firewall in a different state? If so how does it know that it is more secure than whatever the user is already running? Does it know what servers are running? I was installing ipkungfu just to look at its documentation.

Please change the description field, fix the init.d bugs, and have the init.d script be more verbose. Please also document, perhaps in the changelog, for users who experienced this problem exactly what was done and whether anything needs to be done to clean up.

To somebody who knows what ipkungfu is doing, this might seem like an overreaction. But please look at it from the perspective of somebody who does not. You and I know to search for the install and purge scripts, but many people do not. Remember, the doc says: ... can be also used by people that have only limited knowledge of proper security and IP filtering practices.

Thanks.

Starting ipkungfu: Checking configuration...
Loading IRC connection tracking module... #will loading modules change kernel operation or is it only a set of calls?
Loading IRC NAT module...
ULOG kernel support detected! #huh?
/usr/sbin/ipkungfu: line 928: /proc/sys/net/ipv4/tcp_syncookies: No such file or directory
Clearing old chains and tables... #some users won't know that this means actual change rather than something internal
Implementing custom rules...
ipkungfu.
....
0 03-Fri-16-34-24 ~# dpkg-reconfigure ipkungfu
Stopping ipkungfu: invoke-rc.d: initscript ipkungfu, action "stop" failed. #hmm
Starting ipkungfu: Checking configuration...
ULOG kernel support detected! #what is that?
/usr/sbin/ipkungfu: line 928: /proc/sys/net/ipv4/tcp_syncookies: No such file or directory
Clearing old chains and tables...
Implementing custom rules...
ipkungfu.
0 03-Fri-16-34-35 ~# /etc/init.d/ip
ipkungfu*  iptables*
0 03-Fri-16-34-35 ~# /etc/init.d/ipkungfu stop
Stopping ipkungfu:
1 03-Fri-16-35-17 ~#
1 03-Fri-16-35-19 ~# /etc/init.d/ipkungfu stop
Stopping ipkungfu:
1 03-Fri-16-35-20 ~#
1 03-Fri-16-35-21 ~# aptitude purge ipkungfu
Reading Package Lists... Done
Building Dependency Tree
Reading extended state information
Initializing package states... Done
The following packages have been kept back:
  xserver-xfree86
The following packages will be REMOVED:
  ipkungfu
0 packages upgraded, 0 newly installed, 1 to remove and 1 not upgraded.
Need to get 0B of archives. After unpacking 205kB will be freed.
Do you want to continue? [Y/n/?]
Writing extended state information... Done
(Reading database ... 144114 files and directories currently installed.)
Removing ipkungfu ...
Stopping ipkungfu: invoke-rc.d: initscript ipkungfu, action "stop" failed. #well ok then :-(
Purging configuration files for ipkungfu ...
Reading Package Lists... Done
Building Dependency Tree
Reading extended state information
Initializing package states... Done

-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11--from-2.6.9-proc-config-and-menuconfig
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages ipkungfu depends on:
ii  iproute   20041019-3  Professional tools to control the
ii  iptables  1.2.11-10   Linux kernel 2.4+ iptables adminis