Package: ipkungfu
Severity: grave
Tags: security
Justification: user security hole


i rarely file grave severity but i think this is warranted because
even unstable users must know what a firewall is doing.  feel free to
wishlist it or whatever you want if contrary to appearances it's not
actually a potential security hole.  i do not want to reinstall.  see
below.

errors in purging lower confidence.  how does a user know for sure,
without reading the scripts in detail, whether ipkungfu didn't change
scripts in such a way that the next reboot will change the firewall?
could there be any files left lying around in /etc?

the description field does not say that iptables affects the system
simply by installing it.  see also bug 311868.

the user cannot assume that it installs a firewall or exactly how or
where it does it or whether or how it is reversible.  remember that
different users install firewalls in different ways, and there are
different places for various scripts (upon boot, upon ipup, etc.).

ipkungfu also does not tell the user what it is doing when it is
installed or purged.  then it produces an error.  i would examine the
scripts if i could, but cannot now.  does it leave a firewall in a
different state?  if so how does it know that it is more secure than
whatever the user is already running?  does it know what servers are
running?

i was installing ipkungfu just to look at its documentation.  please
change the description field, fix the init.d bugs, and have the init.d
script be more verbose.

please also document, perhaps in the changelog, for users who
experienced this problem exactly what was done and whether anything
needs to be done to clean up.

to somebody who knows what ipkungfu is doing, this might seem like an
overreaction.  but please look at it from the perspective of somebody
who does not.  you and i know to search for the install and purge
scripts, but many people do not.  Remember, the doc says:

        ... can be also used by people that have only limited
        knowledge of proper security and IP filtering practices.

Thanks.


Starting ipkungfu: Checking configuration...
Loading IRC connection tracking module...
#will loading modules change kernel operation or is it only a set of calls?
Loading IRC NAT module...
 ULOG kernel support detected!
#huh?
/usr/sbin/ipkungfu: line 928: /proc/sys/net/ipv4/tcp_syncookies: No such file or directory
Clearing old chains and tables...
#some users won't know that this means actual change rather than something internal
Implementing custom rules...
ipkungfu.

....

0 03-Fri-16-34-24 ~# dpkg-reconfigure ipkungfu
Stopping ipkungfu: invoke-rc.d: initscript ipkungfu, action "stop" failed.
#hmm
Starting ipkungfu: Checking configuration...
 ULOG kernel support detected!
#what is that?
/usr/sbin/ipkungfu: line 928: /proc/sys/net/ipv4/tcp_syncookies: No such file or directory
Clearing old chains and tables...
Implementing custom rules...
ipkungfu.
0 03-Fri-16-34-35 ~# /etc/init.d/ip
ipkungfu* iptables* 
0 03-Fri-16-34-35 ~# /etc/init.d/ipkungfu stop
Stopping ipkungfu: 1 03-Fri-16-35-17 ~# 
1 03-Fri-16-35-19 ~# /etc/init.d/ipkungfu stop
Stopping ipkungfu: 1 03-Fri-16-35-20 ~# 
1 03-Fri-16-35-21 ~# aptitude purge ipkungfu
Reading Package Lists... Done
Building Dependency Tree       
Reading extended state information       
Initializing package states... Done
The following packages have been kept back:
  xserver-xfree86 
The following packages will be REMOVED:
  ipkungfu 
0 packages upgraded, 0 newly installed, 1 to remove and 1 not upgraded.
Need to get 0B of archives. After unpacking 205kB will be freed.
Do you want to continue? [Y/n/?] 
Writing extended state information... Done
(Reading database ... 144114 files and directories currently installed.)
Removing ipkungfu ...
Stopping ipkungfu: invoke-rc.d: initscript ipkungfu, action "stop" failed.
#well ok then :-(
Purging configuration files for ipkungfu ...
Reading Package Lists... Done             
Building Dependency Tree       
Reading extended state information       
Initializing package states... Done


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11--from-2.6.9-proc-config-and-menuconfig
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages ipkungfu depends on:
ii  iproute                       20041019-3 Professional tools to control the 
ii  iptables                      1.2.11-10  Linux kernel 2.4+ iptables adminis
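
Added example (not part of the original report and not ipkungfu's own code): one way to answer the report's question of whether an install, reconfigure or purge changed the running firewall is to compare iptables-save dumps taken before and after, with timestamps and counters normalized. The function names and the sample dumps below are constructed for illustration.

```shell
#!/bin/sh
# Added example: report whether the ruleset changed between two
# iptables-save dumps, ignoring fields that vary even when rules do not.

# normalize_ruleset FILE: drop timestamp comments, zero packet/byte counters
normalize_ruleset() {
    sed -e '/^#/d' \
        -e 's/\[[0-9][0-9]*:[0-9][0-9]*\]/[0:0]/' \
        -e 's/[[:space:]]*$//' "$1"
}

# ruleset_diff BEFORE AFTER: print removed (-) and added (+) lines.
# Returns 0 if the rulesets are equivalent, 1 if they differ.
ruleset_diff() {
    a=$(mktemp) || return 2
    b=$(mktemp) || { rm -f "$a"; return 2; }
    normalize_ruleset "$1" > "$a"
    normalize_ruleset "$2" > "$b"
    diff "$a" "$b" | sed -n -e 's/^< /- /p' -e 's/^> /+ /p'
    rc=0; cmp -s "$a" "$b" || rc=1
    rm -f "$a" "$b"
    return "$rc"
}

# sample_dump STAMP POLICY PKTS RULE: constructed dump in iptables-save
# format (sample data for this example, not output from the report).
sample_dump() {
    cat <<EOF
# Generated by iptables-save on $1
*filter
:INPUT $2 [$3:9800]
:FORWARD $2 [0:0]
:OUTPUT ACCEPT [95:7100]
$4
COMMIT
# Completed on $1
EOF
}

# Demo: the same rules dumped later (new timestamp and counters), then a
# dump taken after something replaced the policy and the rules.
d=$(mktemp -d)
sample_dump "Mon Jan  1 10:00:00 2001" ACCEPT 120 "-A INPUT -i lo -j ACCEPT" > "$d/before"
sample_dump "Mon Jan  1 10:05:00 2001" ACCEPT 450 "-A INPUT -i lo -j ACCEPT" > "$d/later"
sample_dump "Mon Jan  1 10:09:00 2001" DROP 3 "-A INPUT -m state --state ESTABLISHED -j ACCEPT" > "$d/after"
ruleset_diff "$d/before" "$d/later" && echo "before vs later: unchanged"
ruleset_diff "$d/before" "$d/after" || echo "before vs after: CHANGED"
rm -rf "$d"
```

On a real system, run iptables-save as root into one file before the package operation and into another afterwards, then pass both files to ruleset_diff. Rule order is preserved in the comparison because order is significant to the firewall.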

