Your message dated Wed, 5 Sep 2018 15:45:50 +0200
with message-id 
<ca+fnjvdaenavyersk-1nn7r0rucfomjl0tperd_tmueqccp...@mail.gmail.com>
and subject line 
has caused the Debian Bug report #739251,
regarding iptables: Upgrade breaks existing rules (and is not documented)
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
739251: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=739251
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: iptables
Version: 1.4.14-3.1
Severity: grave
Tags: security
Justification: user security hole
X-Debbugs-Cc: t...@security.debian.org,
secure-testing-t...@lists.alioth.debian.org

After a squeeze -> wheezy upgrade, iptables refuses to load rules that
worked in squeeze and were generated using squeeze's iptables-save.

The result is that after the upgrade the entire iptables system is
broken, leaving the machine completely open to the network.  It is a
mostly silent failure, and the admin would only discover it by
reviewing startup logs or portscanning the machine.  There are no
notifications of the incompatible change during the upgrade and it's
not even documented in either of the changelogs.

The specific syntax change to rules was:

squeeze: -d !123.123.123.123
wheezy:  ! -d 123.123.123.123

where -d could be any of a number of flags that accept negative
arguments.  Because iptables-restore uses an all-or-nothing approach,
having even one rule with the incompatible syntax will prevent all
rules from being loaded.

If an upgrade breaks existing rules in a way that will cause
iptables-restore to fail, there should be a VERY prominent warning
during the upgrade.  I'd say that about almost any package, but for
one as security-critical as iptables to break silently after a routine
upgrade really seems to fall below Debian's quality standards.

To fill in a bit of relevant information, Debian's iptables package
doesn't include a method of automatically saving or restoring rules on
shutdown/boot.  That means this bug could manifest itself in a number
of ways depending on how the admin has configured the save/restore
process.  The simplest and possibly most common method would be to use
/etc/rc.local or an /etc/init.d script to run iptables-restore.  In
any case the restore would certainly be done automatically on boot in
order to secure the network as soon as possible.  If the admin had set
up an automatic iptables-save during shutdown they may have avoided
this bug by happenstance since the rules would be saved by wheezy's
iptables-save before the next reboot.  However, automatically saving
rules may not be common, and the iptables-persistent package in Debian
only auto-restores and does not auto-save.


-- System Information:
Debian Release: 7.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686-bigmem (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages iptables depends on:
ii  libc6          2.13-38+deb7u1
ii  libnfnetlink0  1.0.0-1.1

iptables recommends no packages.

iptables suggests no packages.

-- no debconf information

--- End Message ---
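The report above describes two things a defender can act on before upgrading: the negation syntax moved from "-d !ADDR" to "! -d ADDR", and iptables-restore loads a ruleset all-or-nothing, so one legacy rule leaves the host with no rules at all. The following script is an added example, not part of the bug report or of Debian's iptables package: it audits an iptables-save dump for the legacy form, reports the offending line numbers, and rewrites them to the wheezy form so the saved rules can be reviewed and test-loaded before a reboot. The sample dump, the function names, and the handling of the spaced "-d ! ADDR" variant (treated here as the same legacy family) are assumptions of this example; quoted values such as "--comment" strings are left untouched so a "!" inside them is not mistaken for a negation.

```python
"""Audit an iptables-save dump for squeeze-era negation syntax ("-d !ADDR")
that wheezy's iptables-restore rejects, and rewrite it to "! -d ADDR".
Because iptables-restore applies a ruleset all-or-nothing, a single legacy
rule is enough to leave the host with no rules at all, so the audit should
run against the saved rules file before the upgrade and reboot."""
import re

# A token is either a double-quoted value (e.g. -m comment --comment "x y")
# or a run of non-space characters.  Quoted values are kept verbatim so a
# "!" inside a comment string is never treated as a negation.
_TOKEN = re.compile(r'"[^"]*"|\S+')

# Constructed sample dump in iptables-save format (not from a real host).
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.0.2.0/24 -d !192.0.2.1 -p tcp --dport 22 -j ACCEPT
-A INPUT -p ! icmp -m comment --comment "keep !this! text" -j DROP
-A INPUT ! -i eth0 -j REJECT
COMMIT
"""


def _is_option(tok: str) -> bool:
    """True for an iptables option token such as -d, -p, --dport, --icmp-type."""
    return len(tok) > 1 and tok[0] == "-" and tok[1] not in "0123456789"


def _rewrite(line: str):
    """Return (rewritten_line, changed).  Non-rule lines pass through as-is.

    squeeze form:  -A INPUT -d !192.0.2.1 -j DROP   (assumed also: -d ! 192.0.2.1)
    wheezy form:   -A INPUT ! -d 192.0.2.1 -j DROP
    """
    if not line.startswith("-"):  # *table, :CHAIN policy, COMMIT, # comment
        return line, False
    toks = _TOKEN.findall(line)
    out, changed, i = [], False, 0
    while i < len(toks):
        tok = toks[i]
        nxt = toks[i + 1] if i + 1 < len(toks) else None
        if _is_option(tok) and nxt is not None and nxt.startswith("!"):
            # Legacy negation: move the bang in front of the option.
            out.extend(["!", tok])
            if nxt != "!":
                out.append(nxt[1:])  # "-d !ADDR": split the bang off the value
            # "-d ! ADDR": ADDR is the next token and is copied on the next pass
            i += 2
            changed = True
            continue
        out.append(tok)
        i += 1
    return (" ".join(out) if changed else line), changed


def convert_rule(line: str) -> str:
    """Rewrite legacy negation in one line of an iptables-save dump."""
    return _rewrite(line)[0]


def audit_dump(text: str):
    """Return (converted_dump, [1-based line numbers that used legacy syntax])."""
    out_lines, legacy = [], []
    for n, line in enumerate(text.splitlines(), start=1):
        new, changed = _rewrite(line)
        if changed:
            legacy.append(n)
        out_lines.append(new)
    return "\n".join(out_lines) + "\n", legacy


if __name__ == "__main__":
    # Typical use: audit_dump(open("/path/to/saved-rules").read()), then
    # review the reported lines and the rewritten dump before loading it.
    converted, legacy = audit_dump(SAMPLE_DUMP)
    print("lines with legacy negation (would abort the whole restore):", legacy)
    print(converted, end="")
```

Any non-empty list from audit_dump means the unmodified file would have failed to load as a whole on the new version, which is exactly the silent failure the report describes; the rewritten dump should still be reviewed by hand before it replaces the original.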
--- Begin Message ---

--- End Message ---
