Bug#862485: fwsnort mustn't set iptables rules when purged
Axel Beckert wrote:
> Point taken. Will move that line (or an "fwsnort --ipt-flush") into a
> (to be created) prerm and do another QA upload. (Unless you're already
> onto it. Feel free to do that.)

Unfortunately "fwsnort --ipt-flush" only flushes the chains but does not
remove the chains:

    # iptables -L -v -n
    Chain INPUT (policy ACCEPT 34 packets, 6672 bytes)
     pkts bytes target           prot opt in     out     source       destination
    22598   17M FWSNORT_INPUT    all  --  !lo    *       0.0.0.0/0    0.0.0.0/0

    Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
     pkts bytes target           prot opt in     out     source       destination
        0     0 FWSNORT_FORWARD  all  --  !lo    *       0.0.0.0/0    0.0.0.0/0

    Chain OUTPUT (policy ACCEPT 34 packets, 2568 bytes)
     pkts bytes target           prot opt in     out     source       destination
    22777 1488K FWSNORT_OUTPUT   all  --  *      !lo     0.0.0.0/0    0.0.0.0/0

    Chain FWSNORT_FORWARD (1 references)
     pkts bytes target           prot opt in     out     source       destination

    Chain FWSNORT_FORWARD_ESTAB (0 references)
     pkts bytes target           prot opt in     out     source       destination

    Chain FWSNORT_INPUT (1 references)
     pkts bytes target           prot opt in     out     source       destination

    Chain FWSNORT_INPUT_ESTAB (0 references)
     pkts bytes target           prot opt in     out     source       destination

    Chain FWSNORT_OUTPUT (1 references)
     pkts bytes target           prot opt in     out     source       destination

    Chain FWSNORT_OUTPUT_ESTAB (0 references)
     pkts bytes target           prot opt in     out     source       destination

So a little bit more is needed in prerm to properly clean up: First
remove the remaining references to FWSNORT_* chains, then delete all
FWSNORT_* chains.

Regards, Axel
--
 ,''`.  | Axel Beckert, http://people.debian.org/~abe/
: :' :  | Debian Developer, ftp.ch.debian.org Admin
`. `'   | 4096R: 2517 B724 C5F6 CA99 5329 6E61 2FF9 CD59 6126 16B5
  `-    | 1024D: F067 EA27 26B9 C3FC 1486 202E C09E 1D89 9593 0EDE
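The two-step cleanup described in the message above (remove the remaining references to FWSNORT_* chains, then delete the chains), and the alternative to the "grep -v FWSNORT ... | iptables-restore" line from the original report, as an added example that is not part of this bug report or of the fwsnort package. The script derives the exact commands from iptables-save(8) output instead of restoring a saved snapshot, so it removes only what fwsnort added and nothing the admin changed since. The function names, the "print"/"apply" arguments and the sample iptables-save text are this example's own assumptions; the sample is constructed from the listing above plus one invented intra-fwsnort rule.

```shell
#!/bin/sh
# Added example, not code from fwsnort or from this bug report: derive the
# cleanup commands a prerm needs from iptables-save(8) output. Order matters:
# delete the jumps out of INPUT/FORWARD/OUTPUT first, then flush every
# FWSNORT_* chain (this also drops intra-fwsnort jumps such as
# FWSNORT_INPUT -> FWSNORT_INPUT_ESTAB), and only then delete the chains,
# because "iptables -X" refuses to delete a chain that is still referenced.
# Function, variable and argument names are this example's own assumptions.

fwsnort_cleanup_cmds() {
    # $1: text of "iptables-save -t filter". Prints one iptables command per line.
    printf '%s\n' "$1" | awk '
        /^\*/             { table = substr($0, 2); next }   # "*filter", "*nat", ...
        table != "filter" { next }
        /^:FWSNORT_/      { chains[++nchains] = substr($1, 2); next }  # ":NAME POLICY [p:b]"
        /^-A / && /-j FWSNORT_/ {
            # A jump into a FWSNORT_ chain from a chain fwsnort does not own:
            # turn "-A CHAIN <spec>" into "iptables -D CHAIN <spec>" so the
            # exact rule, whatever its match options, is the one removed.
            if ($2 !~ /^FWSNORT_/) {
                sub(/^-A /, "iptables -D ")
                refs[++nrefs] = $0
            }
            next
        }
        END {
            for (i = 1; i <= nrefs;   i++) print refs[i]
            for (i = 1; i <= nchains; i++) print "iptables -F " chains[i]
            for (i = 1; i <= nchains; i++) print "iptables -X " chains[i]
        }'
}

# Constructed sample: the iptables-save form of the "iptables -L -v -n"
# listing in the message above, plus one invented rule inside FWSNORT_INPUT
# to show that intra-fwsnort references are handled by the flush, not by -D.
SAMPLE_SAVE='*filter
:INPUT ACCEPT [34:6672]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [34:2568]
:FWSNORT_FORWARD - [0:0]
:FWSNORT_FORWARD_ESTAB - [0:0]
:FWSNORT_INPUT - [0:0]
:FWSNORT_INPUT_ESTAB - [0:0]
:FWSNORT_OUTPUT - [0:0]
:FWSNORT_OUTPUT_ESTAB - [0:0]
-A INPUT ! -i lo -j FWSNORT_INPUT
-A FORWARD ! -i lo -j FWSNORT_FORWARD
-A OUTPUT ! -o lo -j FWSNORT_OUTPUT
-A FWSNORT_INPUT -p tcp -m tcp --dport 80 -m state --state ESTABLISHED -j FWSNORT_INPUT_ESTAB
COMMIT'

demo_cleanup_cmds() {
    fwsnort_cleanup_cmds "$SAMPLE_SAVE"
}

# Command-line use. "print" and "apply" need root and a live iptables; with no
# argument the constructed sample is used, so the script also runs offline.
case "${1:-}" in
    print) fwsnort_cleanup_cmds "$(iptables-save -t filter)" ;;
    apply) fwsnort_cleanup_cmds "$(iptables-save -t filter)" | sh -e ;;
    *)     demo_cleanup_cmds ;;
esac
```

Run without arguments to see the 15 commands generated for the sample (3 deletions of jumps, 6 flushes, 6 chain deletions); "print" shows what would be done on the current host and "apply" executes it. Generating from the live table rather than from a saved file is the point: a snapshot such as /var/lib/fwsnort/fwsnort.save describes the rules at the time it was written, which is exactly the problem the original report raises for a purge years later.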
Bug#862485: fwsnort mustn't set iptables rules when purged
Control: tag -1 + confirmed - moreinfo

Hi Adrian,

Adrian Bunk wrote:
> > > Tags: security
> >
> > I also disagree with this tag.
>
> messing up the iptables setup at an unexpected time can have bad
> consequences.

bad != security

> > > A case could be made for "fwsnort --ipt-flush" in prerm.
> >
> > This would be against the expectation of users that configurations,
> > settings etc. are removed on purge and not on removal.
>
> When you remove (not purge) a package containing a webserver, do you
> expect that the webserver is stopped or do you expect that the webserver
> is still running after removing the package?

Granted. Thanks for that comparison.

> > > Or considering that activating any fwsnort rules is not done
> > > automatically and that the package should not interfere with
> > > what the admin has done.
> >
> > I disagree. I expect a package to clean up its changes on purge which
> > result from common usage. To be more specific, seeing 11'000
> > iptables rules left on my system after purging fwsnort with no chance
> > to remove them without reinstalling the package or removing 11'000
> > rules by hand. Not cleaning up these rules is a bug. And cleaning up
> > is a task for "purge", not for "remove".
>
> "Remove an installed package. This removes everything except conffiles"
> This is the dpkg (and similar in apt) description of what remove does.
>
> A package that is removed but not purged is in the Config-Files state.
> This means the old configuration is still present if the package gets
> installed again.
>
> Purging is supposed to remove the (at that point already unused)
> configuration files of the package.

Point taken. Will move that line (or an "fwsnort --ipt-flush") into a
(to be created) prerm and do another QA upload. (Unless you're already
onto it. Feel free to do that.)

Regards, Axel
Bug#862485: fwsnort mustn't set iptables rules when purged
Control: severity -1 serious

On Sat, May 13, 2017 at 07:27:27PM +0200, Axel Beckert wrote:
> Control: tag -1 + moreinfo
> Control: severity -1 important
>
> Hi Adrian,

Hi Axel,

> Adrian Bunk wrote:
> > Severity: critical
>
> I think that's overly exaggerated.
>
> > Tags: security
>
> I also disagree with this tag.

messing up the iptables setup at an unexpected time can have bad
consequences.

> > The #861999 fix adds the following on purging:
> > grep -v FWSNORT /var/lib/fwsnort/fwsnort.save | iptables-restore
>
> Yes. In postrm on purge.
>
> > Imagine the following:
> > 1. today I install fwsnort and try it
> > 2. later today I uninstall it
>
> You usually purge packages if you play with packages which make changes
> to your system.
>
> > This would in 2 years set the iptables rules to what they
> > were today before I shortly played with fwsnort.
>
> I consider this (i.e. just removing but not purging when wanting to
> get rid of a package and all its effects) to be the admin's fault, not
> the package's fault.
>
> > A case could be made for "fwsnort --ipt-flush" in prerm.
>
> This would be against the expectation of users that configurations,
> settings etc. are removed on purge and not on removal.

When you remove (not purge) a package containing a webserver, do you
expect that the webserver is stopped or do you expect that the webserver
is still running after removing the package?

> > Or considering that activating any fwsnort rules is not done
> > automatically and that the package should not interfere with
> > what the admin has done.
>
> I disagree. I expect a package to clean up its changes on purge which
> result from common usage. To be more specific, seeing 11'000
> iptables rules left on my system after purging fwsnort with no chance
> to remove them without reinstalling the package or removing 11'000
> rules by hand. Not cleaning up these rules is a bug. And cleaning up
> is a task for "purge", not for "remove".

"Remove an installed package. This removes everything except conffiles"

This is the dpkg (and similar in apt) description of what remove does.

A package that is removed but not purged is in the Config-Files state.
This means the old configuration is still present if the package gets
installed again.

Purging is supposed to remove the (at that point already unused)
configuration files of the package.

Purging is not supposed to do any reconfiguration of the system.

> Regards, Axel

cu
Adrian

--
"Is there not promise of rain?" Ling Tan asked suddenly out
of the darkness. There had been need of rain for many days.
"Only a promise," Lao Er said.
                                    Pearl S. Buck - Dragon Seed
Bug#862485: fwsnort mustn't set iptables rules when purged
Control: tag -1 + moreinfo
Control: severity -1 important

Hi Adrian,

Adrian Bunk wrote:
> Severity: critical

I think that's overly exaggerated.

> Tags: security

I also disagree with this tag.

> The #861999 fix adds the following on purging:
> grep -v FWSNORT /var/lib/fwsnort/fwsnort.save | iptables-restore

Yes. In postrm on purge.

> Imagine the following:
> 1. today I install fwsnort and try it
> 2. later today I uninstall it

You usually purge packages if you play with packages which make changes
to your system.

> This would in 2 years set the iptables rules to what they
> were today before I shortly played with fwsnort.

I consider this (i.e. just removing but not purging when wanting to
get rid of a package and all its effects) to be the admin's fault, not
the package's fault.

> A case could be made for "fwsnort --ipt-flush" in prerm.

This would be against the expectation of users that configurations,
settings etc. are removed on purge and not on removal.

> Or considering that activating any fwsnort rules is not done
> automatically and that the package should not interfere with
> what the admin has done.

I disagree. I expect a package to clean up its changes on purge which
result from common usage. To be more specific, seeing 11'000
iptables rules left on my system after purging fwsnort with no chance
to remove them without reinstalling the package or removing 11'000
rules by hand. Not cleaning up these rules is a bug. And cleaning up
is a task for "purge", not for "remove".

Regards, Axel
Bug#862485: fwsnort mustn't set iptables rules when purged
Package: fwsnort
Version: 1.6.5-3
Severity: critical
Tags: security

The #861999 fix adds the following on purging:

    grep -v FWSNORT /var/lib/fwsnort/fwsnort.save | iptables-restore

Imagine the following:
1. today I install fwsnort and try it
2. later today I uninstall it
3. 2 years later I purge all long-removed packages

This would in 2 years set the iptables rules to what they
were today before I shortly played with fwsnort.

A case could be made for "fwsnort --ipt-flush" in prerm.

Or considering that activating any fwsnort rules is not done
automatically and that the package should not interfere with
what the admin has done.