[Firewall] Possible BUG in 2.0.0a and maybe in newer versions

kcem kcem at op.pl
Tue Feb 14 20:45:23 CET 2012


I think I found one bug in many places.
I explain the problem using this example code:
-- cut
# TCP ports to ALLOW for certain DMZ hosts
##########################################
unset IFS
for rule in $DMZ_LAN_HOST_OPEN_TCP; do
  shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"`
  dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)`
  ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"`
  echo " Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
  IFS=','
(...)
done
-- cut
For example, when someone does this:
DMZ_LAN_HOST_OPEN_TCP="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010"
the first entry in the list will work, and the second entry won't.
 
This is output:
 Setting up DMZ->LAN policy
  Allowing 0/0(DMZ) to 123.132.123.123(LAN) for TCP port(s): 25,53,80
  Allowing 192.168.122.2(DMZ) to 123.132.123.123(LAN) for TCP port(s): 3306
  Allowing 0/0(DMZ) to 123.132.123.123(LAN) for UDP port(s): 25,53,80
  Allowing 192.168.122.2(DMZ) to 123.132.123.123(LAN) for UDP port(s): 3306
 
Probably "unset IFS" should also be inside the for loop (because IFS is also being set inside the loops).
 
Should be:
-- cut
# TCP ports to ALLOW for certain DMZ hosts
##########################################
unset IFS # without this line the first loop won't work
for rule in $DMZ_LAN_HOST_OPEN_TCP; do
  unset IFS # without this line the second and subsequent entries won't work
  shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"`
  dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)`
  ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"`
  echo " Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
  IFS=','
(...)
done
-- cut
 
Output after the fix:
 Setting up DMZ->LAN policy
  Allowing 0/0(DMZ) to 123.132.123.123(LAN) for TCP port(s): 25,53,80
  Allowing 192.168.122.2,192.168.122.3,192.168.122.4(DMZ) to 123.132.123.123(LAN) for TCP port(s): 3306,26010
  Allowing 0/0(DMZ) to 123.132.123.123(LAN) for UDP port(s): 25,53,80
  Allowing 192.168.122.2,192.168.122.3,192.168.122.4(DMZ) to 123.132.123.123(LAN) for UDP port(s): 3306,26010
 
This output looks better :)
 
 
Greetings,
Konrad Cempura
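Added here as a self-contained illustration of the IFS leak described above; it is not part of the original post or of the firewall package. The `get_hosts_*`/`get_ports_*` helpers are constructed stand-ins that only look at their first argument, and the rule string is the one from the post.

```shell
#!/bin/sh
# Constructed demonstration of the IFS leak; the helper functions are stand-ins,
# not the firewall package's own get_hosts_ih/get_hosts_hp/get_ports_hp.
# Rule syntax: SRC_HOSTS>DST_HOST~PORTS, entries separated by spaces, lists by ','.

DMZ_LAN_HOST_OPEN_TCP="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010"

# Stand-in helpers: each uses only its first argument, so an unwanted word
# split on ',' shows up as a truncated host list or port list.
get_hosts_ih() { echo "$1"; }
get_hosts_hp() { echo "$1" | cut -d'~' -f1; }
get_ports_hp() { echo "$1" | cut -s -d'~' -f2; }

# Buggy loop (as in the 2.0.0a code): IFS=',' set at the end of one iteration
# is still in effect when the next iteration's unquoted $(...) results are
# word-split, so the helpers receive several arguments instead of one.
render_rules_buggy() {
    unset IFS
    for rule in $DMZ_LAN_HOST_OPEN_TCP; do
        shosts=$(get_hosts_ih $(echo "$rule" | cut -s -d'>' -f1))
        dhosts=$(get_hosts_hp $(echo "$rule" | cut -s -d'>' -f2))
        ports=$(get_ports_hp $(echo "$rule" | cut -s -d'>' -f2))
        echo " Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
        IFS=','    # the real loop sets this before its elided "(...)" part
    done
    unset IFS
}

# Fixed loop: reset IFS at the top of every iteration, as the post proposes.
# Quoting the command substitutions would remove the IFS dependency entirely.
render_rules_fixed() {
    unset IFS
    for rule in $DMZ_LAN_HOST_OPEN_TCP; do
        unset IFS
        shosts=$(get_hosts_ih $(echo "$rule" | cut -s -d'>' -f1))
        dhosts=$(get_hosts_hp $(echo "$rule" | cut -s -d'>' -f2))
        ports=$(get_ports_hp $(echo "$rule" | cut -s -d'>' -f2))
        echo " Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
        IFS=','
    done
    unset IFS
}

echo "Before fix:"; render_rules_buggy
echo "After fix:";  render_rules_fixed
```

The second line of each function's output reproduces the truncated and the complete "Allowing ..." lines shown in the post.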