[Firewall] Minor BUG in 2.0.1, and maybe also in newer versions

kcem kcem at op.pl
Tue Feb 14 19:30:21 CET 2012


I found one bug in many places.
I will explain the problem with this example code:
-- cut
  # TCP ports to ALLOW for certain DMZ hosts
  ##########################################
  unset IFS
  for rule in $DMZ_LAN_HOST_OPEN_TCP; do
    shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"`
    dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)`
    ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"`
    echo "  Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
    IFS=','
(...)
  done
-- cut
"unset IFS" should be inside the for loop. For example, when someone does this:
DMZ_LAN_HOST_OPEN_TCP="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010"
the first entry on the list will work, and the second entry won't.
 
This is output:
Setting up DMZ->LAN policy
  Allowing 0/0(DMZ) to 123.132.123.123(LAN) for TCP port(s): 25,53,80
  Allowing 192.168.122.2(DMZ) to 123.132.123.123(LAN) for TCP port(s): 3306
  Allowing 0/0(DMZ) to 123.132.123.123(LAN) for UDP port(s): 25,53,80
  Allowing 192.168.122.2(DMZ) to 123.132.123.123(LAN) for UDP port(s): 3306
 
Should be:
-- cut
  # TCP ports to ALLOW for certain DMZ hosts
  ##########################################
  for rule in $DMZ_LAN_HOST_OPEN_TCP; do
    unset IFS
    shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"`
    dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)`
    ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"`
    echo "  Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
    IFS=','
(...)
  done
-- cut
 
Inside the loops IFS is set, so the unset should also be done inside the loops.
 
 
Greetings,
Konrad Cempura
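A stand-alone reproduction of the IFS scoping problem described above, added here as an example; it is not Arno's firewall code and not part of the original post. The rule list is constructed from the post, first_arg() is a hypothetical stand-in for get_hosts_ih/get_ports_hp that keeps only its first argument (the assumption being that a word-split substitution hands those helpers several arguments and they use the first), and the cut fields are chosen to mirror the "src>dst~ports" shape. The point for a firewall operator is that the buggy loop silently narrows every rule after the first to its first host and first port, so the policy actually loaded is not the one configured.

```shell
#!/bin/sh
# Added example, not the firewall project's own code.
# first_arg() is a hypothetical stand-in for get_hosts_ih / get_ports_hp:
# it keeps only its first argument, which is all a word-split $(...) would hand them.
first_arg() { printf '%s' "$1"; }

# Constructed rule list in the post's "src>dst~ports" shape, space separated.
RULES="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010"

# Buggy shape: IFS is unset once before the loop and set to ',' at the end of each
# iteration, so the unquoted $(...) in every iteration after the first is split on ','.
parse_rules_buggy() {
  out=""
  unset IFS
  for rule in $1; do
    shosts=$(first_arg $(echo "$rule" | cut -s -d'>' -f1))
    ports=$(first_arg $(echo "$rule" | cut -s -d'~' -f2))
    out="$out$shosts:$ports;"
    IFS=','
  done
  unset IFS    # leave IFS in its default state for the caller
  printf '%s' "$out"
}

# Fixed shape from the post: unset IFS at the top of every iteration, so each
# substitution is split on whitespace no matter what the previous iteration left.
# The loop header itself still relies on IFS being in its default state at entry.
parse_rules_fixed() {
  out=""
  for rule in $1; do
    unset IFS
    shosts=$(first_arg $(echo "$rule" | cut -s -d'>' -f1))
    ports=$(first_arg $(echo "$rule" | cut -s -d'~' -f2))
    out="$out$shosts:$ports;"
    IFS=','
  done
  unset IFS
  printf '%s' "$out"
}

echo "buggy: $(parse_rules_buggy "$RULES")"
echo "fixed: $(parse_rules_fixed "$RULES")"
```

Running it prints the second rule truncated to 192.168.122.2 and port 3306 in the buggy variant, matching the output quoted in the post, while the fixed variant keeps all three hosts and both ports.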