[Firewall] Minor BUG in 2.0.1, and maybe also in newer versions

Lonnie Abelbeck lists at lonnie.abelbeck.com
Tue Feb 14 23:48:25 CET 2012


Hi Konrad,

I tried your example test, using AIF v2.0.1:
--
DMZ_LAN_HOST_OPEN_TCP="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010"
--

snippet from "arno-iptables-firewall restart"
--
 Setting up DMZ->LAN policy
  Allowing 0/0(DMZ) to 123.132.123.123(LAN) for TCP port(s): 25,53,80
  Allowing 192.168.122.2,192.168.122.3,192.168.122.4(DMZ) to 123.132.123.123(LAN) for TCP port(s): 3306,26010
--

snippet from "iptables -nvL DMZ_LAN_FORWARD_CHAIN"
--
Chain DMZ_LAN_FORWARD_CHAIN (3 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            123.132.123.123      tcp dpt:25
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            123.132.123.123      tcp dpt:53
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            123.132.123.123      tcp dpt:80
    0     0 ACCEPT     tcp  --  *      *       192.168.122.2        123.132.123.123      tcp dpt:3306
    0     0 ACCEPT     tcp  --  *      *       192.168.122.2        123.132.123.123      tcp dpt:26010
    0     0 ACCEPT     tcp  --  *      *       192.168.122.3        123.132.123.123      tcp dpt:3306
    0     0 ACCEPT     tcp  --  *      *       192.168.122.3        123.132.123.123      tcp dpt:26010
    0     0 ACCEPT     tcp  --  *      *       192.168.122.4        123.132.123.123      tcp dpt:3306
    0     0 ACCEPT     tcp  --  *      *       192.168.122.4        123.132.123.123      tcp dpt:26010
--

It seems to work properly for me on my test box.

What is your default shell? What version? i.e.

$ ls -l /bin/sh

$ /bin/sh --version  # for example

Lonnie


On Feb 14, 2012, at 12:30 PM, kcem wrote:

> I found one bug in many places.
> I explain the problem with this example code:
> 
> -- cut
>   # TCP ports to ALLOW for certain DMZ hosts
>   ##########################################
>   unset IFS
>   for rule in $DMZ_LAN_HOST_OPEN_TCP; do
>     shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"`
>     dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)`
>     ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"`
> 
>     echo "  Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
> 
>     IFS=','
> (...)
>   done
> -- cut
> 
> "unset IFS" should be inside for loop. In example when someone do this:
> DMZ_LAN_HOST_OPEN_TCP="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010"
> first entry on list will work, and second entry won't.
>  
> This is output:
> Setting up DMZ->LAN policy
>   Allowing 0/0(DMZ) to 123.132.123.123(LAN) for TCP port(s): 25,53,80
>   Allowing 192.168.122.2(DMZ) to 123.132.123.123(LAN) for TCP port(s): 3306
>   Allowing 0/0(DMZ) to 123.132.123.123(LAN) for UDP port(s): 25,53,80
>   Allowing 192.168.122.2(DMZ) to 123.132.123.123(LAN) for UDP port(s): 3306
> 
>  
> Should be:
> -- cut
>   # TCP ports to ALLOW for certain DMZ hosts
>   ##########################################
>   for rule in $DMZ_LAN_HOST_OPEN_TCP; do
>     unset IFS
>     shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"`
>     dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)`
>     ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"`
> 
>     echo "  Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
> 
>     IFS=','
> (...)
>   done
> -- cut
>  
> Inside the loops IFS is set, so the unset should also be done inside the loops.
>  
>  
> Greetings,
> Konrad Cempura
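The loop from the thread, reduced to a self-contained POSIX sh script so the IFS leak can be reproduced and checked without a firewall box. This is an added example, not AIF's own code: get_hosts_ih, get_hosts_hp and get_ports_hp are hypothetical stand-ins that look only at their first positional argument (the assumption under which a comma-split argument collapses to its first element), ANYHOST/ANYPORT are constructed defaults, and the "ACCEPT" lines are a constructed stand-in for the iptables rules AIF would emit. The "inside" variant resets IFS per rule as Konrad's fix does, and also before the loop header so the rule list itself is always split on whitespace.

```shell
#!/bin/sh
# Added example (not AIF's code): reproduces the IFS leak described in the thread.
#   build_policy outside  -> unset IFS once, before the loop (the 2.0.1 shape)
#   build_policy inside   -> unset IFS for every rule (Konrad's fix), plus once
#                            before the loop header

# Constructed config, same shape as the rule string in the thread.
DMZ_LAN_HOST_OPEN_TCP="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010"
ANYHOST="0/0"       # constructed placeholders for AIF's $ANYHOST / $ANYPORT
ANYPORT="1:65535"

# Hypothetical stand-ins for get_hosts_ih / get_hosts_hp / get_ports_hp.
# Each uses only its first positional argument; that assumption is what makes
# an argument that was word-split on ',' shrink to its first element.
get_hosts_ih() { echo "${1:-$2}"; }          # hosts, or $ANYHOST when empty
get_hosts_hp() { echo "${1%%~*}"; }          # "host~ports" -> host
get_ports_hp() {                             # "host~ports" -> ports, or $ANYPORT
  p="${1#*~}"
  if [ "$p" = "$1" ]; then p="$2"; fi
  echo "$p"
}

# $1 = "outside" or "inside" (where unset IFS is placed).
# Prints one "Allowing" line per rule, then one constructed ACCEPT line per
# (source host, port) pair, standing in for the rules AIF would install.
build_policy() {
  placement="$1"
  unset IFS                      # both variants: the rule list splits on whitespace
  for rule in $DMZ_LAN_HOST_OPEN_TCP; do
    if [ "$placement" = "inside" ]; then unset IFS; fi
    # These command substitutions are unquoted, so their output is split on
    # whatever IFS holds right now. In the "outside" variant the 2nd rule is
    # processed with IFS=',' left over from the 1st, so the helpers see only
    # the first host and the first port.
    shosts=$(get_hosts_ih $(echo "$rule" | cut -s -d'>' -f1) "$ANYHOST")
    dhosts=$(get_hosts_hp $(echo "$rule" | cut -s -d'>' -f2))
    ports=$(get_ports_hp $(echo "$rule" | cut -s -d'>' -f2) "$ANYPORT")

    echo "  Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"

    IFS=','                      # split the host and port lists for expansion
    for shost in $shosts; do
      for port in $ports; do
        echo "    ACCEPT tcp $shost -> $dhosts dpt:$port"
      done
    done
  done
  unset IFS
}

# Number of ACCEPT lines a variant produces. Lonnie's "iptables -nvL" listing
# shows 9 rules for this config when the loop works as intended.
count_accepts() {
  build_policy "$1" | grep -c '^    ACCEPT'
}

echo "== unset IFS outside the loop =="; build_policy outside
echo "== unset IFS inside the loop =="; build_policy inside
```

Two things the script makes visible. The `for rule in $DMZ_LAN_HOST_OPEN_TCP` word list is expanded once, before the first iteration, so the leaked IFS does not change which rules are visited; what it changes is the word splitting of the unquoted `$(echo "$rule" | cut ...)` substitutions inside the body, which is why the second rule's host list and port list are truncated to their first element rather than dropped outright. The symptom is fail-closed (4 ACCEPT rules installed instead of 9), but the installed policy silently differs from the configured one, which is exactly what comparing `iptables -nvL DMZ_LAN_FORWARD_CHAIN` against the configuration after a restart, as done above, is meant to catch.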