[Firewall] Minor BUG in 2.0.1, and maybe also in newer versions

kcem kcem at op.pl
Wed Feb 15 22:33:14 CET 2012


I am writing a second message with the subject: Possible BUG in 2.0.0a and maybe in newer versions

There were two reasons. I sent the first message too quickly (without a test of the new code) and it took a very long time for it to appear on the mailing list.
Please read and reply to the message with the subject: Possible BUG in 2.0.0a and maybe in newer versions


This is my system and shell:

Debian Squeeze
ii  bash                     4.1-3
GNU bash, version 4.1.5(1)-release-(x86_64-pc-linux-gnu)
Firewall version: 2.0.0a


-- 
KC


On 2012-02-14 23:48:25, user Lonnie Abelbeck <lists at lonnie.abelbeck.com> wrote:
> Hi Konrad,
> 
> I tried your example test, using AIF v2.0.1:
> --
> DMZ_LAN_HOST_OPEN_TCP="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010"
> --
> 
> snippet from "arno-iptables-firewall restart"
> --
>  Setting up DMZ->LAN policy
>   Allowing 0/0(DMZ) to 123.132.123.123(LAN) for TCP port(s): 25,53,80
>   Allowing 192.168.122.2,192.168.122.3,192.168.122.4(DMZ) to 123.132.123.123(LAN) for TCP port(s): 3306,26010
> --
> 
> snippet from "iptables -nvL DMZ_LAN_FORWARD_CHAIN"
> --
> Chain DMZ_LAN_FORWARD_CHAIN (3 references)
>  pkts bytes target     prot opt in     out     source               destination         
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            123.132.123.123      tcp dpt:25
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            123.132.123.123      tcp dpt:53
>     0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            123.132.123.123      tcp dpt:80
>     0     0 ACCEPT     tcp  --  *      *       192.168.122.2        123.132.123.123      tcp dpt:3306
>     0     0 ACCEPT     tcp  --  *      *       192.168.122.2        123.132.123.123      tcp dpt:26010
>     0     0 ACCEPT     tcp  --  *      *       192.168.122.3        123.132.123.123      tcp dpt:3306
>     0     0 ACCEPT     tcp  --  *      *       192.168.122.3        123.132.123.123      tcp dpt:26010
>     0     0 ACCEPT     tcp  --  *      *       192.168.122.4        123.132.123.123      tcp dpt:3306
>     0     0 ACCEPT     tcp  --  *      *       192.168.122.4        123.132.123.123      tcp dpt:26010
> --
> 
> It seems to work properly for me on my test box.
> 
> What is your default shell ? what version ? ie.
> 
> $ ls -l /bin/sh
> 
> $ /bin/sh --version  # for example
> 
> Lonnie
> 
> 
> On Feb 14, 2012, at 12:30 PM, kcem wrote:
> 
> > I found one bug in many places.
> > I explain problem on this example code:
> > 
> > -- cut
> >   # TCP ports to ALLOW for certain DMZ hosts
> >   ##########################################
> >   unset IFS
> >   for rule in $DMZ_LAN_HOST_OPEN_TCP; do
> >     shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"`
> >     dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)`
> >     ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"`
> > 
> >     echo "  Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
> > 
> >     IFS=','
> > (...)
> >   done
> > -- cut
> > 
> > "unset IFS" should be inside the for loop. For example, when someone does this:
> > DMZ_LAN_HOST_OPEN_TCP="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010"
> > the first entry in the list will work, and the second entry won't.
> >  
> > This is output:
> > Setting up DMZ->LAN policy
> >   Allowing 0/0(DMZ) to 123.132.123.123(LAN) for TCP port(s): 25,53,80
> >   Allowing 192.168.122.2(DMZ) to 123.132.123.123(LAN) for TCP port(s): 3306
> >   Allowing 0/0(DMZ) to 123.132.123.123(LAN) for UDP port(s): 25,53,80
> >   Allowing 192.168.122.2(DMZ) to 123.132.123.123(LAN) for UDP port(s): 3306
> > 
> >  
> > Should be:
> > -- cut
> >   # TCP ports to ALLOW for certain DMZ hosts
> >   ##########################################
> >   for rule in $DMZ_LAN_HOST_OPEN_TCP; do
> >     unset IFS
> >     shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"`
> >     dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)`
> >     ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"`
> > 
> >     echo "  Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
> > 
> >     IFS=','
> > (...)
> >   done
> > -- cut
> >  
> > Inside the loops IFS is set, so the unset should also be done inside the loops.
> >  
> >  
> > Greetings,
> > Konrad Cempura
> 
> 
> 
> _______________________________________________
> Firewall mailing list
> Firewall at rocky.eld.leidenuniv.nl
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall
> Arno's (Linux IPTABLES Firewall) Homepage:
> http://rocky.eld.leidenuniv.nl
> 
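The mechanism behind the report above can be reproduced without the firewall itself. The script below is an added example, not code from the thread or from Arno's Iptables Firewall: `stub_hosts_ih`, `stub_hosts_hp` and `stub_ports_hp` are hypothetical stand-ins that only return their first argument (or a default), so they do not implement AIF's real `get_hosts_ih`/`get_hosts_hp`/`get_ports_hp`; the defaults `0/0` and `1:65535` are assumed values for `$ANYHOST`/`$ANYPORT`. The point it shows is that an unquoted `$(...)` inside the loop is word-split with whatever IFS is current, so once an earlier iteration has set `IFS=','`, the next rule's comma-separated host and port lists arrive at the helper as separate arguments and all but the first are silently dropped. That is exactly the truncated second line in the reported output; moving `unset IFS` to the top of the loop body restores the full lists.

```shell
#!/bin/sh
# Added example: IFS leaking between loop iterations (not AIF code).

# Hypothetical stand-ins for AIF's get_hosts_ih / get_hosts_hp / get_ports_hp.
# They return $1 (or the default in $2); extra arguments produced by unwanted
# word splitting are ignored, which is the visible symptom of the bug.
stub_hosts_ih() { if [ -n "$1" ]; then echo "$1"; else echo "$2"; fi; }
stub_hosts_hp() { echo "$1" | cut -d'~' -f1; }
stub_ports_hp() {
  p=$(echo "$1" | cut -s -d'~' -f2)
  if [ -n "$p" ]; then echo "$p"; else echo "$2"; fi
}

# Original ordering: IFS reset once before the loop, set to ',' inside it.
# $1 is the rule string (rules separated by whitespace).
walk_rules_buggy() {
  unset IFS
  for rule in $1; do
    # These $(...) are unquoted, so they are split on the *current* IFS.
    shosts=`stub_hosts_ih $(echo "$rule" | cut -s -d'>' -f1) "0/0"`
    dhosts=`stub_hosts_hp $(echo "$rule" | cut -s -d'>' -f2)`
    ports=`stub_ports_hp $(echo "$rule" | cut -s -d'>' -f2) "1:65535"`
    echo "Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
    IFS=','
    for h in $shosts; do :; done   # stands in for the inner per-host/per-port loops
    # IFS is still ',' when the next iteration starts.
  done
  unset IFS
}

# Proposed ordering: IFS reset at the top of every iteration.
walk_rules_fixed() {
  for rule in $1; do
    unset IFS
    shosts=`stub_hosts_ih $(echo "$rule" | cut -s -d'>' -f1) "0/0"`
    dhosts=`stub_hosts_hp $(echo "$rule" | cut -s -d'>' -f2)`
    ports=`stub_ports_hp $(echo "$rule" | cut -s -d'>' -f2) "1:65535"`
    echo "Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
    IFS=','
    for h in $shosts; do :; done
  done
  unset IFS
}

# Constructed input: the same two-rule value used in the thread.
RULES="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010"

echo "== unset IFS before the loop =="
walk_rules_buggy "$RULES"
echo "== unset IFS inside the loop =="
walk_rules_fixed "$RULES"
```

Note that the `for rule in $1` list is expanded once, before the first iteration, which is why the first rule always parses correctly and only later rules are affected. Quoting the substitutions (`"$(echo "$rule" | cut -s -d'>' -f1)"`) would remove the dependence on IFS altogether; resetting IFS per iteration is the smaller change to the existing code and is what the report proposes.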