[Firewall] Minor BUG in 2.0.1, and maybe also in newer versions

Lonnie Abelbeck lists at lonnie.abelbeck.com
Thu Feb 16 01:57:10 CET 2012


Konrad,

I gave AIF 2.0.0a a try and was able to reproduce your problem.

Your problem is fixed with AIF 2.0.1.

Looking at the 2.0.0a code snippet
--
 # TCP ports to ALLOW for certain DMZ hosts
  ##########################################
  unset IFS
  for rule in $DMZ_LAN_HOST_OPEN_TCP; do
    shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"`
    dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)`
    ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"`

    echo "  Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"

    IFS=','
    for shost in `ip_range "$shosts"`; do
      for dhost in `ip_range "$dhosts"`; do
        for port in $ports; do
          iptables -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p tcp --dport $port -j ACCEPT
        done
      done
    done
  done
--

The proper fix is to quote the $(...) entities used as arguments, in particular...
--
    shosts=`get_hosts_ih "$(echo "$rule" |cut -s -d'>' -f1)" "$ANYHOST"`
    dhosts=`get_hosts_hp "$(echo "$rule" |cut -s -d'>' -f2)"`
    ports=`get_ports_hp "$(echo "$rule" |cut -s -d'>' -f2)" "$ANYPORT"`
--

As you mentioned, adding "unset IFS" before shosts= also fixes it.

AIF 2.0.1 uses a new function parse_rule() that always quotes the arguments so IFS=',' doesn't cause unintended argument splitting.

Thanks for pointing this out.

Lonnie



On Feb 15, 2012, at 3:33 PM, kcem wrote:

> This is my system and shell:
> 
> Debian Squeeze
> ii  bash                     4.1-3
> GNU bash, version 4.1.5(1)-release-(x86_64-pc-linux-gnu)
> Firewall version: 2.0.0a
> 
> 
> -- 
> KC
> 
> 
> On 2012-02-14 23:48:25, Lonnie Abelbeck <lists at lonnie.abelbeck.com> wrote:
>> Hi Konrad,
>> 
>> I tried your example test, using AIF v2.0.1:
>> --
>> DMZ_LAN_HOST_OPEN_TCP="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010"
>> --
>> 
>> snippet from "arno-iptables-firewall restart"
>> --
>> Setting up DMZ->LAN policy
>>  Allowing 0/0(DMZ) to 123.132.123.123(LAN) for TCP port(s): 25,53,80
>>  Allowing 192.168.122.2,192.168.122.3,192.168.122.4(DMZ) to 123.132.123.123(LAN) for TCP port(s): 3306,26010
>> --
>> 
>> snippet from "iptables -nvL DMZ_LAN_FORWARD_CHAIN"
>> --
>> Chain DMZ_LAN_FORWARD_CHAIN (3 references)
>> pkts bytes target     prot opt in     out     source               destination         
>>    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            123.132.123.123      tcp dpt:25
>>    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            123.132.123.123      tcp dpt:53
>>    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            123.132.123.123      tcp dpt:80
>>    0     0 ACCEPT     tcp  --  *      *       192.168.122.2        123.132.123.123      tcp dpt:3306
>>    0     0 ACCEPT     tcp  --  *      *       192.168.122.2        123.132.123.123      tcp dpt:26010
>>    0     0 ACCEPT     tcp  --  *      *       192.168.122.3        123.132.123.123      tcp dpt:3306
>>    0     0 ACCEPT     tcp  --  *      *       192.168.122.3        123.132.123.123      tcp dpt:26010
>>    0     0 ACCEPT     tcp  --  *      *       192.168.122.4        123.132.123.123      tcp dpt:3306
>>    0     0 ACCEPT     tcp  --  *      *       192.168.122.4        123.132.123.123      tcp dpt:26010
>> --
>> 
>> It seems to work properly for me on my test box.
>> 
>> What is your default shell? What version? i.e.
>> 
>> $ ls -l /bin/sh
>> 
>> $ /bin/sh --version  # for example
>> 
>> Lonnie
>> 
>> 
>> On Feb 14, 2012, at 12:30 PM, kcem wrote:
>> 
>>> I found one bug in many places.
>>> I explain the problem with this example code:
>>> 
>>> -- cut
>>>  # TCP ports to ALLOW for certain DMZ hosts
>>>  ##########################################
>>>  unset IFS
>>>  for rule in $DMZ_LAN_HOST_OPEN_TCP; do
>>>    shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"`
>>>    dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)`
>>>    ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"`
>>> 
>>>    echo "  Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
>>> 
>>>    IFS=','
>>> (...)
>>>  done
>>> -- cut
>>> 
>>> "unset IFS" should be inside the for loop. For example, when someone does this:
>>> DMZ_LAN_HOST_OPEN_TCP="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010"
>>> the first entry on the list will work, and the second entry won't.
>>> 
>>> This is output:
>>> Setting up DMZ->LAN policy
>>>  Allowing 0/0(DMZ) to 123.132.123.123(LAN) for TCP port(s): 25,53,80
>>>  Allowing 192.168.122.2(DMZ) to 123.132.123.123(LAN) for TCP port(s): 3306
>>>  Allowing 0/0(DMZ) to 123.132.123.123(LAN) for UDP port(s): 25,53,80
>>>  Allowing 192.168.122.2(DMZ) to 123.132.123.123(LAN) for UDP port(s): 3306
>>> 
>>> 
>>> Should be:
>>> -- cut
>>>  # TCP ports to ALLOW for certain DMZ hosts
>>>  ##########################################
>>>  for rule in $DMZ_LAN_HOST_OPEN_TCP; do
>>>    unset IFS
>>>    shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"`
>>>    dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)`
>>>    ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"`
>>> 
>>>    echo "  Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
>>> 
>>>    IFS=','
>>> (...)
>>>  done
>>> -- cut
>>> 
>>> Inside the loops IFS is set, so the unset should also be done inside the loops.
>>> 
>>> 
>>> Greetings,
>>> Konrad Cempura

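Added example (written for this page; it is not AIF code and not from either poster): it reproduces the IFS=',' leak using Konrad's configuration string from the thread and runs the same loop three ways: the 2.0.0a shape, the quoted-argument fix Lonnie describes, and Konrad's "unset IFS inside the loop" variant. The three get_* helpers are simplified stand-ins and an assumption about their interface (they read only their first argument, plus a default), not AIF's real get_hosts_ih/get_hosts_hp/get_ports_hp, and emit_rules prints the iptables arguments instead of calling iptables.

```shell
#!/bin/sh
# Added example, not AIF code: reproduce the IFS=',' leak from the 2.0.0a
# DMZ->LAN loop and compare it with the quoted-argument fix.
#
# ASSUMPTION: the three helpers are simplified stand-ins for AIF's
# get_hosts_ih / get_hosts_hp / get_ports_hp. Like the originals they only
# look at "$1" (plus a default in "$2"), so any extra words created by
# unintended word splitting are silently dropped.
get_hosts_ih() {                       # "<hosts>" or default ($ANYHOST)
  if [ -n "$1" ]; then echo "$1"; else echo "$2"; fi
}
get_hosts_hp() {                       # "<host>~<ports>" -> "<host>"
  echo "$1" | cut -d'~' -f1
}
get_ports_hp() {                       # "<host>~<ports>" -> "<ports>", or default ($ANYPORT)
  _p=$(echo "$1" | cut -s -d'~' -f2)
  if [ -n "$_p" ]; then echo "$_p"; else echo "$2"; fi
}

ANYHOST="0/0"
ANYPORT="1:65535"

# Konrad's configuration from the thread: two rules, the second with a
# comma-separated host list and a comma-separated port list.
DMZ_LAN_HOST_OPEN_TCP="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010"

# Stand-in for the inner iptables loops: print the rule that would be added.
# Like 2.0.0a it sets IFS=',' to split the lists and never restores it.
emit_rules() {                         # $1=shosts $2=dhosts $3=ports
  IFS=','
  for shost in $1; do
    for dhost in $2; do
      for port in $3; do
        echo "ACCEPT -s $shost -d $dhost -p tcp --dport $port"
      done
    done
  done
}

# 2.0.0a shape: IFS is cleared once before the loop, so from the second
# rule on the unquoted $(...) arguments are split on ',' and the helpers
# only ever see the first host / first port.
parse_rules_unquoted() {
  unset IFS
  for rule in $1; do
    shosts=$(get_hosts_ih $(echo "$rule" | cut -s -d'>' -f1) "$ANYHOST")
    dhosts=$(get_hosts_hp $(echo "$rule" | cut -s -d'>' -f2))
    ports=$(get_ports_hp $(echo "$rule" | cut -s -d'>' -f2) "$ANYPORT")
    echo "# Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
    emit_rules "$shosts" "$dhosts" "$ports"
  done
  unset IFS
}

# Fix from the thread (what 2.0.1's parse_rule() does): quote every $(...)
# that is passed as an argument, so the value of IFS no longer matters here.
parse_rules_quoted() {
  unset IFS
  for rule in $1; do
    shosts=$(get_hosts_ih "$(echo "$rule" | cut -s -d'>' -f1)" "$ANYHOST")
    dhosts=$(get_hosts_hp "$(echo "$rule" | cut -s -d'>' -f2)")
    ports=$(get_ports_hp "$(echo "$rule" | cut -s -d'>' -f2)" "$ANYPORT")
    echo "# Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
    emit_rules "$shosts" "$dhosts" "$ports"
  done
  unset IFS
}

# Konrad's alternative: reset IFS at the top of each iteration instead.
# It works for this loop, but "for rule in $1" is still split with whatever
# IFS the caller left behind, and the expansions themselves stay unquoted.
parse_rules_reset_ifs() {
  for rule in $1; do
    unset IFS
    shosts=$(get_hosts_ih $(echo "$rule" | cut -s -d'>' -f1) "$ANYHOST")
    dhosts=$(get_hosts_hp $(echo "$rule" | cut -s -d'>' -f2))
    ports=$(get_ports_hp $(echo "$rule" | cut -s -d'>' -f2) "$ANYPORT")
    echo "# Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
    emit_rules "$shosts" "$dhosts" "$ports"
  done
  unset IFS
}

echo "== 2.0.0a (unquoted, IFS leaks): expect 4 ACCEPT lines =="
parse_rules_unquoted "$DMZ_LAN_HOST_OPEN_TCP"
echo "== quoted arguments (2.0.1 fix): expect 9 ACCEPT lines =="
parse_rules_quoted "$DMZ_LAN_HOST_OPEN_TCP"
echo "== unset IFS inside the loop: expect 9 ACCEPT lines =="
parse_rules_reset_ifs "$DMZ_LAN_HOST_OPEN_TCP"
```

Run it with `sh` (dash or bash). The unquoted variant prints Konrad's truncated "Allowing 192.168.122.2(DMZ) ... 3306" line and only four ACCEPT rules; both fixed variants print all nine rules shown in Lonnie's `iptables -nvL` listing. The reason quoting is the root-cause fix is visible in the code: an unquoted `$(...)` is subject to word splitting with the current IFS, and the helpers keep only `$1`, so the rest of the host or port list is discarded without any error.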


