[Firewall] Minor BUG in 2.0.1, and maybe also in newer versions

kcem kcem at op.pl
Thu Feb 16 12:25:04 CET 2012


Thanks for your reply.
It's time to upgrade the firewall and system.

-- 
KC

On 2012-02-16 01:57:10, Lonnie Abelbeck <lists at lonnie.abelbeck.com> wrote:
> Konrad,
> 
> I gave AIF 2.0.0a a try and was able to reproduce your problem.
> 
> Your problem is fixed with AIF 2.0.1.
> 
> Looking at the 2.0.0a code snippet
> --
>  # TCP ports to ALLOW for certain DMZ hosts
>   ##########################################
>   unset IFS
>   for rule in $DMZ_LAN_HOST_OPEN_TCP; do
>     shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"`
>     dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)`
>     ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"`
> 
>     echo "  Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
> 
>     IFS=','
>     for shost in `ip_range "$shosts"`; do
>       for dhost in `ip_range "$dhosts"`; do
>         for port in $ports; do
>           iptables -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p tcp --dport $port -j ACCEPT
>         done
>       done
>     done
>   done
> --
> 
> The proper fix is to quote the $(...) entities used as arguments, in particular...
> --
>     shosts=`get_hosts_ih "$(echo "$rule" |cut -s -d'>' -f1)" "$ANYHOST"`
>     dhosts=`get_hosts_hp "$(echo "$rule" |cut -s -d'>' -f2)"`
>     ports=`get_ports_hp "$(echo "$rule" |cut -s -d'>' -f2)" "$ANYPORT"`
> --
> 
> As you mentioned adding "unset IFS" before shosts= also fixes it.
> 
> AIF 2.0.1 uses a new function parse_rule() that always quotes the arguments so IFS=',' doesn't cause unintended argument splitting.
> 
> Thanks for pointing this out.
> 
> Lonnie
> 
> 
> 
> On Feb 15, 2012, at 3:33 PM, kcem wrote:
> 
> > This is my system and shell:
> > 
> > Debian Squeeze
> > ii  bash                     4.1-3
> > GNU bash, version 4.1.5(1)-release-(x86_64-pc-linux-gnu)
> > Firewall version: 2.0.0a
> > 
> > 
> > -- 
> > KC
> > 
> > 
> > On 2012-02-14 23:48:25, Lonnie Abelbeck <lists at lonnie.abelbeck.com> wrote:
> >> Hi Konrad,
> >> 
> >> I tried your example test, using AIF v2.0.1:
> >> --
> >> DMZ_LAN_HOST_OPEN_TCP="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010"
> >> --
> >> 
> >> snippet from "arno-iptables-firewall restart"
> >> --
> >> Setting up DMZ->LAN policy
> >>  Allowing 0/0(DMZ) to 123.132.123.123(LAN) for TCP port(s): 25,53,80
> >>  Allowing 192.168.122.2,192.168.122.3,192.168.122.4(DMZ) to 123.132.123.123(LAN) for TCP port(s): 3306,26010
> >> --
> >> 
> >> snippet from "iptables -nvL DMZ_LAN_FORWARD_CHAIN"
> >> --
> >> Chain DMZ_LAN_FORWARD_CHAIN (3 references)
> >> pkts bytes target     prot opt in     out     source               destination         
> >>    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            123.132.123.123      tcp dpt:25
> >>    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            123.132.123.123      tcp dpt:53
> >>    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            123.132.123.123      tcp dpt:80
> >>    0     0 ACCEPT     tcp  --  *      *       192.168.122.2        123.132.123.123      tcp dpt:3306
> >>    0     0 ACCEPT     tcp  --  *      *       192.168.122.2        123.132.123.123      tcp dpt:26010
> >>    0     0 ACCEPT     tcp  --  *      *       192.168.122.3        123.132.123.123      tcp dpt:3306
> >>    0     0 ACCEPT     tcp  --  *      *       192.168.122.3        123.132.123.123      tcp dpt:26010
> >>    0     0 ACCEPT     tcp  --  *      *       192.168.122.4        123.132.123.123      tcp dpt:3306
> >>    0     0 ACCEPT     tcp  --  *      *       192.168.122.4        123.132.123.123      tcp dpt:26010
> >> --
> >> 
> >> It seems to work properly for me on my test box.
> >> 
> >> What is your default shell? What version? i.e.
> >> 
> >> $ ls -l /bin/sh
> >> 
> >> $ /bin/sh --version  # for example
> >> 
> >> Lonnie
> >> 
> >> 
> >> On Feb 14, 2012, at 12:30 PM, kcem wrote:
> >> 
> >>> I found one bug in many places.
> >>> I will explain the problem using this example code:
> >>> 
> >>> -- cut
> >>>  # TCP ports to ALLOW for certain DMZ hosts
> >>>  ##########################################
> >>>  unset IFS
> >>>  for rule in $DMZ_LAN_HOST_OPEN_TCP; do
> >>>    shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"`
> >>>    dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)`
> >>>    ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"`
> >>> 
> >>>    echo "  Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
> >>> 
> >>>    IFS=','
> >>> (...)
> >>>  done
> >>> -- cut
> >>> 
> >>> "unset IFS" should be inside the for loop. For example, when someone does this:
> >>> DMZ_LAN_HOST_OPEN_TCP="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010"
> >>> the first entry on the list will work, and the second entry won't.
> >>> 
> >>> This is output:
> >>> Setting up DMZ->LAN policy
> >>>  Allowing 0/0(DMZ) to 123.132.123.123(LAN) for TCP port(s): 25,53,80
> >>>  Allowing 192.168.122.2(DMZ) to 123.132.123.123(LAN) for TCP port(s): 3306
> >>>  Allowing 0/0(DMZ) to 123.132.123.123(LAN) for UDP port(s): 25,53,80
> >>>  Allowing 192.168.122.2(DMZ) to 123.132.123.123(LAN) for UDP port(s): 3306
> >>> 
> >>> 
> >>> Should be:
> >>> -- cut
> >>>  # TCP ports to ALLOW for certain DMZ hosts
> >>>  ##########################################
> >>>  for rule in $DMZ_LAN_HOST_OPEN_TCP; do
> >>>    unset IFS
> >>>    shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"`
> >>>    dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)`
> >>>    ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"`
> >>> 
> >>>    echo "  Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports"
> >>> 
> >>>    IFS=','
> >>> (...)
> >>>  done
> >>> -- cut
> >>> 
> >>> Inside the loops IFS is set, so the unset should also be done inside the loops.
> >>> 
> >>> 
> >>> Greetings,
> >>> Konrad Cempura
> 
> 
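The IFS leak discussed in the thread, reproduced as an added example that is not part of the original mails or of AIF: `first_field` is a stand-in for get_hosts_ih that only returns its first argument, and `RULES` is a constructed rule string in the thread's format; the three functions run the same loop in the 2.0.0a shape, the quoted 2.0.1 shape, and Konrad's unset-inside-the-loop variant.

```shell
#!/bin/sh
# Added example, not AIF code. Stand-in for get_hosts_ih: the real helper
# also expands host specs, but for the IFS problem only its first argument
# matters, so that is all this returns.
first_field() {
    echo "$1"
}

# Constructed rule list in the same format as the thread: "src>dst~ports ..."
RULES="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010"

# 2.0.0a shape: IFS is unset once before the loop and the $(...) is unquoted.
# The for list is expanded only once, so IFS=',' from iteration one does not
# break the outer loop, but it word-splits the second rule's "a,b,c" source
# into three arguments and only 192.168.122.2 reaches the helper.
buggy_sources() {
    unset IFS
    for rule in $RULES; do
        shosts=`first_field $(echo "$rule" | cut -s -d'>' -f1)`
        printf '%s\n' "$shosts"
        IFS=','
    done
    unset IFS
}

# 2.0.1 shape: the $(...) is quoted, so IFS can no longer split it.
fixed_sources() {
    unset IFS
    for rule in $RULES; do
        shosts=`first_field "$(echo "$rule" | cut -s -d'>' -f1)"`
        printf '%s\n' "$shosts"
        IFS=','
    done
    unset IFS
}

# Konrad's workaround: reset IFS at the top of every iteration. Note it still
# relies on IFS being default when the for list itself is expanded.
workaround_sources() {
    for rule in $RULES; do
        unset IFS
        shosts=`first_field $(echo "$rule" | cut -s -d'>' -f1)`
        printf '%s\n' "$shosts"
        IFS=','
    done
    unset IFS
}

# Second rule's source host list as seen by each variant.
buggy_sources | tail -n 1        # 192.168.122.2
fixed_sources | tail -n 1        # 192.168.122.2,192.168.122.3,192.168.122.4
workaround_sources | tail -n 1   # 192.168.122.2,192.168.122.3,192.168.122.4
```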