[Firewall] Firewall Digest, Vol 73, Issue 5

Humberto Alcazar humberto.alcazar at pe.g4s.com
Thu Feb 16 12:57:08 CET 2012


Please, do not see my answer. 

Thank You 

----- Original message -----
From: firewall-request at rocky.eld.leidenuniv.nl 
To: firewall at rocky.eld.leidenuniv.nl 
Sent: Thursday, 16 February 2012 6:00:02 
Subject: Firewall Digest, Vol 73, Issue 5 

Send Firewall mailing list submissions to 
firewall at rocky.eld.leidenuniv.nl 

To subscribe or unsubscribe via the World Wide Web, visit 
http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall 
or, via email, send a message with subject or body 'help' to 
firewall-request at rocky.eld.leidenuniv.nl 

You can reach the person managing the list at 
firewall-owner at rocky.eld.leidenuniv.nl 

When replying, please edit your Subject line so it is more specific 
than "Re: Contents of Firewall digest..." 


Today's Topics: 

1. Re: Minor BUG in 2.0.1, and maybe also in newer versions (kcem) 
2. Re: Minor BUG in 2.0.1, and maybe also in newer versions 
(Lonnie Abelbeck) 
3. question squid (Humberto Alcazar) 


---------------------------------------------------------------------- 

Message: 1 
Date: Wed, 15 Feb 2012 22:33:14 +0100 
From: kcem <kcem at op.pl> 
To: Arno's IPTABLES firewall script <firewall at rocky.eld.leidenuniv.nl> 
Subject: Re: [Firewall] Minor BUG in 2.0.1, and maybe also in newer 
versions 
Message-ID: <3893950-70077f5bb0db1605e6e69b082efad979 at pmq1.m5r2.onet> 
Content-Type: text/plain; charset="utf-8" 

I wrote a second message with the subject: Possible BUG in 2.0.0a and maybe in newer versions 

There were two reasons. I sent the first message too quickly (without testing the new code), and it took a very long time for it to appear on the mailing list. 
Please read and reply to the message with the subject: Possible BUG in 2.0.0a and maybe in newer versions 


This is my system and shell: 

Debian Squeeze 
ii bash 4.1-3 
GNU bash, version 4.1.5(1)-release-(x86_64-pc-linux-gnu) 
Firewall version: 2.0.0a 


-- 
KC 


On 2012-02-14 23:48:25, user Lonnie Abelbeck <lists at lonnie.abelbeck.com> wrote: 
> Hi Konrad, 
> 
> I tried your example test, using AIF v2.0.1: 
> -- 
> DMZ_LAN_HOST_OPEN_TCP="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010" 
> -- 
> 
> snippet from "arno-iptables-firewall restart" 
> -- 
> Setting up DMZ->LAN policy 
> Allowing 0/0(DMZ) to 123.132.123.123(LAN) for TCP port(s): 25,53,80 
> Allowing 192.168.122.2,192.168.122.3,192.168.122.4(DMZ) to 123.132.123.123(LAN) for TCP port(s): 3306,26010 
> -- 
> 
> snippet from "iptables -nvL DMZ_LAN_FORWARD_CHAIN" 
> -- 
> Chain DMZ_LAN_FORWARD_CHAIN (3 references) 
> pkts bytes target prot opt in out source destination 
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 123.132.123.123 tcp dpt:25 
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 123.132.123.123 tcp dpt:53 
> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 123.132.123.123 tcp dpt:80 
> 0 0 ACCEPT tcp -- * * 192.168.122.2 123.132.123.123 tcp dpt:3306 
> 0 0 ACCEPT tcp -- * * 192.168.122.2 123.132.123.123 tcp dpt:26010 
> 0 0 ACCEPT tcp -- * * 192.168.122.3 123.132.123.123 tcp dpt:3306 
> 0 0 ACCEPT tcp -- * * 192.168.122.3 123.132.123.123 tcp dpt:26010 
> 0 0 ACCEPT tcp -- * * 192.168.122.4 123.132.123.123 tcp dpt:3306 
> 0 0 ACCEPT tcp -- * * 192.168.122.4 123.132.123.123 tcp dpt:26010 
> -- 
> 
> It seems to work properly for me on my test box. 
> 
> What is your default shell? What version? i.e. 
> 
> $ ls -l /bin/sh 
> 
> $ /bin/sh --version # for example 
> 
> Lonnie 
> 
> 
> On Feb 14, 2012, at 12:30 PM, kcem wrote: 
> 
> > I found one bug in many places. 
> > I explain the problem with this example code: 
> > 
> > -- cut 
> > # TCP ports to ALLOW for certain DMZ hosts 
> > ########################################## 
> > unset IFS 
> > for rule in $DMZ_LAN_HOST_OPEN_TCP; do 
> > shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"` 
> > dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)` 
> > ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"` 
> > 
> > echo " Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports" 
> > 
> > IFS=',' 
> > (...) 
> > done 
> > -- cut 
> > 
> > "unset IFS" should be inside for loop. In example when someone do this: 
> > DMZ_LAN_HOST_OPEN_TCP="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010" 
> > first entry on list will work, and second entry won't. 
> > 
> > This is output: 
> > Setting up DMZ->LAN policy 
> > Allowing 0/0(DMZ) to 123.132.123.123(LAN) for TCP port(s): 25,53,80 
> > Allowing 192.168.122.2(DMZ) to 123.132.123.123(LAN) for TCP port(s): 3306 
> > Allowing 0/0(DMZ) to 123.132.123.123(LAN) for UDP port(s): 25,53,80 
> > Allowing 192.168.122.2(DMZ) to 123.132.123.123(LAN) for UDP port(s): 3306 
> > 
> > 
> > Should be: 
> > -- cut 
> > # TCP ports to ALLOW for certain DMZ hosts 
> > ########################################## 
> > for rule in $DMZ_LAN_HOST_OPEN_TCP; do 
> > unset IFS 
> > shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"` 
> > dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)` 
> > ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"` 
> > 
> > echo " Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports" 
> > 
> > IFS=',' 
> > (...) 
> > done 
> > -- cut 
> > 
> > IFS is set inside the loops, so the unset should also be done inside the loops. 
> > 
> > 
> > Greetings, 
> > Konrad Cempura 
> 
> 
> 
> _______________________________________________ 
> Firewall mailing list 
> Firewall at rocky.eld.leidenuniv.nl 
> http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall 
> Arno's (Linux IPTABLES Firewall) Homepage: 
> http://rocky.eld.leidenuniv.nl 
> 

------------------------------ 

Message: 2 
Date: Wed, 15 Feb 2012 18:57:10 -0600 
From: Lonnie Abelbeck <lists at lonnie.abelbeck.com> 
To: Arno's IPTABLES firewall script <firewall at rocky.eld.leidenuniv.nl> 
Subject: Re: [Firewall] Minor BUG in 2.0.1, and maybe also in newer 
versions 
Message-ID: <C21E7DD1-90B7-412E-B479-C1D97AF1F1F8 at lonnie.abelbeck.com> 
Content-Type: text/plain; charset=utf-8 

Konrad, 

I gave AIF 2.0.0a a try and was able to reproduce your problem. 

Your problem is fixed with AIF 2.0.1. 

Looking at the 2.0.0a code snippet 
-- 
# TCP ports to ALLOW for certain DMZ hosts 
########################################## 
unset IFS 
for rule in $DMZ_LAN_HOST_OPEN_TCP; do 
  shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"` 
  dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)` 
  ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"` 

  echo " Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports" 

  IFS=',' 
  for shost in `ip_range "$shosts"`; do 
    for dhost in `ip_range "$dhosts"`; do 
      for port in $ports; do 
        iptables -A DMZ_LAN_FORWARD_CHAIN -s $shost -d $dhost -p tcp --dport $port -j ACCEPT 
      done 
    done 
  done 
done 
-- 

The proper fix is to quote the $(...) entities used as arguments, in particular... 
-- 
shosts=`get_hosts_ih "$(echo "$rule" |cut -s -d'>' -f1)" "$ANYHOST"` 
dhosts=`get_hosts_hp "$(echo "$rule" |cut -s -d'>' -f2)"` 
ports=`get_ports_hp "$(echo "$rule" |cut -s -d'>' -f2)" "$ANYPORT"` 
-- 

As you mentioned adding "unset IFS" before shosts= also fixes it. 

AIF 2.0.1 uses a new function parse_rule() that always quotes the arguments so IFS=',' doesn't cause unintended argument splitting. 

Thanks for pointing this out. 

Lonnie 



On Feb 15, 2012, at 3:33 PM, kcem wrote: 

> This is my system and shell: 
> 
> Debian Squeeze 
> ii bash 4.1-3 
> GNU bash, version 4.1.5(1)-release-(x86_64-pc-linux-gnu) 
> Firewall version: 2.0.0a 
> 
> 
> -- 
> KC 
> 
> 
> On 2012-02-14 23:48:25, user Lonnie Abelbeck <lists at lonnie.abelbeck.com> wrote: 
>> Hi Konrad, 
>> 
>> I tried your example test, using AIF v2.0.1: 
>> -- 
>> DMZ_LAN_HOST_OPEN_TCP="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010" 
>> -- 
>> 
>> snippet from "arno-iptables-firewall restart" 
>> -- 
>> Setting up DMZ->LAN policy 
>> Allowing 0/0(DMZ) to 123.132.123.123(LAN) for TCP port(s): 25,53,80 
>> Allowing 192.168.122.2,192.168.122.3,192.168.122.4(DMZ) to 123.132.123.123(LAN) for TCP port(s): 3306,26010 
>> -- 
>> 
>> snippet from "iptables -nvL DMZ_LAN_FORWARD_CHAIN" 
>> -- 
>> Chain DMZ_LAN_FORWARD_CHAIN (3 references) 
>> pkts bytes target prot opt in out source destination 
>> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 123.132.123.123 tcp dpt:25 
>> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 123.132.123.123 tcp dpt:53 
>> 0 0 ACCEPT tcp -- * * 0.0.0.0/0 123.132.123.123 tcp dpt:80 
>> 0 0 ACCEPT tcp -- * * 192.168.122.2 123.132.123.123 tcp dpt:3306 
>> 0 0 ACCEPT tcp -- * * 192.168.122.2 123.132.123.123 tcp dpt:26010 
>> 0 0 ACCEPT tcp -- * * 192.168.122.3 123.132.123.123 tcp dpt:3306 
>> 0 0 ACCEPT tcp -- * * 192.168.122.3 123.132.123.123 tcp dpt:26010 
>> 0 0 ACCEPT tcp -- * * 192.168.122.4 123.132.123.123 tcp dpt:3306 
>> 0 0 ACCEPT tcp -- * * 192.168.122.4 123.132.123.123 tcp dpt:26010 
>> -- 
>> 
>> It seems to work properly for me on my test box. 
>> 
>> What is your default shell? What version? i.e. 
>> 
>> $ ls -l /bin/sh 
>> 
>> $ /bin/sh --version # for example 
>> 
>> Lonnie 
>> 
>> 
>> On Feb 14, 2012, at 12:30 PM, kcem wrote: 
>> 
>>> I found one bug in many places. 
>>> I explain the problem with this example code: 
>>> 
>>> -- cut 
>>> # TCP ports to ALLOW for certain DMZ hosts 
>>> ########################################## 
>>> unset IFS 
>>> for rule in $DMZ_LAN_HOST_OPEN_TCP; do 
>>> shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"` 
>>> dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)` 
>>> ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"` 
>>> 
>>> echo " Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports" 
>>> 
>>> IFS=',' 
>>> (...) 
>>> done 
>>> -- cut 
>>> 
>>> "unset IFS" should be inside for loop. In example when someone do this: 
>>> DMZ_LAN_HOST_OPEN_TCP="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010" 
>>> first entry on list will work, and second entry won't. 
>>> 
>>> This is output: 
>>> Setting up DMZ->LAN policy 
>>> Allowing 0/0(DMZ) to 123.132.123.123(LAN) for TCP port(s): 25,53,80 
>>> Allowing 192.168.122.2(DMZ) to 123.132.123.123(LAN) for TCP port(s): 3306 
>>> Allowing 0/0(DMZ) to 123.132.123.123(LAN) for UDP port(s): 25,53,80 
>>> Allowing 192.168.122.2(DMZ) to 123.132.123.123(LAN) for UDP port(s): 3306 
>>> 
>>> 
>>> Should be: 
>>> -- cut 
>>> # TCP ports to ALLOW for certain DMZ hosts 
>>> ########################################## 
>>> for rule in $DMZ_LAN_HOST_OPEN_TCP; do 
>>> unset IFS 
>>> shosts=`get_hosts_ih $(echo "$rule" |cut -s -d'>' -f1) "$ANYHOST"` 
>>> dhosts=`get_hosts_hp $(echo "$rule" |cut -s -d'>' -f2)` 
>>> ports=`get_ports_hp $(echo "$rule" |cut -s -d'>' -f2) "$ANYPORT"` 
>>> 
>>> echo " Allowing $shosts(DMZ) to $dhosts(LAN) for TCP port(s): $ports" 
>>> 
>>> IFS=',' 
>>> (...) 
>>> done 
>>> -- cut 
>>> 
>>> IFS is set inside the loops, so the unset should also be done inside the loops. 
>>> 
>>> 
>>> Greetings, 
>>> Konrad Cempura 
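The IFS problem Konrad diagnosed and the two fixes Lonnie describes (a per-iteration "unset IFS", or quoting the $(...) arguments) can be reproduced without iptables. The script below is an added example written for this digest; it is not AIF code and not code posted by either author. The helpers get_hosts_ih, get_hosts_hp and get_ports_hp are hypothetical one-line stand-ins that, like the real ones, only use their first argument; ip_range is left out (the comma lists are split directly), iptables is replaced by printf, and $(...) is used in place of the page's backticks. It builds all three loop shapes and counts the rules each generates for the rule string from the thread.

```shell
#!/bin/sh
# Added example (not AIF code): reproduces the 2.0.0a IFS bug and both fixes
# discussed in the thread. Helper names below are hypothetical stand-ins.

# Stand-ins for AIF's get_hosts_ih / get_hosts_hp / get_ports_hp. Like the real
# ones they only look at their first argument, so once IFS=',' has split an
# unquoted "a,b,c" into three arguments, only "a" survives.
get_hosts_ih() { printf '%s\n' "${1:-$2}"; }   # host list, or $2 as default
get_hosts_hp() { printf '%s\n' "${1%%~*}"; }   # "host~ports" -> host
get_ports_hp() { printf '%s\n' "${1#*~}"; }    # "host~ports" -> ports

# The nested loops from the page, with iptables replaced by printf. As in
# 2.0.0a, IFS=',' is set here and deliberately NOT restored afterwards.
emit_rules() {
  IFS=','
  for shost in $1; do
    for dhost in $2; do
      for port in $3; do
        printf 'ACCEPT tcp %s -> %s dpt:%s\n' "$shost" "$dhost" "$port"
      done
    done
  done
}

# Variant 1: the 2.0.0a shape. IFS is cleared once before the loop and the
# $(...) arguments are unquoted, so from the second iteration on they are
# field-split on ',' before the helpers see them.
expand_rules_buggy() (
  unset IFS
  for rule in $1; do
    shosts=$(get_hosts_ih $(echo "$rule" | cut -s -d'>' -f1) "0/0")
    dhosts=$(get_hosts_hp $(echo "$rule" | cut -s -d'>' -f2))
    ports=$(get_ports_hp $(echo "$rule" | cut -s -d'>' -f2) "0-65535")
    emit_rules "$shosts" "$dhosts" "$ports"
  done
)

# Variant 2: Konrad's fix, "unset IFS" at the top of every iteration.
expand_rules_reset_ifs() (
  for rule in $1; do
    unset IFS
    shosts=$(get_hosts_ih $(echo "$rule" | cut -s -d'>' -f1) "0/0")
    dhosts=$(get_hosts_hp $(echo "$rule" | cut -s -d'>' -f2))
    ports=$(get_ports_hp $(echo "$rule" | cut -s -d'>' -f2) "0-65535")
    emit_rules "$shosts" "$dhosts" "$ports"
  done
)

# Variant 3: Lonnie's fix, quote the $(...) arguments so no field splitting
# happens whatever IFS currently is.
expand_rules_fixed() (
  unset IFS
  for rule in $1; do
    shosts=$(get_hosts_ih "$(echo "$rule" | cut -s -d'>' -f1)" "0/0")
    dhosts=$(get_hosts_hp "$(echo "$rule" | cut -s -d'>' -f2)")
    ports=$(get_ports_hp "$(echo "$rule" | cut -s -d'>' -f2)" "0-65535")
    emit_rules "$shosts" "$dhosts" "$ports"
  done
)

# The rule string from the thread (constructed test input, same syntax).
RULES="0/0>123.132.123.123~25,53,80 192.168.122.2,192.168.122.3,192.168.122.4>123.132.123.123~3306,26010"

# Number of ACCEPT rules a variant generates for $RULES; 9 is correct
# (3 ports for entry one, 3 hosts x 2 ports for entry two).
rule_count() { "$1" "$RULES" | grep -c '^ACCEPT'; }

for variant in expand_rules_buggy expand_rules_reset_ifs expand_rules_fixed; do
  printf '%-24s %s rules\n' "$variant" "$(rule_count "$variant")"
done
```

Run it with sh or bash: the 2.0.0a shape yields 4 rules (the second entry collapses to 192.168.122.2 and port 3306, matching the "Allowing" lines Konrad posted), while both fixes yield the 9 rules in Lonnie's iptables listing. Quoting is the more robust of the two because it does not depend on what IFS happens to be when the loop body runs, which is why a firewall script that builds its ruleset from user-supplied lists should never let a field separator leak between iterations.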

------------------------------ 

Message: 3 
Date: Wed, 15 Feb 2012 22:43:48 -0500 (PET) 
From: Humberto Alcazar <humberto.alcazar at pe.g4s.com> 
To: firewall at rocky.eld.leidenuniv.nl 
Subject: [Firewall] question squid 
Message-ID: <16919052.7062.1329363828258.JavaMail.root at g4smail> 
Content-Type: text/plain; charset="utf-8" 



----- Original message -----
Hi Arno: 

How can I enable non-transparent Squid in AIF? I could only see the transparent plugin. 
Thank you. 

-- 

___________________________________________ 
Humberto Alcazar Zumaran 
IT Infrastructure Administrator 
Central Support Management - IT 
G4S PERU S.A.C. 
Av. El Sol 916 La Campiña, Chorrillos 
Phone: +51 213 1200 Ext.: 1259 
Mobile: +51 996 287532 RPM: #937068 
Rpc: 989125368 
www.g4s.com.pe 

Please consider the environment before printing this e-mail. 

------------------------------ 

_______________________________________________ 
Firewall mailing list 
Firewall at rocky.eld.leidenuniv.nl 
http://rocky.eld.leidenuniv.nl/mailman/listinfo/firewall 


End of Firewall Digest, Vol 73, Issue 5 
*************************************** 


-- 

___________________________________________ 
Humberto Alcazar Zumaran 
IT Infrastructure Administrator 
Central Support Management - IT 
G4S PERU S.A.C. 
Av. El Sol 916 La Campiña, Chorrillos 
Phone: +51 213 1200 Ext.: 1259 
Mobile: +51 996 287532 RPM: #937068 
Rpc: 989125368 
www.g4s.com.pe 

Please consider the environment before printing this e-mail. 

