I believe that there is a bug in the firewall.sh that firestarter 0.9.0 generates. http://scan.sygate.com/stealthscan.html will show open/closed ports when run rather than blocked ports as they should be.

I think the problem is in this line from firewall.sh:

$IPT -I STATE -m state --state NEW -i ! lo -j ACCEPT

firestarter 0.9.1 generates:

$IPT -I STATE -m state --state NEW -i ! lo -j $STOP

instead, which results in the proper blocked ports behavior.

Reproducible: Always

Steps to Reproduce:
1. Generate firewall.sh from firestarter
2. Go to the above URL.

Actual Results: URL shows open/closed ports

Expected Results: URL should show only blocked ports

Portage 2.0.47-r2 (default-1.0, gcc-2.95.3, glibc-2.2.5-r2,2.2.5-r7)
=================================================================
System uname: 2.4.19-gentoo-r7 i586 Pentium MMX
GENTOO_MIRRORS="http://csociety-ftp.ecn.purdue.edu/pub/gentoo http://gentoo.oregonstate.edu/ http://www.ibiblio.org/pub/Linux/distributions/gentoo"
CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config /usr/kde/2/share/config /usr/kde/3/share/config /usr/X11R6/lib/X11/xkb"
CONFIG_PROTECT_MASK="/etc/bash_completion /etc/sound/events /etc/X11/rstart /etc/X11/xdm /etc/pango /etc/gconf /etc/env.d"
PORTDIR="/usr/portage"
DISTDIR="/usr/portage/distfiles"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR_OVERLAY="/usr/local/portage"
USE="x86 oss 3dnow apm avi crypt cups encode jpeg libg++ mikmod mmx mpeg ncurses pdflib qtmt sdl spell truetype xml2 xmms xv berkdb esd gdbm gif gnome gnome-libs gtk guile java libwww oggvorbis opengl pam perl png python readline slang snmp ssl tcpd tetex tiff X -quicktime -svga -motif -nls -imlib -kde -qt -arts gpm mozilla"
COMPILER=""
CHOST="i586-pc-linux-gnu"
CFLAGS="-march=i586 -O3 -pipe"
CXXFLAGS="-march=i586 -O3 -pipe"
ACCEPT_KEYWORDS="x86"
MAKEOPTS="-j2"
AUTOCLEAN="yes"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
FEATURES="sandbox ccache userpriv"
foser: what do you think about this?
I can't really test this; it is certain that only 0.9.0 has this problem (older (gtk1) versions work correctly?).
The more I look at this the more I'm convinced it's broken. Consider this output:

# pwd
/var/tmp/portage
# grep "\<lo\>" firestarter-*/*/*/*/netfilter*c | grep "state NEW"
firestarter-0.8.2/work/firestarter-0.8.2/src/netfilter-script.c: fprintf (script, "$IPT -N STATE 2> /dev/null\n$IPT -F STATE\n$IPT -I STATE -m state --state ESTABLISHED,RELATED -j ACCEPT\n$IPT -A STATE -m state --state NEW -i ! lo -j ACCEPT\n$IPT -A STATE -j $STOP\n\n");
firestarter-0.8.3/work/firestarter-0.8.3/src/netfilter-script.c: fprintf (script, "$IPT -N STATE 2> /dev/null\n$IPT -F STATE\n$IPT -I STATE -m state --state NEW -i ! lo -j ACCEPT\n$IPT -A STATE -m state --state ESTABLISHED -j ACCEPT\n$IPT -A STATE -m state --state RELATED -j ACCEPT\n$IPT -A STATE -j $STOP\n\n");
firestarter-0.9.0/work/firestarter-0.9.0/src/netfilter-script.c: fprintf (script, "$IPT -N STATE 2> /dev/null\n$IPT -F STATE\n$IPT -I STATE -m state --state NEW -i ! lo -j ACCEPT\n$IPT -A STATE -m state --state ESTABLISHED,RELATED -j ACCEPT\n$IPT -A STATE -j $STOP\n\n");
firestarter-0.9.1/work/firestarter-0.9.1/src/netfilter-script.c: fprintf (script, "$IPT -N STATE 2> /dev/null\n$IPT -F STATE\n$IPT -I STATE -m state --state NEW -i ! lo -j $STOP\n$IPT -A STATE -m state --state ESTABLISHED,RELATED -j ACCEPT\n$IPT -A STATE -j $STOP\n\n");

Note that it's --state NEW -i ! lo -j ACCEPT until 0.9.1, where it changes to --state NEW -i ! lo -j $STOP, which I believe is correct. There may be other things in the generated firewall.sh that mask the problem in earlier versions (i.e. the 0.8 versions), but in the 0.9 versions I think only 0.9.1 provides a good firewall. I'm running the ~x86 instance of version 0.9.1 here and it's working well. I recommend this be marked stable.
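The two 0.9 STATE chains from the grep output above, replayed through a small first-match chain evaluator so the effect of the changed target can be checked offline. This is an added example, not firestarter's code or anything posted in this bug; it assumes $STOP expands to DROP and uses eth0 as a stand-in for any non-loopback interface.

```python
import re
# Constructed from the grep output in this bug: the STATE chain that
# firestarter 0.9.0 and 0.9.1 write to firewall.sh ($STOP assumed DROP).
RULES_090 = [
    "$IPT -I STATE -m state --state NEW -i ! lo -j ACCEPT",
    "$IPT -A STATE -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "$IPT -A STATE -j $STOP",
]
RULES_091 = [
    "$IPT -I STATE -m state --state NEW -i ! lo -j $STOP",
    "$IPT -A STATE -m state --state ESTABLISHED,RELATED -j ACCEPT",
    "$IPT -A STATE -j $STOP",
]

def build_chain(script_lines, stop="DROP"):
    """Replay '$IPT -I/-A STATE ... -j target' lines into an ordered chain.
    -I inserts at the head, -A appends: the NEW rule is consulted first."""
    chain = []
    for line in script_lines:
        m = re.match(r"\$IPT -(I|A) STATE(.*?) -j (\S+)$", line)
        if not m:
            continue  # e.g. the -N / -F lines that create or flush the chain
        mode, match, target = m.groups()
        rule = {"target": stop if target == "$STOP" else target}
        s = re.search(r"--state (\S+)", match)
        rule["states"] = set(s.group(1).split(",")) if s else None
        i = re.search(r"-i (! )?(\S+)", match)
        rule["iface"] = (i.group(2), i.group(1) is not None) if i else None
        if mode == "I":
            chain.insert(0, rule)
        else:
            chain.append(rule)
    return chain

def verdict(chain, state, iface):
    """First matching rule wins, as in netfilter (conntrack state + input iface)."""
    for rule in chain:
        if rule["states"] is not None and state not in rule["states"]:
            continue
        if rule["iface"] is not None:
            name, negated = rule["iface"]
            if (iface == name) == negated:  # interface test failed
                continue
        return rule["target"]
    return "RETURN"  # end of user chain: back to the calling chain

def accepts_new_inbound(script_lines):
    """Audit check for a generated firewall.sh: NEW from non-loopback gets through?"""
    return verdict(build_chain(script_lines), "NEW", "eth0") == "ACCEPT"
```

Running accepts_new_inbound over the lines of an installed firewall.sh is a quick way to confirm which behaviour a given script exhibits without a remote port scan.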
Please mark 0.9.1 stable
It's stable now for x86. I'm trying to get the other arches to do so as well, so I can remove the 0.9.0 ebuild.
aliz, should there be a GLSA about this one?
Tested and marked stable on alpha.
This bug can be marked closed as far as I'm concerned. Thanks for your work on this foser.
Removed the 0.9.0 ebuild and marked 0.9.1 stable for x86 and sparc. Only sparc has followed so far, but there's not much else I can do than give them (the other arches) a poke. Closing. Reporter, thanks for your help.