Bug 16030 - firestarter 0.9.0 generates a bad firewall that allows "stealth" connections
Summary: firestarter 0.9.0 generates a bad firewall that allows "stealth" connections
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: High major
Assignee: foser (RETIRED)
URL: http://scan.sygate.com/stealthscan.html
Reported: 2003-02-19 15:29 UTC by Mr. Bones. (RETIRED)
Modified: 2003-03-16 13:50 UTC
Description Mr. Bones. (RETIRED) gentoo-dev 2003-02-19 15:29:10 UTC
I believe that there is a bug in the firewall.sh that firestarter 0.9.0
generates.

http://scan.sygate.com/stealthscan.html will show open/closed ports when run
rather than blocked ports as they should be.

I think the problem is in this line from firewall.sh:
$IPT -I STATE -m state --state NEW -i ! lo -j ACCEPT

firestarter 0.9.1 generates:
$IPT -I STATE -m state --state NEW -i ! lo -j $STOP

instead, which results in the proper blocked ports behavior.

Reproducible: Always
Steps to Reproduce:
1. Generate firewall.sh from firestarter
2. Go to the above URL.

Actual Results:
URL shows open/closed ports

Expected Results:
URL should show only blocked ports

Portage 2.0.47-r2 (default-1.0, gcc-2.95.3, glibc-2.2.5-r2,2.2.5-r7)
=================================================================
System uname: 2.4.19-gentoo-r7 i586 Pentium MMX
GENTOO_MIRRORS="http://csociety-ftp.ecn.purdue.edu/pub/gentoo
http://gentoo.oregonstate.edu/
http://www.ibiblio.org/pub/Linux/distributions/gentoo"
CONFIG_PROTECT="/etc /var/qmail/control /usr/share/config
/usr/kde/2/share/config /usr/kde/3/share/config /usr/X11R6/lib/X11/xkb"
CONFIG_PROTECT_MASK="/etc/bash_completion /etc/sound/events /etc/X11/rstart
/etc/X11/xdm /etc/pango /etc/gconf /etc/env.d"
PORTDIR="/usr/portage"
DISTDIR="/usr/portage/distfiles"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR_OVERLAY="/usr/local/portage"
USE="x86 oss 3dnow apm avi crypt cups encode jpeg libg++ mikmod mmx mpeg ncurses
pdflib qtmt sdl spell truetype xml2 xmms xv berkdb esd gdbm gif gnome gnome-libs
gtk guile java libwww oggvorbis opengl pam perl png python readline slang snmp
ssl tcpd tetex tiff X -quicktime -svga -motif -nls -imlib -kde -qt -arts gpm
mozilla"
COMPILER=""
CHOST="i586-pc-linux-gnu"
CFLAGS="-march=i586 -O3 -pipe"
CXXFLAGS="-march=i586 -O3 -pipe"
ACCEPT_KEYWORDS="x86"
MAKEOPTS="-j2"
AUTOCLEAN="yes"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
FEATURES="sandbox ccache userpriv"
Comment 1 Martin Holzer (RETIRED) gentoo-dev 2003-02-19 16:26:09 UTC
foser: what do you think about this?
Comment 2 foser (RETIRED) gentoo-dev 2003-02-19 16:52:43 UTC
I can't really test this, it is certain that only 0.9.0 has this problem (older (gtk1) versions work correctly?).
Comment 3 Mr. Bones. (RETIRED) gentoo-dev 2003-02-19 17:58:40 UTC
The more I look at this the more I'm convinced it's broken.

Consider this output:

# pwd
/var/tmp/portage
# grep "\<lo\>" firestarter-*/*/*/*/netfilter*c | grep "state NEW"
firestarter-0.8.2/work/firestarter-0.8.2/src/netfilter-script.c:	fprintf (script, "$IPT -N STATE 2> /dev/null\n$IPT -F STATE\n$IPT -I STATE -m state --state ESTABLISHED,RELATED -j ACCEPT\n$IPT -A STATE -m state --state NEW -i ! lo -j ACCEPT\n$IPT -A STATE -j $STOP\n\n");
firestarter-0.8.3/work/firestarter-0.8.3/src/netfilter-script.c:	fprintf (script, "$IPT -N STATE 2> /dev/null\n$IPT -F STATE\n$IPT -I STATE -m state --state NEW -i ! lo -j ACCEPT\n$IPT -A STATE -m state --state ESTABLISHED -j ACCEPT\n$IPT -A STATE -m state --state RELATED -j ACCEPT\n$IPT -A STATE -j $STOP\n\n");
firestarter-0.9.0/work/firestarter-0.9.0/src/netfilter-script.c:	fprintf (script, "$IPT -N STATE 2> /dev/null\n$IPT -F STATE\n$IPT -I STATE -m state --state NEW -i ! lo -j ACCEPT\n$IPT -A STATE -m state --state ESTABLISHED,RELATED -j ACCEPT\n$IPT -A STATE -j $STOP\n\n");
firestarter-0.9.1/work/firestarter-0.9.1/src/netfilter-script.c:	fprintf (script, "$IPT -N STATE 2> /dev/null\n$IPT -F STATE\n$IPT -I STATE -m state --state NEW -i ! lo -j $STOP\n$IPT -A STATE -m state --state ESTABLISHED,RELATED -j ACCEPT\n$IPT -A STATE -j $STOP\n\n");

Note that it's --state NEW -i ! lo -j ACCEPT until 0.9.1 where it changes to
--state NEW -i ! lo -j $STOP which I believe is correct.  There may be other
things in the generated firewall.sh that mask the problem in earlier versions
(i.e. the 0.8 versions) but in the 0.9 versions I think only 0.9.1 provides a
good firewall.

I'm running the ~x86 instance of version 0.9.1 here and it's working well. I
recommend this be marked stable.
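
Added example (not part of the bug report or of firestarter): a shell function that rebuilds the STATE chain from the rule lines quoted in Comment 3, honouring `-I` (insert at head) versus `-A` (append), and reports which target a NEW packet hits first on a given interface. The helper name `state_chain_verdict` and the `RULES_*` variables are assumptions of this sketch, and only the STATE chain is modelled, not the rest of firewall.sh.

```shell
# STATE-chain rules as quoted in Comment 3 (0.9.0 and 0.9.1), embedded as sample input.
RULES_090='$IPT -N STATE 2> /dev/null
$IPT -F STATE
$IPT -I STATE -m state --state NEW -i ! lo -j ACCEPT
$IPT -A STATE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A STATE -j $STOP'
RULES_091='$IPT -N STATE 2> /dev/null
$IPT -F STATE
$IPT -I STATE -m state --state NEW -i ! lo -j $STOP
$IPT -A STATE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A STATE -j $STOP'

# state_chain_verdict IFACE (hypothetical helper): read a firewall script on stdin,
# rebuild the STATE chain in evaluation order and print the target that the first
# matching rule gives to a NEW packet arriving on IFACE.
state_chain_verdict() {
  awk -v iface="$1" '
    $1 != "$IPT" || $3 != "STATE" { next }
    $2 == "-F" { n = 0; next }                 # flush empties the chain
    $2 != "-I" && $2 != "-A" { next }
    {
      states = ""; neg = 0; ifm = ""; tgt = ""
      for (i = 4; i <= NF; i++) {
        if ($i == "--state") states = $(i + 1)
        else if ($i == "-j") tgt = $(i + 1)
        else if ($i == "-i") {                 # accepts "-i ! lo" and "! -i lo"
          neg = ($(i - 1) == "!" || $(i + 1) == "!")
          ifm = ($(i + 1) == "!") ? $(i + 2) : $(i + 1)
        }
      }
      rule = states "|" neg "|" ifm "|" tgt
      if ($2 == "-I") {                        # -I without an index inserts at the head
        for (k = n; k >= 1; k--) r[k + 1] = r[k]
        r[1] = rule; n++
      } else r[++n] = rule                     # -A appends at the tail
    }
    END {
      for (k = 1; k <= n; k++) {
        split(r[k], f, "|")
        if (f[1] != "" && ("," f[1] ",") !~ /,NEW,/) continue        # state list lacks NEW
        if (f[3] != "" && ((f[3] == iface) == (f[2] + 0))) continue  # interface test fails
        print f[4]; exit
      }
      print "(no rule matched)"
    }'
}
printf '0.9.0 NEW on eth0: %s\n' "$(printf '%s\n' "$RULES_090" | state_chain_verdict eth0)"
printf '0.9.1 NEW on eth0: %s\n' "$(printf '%s\n' "$RULES_091" | state_chain_verdict eth0)"
```

Because the NEW rule is added with `-I`, it sits ahead of every other rule in the chain, so its target alone decides what happens to new connections on non-loopback interfaces.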
Comment 4 Mr. Bones. (RETIRED) gentoo-dev 2003-02-28 15:28:42 UTC
Please mark 0.9.1 stable
Comment 5 foser (RETIRED) gentoo-dev 2003-03-03 14:46:54 UTC
It's stable now for x86. I'm trying to get the other arches to do so as well, so I can remove the 0.9.0 ebuild.


Comment 6 foser (RETIRED) gentoo-dev 2003-03-04 07:07:10 UTC
aliz, should there be a GLSA about this one?
Comment 7 Aron Griffis (RETIRED) gentoo-dev 2003-03-04 15:56:14 UTC
Tested and marked stable on alpha.
Comment 8 Mr. Bones. (RETIRED) gentoo-dev 2003-03-13 18:01:19 UTC
This bug can be marked closed as far as I'm concerned.

Thanks for your work on this foser.
Comment 9 foser (RETIRED) gentoo-dev 2003-03-16 13:50:19 UTC
Removed the 0.9.0 ebuild and 0.9.1 marked stable x86, sparc.

Only sparc has followed so far, but there's not much else I can do than give them (the other arches) a poke.

closing

reporter, thanks for your help