
Bug 171719

Summary: net-firewall/firehol - "group with dst" creates backwards rules
Product: Gentoo Linux
Reporter: Marshal Newrock <marshal>
Component: Current packages
Assignee: Dominik Stadler (RETIRED) <centic>
Status: RESOLVED FIXED
Severity: normal
CC: mike
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 176862
Bug Blocks:
Attachments: check "group with" direction to create correct firewall rules

Description Marshal Newrock 2007-03-21 20:11:56 UTC
With "group with dst" in the config file, it generates rules such as:
-A in_public -d $ip -j in_group1
-A out_public -s $ip -j out_group2

This makes it check only the source IP for outgoing and the destination for
incoming, but using the IP of the requested destination. The result is
that no packets may go through for this case.

Reproducible: Always

Steps to Reproduce:

Upstream bug submitted at http://sourceforge.net/tracker/index.php?func=detail&aid=1685505&group_id=58425&atid=487692
Comment 1 Marshal Newrock 2007-03-21 20:12:39 UTC
Created attachment 114011 [details, diff]
check "group with" direction to create correct firewall rules
Comment 2 Dominik Stadler (RETIRED) gentoo-dev 2007-04-26 21:16:04 UTC
This is fixed in 1.250-r1 which will be available on the mirrors soon.
Comment 3 Mike Nerone 2007-05-01 01:08:12 UTC
Please note at the upstream bug submission URL in comment #1 that the author does not believe this to be a bug.
Comment 4 Mike Nerone 2007-05-02 23:35:25 UTC
This patch broke "group with". Example (output captured from "firehol debug", with IPs changed to protect the innocent, or even me):

firehol-1.250, CORRECT:

# === CONFIGURATION STATEMENT =================================================
# CONF:INIT>>>  group with dst 1.2.3.4


# INFO>>> Starting new group No 1, under 'main'

# INFO>>> Creating chain 'in_group1' under 'in_main' in table 'filter'
/sbin/iptables -t filter -N in_group1
/sbin/iptables -t filter -A in_main -d 1.2.3.4 -j in_group1

# INFO>>> Creating chain 'out_group1' under 'out_main' in table 'filter'
/sbin/iptables -t filter -N out_group1
/sbin/iptables -t filter -A out_main -s 1.2.3.4 -j out_group1


firehol-1.250-r1, BROKEN:

# === CONFIGURATION STATEMENT =================================================
# CONF:INIT>>>  group with dst 1.2.3.4


# INFO>>> Starting new group No 1, under 'main'

# INFO>>> Creating chain 'in_group1' under 'in_main' in table 'filter'
/sbin/iptables -t filter -N in_group1
/sbin/iptables -t filter -A in_main -s 1.2.3.4 -j in_group1

# INFO>>> Creating chain 'out_group1' under 'out_main' in table 'filter'
/sbin/iptables -t filter -N out_group1
/sbin/iptables -t filter -A out_main -d 1.2.3.4 -j out_group1

Consider the input side for the moment: as you can see, when clearly using "group with" to apply only to a *destination* of 1.2.3.4 (this box has multiple IPs and this group is for services I want only accessible on 1.2.3.4), firehol-1.250-r1 generates an input rule with "-s 1.2.3.4", checking only the source address. The mirror mistake is made on the output side. firehol-1.250 did it correctly.

This mistake ended up cutting off all access to my server.
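A small checker, added here as an example and not part of FireHOL or the attached patch, that scans "firehol debug" output and flags jump rules whose address match contradicts the "group with" statement that produced them; the two excerpts from comment 4 are embedded as constructed input. It also covers "group with src", whose expected mapping is assumed to be the mirror image of the dst case shown above.

```python
import re

# Constructed sample input: the jump rules from the "firehol debug" output
# quoted in comment 4 for "group with dst 1.2.3.4", one excerpt per version.
FIREHOL_1_250 = """\
# CONF:INIT>>>  group with dst 1.2.3.4
/sbin/iptables -t filter -A in_main -d 1.2.3.4 -j in_group1
/sbin/iptables -t filter -A out_main -s 1.2.3.4 -j out_group1
"""
FIREHOL_1_250_R1 = """\
# CONF:INIT>>>  group with dst 1.2.3.4
/sbin/iptables -t filter -A in_main -s 1.2.3.4 -j in_group1
/sbin/iptables -t filter -A out_main -d 1.2.3.4 -j out_group1
"""

# Address flag expected on the jump into a group, keyed by (keyword, packet
# direction).  The dst row is what comment 4 shows for 1.250; the src row is
# its mirror image (an assumption, not taken from the report).
EXPECTED_FLAG = {
    ("dst", "in"): "-d", ("dst", "out"): "-s",
    ("src", "in"): "-s", ("src", "out"): "-d",
}

GROUP_RE = re.compile(r"#\s*CONF:\S*>>>\s*group with (src|dst) (\S+)")
JUMP_RE = re.compile(r"iptables -t filter -A (in|out)_\S+ (-s|-d) (\S+) -j (\S+)")

def check_group_direction(debug_output):
    """Return the jump rules whose address match contradicts the 'group with'
    statement that produced them, as (target_chain, expected, found) tuples.
    An empty list means every group is wired in the direction it asked for."""
    findings = []
    keyword = ip = None
    for line in debug_output.splitlines():
        g = GROUP_RE.search(line)
        if g:  # a new "group with" statement: remember its keyword and address
            keyword, ip = g.groups()
            continue
        j = JUMP_RE.search(line)
        if not j or keyword is None:
            continue
        direction, flag, rule_ip, target = j.groups()
        if rule_ip != ip:  # jump belonging to some other statement
            continue
        want = EXPECTED_FLAG[(keyword, direction)]
        if flag != want:
            findings.append((target, want, flag))
    return findings
```

For the 1.250 excerpt the checker returns an empty list; for the 1.250-r1 excerpt it returns [('in_group1', '-d', '-s'), ('out_group1', '-s', '-d')], i.e. both jumps reversed exactly as comment 4 describes.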
Comment 5 Mike Nerone 2007-05-03 00:02:18 UTC
BTW, at the upstream bug report (http://sourceforge.net/tracker/index.php?func=detail&aid=1685505&group_id=58425&atid=487692), the author clearly explains why this "bug" is a result of a fundamental misunderstanding by the user, and is not a bug at all.
Comment 6 Dominik Stadler (RETIRED) gentoo-dev 2007-05-05 12:02:29 UTC
FYI, see Bug 176862 for the issue with this patch.