
Bug 51762

Summary: Misconception in net-firewall/dynfw ipblock script
Product: Gentoo Security
Reporter: Tobias Klausmann (RETIRED) <klausman>
Component: Vulnerabilities
Assignee: Seemant Kulleen (RETIRED) <seemant>
Status: RESOLVED FIXED
Severity: normal
CC: mr_bones_, pfeifer
Priority: High
Version: unspecified
Hardware: All
OS: All
Whiteboard:
Package list:
Runtime testing required: ---

Description Tobias Klausmann (RETIRED) gentoo-dev 2004-05-22 14:32:42 UTC
The ipblock script from dynfw reads in part:

#block outside IP address that's causing problems
iptables $INSERT INPUT   -s $1 -j DROP
iptables $INSERT INPUT   -p tcp -s $1 -j REJECT --reject-with tcp-reset
iptables $INSERT OUTPUT  -d $1 -j DROP
iptables $INSERT OUTPUT  -p tcp -d $1 -j REJECT --reject-with tcp-reset
iptables $INSERT FORWARD -d $1 -j DROP
iptables $INSERT FORWARD -p tcp -d $1 -j REJECT --reject-with tcp-reset
echo "IP ${1} block ${2}."

Now lines 4 and 5 (those modifying the OUTPUT chain) cause a problem:
they cause the TCP RST packets generated by lines 2 and 3 to be discarded, resulting in the same behaviour as if the rules with the REJECT target weren't there. Consequently, the rules should be more precise, allowing TCP RST packets to said destination.

I for one do not limit outgoing connections at all and have commented out lines 4 and 5, resulting in the desired behaviour.

dynfw version: 1.0.1
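The fix the report asks for, written out as an added example (this is not the dynfw 1.0.1 script and not anything that shipped in the package): the reset the kernel emits for the INPUT REJECT leaves the box through the OUTPUT chain, so an ACCEPT for outgoing RST segments to the blocked address has to sit in front of the OUTPUT DROP/REJECT rules. Because every rule is inserted at position 1, the rule inserted last ends up first in the chain, which is why the RST-allow rule is inserted after the OUTPUT DROP and REJECT. The original's `$INSERT` indirection is replaced here with a plain `-I`, the `IPT` variable, the `run` wrapper and the `DRY_RUN` switch (which prints the commands instead of executing them, so the rule order can be inspected without root) are assumptions of this example, and 203.0.113.7 is a constructed documentation address.

```shell
#!/bin/sh
# Added example: a corrected ipblock. NOT the dynfw 1.0.1 script.
# Assumptions (hypothetical): IPT names the iptables binary, DRY_RUN=1 prints
# the commands instead of running them, 203.0.113.7 is a constructed address.

IPT="${IPT:-iptables}"

# run: execute the iptables command, or echo it when DRY_RUN is set so the
# resulting insertion order can be inspected (and tested) without root.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# ipblock IP [REASON]
# All rules are inserted at position 1 (-I), so the LAST insertion ends up
# FIRST in its chain. Order of insertion is therefore deliberate below.
ipblock() {
    ip="$1"
    reason="${2:-no reason given}"

    # Inbound: drop everything from the address; TCP gets a reset first.
    run -I INPUT -s "$ip" -j DROP
    run -I INPUT -p tcp -s "$ip" -j REJECT --reject-with tcp-reset

    # Outbound: drop traffic to the address ...
    run -I OUTPUT -d "$ip" -j DROP
    run -I OUTPUT -p tcp -d "$ip" -j REJECT --reject-with tcp-reset
    # ... except the resets the kernel generates for the INPUT REJECT above.
    # They are locally generated packets with destination $ip and leave via
    # OUTPUT, so without this rule (inserted last, hence first in the chain)
    # the OUTPUT rules silently eat them and the REJECT degrades to a DROP.
    run -I OUTPUT -p tcp -d "$ip" --tcp-flags RST RST -j ACCEPT

    # Forwarded traffic towards the address, unchanged from the report.
    run -I FORWARD -d "$ip" -j DROP
    run -I FORWARD -p tcp -d "$ip" -j REJECT --reject-with tcp-reset

    echo "IP ${ip} blocked (${reason})."
}

# Stand-alone use: ipblock.sh <ip> [reason]  (DRY_RUN=1 to only print rules)
if [ "$#" -gt 0 ]; then
    ipblock "$@"
fi
```

Run it as `DRY_RUN=1 sh ipblock.sh 203.0.113.7 scanning` and read the printed OUTPUT rules bottom-up to see the chain as the kernel will evaluate it: the RST ACCEPT comes first, then the REJECT, then the DROP. The `--tcp-flags RST RST` match inspects only the RST bit, so it covers both the RST and the RST/ACK form of the reset; it intentionally does not open any other outgoing traffic to the blocked address.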
Comment 1 Kurt Lieber (RETIRED) gentoo-dev 2004-05-22 16:50:57 UTC
bug wranglers: no idea who's maintaining this package these days.
Comment 2 Seemant Kulleen (RETIRED) gentoo-dev 2004-05-23 11:39:23 UTC
adding mr_bones_ coz he's fix0red the ebuild, pfeifer coz he's leet with iptables
Comment 3 Mr. Bones. (RETIRED) gentoo-dev 2004-05-24 00:49:18 UTC
no maintainer?  Seems like it could be removed from portage if you ask me unless
drobbins feels like picking it up again.  I recommend firestarter for home
firewalling needs.
Comment 4 Seemant Kulleen (RETIRED) gentoo-dev 2004-05-31 18:12:06 UTC
Tobias,

I'd like to remove this package from portage -- I'll be putting into portage something called fwipsec, which *is* constantly maintained upstream.  Unless you object strongly AND you want to maintain this package, please speak to me.
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2004-06-01 01:15:18 UTC
I'm comfy with the package being deleted - I stumbled across it when browsing IBM's developer page and just had a peek. FWIW, I can re-code what I need for my own system.
Comment 6 Seemant Kulleen (RETIRED) gentoo-dev 2004-06-04 12:55:21 UTC
removed from portage.  I have added net-firewall/fwipsec though, which is quite nice.