FYI Daniel

-------- Forwarded Message --------
> From: Michael Rash <[EMAIL PROTECTED]>
> To: Daniel Gubser <[EMAIL PROTECTED]>
> Subject: Re: Bug#351196: psad: IPTABLES_AUTO_RULENUM hazard
> Date: Tue, 27 Jun 2006 09:34:36 -0400
>
> Thanks for the bug report. Yes, I need to fix the IPTABLES_AUTO_RULENUM
> functionality as it is currently broken. I will most likely do the
> following:
>
> - Extend the IPT_AUTO_CHAIN{n} semantics so that the placement of the
>   jump rule can be specified as well as the placement of the rules
>   within the auto-chain itself. This will make the
>   IPTABLES_AUTO_RULENUM functionality obsolete.
>
> - Add better diagnostic messages so that the admin is better informed
>   about what is happening with auto-generated rule placement.
>
> - If the values for the placement of the rules (either the jump rule or
>   the auto-generated rules) don't make sense, i.e. they are too high
>   because there aren't enough other rules in the chain, then a warning
>   will be generated and the values will be re-interpreted to mean the
>   highest possible _valid_ values.
>
> Note that the IPTABLES_AUTO_RULENUM functionality is mostly only useful
> if the admin decides to manually add rules to the AUTO chains (probably
> not a good idea, but I wanted psad to be compatible with this just in
> case).
>
> --
> Michael Rash
> http://www.cipherdyne.org/
> Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
>
>
> On Jun 27, 2006, Daniel Gubser wrote:
>
> > Hello Mike
> >
> > Forgot to forward this bug to you, can you help?
> >
> > Daniel
> >
> > On Fri, 2006-02-03 at 12:49 +0700, Jeroen Vermeulen wrote:
> > > Package: psad
> > > Version: 1.4.5-1
> > > Severity: normal
> > >
> > >
> > > The IPTABLES_AUTO_RULENUM is documented as follows in the default
> > > configuration file:
> > >
> > > ### Specify the position or rule number within the iptables
> > > ### policy where auto block rules get added.
> > >
> > > There then follows a configurable list of chains IPT_AUTO_CHAIN{n} that
> > > can be created automatically to hold the per-host blocking rules created
> > > by psad. Each "auto-chain" line has a field to specify which existing
> > > chain should jump to that auto-chain, but no field to say where in the
> > > calling chain the jump should be inserted.
> > >
> > > My impression was that this was what IPTABLES_AUTO_RULENUM did. I was
> > > wrong. It turns out that IPTABLES_AUTO_RULENUM determines where a new
> > > blocking rule for an offensive host should be inserted into the
> > > applicable auto-chain itself.
> > >
> > > The real gotcha is this: IPTABLES_AUTO_RULENUM becomes a booby trap when
> > > auto-chains are used. If an auto-chain is empty initially, the *only*
> > > setting for IPTABLES_AUTO_RULENUM that makes any sense at all is 1.
> > > Anything else and rule insertion will simply not work, because the given
> > > index will be out of range. (A log message will say that it isn't
> > > working, but fail to give any indication of what goes wrong--that's in a
> > > separate bug report).
> > >
> > > Some things that I imagine could be done:
> > >
> > > * Add a warning to the IPTABLES_AUTO_RULENUM documentation about the
> > >   dangers in combination with IPT_AUTO_CHAIN.
> > >
> > > * Fail to start when auto-chains are used and IPTABLES_AUTO_RULENUM is
> > >   not set to 1.
> > >
> > > * Add an optional insertion index to IPT_AUTO_CHAIN entries to take
> > >   away any confusion about what IPTABLES_AUTO_RULENUM means.
> > >
> > > -- System Information:
> > > Debian Release: 3.1
> > >   APT prefers unstable
> > >   APT policy: (50, 'unstable')
> > > Architecture: i386 (i686)
> > > Shell:  /bin/sh linked to /bin/bash
> > > Kernel: Linux 2.6.11
> > > Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> > >
> > > Versions of packages psad depends on:
> > > ii  ipchains                 1.3.10-15     Network firewalling for Linux 2.2.
> > > ii  iptables                 1.3.1-2       Linux kernel 2.4+ iptables adminis
> > > ii  libc6                    2.3.2.ds1-22  GNU C Library: Shared libraries an
> > > ii  libcarp-clan-perl        5.3-3         Perl enhancement to Carp error log
> > > ii  libdate-calc-perl        5.4-3         Perl library for accessing dates
> > > ii  libnetwork-ipv4addr-perl 0.10-1.1      The Net::IPv4Addr perl module API
> > > ii  libunix-syslog-perl      0.100-4       Perl interface to the UNIX syslog(
> > > ii  perl                     5.8.4-8sarge3 Larry Wall's Practical Extraction
> > > ii  psmisc                   21.6-1        Utilities that use the proc filesy
> > > ii  sysklogd [syslogd]       1.4.1-17      System Logging Daemon
> > > ii  whois                    4.7.5         the GNU whois client
> > >
> > > -- no debconf information
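The clamping that Mike proposes (warn about a rule number that is too high for the chain and reinterpret it as the highest valid position) applied to the empty-auto-chain case from the bug report, as an added shell example; this is not psad's code. It assumes that `iptables -I CHAIN N` accepts positions 1 through (current rule count + 1), and the chain name, `iptables -S` output and addresses are constructed.

```shell
#!/bin/sh
# Added example (not psad's code): derive a safe position for
# `iptables -I CHAIN N` so that an IPTABLES_AUTO_RULENUM that is too high
# for the chain is warned about and clamped instead of failing.
# Assumption: iptables accepts insert positions 1..(rule count + 1).

# Constructed `iptables -S CHAIN` output for an empty auto-chain and for
# one already holding two block rules (chain name and addresses made up).
EMPTY_CHAIN='-N EXAMPLE_AUTO'
FULL_CHAIN='-N EXAMPLE_AUTO
-A EXAMPLE_AUTO -s 192.0.2.10/32 -j DROP
-A EXAMPLE_AUTO -s 192.0.2.11/32 -j DROP'

# Number of rules in a chain: one "-A CHAIN ..." line per rule in -S
# output ("-N CHAIN" defines the chain and is not a rule). grep -c prints
# 0 but exits 1 when nothing matches, so its exit status is discarded.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-A ' || true
}

# Map a configured rule number onto a valid insert position for a chain
# holding $1 rules: 1 is the top, $1+1 appends. Out-of-range values are
# clamped with a warning on stderr rather than handed to iptables.
clamp_rulenum() {
    count=$1 want=$2
    max=$((count + 1))
    if [ "$want" -lt 1 ]; then
        echo "warning: rule number $want is below 1, using 1" >&2
        echo 1
    elif [ "$want" -gt "$max" ]; then
        echo "warning: rule number $want exceeds chain length $count, using $max" >&2
        echo "$max"
    else
        echo "$want"
    fi
}

# Build (but do not run) the insert command for a per-host block rule,
# taking the chain's current -S output so it can be exercised offline.
build_insert_cmd() {
    chain=$1 rules=$2 want=$3 ip=$4
    pos=$(clamp_rulenum "$(count_rules "$rules")" "$want")
    echo "iptables -I $chain $pos -s $ip -j DROP"
}

# IPTABLES_AUTO_RULENUM=5 on an empty auto-chain would be out of range;
# here it is clamped to position 1 and a warning is emitted.
build_insert_cmd EXAMPLE_AUTO "$EMPTY_CHAIN" 5 203.0.113.7
```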