Your message dated Tue, 27 Jun 2006 08:42:06 +0200 with message-id <[EMAIL PROTECTED]> has caused the Debian Bug report #351196, regarding psad: IPTABLES_AUTO_RULENUM hazard to be marked as having been forwarded to the upstream software author(s) Michael Rash <[EMAIL PROTECTED]>.
(NB: If you are a system administrator and have no idea what I am talking about this indicates a serious mail system misconfiguration somewhere. Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Hello Mike

Forgot to forward this bug to you, can you help?

Daniel

On Fri, 2006-02-03 at 12:49 +0700, Jeroen Vermeulen wrote:
> Package: psad
> Version: 1.4.5-1
> Severity: normal
>
>
> The IPTABLES_AUTO_RULENUM is documented as follows in the default
> configuration file:
>
> ### Specify the position or rule number within the iptables
> ### policy where auto block rules get added.
>
> There then follows a configurable list of chains IPT_AUTO_CHAIN{n} that
> can be created automatically to hold the per-host blocking rules created
> by psad. Each "auto-chain" line has a field to specify which existing
> chain should jump to that auto-chain, but no field to say where in the
> calling chain the jump should be inserted.
>
> My impression was that this was what IPTABLES_AUTO_RULENUM did. I was
> wrong. It turns out that IPTABLES_AUTO_RULENUM determines where a new
> blocking rule for an offensive host should be inserted into the
> applicable auto-chain itself.
>
> The real gotcha is this: IPTABLES_AUTO_RULENUM becomes a boobytrap when
> auto-chains are used. If an auto-chain is empty initially, the *only*
> setting for IPTABLES_AUTO_RULENUM that makes any sense at all is 1.
> Anything else and rule insertion will simply not work, because the given
> index will be out of range. (A log message will say that it isn't
> working, but fail to give any indication of what goes wrong--that's in a
> separate bug report).
>
> Some things that I imagine could be done:
>
> * Add a warning to the IPTABLES_AUTO_RULENUM documentation about the
>   dangers in combination with IPT_AUTO_CHAIN.
>
> * Fail to start when auto-chains are used and IPTABLES_AUTO_RULENUM is
>   not set to 1.
>
> * Add an optional insertion index to IPT_AUTO_CHAIN entries to take
>   away any confusion about what IPTABLES_AUTO_RULENUM means.
>
> -- System Information:
> Debian Release: 3.1
>   APT prefers unstable
>   APT policy: (50, 'unstable')
> Architecture: i386 (i686)
> Shell:  /bin/sh linked to /bin/bash
> Kernel: Linux 2.6.11
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
>
> Versions of packages psad depends on:
> ii  ipchains                 1.3.10-15      Network firewalling for Linux 2.2.
> ii  iptables                 1.3.1-2        Linux kernel 2.4+ iptables adminis
> ii  libc6                    2.3.2.ds1-22   GNU C Library: Shared libraries an
> ii  libcarp-clan-perl        5.3-3          Perl enhancement to Carp error log
> ii  libdate-calc-perl        5.4-3          Perl library for accessing dates
> ii  libnetwork-ipv4addr-perl 0.10-1.1       The Net::IPv4Addr perl module API
> ii  libunix-syslog-perl      0.100-4        Perl interface to the UNIX syslog(
> ii  perl                     5.8.4-8sarge3  Larry Wall's Practical Extraction
> ii  psmisc                   21.6-1         Utilities that use the proc filesy
> ii  sysklogd [syslogd]       1.4.1-17       System Logging Daemon
> ii  whois                    4.7.5          the GNU whois client
>
> -- no debconf information
--- End Message ---
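As an added illustration of the gotcha in the report (example code written here, not psad's own code nor anything from the reporters): a small Python model of the `iptables -I CHAIN rulenum` position rule, plus a pre-flight check of the kind the report's second suggestion asks for, which refuses a configuration that combines IPT_AUTO_CHAIN entries with an IPTABLES_AUTO_RULENUM other than 1. The psad.conf excerpt is constructed and the field layout of the IPT_AUTO_CHAIN lines is an assumption.

```python
"""Model of the IPTABLES_AUTO_RULENUM / IPT_AUTO_CHAIN hazard: an empty
auto-chain accepts a new rule only at position 1 (iptables -I semantics),
so a pre-flight check refuses other values when auto-chains are in use."""
import re

def insert_rule(chain, rule, rulenum):
    """Insert at 1-based rulenum as `iptables -I CHAIN rulenum` would:
    valid positions are 1 .. len(chain)+1, anything larger is rejected."""
    if not 1 <= rulenum <= len(chain) + 1:
        raise IndexError(f"rulenum {rulenum} out of range for a chain "
                         f"holding {len(chain)} rule(s)")
    chain.insert(rulenum - 1, rule)
    return chain

def parse_psad_conf(text):
    """Parse psad.conf-style `KEY value;` lines; '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        body = line.split("#", 1)[0].strip().rstrip(";").strip()
        if body:
            key, _, value = body.partition(" ")
            conf[key] = value.strip()
    return conf

def check_auto_rulenum(conf):
    """Return one warning per IPT_AUTO_CHAIN{n} entry when
    IPTABLES_AUTO_RULENUM is anything other than 1 (the only position
    that exists in a freshly created, empty auto-chain)."""
    rulenum = int(conf.get("IPTABLES_AUTO_RULENUM", "1"))
    chains = sorted(k for k in conf if re.fullmatch(r"IPT_AUTO_CHAIN\d+", k))
    if rulenum == 1:
        return []
    return [f"{k}: IPTABLES_AUTO_RULENUM {rulenum} is out of range for an "
            f"empty auto-chain; set it to 1" for k in chains]

# Constructed psad.conf excerpt; the IPT_AUTO_CHAIN field layout is assumed.
SAMPLE_CONF = """
IPTABLES_AUTO_RULENUM      5;
IPT_AUTO_CHAIN1            DROP, src, filter, INPUT, PSAD_BLOCK_INPUT;
IPT_AUTO_CHAIN2            DROP, dst, filter, OUTPUT, PSAD_BLOCK_OUTPUT;
"""

if __name__ == "__main__":
    for warning in check_auto_rulenum(parse_psad_conf(SAMPLE_CONF)):
        print("WARNING:", warning)
    try:
        insert_rule([], "DROP 192.0.2.10", 5)    # empty auto-chain, rulenum 5
    except IndexError as err:
        print("insert failed:", err)
    print(insert_rule([], "DROP 192.0.2.10", 1))  # only rulenum 1 works
```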

