Your message dated Thu, 29 Jan 2009 13:39:45 +0100
with message-id <20090129123944.gd6...@koocotte.org>
and subject line No bug
has caused the Debian Bug report #495683,
regarding sshguard: Current implementation skip any other iptables rules
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
495683: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=495683
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: sshguard
Version: 1.0-2~bpo40+1
Severity: normal

Current implementation is based on:
1. add a chain named sshguard
2. redirect any request on tcp/22 from INPUT to this chain

If any other mechanism adds rules to INPUT, they will not apply for tcp/22.

Solution:

1. add a chain named sshguard
1b. add a default rule to sshguard to return:
        iptables -A sshguard -j RETURN
2. redirect any request on tcp/22 from INPUT to this chain
3. Change sshguard to insert new rules at the beginning of the chain and not
   at the end.

When receiving a tcp/22 packet, rules from sshguard and INPUT will BOTH be
applied.

By the way, you can include in the package a file named
/etc/network/if-up.d/sshguard
        #!/bin/sh
        iptables -N sshguard
        iptables -A INPUT -p tcp --dport 22 -j sshguard
        iptables -A sshguard -j RETURN

and a similar /etc/network/if-down.d/sshguard to destroy the rules chain.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable'), (100, 'oldstable')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.22-4-amd64
Locale: lang=fr...@euro, lc_ctype=fr...@euro (charmap=ISO-8859-15)

Versions of packages sshguard depends on:
ii  libc6                  2.3.6.ds1-13etch7 GNU C Library: Shared libraries

sshguard recommends no packages.

-- no debconf information



--- End Message ---
--- Begin Message ---
This bug does not exist.


--- End Message ---
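
An added example, not part of the original thread or of sshguard: a small Python model of how iptables walks rule chains, run on the ruleset from the report with and without the explicit RETURN rule. When a user-defined chain runs out of rules, iptables resumes in the calling chain at the next rule. The addresses and the second INPUT rule are constructed for illustration.

```python
# Model of iptables chain traversal (added example; not sshguard code).
# A rule is (match, target). Targets: ACCEPT, DROP, RETURN, or a chain name.

def traverse(chains, name, pkt, trace):
    """Walk one chain. Return a verdict, or None to hand control back to the caller."""
    for idx, (match, target) in enumerate(chains[name], 1):
        if not match(pkt):
            continue
        trace.append(f"{name}:{idx}->{target}")
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None
        verdict = traverse(chains, target, pkt, trace)  # jump into a user chain
        if verdict is not None:
            return verdict
        # The user chain returned, explicitly or by running off its end:
        # evaluation continues with the next rule of this chain.
    return None

def filter_input(chains, pkt, policy="ACCEPT"):
    """Return (verdict, trace) for a packet entering INPUT."""
    trace = []
    return traverse(chains, "INPUT", pkt, trace) or policy, trace

def is_ssh(p):
    return p["proto"] == "tcp" and p["dport"] == 22

def from_src(addr):
    return lambda p: p["src"] == addr

def build(explicit_return):
    """Ruleset from the report; addresses and the second INPUT rule are constructed."""
    guard = [(from_src("192.0.2.10"), "DROP")]      # address blocked by sshguard
    if explicit_return:
        guard.append((lambda p: True, "RETURN"))    # step 1b of the proposed solution
    return {
        "INPUT": [(is_ssh, "sshguard"),
                  (from_src("198.51.100.7"), "DROP")],  # rule from another mechanism
        "sshguard": guard,
    }

if __name__ == "__main__":
    for explicit in (False, True):
        for src in ("192.0.2.10", "198.51.100.7", "203.0.113.5"):
            pkt = {"proto": "tcp", "dport": 22, "src": src}
            print(explicit, src, *filter_input(build(explicit), pkt))
```

The trace lists each matched rule as chain:index->target, so the point where evaluation leaves sshguard and resumes in INPUT is visible for each packet.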
