Your message dated Thu, 12 Mar 2015 22:04:09 +0000
with message-id <e1ywbd7-00074p...@franck.debian.org>
and subject line Bug#779150: fixed in uif 1.1.4-2
has caused the Debian Bug report #779150,
regarding uif/pings: false - accepts pings from non-trusted networks.
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
779150: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779150
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: uif
Version: 1.1.4-1
Severity: important

Dear Maintainer,

I am sending this report from my wheezy system because my jessie system
does not have email setup.

I choose severity "important" because not answering pings is a
fundamental requirement for a firewall, if so configured.

I have verified that pings are accepted from localhost, as it is on a trusted
network.

I have verified that pings are accepted from a non-trusted network using the
"ShieldsUp" web page feature from http://grc.com located at the following URL.

    https://www.grc.com/x/ne.dll?bh0bkyd2

Here is the debconf configuration information,

    # debconf-show uif
    * uif/workstation:
    * uif/traceroute: false
    * uif/pings: false
    * uif/trusted: 127.0.0.1
    * uif/conf_method: workstation
      uif/error:

I have attached the uif generated "uif.conf" file to this report.

Thanks,
Jeffrey Sheinberg

-- System Information:
Debian Release: 7.8
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-0.bpo.4-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages uif depends on:
ii  bsdutils               1:2.20.1-5.3
ii  debconf [debconf-2.0]  1.5.49
ii  iptables               1.4.14-3.1
pn  libnet-ldap-perl       <none>
pn  libnetaddr-ip-perl     <none>
ii  perl                   5.14.2-21+deb7u2

uif recommends no packages.

Versions of packages uif suggests:
ii  fwlogwatch  1.2-2
## uif Firewall Configuration

## automatically configured for Debian systems...
## This file has been automatically generated by debconf. It will be overwritten
## the next time you configure firewall without choosing "don't touch".

## Sysconfig definitions
#  These entries define the global behaviour of the firewall package. Normally
#  they are preset in /etc/default/uif and may be overwritten by this
#  section.
#
#  syntax:   LogLevel : set the kernel loglevel for iptables rules
#            LogPrefix: prepend this string to all iptables logs
#            LogLimit:  set packet limit per time interval (times/interval)
#            LogBurst:  set packet log burst
#  example:
#   sysconfig {
#      LogLevel      debug
#      LogPrefix     FW
#      LogLimit      20/minute
#      LogBurst      5
#      AccountPrefix ACC_
#   }


## Include predefined services
#  The include section takes a bunch of files and includes them into this
#  configuration file.
#
#  syntax:  "filename"
include {
    "/etc/uif/services"
}


## Services needed for workstation setup
#  The service section provides the protocol definitions you're
#  using in the rules. You're forced to declare everything you
#  need for your setup.
#
#  syntax: service_name [tcp([source:range]/[dest:range])] [udp([source:range]/[dest:range])]
#                       [protocol_name([source:range][/][dest:range])] [service_name] ...
#  examples: http  tcp(/80)
#            dns   tcp(/53) udp(/53)
#            group http dns tcp(/443)
#            ipsec esp(/) udp(/500)
#service {
#    traceroute  udp(32769:65535/33434:33523) icmp(11)
#    ping        icmp(8)
#}

## Network definitions needed for IPv4+6 workstation setup
# The network definitions are included from two separate files.
#   1. /etc/uif/uif-ipv4-networks.inc
#   2. /etc/uif/uif-ipv6-networks.inc
#
# If you want to setup IPv4 and IPv6 firewalling easily,
# make sure that all network names you use in your ruleset
# in both include files.
#
# Additionally make /etc/uif/uif6.conf a symlink that points to
# /etc/uif/uif.conf.
#

# IPv4 network definitions
#
# If you update from a version of UIF that supported IPv4 only, then
# you probably want to leave the uif.conf file untouched for now and
# move your network definitions block from uif.conf to uif-ipv4-networks.inc
# manually later.

include4 {
    "/etc/uif/uif-ipv4-networks.inc"
}

# IPv6 network definitions
#
# Make sure IPV6MODE is set to 1 in /etc/default/uif if you want to use
# IPv6 support on your UIF based firewall.

include6 {
    "/etc/uif/uif-ipv6-networks.inc"
}

## Interface definitions
#  Since all definitions used in the filter section are symbolic,
#  you've to specify symbolic names for all your interfaces you're
#  going to use.
#
#  syntax: interface_name [unix network interface] [interface_name]
#  examples: internal eth0
#            external ippp0 ipsec0
#            allppp   ppp+
#            group    external allppp eth3
interface {
    loop     lo
}

## Filter definitions
#  The filter section defines the rules for in, out, forward, masquerading
#  and nat. All rules make use of the symbolic names defined above. This
#  section can be used multiple times in one config file. This makes more
#  sense when using one of these alias names:
#  filter, nat, input, output, forward, masquerade
#
#  syntax: in[-/+]  [i=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#          out[-/+] [o=interface] [s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#          fw[-/+]  [i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#          masq[-/+][i/o=interface][s=source_net] [d=dest_net] [p=protocol] [f=flag_1,..,flag_n]
#          nat[-/+] additionally allows [S=from source] [D=to destination] [P=to port:[range]]
#  flags:  limit([count/time[,burst]])
#          reject([reject type])
#          log([name])
#          account(name)
#  examples:
#       masq+  o=extern s=intranet
#       nat+   s=intranet p=http   D=relayintern   P=squid
#       in+    s=trusted  p=ssh,ping,traceroute,http
#       out-   s=intranet p=smb    f=reject
#       fw-    d=microsoft         f=reject,log(ms-alert)
#       fw+    p=myhttp            f=account(HTTP)
#              Take an attention about the protocol for your accounting rules. If you
#              want to count user http traffic, you may need a "myhttp tcp(80/)".
filter {
    in+  i=loop    s=localhost
    out+ o=loop    d=localhost

    # IPv4 rules
    #in+  p=ping,traceroute
    in+  s=trusted4(4)

    # ICMP is a must in IPv6, blocking breaks compliancy
    # to RFC 4443 (http://tools.ietf.org/html/rfc4443)
    in+  s=all(6) p=ping,pong,noroute,packet-too-big,time-exceeded,parameter-problem,neighbor-advertisement,neighbor-solicitation
    #in+ s=trusted6(6)

    out+ d=all

    in-  f=log(input),reject
    out- f=log(output),reject
    fw-  f=log(forward),reject
}

--- End Message ---
--- Begin Message ---
Source: uif
Source-Version: 1.1.4-2

We believe that the bug you reported is fixed in the latest version of
uif, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 779...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Gabriel <sunwea...@debian.org> (supplier of updated uif package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Wed, 11 Mar 2015 12:19:46 +0100
Source: uif
Binary: uif
Architecture: source all
Version: 1.1.4-2
Distribution: unstable
Urgency: medium
Maintainer: Mike Gabriel <sunwea...@debian.org>
Changed-By: Mike Gabriel <sunwea...@debian.org>
Description:
 uif        - Advanced iptables-firewall script
Closes: 767285 772496 779150
Changes:
 uif (1.1.4-2) unstable; urgency=medium
 .
   * debian/po:
     + Add nl.po. Thanks to Frans Spiesschaert! (Closes: #767285).
   * debian/patches:
     + Add 0001_Debian-name-spelling.patch. Fix spelling of the expression
       "Debian package" (written with a capital "D", after browsing various
       project web pages) and another typo in an error message. (Closes:
       #772496).
     + Add 0002_correctly-ignore-ipv4+6-only-rules.patch. Fix severe flaw in
       IPv4-only/IPv6-only rule setup. Don't open IPv4 holes when setting up
       IPv6-only rules and vice versa. (Closes: #779150).

--- End Message ---
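
An added example, not part of the thread and not uif's own code: a small audit helper that models the flaw named in the changelog against the filter rules from the attached uif.conf. It assumes that a `(4)` or `(6)` suffix on a network name restricts the rule to that address family; the function names and the shortened sample rule list are constructed for illustration.

```python
import re

# Constructed sample: filter rules from the reported uif.conf, protocol list shortened.
SAMPLE_FILTER = """\
in+  i=loop    s=localhost
out+ o=loop    d=localhost
in+  s=trusted4(4)
in+  s=all(6) p=ping,pong,noroute,packet-too-big
out+ d=all
in-  f=log(input),reject
"""

# Assumption: "name(4)" / "name(6)" marks a network as IPv4-only / IPv6-only.
FAMILY_TAG = re.compile(r"^[^()]+\(([46])\)$")

def parse_rule(line):
    """Return (action, families, text); families is empty for untagged rules."""
    action, *opts = line.split()
    families = set()
    for opt in opts:
        key, _, value = opt.partition("=")
        if key in ("s", "d"):                 # only networks carry a family tag
            for net in value.split(","):
                m = FAMILY_TAG.match(net)
                if m:
                    families.add(int(m.group(1)))
    return action, families, " ".join(line.split())

def rules_for(config, family, honour_tags=True):
    """Rules that end up in the ruleset built for `family` (4 or 6)."""
    selected = []
    for line in config.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        action, families, text = parse_rule(line)
        if honour_tags and families and family not in families:
            continue                          # other family's rule: skip it
        selected.append((action, text))
    return selected

def cross_family_holes(config, family):
    """Accept rules ('+') that reach `family` only when the tags are ignored."""
    good = {text for _, text in rules_for(config, family, True)}
    return [text for action, text in rules_for(config, family, False)
            if action.endswith("+") and text not in good]
```

With the sample rules, the IPv6-only ICMP rule is the only accept rule that would leak into an IPv4 ruleset, which matches the reported symptom of pings being answered despite `uif/pings: false`.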