Package: netfilter-persistent
Severity: grave
X-Debbugs-CC: whonix-de...@whonix.org
Tags: security

Dear maintainer,

there is a security issue with the netfilter-persistent systemd service. [1]

If the netfilter-persistent wrapper [2] fails for some reason, it does not load any firewall rules and does not lock the network. For example `whoami` or `run-parts` could be corrupted on disk or otherwise broken. Or one of the firewall scripts in the /usr/share/netfilter-persistent/plugins.d folder could be broken.

If the netfilter-persistent wrapper fails on system startup, it should lock the network, i.e. set all iptables and ip6tables policies to DROP.

Cheers,
Patrick

Credits for finding this bug go to rustybird. [3] [4] (I am only seconding and reporting it.)

(Using severity grave as this could pose a security risk, i.e. the firewall getting up too late.)

[1] https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/tree/systemd/netfilter-persistent.service
[2] https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/tree/netfilter-persistent
[3] https://github.com/rustybird
[4] https://github.com/rustybird/corridor/issues/8#issuecomment-230266161
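The fail-closed behaviour the report asks for, as an added example written for this page (it is not the Debian package's own netfilter-persistent wrapper or unit file): a small wrapper that runs the real loader and, if that exits non-zero for any reason, sets every filter-table policy to DROP for both IPv4 and IPv6 before propagating the failure to systemd. The binary paths in the `IPTABLES`, `IP6TABLES` and `NETFILTER_PERSISTENT` variables are assumptions and can be overridden from the environment, which is also how the example can be exercised without root by pointing them at stub scripts.

```shell
#!/bin/sh
# Fail-closed wrapper around netfilter-persistent (added example, not the
# Debian package's code). Paths below are assumptions; override them via the
# environment, e.g. to point at stub binaries when testing unprivileged.
: "${IPTABLES:=/sbin/iptables}"
: "${IP6TABLES:=/sbin/ip6tables}"
: "${NETFILTER_PERSISTENT:=/usr/sbin/netfilter-persistent}"

# lock_network: set INPUT/FORWARD/OUTPUT policies to DROP and flush all rules
# in the filter table, for both address families. Every step is attempted
# even if an earlier one fails; the return status reports whether any failed.
lock_network() {
    status=0
    for cmd in "$IPTABLES" "$IP6TABLES"; do
        for chain in INPUT FORWARD OUTPUT; do
            "$cmd" -P "$chain" DROP || status=1
        done
        "$cmd" -F || status=1
    done
    return "$status"
}

# start_fail_closed: run the real loader. On success, return 0. On any
# failure (broken plugin script, missing helper binary, ...), lock the
# network and return non-zero so systemd marks the unit as failed instead
# of leaving the host with empty ACCEPT policies.
start_fail_closed() {
    if "$NETFILTER_PERSISTENT" start; then
        return 0
    fi
    echo "netfilter-persistent start failed; locking network (policy DROP)" >&2
    lock_network
    return 1
}
```

Wiring this into the unit is a separate step: systemd runs `ExecStopPost=` commands whenever the service stops, including after a failed `ExecStart=`, so a unit can call the lock-down from there rather than trusting the wrapper's own error handling; since systemd 232 the `$SERVICE_RESULT` variable lets that command distinguish a clean stop from a failure. Either way the important property is that the default state, reached when anything in the chain breaks, is "no traffic" rather than "all traffic".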