bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-02 18:51 UTC
[Bug 727] New: Open your firewall by a simple typo
http://bugzilla.netfilter.org/show_bug.cgi?id=727

           Summary: Open your firewall by a simple typo
           Product: iptables
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P2
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: rl-20100926 at xaq.nl
   Estimated Hours: 0.0

I was trying some rules with multiple source addresses:

  iptables -A FORWARD -s 10.1.1.1,10.1.1.2 -j ACCEPT

This works fine. No problem. But I happened to make a typo:

  iptables -A FORWARD -s 10.1.1.1,10.1.1.2, -j ACCEPT

(watch the comma after the 10.1.1.2)

Well, this is like entering:

  iptables -A FORWARD -s 0.0.0.0/0 -j ACCEPT

iptables accepts this without any warning. I don't think it should.
Try this simple rule:

  iptables -A INPUT -s 10.1.1.1, -j ACCEPT

and watch your system exposed to the world.

R.

Vanilla kernel 2.6.38.8
Vanilla iptables 1.4.11.1

-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-04 07:40 UTC
[Bug 727] Open your firewall by a simple typo
http://bugzilla.netfilter.org/show_bug.cgi?id=727

Richard Lucassen <rl-20100926 at xaq.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rl-20100926 at xaq.nl

--- Comment #1 from Richard Lucassen <rl-20100926 at xaq.nl> 2011-07-04 09:40:06 ---

Two minor things:

1) iptables accepts this wrong syntax without any warning:

  -o eth0,eth1

This rule just doesn't work.

2) It would be nice if iptables accepted spaces after a comma:

  iptables -A INPUT -s 10.1.1.1, 10.1.1.2, 10.1.1.3 -j ACCEPT

It's just more readable than:

  iptables -A INPUT -s 10.1.1.1,10.1.1.2,10.1.1.3 -j ACCEPT

R.
bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-09 00:46 UTC
[Bug 727] Open your firewall by a simple typo
http://bugzilla.netfilter.org/show_bug.cgi?id=727

Jan Engelhardt <jengelh at medozas.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jengelh at medozas.de
         AssignedTo|netfilter-                  |jengelh at medozas.de
                   |buglog at lists.netfilter.org|
bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-09 13:33 UTC
[Bug 727] Open your firewall by a simple typo
http://bugzilla.netfilter.org/show_bug.cgi?id=727

Jan Engelhardt <jengelh at medozas.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-09 14:20 UTC
[Bug 727] Open your firewall by a simple typo
http://bugzilla.netfilter.org/show_bug.cgi?id=727

Jan Engelhardt <jengelh at medozas.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #2 from Jan Engelhardt <jengelh at medozas.de> 2011-07-09 16:20:09 ---

> iptables -A FORWARD -s 10.1.1.1,10.1.1.2, -j ACCEPT

Fixed; (c0e69db337540b22a3b3f739b1143341e7b759b7)

> 1) iptables accepts this wrong syntax without any warning:
> -o eth0,eth1

This is not wrong syntax. For one, -o does not accept lists (and that
should be pretty clear from the manpage), the other is that comma is a
valid character in an interface name.

> 2) It would be nice if iptables accepts spaces after a comma:
> iptables -A INPUT -s 10.1.1.1, 10.1.1.2, 10.1.1.3 -j ACCEPT

Added; (0c384449ae9511157cd9b34d73f8f4cb71123a45)
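The failure mode described in the report above (an empty element in a comma-separated -s list silently widening the match to 0.0.0.0/0), placed next to the pre-flight check a wrapper script can run on the list before it ever reaches iptables. This is an added example and is not code from the bug thread or from iptables itself: lenient_split is only a simplified model of the behaviour the reporter describes, not the real parser, and the function names, the use of Python's ipaddress module and the strip-spaces-after-comma handling (the readability request in comment #1) are assumptions. The sample lists are the ones quoted in the report.

```python
"""Added example: model the reported trailing-comma widening and show a
strict pre-check for iptables address lists. Not iptables code."""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# The catch-all that the typo was reported to be equivalent to.
ANY_V4 = ipaddress.ip_network("0.0.0.0/0")


def lenient_split(spec: str) -> List[Network]:
    """Simplified model (an assumption for illustration, not the real parser)
    of the reported behaviour: every comma-separated element is parsed, and an
    empty element left by a trailing or doubled comma is treated as 'any'."""
    nets: List[Network] = []
    for elem in spec.split(","):
        if elem == "":
            nets.append(ANY_V4)  # the silent widening the report describes
        else:
            nets.append(ipaddress.ip_network(elem, strict=False))
    return nets


def strict_parse(spec: str) -> List[Network]:
    """Hardened check to run before calling iptables: reject empty elements
    instead of widening them, tolerate spaces after commas for readability,
    and validate each element as an IPv4/IPv6 address or prefix."""
    if spec.strip() == "":
        raise ValueError("empty address list")
    nets: List[Network] = []
    for raw in spec.split(","):
        elem = raw.strip()  # allow "a, b, c" as well as "a,b,c"
        if elem == "":
            raise ValueError(f"empty element in address list {spec!r}")
        try:
            # strict=False accepts host bits set, e.g. 10.1.1.1 -> 10.1.1.1/32
            nets.append(ipaddress.ip_network(elem, strict=False))
        except ValueError as exc:
            raise ValueError(f"bad element {elem!r} in {spec!r}: {exc}") from exc
    return nets


def covers_everything(nets: List[Network]) -> bool:
    """True when the list matches every source address, i.e. the rule is
    effectively open. Useful as a final guard even on a validated list."""
    return any(n.prefixlen == 0 for n in nets)


def iptables_source_args(spec: str) -> List[str]:
    """Build the '-s' argument pair for an iptables invocation from a list
    that has passed strict_parse, normalised to explicit prefix lengths."""
    nets = strict_parse(spec)
    return ["-s", ",".join(n.with_prefixlen for n in nets)]


if __name__ == "__main__":
    # The two commands from the report, differing only in the trailing comma.
    for spec in ("10.1.1.1,10.1.1.2", "10.1.1.1,10.1.1.2,", "10.1.1.1,"):
        model = lenient_split(spec)
        print(f"{spec!r}: modelled as {[str(n) for n in model]}"
              f" -> open to the world: {covers_everything(model)}")
        try:
            print(f"  strict: {iptables_source_args(spec)}")
        except ValueError as err:
            print(f"  strict: rejected ({err})")
```

The strict parser refuses the list rather than guessing what the empty element meant; an explicitly written 0.0.0.0/0 still passes, which is why covers_everything is kept as a separate guard for scripts that should never emit a catch-all source match.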