Guilsson .
2008-Mar-05 23:54 UTC
Dangerous BUG: Beware non-existent variables in your rules
Previously:
*ACCEPT loc:$ADMIN all all*

with a non-existent variable ADMIN generates an error:
*ERROR: Empty source zone or qualifier: rule "ACCEPT loc: net all "*

NOW IT BECOMES 'n' POLICIES FOR ALL ZONES IN YOUR FIREWALL.

It's the same as creating these policies:
loc net ACCEPT
loc dmz ACCEPT
loc vpn ACCEPT
loc web ACCEPT
loc wifi ACCEPT
loc z1 ACCEPT
loc z2 ACCEPT
and so on, for every zone in your firewall.

output with debug:
-A loc2dmz -p 0 -j ACCEPT
-A loc2fw -p 0 -j ACCEPT
-A loc2net -p 0 -j ACCEPT
-A loc2vpn -p 0 -j ACCEPT
-A loc2web -p 0 -j ACCEPT
-A loc2wifi -p 0 -j ACCEPT
-A loc2z1 -p 0 -j ACCEPT
-A loc2z2 -p 0 -j ACCEPT

-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
Tom Eastep
2008-Mar-06 03:25 UTC
Re: Dangerous BUG: Beware non-existent variables in your rules
Guilsson . wrote:
> Previously:
> *ACCEPT loc:$ADMIN all all*
>
> with a non-existent variable ADMIN generates an error:
> *ERROR: Empty source zone or qualifier: rule "ACCEPT loc: net all "*
>
> NOW IT BECOMES 'n' POLICIES FOR ALL ZONES IN YOUR FIREWALL.
>
> It's the same as creating these policies:
> loc net ACCEPT
> loc dmz ACCEPT
> loc vpn ACCEPT
> loc web ACCEPT
> loc wifi ACCEPT
> loc z1 ACCEPT
> loc z2 ACCEPT
> and so on, for every zone in your firewall.
>
> output with debug:
> -A loc2dmz -p 0 -j ACCEPT
> -A loc2fw -p 0 -j ACCEPT
> -A loc2net -p 0 -j ACCEPT
> -A loc2vpn -p 0 -j ACCEPT
> -A loc2web -p 0 -j ACCEPT
> -A loc2wifi -p 0 -j ACCEPT
> -A loc2z1 -p 0 -j ACCEPT
> -A loc2z2 -p 0 -j ACCEPT

Attached is a patch that will correct this egregious bug.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Tom Eastep
2008-Mar-06 18:07 UTC
Re: [Shorewall-users] Dangerous BUG: Beware non-existent variables in your rules
Tom Eastep wrote:
>
> Attached is a patch that will correct this egregious bug.
>

Turning serious for a moment, the attached is a less sarcastic patch which
will generate a fatal error if a non-existent variable is used (a variable
not defined in /etc/shorewall/params and not exported by the shell).

Empty variables can be useful, so it seems unwise to reject them out of
hand. I could add an option to reject them, however.

Any opinions?

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Andrew Suffield
2008-Mar-06 18:33 UTC
Re: Dangerous BUG: Beware non-existent variables in your rules
On Thu, Mar 06, 2008 at 10:07:06AM -0800, Tom Eastep wrote:
> > Attached is a patch that will correct this egregious bug.
> >
>
> Turning serious for a moment, the attached is a less sarcastic patch which
> will generate a fatal error if a non-existent variable is used (a variable
> not defined in /etc/shorewall/params and not exported by the shell).
>
> Empty variables can be useful, so it seems unwise to reject them out of
> hand. I could add an option to reject them, however.
>
> Any opinions?

Require spaces that 'should' contain a value to contain a non-empty
string after expansion, but allow it to be a dash to indicate "I
really mean this space to go to its wildcard form". Don't ever let the
empty string be meaningful.
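The behaviour Andrew proposes above (and the question Tom raises about empty variables), as an added example that is not Shorewall's own code and not the attached patch: a small stand-alone Python model of a rules-file compiler in which an undefined variable is a fatal error, a column or zone qualifier that is empty after expansion is rejected, and only an explicit dash means "wildcard". The rule grammar (ACTION SOURCE DEST [PROTO]), the zone list and the params dictionary are constructed for the example; `undefined_variables` is a separate lint pass that reports every variable a rules file references but the params do not define, which is the check behind "don't use undefined shell variables".

```python
import re

# Matches $NAME or ${NAME}; group 1 is the braced form, group 2 the bare form.
VAR_RE = re.compile(r"\$(?:\{(\w+)\}|(\w+))")


class RuleError(ValueError):
    """A rule line that must not be compiled into firewall chains."""


def expand(field, params):
    """Expand every $VAR / ${VAR} in one column using `params`.

    An undefined variable is fatal: it is never silently replaced by '',
    which is how 'loc:$ADMIN' turned into the qualifier-less 'loc:'.
    """
    def repl(match):
        name = match.group(1) or match.group(2)
        if name not in params:
            raise RuleError(f"undefined variable ${name} in column {field!r}")
        return params[name]
    return VAR_RE.sub(repl, field)


def undefined_variables(lines, params):
    """Lint pass: names referenced in `lines` that `params` does not define."""
    referenced = set()
    for line in lines:
        for match in VAR_RE.finditer(line):
            referenced.add(match.group(1) or match.group(2))
    return sorted(referenced - set(params))


def parse_endpoint(field, zones, column):
    """Turn a SOURCE/DEST column into [(zone, qualifier_or_None), ...].

    Accepted forms: 'all', 'zone', 'zone:qualifier', 'zone:-'.
    The empty string, and an empty qualifier after ':', are rejected.
    """
    if field == "":
        raise RuleError(f"{column} is empty after expansion")
    if field == "all":
        return [(zone, None) for zone in zones]
    zone, colon, qualifier = field.partition(":")
    if zone not in zones:
        raise RuleError(f"unknown zone {zone!r} in {column}")
    if colon and qualifier == "":
        raise RuleError(f"empty qualifier after '{zone}:' in {column}; "
                        f"write '{zone}' for the whole zone or '{zone}:-'")
    # Only an explicit dash (or no ':' at all) means "the whole zone".
    return [(zone, None if qualifier in ("", "-") else qualifier)]


def compile_rule(line, params, zones):
    """Compile 'ACTION SOURCE DEST [PROTO]' into (chain, action, src, dst, proto).

    Columns are split *before* expansion, so a variable that expands to ''
    leaves an empty column behind (and is caught) instead of shifting the
    columns to its right.
    """
    columns = [expand(col, params) for col in line.split()]
    if len(columns) < 3:
        raise RuleError(f"need at least ACTION SOURCE DEST: {line!r}")
    action, source, dest = columns[:3]
    proto = columns[3] if len(columns) > 3 else "-"
    if proto == "":
        raise RuleError("PROTO is empty after expansion; use '-' for any protocol")
    compiled = []
    for szone, squal in parse_endpoint(source, zones, "SOURCE"):
        for dzone, dqual in parse_endpoint(dest, zones, "DEST"):
            if szone == dzone:
                continue  # constructed simplification: no intra-zone chains
            compiled.append((f"{szone}2{dzone}", action, squal, dqual,
                             None if proto == "-" else proto))
    return compiled


def is_rejected(line, params, zones):
    """True if compile_rule refuses the line."""
    try:
        compile_rule(line, params, zones)
    except RuleError:
        return True
    return False


# Constructed sample configuration (not from any real Shorewall install).
ZONES = ["fw", "loc", "net", "dmz"]
PARAMS = {"ADMIN": "10.0.0.5", "EMPTY": "", "ANY": "-"}

if __name__ == "__main__":
    print(compile_rule("ACCEPT loc:$ADMIN net tcp", PARAMS, ZONES))
    for bad in ("ACCEPT loc:$NOSUCH net -",   # undefined -> fatal
                "ACCEPT loc:$EMPTY net -",    # expands to 'loc:' -> rejected
                "ACCEPT loc net $EMPTY"):     # empty PROTO column -> rejected
        print(bad, "->", "rejected" if is_rejected(bad, PARAMS, ZONES) else "accepted")
    print(compile_rule("ACCEPT loc:$ANY all -", PARAMS, ZONES))  # explicit dash is fine
```

Run the file directly to see the accepted and rejected lines; the point of the per-column expansion is that `$EMPTY` in the PROTO position is reported as an empty column rather than quietly disappearing, while `$ANY` (defined as `-`) still reaches the wildcard form because the author wrote the dash on purpose.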
Roberto C. Sánchez
2008-Mar-06 20:43 UTC
Re: Dangerous BUG: Beware non-existent variables in your rules
On Thu, Mar 06, 2008 at 06:33:44PM +0000, Andrew Suffield wrote:
> On Thu, Mar 06, 2008 at 10:07:06AM -0800, Tom Eastep wrote:
> > > Attached is a patch that will correct this egregious bug.
> > >
> >
> > Turning serious for a moment, the attached is a less sarcastic patch which
> > will generate a fatal error if a non-existent variable is used (a variable
> > not defined in /etc/shorewall/params and not exported by the shell).
> >
> > Empty variables can be useful, so it seems unwise to reject them out of
> > hand. I could add an option to reject them, however.
> >
> > Any opinions?
>
> Require spaces that 'should' contain a value to contain a non-empty
> string after expansion, but allow it to be a dash to indicate "I
> really mean this space to go to its wildcard form". Don't ever let the
> empty string be meaningful.
>

I agree.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Paul Gear
2008-Mar-07 01:39 UTC
Re: [Shorewall-users] Dangerous BUG: Beware non-existent variables in your rules
Tom Eastep wrote:
> Tom Eastep wrote:
>
>> Attached is a patch that will correct this egregious bug.
>>
>
> Turning serious for a moment, the attached is a less sarcastic patch which
> will generate a fatal error if a non-existent variable is used (a variable
> not defined in /etc/shorewall/params and not exported by the shell).
>
> Empty variables can be useful, so it seems unwise to reject them out of
> hand. I could add an option to reject them, however.
>
> Any opinions?

I think you know my thoughts on this already - anything that saves me from
my own fat fingers is a good thing. :-)

Paul
Paolo Basenghi
2008-Mar-07 08:11 UTC
Re: Dangerous BUG: Beware non-existent variables in your rules
Hello,
what Shorewall releases are affected?
Bye

Paolo Basenghi - Centro elaborazione dati
Az.Spec.Farmacie Comunali Riunite
Via Doberdo' 9 - 42100 Reggio Emilia
Tel +39(0522)543312
email: paolo.basenghi@fcr.re.it
www.fcr.re.it - www.informazionisuifarmaci.it
www.saninforma.it - www.futurfarma.it

Tom Eastep wrote:
> Guilsson . wrote:
>> Previously:
>> *ACCEPT loc:$ADMIN all all*
>>
>> with a non-existent variable ADMIN generates an error:
>> *ERROR: Empty source zone or qualifier: rule "ACCEPT loc: net
>> all "*
>>
>> NOW IT BECOMES 'n' POLICIES FOR ALL ZONES IN YOUR FIREWALL.
>>
>> It's the same as creating these policies:
>> loc net ACCEPT
>> loc dmz ACCEPT
>> loc vpn ACCEPT
>> loc web ACCEPT
>> loc wifi ACCEPT
>> loc z1 ACCEPT
>> loc z2 ACCEPT
>> and so on, for every zone in your firewall.
>>
>> output with debug:
>> -A loc2dmz -p 0 -j ACCEPT
>> -A loc2fw -p 0 -j ACCEPT
>> -A loc2net -p 0 -j ACCEPT
>> -A loc2vpn -p 0 -j ACCEPT
>> -A loc2web -p 0 -j ACCEPT
>> -A loc2wifi -p 0 -j ACCEPT
>> -A loc2z1 -p 0 -j ACCEPT
>> -A loc2z2 -p 0 -j ACCEPT
>
> Attached is a patch that will correct this egregious bug.
>
> -Tom
>
Roberto C. Sánchez
2008-Mar-07 08:19 UTC
Re: Dangerous BUG: Beware non-existent variables in your rules
On Fri, Mar 07, 2008 at 09:11:13AM +0100, Paolo Basenghi wrote:
> Hello,
> what Shorewall releases are affected?
> Bye
>

Basically all. The next release will be patched against it. But the
workaround is "don't use undefined shell variables."

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
Tom Eastep
2008-Mar-07 14:16 UTC
Re: Dangerous BUG: Beware non-existent variables in your rules
Roberto C. Sánchez wrote:
> On Fri, Mar 07, 2008 at 09:11:13AM +0100, Paolo Basenghi wrote:
>> Hello,
>> what Shorewall releases are affected?
>> Bye
>>
> Basically all. The next release will be patched against it. But the
> workaround is "don't use undefined shell variables."

The particular bug reported is in Shorewall-perl only though.

-Tom
--
Tom Eastep        \ Nothing is foolproof to a sufficiently talented fool
Shoreline,         \ http://shorewall.net
Washington USA      \ teastep@shorewall.net
PGP Public Key       \ https://lists.shorewall.net/teastep.pgp.key
Roberto C. Sánchez
2008-Mar-08 00:07 UTC
Re: Dangerous BUG: Beware non-existent variables in your rules
On Fri, Mar 07, 2008 at 06:16:16AM -0800, Tom Eastep wrote:
> Roberto C. Sánchez wrote:
> > On Fri, Mar 07, 2008 at 09:11:13AM +0100, Paolo Basenghi wrote:
> >> Hello,
> >> what Shorewall releases are affected?
> >> Bye
> >>
> > Basically all. The next release will be patched against it. But the
> > workaround is "don't use undefined shell variables."
>
> The particular bug reported is in Shorewall-perl only though.
>

Yes, of course. Apologies for the ambiguity.

Regards,

-Roberto
--
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com