Don Drohman
2012-Jun-18 00:59 UTC
Re: Problem with Fedora 17 and comments / log commands with --log-prefix modifier
Greetings

Comment and log commands with the --log-prefix modifier seem to be generating actual loaded rules that are incorrect in newly created and upgraded Fedora 17 systems. I think it might have something to do with the way the double quote is being interpreted, as that seems to be common between the two issues, and if I take a single rule in the compiled output file and modify out (delete) the double quotes and then start that compiled file, it creates the rule correctly. This only works on comments and log commands with no spaces. I am not getting any errors during compile or load, and all the rules/functionality of the firewall seems to be intact. The only noticeable issue is logging output has an incorrect prefix. It doesn't seem to be an iptables issue, as I can take a compiled line as-is and run it in using iptables command directly, and it loads fine.

Steps to reproduce:
- Minimal install of Fedora 17, single interface
- Get all yum updates
- Use yum to install shorewall-core, shorewall (v4.5.4), and all dependencies - but I tested with 4.5.5.1 and found same results
- Stop and disable iptables
- Configure shorewall (config files attached in config.zip)
- shorewall start
- shorewall show (output is shorewall.show.1) (attached)

Some sample problematic lines:

    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 6 prefix "--log-prefix"
    0     0 reject     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            multiport dports 135,139,445 /* --c */
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:1900 /* --co */
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0            icmptype 11 /* --comment */

If it might be helpful, I also ran the command shorewall compile firewall.compiled (attached). And to wrap it up, have included the output from shorewall dump > shorewall.dump.

Any thoughts would be appreciated.

Thank you
-Don

------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats.
http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Tom Eastep
2012-Jun-18 12:56 UTC
Re: Problem with Fedora 17 and comments / log commands with --log-prefix modifier
On 06/17/2012 05:59 PM, Don Drohman wrote:
> And to wrap it up, have included the output from shorewall dump > shorewall.dump

I don't see an attachment.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2012-Jun-18 13:37 UTC
Re: Problem with Fedora 17 and comments / log commands with --log-prefix modifier
On 06/17/2012 05:59 PM, Don Drohman wrote:
>
> It doesn't seem to be an iptables issue, as I can take a compiled
> line as-is and run it in using iptables command directly, and it
> loads fine.

It *is* an iptables issue (iptables-restore, that is); try this simple experiment:

    iptables -N foo
    iptables -A foo -j LOG --log-prefix "foo bar"
    iptables -A foo -j ACCEPT -m comment --comment "foo bar"
    iptables -L -nv foo
    iptables-save > ipt
    iptables-restore < ipt
    iptables -L -nv foo

The rules in the 'ipt' file are fine, but when restored they are mangled.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Don Drohman
2012-Jun-18 17:57 UTC
Re: Problem with Fedora 17 and comments / log commands with --log-prefix modifier
Looks like attachments hung up in a filter somewhere due to size. Here are all zipped.

I will try the iptables test this evening.

Thanks
-Don

-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, June 18, 2012 6:38 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Problem with Fedora 17 and comments / log commands with --log-prefix modifier

On 06/17/2012 05:59 PM, Don Drohman wrote:
>
> It doesn't seem to be an iptables issue, as I can take a compiled
> line as-is and run it in using iptables command directly, and it
> loads fine.

It *is* an iptables issue (iptables-restore, that is); try this simple experiment:

    iptables -N foo
    iptables -A foo -j LOG --log-prefix "foo bar"
    iptables -A foo -j ACCEPT -m comment --comment "foo bar"
    iptables -L -nv foo
    iptables-save > ipt
    iptables-restore < ipt
    iptables -L -nv foo

The rules in the 'ipt' file are fine, but when restored they are mangled.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Tom Eastep
2012-Jun-18 18:08 UTC
Re: Problem with Fedora 17 and comments / log commands with --log-prefix modifier
On 06/18/2012 10:57 AM, Don Drohman wrote:
> Looks like attachments hung up in a filter somewhere due to size. Here are all zipped.
>
> I will try the iptables test this evening.

Thanks. If you get the same results, please report the problem to Fedora. The iptables version is 1.4.12.2-5; I run 1.4.12.2 as released by the Netfilter team, and that code doesn't exhibit this incorrect behavior. So it must be something added by the Fedora folks.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Tom Eastep
2012-Jun-18 19:05 UTC
Re: Problem with Fedora 17 and comments / log commands with --log-prefix modifier
On 06/18/2012 11:08 AM, Tom Eastep wrote:
> On 06/18/2012 10:57 AM, Don Drohman wrote:
>> Looks like attachments hung up in a filter somewhere due to size. Here are all zipped.
>>
>> I will try the iptables test this evening.
>
> Thanks. If you get the same results, please report the problem to
> Fedora. The iptables version is 1.4.12.2-5; I run 1.4.12.2 as released
> by the Netfilter team, and that code doesn't exhibit this incorrect
> behavior. So it must be something added by the Fedora folks.

The other thing to look at is /var/lib/shorewall/.iptables-restore-input. The Shorewall-generated script (/var/lib/shorewall/firewall) passed that file to iptables-restore during the last start/restart. I think you will see that the rules are correct in that file.

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Don Drohman
2012-Jun-18 23:42 UTC
Re: Problem with Fedora 17 and comments / log commands with --log-prefix modifier
-----Original Message-----
From: Tom Eastep [mailto:teastep@shorewall.net]
Sent: Monday, June 18, 2012 11:09 AM
To: shorewall-users@lists.sourceforge.net
Subject: Re: [Shorewall-users] Problem with Fedora 17 and comments / log commands with --log-prefix modifier

On 06/18/2012 10:57 AM, Don Drohman wrote:
> Looks like attachments hung up in a filter somewhere due to size. Here are all zipped.
>
> I will try the iptables test this evening.

Thanks. If you get the same results, please report the problem to Fedora. The iptables version is 1.4.12.2-5; I run 1.4.12.2 as released by the Netfilter team, and that code doesn't exhibit this incorrect behavior. So it must be something added by the Fedora folks.

-Tom
--

Correct on both counts.

1) Simple test

The ipt file had good data:

    # Generated by iptables-save v1.4.12.2 on Mon Jun 18 16:21:35 2012
    *filter
    :INPUT ACCEPT [117:7793]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [129:13740]
    :foo - [0:0]
    -A foo -j LOG --log-prefix "foo bar"
    -A foo -m comment --comment "foo bar" -j ACCEPT
    COMMIT
    # Completed on Mon Jun 18 16:21:35 2012

But using iptables-restore < ipt resulted in a mess:

    Chain foo (0 references)
     pkts bytes target     prot opt in     out     source               destination
        0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "--log-p"
        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* --comme */

2) Review of /var/lib/shorewall/.iptables-restore-input

All had commands that looked correct.

I'm off to Fedora to file a bug report.

Thanks Tom
-Don
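Tom's experiment and Don's result both come down to one comparison: the --log-prefix and --comment strings in the file handed to iptables-restore versus what `iptables -L -nv` shows afterwards. The script below automates that comparison so a round-trip regression of this kind can be caught by a check rather than by eye. It is an added example, not code from this thread, from Shorewall or from the iptables project. The ipt file and the mangled listing are the ones Don posted, embedded here as constructed sample text; the "intact" listing, the function names and the parsing regexes are assumptions of this example, not output captured from a real system.

```python
"""Check that --log-prefix / --comment strings survive an iptables-restore round trip.

Added example for the Shorewall-users thread (not Shorewall's or iptables' code).
It compares the rule file fed to iptables-restore with the `iptables -L -nv <chain>`
listing taken afterwards: on a healthy system they agree; on the Fedora 17 build
reported in the thread the strings come back mangled.
"""
import re
import shlex

# Constructed sample: the ipt file from the thread (the input to iptables-restore).
SAVE_FILE = """# Generated by iptables-save v1.4.12.2 on Mon Jun 18 16:21:35 2012
*filter
:INPUT ACCEPT [117:7793]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [129:13740]
:foo - [0:0]
-A foo -j LOG --log-prefix "foo bar"
-A foo -m comment --comment "foo bar" -j ACCEPT
COMMIT
# Completed on Mon Jun 18 16:21:35 2012
"""

# Constructed sample: `iptables -L -nv foo` after the restore, as posted in the thread.
LISTING_MANGLED = """Chain foo (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "--log-p"
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* --comme */
"""

# Constructed sample (assumed, not captured): the same listing when the round trip is intact.
LISTING_OK = """Chain foo (0 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4 prefix "foo bar"
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            /* foo bar */
"""

RULE_LINE = re.compile(r"^\s*\d+\s+\d+\s+\S+")   # "pkts bytes target ..." data rows only
PREFIX_RE = re.compile(r'prefix "(.*?)"')         # LOG target renders the prefix in quotes
COMMENT_RE = re.compile(r"/\* (.*?) \*/")         # comment match renders as /* ... */


def expected_strings(save_text, chain):
    """Per rule appended to `chain` in the save file, the prefix/comment it asked for."""
    rules = []
    for line in save_text.splitlines():
        if not line.startswith(f"-A {chain} "):
            continue
        tokens = shlex.split(line)  # honours the double quotes around "foo bar"
        found = {}
        for i, tok in enumerate(tokens[:-1]):
            if tok == "--log-prefix":
                found["prefix"] = tokens[i + 1]
            elif tok == "--comment":
                found["comment"] = tokens[i + 1]
        rules.append(found)
    return rules


def listed_strings(listing_text):
    """Per data row of `iptables -L -nv`, the prefix/comment the kernel actually holds."""
    rules = []
    for line in listing_text.splitlines():
        if not RULE_LINE.match(line):
            continue
        found = {}
        if m := PREFIX_RE.search(line):
            found["prefix"] = m.group(1)
        if m := COMMENT_RE.search(line):
            found["comment"] = m.group(1)
        rules.append(found)
    return rules


def check_roundtrip(save_text, listing_text, chain):
    """Return (rule_index, kind, expected, actual) for every string that did not survive."""
    expected = expected_strings(save_text, chain)
    actual = listed_strings(listing_text)
    if len(expected) != len(actual):
        return [(None, "rule count", len(expected), len(actual))]
    mismatches = []
    for idx, (exp, act) in enumerate(zip(expected, actual)):
        for kind, value in exp.items():
            if act.get(kind) != value:
                mismatches.append((idx, kind, value, act.get(kind)))
    return mismatches


if __name__ == "__main__":
    for label, listing in (("mangled", LISTING_MANGLED), ("intact", LISTING_OK)):
        problems = check_roundtrip(SAVE_FILE, listing, "foo")
        print(f"{label}: {'OK' if not problems else problems}")
```

On a live system the same two functions can be pointed at /var/lib/shorewall/.iptables-restore-input and at the output of `iptables -L -nv <chain>` taken right after a start or restart; a non-empty mismatch list is the signal that the restore path, not the compiled rules, altered the strings.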