start script fails with upstart (if config requires DNS resolv)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
firehol (Ubuntu) | Triaged | High | Unassigned |
Bug Description
Binary package hint: firehol
ubuntu 9.10, 10.04, 10.10, ...
The failure to load with domain names used in the firehol.conf may have arisen with the network now set up by upstart's native /etc/init mechanism (instead of with symlinks in /etc/rc?.d) or been present all the time.
However, a proper fix should now be to ship firehol with specific upstart definitions and corresponding config files:
1) /etc/init/
2) /etc/init/
Symptoms (with domain names used like in "client http accept dst archive.
* /etc/init.d/firehol script is there
* /etc/firehol/
* firehol can be started with "/etc/init.
* symlinks in /etc/rc?.d do exist
However, after a reboot the chains are empty:
# iptables iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Solution:
Load only a basic (blocking) config file with numeric IPs in the early boot process,
and (re)load the real firehol.conf later, each time a network device got set up.
Workaround:
Call "firehol /etc/firehol/
(Warning: System is without protection until a successful firehol start.)
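The boot sequence the Solution above describes, as an added example that is not code from the bug report or the firehol package: a POSIX sh helper that loads a numeric-only fallback config first and starts the real firehol.conf only once every hostname it references resolves. The config paths, the wait limit and the `firehol CONFIG start` invocation are assumptions; the report's own paths are truncated.

```shell
#!/bin/sh
# Added example, not from the bug report or the firehol package: numeric-only
# fallback rules first, the real config only once its hostnames resolve.
# Paths and the wait limit are assumptions (the report's own paths are truncated).
BASIC_CONF=${BASIC_CONF:-/etc/firehol/firehol-basic.conf}
REAL_CONF=${REAL_CONF:-/etc/firehol/firehol.conf}
DNS_WAIT_SECS=${DNS_WAIT_SECS:-120}

# Print, deduplicated, every non-numeric host after a src/dst keyword in a
# firehol config: comments and "not" are handled, quoted space-separated lists
# are expanded, IPv4 (dotted/CIDR) and IPv6 (contains ':') literals are skipped.
config_hostnames() {
    sed 's/#.*//' "$1" | awk '{
        i = 1
        while (i <= NF) {
            if ($i != "src" && $i != "dst") { i++; continue }
            i++
            if ($i == "not") i++
            list = $i
            if (substr($i, 1, 1) == "\"")   # quoted list: collect up to the closing quote
                while (i <= NF && substr($i, length($i), 1) != "\"") { i++; list = list " " $i }
            i++
            gsub(/"/, "", list)
            n = split(list, hosts, /[ ,]+/)
            for (k = 1; k <= n; k++)
                if (hosts[k] != "" && hosts[k] !~ /^[0-9.\/]+$/ && hosts[k] !~ /:/)
                    print hosts[k]
        }
    }' | sort -u
}

# Succeed only when every hostname the config needs resolves right now.
dns_ready() {
    for h in $(config_hostnames "$1"); do
        getent hosts "$h" >/dev/null 2>&1 || return 1
    done
    return 0
}

# Boot sequence, run as "firehol-wait-dns.sh start" (assumes firehol CONFIG start).
if [ "${1:-}" = "start" ]; then
    firehol "$BASIC_CONF" start    # protection from numeric rules, no DNS needed
    waited=0
    until dns_ready "$REAL_CONF"; do
        [ "$waited" -lt "$DNS_WAIT_SECS" ] ||
            { echo "DNS still unavailable after ${DNS_WAIT_SECS}s; keeping basic rules" >&2; exit 1; }
        sleep 5; waited=$((waited + 5))
    done
    exec firehol "$REAL_CONF" start
fi
```

The early fallback config must itself contain only numeric addresses, otherwise it fails at the same point the report describes.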
summary: firhol not started on boot (with START_FIREHOL=yes) → firehol not started on boot (with START_FIREHOL=yes)
Changed in firehol (Ubuntu):
status: New → Triaged
importance: Undecided → High
summary: firehol not started on boot (with START_FIREHOL=yes) → not started on boot (DNS resolv fails)
description: updated
description: updated
description: updated
summary: not started on boot (DNS resolv fails) → start script fails (if config requires DNS resolv)
description: updated
description: updated
summary: start script fails (if config requires DNS resolv) → start script fails with upstart (if config requires DNS resolv)
Duplicated the wrong way round? Surely the newer ticket should be made a duplicate of the older ticket?
Still, marked as security vulnerability. Not having a firewall after bootup is a security risk.