Fails to start, firewall left open

Bug #41087 reported by Tero Karvinen
Affects            Status        Importance  Assigned to  Milestone
firehol (Debian)   Fix Released  Unknown
firehol (Ubuntu)   Fix Released  Medium      Unassigned

Bug Description

Firehol claims it is "already running" but fails to start. Firewall is left completely open.

1) $ sudo /etc/init.d/firehol stop
Stopping iptables firewall: FireHOL ...FireHOL: Clearing Firewall: OK
done.
2) $ sudo /etc/init.d/firehol start
Starting iptables firewall: FireHOL ...Stopping: FireHOL is already running.
done.

What should happen: firewall should be enabled, blocking unwanted traffic.

What actually happens: Firewall is open, letting everything through.
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Bug bypass: 'sudo /etc/init.d/firehol restart'

Tested on Ubuntu 5.10 Breezy Badger, firehol 1.231-2 and iptables 1.3.1-2ubuntu1.1. Was reproducible on multiple computers. Vesa Nieminen and "Linux-verkon hallinta" course helped to find this bug.
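The failure described above is a lockfile that `stop` left behind, so the next `start` refused to run and the host kept ACCEPT policies on every chain. The script below is an added example, not FireHOL's init script: the `LOCKFILE` path and all function names are hypothetical. It shows the two defensive pieces such a script wants: a lock counts as live only when the PID it names still exists (a leftover file no longer blocks a start), and after starting, the built-in chain policies are checked so that an open firewall is reported rather than silently accepted. The `iptables -L` output from the report is embedded as constructed sample input for that check.

```shell
#!/bin/sh
# Added example, not FireHOL's own code. LOCKFILE is a hypothetical path;
# override it in the environment for testing.
LOCKFILE="${LOCKFILE:-/tmp/fw-example.lock}"

# Succeed only if the lockfile exists AND names a process that is still alive.
# A file left behind by a stop that did not delete it is treated as stale.
lock_is_live() {
    [ -f "$LOCKFILE" ] || return 1
    pid=$(cat "$LOCKFILE" 2>/dev/null)
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;     # empty or non-numeric content: stale
    esac
    kill -0 "$pid" 2>/dev/null      # signal 0 only tests existence
}

fw_start() {
    if lock_is_live; then
        echo "firewall: already running (pid $(cat "$LOCKFILE"))" >&2
        return 2
    fi
    rm -f "$LOCKFILE"               # discard a stale lock instead of refusing
    echo "$$" > "$LOCKFILE"
    # the real script would load the rule set here (e.g. iptables-restore)
    return 0
}

fw_stop() {
    # the real script would flush the rules here
    rm -f "$LOCKFILE"               # always remove the lock on stop
}

# Read "iptables -L" output on stdin; fail if INPUT or FORWARD still has
# policy ACCEPT, which is what the reporter saw after the failed start.
# On a real host, run after start:
#   iptables -L -n | policies_enforced || echo "firewall did not come up" >&2
policies_enforced() {
    ! grep -E '^Chain (INPUT|FORWARD) \(policy ACCEPT\)' >/dev/null
}

# Constructed samples: the open firewall from the report, and a closed one.
SAMPLE_OPEN='Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination'

SAMPLE_CLOSED='Chain INPUT (policy DROP)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination'
```

The `kill -0` probe is what distinguishes "already running" from "a stale file is lying around"; the original symptom came from testing only for the file's existence.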

Revision history for this message
Alexander Wirt (formorer) wrote : Bug#315399: fixed in firehol 1.231-3

Source: firehol
Source-Version: 1.231-3

We believe that the bug you reported is fixed in the latest version of
firehol, which is due to be installed in the Debian FTP archive:

firehol_1.231-3.diff.gz
  to pool/main/f/firehol/firehol_1.231-3.diff.gz
firehol_1.231-3.dsc
  to pool/main/f/firehol/firehol_1.231-3.dsc
firehol_1.231-3_all.deb
  to pool/main/f/firehol/firehol_1.231-3_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Wirt <email address hidden> (supplier of updated firehol package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Sun, 10 Jul 2005 08:52:50 +0200
Source: firehol
Binary: firehol
Architecture: source all
Version: 1.231-3
Distribution: unstable
Urgency: low
Maintainer: Alexander Wirt <email address hidden>
Changed-By: Alexander Wirt <email address hidden>
Description:
 firehol - An easy to use but powerful iptables stateful firewall
Closes: 309651 315399
Changes:
 firehol (1.231-3) unstable; urgency=low
 .
   * Fixed lockfile deletion (Closes: #315399,#309651)
Files:
 dbaaa8759c62616a5613fbf55348d95c 578 net optional firehol_1.231-3.dsc
 93e451ad0d78c94efc99415a8c10229b 8354 net optional firehol_1.231-3.diff.gz
 f32a91151132893372cfdf7ae372251b 160232 net optional firehol_1.231-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQFC0Mxa01u8mbx9AgoRAoKIAJ45OkpPdkYwlHk8WPyysIrwGtgwGQCbBE+C
65RBnIxgqzJytWhQGVUIPzQ=
=7Rh0
-----END PGP SIGNATURE-----

Revision history for this message
Tilman Koschnick (til) wrote : Sarge's FireHOL fails to start if previously stopped

Hi,

FireHOL, an iptables configuration package, fails to start again if it
was previously stopped (#315399, #309651):

| # /etc/init.d/firehol stop ; /etc/init.d/firehol start
| Stopping iptables firewall: FireHOL ...FireHOL: Clearing Firewall: OK
|
| done.
| Starting iptables firewall: FireHOL ...Stopping: FireHOL is already |
| running.
| done.

According to the changelog, this is fixed in firehol 1.231-3; Sarge has
1.231-2. This bug could possibly leave a system without a firewall
activated, so I'm wondering if the bugfix would warrant an upload to the
security archive.

Cheers, Til

Revision history for this message
Alexander Wirt (formorer) wrote : Re: Bug#315399: Sarge's FireHOL fails to start if previously stopped

Tilman Koschnick schrieb am Dienstag, den 25. Oktober 2005:

> Hi,
>
> FireHOL, an iptables configuration package, fails to start again if it
> was previously stopped (#315399, #309651):
>
> | # /etc/init.d/firehol stop ; /etc/init.d/firehol start
> | Stopping iptables firewall: FireHOL ...FireHOL: Clearing Firewall: OK
> |
> | done.
> | Starting iptables firewall: FireHOL ...Stopping: FireHOL is already |
> | running.
> | done.
>
> According to the changelog, this is fixed in firehol 1.231-3; Sarge has
> 1.231-2. This bug could possibly leave a system without a firewall
> activated, so I'm wondering if the bugfix would warrant an upload to the
> security archive.
No I don't think so, but it will probably be fixed in sarge r1.

Best wishes
Alex

Revision history for this message
Alexander Wirt (formorer) wrote : Bug#315399: fixed in firehol 1.231-2sarge1

Source: firehol
Source-Version: 1.231-2sarge1

We believe that the bug you reported is fixed in the latest version of
firehol, which is due to be installed in the Debian FTP archive:

firehol_1.231-2sarge1.diff.gz
  to pool/main/f/firehol/firehol_1.231-2sarge1.diff.gz
firehol_1.231-2sarge1.dsc
  to pool/main/f/firehol/firehol_1.231-2sarge1.dsc
firehol_1.231-2sarge1_all.deb
  to pool/main/f/firehol/firehol_1.231-2sarge1_all.deb

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to <email address hidden>,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alexander Wirt <email address hidden> (supplier of updated firehol package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing <email address hidden>)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Tue, 25 Oct 2005 09:27:52 +0200
Source: firehol
Binary: firehol
Architecture: source all
Version: 1.231-2sarge1
Distribution: stable
Urgency: low
Maintainer: Alexander Wirt <email address hidden>
Changed-By: Alexander Wirt <email address hidden>
Description:
 firehol - An easy to use but powerful iptables stateful firewall
Closes: 309651 315399
Changes:
 firehol (1.231-2sarge1) stable; urgency=low
 .
   * Fixed lockfile deletion (Closes: #315399,#309651)
     Backported fix from unstable for sarge r1
Files:
 42ceedc465cfebf98bbf341528b95a96 590 net optional firehol_1.231-2sarge1.dsc
 fdd98e2599a94567cd212404f16d9382 8362 net optional firehol_1.231-2sarge1.diff.gz
 fc4a2ff127ca8d3fdedda7ec06cd1fb7 160262 net optional firehol_1.231-2sarge1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)

iD8DBQFDXeFI01u8mbx9AgoRAhoZAKCac9ggRNZFnBdzfos5uibRBL9iOQCeOMQl
QcJmbq3PaS8v4b/RAxVvegw=
=jkya
-----END PGP SIGNATURE-----

Revision history for this message
Tilman Koschnick (til) wrote : Re: Bug#315399: Sarge's FireHOL fails to start if previously stopped

On Tue, 2005-10-25 at 08:20 +0200, Alexander Wirt wrote:
> > According to the changelog, this is fixed in firehol 1.231-3; Sarge has
> > 1.231-2. This bug could possibly leave a system without a firewall
> > activated, so I'm wondering if the bugfix would warrant an upload to the
> > security archive.
> No I don't think so, but it will probably be fixed in sarge r1.

Okay, thanks, that sounds like a good solution to me.

Cheers, Til

Revision history for this message
Kai Kasurinen (kai-kasurinen) wrote :

Thanks for the bug report. I'm closing it because the bug has been fixed in Dapper.

firehol (1.231-3) unstable; urgency=low
 .
   * Fixed lockfile deletion (Closes: #315399,#309651)

Changed in firehol:
status: Unconfirmed → Fix Released
Changed in firehol:
status: Unknown → Fix Released
This report contains Public Security information  
Everyone can see this security related information.