shorewall generating garbled syslog entries

Bug #275121 reported by Gavin McCullagh
Affects: shorewall (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned

Bug Description

Binary package hint: shorewall

Hi,

I'm tentatively tagging this as a security issue. It seems that if firewall logs are being garbled, attacks and intrusions may go undetected. Feel free to overrule me.

I have two separate, fully up-to-date Ubuntu Hardy servers (called bron and dingaling) running quite different configurations of shorewall, both of which have considerable numbers of garbled syslog entries. An example:

Sep 24 12:16:19 bron kernel: [76035.749926] Shorewall:loc2fw:ACCEPT:IN=eth0 OUT= MAC=00:1d:09:8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=53253 DF PROTO=TCP SPT=3776 DPT=557 WI
NDOW=8 LEN=56 TOS=.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 .8 LEN=56 TOS=0x00 PREC=0.8 LEN=56 TOS=0x00 PREC=0x LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=64542 DF PROTO=TCP SPT=2654E
N=56 TOS=0x00 PREC=0x00 TTL=64 ID=12704 DF PROTO=TCP SPT=4499 DPT=956 WINDOW=5840 RES=0xEN=56 TOS=0x00 PREC=0x00 TTEN=56 TOS=0x00 PREC=0x00 TTL=64 LEN=56 TOS=0x00 PREC=0x
00 TTL=64 ID=13736 DF PROTO=TCP SPT=4797 DPT=781 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 24 12:16:19 bron kernel: [76035.751152] Shorewall:loc2fw:ACCEPT:IN=eth0 OUT= MAC=00:1d:09:19:fa:c5:00:b0:d0:d7:e2:77:08:00 SRC=172.18.0.10 DST=172.18.0.8 LEN=56 TOS=0
x00 PREC=0x00 TTL=64 ID=7885 DF PROTO=TCP SPT=1416 DPT=463 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 24 12:16:19 bron kernel: [76035.751232] Shorewall:loc2fw:ACCEPT:IN=eth0 OUT= MAC=00:1d:09:19:fa:c5:00:b0:d0:d7:e2:77:08:00 SRC=172.18.0.10 DST=172.18.0.8 LEN=56 TOS=0
x00 PREC=0x00 TTL=64 ID=400 DF PROTO=TCP SPT=2539 DPT=734 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 24 12:16:19 bron kernel: [76035.752453] Shorewall:loc2fw:ACCEPT:IN=eth0 OUT= MAC=00:1d:09:19:fa:c5:00:N=56 TON=56 TOS=0x00 PREC=0x00 TTL=64 ID=1N=56 TOS=0x00 PREC=0x0
0 TTL=64 ID=21251 DF PROTO=TCP SPT=2131 DPN=56 TOS=0x00 PREC=0x00 TTL=64 ID=40292 DF PROTO=EN=56 TOS=0x00 PREC=0x00 TTL=64 ID=16189 DF PROTO=TCP SPT=4248 DPT=285 WINDOW=5
840 RES=0x00 SYN URGP=0
Sep 24 12:16:19 bron kernel: [76035.753247] ShorN=56 TOS==56 TOS=0x00 PREC=0x00 TTL=64 ID=5065 DF PROTO=TCP SPT=1216 DPT=2032 WINDOW=5840 RES=0x00 S=56 TOS56 TOS=0x00 PRE
C=0x00 TTL=64 ID=8618=56 TOS=0x00 PREC=0x00 N=56 TOS=0x00 PREC=0x00 TN=56 TOS=0x00 PREC=0xN=56 TOS=0x00 PREC==56 TOS=0x00 PREC=56 TOS=0x00 PREC=0x6 TOS=0x00 PREC=0x6 TOS=
0x00 PR56 TOS=0x00 PREC=0x00 TTL=64 ID=63996 DF PROTO=TCP SPT=4959 DPT=447 WINDOW=5840=56 TOS=0x0EN=56 TOS=0x00 PREC=0x00 TTL=64 ID=45213 DF PROTO=TCP SPT=3467 DPT=422 WI
NDOW=5840 REN=56 TOS=0x00 PREC=0x00 TTL=64 ID=41379 DF PROTO=TCP SPT=2355 DPT=27005 WINDO LEN=56 TOS=0x0 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=50747 DF PROTO=T LEN=56 TOS=0
x00 PREC=0x00 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=64599 DF PROTO=TCP SPT LEN=56 TOS=0x00 PREC=0x0LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID LEN=56 TOS=0x00 PREC=0x.8 LEN=56 TOS
=0x00 P.0.8 LEN=56 TOS=0x00 PREC18.0.8 LEN=56 TOS=0x18.0.8 LEN=56 18.0.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=7145 DF 0.88.0.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=25213 DF
 PR1
Sep 24 12:16:19 bron kernel: .0.8 L18.0.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=25914 DF PROTO=TCP SPT=4202 DPT=233 WINDOW=5840 RES=18.0.8 LEN=18.0.8 LEN=56 TOS=0x00 PREC=0
x00 TTL=64 ID=17057 18.0.8 18.0.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=14525 DF P18.0.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=29046 DF PROTO=TCP SPT=1830 DPT=2112 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 24 12:16:19 bron kernel: [76035.757180] Shorewall:loc2fw:ACCEPT:IN=eth0 OUT= MAC=00:1d:09:19:fa:c5:00:b0:d0:d7:e2:77:08:00 SRC=172.18.0.10 DST=172.18.0.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=63203 DF PROTO=TCP SPT=3094 DPT=1762 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 24 12:16:19 bron kernel: [76035.757347] Shorewall:loc2fw:172.18.0.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=45468 DF PROTO=TCP SPT172.72.18.0.8 LEN=56 TOS=2.18.0.8 LEN=562.18.2.18.0.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=3872.1172.18.0.8 LEN=56 TOS=0x00 T=172.18.0.8 LEN=56 =172.18.0.8 L172.18.0.872.18.0.2.18.72.18.0.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=54011 D72.18.0.8 T=172.18.0.8 LEN=56 TOS=0x00 PT=172.18.0.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=30316 DF PROTO=TCP SP172.18.0.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=54044 DF PROTO=TCP SPT=3870 DPT=573 WINDOW=5840 RES=0x00 SYN URGP=0

This behaviour has been quite sporadic. The problem seems to relate to the use of an eth0:1 alias interface and is most visible when I port scan in or out on that interface.

As I type, I'm working on a method to simply reproduce the issue and will revert back shortly.

Gavin

Gavin McCullagh (gmccullagh) wrote :

On my home desktop I've managed to reproduce some garbled messages which should make for easier reproduction by others.

Instructions to reproduce this bug for demonstration purposes:

1. Take a common-or-garden Ubuntu Hardy desktop install with a single network interface, on a subnet with another (ideally Linux) machine.
2. sudo apt-get -y install shorewall nmap
3. sudo cp /usr/share/doc/shorewall-common/examples/one-interface/{rules,interfaces,policy,zones} /etc/shorewall/
4. edit /etc/default/shorewall and set startup=1
5. edit /etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes
6. Edit /etc/shorewall/policy and change _all_ lines to have policy "REJECT" with log level "info"
7. Edit /etc/shorewall/rules changing the Ping/REJECT to Ping/ACCEPT and add these lines
   ACCEPT $FW net tcp 22
   ACCEPT $FW net tcp 22
   ACCEPT net $FW tcp 22
   ACCEPT net $FW tcp 22
8. sudo /etc/init.d/shorewall restart
9. sudo ifconfig eth0:1 192.168.2.1 netmask 255.255.255.0
10. On the other linux machine run
      sudo ifconfig eth0:1 192.168.2.2 netmask 255.255.255.0
11. nmap 192.168.2.2
12. On the other linux machine run
      nmap 192.168.2.1
13. Look in /var/log/syslog and see whether you get any garbled entries.

I have just done this and got garbled messages from the port scans in both directions (fw2net and net2fw):

Sep 27 12:50:02 balti kernel: [ 957.257874] Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=192.168.2.1 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49089 DF PROTO=TCP SPT=47775 DPT=403 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 12:50:02 balti kernel: [ 957.257912] Shorewall:fw2net:REJECT:IN= OUT=et549 DF PROTO=TCP SPT=54860 DPT=302 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 12:50:02 balti kernel: [ 957.260304] Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=192.168.2.1 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9528 DF PROTO=TCP SPT=58089 DPT=727 WINDOW=5840 RES=0x00 SYN URGP=0

Sep 27 12:53:18 balti kernel: [ 1151.778943] Shorewall:net2fw:REJECT:IN=eth0 OUT= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2 DST=192.168.2.1 LEN=60 TOS
=0x00 PREC=0x00 TTL=64 ID=4404 DF PROTO=TCP SPT=54174 DPT=813 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 12:53:18 balti kernel: [ 1151.780464]= MAC=00:30:1b:ae:a2: MAC=00:30:1b:ae:a2 MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2 MAC=00:30:1b:ae:a2: MAC=00:30:1b:ae:a2:2e:00:16:6f:7= MAC=00:30:1b: MAC=00:30:1b:a= MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20990 DF PROTOMAC=00:30:1b:ae:a2AC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2 DSTC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.2.2AC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:0C=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00AC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:0AC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:AC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=192.168.AC=00:30:1b:ae:a2:2e:0AC=00:30:1b:ae:a2:2eMAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25 MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08 MAC=00:30:1b:ae:a2:2e:00:16:6f:7c:25:8a:08:00 SRC=19...
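A defender's check for the failure mode shown in both the description and the reproduction above: a small validator, added here and not part of the bug report or of Shorewall itself, that parses Shorewall's netfilter log lines and flags entries with missing, repeated or unknown fields. The set of known keys is assumed from the default log format visible in the samples above; the two sample lines are taken from the reproduction.

```python
import re
import ipaddress

# Keys the default Shorewall/netfilter LOG line carries (assumed from the samples above).
KNOWN_KEYS = {
    "IN", "OUT", "MAC", "SRC", "DST", "LEN", "TOS", "PREC", "TTL", "ID",
    "PROTO", "SPT", "DPT", "WINDOW", "RES", "URGP", "TYPE", "CODE", "SEQ",
}
REQUIRED_KEYS = {"IN", "OUT", "SRC", "DST", "LEN", "PROTO"}
# Bare flag words that legitimately appear without a value.
FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}
TOKEN = re.compile(r"^([A-Z]+)=(.*)$")
PREFIX = re.compile(r"Shorewall:([^:\s]+):([^:\s]+):(.*)$")

def check_line(line):
    """Return a list of problems found in one syslog line; [] means well-formed."""
    m = PREFIX.search(line)
    if not m:
        return ["no 'Shorewall:<chain>:<action>:' prefix"]
    problems, seen = [], {}
    for tok in m.group(3).split():
        km = TOKEN.match(tok)
        if not km:                       # fragments like "WI" or "PR1" land here
            if tok not in FLAGS:
                problems.append(f"unexpected token {tok!r}")
            continue
        key, val = km.groups()
        if key not in KNOWN_KEYS:        # e.g. "NDOW=" from a split "WINDOW="
            problems.append(f"unknown key {key!r}")
        elif key in seen:                # the same field twice means two entries collided
            problems.append(f"repeated key {key!r}")
        seen[key] = val
    for key in sorted(REQUIRED_KEYS - seen.keys()):
        problems.append(f"missing key {key!r}")
    for key in ("SRC", "DST"):
        if key in seen:
            try:
                ipaddress.IPv4Address(seen[key])
            except ValueError:
                problems.append(f"bad address in {key}={seen[key]!r}")
    return problems

def garbled_lines(lines):
    """Return (line_number, problems) for every Shorewall line that fails the checks."""
    out = []
    for n, line in enumerate(lines, 1):
        if "Shorewall:" in line:
            problems = check_line(line)
            if problems:
                out.append((n, problems))
    return out

# Two lines copied from the reproduction above; the second is a garbled one.
SAMPLE = [
    "Sep 27 12:50:02 balti kernel: [ 957.257874] Shorewall:fw2net:REJECT:IN= OUT=eth0 SRC=192.168.2.1 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49089 DF PROTO=TCP SPT=47775 DPT=403 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Sep 27 12:50:02 balti kernel: [ 957.257912] Shorewall:fw2net:REJECT:IN= OUT=et549 DF PROTO=TCP SPT=54860 DPT=302 WINDOW=5840 RES=0x00 SYN URGP=0",
]
```

Run `garbled_lines(open("/var/log/syslog"))` to list every entry that a log parser or IDS would have silently mis-read.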

Gavin McCullagh (gmccullagh) wrote :

As nobody has even responded, there's no point in leaving this bug private. I'm opening it.

Dimitrios Symeonidis (azimout) wrote :

Thank you for taking the time to report this bug and helping to make Ubuntu better. You reported this bug a while ago and there hasn't been any activity in it recently. We were wondering if this is still an issue for you. Can you try with the latest Ubuntu release? Thanks in advance.

Changed in shorewall (Ubuntu):
status: New → Incomplete
Gavin McCullagh (gmccullagh) wrote :

To be honest, that firewall has since been reinstalled and is running Vyatta so it's not a big issue for me now.

I did manage to repeat the bug on a desktop and gave instructions for others to do so, but it sounds like nobody's interested in trying.

Changed in shorewall (Ubuntu):
status: Incomplete → New
Colin Kelly (colinrk) wrote :

Over at shorewall.net and possibly in some of the manpages they explain that virtual interfaces are incompatible with shorewall.
