shorewall generating garbled syslog entries
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
shorewall (Ubuntu) | New | Undecided | Unassigned |
Bug Description
Binary package hint: shorewall
Hi,
I'm tentatively tagging this as a security issue. It seems that if firewall logs are being garbled, attacks and intrusions may go undetected. Feel free to over-rule me.
I have two separate fully up to date Ubuntu Hardy servers (called: bron and dingaling) running quite different configurations of shorewall, both of which have considerable numbers of garbled syslog entries. An example:
Sep 24 12:16:19 bron kernel: [76035.749926] Shorewall:
NDOW=8 LEN=56 TOS=.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 .8 LEN=56 TOS=0x00 PREC=0.8 LEN=56 TOS=0x00 PREC=0x LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=64542 DF PROTO=TCP SPT=2654E
N=56 TOS=0x00 PREC=0x00 TTL=64 ID=12704 DF PROTO=TCP SPT=4499 DPT=956 WINDOW=5840 RES=0xEN=56 TOS=0x00 PREC=0x00 TTEN=56 TOS=0x00 PREC=0x00 TTL=64 LEN=56 TOS=0x00 PREC=0x
00 TTL=64 ID=13736 DF PROTO=TCP SPT=4797 DPT=781 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 24 12:16:19 bron kernel: [76035.751152] Shorewall:
x00 PREC=0x00 TTL=64 ID=7885 DF PROTO=TCP SPT=1416 DPT=463 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 24 12:16:19 bron kernel: [76035.751232] Shorewall:
x00 PREC=0x00 TTL=64 ID=400 DF PROTO=TCP SPT=2539 DPT=734 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 24 12:16:19 bron kernel: [76035.752453] Shorewall:
0 TTL=64 ID=21251 DF PROTO=TCP SPT=2131 DPN=56 TOS=0x00 PREC=0x00 TTL=64 ID=40292 DF PROTO=EN=56 TOS=0x00 PREC=0x00 TTL=64 ID=16189 DF PROTO=TCP SPT=4248 DPT=285 WINDOW=5
840 RES=0x00 SYN URGP=0
Sep 24 12:16:19 bron kernel: [76035.753247] ShorN=56 TOS==56 TOS=0x00 PREC=0x00 TTL=64 ID=5065 DF PROTO=TCP SPT=1216 DPT=2032 WINDOW=5840 RES=0x00 S=56 TOS56 TOS=0x00 PRE
C=0x00 TTL=64 ID=8618=56 TOS=0x00 PREC=0x00 N=56 TOS=0x00 PREC=0x00 TN=56 TOS=0x00 PREC=0xN=56 TOS=0x00 PREC==56 TOS=0x00 PREC=56 TOS=0x00 PREC=0x6 TOS=0x00 PREC=0x6 TOS=
0x00 PR56 TOS=0x00 PREC=0x00 TTL=64 ID=63996 DF PROTO=TCP SPT=4959 DPT=447 WINDOW=5840=56 TOS=0x0EN=56 TOS=0x00 PREC=0x00 TTL=64 ID=45213 DF PROTO=TCP SPT=3467 DPT=422 WI
NDOW=5840 REN=56 TOS=0x00 PREC=0x00 TTL=64 ID=41379 DF PROTO=TCP SPT=2355 DPT=27005 WINDO LEN=56 TOS=0x0 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=50747 DF PROTO=T LEN=56 TOS=0
x00 PREC=0x00 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=64599 DF PROTO=TCP SPT LEN=56 TOS=0x00 PREC=0x0LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID LEN=56 TOS=0x00 PREC=0x.8 LEN=56 TOS
=0x00 P.0.8 LEN=56 TOS=0x00 PREC18.0.8 LEN=56 TOS=0x18.0.8 LEN=56 18.0.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=7145 DF 0.88.0.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=25213 DF
PR1
Sep 24 12:16:19 bron kernel: .0.8 L18.0.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=25914 DF PROTO=TCP SPT=4202 DPT=233 WINDOW=5840 RES=18.0.8 LEN=18.0.8 LEN=56 TOS=0x00 PREC=0
x00 TTL=64 ID=17057 18.0.8 18.0.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=14525 DF P18.0.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=29046 DF PROTO=TCP SPT=1830 DPT=2112 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 24 12:16:19 bron kernel: [76035.757180] Shorewall:
Sep 24 12:16:19 bron kernel: [76035.757347] Shorewall:
This behaviour has been quite sporadic. The problem seems to relate to the use of an eth0:1 alias interface and is most visible when I port scan in or out on that interface.
As I type, I'm working on a method to simply reproduce the issue and will revert back shortly.
Gavin
Changed in shorewall (Ubuntu): status: Incomplete → New
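A defender-side check for the concern raised in the description, that garbled firewall logs can hide events: this is an added example, not code from the bug report or from Shorewall. It validates each syslog line against the kernel LOG record layout quoted above and flags lines that lack the kernel prefix, carry an empty message, or contain fields duplicated by two records running together. The regexes, the required-field list and the sample lines are this example's own assumptions, the sample being constructed to mirror the quoted entries.

```python
import re
# Kernel LOG record as relayed by syslog for a Shorewall rule (shape taken from the report).
PREFIX_RE = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ kernel: \[ *\d+\.\d+\] Shorewall:(?P<body>.*)$")
HEAD_RE = re.compile(r"^ (?P<chain>[\w-]+): (?P<action>[A-Z_]+): (?P<rest>.*)$")
TOKEN_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")
# Fields every complete netfilter LOG record for a TCP packet carries (assumed list).
REQUIRED = ("IN", "OUT", "SRC", "DST", "LEN", "TOS", "PREC", "TTL", "ID",
            "PROTO", "SPT", "DPT", "WINDOW", "RES", "URGP")

def check_line(line):
    """Return the defects found in one syslog line; an empty list means well formed."""
    m = PREFIX_RE.match(line)
    if not m:
        return ["no syslog/kernel prefix"]          # e.g. "NDOW=8 LEN=56 ..." fragments
    body = m.group("body")
    if not body.strip():
        return ["empty message after 'Shorewall:'"]
    h = HEAD_RE.match(body)
    if not h:
        return ["missing 'chain: ACTION:' header"]
    problems = []
    if re.search(r"\b[\w-]+: [A-Z_]+: ", h.group("rest")):
        problems.append("repeated 'chain: ACTION:' header")   # two records run together
    seen, fields = {}, {}
    for t in TOKEN_RE.finditer(h.group("rest")):
        seen[t["key"]] = seen.get(t["key"], 0) + 1
        fields.setdefault(t["key"], t["val"])        # keep the first value of each key
    dup = [k for k in fields if seen[k] > 1]
    if dup:
        problems.append("duplicated fields: " + ",".join(dup))
    missing = [k for k in REQUIRED if k not in fields]
    if missing:
        problems.append("missing fields: " + ",".join(missing))
    return problems

def scan(lines):
    """(index, defects) for every line that fails check_line(); clean lines are omitted."""
    return [(i, p) for i, l in enumerate(lines) if (p := check_line(l))]

# Constructed sample: a clean record, an empty message, two records run together
# with duplicated fields, and a prefix-less continuation fragment.
SAMPLE = [
    "Sep 27 12:50:02 balti kernel: [ 957.257874] Shorewall: fw2net: REJECT: IN= OUT=eth0 SRC=192.168.2.1 "
    "DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49089 DF PROTO=TCP SPT=47775 DPT=403 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Sep 27 12:50:02 balti kernel: [ 957.257912] Shorewall:",
    "Sep 27 12:50:02 balti kernel: [ 957.260304] Shorewall: fw2net: REJECT: IN= OUT=eth0 SRC=192.168.2.1 DST=192.168.2.2 "
    "LEN=60 TOS=0x00 fw2net: REJECT: IN= OUT=et549 DF PROTO=TCP SPT=54860 DPT=302 WINDOW=5840 RES=0x00 SYN URGP=0",
    "NDOW=8 LEN=56 TOS=.8 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=64542 DF PROTO=TCP SPT=2654E",
]
```

Run `scan(open("/var/log/syslog").read().splitlines())` over a real log to get the index and defect list of every suspect line; a non-empty result on a freshly rotated log is the signal that the rule logging is not trustworthy.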
On my home desktop I've managed to reproduce some garbled messages which should make for easier reproduction by others.
Instructions to reproduce this bug for demonstration purposes:
1. Take a common or garden Ubuntu Hardy desktop install with a single network interface, on a subnet with another (ideally linux) machine.
2. sudo apt-get -y install shorewall nmap
3. sudo cp /usr/share/doc/shorewall-common/examples/one-interface/{rules,interfaces,policy,zones} /etc/shorewall/
4. edit /etc/default/shorewall and set startup=1
5. edit /etc/shorewall/shorewall.conf and set STARTUP_ENABLED=Yes
6. Edit /etc/shorewall/policy and change _all_ lines to have policy "REJECT" with log level "info"
7. Edit /etc/shorewall/rules changing the Ping/REJECT to Ping/ACCEPT and add these lines
ACCEPT $FW net tcp 22
ACCEPT net $FW tcp 22
8. sudo /etc/init.d/shorewall restart
9. sudo ifconfig eth0:1 192.168.2.1 netmask 255.255.255.0
10. On the other linux machine run
sudo ifconfig eth0:1 192.168.2.2 netmask 255.255.255.0
11. nmap 192.168.2.2
12. On the other linux machine run
nmap 192.168.2.1
13. Look in /var/log/syslog and see whether you get any garbled entries.
I have just done this and got garbled messages from the port scans in both directions (fw2net and net2fw):
Sep 27 12:50:02 balti kernel: [ 957.257874] Shorewall: fw2net: REJECT: IN= OUT=eth0 SRC=192.168.2.1 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=49089 DF PROTO=TCP SPT=47775 DPT=403 WINDOW=5840 RES=0x00 SYN URGP=0 fw2net: REJECT: IN= OUT=et549 DF PROTO=TCP SPT=54860 DPT=302 WINDOW=5840 RES=0x00 SYN URGP=0 fw2net: REJECT: IN= OUT=eth0 SRC=192.168.2.1 DST=192.168.2.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9528 DF PROTO=TCP SPT=58089 DPT=727 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 12:50:02 balti kernel: [ 957.257912] Shorewall:
Sep 27 12:50:02 balti kernel: [ 957.260304] Shorewall:
Sep 27 12:53:18 balti kernel: [ 1151.778943] Shorewall: net2fw: REJECT: IN=eth0 OUT= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192.168.2.2 DST=192.168.2.1 LEN=60 TOS 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192.168.2.2 MAC=00:30:1b:ae:a2: MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7= MAC=00:30:1b: MAC=00:30:1b:a= MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192. MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192.168.2.2 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=20990 DF PROTOMAC= 00:30:1b: ae:a2AC= 00:30:1b: ae:a2:2e: 00:16:6f: 7c:25:8a: 08:00 SRC=192.168.2.2 DSTC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192. 168.2.2AC= 00:30:1b: ae:a2:2e: 00:16:6f: 7c:25:8a: 0C=00:30: 1b:ae:a2: 2e:00:16: 6f:7c:25: 8a:08:00AC= 00:30:1b: ae:a2:2e: 00:16:6f: 7c:25:8a: 08:0AC= 00:30:1b: ae:a2:2e: 00:16:6f: 7c:25:8a: 08:AC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=192. 168.AC= 00:30:1b: ae:a2:2e: 0AC=00: 30:1b:ae: a2:2eMAC= 00:30:1b: ae:a2:2e: 00:16:6f: 7c:25 MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:MAC= 00:30:1b: ae:a2:2e: 00:16:6f: 7c:25:8a: 08 MAC=00: 30:1b:ae: a2:2e:00: 16:6f:7c: 25:8a:08: 00 SRC=19...
=0x00 PREC=0x00 TTL=64 ID=4404 DF PROTO=TCP SPT=54174 DPT=813 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 12:53:18 balti kernel: [ 1151.780464]= MAC=00:30:1b:ae:a2: MAC=00:30:1b:ae:a2 MAC=00: