Closed Mic92 closed 10 years ago
push
Bump. This is a pretty big hole.
In the meantime, to get back to the secure-by-default version of before add the following rules/templates:
prefix.erb:
```
-A INPUT -j FWR
-A FWR -i lo -j ACCEPT
```
postfix.erb:
```
# Rejects all remaining connections with port-unreachable errors.
-A FWR -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A FWR -p udp -j REJECT --reject-with icmp-port-unreachable
```
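As an added example that is not part of this thread or of the cookbook: a small POSIX shell check that a generated iptables rules file still contains the secure-by-default skeleton the prefix/postfix templates above provide (the `INPUT -> FWR` jump, the loopback `ACCEPT`, and terminal `REJECT` rules at the end of `FWR`). The sample rule files, the function names and the temp-file handling are all constructed for this example; it can be run against the output of a rebuild before the rules are loaded.

```shell
#!/bin/sh
# Added example (not from the cookbook or the issue author). Verifies that an
# iptables-restore style rules file keeps the default-deny skeleton:
#   -A INPUT -j FWR, -A FWR -i lo -j ACCEPT, and REJECT rules closing FWR.
# All file contents and names below are constructed for this example.

# Returns 0 when the rules file contains the full skeleton and the FWR chain
# ends with a REJECT rule; returns 1 and prints what is missing otherwise.
check_default_deny() {
    rules="$1"
    rc=0
    for expected in \
        '-A INPUT -j FWR' \
        '-A FWR -i lo -j ACCEPT' \
        '-A FWR -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable' \
        '-A FWR -p udp -j REJECT --reject-with icmp-port-unreachable'
    do
        # -x: whole-line match, -F: literal string (rules contain regex metacharacters)
        if ! grep -qxF -- "$expected" "$rules"; then
            echo "missing: $expected"
            rc=1
        fi
    done
    # The REJECT rules must be the last rules in FWR; an ACCEPT appended after
    # them would still work, but an ACCEPT-only tail means everything passes.
    last=$(grep -- '^-A FWR ' "$rules" | tail -n 1)
    case "$last" in
        *'-j REJECT'*) ;;
        *) echo "FWR chain does not end with a REJECT rule"; rc=1 ;;
    esac
    return $rc
}

# Writes a constructed sample rules file ("fixed" or "broken") and prints its path.
# The "broken" variant mirrors the problem described in this issue: the FWR chain
# is never reached from INPUT and has no terminal reject.
write_sample() {
    f=$(mktemp)
    if [ "$1" = fixed ]; then
        cat > "$f" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FWR - [0:0]
-A INPUT -j FWR
-A FWR -i lo -j ACCEPT
-A FWR -p tcp -m tcp --dport 22 -j ACCEPT
-A FWR -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j REJECT --reject-with icmp-port-unreachable
-A FWR -p udp -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
    else
        cat > "$f" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FWR - [0:0]
-A FWR -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
    fi
    echo "$f"
}

# Stand-alone demo: evaluate both constructed samples.
for kind in broken fixed; do
    f=$(write_sample "$kind")
    if check_default_deny "$f"; then echo "$kind: ok"; else echo "$kind: FAIL"; fi
    rm -f "$f"
done
```

In practice the check would be pointed at the file the rebuild script writes (for example the path it hands to `iptables-restore`) and wired into the same step that regenerates the rules, so a rebuild that loses the skeleton fails before the permissive rule set is ever loaded.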
I switched to: http://ferm.foo-projects.org/, which provides some additional nice features like functions for better modularity. I can recommend that anyone take a look at it.
@someara Sorry for yet again including you in another thing to get a response, but do you know how to push this forward as a priority? I've only spotted this today.
It seems like the move away from JIRA has possibly reduced the alert response to tickets.
I've added an issue upstream to the new rebuild-script's github repo: https://github.com/phlipper/rebuild-iptables/issues/5
Either this should be reverted to the perl version or an adequate solution done with the new rebuild script.
@someara perhaps v0.13.2 should be yanked from the supermarket for now?
I'm leaning towards preferring a solution like what @jrust mentions, which will give the cookbook greater flexibility, but either it is done by injecting the prefix/suffix into the script, or rules need to be named like '0000-prefix', 'zzzz-suffix' in the /etc/iptables.d/ folder so file ordering puts them in the right places.
@someara sorry, also v0.13.0 should probably be yanked as well. I was confused seeing the perl script still in the repository for that tag, so thought it was unaffected. v0.12.2 is the last known good version
I can't just yank artifacts from the Supermarket. It breaks builds, CI systems, etc. We'll have to roll forward.
You should at least warn people about the breaking change in README.md
@andytson @Mic92 @someara I am looking at this right now.
The new rebuild-script of the current git version does not add the FWR chain to the INPUT chain, like this:
and it does not drop packets at the end of the FWR chain, if no rules match:
This means all packets will pass the firewall!