----- Original Message ----- From: "Pekka Savola" <pekkas@xxxxxxxxxx>
To: "Discussion of the Fedora Legacy Project" <fedora-legacy-list@xxxxxxxxxx>
Sent: Saturday, February 19, 2005 7:39 PM
Subject: Re: "[FLSA-2005:2252] Updated iptables packages resolve security issues" introduces new bug
On Sat, 19 Feb 2005, Marc Deslauriers wrote:

> On Sat, 2005-02-19 at 12:46 +0100, Bart Westra wrote:
>
> > After upgrading to iptables-1.2.8-8.90.1.legacy for Red Hat 9, I have found
> > that ip_conntrack_ftp is not working on some interfaces of my system (it has
> > 4 physical interfaces). It no longer recognizes the data sessions associated
> > with an ftp control session. When I open the high ports in iptables, the
> > data session will work.
>
> With the new iptables package, you have to manually add "ip_conntrack_ftp" to the IPTABLES_MODULES="" variable in the /etc/sysconfig/iptables-config file and uncomment the line.
>
> Please try that and report back here if it worked so we can close the bug.

Umm.. that shouldn't be needed -- the whole point is that the modules are loaded properly? (Of course, it can be tried...)

But that said, something _is_ wrong. I started hearing weird reports from our multi-interface RHL9-based firewall as well, and I couldn't associate them until now.

It would be interesting to know whether conntrack_ftp is:
- automatically loaded or not
- actually loaded when conntracking fails
- whether conntracking works on some interfaces and not in others
Well, I have sorted it now :)
I had set the system to load ip_conntrack, ip_conntrack_ftp and ip_nat_ftp in /etc/rc.modules with modprobe commands. This worked ok until now, but the new iptables package then unloads the modules when it is (re)started, and only looks in /etc/sysconfig/iptables-config for what modules should be restarted. So none would.
I have now added ip_conntrack_ftp and ip_nat_ftp in /etc/sysconfig/iptables-config (and removed them from /etc/rc.modules). The basic ip_conntrack is loaded automatically so I left it out. Now full ftp connection tracking is back :)
About the phenomena observed:
- eth0 seemed to work, but closer inspection showed that this was only the case if the remote ftp client was not using passive transfer mode. The difference between eth0 and the other interfaces in my system is that it allows all outgoing traffic. Hence the ftp data session set up by the server was allowed and tracked. Once I set the client to passive mode, it would also get a time out.
- reloading iptables for new firewall rules now takes quite long at the step where modules are unloaded. During this time the policy is all accept.... not safe imo.
- at first when I went back to iptables-1.2.8-8.90.1.legacy again to try Marc's suggestion, everything worked fine and I started to doubt my previous observations.... Eventually I found that some 1.2.7 code was still active. I then removed both iptables versions completely with rpm -e --nodeps and installed the new package from scratch. Then I could reproduce the error and test the solution. The question for me now is: what is the correct way to go back and forth between two versions? I use apt to update the system, and I see no way to reverse an upgrade using apt.
Regards
Bart Westra
-- fedora-legacy-list@xxxxxxxxxx http://www.redhat.com/mailman/listinfo/fedora-legacy-list
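A small check script, added here as an example and not part of the thread or the Fedora Legacy package, that verifies the failure mode Bart describes does not silently recur: the FTP helper modules must both be listed in IPTABLES_MODULES in /etc/sysconfig/iptables-config (so the init script reloads them) and actually be present in the kernel. File paths are parameters so it can be run against constructed copies; the module-list file defaults to /proc/modules.

```shell
#!/bin/sh
# Added example (not from the original thread): confirm that the FTP
# connection-tracking helpers are configured for reload by the iptables
# init script AND currently loaded, since the thread shows they can be
# silently unloaded on restart if only /etc/rc.modules loads them.

# Module names the thread says must be listed explicitly.
REQUIRED_MODULES="ip_conntrack_ftp ip_nat_ftp"

# Print the value of IPTABLES_MODULES from an iptables-config file ($1).
# Commented-out lines (the file ships with the line commented) are ignored;
# the last active assignment wins, as it would for the shell.
configured_modules() {
    sed -n 's/^IPTABLES_MODULES="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1
}

# check_ftp_helpers CONFIG [MODULES_FILE]
# Returns 0 when every required module is both configured in CONFIG and
# listed in MODULES_FILE (/proc/modules format: name first, then a space);
# otherwise prints each missing item and returns 1.
check_ftp_helpers() {
    cfg=$1
    modfile=${2:-/proc/modules}
    listed=$(configured_modules "$cfg")
    rc=0
    for m in $REQUIRED_MODULES; do
        case " $listed " in
            *" $m "*) ;;
            *) echo "not in IPTABLES_MODULES: $m"; rc=1 ;;
        esac
        if ! grep -q "^$m " "$modfile" 2>/dev/null; then
            echo "not loaded: $m"; rc=1
        fi
    done
    return $rc
}
```

Source the file and run `check_ftp_helpers /etc/sysconfig/iptables-config` after an iptables restart; a non-zero exit means FTP connection tracking will not work even if the rules look right.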