Bug 21362

Summary: MCC security setting leads to a wrong rules.drakx configuration
Product: Mageia
Reporter: Christian C <bugzzzz>
Component: RPM Packages
Assignee: Mageia tools maintainers <mageiatools>
Status: RESOLVED OLD
QA Contact:
Severity: normal
Priority: Normal
CC: marja11
Version: 5
Target Milestone: ---
Hardware: x86_64
OS: Linux
Whiteboard:
Source RPM: drakx-net-2.24.2-1.mga5
CVE:
Status comment:

Description Christian C 2017-07-26 17:31:13 CEST
Description of problem:
When MCC is run to update the security configuration:
Security->Setup your personal firewall->Advanced
and a port is modified or suppressed in the old configuration, the resulting file /etc/shorewall/rules.drakx is updated with:

ACCEPT	fw	loc:10.0.0.138	tcp	1723
ACCEPT	fw	loc:10.0.0.138	gre

even if the file /etc/shorewall/zones does not contain the loc zone and the address 10.0.0.138 does not exist in the local network.

So shorewall fails to start with the following message:

Jul 26 16:29:12 localhost shorewall[6962]: done.
Jul 26 16:29:12 localhost shorewall[7083]: Compiling...
Jul 26 16:29:13 localhost shorewall[7083]: Processing /etc/shorewall/params ...
Jul 26 16:29:13 localhost shorewall[7083]: Processing /etc/shorewall/shorewall.conf...
Jul 26 16:29:13 localhost shorewall[7083]: Loading Modules...
Jul 26 16:29:14 localhost shorewall[7083]: Compiling /etc/shorewall/zones...
Jul 26 16:29:14 localhost shorewall[7083]: Compiling /etc/shorewall/interfaces...
Jul 26 16:29:14 localhost shorewall[7083]: Determining Hosts in Zones...
Jul 26 16:29:14 localhost shorewall[7083]: Locating Action Files...
Jul 26 16:29:14 localhost shorewall[7083]: Compiling /etc/shorewall/policy...
Jul 26 16:29:14 localhost shorewall[7083]: Running /etc/shorewall/initdone...
Jul 26 16:29:14 localhost shorewall[7083]: Compiling TCP Flags filtering...
Jul 26 16:29:14 localhost shorewall[7083]: Compiling Kernel Route Filtering...
Jul 26 16:29:14 localhost shorewall[7083]: Compiling Martian Logging...
Jul 26 16:29:14 localhost shorewall[7083]: Compiling MAC Filtration -- Phase 1...
Jul 26 16:29:14 localhost shorewall[7083]: Compiling /etc/shorewall/rules...
Jul 26 16:29:14 localhost shorewall[7083]: ERROR: Unknown destination zone (loc) /etc/shorewall/rules.drakx (line 1)
Jul 26 16:29:14 localhost shorewall[7083]: from /etc/shorewall/rules (line 15)
Jul 26 16:29:14 localhost logger: ERROR:Shorewall start failed

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. run /usr/bin/drakfirewall
2. modify a rule
3.
Marja Van Waes 2017-07-27 19:50:25 CEST

CC: (none) => marja11
Assignee: bugsquad => mageiatools
Source RPM: drakx-net-text-2.24.2-1.mga5 => drakx-net-2.24.2-1.mga5
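
A pre-flight check for the failure described in this report, as an added example that is not part of the bug report or of drakx-net: it lists rules whose source or destination zone is missing from the zones file, which is the condition behind the "Unknown destination zone (loc)" error. The function name, the sample zones file and the third rule are constructed; the check is simplified and assumes no line continuations and no zone modifiers such as exclusions.

```shell
#!/bin/sh
# Report rules whose SOURCE or DEST zone is not declared in the zones file.
# Usage: undeclared_zones ZONES_FILE RULES_FILE
# Prints "<rules file>:<line>: unknown zone (<zone>)"; exit status 1 if any found.
undeclared_zones() {
    awk '
        # Strip comments and skip blank lines in both files.
        { sub(/#.*/, "") }
        NF == 0 { next }
        # Zones file: column 1 is the zone name ("child:parent" when nested).
        FILENAME == ARGV[1] { split($1, z, ":"); declared[z[1]] = 1; next }
        # Rules file: directives and section markers are not rules.
        $1 ~ /^\?/ || $1 == "SECTION" || $1 == "INCLUDE" || $1 == "COMMENT" { next }
        {
            # Column 2 is SOURCE, column 3 is DEST.
            for (col = 2; col <= 3 && col <= NF; col++) {
                split($col, part, ":")      # "loc:10.0.0.138" -> zone "loc"
                zone = part[1]
                if (zone == "all" || zone == "any" || zone == "none" || zone == "$FW")
                    continue
                if (!(zone in declared)) {
                    printf "%s:%d: unknown zone (%s)\n", FILENAME, FNR, zone
                    bad = 1
                }
            }
        }
        END { exit bad }
    ' "$1" "$2"
}

# Constructed sample input: the two rules quoted in the report, one constructed
# valid rule, and a constructed zones file that declares no "loc" zone.
demo=$(mktemp -d)
cat > "$demo/zones" <<'EOF'
fw   firewall
net  ipv4
EOF
cat > "$demo/rules.drakx" <<'EOF'
ACCEPT  fw   loc:10.0.0.138  tcp  1723
ACCEPT  fw   loc:10.0.0.138  gre
ACCEPT  net  fw              tcp  22
EOF
undeclared_zones "$demo/zones" "$demo/rules.drakx" ||
    echo "rules.drakx references zones that are not declared"
```

On a live system the arguments would be /etc/shorewall/zones and /etc/shorewall/rules.drakx; Shorewall's own `shorewall check` compiles the whole configuration without applying it and remains the authoritative validation.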

Comment 1 Marja Van Waes 2018-09-20 08:53:28 CEST
Hi Christian,

Thank you for having taken the needed time to report this issue!

This bug was filed against Mageia 5. Did it get fixed? If so, please change its status to RESOLVED - FIXED.

If it didn't, then we regret that we weren't able to fix it in Mageia 5. Mageia 5 has officially reached its End of Life on December 31st, 2017 https://blog.mageia.org/en/2017/11/07/mageia-5-eol-postponed/
It continued to get limited extended support since then, but that support has now ended, too.
As a result we are closing this bug report as OLD.

If you still see this issue in a newer Mageia version, then please reopen this report and say so.

Note that we are a community distribution, which means that we, the Mageia users, make Mageia together in our free time. If you'd like to help package & maintain drakx-net or any other package, then please consider becoming a Mageia packager https://wiki.mageia.org/en/Becoming_a_Mageia_Packager

Resolution: (none) => OLD
Status: NEW => RESOLVED

Comment 2 Christian C 2018-11-25 10:12:07 CET
> If you'd like to help package & maintain drakx-net or any other package, then please consider becoming a Mageia packager

Thank you for your proposal but my next project is to upgrade my current desktop to mga-6.
And as you have seen in e.g. https://bugs.mageia.org/show_bug.cgi?id=23026, it's a long shot...

In addition, I have no skill in packaging. I'm just able to grumble when programs don't work as I think they should. Software validation was a part of my job in the past ;-)