Bug 2860

Summary: Interactive Firewall failures reported for shorewall startup and restart
Product: Mageia Reporter: Neil Darlow <neil>
Component: RPM PackagesAssignee: Olivier Blin <mageia>
Status: RESOLVED WONTFIX QA Contact:
Severity: major    
Priority: Normal CC: davidwhodgins, mageia, marja11, pterjan, thierry.vignaud
Version: 1Keywords: PATCH
Target Milestone: ---   
Hardware: i586   
OS: Linux   
Whiteboard:
Source RPM: drakx-net-0.97.1-2.mga1.src.rpm CVE:
Status comment:
Bug Depends on: 3575, 3596    
Bug Blocks:    
Attachments: /var/log/shorewall-init.log with Interactive Firewall enabled
/var/log/shorewall-init.log with Interactive Firewall disabled
Patch to replace source command with a period

Description Neil Darlow 2011-09-28 11:34:20 CEST 
Description of problem: The Interactive Firewall component of Personal Firewall has errors reported during shorewall startup and restart.


Version-Release number of selected component (if applicable): Relevant packages:
kernel-netbook-2.6.38.8-5.mga-1-1.mga1
shorewall-4.4.19.1-3.mga1
mandi-ifw-1.0-10.mga1
iptables-1.4.11.1-1.mga1


How reproducible: Every time system boots or Interactive Firewall is enabled


Steps to Reproduce:
1. Enable Personal Firewall in Mageia Control Center.
   I just have SMB, Echo and a custom port for Auth (113) enabled.
2. Enable the Interactive Firewall with all sub-options selected for it.
3. Observe errors reported in /var/log/shorewall-init.log after firewall is restarted and following reboots.
4. Disable the Interactive Firewall.
5. Observe no errors reported in /var/log/shorewall-init.log after firewall is restarted and following reboots.

Attached are two instances of /var/log/shorewall-init.log for a system reboot.
The first is with Interactive Firewall enabled and the second with it disabled.

The deprecation warnings result from /etc/ifw/start
The source error and iptables Input/output errors result from /etc/ifw/rules
Comment 1 Neil Darlow 2011-09-28 11:37:13 CEST 
Created attachment 848 [details]
/var/log/shorewall-init.log with Interactive Firewall enabled

Contents of /var/log/shorewall-init.log for a boot with Interactive Firewall enabled. Note the deprecation warnings resulting from /etc/ifw/start and the source and iptables Input/output errors resulting from /etc/ifw/rules
Comment 2 Neil Darlow 2011-09-28 11:39:19 CEST 
Created attachment 849 [details]
/var/log/shorewall-init.log with Interactive Firewall disabled

Contents of /var/log/shorewall-init.log following boot with Interactive Firewall disabled. Note there are no warnings or errors reported.
Comment 3 Neil Darlow 2011-09-28 11:42:01 CEST 
I should also advise that, with the Interactive Firewall enabled and Ping reporting enabled, when the system is pinged no alert is issued. I conclude that the iptables Input/output errors mean that the associated rules for the Interactive Firewall have not been added.
Comment 4 Marja Van Waes 2011-12-01 22:02:51 CET 
The author of mandi found some time to look into this bug report.

He said 

/var/lib/shorewall/.start: 1: source: not found

wasn't brilliant and that it was probably not supported by dash.

He didn't find time to explain what he meant by "it", but I guess he meant shorewall, because shorewall depends on dash and mandi doesn't

CC'ing some people who committed shorewall and/or dash

CC: (none) => mageia, marja11, pterjan, thierry.vignaud
Source RPM: mandi-1.0-10.mga1.src.rpm => shorewall, dash

Comment 5 Dave Hodgins 2011-12-02 05:10:59 CET 
Created attachment 1162 [details]
Patch to replace source command with a period

The "it" would the the source command, which is not a dash builtin command.
Comment 6 Dave Hodgins 2011-12-02 05:12:25 CET 
Changing the source rpm to drakx-net-1.0-1.mga2.src.rpm

CC: (none) => davidwhodgins
Source RPM: shorewall, dash => drakx-net-1.0-1.mga2.src.rpm

Comment 7 Dave Hodgins 2011-12-02 05:18:14 CET 
Fyi, drakfirewall.pm updates /etc/ifw/rules which is then included
by shorewall when it compiles it's rules.

I expect that once an updated drakfirewall.pm is installed, the interactive
firewall would have to be disabled/re-enabled to update the files.

A workaround would be to have the updated package include a post-install
scriptlet that would replace the word source with the period, if it exists
in /etc/ifw/rules, and then restart shorewall.
Comment 8 Marja Van Waes 2011-12-02 07:21:45 CET 
@ Dave

Thanks a lot for helping and for explaining (and for all the other times you did and do that) :D

(In reply to comment #6)
> Changing the source rpm to drakx-net-1.0-1.mga2.src.rpm

This bug was filed against Mga 1, where the version is 0.97.1-2.mga1.

If you confirm that it is in cauldron, too, I'll open a new bug report for that one and make this one depend on it.

assigning to maintainer

@ blino

Merci beaucoup, pour aider sur IRC hier soir alors que tu n'avais pas du temps :D

Keywords: (none) => PATCH
Assignee: bugsquad => mageia
Source RPM: drakx-net-1.0-1.mga2.src.rpm => drakx-net-0.97.1-2.mga1.src.rpm

Comment 9 Dave Hodgins 2011-12-02 09:00:08 CET 
Yes it's present in cauldron too.
Marja Van Waes 2011-12-02 09:42:12 CET

Depends on: (none) => 3575

Comment 10 Olivier Blin 2011-12-03 16:25:22 CET 
Well, there are quite a lot of bugs here, at least:
- the source builtin from IFW files not supported in dash (fixed in drakx-net SVN)
- the duplicate lines in shorewall config files (in Cauldron only, #3452, fixed in SVN)
- ipset syntax changed, mandi has to be adapted (I have a patch)
- the IFWLOG kernel module should be fixed on recent kernels (I have a patch), needs a new kernel package

Status: NEW => ASSIGNED

Olivier Blin 2011-12-03 17:28:39 CET

Depends on: (none) => 3596

Comment 11 Olivier Blin 2011-12-04 00:34:17 CET 
The last missing piece for Mageia 1 is probably the IFWLOG fix I submitted in bug #3596 (waiting to be included in next kernel update).
The ipset issue seems Cauldron-specific.
Comment 12 Olivier Blin 2012-06-02 21:47:43 CEST 
Closing as wontfix for Mageia 1, it is fixed in Mageia 2

Status: ASSIGNED => RESOLVED
Resolution: (none) => WONTFIX