Bug 16932 - iptables-save: wrong output format for mandi's port-scan detection rule
Summary: iptables-save: wrong output format for mandi's port-scan detection rule
Status: RESOLVED OLD
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: Thomas Backlund
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-10-10 18:03 CEST by Sean Heiser
Modified: 2018-10-06 12:57 CEST
CC: 1 user

See Also:
Source RPM: iptables-1.4.21-3.mga5.src.rpm
CVE:
Status comment:


Attachments

Description Sean Heiser 2015-10-10 18:03:27 CEST
Description of problem:
iptables-save corrupts the output for the "port scan detection" rule by deleting two spaces in it, making iptables-restore fail.

Version-Release number of selected component (if applicable): iptables-1.4.21-3.mga5


How reproducible: Always. Confirmed by another user.


Steps to Reproduce:

1. Open drakfirewall and configure it:
  - Open services: none
  - Advanced: empty, unchecked
  - Use Interactive firewall: checked. Port scan detection: checked.
  Accept the interface.

2. Save the firewall rules with iptables-save and import them with iptables-restore:

# iptables-save | iptables-restore
iptables-restore v1.4.21: Couldn't load match `psd--psd-weight-threshold':No such file or directory

Error occurred at line: 106
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
========================

Line 106 is:
-A Ifw -m conntrack --ctstate INVALID,NEW -m psd--psd-weight-threshold 10 --psd-delay-threshold 10000 --psd-lo-ports-weight 2 --psd-hi-ports-weight 1  -j IFWLOG--log-prefix "SCAN"

It has two errors: one space is needed after "-m psd" and another one after "-j IFWLOG". Doing this allows the import:

# iptables-save | sed -e 's/-m psd-/-m psd -/;s/-j IFWLOG/-j IFWLOG /' | iptables-restore

Sourcing the port scan detection file /etc/ifw/rules.d/psd directly (from mandi-1.4-1.mga5; it has correct spacing) doesn't make any difference: iptables-save will delete those spaces again.
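Added example, not part of the report or of the mandi/iptables packages: a small POSIX shell helper that checks a saved ruleset for lines where a match or target name is fused to its first option, and repairs them. It generalizes the reporter's two sed expressions to any "-m name--opt" or "-j TARGET--opt" pair, so the output of iptables-save can be validated before it is fed to iptables-restore. The sample line is the broken line 106 quoted above; nothing else is assumed.

```shell
#!/bin/sh
# Constructed sample input: the broken line 106 from the report.
BROKEN='-A Ifw -m conntrack --ctstate INVALID,NEW -m psd--psd-weight-threshold 10 --psd-delay-threshold 10000 --psd-lo-ports-weight 2 --psd-hi-ports-weight 1  -j IFWLOG--log-prefix "SCAN"'

# Print every stdin line in which a match (-m) or target (-j) name is
# glued to its first option, i.e. "-m name--opt" or "-j TARGET--opt".
# Exit status is 0 when at least one such line exists, 1 otherwise.
find_fused_options() {
    grep -E -e '-(m|j) [A-Za-z0-9_]+--'
}

# Re-insert the missing space after the match/target name on such lines.
# Lines that are already well-formed pass through unchanged, so this is
# safe to put between iptables-save and iptables-restore.
fix_fused_options() {
    sed -E 's/(-(m|j) [A-Za-z0-9_]+)--/\1 --/g'
}

# Returns 0 if the ruleset on stdin needs no repair, 1 if it does.
ruleset_is_clean() {
    ! find_fused_options >/dev/null
}

# Demonstration on the constructed line: prints the repaired rule.
# Typical use: iptables-save | fix_fused_options | iptables-restore
printf '%s\n' "$BROKEN" | fix_fused_options
```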

Marja Van Waes 2015-10-10 20:34:52 CEST

CC: (none) => marja11
Assignee: bugsquad => tmb

Comment 1 Sean Heiser 2015-10-11 20:40:47 CEST
Correction: the file /etc/ifw/rules.d/psd belongs to the package mandi-ifw-1.4-1.mga5, not to mandi-1.4.1.mga5.
Comment 2 Marja Van Waes 2018-04-14 23:48:50 CEST
Hi Sean,

Thank you for having taken the needed time to report this issue!

Did this bug get fixed? If so, please change its status to RESOLVED - FIXED

If it didn't, then we regret that we weren't able to fix it in Mageia 5. Mageia 5 officially reached its End of Life on December 31st, 2017: https://blog.mageia.org/en/2017/11/07/mageia-5-eol-postponed/
It only continued to get important security updates since then, because we are waiting for a big Plasma5 update in Mageia 6, that'll fix many of the Mageia 5 => 6 upgrade issues.

If you haven't seen that this bug got fixed, then please check whether this bug still exists in Mageia 6. If it does, then please change the Version (near the top, at the left) to "6". If you know it exists in Cauldron, then change Version to Cauldron. If you see it in both Cauldron and Mageia 6, then please set version to Cauldron and add MGA6TOO on the Whiteboard.

Thanks,
Marja
Comment 3 Marja Van Waes 2018-10-06 12:57:35 CEST
No reply, so closing as OLD

Resolution: (none) => OLD
Status: NEW => RESOLVED
