"[FLSA-2005:2252] Updated iptables packages resolve security issues" introduces new bug

Bart Westra b.westra at xs4all.nl
Sun Feb 20 00:39:54 UTC 2005


----- Original Message ----- 
From: "Pekka Savola" <pekkas at netcore.fi>
To: "Discussion of the Fedora Legacy Project" 
<fedora-legacy-list at redhat.com>
Sent: Saturday, February 19, 2005 7:39 PM
Subject: Re: "[FLSA-2005:2252] Updated iptables packages resolve security 
issues" introduces new bug


> On Sat, 19 Feb 2005, Marc Deslauriers wrote:
>> On Sat, 2005-02-19 at 12:46 +0100, Bart Westra wrote:
>>> After upgrading to iptables-1.2.8-8.90.1.legacy for Red Hat 9, I have found
>>> that ip_conntrack_ftp is not working on some interfaces of my system (it has
>>> 4 physical interfaces). It no longer recognizes the data sessions associated
>>> with an ftp control session. When I open the high ports in iptables, the
>>> data session will work.
>>
>> With the new iptables package, you have to manually add
>> "ip_conntrack_ftp" to the IPTABLES_MODULES="" variable in
>> the /etc/sysconfig/iptables-config file and
>> uncomment the line.
>>
>> Please try that and report back here if it worked so we can close the 
>> bug.
>
> Umm.. that shouldn't be needed -- the whole point is that the modules are 
> loaded properly? (Of course, it can be tried...)
>
> But that said, something _is_ wrong.  I started hearing weird reports from 
> our multi-interface RHL9-based firewall as well, and I couldn't associate 
> them until now.
>
> It would be interesting to know whether conntrack_ftp is:
>  - automatically loaded or not
>  - actually loaded when conntracking fails
>  - whether conntracking works on some interfaces and not in others
>

Well, I have sorted it now :)

I had set the system to load ip_conntrack, ip_conntrack_ftp and ip_nat_ftp 
in /etc/rc.modules with modprobe commands. This worked ok until now, but 
the new iptables package then unloads the modules when it is (re)started, 
and only looks in /etc/sysconfig/iptables-config for what modules should be 
restarted. So none would.

I have now added ip_conntrack_ftp and ip_nat_ftp in 
/etc/sysconfig/iptables-config (and removed them from /etc/rc.modules). The 
basic ip_conntrack is loaded automatically so I left it out. Now full ftp 
connection tracking is back :)

About the phenomena observed:
- eth0 seemed to work, but closer inspection showed that this was only the 
case if the remote ftp client was not using passive transfer mode. The 
difference between eth0 and the other interfaces in my system is that it 
allows all outgoing traffic. Hence the ftp data session set up by the server 
was allowed and tracked. Once I set the client to passive mode, it would 
also get a time out.
- reloading iptables for new firewall rules now takes quite long at the step 
where modules are unloaded. During this time the policy is all accept.... 
not safe imo.
- at first when I went back to iptables-1.2.8-8.90.1.legacy again to try 
Marc's suggestion, everything worked fine and I started to doubt my previous 
observations.... Eventually I found that some 1.2.7 code was still active. I 
then removed both iptables versions completely with rpm -e --nodeps and 
installed the new package from scratch. Then I could reproduce the error and 
test the solution. The question for me now is: what is the correct way to go 
back and forth between two versions? I use apt to update the system, and I 
see no way to reverse an upgrade using apt.

Regards
Bart Westra 
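The fix discussed in this thread (listing the FTP helper modules in an uncommented `IPTABLES_MODULES=` line of /etc/sysconfig/iptables-config, because the new init script unloads whatever was loaded elsewhere) is easy to get wrong silently. The script below is an added example, not code from the thread or from the Fedora Legacy package: it parses an iptables-config file, reports which of ip_conntrack_ftp / ip_nat_ftp are missing from the active `IPTABLES_MODULES` value, and checks /proc/modules for whether the helpers are actually loaded. The two config files it examines are constructed sample inputs; the `IPTABLES_MODULES_UNLOAD`-style behaviour is not assumed, only the variable name named in the thread.

```shell
#!/bin/sh
# Added example (not from the list thread or the iptables package).
# Checks that an iptables-config file lists the FTP conntrack helpers in an
# active (uncommented) IPTABLES_MODULES= line, and whether they are loaded.

REQUIRED_MODULES="ip_conntrack_ftp ip_nat_ftp"

# Print the value of the last active IPTABLES_MODULES="..." line in $1.
# A line commented out with '#' (the default shipped state) does not match.
iptables_config_modules() {
    sed -n 's/^[[:space:]]*IPTABLES_MODULES="\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# Return 0 if every required module is listed in $1; otherwise print the
# missing ones and return 1.
check_ftp_helpers() {
    listed=$(iptables_config_modules "$1")
    missing=""
    for m in $REQUIRED_MODULES; do
        case " $listed " in
            *" $m "*) ;;
            *) missing="$missing $m" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$1: missing from IPTABLES_MODULES:$missing"
        return 1
    fi
    return 0
}

# Return 0 if kernel module $1 is currently loaded (per /proc/modules).
module_loaded() {
    [ -r /proc/modules ] && grep -q "^$1 " /proc/modules
}

# --- constructed sample inputs ---------------------------------------------
BROKEN=$(mktemp)
FIXED=$(mktemp)
trap 'rm -f "$BROKEN" "$FIXED"' EXIT

# Shipped-style config: the helper line is still commented out.
cat > "$BROKEN" <<'EOF'
# Load additional iptables modules (nat helpers)
#IPTABLES_MODULES="ip_conntrack_ftp"
EOF

# Config after applying the fix from the thread.
cat > "$FIXED" <<'EOF'
# Load additional iptables modules (nat helpers)
IPTABLES_MODULES="ip_conntrack_ftp ip_nat_ftp"
EOF

check_ftp_helpers "$FIXED"  && echo "$FIXED: helper modules configured"
check_ftp_helpers "$BROKEN" || echo "$BROKEN: passive FTP will fail after restart"

for m in $REQUIRED_MODULES; do
    if module_loaded "$m"; then
        echo "$m: loaded"
    else
        echo "$m: not loaded (or /proc/modules unavailable on this host)"
    fi
done
```

Running `check_ftp_helpers /etc/sysconfig/iptables-config` on a real host, together with the `module_loaded` check after `service iptables restart`, distinguishes the two failure modes Pekka asked about: a helper that is not configured to load at all versus one that is configured but not present in the running kernel.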
