[Secure-testing-team] Bug#775544: nftables: init system stop action shouldn't flush rules

Christoph Anton Mitterer calestyo at scientia.net
Sat Jan 17 02:20:52 UTC 2015 

Package: nftables
Version: 0.4-2
Severity: important
Tags: security

Hi.

I had the same discussion basically already for netfilter-prsistent:

IMHO, init system stop action shouldn't lead to firewall rules being
flushed.


First, there is a security reason, i.e. when you shut down the system
there would be a small amount of time, where daemons (that depend on
being secured by the firewall) may be exposed (which is why I marked
this bug important/security).


Secondly, it doesn't sound conceptually reasonable to equalise
"stop firewall" with "flush rulsets".
Especially since it's rather undefined what actually happens
when you stop a firewall.... is it all traffic goes throuh? Or is
it nothing goes through any longer.

I'd strongly tend to the later (not only for security reasons),...
consider you'd have a harware firewall and you stop that (i.e. 
pull the plug),.. then networking would be dead.
Similarly, if you take it meaphorically, i.e. you have a wall with
doors (that let some packets through automatically),.. if you stop
the system the doors won't no longer open.


Long story short, init actions might be invoked via many ways,
but completely opening up the firewall's gates, should be really some
clear, distinctive and special command (i.e. like nft flush).



Cheers,
Chris.

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.utf8, LC_CTYPE=en_DE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages nftables depends on:
ii  init-system-helpers  1.22
ii  libc6                2.19-13
ii  libgmp10             2:6.0.0+dfsg-6
ii  libmnl0              1.0.3-5
ii  libnftnl0            1.0.3-4
ii  libreadline6         6.3-8+b3

nftables recommends no packages.

nftables suggests no packages.

-- Configuration Files:
/etc/nftables/bridge-filter 13af207b629f3c157cde9569fc36e0b3 [Errno 2] No such file or directory: u'/etc/nftables/bridge-filter 13af207b629f3c157cde9569fc36e0b3'
/etc/nftables/inet-filter 58921ae85fd0c1c903ef1b334f3d6fc5 [Errno 2] No such file or directory: u'/etc/nftables/inet-filter 58921ae85fd0c1c903ef1b334f3d6fc5'
/etc/nftables/ipv4-filter 03c4f6169a9e3f6af9dfc841d7e74a34 [Errno 2] No such file or directory: u'/etc/nftables/ipv4-filter 03c4f6169a9e3f6af9dfc841d7e74a34'
/etc/nftables/ipv4-mangle d42443803049ad6493713d7ca4148b77 [Errno 2] No such file or directory: u'/etc/nftables/ipv4-mangle d42443803049ad6493713d7ca4148b77'
/etc/nftables/ipv4-nat 4c761d1dc90c7639d32671c402216aaa [Errno 2] No such file or directory: u'/etc/nftables/ipv4-nat 4c761d1dc90c7639d32671c402216aaa'
/etc/nftables/ipv6-filter 9e8cdd55559c335ab759f8d9fece8e86 [Errno 2] No such file or directory: u'/etc/nftables/ipv6-filter 9e8cdd55559c335ab759f8d9fece8e86'
/etc/nftables/ipv6-mangle b865abc1691df2a00c95c07a7d7af38c [Errno 2] No such file or directory: u'/etc/nftables/ipv6-mangle b865abc1691df2a00c95c07a7d7af38c'
/etc/nftables/ipv6-nat 2c2ac8c0d03e48a6d9573b62e89cd222 [Errno 2] No such file or directory: u'/etc/nftables/ipv6-nat 2c2ac8c0d03e48a6d9573b62e89cd222'

-- no debconf information

More information about the Secure-testing-team mailing list