12:09 a.m.
I just started playing around with firewalld and I found something that doesn't seem
right to me.
If any user starts firewall-applet and then selects "Block all network traffic"
it will do as asked without any prompt for root's password or any other
authentication.
This seems crazy to me.
--
Programming today is a race between software engineers striving to build bigger and better
idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far,
the Universe is winning. -- Rick Cook, The Wizardry Compiled
9:04 a.m.
On 30 September 2012 23:09, Ed Greshko <Ed.Greshko(a)greshko.com> wrote:
I just started playing around with firewalld and I found something
that doesn't seem right to me.
If any user starts firewall-applet and then selects "Block all network traffic"
it will do as asked without any prompt for root's password or any other
authentication.
This seems crazy to me.
Does the opposite work? Can the person turn off the firewall?
--
Stephen J Smoogen.
"Don't derail a useful feature for the 99% because you're not in it."
Linus Torvalds
"Years ago my mother used to say to me,... Elwood, you must be oh
so smart or oh so pleasant. Well, for years I was smart. I
recommend pleasant. You may quote me." —James Stewart as Elwood P. Dowd
6:34 p.m.
On 10/01/2012 10:04 PM, Stephen John Smoogen wrote:
On 30 September 2012 23:09, Ed Greshko <Ed.Greshko(a)greshko.com>
wrote:
> I just started playing around with firewalld and I found something that doesn't
seem right to me.
>
> If any user starts firewall-applet and then selects "Block all network
traffic" it will do as asked without any prompt for root's password or any other
authentication.
>
> This seems crazy to me.
Does the opposite work? Can the person turn off the firewall?
I imagine that the on/off setting is what is labeled "Shields UP". Not sure of
their jargon. But, here is the "strange" thing.
When the applet is started the "Shields UP" is unchecked. But, for sure the
firewall is running.
If you check the box, you get an authentication dialog. If you hit "cancel" I
would expect the box to remain unchecked. However, it switches to being checked....even
though nothing is done.
Checking the box and providing the root password results in a error message (iptables:
Invalid argument) in the terminal where the applet was started as well as an selinux AVC
denial.
Uggh...
--
Programming today is a race between software engineers striving to build bigger and better
idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far,
the Universe is winning. -- Rick Cook, The Wizardry Compiled
6:46 p.m.
On Oct 1, 2012, at 5:34 PM, Ed Greshko wrote:
Checking the box and providing the root password results in a error message (iptables:
Invalid argument) in the terminal where the applet was started as well as an selinux AVC
denial.
AdamW is there a firewalld test day? I remember there was one for F17, but then firewalld
was reverted back to iptables before final. I'm wondering if firewalld needs another
test day since this is going to be its first Fedora release instead of iptables?
Chris Murphy
6:54 p.m.
On Mon, 2012-10-01 at 17:46 -0600, Chris Murphy wrote:
On Oct 1, 2012, at 5:34 PM, Ed Greshko wrote:
>
> Checking the box and providing the root password results in a error message
(iptables: Invalid argument) in the terminal where the applet was started as well as an
selinux AVC denial.
AdamW is there a firewalld test day? I remember there was one for F17, but then firewalld
was reverted back to iptables before final. I'm wondering if firewalld needs another
test day since this is going to be its first Fedora release instead of iptables?
There isn't one scheduled at present:
https://fedoraproject.org/wiki/QA/Fedora_18_test_days
But it might not be a bad idea.
Also, apparently, today is abrt test day...oopsie!
--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | identi.ca: adamwfedora
http://www.happyassassin.net
7:35 p.m.
On 10/01/2012 04:54 PM, Adam Williamson wrote:
On Mon, 2012-10-01 at 17:46 -0600, Chris Murphy wrote:
> On Oct 1, 2012, at 5:34 PM, Ed Greshko wrote:
>> Checking the box and providing the root password results in a error message
(iptables: Invalid argument) in the terminal where the applet was started as well as an
selinux AVC denial.
> AdamW is there a firewalld test day? I remember there was one for F17, but then
firewalld was reverted back to iptables before final. I'm wondering if firewalld needs
another test day since this is going to be its first Fedora release instead of iptables?
There isn't one scheduled at present:
https://fedoraproject.org/wiki/QA/Fedora_18_test_days
But it might not be a bad idea.
Also, apparently, today is abrt test day...oopsie!
When I click on
Admin->Firewall from Xfce all I get is a problem report
which fails to contact Bugzilla because it is not configured.
--
Chuck Forsberg WA7KGX N2469R caf(a)omen.com www.omen.com
Developer of Industrial ZMODEM(Tm) for Embedded Applications
Omen Technology Inc "The High Reliability Software"
10255 NW Old Cornelius Pass Portland OR 97231 503-614-0430
1:33 a.m.
On 10/02/2012 07:54 AM, Adam Williamson wrote:
There isn't one scheduled at present:
https://fedoraproject.org/wiki/QA/Fedora_18_test_days
But it might not be a bad idea.
It is probably a good idea. Another issue....
If you run the firewall-config GUI there are no rules listed anywhere. "iptables
-L" shows there are plenty defined. I thought that maybe they were
"invisible" but I soon found out that doing a "Reload firewalld"
causes all services to be unavailable. A systemctl restart of firewalld is needed to
restore a "working" system.
--
Programming today is a race between software engineers striving to build bigger and better
idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far,
the Universe is winning. -- Rick Cook, The Wizardry Compiled
2:04 a.m.
On Oct 2, 2012, at 12:33 AM, Ed Greshko wrote:
If you run the firewall-config GUI there are no rules listed anywhere. "iptables
-L" shows there are plenty defined.
I'm not sure I follow. iptables and firewalld aren't at all related and
shouldn't be used at the same time. firewall-config wouldn't list iptables rules.
I thought that maybe they were "invisible" but I soon
found out that doing a "Reload firewalld" causes all services to be unavailable.
A systemctl restart of firewalld is needed to restore a "working" system.
Hmm. The point of firewalld is exactly that restarts of the daemon aren't needed for
behavior changes to be applied, unlike iptables.
Chris Murphy
2:24 a.m.
On 10/02/2012 03:04 PM, Chris Murphy wrote:
On Oct 2, 2012, at 12:33 AM, Ed Greshko wrote:
> If you run the firewall-config GUI there are no rules listed anywhere.
"iptables -L" shows there are plenty defined.
I'm not sure I follow. iptables and firewalld aren't at all related and
shouldn't be used at the same time. firewall-config wouldn't list iptables rules.
I am not running iptables.service.
AFAIK, firewalld still uses the underlying iptables modules....
[egreshko@localhost ~]$ systemctl status iptables.service
iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; disabled)
[egreshko@localhost ~]$ lsmod | grep ip
ipt_MASQUERADE 12880 1
ip6table_mangle 12700 1
ip6t_REJECT 12939 2
nf_conntrack_ipv6 14569 23
nf_defrag_ipv6 18177 1 nf_conntrack_ipv6
ip6table_filter 12815 1
ip6_tables 26942 2 ip6table_filter,ip6table_mangle
iptable_nat 13383 1
nf_nat 25646 2 ipt_MASQUERADE,iptable_nat
iptable_mangle 12695 1
nf_conntrack_ipv4 19143 22 nf_nat,iptable_nat
nf_defrag_ipv4 12673 1 nf_conntrack_ipv4
nf_conntrack 107669 8
nf_conntrack_netbios_ns,ipt_MASQUERADE,nf_nat,xt_conntrack,nf_conntrack_broadcast,iptable_nat,nf_conntrack_ipv4,nf_conntrack_ipv6
> I thought that maybe they were "invisible" but I soon found out that doing
a "Reload firewalld" causes all services to be unavailable. A systemctl restart
of firewalld is needed to restore a "working" system.
Hmm. The point of firewalld is exactly that restarts of the daemon aren't needed for
behavior changes to be applied, unlike iptables.
Yes, since it has a D-BUS interface to allow dynamic changes without a reload. However,
if you do hit reload on the "firewall-config" GUI the system becomes
inaccessible via ssh, for example....
[egreshko@meimei ~]$ ssh 192.168.0.187
egreshko(a)192.168.0.187's password:
Last login: Sun Sep 30 15:22:20 2012 from 192.168.0.18
[egreshko@localhost ~]$
Then hit "reload firewalld" on the GUI....and....
[egreshko@meimei ~]$ ssh 192.168.0.187
ssh: connect to host 192.168.0.187 port 22: No route to host
That's not right....
--
Programming today is a race between software engineers striving to build bigger and better
idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far,
the Universe is winning. -- Rick Cook, The Wizardry Compiled
1:53 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/01/2012 07:34 PM, Ed Greshko wrote:
On 10/01/2012 10:04 PM, Stephen John Smoogen wrote:
> On 30 September 2012 23:09, Ed Greshko <Ed.Greshko(a)greshko.com> wrote:
>> I just started playing around with firewalld and I found something that
>> doesn't seem right to me.
>>
>> If any user starts firewall-applet and then selects "Block all network
>> traffic" it will do as asked without any prompt for root's password or
>> any other authentication.
>>
>> This seems crazy to me.
> Does the opposite work? Can the person turn off the firewall?
>
I imagine that the on/off setting is what is labeled "Shields UP". Not
sure of their jargon. But, here is the "strange" thing.
When the applet is started the "Shields UP" is unchecked. But, for sure
the firewall is running.
If you check the box, you get an authentication dialog. If you hit
"cancel" I would expect the box to remain unchecked. However, it switches
to being checked....even though nothing is done.
Checking the box and providing the root password results in a error message
(iptables: Invalid argument) in the terminal where the applet was started
as well as an selinux AVC denial.
Uggh...
What is the SELinux denial?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlBrOCYACgkQrlYvE4MpobMB0ACgu8oRT+gB7dEVxwOeU5poB/RW
2wQAn2YYklfdRyx9vL8unoN5aeeVqWX3
=hdG/
-----END PGP SIGNATURE-----
7:39 p.m.
On 10/03/2012 02:53 AM, Daniel J Walsh wrote:
On 10/01/2012 07:34 PM, Ed Greshko wrote:
> On 10/01/2012 10:04 PM, Stephen John Smoogen wrote:
>> On 30 September 2012 23:09, Ed Greshko <Ed.Greshko(a)greshko.com> wrote:
>>> I just started playing around with firewalld and I found something that
>>> doesn't seem right to me.
>>>
>>> If any user starts firewall-applet and then selects "Block all network
>>> traffic" it will do as asked without any prompt for root's password
or
>>> any other authentication.
>>>
>>> This seems crazy to me.
>> Does the opposite work? Can the person turn off the firewall?
>>
> I imagine that the on/off setting is what is labeled "Shields UP". Not
> sure of their jargon. But, here is the "strange" thing.
> When the applet is started the "Shields UP" is unchecked. But, for sure
> the firewall is running.
> If you check the box, you get an authentication dialog. If you hit
> "cancel" I would expect the box to remain unchecked. However, it
switches
> to being checked....even though nothing is done.
> Checking the box and providing the root password results in a error message
> (iptables: Invalid argument) in the terminal where the applet was started
> as well as an selinux AVC denial.
> Uggh...
What is the SELinux denial?
type=AVC msg=audit(1349049826.875:414): avc: denied { getattr } for pid=2428
comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202
scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0
tclass=file
type=AVC msg=audit(1349049827.010:415): avc: denied { getattr } for pid=2429
comm="sh" path="/usr/sbin/setfiles" dev="sda3" ino=1451202
scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:setfiles_exec_t:s0
tclass=file
--
Programming today is a race between software engineers striving to build bigger and better
idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far,
the Universe is winning.
-- Rick Cook, The Wizardry Compiled
4:04 p.m.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 10/02/2012 08:39 PM, Ed Greshko wrote:
On 10/03/2012 02:53 AM, Daniel J Walsh wrote:
> On 10/01/2012 07:34 PM, Ed Greshko wrote:
>> On 10/01/2012 10:04 PM, Stephen John Smoogen wrote:
>>> On 30 September 2012 23:09, Ed Greshko <Ed.Greshko(a)greshko.com>
>>> wrote:
>>>> I just started playing around with firewalld and I found something
>>>> that doesn't seem right to me.
>>>>
>>>> If any user starts firewall-applet and then selects "Block all
>>>> network traffic" it will do as asked without any prompt for
root's
>>>> password or any other authentication.
>>>>
>>>> This seems crazy to me.
>>> Does the opposite work? Can the person turn off the firewall?
>>>
>
>> I imagine that the on/off setting is what is labeled "Shields UP".
>> Not sure of their jargon. But, here is the "strange" thing.
>
>> When the applet is started the "Shields UP" is unchecked. But, for
>> sure the firewall is running.
>
>> If you check the box, you get an authentication dialog. If you hit
>> "cancel" I would expect the box to remain unchecked. However, it
>> switches to being checked....even though nothing is done.
>
>> Checking the box and providing the root password results in a error
>> message (iptables: Invalid argument) in the terminal where the applet
>> was started as well as an selinux AVC denial.
>
>> Uggh...
>
> What is the SELinux denial?
type=AVC msg=audit(1349049826.875:414): avc: denied { getattr } for
pid=2428 comm="sh" path="/usr/sbin/setfiles" dev="sda3"
ino=1451202
scontext=system_u:system_r:firewalld_t:s0
tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
type=AVC msg=audit(1349049827.010:415): avc: denied { getattr } for
pid=2429 comm="sh" path="/usr/sbin/setfiles" dev="sda3"
ino=1451202
scontext=system_u:system_r:firewalld_t:s0
tcontext=system_u:object_r:setfiles_exec_t:s0 tclass=file
firewalld should not be running setfiles, or restorecon.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iEYEARECAAYFAlBsqFgACgkQrlYvE4MpobPtaACguXwwrWVt21w1qUDYvE6pGRL6
6YAAnR2kKUBkAdsHE+Tbrv8OelNtPJW2
=fS4e
-----END PGP SIGNATURE-----
12:08 a.m.
On 10/04/2012 05:04 AM, Daniel J Walsh wrote:
firewalld should not be running setfiles, or restorecon.
https://bugzilla.redhat.com/show_bug.cgi?id=862974
--
Programming today is a race between software engineers striving to build bigger and better
idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far,
the Universe is winning. -- Rick Cook, The Wizardry Compiled
4222
days inactive
4225
days old
12 comments
6 participants
participants (6)
-
Adam Williamson -
Chris Murphy -
Chuck Forsberg WA7KGX -
Daniel J Walsh -
Ed Greshko -
Stephen John Smoogen