[Bug 532402] Review Request: APF - Advanced Policy Firewall

bugzilla at redhat.com bugzilla at redhat.com
Fri Jan 15 22:11:44 UTC 2010




https://bugzilla.redhat.com/show_bug.cgi?id=532402

--- Comment #6 from Mark McKinstry <mmckinst at nexcess.net> 2010-01-15 17:11:40 EST ---
> 1. Now it does build.  rpmlint has issues with the rpm:

APF is kind of weird in the way it's written. It is essentially a collection of
shell scripts that act as a wrapper to iptables. It, by default, installs
everything including executables in /etc/apf. The documentation advises
against changing the install directory, so I have gone with the author's advice.
I went through what rpmlint said and commented on it.

> apf.noarch: E: non-executable-script /etc/apf/conf.apf 0640 /bin/bash
> apf.noarch: E: non-executable-script /etc/apf/extras/dshield/cron.ds 0640 /bin/bash
> apf.noarch: E: non-executable-script /etc/apf/internals/functions.apf 0640 /bin/bash
> apf.noarch: E: script-without-shebang /etc/apf/extras/.ca.def
> apf.noarch: E: script-without-shebang /etc/apf/vnet/vnetgen

This is just the way APF is written. 

> apf.noarch: E: non-readable /etc/apf/allow_hosts.rules 0640
> apf.noarch: E: non-readable /etc/apf/apf 0750
> apf.noarch: E: non-readable /etc/apf/bt.rules 0640
> apf.noarch: E: non-readable /etc/apf/conf.apf 0640
> apf.noarch: E: non-readable /etc/apf/deny_hosts.rules 0640
> apf.noarch: E: non-readable /etc/apf/ds_hosts.rules 0640
> apf.noarch: E: non-readable /etc/apf/ecnshame_hosts.rules 0640
> apf.noarch: E: non-readable /etc/apf/extras/dshield/cron.ds 0640
> apf.noarch: E: non-readable /etc/apf/extras/dshield/dshield-3.2.tar.gz 0640
> apf.noarch: E: non-readable /etc/apf/extras/dshield/install 0750
> apf.noarch: E: non-readable /etc/apf/extras/dshield/README 0640
> apf.noarch: E: non-readable /etc/apf/extras/get_ports 0750
> apf.noarch: E: non-readable /etc/apf/firewall 0750
> apf.noarch: E: non-readable /etc/apf/glob_allow.rules 0640
> apf.noarch: E: non-readable /etc/apf/glob_deny.rules 0640
> apf.noarch: E: non-readable /etc/apf/internals/compat.0.9.5 0640
> apf.noarch: E: non-readable /etc/apf/internals/cports.common 0640
> apf.noarch: E: non-readable /etc/apf/internals/functions.apf 0640
> apf.noarch: E: non-readable /etc/apf/internals/icmp.types 0640
> apf.noarch: E: non-readable /etc/apf/internals/internals.conf 0640
> apf.noarch: E: non-readable /etc/apf/internals/multicast.networks 0640
> apf.noarch: E: non-readable /etc/apf/internals/private.networks 0640
> apf.noarch: E: non-readable /etc/apf/internals/rab.ports 0640
> apf.noarch: E: non-readable /etc/apf/internals/reserved.networks 0640
> apf.noarch: E: non-readable /etc/apf/log.rules 0640
> apf.noarch: E: non-readable /etc/apf/main.rules 0640
> apf.noarch: E: non-readable /etc/apf/postroute.rules 0640
> apf.noarch: E: non-readable /etc/apf/preroute.rules 0640
> apf.noarch: E: non-readable /etc/apf/sdrop_hosts.rules 0640
> apf.noarch: E: non-readable /etc/apf/sysctl.rules 0640
> apf.noarch: E: non-readable /etc/apf/VERSION 0640
> apf.noarch: E: non-readable /etc/apf/vnet/main.vnet 0640
> apf.noarch: E: non-readable /etc/apf/vnet/vnetgen 0750
> apf.noarch: E: non-readable /etc/apf/vnet/vnetgen.def 0640
> apf.noarch: E: non-standard-dir-perm /etc/apf 0750

These are intentional so everyone on the system can't read the firewall rules. 

> apf.noarch: E: non-standard-executable-perm /etc/apf/apf 0750
> apf.noarch: E: non-standard-executable-perm /etc/apf/extras/dshield/install 0750
> apf.noarch: E: non-standard-executable-perm /etc/apf/extras/get_ports 0750
> apf.noarch: E: non-standard-executable-perm /etc/apf/firewall 0750
> apf.noarch: E: non-standard-executable-perm /etc/apf/vnet/vnetgen 0750
> apf.noarch: W: hidden-file-or-dir /etc/apf/extras/.ca.def
> apf.noarch: W: non-conffile-in-etc /etc/apf/extras/dshield/cron.ds
> apf.noarch: W: non-conffile-in-etc /etc/apf/extras/dshield/dshield-3.2.tar.gz
> apf.noarch: W: non-conffile-in-etc /etc/apf/extras/dshield/README
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/compat.0.9.5
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/cports.common
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/functions.apf
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/icmp.types
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/internals.conf
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/multicast.networks
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/private.networks
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/rab.ports
> apf.noarch: W: non-conffile-in-etc /etc/apf/internals/reserved.networks
> apf.noarch: W: non-conffile-in-etc /etc/apf/VERSION
> apf.noarch: W: non-conffile-in-etc /etc/apf/vnet/main.vnet
> apf.noarch: W: non-conffile-in-etc /etc/apf/vnet/vnetgen.def

See the comment above about how it stores everything in /etc/apf.

> apf.noarch: E: subsys-not-used /etc/init.d/apf

This is the way it is written. It doesn't have a daemon or PID so I can't
create a lockfile for it. When you start or restart the service it runs its
collection of shell scripts to create all the rules for iptables based on your
config file, then exits while iptables continues to run.

> apf.noarch: E: zero-length /etc/apf/ds_hosts.rules
> apf.noarch: E: zero-length /etc/apf/ecnshame_hosts.rules
> apf.noarch: E: zero-length /etc/apf/sdrop_hosts.rules

These files do get used by APF.

> apf.noarch: W: non-conffile-in-etc /etc/logrotate.d/apf

I'm not sure why this is being marked.

> 2. I'd take out the BuildArch: noarch tag.

If I do this, rpmlint complains that it has no binary.

> 3. add the %{?dist} tag to release.

Done.

> 4. Please don't chkconfig a service on by default: chkconfig --level 345 apf on

Fixed.

> 5. instead of defining basedir:

Fixed.

> 6. You can take out these two lines:

Fixed.

Spec URL: http://mmckinst.nexcess.net/apf/apf.spec
SRPM URL: http://mmckinst.nexcess.net/apf/apf-9.7.1-3.fc12.src.rpm
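The non-readable errors in the rpmlint output above are the deliberate 0640/0750 layout: firewall rule files and the scripts that generate them should not be readable by every local account, since the allow/deny host lists describe exactly what the firewall trusts. The script below is an added example, not part of the APF package or of this review, that audits a directory tree for anything world-readable and, if wanted, applies the same modes the package uses. The directory to check is whatever is passed as the first argument (/etc/apf on a real install; a throwaway tree when trying it out); the function names are my own.

```sh
#!/bin/sh
# Added example (not APF code): audit a firewall rules tree for entries that
# grant read access to "other", and optionally re-apply the package's modes
# (directories and scripts 0750, everything else 0640).

# Echo the number of entries under $1 whose mode has the other-read bit set.
# `-perm -o=r` matches any entry where o+r is present, regardless of the
# remaining bits, so 0644 files and 0755 directories are both counted.
count_world_readable() {
    find "${1:?directory required}" -perm -o=r 2>/dev/null | wc -l | tr -d ' '
}

# Return 0 when nothing under $1 is world-readable; otherwise list the
# offending entries on stderr (mode, owner, path) and return 1.
audit_world_readable() {
    dir="${1:?directory required}"
    n=$(count_world_readable "$dir")
    if [ "$n" -gt 0 ]; then
        echo "world-readable entries under $dir:" >&2
        find "$dir" -perm -o=r -exec ls -ld {} \; >&2
        return 1
    fi
    return 0
}

# Re-apply the layout shown in the rpmlint output: directories 0750, files
# that are executable by their owner 0750, all other files 0640. Ownership is
# left untouched; on a real install the files are root-owned by the package.
apply_apf_modes() {
    dir="${1:?directory required}"
    find "$dir" -type d -exec chmod 0750 {} +
    find "$dir" -type f -perm -u=x -exec chmod 0750 {} +
    find "$dir" -type f ! -perm -u=x -exec chmod 0640 {} +
}
```

Running `audit_world_readable /etc/apf` as root after installing the package should print nothing and exit 0; a non-zero exit with a listing means a file was created or copied in with a looser umask than the package intended, and `apply_apf_modes /etc/apf` puts the modes back.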
