Bug 50130 - Something restarts (broken) firewall
Status: NEW
Product: UCS
Classification: Unclassified
Component: Firewall (univention-firewall)
UCS 4.4
Other Linux
Importance: P5 normal
Assigned To: UCS maintainers
Depends on:
Blocks:
Reported: 2019-09-09 11:30 CEST by Philipp Hahn
Modified: 2020-05-05 17:50 CEST (History)

See Also:
What kind of report is it?: Bug Report
What type of bug is this?: 7: Crash: Bug causes crash or data loss
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 2: A Pain – users won’t like this once they notice it
User Pain: 0.160
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:


Attachments

Description Philipp Hahn univentionstaff 2019-09-09 11:30:13 CEST
It has happened multiple times by now that something restarted the Univention packet filter and dropped my rules:

- The VM is a base system without univention-apache. Still I have
security/packetfilter/package/univention-apache/tcp/443/all/en: HTTPS
security/packetfilter/package/univention-apache/tcp/443/all: ACCEPT
security/packetfilter/package/univention-apache/tcp/80/all/en: HTTP
security/packetfilter/package/univention-apache/tcp/80/all: ACCEPT

- Therefore I manually opened TCP port 80 via UCRV:
  security/packetfilter/tcp/80/all: ACCEPT

- I later disabled the full packet filter:
  security/packetfilter/disabled: true

- Over the last weekend something touched the firewall setting and now I have:
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere            
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpts:32765:32769
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp dpt:ntp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:sunrpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpts:32765:32769
ACCEPT     udp  --  anywhere             anywhere             udp dpt:sunrpc
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:7777
ACCEPT     udp  --  anywhere             anywhere             udp dpt:7777
ACCEPT     udp  --  anywhere             anywhere             udp dpt:nfs
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:nfs
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

I have no idea where that comes from; in the past I have already flushed the rules by doing
  iptables -P INPUT ACCEPT
  iptables -F INPUT

This led to the WWW server not being reachable.

# journalctl -u univention-firewall 
> -- No entries --

# tail security/packetfilter.d/10_univention-firewall_start.sh
> iptables --wait -A INPUT -p "tcp"  --dport 443 -j ACCEPT
> ip6tables --wait -A INPUT -p "tcp"  --dport 443 -j ACCEPT
> 
> # univention-base-files[en]: SSH
> iptables --wait -A INPUT -p "tcp"  --dport 22 -j ACCEPT
> ip6tables --wait -A INPUT -p "tcp"  --dport 22 -j ACCEPT
> 
> iptables --wait -A INPUT -p "tcp"  --dport 80 -j ACCEPT
> ip6tables --wait -A INPUT -p "tcp"  --dport 80 -j ACCEPT
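An added checker (example code, not from this bug report and not part of univention-firewall) that compares the packet-filter rules configured in UCR with the INPUT chain actually loaded, so that a firewall that was re-initialised and lost the manually added rules is noticed before the web server silently becomes unreachable. It assumes the UCR key layout visible in the variables quoted above (`security/packetfilter[/package/<pkg>]/<proto>/<port>/<addr>: <target>`, with `/en` keys being descriptions) and a small service-name table for `iptables -L` output printed without `-n`; both sample inputs are constructed from the values quoted in this report.

```python
"""Compare the packet-filter rules configured in UCR with the INPUT chain
actually loaded, to spot a firewall that was re-initialised and lost rules."""
import re
from typing import Dict, List, Tuple

# Constructed sample: UCR variables as quoted in the report (key: value lines).
UCR_SAMPLE = """\
security/packetfilter/package/univention-apache/tcp/443/all/en: HTTPS
security/packetfilter/package/univention-apache/tcp/443/all: ACCEPT
security/packetfilter/package/univention-apache/tcp/80/all/en: HTTP
security/packetfilter/package/univention-apache/tcp/80/all: ACCEPT
security/packetfilter/tcp/80/all: ACCEPT
security/packetfilter/disabled: true
"""

# Constructed sample: abridged `iptables -L INPUT` output as pasted in the report.
IPTABLES_L_SAMPLE = """\
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     udp  --  anywhere             anywhere             udp dpts:32765:32769
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:7777
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable
"""

# Service names that `iptables -L` prints instead of numbers when run without -n.
# Assumption: this table covers the names seen in the report; running
# `iptables -L INPUT -n` on a real host makes the lookup unnecessary.
SERVICE_PORTS = {"ssh": 22, "domain": 53, "ntp": 123, "sunrpc": 111,
                 "nfs": 2049, "http": 80, "https": 443}

# Assumed key layout derived from the variables quoted in the report; keys with a
# trailing language suffix (.../en) carry a description, not a rule, and do not match.
UCR_RULE_RE = re.compile(
    r"^security/packetfilter(?:/package/[^/]+)?/(tcp|udp)/(\d+)/([^/:\s]+):\s*(\w+)$")

# One rule line of `iptables -L`: target, protocol, "--", source, destination, extras.
IPT_RULE_RE = re.compile(
    r"^(?P<target>\w+)\s+(?P<proto>\w+)\s+--\s+\S+\s+\S+(?P<rest>.*)$")


def expected_rules(ucr_text: str) -> Dict[Tuple[str, int], str]:
    """Return {(proto, port): target} for every packet-filter rule variable."""
    rules: Dict[Tuple[str, int], str] = {}
    for line in ucr_text.splitlines():
        m = UCR_RULE_RE.match(line.strip())
        if m:
            proto, port, _addr, target = m.groups()
            rules[(proto, int(port))] = target.upper()
    return rules


def packetfilter_disabled(ucr_text: str) -> bool:
    """True when security/packetfilter/disabled is set to a true-ish value."""
    for line in ucr_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "security/packetfilter/disabled":
            return value.strip().lower() in ("true", "yes", "1")
    return False


def _port_number(token: str) -> int:
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def loaded_rules(iptables_text: str) -> Tuple[str, Dict[Tuple[str, int], str]]:
    """Parse `iptables -L INPUT` output into (chain policy, {(proto, port): target}).

    Only single-port rules (dpt:) are recorded; port ranges (dpts:) and the
    protocol-wide catch-all lines carry no port and are skipped."""
    policy = "UNKNOWN"
    rules: Dict[Tuple[str, int], str] = {}
    for line in iptables_text.splitlines():
        if line.startswith("Chain "):
            pm = re.search(r"\(policy (\w+)\)", line)
            policy = pm.group(1) if pm else policy
            continue
        m = IPT_RULE_RE.match(line)
        if not m:
            continue
        dm = re.search(r"\bdpt:(\S+)", m.group("rest"))
        if dm:
            rules[(m.group("proto"), _port_number(dm.group(1)))] = m.group("target")
    return policy, rules


def missing_accepts(ucr_text: str, iptables_text: str) -> List[Tuple[str, int]]:
    """Ports UCR says must be ACCEPTed that the loaded INPUT chain does not accept."""
    wanted = expected_rules(ucr_text)
    _policy, have = loaded_rules(iptables_text)
    return sorted(k for k, t in wanted.items() if t == "ACCEPT" and have.get(k) != "ACCEPT")


if __name__ == "__main__":
    policy, _ = loaded_rules(IPTABLES_L_SAMPLE)
    print("packetfilter disabled in UCR:", packetfilter_disabled(UCR_SAMPLE))
    print("loaded INPUT policy:", policy)
    for proto, port in missing_accepts(UCR_SAMPLE, IPTABLES_L_SAMPLE):
        print(f"MISSING: {proto}/{port} configured ACCEPT in UCR but not in INPUT chain")
```

On the sample data the check reports tcp/80 and tcp/443 as configured but absent, and shows the chain policy as DROP even though `security/packetfilter/disabled` is true; feeding it the live output of `ucr search --brief security/packetfilter` and `iptables -L INPUT -n` from a cron job or a monitoring check turns a half-hour of guessing into a one-line finding.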
Comment 1 Philipp Hahn univentionstaff 2020-05-05 17:49:08 CEST
Again.
Comment 2 Erik Damrose univentionstaff 2020-05-05 17:50:56 CEST
30+ minutes lost searching for errors with the service and webserver configs