Firewall not persistent

Bug #59647 reported by thechemist
Affects: firestarter (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Declined for Feisty by Kees Cook
Declined for Gutsy by Luca Falavigna

Bug Description

Binary package hint: firestarter

Dapper, 386, plain vanilla pentium machine, wireless network, up to date as of Sep 9. Firestarter installed through synaptic package manager.

Firewall not persistent. After starting Firestarter through System --> Administration --> Firestarter and entering the user password, doing

            sudo iptables -L -n

will give

      target prot opt source destination
      ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state
      ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
      LSI all -- 0.0.0.0/0 0.0.0.0/0

      Chain INPUT (policy DROP)
      target prot opt source destination
      ACCEPT tcp -- 192.168.0.1 0.0.0.0/0 tcp flags:!0x17/0x02
      ACCEPT udp -- 192.168.0.1 0.0.0.0/0
      ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
      ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
      ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 limit: avg 10/sec burst 5
      DROP all -- 0.0.0.0/0 255.255.255.255
      DROP all -- 0.0.0.0/0 192.168.0.255
      DROP all -- 224.0.0.0/8 0.0.0.0/0
      DROP all -- 0.0.0.0/0 224.0.0.0/8
      DROP all -- 255.255.255.255 0.0.0.0/0
      DROP all -- 0.0.0.0/0 0.0.0.0
      DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID

and more, showing that indeed there is a firewall.

Restarting the computer and doing

      sudo iptables -L -n

will give

      Chain INPUT (policy ACCEPT)
      target prot opt source destination

      Chain FORWARD (policy ACCEPT)
      target prot opt source destination

      Chain OUTPUT (policy ACCEPT)
      target prot opt source destination

i.e. there is no firewall. The firewall will reappear only if Firestarter is started through its GUI.

The above is reproducible on two different machines. This is a security risk if an unaware user has any service running that faces the internet.

Lionel Le Folgoc (mrpouit) wrote :

Thanks for your bug report.
Do you use network-manager to manage your wireless network? If yes, I think this is the same issue as Bug #42759.

Changed in firestarter:
assignee: nobody → mrpouit
status: Unconfirmed → Needs Info
Lionel Le Folgoc (mrpouit) wrote :

We are closing this bug report as it lacks the information, described in the previous comments, we need to investigate the problem further. However, please reopen it if you can give us the missing information and don't hesitate to submit bug reports in the future.

Changed in firestarter:
assignee: mrpouit → nobody
status: Needs Info → Rejected
Eduard Christian Dumitrescu (inventatoru) wrote :

This is a _security_ bug. The cause: it's a race condition between the kernel and firestarter.sh.

Changed in firestarter:
status: Invalid → Confirmed
Eduard Christian Dumitrescu (inventatoru) wrote :

This whole bug is a race condition. The problem occurs when the computer does not have the time to set up its network interfaces, and the /etc/firestarter/firestarter.sh script is run during that period. I've got a (very) temporary solution (it worked for me):

32,42c32,42
< if [ "$MASK" = "" -a "$1" != "stop" ]; then
< echo "External network device $IF is not ready. Aborting.."
< exit 2
< fi
<
< if [ "$NAT" = "on" ]; then
< if [ "$INMASK" = "" -a "$1" != "stop" ]; then
< echo "Internal network device $INIF is not ready. Aborting.."
< exit 3
< fi
< fi
---
> #if [ "$MASK" = "" -a "$1" != "stop" ]; then
> # echo "External network device $IF is not ready. Aborting.."
> # exit 2
> #fi
>
> #if [ "$NAT" = "on" ]; then
> # if [ "$INMASK" = "" -a "$1" != "stop" ]; then
> # echo "Internal network device $INIF is not ready. Aborting.."
> # exit 3
> # fi
> #fi
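Review bot: Commenting out the whole readiness check (the `if [ "$MASK" = "" -a "$1" != "stop" ]` block and the NAT `$INMASK` block) removes the early exit, but it also removes the only diagnostic that the external or internal interface was not ready, so the rest of the script will run with an empty $MASK or $INMASK and load rules against an interface that has no address yet. Keep the guard and replace the immediate `exit 2` / `exit 3` with a bounded retry (re-read the mask a few times with a short sleep before giving up), or run the script from an if-up hook so it fires after the interface has its address, which is the mechanism a later comment in this thread reports the package eventually shipping.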

henry (henryacev) wrote :

great!

how do you apply this patch?

thanks

Changed in firestarter:
assignee: nobody → ubuntu-security
Eduard Christian Dumitrescu (inventatoru) wrote :

Henry, I assume you're kinda new to Linux, so I'll keep this simple. First, configure your firewall -- that is, you just have to start it the first time, that'll be ok. After you've done that, open a terminal window, and paste the following in it (without the quotes): "gksudo gedit /etc/firestarter/firestarter.sh". That will open an editor window. Now, seek in there the following lines (probably line 33 in the file):
------
 echo "External network device $IF is not ready. Aborting.."
 exit 2
------
edit the second line so it becomes:
------
 echo "External network device $IF is not ready. Aborting.."
# exit 2
------
Now seek these two lines (line 39 I think):
------
  echo "Internal network device $INIF is not ready. Aborting.."
  exit 3
------
edit the second one so that it becomes:
------
  echo "Internal network device $INIF is not ready. Aborting.."
# exit 3
------

This will probably fix your problem and you'll have a running firewall. After doing this, you'll probably have to restart your computer. If you want to check whether your firewall is running, just do "sudo iptables -L -n" in a terminal.

If it doesn't give you this (see below), and it returns many, many lines of text, then it means the firewall is active.
------
      Chain INPUT (policy ACCEPT)
      target prot opt source destination

      Chain FORWARD (policy ACCEPT)
      target prot opt source destination

      Chain OUTPUT (policy ACCEPT)
      target prot opt source destination
------

________________
Eduard
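
The procedure described in this thread (wait for the network interface to be ready before firestarter.sh applies its rules, then verify with "sudo iptables -L -n" that a ruleset is actually loaded) as an added example. This is not code from Firestarter, from the Ubuntu package, or from any participant in this report. It replaces the "comment out exit 2" workaround with a bounded wait for the interface, and scripts the manual "is the output empty?" check. It assumes the `ip` utility is available for the interface check; the two iptables listings embedded below are constructed samples modelled on the outputs quoted earlier in this report.

```shell
#!/bin/sh
# Added example for bug #59647; not part of firestarter.
#
# 1. wait_for_iface: instead of aborting the moment the interface has no
#    address (firestarter.sh's guard) or deleting that guard (the workaround
#    above), poll for a bounded time until the interface is usable.
# 2. firewall_active: read `iptables -L -n` output and decide whether any
#    filtering is in place, so the post-reboot check can be scripted.

# Poll for up to $2 seconds (default 30) until interface $1 has an IPv4
# address. Returns 0 when ready, 1 on timeout. Requires `ip` (assumption).
wait_for_iface() {
    iface=$1
    timeout=${2:-30}
    while [ "$timeout" -gt 0 ]; do
        if ip -4 -o addr show dev "$iface" 2>/dev/null | grep -q 'inet '; then
            return 0
        fi
        sleep 1
        timeout=$((timeout - 1))
    done
    return 1
}

# Read `iptables -L -n` output on stdin. Returns 0 (active) if any chain's
# default policy is not ACCEPT, or if any chain contains at least one rule.
# Returns 1 if every chain is empty with policy ACCEPT, i.e. no firewall.
firewall_active() {
    awk '
        /^Chain / {
            if ($0 !~ /\(policy ACCEPT\)/) active = 1
            next
        }
        /^target/ { next }          # column header line
        NF > 0    { active = 1 }    # any remaining non-blank line is a rule
        END       { exit (active ? 0 : 1) }
    '
}

# Constructed sample: the empty ruleset the reporter saw after a reboot.
EMPTY_RULES='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Constructed sample: a Firestarter-style ruleset (INPUT policy DROP, rules).
ACTIVE_RULES='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Feed a sample listing through firewall_active; prints active/inactive.
check_sample() {
    if printf '%s\n' "$1" | firewall_active; then
        echo active
    else
        echo inactive
    fi
}

# On a real host (not executed here, since it needs root and a live interface):
#   wait_for_iface eth0 30 && sh /etc/firestarter/firestarter.sh start
#   sudo iptables -L -n | firewall_active && echo "firewall active"
```

Because `firewall_active` looks at policies as well as rule lines, a ruleset whose only effect is a default DROP policy still counts as active, while the "three empty chains, all ACCEPT" listing quoted in this report counts as inactive. The wait loop is bounded so that a missing interface still fails (non-zero exit) rather than hanging boot.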

Kees Cook (kees)
Changed in firestarter:
assignee: ubuntu-security → nobody
status: Confirmed → New
Changed in firestarter:
status: New → Confirmed
hackel (hackel) wrote :

I stumbled across this bug because the firewall DOES seem to be persistent in the latest version (1.0.3-6ubuntu4). I installed Firestarter, set up a simple firewall, and now it is being applied whenever my wireless connection goes up or down (by NetworkManager, from /etc/network/if-up.d/50firestarter). This is NOT what I want, however. I only want to run the firewall when I explicitly start Firestarter. I only installed it because I wanted to monitor outgoing connections for something I was working on. I agree that it's a security risk if users think the firewall is persistent when it is not; however, there needs to be an easy way to disable this persistence.

Realistically, I only want a firewall to be activated when I am logging into a public wifi network or some other condition. It would be great if the activation of Firestarter could be tied into Network Manager so all this was automated somehow.

Phillip Susi (psusi) wrote :

This package has been removed from Ubuntu. Closing all related bugs.

Changed in firestarter (Ubuntu):
status: Confirmed → Invalid