Bug#908655: marked as done (apf-firewall: The rules activated by PKT_SANITY_STUFFED are overzealous and block DSL customers)

To: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Subject: Bug#908655: marked as done (apf-firewall: The rules activated by PKT_SANITY_STUFFED are overzealous and block DSL customers)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Mon, 03 Jul 2023 23:43:24 +0000
Message-id: <[🔎] handler.908655.D908655.16884277763151172.ackdone@bugs.debian.org>
Reply-to: 908655@bugs.debian.org
References: <[🔎] E1qGTBz-000ZmB-K2@fasolo.debian.org> <E1g00xE-0004xD-4l@server.wiersig.de>

Your message dated Mon, 03 Jul 2023 23:42:51 +0000
with message-id <[🔎] E1qGTBz-000ZmB-K2@fasolo.debian.org>
and subject line Bug#1040239: Removed package(s) from unstable
has caused the Debian Bug report #908655,
regarding apf-firewall: The rules activated by PKT_SANITY_STUFFED are overzealous and block DSL customers
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
908655: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=908655
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apf-firewall: The rules activated by PKT_SANITY_STUFFED are overzealous and block DSL customers
From: Peter Wiersig <peter@friesenpeter.de>
Date: Wed, 12 Sep 2018 10:56:56 +0200
Message-id: <E1g00xE-0004xD-4l@server.wiersig.de>

Package: apf-firewall
Version: 9.7+rev1-5
Severity: normal

Dear Maintainer,

thanks for the time you make available for maintaining packages in
Debian.

I just had an issue in apf-firewall I hopefully expressed understandably
below.

   * What led up to the situation?

   I got a report that someone could only access my website via his
   mobile phone, not via his landline internet access. After switching
   off apf-firewall access was possible, further investigation revealed
   a conceptional mistake.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?
   
   Added the IP address directly to the allow hosts.

   * What was the outcome of this action?
   
   Access to website was restored, then went on to hunt rules which
   triggered with the orignal rulesets. Found the source rule in
   bt.rules and went and deactivated PKT_SANITY_STUFFED.  Not every
   0.0.0.255 is a broadcast, and even .191, .127 or .63 may be, why not
   also block those? 

   * What outcome did you expect instead?

   Not to block 0.0.0.255 as you can't tell how the provider uses a big
   allocation like    92.252.0.0/17AS15747 for his customers.
   netnum:        92.252.8.0 - 92.252.111.255


With kind regards

Peter

-- System Information:
Debian Release: 9.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apf-firewall depends on:
ii  iproute   1:4.9.0-1+deb9u1
ii  iptables  1.6.0+snapshot20161117-6
ii  lsb-base  9.20161125
ii  wget      1.18-5+deb9u2

apf-firewall recommends no packages.

apf-firewall suggests no packages.

-- Configuration Files:
/etc/apf-firewall/allow_hosts.rules changed:
92.252.xx.255

/etc/apf-firewall/conf.apf changed:
DEVEL_MODE="0"
INSTALL_PATH="/etc/apf-firewall"
IFACE_IN="eth0" 
IFACE_OUT="eth0"
IFACE_TRUSTED=""
SET_VERBOSE="1"
SET_FASTLOAD="0"
SET_VNET="0"
SET_ADDIFACE="0"
SET_MONOKERN="0"
SET_REFRESH="30"
SET_TRIM="150"
VF_ROUTE="1"
VF_CROND="1"
VF_LGATE=""
RAB="1"
RAB_SANITY="1"
RAB_PSCAN_LEVEL="2"
RAB_HITCOUNT="1"
RAB_TIMER="300"
RAB_TRIP="1"
RAB_LOG_HIT="1"
RAB_LOG_TRIP="0"
TCP_STOP="RESET"
UDP_STOP="RESET"
ALL_STOP="DROP"
PKT_SANITY="1"
PKT_SANITY_INV="1"
PKT_SANITY_FUDP="1"
PKT_SANITY_PZERO="1"
PKT_SANITY_STUFFED="0"
TOS_DEF="0"
TOS_DEF_RANGE="512:65535"
TOS_0=""
TOS_2=""
TOS_4=""
TOS_8="80,443"
TOS_16="25,110,143,22"
TCR_PASS="1"		TCR_PORTS="33434:33534"
ICMP_LIM="30/s"
RESV_DNS="1"
RESV_DNS_DROP="1"
BLK_P2P_PORTS=""
BLK_PORTS="111,135_139,445,513,520,1234,1433,1434,1524,3127"
BLK_MCATNET="1"
BLK_PRVNET="1"
BLK_RESNET="1"
BLK_IDENT="1"
SYSCTL_CONNTRACK="34576"
SYSCTL_TCP="1"
SYSCTL_SYN="1"
SYSCTL_ROUTE="1"
SYSCTL_LOGMARTIANS="1"
SYSCTL_ECN="1"
SYSCTL_SYNCOOKIES="1"
SYSCTL_OVERFLOW="0"
HELPER_SSH="1"
HELPER_SSH_PORT="22"
HELPER_FTP="0"
HELPER_FTP_PORT="21"
HELPER_FTP_DATA="20"
IG_TCP_CPORTS="22,25,465,587,80,443,993,995,1011,30033"
IG_UDP_CPORTS="9987"
IG_ICMP_TYPES="3,5,11,0,30,8"
EGF="0"
EG_TCP_CPORTS="21,25,80,443,43"
EG_UDP_CPORTS="20,21,53"
EG_ICMP_TYPES="all"
EG_TCP_UID=""
EG_UDP_UID=""
EG_DROP_CMD="eggdrop psybnc bitchx BitchX init udp.pl"
DLIST_PHP="1"
DLIST_PHP_URL="rfxn.com/downloads/php_list"          
DLIST_PHP_URL_PROT="http"                            
DLIST_SPAMHAUS="1"
DLIST_SPAMHAUS_URL="www.spamhaus.org/drop/drop.lasso"     
DLIST_SPAMHAUS_URL_PROT="http"                            
DLIST_DSHIELD="1"
DLIST_DSHIELD_URL="feeds.dshield.org/top10-2.txt"   
DLIST_DSHIELD_URL_PROT="http"                       
DLIST_RESERVED="1"
DLIST_RESERVED_URL="rfxn.com/downloads/reserved.networks"
DLIST_RESERVED_URL_PROT="http"			    
DLIST_ECNSHAME="0"
DLIST_ECNSHAME_URL="rfxn.com/downloads/ecnshame.lst" 
DLIST_ECNSHAME_URL_PROT="http"               
USE_RGT="0"
GA_URL="yourhost.com/glob_allow.rules"       
GA_URL_PROT="http" 			     
GD_URL="yourhost.com/glob_deny.rules"        
GD_URL_PROT="http"			     
LOG_DROP="0"
LOG_LEVEL="crit"
LOG_TARGET="LOG"
LOG_IA="1"
LOG_LGATE="0"
LOG_EXT="0"
LOG_RATE="30"
LOG_APF="/var/log/apf_log"
CNFINT="$INSTALL_PATH/internals/internals.conf"
. $CNFINT

/etc/default/apf-firewall changed:
RUN="yes"

-- no debconf information

--- End Message ---

--- Begin Message ---

To: 519961-done@bugs.debian.org,633648-done@bugs.debian.org,703220-done@bugs.debian.org,841895-done@bugs.debian.org,851349-done@bugs.debian.org,908655-done@bugs.debian.org,1039127-done@bugs.debian.org,842966-done@bugs.debian.org,

Cc: apf-firewall@packages.debian.org

Subject: Bug#1040239: Removed package(s) from unstable

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Date: Mon, 03 Jul 2023 23:42:51 +0000

Message-id: <[🔎] E1qGTBz-000ZmB-K2@fasolo.debian.org>
Version: 9.7+rev1-7+rm

Dear submitter,

as the package apf-firewall has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1040239

The version of this package that was in Debian prior to this removal
can still be found using https://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---

Reply to:

References:
- Bug#1040239: Removed package(s) from unstable
  - From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>

Prev by Date: Bug#841895: marked as done (apf-firewall: Apf blocks mysql connection on 127.0.0.1)
Next by Date: Bug#841897: marked as done (apf-firewall: Apf blocks mysql connection on 127.0.0.1)
Previous by thread: Bug#841895: marked as done (apf-firewall: Apf blocks mysql connection on 127.0.0.1)
Next by thread: Bug#841897: marked as done (apf-firewall: Apf blocks mysql connection on 127.0.0.1)
Index(es):
- Date
- Thread