--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: apf-firewall: The rules activated by PKT_SANITY_STUFFED are overzealous and block DSL customers
- From: Peter Wiersig <peter@friesenpeter.de>
- Date: Wed, 12 Sep 2018 10:56:56 +0200
- Message-id: <E1g00xE-0004xD-4l@server.wiersig.de>
Package: apf-firewall
Version: 9.7+rev1-5
Severity: normal
Dear Maintainer,
thanks for the time you make available for maintaining packages in
Debian.
I just had an issue in apf-firewall I hopefully expressed understandably
below.
* What led up to the situation?
I got a report that someone could only access my website via his
mobile phone, not via his landline internet access. After switching
off apf-firewall access was possible, further investigation revealed
a conceptional mistake.
* What exactly did you do (or not do) that was effective (or
ineffective)?
Added the IP address directly to the allow hosts.
* What was the outcome of this action?
Access to website was restored, then went on to hunt rules which
triggered with the orignal rulesets. Found the source rule in
bt.rules and went and deactivated PKT_SANITY_STUFFED. Not every
0.0.0.255 is a broadcast, and even .191, .127 or .63 may be, why not
also block those?
* What outcome did you expect instead?
Not to block 0.0.0.255 as you can't tell how the provider uses a big
allocation like 92.252.0.0/17AS15747 for his customers.
netnum: 92.252.8.0 - 92.252.111.255
With kind regards
Peter
-- System Information:
Debian Release: 9.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-8-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages apf-firewall depends on:
ii iproute 1:4.9.0-1+deb9u1
ii iptables 1.6.0+snapshot20161117-6
ii lsb-base 9.20161125
ii wget 1.18-5+deb9u2
apf-firewall recommends no packages.
apf-firewall suggests no packages.
-- Configuration Files:
/etc/apf-firewall/allow_hosts.rules changed:
92.252.xx.255
/etc/apf-firewall/conf.apf changed:
DEVEL_MODE="0"
INSTALL_PATH="/etc/apf-firewall"
IFACE_IN="eth0"
IFACE_OUT="eth0"
IFACE_TRUSTED=""
SET_VERBOSE="1"
SET_FASTLOAD="0"
SET_VNET="0"
SET_ADDIFACE="0"
SET_MONOKERN="0"
SET_REFRESH="30"
SET_TRIM="150"
VF_ROUTE="1"
VF_CROND="1"
VF_LGATE=""
RAB="1"
RAB_SANITY="1"
RAB_PSCAN_LEVEL="2"
RAB_HITCOUNT="1"
RAB_TIMER="300"
RAB_TRIP="1"
RAB_LOG_HIT="1"
RAB_LOG_TRIP="0"
TCP_STOP="RESET"
UDP_STOP="RESET"
ALL_STOP="DROP"
PKT_SANITY="1"
PKT_SANITY_INV="1"
PKT_SANITY_FUDP="1"
PKT_SANITY_PZERO="1"
PKT_SANITY_STUFFED="0"
TOS_DEF="0"
TOS_DEF_RANGE="512:65535"
TOS_0=""
TOS_2=""
TOS_4=""
TOS_8="80,443"
TOS_16="25,110,143,22"
TCR_PASS="1" TCR_PORTS="33434:33534"
ICMP_LIM="30/s"
RESV_DNS="1"
RESV_DNS_DROP="1"
BLK_P2P_PORTS=""
BLK_PORTS="111,135_139,445,513,520,1234,1433,1434,1524,3127"
BLK_MCATNET="1"
BLK_PRVNET="1"
BLK_RESNET="1"
BLK_IDENT="1"
SYSCTL_CONNTRACK="34576"
SYSCTL_TCP="1"
SYSCTL_SYN="1"
SYSCTL_ROUTE="1"
SYSCTL_LOGMARTIANS="1"
SYSCTL_ECN="1"
SYSCTL_SYNCOOKIES="1"
SYSCTL_OVERFLOW="0"
HELPER_SSH="1"
HELPER_SSH_PORT="22"
HELPER_FTP="0"
HELPER_FTP_PORT="21"
HELPER_FTP_DATA="20"
IG_TCP_CPORTS="22,25,465,587,80,443,993,995,1011,30033"
IG_UDP_CPORTS="9987"
IG_ICMP_TYPES="3,5,11,0,30,8"
EGF="0"
EG_TCP_CPORTS="21,25,80,443,43"
EG_UDP_CPORTS="20,21,53"
EG_ICMP_TYPES="all"
EG_TCP_UID=""
EG_UDP_UID=""
EG_DROP_CMD="eggdrop psybnc bitchx BitchX init udp.pl"
DLIST_PHP="1"
DLIST_PHP_URL="rfxn.com/downloads/php_list"
DLIST_PHP_URL_PROT="http"
DLIST_SPAMHAUS="1"
DLIST_SPAMHAUS_URL="www.spamhaus.org/drop/drop.lasso"
DLIST_SPAMHAUS_URL_PROT="http"
DLIST_DSHIELD="1"
DLIST_DSHIELD_URL="feeds.dshield.org/top10-2.txt"
DLIST_DSHIELD_URL_PROT="http"
DLIST_RESERVED="1"
DLIST_RESERVED_URL="rfxn.com/downloads/reserved.networks"
DLIST_RESERVED_URL_PROT="http"
DLIST_ECNSHAME="0"
DLIST_ECNSHAME_URL="rfxn.com/downloads/ecnshame.lst"
DLIST_ECNSHAME_URL_PROT="http"
USE_RGT="0"
GA_URL="yourhost.com/glob_allow.rules"
GA_URL_PROT="http"
GD_URL="yourhost.com/glob_deny.rules"
GD_URL_PROT="http"
LOG_DROP="0"
LOG_LEVEL="crit"
LOG_TARGET="LOG"
LOG_IA="1"
LOG_LGATE="0"
LOG_EXT="0"
LOG_RATE="30"
LOG_APF="/var/log/apf_log"
CNFINT="$INSTALL_PATH/internals/internals.conf"
. $CNFINT
/etc/default/apf-firewall changed:
RUN="yes"
-- no debconf information
--- End Message ---