Package: firehol
Version: 1.231-7
Severity: normal

Firehol is started at boot time through the init script
/etc/init.d/firehol. While the iptables rules themselves get loaded,
the policies of the iptables chains INPUT, OUTPUT, FORWARD, ... remain
in state ACCEPT. After reinvoking

/etc/init.d/firehol restart

the policies change to DROP - as they should. I can reproduce this
behaviour on several firewalls where I'm using firehol.

I have not figured out yet what could cause this condition. Maybe it
could be SELinux, since I can only find evidence of iptables
settings here in /etc/selinux/refpolicy-targeted/contexts/netfilter_contexts.
But the kernel says:

SELinux:  Disabled at boot.

so I'm not sure if SELinux is still getting invoked, and where.

Luckily, firehol uses some final DROP rules in the ruleset, so this is
not as insecure as it looks. But without them, the firewall may
stay completely open in this case. Anyway, it looks as if two systems
are trying to change firewall rules at the same time.

Regards,
Andreas


-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-6-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages firehol depends on:
ii  bash                    3.1dfsg-8        The GNU Bourne Again SHell
ii  iproute                 20061002-3       Professional tools to control the 
ii  iptables                1.3.6.0debian1-5 administration tools for packet fi
ii  net-tools               1.60-17          The NET-3 networking toolkit

Versions of packages firehol recommends:
ii  curl                       7.15.5-1etch1 Get a file from an HTTP, HTTPS, FT
ii  module-init-tools          3.3-pre4-2    tools for managing Linux kernel mo
ii  wget                       1.10.2-2      retrieves files from the web

-- no debconf information
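A check for the condition described in the report, as an added example that is not part of the bug report or of the firehol package: a POSIX shell function that parses `iptables -L -n` output and fails unless every named built-in filter chain carries a DROP policy. The two sample listings are constructed here (one mirroring the reported state, with rules loaded but policies still ACCEPT; one with the expected DROP policies); the chain names are the standard filter-table ones and the usage line assumes root and a working iptables.

```shell
#!/bin/sh
# Added example, not firehol code: verify that the built-in filter chains
# have policy DROP after the firewall has loaded. Reads an `iptables -L -n`
# style listing on stdin.

# check_policies "CHAIN1 CHAIN2 ..."
# Returns 0 if every listed chain has policy DROP; otherwise prints one
# line per offending or missing chain and returns 1.
check_policies() {
    chains="$1"
    listing=$(cat)
    rc=0
    for c in $chains; do
        # Extract the word after "(policy " on the chain header line.
        pol=$(printf '%s\n' "$listing" | sed -n "s/^Chain $c (policy \([A-Z]*\).*/\1/p")
        if [ -z "$pol" ]; then
            echo "chain $c: not found"
            rc=1
        elif [ "$pol" != "DROP" ]; then
            echo "chain $c: policy $pol (expected DROP)"
            rc=1
        fi
    done
    return $rc
}

# Constructed listing reproducing the reported state: rules are present,
# but the built-in policies are still ACCEPT.
SAMPLE_OPEN='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
in_world   all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
out_world  all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed listing of the expected state after a restart.
SAMPLE_CLOSED='Chain INPUT (policy DROP)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy DROP)
target     prot opt source               destination'

# Stand-alone run: exercise both constructed samples.
printf '%s\n' "$SAMPLE_OPEN" | check_policies "INPUT FORWARD OUTPUT" \
    && echo "open sample: unexpectedly passed" || echo "open sample: flagged as expected"
printf '%s\n' "$SAMPLE_CLOSED" | check_policies "INPUT FORWARD OUTPUT" \
    && echo "closed sample: all policies DROP" || echo "closed sample: unexpectedly failed"

# Against a live firewall (root required):
#   iptables -L -n | check_policies "INPUT FORWARD OUTPUT" || echo "policies not DROP"
```

Run it from the end of the init script, or from a boot-time cron job, and alert on a non-zero exit; it only inspects the chain headers, so it is independent of which rules firehol generated.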

