ClearOS Bug Tracker


View Issue Details

ID: 0000020
Project: ClearOS
Category: app-intrusion-prevention - Intrusion Prevention
View Status: public
Date Submitted: 2010-01-22 03:23
Last Update: 2010-03-02 19:21
Reporter: timb80
Assigned To: dsokoloski
Priority: normal
Severity: minor
Reproducibility: always
Status: closed
Resolution: fixed
Platform: (none)
OS: (none)
OS Version: (none)
Product Version: 5.1
Target Version: (none)
Fixed in Version: 5.1
Summary: 0000020: Firewall restart does not regenerate all snortsam iptables rules
Description: IPs blocked by snortsam during operation are defined by two rules in the INPUT chain to prevent any traffic originating from the suspect IP (with both source and dest defined). Restart of firewall does not re-create both rules. Snortsam then gives errors about missing iptables rule after time elapses.

To reproduce:
run a port scan (say from grc.com) to block an IP

snortsam will block with two rules (/var/log/snortsam):
2010/01/22, 10:12:45, 127.0.0.1, 2, snortsam, Blocking host 4.79.142.206 completely for 86400 seconds (Sig_ID:524).

iptables -L INPUT -n -v | grep 4.79
    0 0 DROP all -- eth1 * 0.0.0.0/0 4.79.142.206
  184 8048 DROP all -- eth1 * 4.79.142.206 0.0.0.0/0

do a 'service firewall restart'

iptables -L INPUT -n -v | grep 4.79
    0 0 DROP all -- eth1 * 4.79.142.206 0.0.0.0/0

Only the original rule is recreated.

After the 24 hours have passed, snortsam will attempt to remove both rules (unblock the host) and report the following error, as obviously one of the two rules is now missing:
iptables, Error: Command2 /sbin/iptables -D INPUT -i eth1 -s 4.79.142.206 -j DROP Failed
Additional Information: As far as I can tell this affects the section of code "Running incoming denied rules", as the IP does not appear under the list of blocked external hosts from /var/log/system
/etc/rc.d/firewall.lua

Tags: No tags attached.
Attached Files:
- snortsam-reblock (2,261 bytes) 2010-01-24 16:50
- snortsam-reblock-output.txt (3,108 bytes) 2010-01-25 01:58

- Notes
(0000013)
timb80 (developer)
2010-01-22 03:25

P.S. this category has a typo ;) [ClearOS] Intrusion Projection <<
(0000014)
timb80 (developer)
2010-01-22 03:28

EDIT: Sorry, I have a typo on the last line! The Snortsam iptables error relates to the rule when the IP is in the destination field. Source field shown above.
iptables, Error: Command2 /sbin/iptables -D INPUT -i eth1 -d 208.111.139.4 -j DROP Failed
(0000015)
dsokoloski (developer)
2010-01-22 11:18
edited on: 2010-01-22 11:23

The firewall init script ignores the snortsam 'mode' type and recreates the iptables rules as FWSAM_HOW_IN only. It is possible for a blocked host to have the following modes:

FWSAM_HOW_IN: blocked host based on incoming traffic
FWSAM_HOW_OUT: blocked host based on outgoing traffic
FWSAM_HOW_INOUT: blocked host based on both in/outgoing traffic
FWSAM_HOW_THIS: blocked host based on traffic sent directly to the gateway

I have updated the firewall init script adding support for the first three modes. This should properly recreate most of the block rules. FWSAM_HOW_THIS will require more changes so I haven't implemented this mode yet.

If you have time, could you test the updated init script? I've attached it to this bug report. Backup your existing /etc/init.d/firewall script and copy this one over it... or just run the updated version from whatever directory you copy it to.

Thanks for the feedback!

(0000017)
timb80 (developer)
2010-01-22 14:25

Hi, thanks for the prompt reply! Unfortunately it doesn't appear to work here. If I restart the firewall, it no longer recreates the block rules from snortsam... if I restart snortsam then only the first rule is recreated, as it was before.

Port scan, ip blocked
2010/01/22, 21:22:04, 127.0.0.1, 2, snortsam, Blocking host 4.79.142.206 completely for 86400 seconds (Sig_ID: 524).

[root@starlane:~]# iptables -L INPUT -n -v | grep 4.79
    0 0 DROP all -- eth1 * 0.0.0.0/0 4.79.142.206
  201 8788 DROP all -- eth1 * 4.79.142.206 0.0.0.0/0
[root@starlane:~]# service firewall restart
Starting firewall: [ OK ]
[root@starlane:~]# iptables -L INPUT -n -v | grep 4.79
[root@starlane:~]# << no rules created
[root@starlane:~]# service snortsam restart
Stopping snortsam: [ OK ]
Starting snortsam: [ OK ]
[root@starlane:~]# iptables -L INPUT -n -v | grep 4.79
    0 0 DROP all -- eth1 * 4.79.142.206 0.0.0.0/0
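
The session above checks the two rules by eye. The following script is an added example, not part of the tracker or of the snortsam-reblock attachment: it parses the same `iptables -L INPUT -n -v` listing, reports which of snortsam's two DROP rules (host as source, host as destination) is missing, and prints the command that would restore it. The interface name eth1 and the host 4.79.142.206 come from the report; the sample listings are constructed to match its output.

```shell
#!/bin/sh
# Added example for ClearOS tracker 0000020; not ClearOS code and not the
# snortsam-reblock script. Reads an `iptables -L INPUT -n -v` listing on
# stdin and checks that both DROP rules snortsam installs for a host are
# present: one with the host as source, one with the host as destination.

# check_block_rules IP < listing  -> prints: both | src-only | dst-only | none
check_block_rules() {
    ip=$1 src=0 dst=0
    # listing columns: pkts bytes target prot opt in out source destination
    while read -r pkts bytes target prot opt iif oif saddr daddr rest; do
        if [ "$target" = DROP ]; then
            if [ "$saddr" = "$ip" ]; then src=1; fi
            if [ "$daddr" = "$ip" ]; then dst=1; fi
        fi
    done
    if [ $src -eq 1 ] && [ $dst -eq 1 ]; then echo both
    elif [ $src -eq 1 ]; then echo src-only
    elif [ $dst -eq 1 ]; then echo dst-only
    else echo none
    fi
}

# restore_cmds IP IFACE < listing -> prints the iptables command(s) that
# would re-add whichever rule is missing; prints nothing when both exist.
restore_cmds() {
    ip=$1 iface=$2
    case $(check_block_rules "$ip") in
        src-only) echo "iptables -I INPUT -i $iface -d $ip -j DROP" ;;
        dst-only) echo "iptables -I INPUT -i $iface -s $ip -j DROP" ;;
        none)     echo "iptables -I INPUT -i $iface -d $ip -j DROP"
                  echo "iptables -I INPUT -i $iface -s $ip -j DROP" ;;
    esac
}

# Constructed listings matching the report: before and after
# `service firewall restart` (only the source rule survives the restart).
BEFORE_RESTART='    0 0 DROP all -- eth1 * 0.0.0.0/0 4.79.142.206
  184 8048 DROP all -- eth1 * 4.79.142.206 0.0.0.0/0'
AFTER_RESTART='    0 0 DROP all -- eth1 * 4.79.142.206 0.0.0.0/0'

printf '%s\n' "$BEFORE_RESTART" | check_block_rules 4.79.142.206  # both
printf '%s\n' "$AFTER_RESTART"  | check_block_rules 4.79.142.206  # src-only
printf '%s\n' "$AFTER_RESTART"  | restore_cmds 4.79.142.206 eth1
```

On a live gateway, feed the real listing instead of the sample: `iptables -L INPUT -n -v | check_block_rules 4.79.142.206`.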
(0000018)
dsokoloski (developer)
2010-01-22 14:39

Can you download the attached script "snortsam-reblock" to your server, chmod a+x, and then:

./snortsam-reblock

Post the output here. Thanks again!
(0000019)
timb80 (developer)
2010-01-24 14:32

Attached the output as snortsam-reblock-output.txt
(0000020)
dsokoloski (developer)
2010-01-24 16:51

Thanks for the feedback.

I've uploaded another test script with the appropriate fix (I hope).

Btw, my PSNID is darryl, add me :)
(0000021)
timb80 (developer)
2010-01-25 01:58

Attached revised output, just after I'd run another port scan... looks promising.

Will add you later :)
(0000022)
dsokoloski (developer)
2010-01-25 15:58

Looks good. I've committed the fixes to SVN and I will mark this as resolved unless you find that the regenerated rules are not correct.

Found ya on PSN... thanks! :)
(0000038)
user2
2010-02-22 16:54

Source Code Changelog
---------------------------------------------------
- Fixed intrusion prevention hooks to regenerate firewall rules [fixed tracker 0000020]

File Changes
---------------------------------------------------
U legacy/modules/branches/5.1/app-firewall/app-firewall.spec.in
U legacy/modules/branches/5.1/app-firewall/firewall
A legacy/modules/branches/5.1/app-firewall/snortsam-reblock
(0000052)
user2
2010-03-02 19:21

Errata Update CFBA-2010:031 - http://clearsdn.clearcenter.com/software/admin.php?aid=31

- Issue History
Date Modified Username Field Change
2010-01-22 03:23 timb80 New Issue
2010-01-22 03:25 timb80 Note Added: 0000013
2010-01-22 03:28 timb80 Note Added: 0000014
2010-01-22 08:35 user2 Status new => assigned
2010-01-22 08:35 user2 Assigned To => dsokoloski
2010-01-22 11:18 dsokoloski Note Added: 0000015
2010-01-22 11:18 dsokoloski Resolution open => fixed
2010-01-22 11:18 dsokoloski Fixed in Version => 5.2
2010-01-22 11:21 dsokoloski File Added: firewall
2010-01-22 11:21 dsokoloski Status assigned => acknowledged
2010-01-22 11:22 dsokoloski Note Edited: 0000015
2010-01-22 11:23 dsokoloski Note Edited: 0000015
2010-01-22 12:51 dsokoloski Status acknowledged => resolved
2010-01-22 14:25 timb80 Note Added: 0000017
2010-01-22 14:25 timb80 Status resolved => feedback
2010-01-22 14:25 timb80 Resolution fixed => reopened
2010-01-22 14:38 dsokoloski File Added: snortsam-reblock
2010-01-22 14:39 dsokoloski Note Added: 0000018
2010-01-24 14:30 timb80 File Added: snortsam-reblock-output.txt
2010-01-24 14:32 timb80 Note Added: 0000019
2010-01-24 16:49 dsokoloski File Deleted: firewall
2010-01-24 16:49 dsokoloski File Deleted: snortsam-reblock
2010-01-24 16:49 dsokoloski File Deleted: snortsam-reblock-output.txt
2010-01-24 16:50 dsokoloski File Added: snortsam-reblock
2010-01-24 16:51 dsokoloski Note Added: 0000020
2010-01-25 01:58 timb80 File Added: snortsam-reblock-output.txt
2010-01-25 01:58 timb80 Note Added: 0000021
2010-01-25 15:58 dsokoloski Note Added: 0000022
2010-01-25 15:59 dsokoloski Status feedback => resolved
2010-02-22 16:54 user2 Checkin
2010-02-22 16:54 user2 Note Added: 0000038
2010-02-22 16:54 user2 Resolution reopened => fixed
2010-02-24 10:02 user2 Fixed in Version 5.2 => 5.1
2010-03-02 19:21 user2 Note Added: 0000052
2010-03-02 19:21 user2 Status resolved => closed