shorewall does not handle non-resolvable hostname gracefully

Bug #570611 reported by alligator424@free.fr
Affects: shorewall (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Binary package hint: iptables

version: Ubuntu 8.04.4 LTS
component: iptables
It seems that a null/invalid IP (a DynDNS error, not instantiated in the world because of a syntax error in the domain name) crashes iptables, freezing the Ubuntu server.

example:

- rightaddress.dyndns.org is a correct, valid IP address
- badaddress.dyndns.org is a syntactically faulty or unresolved address.

Then on booting, we see in shorewall-init.log:

17:57:30 Rule "ACCEPT net:rightaddress.dyndns.org fw tcp 3306 "
added.
iptables v1.3.8: host/network `badaddress.dyndns.org' not found
Try `iptables -h' or 'iptables --help' for more information.
   ERROR: Command "/sbin/iptables -A net2fw -p tcp -s
badaddress.dyndns.org --dport 80 -j ACCEPT" Failed

Then the Ubuntu server froze!
I had to:
 - switch to rescue mode and comment out the faulting line in /etc/shorewall/rules
 - reboot in standard mode
to recover control of the system.

Because badaddress.dyndns.org does not evaluate to a real IP, the server is frozen (none of the other iptables rules are evaluated). This may contribute to shutting down the Internet (at least all iptables computers) in case of a DNS failure. Of course a DNS failure is itself a catastrophic hypothesis, but this behaviour doesn't help. So maybe it is NOT the right action and may be a bug.

security vulnerability: yes → no
visibility: private → public
affects: iptables (Ubuntu) → shorewall (Ubuntu)
summary: "it seems that a null/non-valid IP (dns error, not instancied on World) crash iptables frozing the ubuntu server" → "shorewall does not handle non-resolvable hostname gracefully"
Jamie Strandboge (jdstrand) wrote:

Trying to reproduce this, I have:
$ sudo iptables -A INPUT -p tcp -s badaddress.dyndns.org --dport 80 -j ACCEPT
iptables v1.3.8: host/network `badaddress.dyndns.org' not found
Try `iptables -h' or 'iptables --help' for more information.

iptables is not crashing, but instead is letting you know that you can't use 'badaddress.dyndns.org' as a source address because it is unresolvable. It appears this is a problem in shorewall not gracefully handling this error.

PS -- In the vast majority of cases, you do not want to use a hostname in your firewall rules because of things like this and because if someone controls the DNS server on the network your computer is using, then he/she can control access to your firewall.
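Added example, not code from the bug report, from shorewall or from Ubuntu: a POSIX sh pre-check that does what the comment above recommends, refusing hostnames in the source field so the firewall never depends on DNS at boot, and that handles the failure mode the report describes by skipping the offending rule and continuing instead of aborting the whole ruleset. The chain name net2fw and the two dyndns placeholder names are taken from the report; the function names, the two-column rule format and the sample rules are assumptions made for this example, and the iptables commands are printed rather than executed so it is safe to run anywhere.

```shell
#!/bin/sh
# Added example, not shorewall's or Ubuntu's code: validate the source field
# of each rule before it reaches iptables, so a hostname (which may fail to
# resolve at boot, or be controlled by whoever controls DNS) is reported and
# skipped instead of aborting the whole ruleset as in the report above.
# "net2fw" is the chain name from the report's log; the function names, rule
# format and sample rules below are made up for this example.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix
# (e.g. 192.0.2.0/24); return 1 for anything else, including hostnames.
is_ipv4_cidr() {
    _addr=$1
    # Anything other than digits, dots and a slash (letters, glob characters,
    # spaces) is rejected up front; this also keeps "set -- $_addr" glob-free.
    case $_addr in ''|*[!0-9./]*) return 1 ;; esac
    case $_addr in
        */*)
            _prefix=${_addr#*/}
            _addr=${_addr%/*}
            case $_prefix in ''|*[!0-9]*) return 1 ;; esac
            [ "$_prefix" -le 32 ] || return 1
            ;;
    esac
    _oldifs=$IFS
    IFS=.
    set -- $_addr          # split on dots into the positional parameters
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _octet in "$@"; do
        case $_octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$_octet" -le 255 ] || return 1
    done
    return 0
}

# Read rules as "<source> <tcp port>" lines from stdin. Valid entries are
# printed as the iptables command that would be run; entries with a hostname
# or a bad port are reported on stderr and skipped, and processing continues
# with the next rule rather than stopping at the first failure.
build_rules() {
    _built=0
    _skipped=0
    while read -r _src _port _rest; do
        case $_src in ''|'#'*) continue ;; esac      # blank line or comment
        if ! is_ipv4_cidr "$_src"; then
            printf 'WARNING: skipping rule for %s: not an IP literal (a hostname needs working DNS at boot)\n' "$_src" >&2
            _skipped=$((_skipped + 1))
            continue
        fi
        case $_port in
            ''|*[!0-9]*)
                printf 'WARNING: skipping rule for %s: bad port "%s"\n' "$_src" "$_port" >&2
                _skipped=$((_skipped + 1))
                continue ;;
        esac
        printf '/sbin/iptables -A net2fw -p tcp -s %s --dport %s -j ACCEPT\n' "$_src" "$_port"
        _built=$((_built + 1))
    done
    printf '%d rule(s) built, %d skipped\n' "$_built" "$_skipped" >&2
}

# Constructed sample rules (the two dyndns names are the placeholders used in
# the report; 203.0.113.x and 192.0.2.x are documentation ranges, not hosts).
SAMPLE_RULES='# source                 port
203.0.113.10             3306
badaddress.dyndns.org    80
192.0.2.0/24             22
rightaddress.dyndns.org  3306'

# Count lines on stdin without depending on wc's output formatting.
count_lines() {
    _n=0
    while read -r _line; do _n=$((_n + 1)); done
    echo "$_n"
}

# Run the sample through the builder: two commands on stdout, two warnings
# and the summary on stderr.
printf '%s\n' "$SAMPLE_RULES" | build_rules
```

Only the two IP-literal rules are emitted; both dyndns entries are skipped with a warning, including the one that would have resolved, because the policy is to keep DNS out of the boot-time ruleset entirely. If a hostname really must be used, resolve it in a separate step (for example from a cron job that rewrites an ipset or a generated rules file) so a lookup failure degrades to a stale address rather than an empty firewall.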
