[Whonix-devel] Bug#829752: netfilter-persistent systemd service does not lock the network if netfilter-persistent wrapper is failing at system bootup
Patrick Schleizer
adrelanos at riseup.net
Tue Jul 5 20:49:00 CEST 2016
Package: netfilter-persistent
Severity: grave
X-Debbugs-CC: whonix-devel at whonix.org
Tags: security
Dear maintainer,
There is a security issue with the netfilter-persistent systemd service. [1]
If the netfilter-persistent wrapper [2] fails for some reason, it does
not load any firewall rules and does not lock the network.
For example `whoami` or `run-parts` could be corrupted on disk or
otherwise broken. Or one of the firewall scripts in the
/usr/share/netfilter-persistent/plugins.d folder could be broken.
If the netfilter-persistent wrapper fails on system startup, it should
lock the network. I.e. set all iptables and ip6tables policies to drop.
Cheers,
Patrick
Credits for finding this bug go to rustybird. [3] [4] (I am only
seconding and reporting it.)
(Using severity grave as this could pose a security risk, i.e. the
firewall getting up too late.)
[1] https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/tree/systemd/netfilter-persistent.service
[2] https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/tree/netfilter-persistent
[3] https://github.com/rustybird
[4] https://github.com/rustybird/corridor/issues/8#issuecomment-230266161
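One way to make startup fail closed as the report asks, shown here as an added example that is not the package's own code and not part of the report: a wrapper that runs the real start step and, if it exits non-zero for any reason, sets every filter-table policy on both iptables and ip6tables to DROP before propagating the failure. The `IPTABLES`/`IP6TABLES` overrides, the function names and the `/usr/sbin/netfilter-persistent start` invocation are assumptions.

```shell
#!/bin/sh
# Added example (not from netfilter-persistent): fail-closed start wrapper.
# If the real start step fails for any reason (corrupted helper binary,
# broken plugin under plugins.d), set every filter-table policy to DROP on
# both iptables and ip6tables so the host is isolated rather than left open.

# Assumed overrides so the tool paths can be swapped (e.g. in tests).
IPTABLES="${IPTABLES:-iptables}"
IP6TABLES="${IP6TABLES:-ip6tables}"

# lock_network: default policy DROP on INPUT/FORWARD/OUTPUT, v4 and v6.
# Keeps going after an individual failure so the other chains still lock,
# and returns non-zero if any single policy change failed.
lock_network() {
    rc=0
    for tool in "$IPTABLES" "$IP6TABLES"; do
        for chain in INPUT FORWARD OUTPUT; do
            "$tool" -P "$chain" DROP || rc=1
        done
    done
    return "$rc"
}

# start_failclosed CMD [ARGS...]: run the start step; on a non-zero exit,
# lock the network and still report failure so systemd marks the unit failed
# instead of considering the firewall "up".
start_failclosed() {
    if "$@"; then
        return 0
    fi
    echo "netfilter-persistent start failed: locking network" >&2
    lock_network
    return 1
}

# Stand-alone use (assumed installed path of the wrapper from the report):
#   ExecStart=/path/to/this-script --run
if [ "${1:-}" = "--run" ]; then
    start_failclosed /usr/sbin/netfilter-persistent start
fi
```

If iptables itself is the broken binary, lock_network cannot help either; it then returns non-zero so the failure is at least visible to systemd.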