This is the old SliTaz forum - Please use the main forum.slitaz.org

Messed up (?) /etc/firewall.conf in latest cooking
  • avamk December 2010
    I am using latest SliTaz Cooking, and followed the documentation to customise the firewall.

    When I first opened /etc/firewall.conf, I saw a long configuration file with entries like:

    # Enable/disable kernel security at boot time.
    KERNEL_SECURITY="yes"
    # Enable/disable iptables rules.
    IPTABLES_RULES="yes"

    ......

    # Netfilter/iptables rules.
    # This shell function is included in /etc/init.d/firewall.sh
    # to start iptables rules.
    #
    iptables_rules()
    {

    ......

    I changed some settings in the iptables_rules() function, saved /etc/firewall.conf, then did /etc/init.d/firewall restart.

    However, it showed errors like (each line looks similar):

    .....
    /etc/init.d/firewall: /etc/firewall.conf: line 6: -A: not found
    .....

    I tried pscan localhost, and the open ports do not match my modifications to /etc/firewall.conf.

    Then, I tried to open /etc/firewall.conf via the Server Manager GUI, and found that the entire contents have been *replaced* by just this:

    # Generated by iptables-save v1.4.10 on Tue Dec 28 02:55:54 2010
    *filter
    :INPUT DROP [1765:165821]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [36:1872]
    -A INPUT -i lo -j ACCEPT 
    -A INPUT -s 192.168.0.0/24 -j ACCEPT 
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT 
    -A INPUT -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT 
    -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT 
    -A INPUT -i eth0 -p tcp -m tcp --dport 21 -j ACCEPT 
    -A INPUT -i eth0 -p tcp -m tcp --dport 1024:60310 -j ACCEPT 
    -A INPUT -i eth0 -p tcp -m tcp --sport 6667 -j ACCEPT 
    -A INPUT -i eth0 -p udp -m udp --dport 1024:65535 -j ACCEPT 
    -A INPUT -i eth0 -p icmp -j ACCEPT 
    -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT 
    COMMIT
    # Completed on Tue Dec 28 02:55:54 2010

    The iptables_rules() function is no longer present, also gone are the lines like "KERNEL_SECURITY="yes"".

    It seems to me that my firewall configuration files have been corrupted somehow, is there a way for me to restore all of them to their factory defaults? Afterwards, how do I safely edit my firewall configuration?

    Thanks.
  • seawolf December 2010
    Hi @avamk --

    I'm running Stable and haven't used this GUI before, but a quick test of running ServerBox and just clicking "Save" did indeed mangle it completely.

    - The 2nd line of /etc/init.d/firewall.sh shows this file is not parsed by IPTables but run as a set of commands, which is why the errors are raised. The shell obviously cannot understand "-A INPUT -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT" as a command.
    - Looking at the source for /usr/bin/serverbox, iptables-save/-restore is run when the buttons are clicked, and I don't think this is necessary. These two commands seem to be for applying the currently-running configuration, rather than the contents of the file.
    - It is between these two points that the bug lies.

    The fix would be to restore the default from a SliTaz LiveCD, edit the file in the editor that opens (Leafpad or similar), File>Save it, then run `/etc/init.d/firewall restart`.

    I'm not wholly knowledgeable about IPTables so can't quite grasp why the save/restore commands are used, perhaps it just needs explaining or the UI improving. Perhaps renaming the button to "Restore", and an "Apply" one that just executes `/etc/init.d/firewall restart` should be added...

    HIH.
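The failure in this thread is that /etc/init.d/firewall.sh sources /etc/firewall.conf as shell, while ServerBox wrote an iptables-save dump into it, so the shell tries to execute lines such as "-A INPUT ..." as commands. The script below is an added example, not code from the thread or from SliTaz: it classifies a candidate config file (shell-format with an iptables_rules() function, iptables-save dump, or unparseable shell) before anything sources it, and only restarts the firewall when the file is in the expected format, after taking a backup. The function names, the return-code convention, and the sample files written by make_samples are all assumptions constructed for this example; the real init script's behaviour is only what seawolf describes above.

```shell
#!/bin/sh
# Added example (not from the thread or from SliTaz): classify a firewall.conf
# candidate before it is sourced, so a file overwritten with iptables-save output
# is caught instead of being executed by the shell.
#
# Return codes of check_firewall_conf FILE:
#   0  shell-format config that parses and defines iptables_rules()
#   1  iptables-save dump ("*filter", "-A ...", "COMMIT" lines)
#   2  unreadable, shell syntax error, or iptables_rules() missing
check_firewall_conf() {
    f="$1"
    [ -r "$f" ] || return 2
    # iptables-save output carries a table header and a COMMIT line ...
    if grep -q '^\*filter' "$f" && grep -q '^COMMIT' "$f"; then
        return 1
    fi
    # ... or at least bare rule lines that only iptables-restore can read.
    if grep -q '^[[:space:]]*-A ' "$f"; then
        return 1
    fi
    # The init script sources the file, so it must parse as shell.
    sh -n "$f" 2>/dev/null || return 2
    grep -q '^iptables_rules[[:space:]]*()' "$f" || return 2
    return 0
}

# Restart the firewall only when CONF is in the format the init script expects,
# keeping a timestamped backup first. INITSCRIPT is a parameter (normally
# /etc/init.d/firewall) so the check can be exercised on copies.
safe_firewall_restart() {
    conf="$1"; initscript="$2"
    rc=0
    check_firewall_conf "$conf" || rc=$?
    case $rc in
        0) cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)" && "$initscript" restart ;;
        1) echo "refusing: $conf is iptables-save output, not a shell config" >&2 ;;
        *) echo "refusing: $conf has a shell syntax error or no iptables_rules()" >&2 ;;
    esac
    return $rc
}

# Constructed samples (not real SliTaz files) so the checker can run offline.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/good.conf" <<'EOF'
# Enable/disable kernel security at boot time.
KERNEL_SECURITY="yes"
# Enable/disable iptables rules.
IPTABLES_RULES="yes"
iptables_rules()
{
    iptables -P INPUT DROP
    iptables -A INPUT -i lo -j ACCEPT
}
EOF
    cat > "$dir/mangled.conf" <<'EOF'
# Generated by iptables-save v1.4.10 on Tue Dec 28 02:55:54 2010
*filter
:INPUT DROP [1765:165821]
-A INPUT -i lo -j ACCEPT
COMMIT
EOF
    cat > "$dir/broken.conf" <<'EOF'
KERNEL_SECURITY="yes"
iptables_rules()
{
    iptables -A INPUT -i lo -j ACCEPT
EOF
    echo "$dir"
}

# Stand-alone demo: FIREWALL_CONF_DEMO=1 sh thisfile.sh
if [ "${FIREWALL_CONF_DEMO:-}" = "1" ]; then
    d=$(make_samples)
    for c in good mangled broken; do
        rc=0
        check_firewall_conf "$d/$c.conf" || rc=$?
        echo "$c.conf -> $rc"
    done
fi
```

Running the demo reports 0 for good.conf, 1 for mangled.conf (the iptables-save dump, which is exactly what the thread's "-A: not found" errors come from) and 2 for broken.conf (an unclosed function body). In practice the check belongs between editing the file and calling the init script, which is where seawolf's proposed "Apply" button would sit.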
  • avamk December 2010
    Thanks for the explanation. Looks like I have to stick to manual editing of /etc/firewall.conf for now?

    Unfortunately I don't know enough about ServerBox to fix it, I hope someone will do that soon.
