Topic: filtering www

[Joseph B]

On my 30 computers network, I need some to have full http access, some http limited to some web sites, and others with no access at all. I wrote some rules with ipchains, and it seems to work well whent I test it. But after some time, all computers have full http access !!! ipchains -L show that my rules have disappeared, when I can see them when all works well.

I put my rules in /etc/rc.d/rc.local. ipchains -L show them after the e-smith server reboots, but when I try to go on http with any computer, it goes even if I desabled its access, and rules are no more visible with ipchains -L. Seems that they disappear when e-smith connects on internet (I use 4.1.2 with a dial-up connection).

Any idea/advice ? Thanks.

Joseph.

[Walter Padgett]

Good Morning,

Number one you need to upgrade your box to at least 5.5 if your still at 4.1.2. Number two, all files in the etc and below with the exception of the esmith directory are replaced everytime you reboot the system. You need to place any files that you want to stay as part of the configuration/bootup in the /etc/esmith/templates directory. After changing to this directory, place your files in the appropriate directory that relates to what you are trying to do.

Hope this helps,

Wally

[Newton calvin]

See this thread

http://forums.contribs.org/index.php?topic=6347.msg22769#msg22769

[Dan Brown]

Walter,

You're right that he needs to upgrade, but you're very wrong in your understanding of how the template system works.

First, it covers files outside of /etc (like the horde/imp files, for example).  Second, it doesn't cover everything in /etc (even outside the e-smith directory).  Third, the templates aren't re-expanded when you reboot the system, but only when certain configuration changes are made to the system.

[Joseph B]

Thanks, Newton ! This distro seems interesting, but I have something existing, rules with ipchains are enough for me, already written, I just need to make them permanent... I'll see for another network if it's better to choose Censornet or e-smith !

Anyway, thank you for the idea.

Joseph.

[Joseph B]

Thanks Walter and Dan !

Dan is right, it's not a problem with the templates, as ipchains -L show my added rules after a reboot. It's something during the connection process, or some other who erases my rules from time to time...

Upgrade ? Yes, but I'm satified with this version ! Will 5.6 or 6.0 help me to solve this filtering problem ? Not sure ... And fixing this is for me more urgent than to have other advantages I don't need or correct some bug not disturbing for me...

Joseph.

[Nathan Fowler]

I run 4.1.2, and have seen a similar effect.  I think it happens when signal-event network-update runs.  My work-around was to just add my /etc/rc.d/rc.local firewall rules into another script, invoke them from rc.local, and schedule cron to run them every 1 hour.  It's rather "dirty", but I didn't have the time to isolate the specific event causing it.

You don't need to upgrade unless there is a legitimate reason to.  If there is a feature set offered by 5.5/6.0 you want, then upgrade.  If not, don't upgrade.  A funny thing is my 4.1.2 box is a little more secure (due to errata packages and good system managerment) and up to date [than 5.5 (or 6.0) with all the Mitel published errata and security packages].  The moral of the story is follow redhat errata, update exploitable packages, watch http://www.securiteam.com, and continue to be a good systems administrator.  Don't upgrade under the guise of a false sense of security, and don' t be strong-armed into upgrading.

To flame Mitel, I'm rather disappointed at their lax approach to providing errata for their legacy products.  If the life cycle of a single version of E-Smith is only good for 4 months, many people will find they don't have the luxury to continously upgrade a system just to stay "current".  I'd hate to think that every four months I'd have to upgrade and re-engineer every little add-on created due to incompatability differences just to get the Mitel "security updates" which are few and far between.

Mitel is rather lax in applying or publishing security related and errata packages.  In my eyes, an upgrade to 5.5 is not necessary.

Thanks,
Nathan

[Joseph B]

Hi Nathan,

Thank for the advices. I see that we have the same opinion about updates ! Maybe Bill Gates has not the same, but it's one of the reasons why we prefer Linux !!!

I'll do as you, work around with cron... If one day I find what erases the rules, I'll tell you.

Thank you so much !

Joseph.

[Nathan Fowler]

After some investigation, I believe the root cause is the ip-change event which runs weekly.  This script is invoked from /etc/cron.weekly and runs:

/sbin/e-smith/signal-event ip-change

Immediately upon running this event, my custom ipchains rules were cleared.

Looking in /etc/e-smith/events/ip-change I see that there is a event that restarts masq, which then flushes the chain rules that you've supplied.

A fix appears to be to create a custom template to append your rules to the masq script:

mkdir -p /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
cd /etc/e-smith/templates-custom/etc/rc.d/init.d/masq
pico -w 45MyFirewallRules
[Add your ipchains commands]
[Save]
/sbin/e-smith/expand-template /etc/rc.d/init.d/masq
/sbin/e-smith/signal-event ip-change

Now when running ipchains -L you should see your chain rules.  If you don't let me know.

[Nathan Fowler]

Note, I found this to be amusing:

[root@inet01 /root]# curl -I http://www.e-smith.org
HTTP/1.1 200 OK
Date: Fri, 27 Jun 2003 18:51:04 GMT
Server: Apache/1.3.12 (Unix)  (Red Hat/Linux) PHP/4.0.1pl2
X-Powered-By: PHP/4.0.1pl2

[Charlie Brady]

Nathan Fowler wrote:

> To flame Mitel, I'm rather disappointed at their lax approach
> to providing errata for their legacy products.

We have no customers running unsupported versions of the product, and therefore have no reason to provide updates for those versions.

This being free software, you are free to use whatever version you choose, but Mitel has no obligation to provide support to you.

If you believe that support updates should be made available for old versions of the software, then you are free to publish those updates. No doubt many people will thank you if you do so.
 
> Mitel is rather lax in applying or publishing security
> related and errata packages.

Mitel takes great care to ensure that its customers receive relevant updates. Many RedHat updates (including security updates) do not affect the SME server because they are only relevant in particular configuration settings or usage patterns - ones which don't apply to our server systems.

If you have customised your server or use other software or other configurations, you will need to make your own decision as to whether to apply updates as they are made available by various software publishers.

Regards

Charlie

[Nathan Fowler]

Charlie, I completely agree with the business side of what you are saying with respect to paying customers and appropriation of resources, however, with a community sense, I would hope that "you" would stress the importance of security and at least provide a path to those errata packages, or make it known in some form of documentation that you will want to access the RH errata and attempt to stay up to date during and once Mitel support expires for that version.

With respect to the security updates, Mitel does not always provide errata packages (or these packages in a timely basis) for those products that are installed by default.  Such examples include OpenSSL, OpenSSH, Apache, zlib, xinetd, lynx, mysql, vim, fetchmail, PHP, etc.  Some applications go unpatched even if they contain remotely executable exploits.

Additionally I will agree with you on the upgrade evaluation, I couldn't fathom the hours of code and the impossible task of creating an upgrade path for a highly customized system, so the evaluation of an upgrade with respect to customization would be a consideration the administrator would need to make.

Thanks,
Nathan

[Charlie Brady]

Nathan Fowler wrote:

> I would hope that "you"  ...

I do more than my share already, I think.

> Some applications go
> unpatched even if they contain remotely executable exploits.

I'll have to disagree with you on that. If you know of any packages in currently supported versions  which are remotely exploitable, please make these known to smesecurity@mitel.com ASAP.

Charlie

[Walter Padgett]

Good Evening,

A "community sense" would imply some "community structure" right? Wouldn't this bleed over into contribs and patches or does the community have "helter, skelter" infrastructure and anarchy?

Dungog.net wrote a great contrib with DansGuardian and I'm buying it for every school that I contract to. Quality contribs with "community structure."

Later

Wally

[Joseph B]

Hi, Nathan,

Sorry to have been long... Due to different timezone (I'm in France...), I was sleeping while you gave me the solution.

Thank you very much : I put my rules so that they are re-loaded when masq restarts, and it works properly now.

I didn't had a precise look on what happens, but I think that the reason is different on my system, and that masq is restarted each time diald reconnects (I use a dial-up connection), as the problem seemed to occur each time the system reconnected, not only once  week. Or, maybe, an ip-change signal is generated at each connection, as my external IP address is given at this time...

Finally, Walter was somewhere right when he talked about the templates, but his explanations were not very clear !

Thanks to everybody.

Joseph.

[Walter Padgett]

Good morning,

I apologize about not being terribly clear on that, I didn't really start working on the templates until version 5.x. I was just hoping to point you in the right direction.

Glad to hear that it's working for you now.

Wally

[Nathan Fowler]

No problem Walter, everyones goal here is only to help

Joseph, glad you got it working

[Patrick T Hickey]

Amazing anyone can find it within themselves to criticize a free distribution of anything, let alone something which works as well as the Mitel server.

I must have missed the part which says I am obligated to download it and then complain?

At the same time I find it amazing Mitel takes the time to reply to such a baseless tirade.

Thank you for providing me with really cool, free software.

regards,

patrick

[Michiel Blotwijk]

> I must have missed the part which says I am obligated to
> download it and then complain?

Well yeah, you even have to burn your own copy on a CD-Rom for it to work. Ain't that a bloody scandal?

> Thank you for providing me with really cool, free software.

Hear, hear!

M.

[Walter Padgett]

Good Morning,

I concur. As a straight out of the box distribution, it is a great package. My compliments to the authors and others who had their hand in it.

Have a great day!

Wally