As of 8.10, this source package needs corrections to:

debian/init.d/firehol
debian/postinst

The revised TearDown spec should be adhered to. Further, the script
must be modified to start no earlier than 46 (cf. /etc/rcS.d
/S46mountnfs-bootclean.sh) and likely needs to busy-wait [unless a newer
upstart semantics is used].

** Changed in: firehol (Ubuntu)
Status: New => Triaged

** Tags added: bitesize packaging

Daniel, can you explain your reasoning a little more, please?

I started to look at fixing this, and have some questions...

Firstly: In Intrepid (firehol 1.256-3) the debian/postinst script does:

update-rc.d firehol start 41 S . start 36 0 6 . > /dev/null

I initially suspected a typo: the second "start" should be "stop". Am I
correct? Why start a firewall when rebooting or shutting down? Or, is
this a "clever" way to ensure the firewall is only stopped very late in
the set of scripts run at shutdown/reboot, after all other applications
are stopped, since Debian Policy Manual 9.3.1 says:

The two runlevels 0 (halt) and 6 (reboot) are slightly different. In these runlevels,
the links with an S prefix are still called after those with a K prefix, but they too
are called with the single argument stop.

A comment in the postinst script describing the author's intent would
perhaps have been helpful, given how complex the update-rc.d option
syntax is.

Secondly: If this postinst script is patched to say something more conventional, based on
https://wiki.ubuntu.com/Teardown, such as

update-rc.d firehol start 46 2345 . stop 54 1 . > /dev/null

is that sufficient to solve this bug? If busy-wait is required, what is
the firehol init script supposed to wait for?

Thirdly: I fear that delaying firewall setup until runlevels 2 to 5 may
introduce a serious security issue. Does it really make sense for a
firewall to wait until remote network filesystems are mounted before it
is started? Doesn't that introduce a potentially lengthy window of
opportunity (between network startup and completing of remote filesystem
mounts) during which time networking will be active, but the machine
will be unprotected by the packet filter?

In this case, perhaps the real solution would be for NFS/NIS client
machines to use a firehol script (on a local fileystem!) that allows the
appropriate NFS/NIS traffic to flow, and then to start firehol *before*
any attempts to do remote filesystem mounts are made? So the current
approach of starting it in /etc/rcS.d/ is then correct?

I think that (other than the start/stop possible typo issue mentioned
above) this reported bug may in fact be a policy question -- the firehol
developers went for security, starting the packet filtering early; the
bug reporter apparently wants a shared firehol policy file, and so wants
the firewall enabled later, only after NFS/NIS are up and running.
Which approach is "correct" perhaps depends on your perspective (and
your degree of network security paranoia)?

Since anyone installing a firewall on their machine is being at least
somewhat security-conscious, "secure-by-default" sounds to me like the
better way to go here, leaving those who want to reduce security to
allow the convenience of an NFS-shared firehol script to make that
choice for themselves (using any of several runlevel editors) and be
very ware of the risk they are taking.

Jonathan

firhol should be made to source firehol.conf and parts from a directory
like /etc/firehol.d, where other packages can drop config snippets.

While firehol still sets up the firewall as early a possible in the boot
up process.

firhol should be made to source firehol.conf and parts from a directory
like /etc/firehol.d, where other packages can drop config snippets.

While firehol still sets up the firewall as early a possible in the boot
up process.
--
The rcS.d script for firehol starts before NFS and NIS
https://bugs.launchpad.net/bugs/28906
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.

Does what the reporter posted mean that NIS/NFS scipts are flushing
iptables?

Does what the reporter posted mean that NIS/NFS scipts are flushing
iptables?
--
The rcS.d script for firehol starts before NFS and NIS
https://bugs.launchpad.net/bugs/28906
You received this bug notification because you are a member of Ubuntu
Bugs, which is a direct subscriber.

** Summary changed:

- The rcS.d script for firehol starts before NFS and NIS
+ init script starts before NFS, NIS, DNS (need two stages)

Thank you for taking the time to report this bug and helping to make
Ubuntu better. We are sorry that we do not always have the capacity to
look at all reported bugs in a timely manner. There have been many
changes in Ubuntu since that time you reported the bug and your problem
may have been fixed with some of the updates. It would help us a lot if
you could test it on a currently supported Ubuntu version. When you test
it and it is still an issue, kindly upload the updated logs by running
apport-collect 28906 and any other logs that are relevant for this
particular issue.

** Changed in: firehol (Ubuntu)
Status: Triaged => Incomplete
--
You received this bug notification because you are a member of MOTU,
which is a bug assignee.
https://bugs.launchpad.net/bugs/28906

Title:
init script starts before NFS, NIS, DNS (need two stages)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firehol/+bug/28906/+subscriptions

I appreciate this is not a direct reference to firehol, but I have put
together a patch for my fork, sanewall, see here:

http://lists.sanewall.org/pipermail/sanewall-dev/2013-March/000042.html

If anyone is able to help test + verify the principle idea I can extend
the change to cater for early NIS and DNS so that no special
infrastructure to do multiple runs is needed.

The patch can in theory be backported to firehol although it does depend
on some earlier patches.
--
You received this bug notification because you are a member of MOTU,
which is a bug assignee.
https://bugs.launchpad.net/bugs/28906

Title:
init script starts before NFS, NIS, DNS (need two stages)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firehol/+bug/28906/+subscriptions

since the were no reply in more than one year I'm closing the bug report
(even to drop the bug from the list)

** Changed in: firehol (Ubuntu)
Status: Incomplete => Invalid

** Changed in: firehol (Ubuntu)
Assignee: MOTU (motu) => (unassigned)
--
You received this bug notification because you are a member of MOTU,
which is a bug assignee.
https://bugs.launchpad.net/bugs/28906

Title:
init script starts before NFS, NIS, DNS (need two stages)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/firehol/+bug/28906/+subscriptions