UweP
March 2, 2014, 11:07am
1
Hello everyone,
My server currently runs as DC Master, version 3.2-0 errata 66. Since the end of January the following problem has occurred repeatedly: after some errata updates I can no longer reach the server via ssh. Logging in is only possible at the server's own console.
I found out that univention-firewall is blocking all access, including ssh. The directory /etc/security/packetfilter.d contains the file 10_univention-firewall_start.sh. At the moment this file is not built correctly when an update triggers its regeneration. Fortunately there was still a backup of the file from 29 January, which I can now restore by hand at the console to get ssh access back. After the failed rebuild the file contains only a handful of entries covering IPv4 and IPv6. The backup, by contrast, contains many entries for the Univention packages. These are missing completely after the rebuild. Under Univention-Firewall the UCR currently lists 149 entries for the installed packages, but they are obviously not being taken into account.
Where could the error be?
Regards
Uwe
greif
March 7, 2014, 4:01pm
2
Hello Uwe,
Try running:
ucr filter < /etc/univention/templates/files/etc/security/packetfilter.d/10_univention-firewall_start.sh
That gives you as output exactly what would be written into 10_univention-firewall_start.sh. I would expect ucr to print an error message if something goes wrong during generation. If the output is simply incomplete without reporting an error, you would have to compare it with the result of
ucr search --brief packetfilter
and work out which variables are missing or which packages are causing problems.
Kind regards
Frank Greif.
UweP
March 7, 2014, 4:57pm
3
Hello Frank,
thank you for the reply.
ucr filter < /etc/univention/templates/files/etc/security/packetfilter.d/10_univention-firewall_start.sh
yields, apart from the "preamble", only this:
[code]# initialise IPv4
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -F -t mangle
# accept IPv4 connections from localhost
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# accept established IPv4 connections
/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept all ICMP messages
/sbin/iptables -A INPUT -p icmp -j ACCEPT
# initialise IPv6
/sbin/ip6tables -F
/sbin/ip6tables -F -t mangle
# accept IPv6 connections from localhost
/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/sbin/ip6tables -A OUTPUT -o lo -j ACCEPT
# accept established IPv6 connections
/sbin/ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# accept all ICMPv6 messages
/sbin/ip6tables -A INPUT -p icmpv6 -j ACCEPT[/code]
This matches the content of 10_univention-firewall_start.sh exactly.
ucr search --brief packetfilter returns:
security/packetfilter/defaultpolicy: REJECT
security/packetfilter/disabled: <empty>
security/packetfilter/package/.*: <empty>
security/packetfilter/package/sesam-srv/tcp/11001/all: ACCEPT
security/packetfilter/package/sesam-srv/tcp/11401/all: ACCEPT
security/packetfilter/package/univention-apache/tcp/443/all/en: HTTPS
security/packetfilter/package/univention-apache/tcp/443/all: ACCEPT
security/packetfilter/package/univention-apache/tcp/80/all/en: HTTP
security/packetfilter/package/univention-apache/tcp/80/all: ACCEPT
security/packetfilter/package/univention-bareos/tcp/9101/all/en: bareos-dir
security/packetfilter/package/univention-bareos/tcp/9101/all: ACCEPT
security/packetfilter/package/univention-bareos/tcp/9102/all/en: bareos-fd
security/packetfilter/package/univention-bareos/tcp/9102/all: ACCEPT
security/packetfilter/package/univention-bareos/tcp/9103/all/en: bareos-sd
security/packetfilter/package/univention-bareos/tcp/9103/all: ACCEPT
security/packetfilter/package/univention-base-files/tcp/22/all/en: SSH
security/packetfilter/package/univention-base-files/tcp/22/all: ACCEPT
security/packetfilter/package/univention-base-files/tcp/37/all/en: time
security/packetfilter/package/univention-base-files/tcp/37/all: ACCEPT
security/packetfilter/package/univention-base-files/tcp/49152/all/en: Mediatomb
security/packetfilter/package/univention-base-files/tcp/49152/all: ACCEPT
security/packetfilter/package/univention-base-files/tcp/873/all/en: RSYNC
security/packetfilter/package/univention-base-files/tcp/873/all: ACCEPT
security/packetfilter/package/univention-base-files/udp/123/all/en: ntp
security/packetfilter/package/univention-base-files/udp/123/all: ACCEPT
security/packetfilter/package/univention-base-files/udp/1900/all/en: Mediatomb
security/packetfilter/package/univention-base-files/udp/1900/all: ACCEPT
security/packetfilter/package/univention-base-files/udp/49152/all/en: Mediatomb
security/packetfilter/package/univention-base-files/udp/49152/all: ACCEPT
security/packetfilter/package/univention-bind/tcp/53/all/en: DNS proxy
security/packetfilter/package/univention-bind/tcp/53/all: ACCEPT
security/packetfilter/package/univention-bind/tcp/7777/all/en: DNS server
security/packetfilter/package/univention-bind/tcp/7777/all: ACCEPT
security/packetfilter/package/univention-bind/udp/53/all/en: DNS proxy
security/packetfilter/package/univention-bind/udp/53/all: ACCEPT
security/packetfilter/package/univention-bind/udp/7777/all/en: DNS server
security/packetfilter/package/univention-bind/udp/7777/all: ACCEPT
security/packetfilter/package/univention-dhcp/udp/67/all/en: DHCP
security/packetfilter/package/univention-dhcp/udp/67/all: ACCEPT
security/packetfilter/package/univention-dhcp/udp/68/all/en: DHCP
security/packetfilter/package/univention-dhcp/udp/68/all: ACCEPT
security/packetfilter/package/univention-directory-notifier/tcp/6669/all/en: Univention Directory Notifier
security/packetfilter/package/univention-directory-notifier/tcp/6669/all: ACCEPT
security/packetfilter/package/univention-heimdal-common/tcp/544/all/en: krsh
security/packetfilter/package/univention-heimdal-common/tcp/544/all: ACCEPT
security/packetfilter/package/univention-heimdal-kdc/tcp/464/all/en: kpasswd
security/packetfilter/package/univention-heimdal-kdc/tcp/464/all: ACCEPT
security/packetfilter/package/univention-heimdal-kdc/tcp/749/all/en: kadmin
security/packetfilter/package/univention-heimdal-kdc/tcp/749/all: ACCEPT
security/packetfilter/package/univention-heimdal-kdc/tcp/88/all/en: kerberos
security/packetfilter/package/univention-heimdal-kdc/tcp/88/all: ACCEPT
security/packetfilter/package/univention-heimdal-kdc/udp/464/all/en: kpasswd
security/packetfilter/package/univention-heimdal-kdc/udp/464/all: ACCEPT
security/packetfilter/package/univention-heimdal-kdc/udp/88/all/en: kerberos
security/packetfilter/package/univention-heimdal-kdc/udp/88/all: ACCEPT
security/packetfilter/package/univention-ldap-server/tcp/389/all/en: LDAP
security/packetfilter/package/univention-ldap-server/tcp/389/all: ACCEPT
security/packetfilter/package/univention-ldap-server/tcp/636/all/en: LDAPS
security/packetfilter/package/univention-ldap-server/tcp/636/all: ACCEPT
security/packetfilter/package/univention-ldap-server/tcp/7389/all/en: LDAP
security/packetfilter/package/univention-ldap-server/tcp/7389/all: ACCEPT
security/packetfilter/package/univention-ldap-server/tcp/7636/all/en: LDAPS
security/packetfilter/package/univention-ldap-server/tcp/7636/all: ACCEPT
security/packetfilter/package/univention-management-console-server/tcp/6670/all/en: UMC
security/packetfilter/package/univention-management-console-server/tcp/6670/all: ACCEPT
security/packetfilter/package/univention-nagios-client/tcp/5666/all/en: Nagios NRPE
security/packetfilter/package/univention-nagios-client/tcp/5666/all: ACCEPT
security/packetfilter/package/univention-nfs/tcp/111/all/en: portmap
security/packetfilter/package/univention-nfs/tcp/111/all: ACCEPT
security/packetfilter/package/univention-nfs/tcp/2049/all/en: NFS
security/packetfilter/package/univention-nfs/tcp/2049/all: ACCEPT
security/packetfilter/package/univention-nfs/tcp/32765:32769/all/en: NFS related RPC daemons
security/packetfilter/package/univention-nfs/tcp/32765:32769/all: ACCEPT
security/packetfilter/package/univention-nfs/tcp/4660/all/en: NFS
security/packetfilter/package/univention-nfs/tcp/4660/all: ACCEPT
security/packetfilter/package/univention-nfs/udp/111/all/en: portmap
security/packetfilter/package/univention-nfs/udp/111/all: ACCEPT
security/packetfilter/package/univention-nfs/udp/2049/all/en: NFS
security/packetfilter/package/univention-nfs/udp/2049/all: ACCEPT
security/packetfilter/package/univention-nfs/udp/32765:32769/all/en: NFS related RPC daemons
security/packetfilter/package/univention-nfs/udp/32765:32769/all: ACCEPT
security/packetfilter/package/univention-nfs/udp/4660/all/en: NFS
security/packetfilter/package/univention-nfs/udp/4660/all: ACCEPT
security/packetfilter/package/univention-postgresql/tcp/5432/all/en: postgresql
security/packetfilter/package/univention-postgresql/tcp/5432/all: ACCEPT
security/packetfilter/package/univention-printserver/tcp/631/all/en: IPP
security/packetfilter/package/univention-printserver/tcp/631/all: ACCEPT
security/packetfilter/package/univention-printserver/udp/631/all/en: IPP
security/packetfilter/package/univention-printserver/udp/631/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/1024/all/en: KDM (Samba)
security/packetfilter/package/univention-samba4/tcp/1024/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/135/all/en: RPC (Samba)
security/packetfilter/package/univention-samba4/tcp/135/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/137:139/all/en: netbios (Samba)
security/packetfilter/package/univention-samba4/tcp/137:139/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/3268/all/en: LDAP GC (Samba)
security/packetfilter/package/univention-samba4/tcp/3268/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/3269/all/en: LDAP GC SSL (Samba)
security/packetfilter/package/univention-samba4/tcp/3269/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/389/all/en: LDAP
security/packetfilter/package/univention-samba4/tcp/389/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/445/all/en: microsoft-ds (Samba)
security/packetfilter/package/univention-samba4/tcp/445/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/464/all/en: Kerberos change/set password
security/packetfilter/package/univention-samba4/tcp/464/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/53/all/en: DNS
security/packetfilter/package/univention-samba4/tcp/53/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/636/all/en: LDAPS
security/packetfilter/package/univention-samba4/tcp/636/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/749/all/en: Kerberos admin
security/packetfilter/package/univention-samba4/tcp/749/all: ACCEPT
security/packetfilter/package/univention-samba4/tcp/88/all/en: Kerberos
security/packetfilter/package/univention-samba4/tcp/88/all: ACCEPT
security/packetfilter/package/univention-samba4/udp/123/all/en: TIME
security/packetfilter/package/univention-samba4/udp/123/all: ACCEPT
security/packetfilter/package/univention-samba4/udp/137:139/all/en: netbios (Samba)
security/packetfilter/package/univention-samba4/udp/137:139/all: ACCEPT
security/packetfilter/package/univention-samba4/udp/389/all/en: LDAP
security/packetfilter/package/univention-samba4/udp/389/all: ACCEPT
security/packetfilter/package/univention-samba4/udp/445/all/en: microsoft-ds (Samba)
security/packetfilter/package/univention-samba4/udp/445/all: ACCEPT
security/packetfilter/package/univention-samba4/udp/464/all/en: Kerberos change/set password
security/packetfilter/package/univention-samba4/udp/464/all: ACCEPT
security/packetfilter/package/univention-samba4/udp/53/all/en: DNS
security/packetfilter/package/univention-samba4/udp/53/all: ACCEPT
security/packetfilter/package/univention-samba4/udp/88/all/en: Kerberos
security/packetfilter/package/univention-samba4/udp/88/all: ACCEPT
security/packetfilter/package/univention-squid/tcp/3128/all/en: HTTP proxy
security/packetfilter/package/univention-squid/tcp/3128/all: ACCEPT
security/packetfilter/package/zarafa4ucs/tcp/110/all/en: POP3
security/packetfilter/package/zarafa4ucs/tcp/110/all: ACCEPT
security/packetfilter/package/zarafa4ucs/tcp/143/all/en: IMAP
security/packetfilter/package/zarafa4ucs/tcp/143/all: ACCEPT
security/packetfilter/package/zarafa4ucs/tcp/236/all/en: ZARAFA
security/packetfilter/package/zarafa4ucs/tcp/236/all: ACCEPT
security/packetfilter/package/zarafa4ucs/tcp/237/all/en: ZARAFA encrypted
security/packetfilter/package/zarafa4ucs/tcp/237/all: ACCEPT
security/packetfilter/package/zarafa4ucs/tcp/25/all/en: SMTP
security/packetfilter/package/zarafa4ucs/tcp/25/all: ACCEPT
security/packetfilter/package/zarafa4ucs/tcp/465/all/en: SSMTP
security/packetfilter/package/zarafa4ucs/tcp/465/all: ACCEPT
security/packetfilter/package/zarafa4ucs/tcp/8080/all/en: ICAL
security/packetfilter/package/zarafa4ucs/tcp/8080/all: ACCEPT
security/packetfilter/package/zarafa4ucs/tcp/8443/all/en: ICALS
security/packetfilter/package/zarafa4ucs/tcp/8443/all: ACCEPT
security/packetfilter/package/zarafa4ucs/tcp/993/all/en: IMAPS
security/packetfilter/package/zarafa4ucs/tcp/993/all: ACCEPT
security/packetfilter/package/zarafa4ucs/tcp/995/all/en: POP3S
security/packetfilter/package/zarafa4ucs/tcp/995/all: ACCEPT
security/packetfilter/tcp/.*: <empty>
security/packetfilter/udp/.*: <empty>
security/packetfilter/use_packages:
In terms of scope that should correspond to the correct content. With that in place the server is also reachable as it should be.
To me the entries look unremarkable. Can an error be deduced from this?
Regards
Uwe
greif
March 8, 2014, 12:48pm
4
Hello Uwe,
according to the template source:
[code]# get package settings
if configRegistry.is_true('security/packetfilter/use_packages', True):[/code]
the variable security/packetfilter/use_packages must either be explicitly set to true or not be defined at all (i.e. either not appear at all, or appear with the pseudo-value <empty>). In your case, however, it is present and set to an empty string. So try:
ucr set security/packetfilter/use_packages=yes
and the file should be regenerated immediately.
Kind regards
Frank Greif.
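The gate Frank quotes from the template, together with the comparison he suggested in reply 2 (rendered ucr filter output versus ucr search --brief), modelled in Python as an added example by the editor; this is not Univention's template and not univention.config_registry. is_true() uses the same truth set as UCR's ConfigRegistry.is_true(); the emitted rule format and the 'all'/'ipv4'/'ipv6' address handling are a simplification of what the real template writes (assumption), and the dump is constructed from a few of the variables shown in this thread. The point it makes: an empty string is a set value, so the default True never applies, the whole package block is skipped, and with defaultpolicy REJECT the firewall fails closed and takes ssh with it. missing_ports() is the check worth running on the ucr filter output before letting an update regenerate the script, while you still have a session.

```python
"""Model of the use_packages gate in the UCS packetfilter template, plus a
completeness check of a generated 10_univention-firewall_start.sh against a
`ucr search --brief packetfilter` dump. Added example, not Univention's code."""
import re

# Same truth set as UCR's ConfigRegistry.is_true(): an absent key yields
# `default`, a present key is true only for one of these strings. An empty
# string is therefore present-and-false, which is the trap in this thread.
TRUE_VALUES = ('yes', 'true', '1', 'enable', 'enabled', 'on')

# security/packetfilter/package/<pkg>/<proto>/<port[:port]>/<addr>
# The '/en' description variables deliberately do not match.
PKG_RE = re.compile(
    r'^security/packetfilter/package/(?P<pkg>[^/]+)/(?P<proto>tcp|udp)/'
    r'(?P<port>\d+(?::\d+)?)/(?P<addr>[^/]+)$')


def is_true(ucr, key, default=False):
    value = ucr.get(key)
    if value is None:
        return default
    return value.lower() in TRUE_VALUES


def parse_ucr_dump(text):
    """Parse `ucr search --brief` output into {key: value}. '<empty>' marks
    a registered but unset variable and is dropped; a bare 'key:' line is a
    variable that IS set, to the empty string."""
    ucr = {}
    for line in text.splitlines():
        key, sep, value = line.partition(': ')   # port ranges contain ':'
        if not sep:
            if not line.endswith(':'):
                continue
            key, value = line[:-1], ''
        value = value.strip()
        if value == '<empty>':
            continue
        ucr[key.strip()] = value
    return ucr


def package_rules(ucr):
    """INPUT rules for the package variables, gated like the template:
    skipped entirely unless use_packages is unset or true. Address handling
    is simplified to 'all'/'ipv4'/'ipv6' (assumption, not the real template)."""
    if not is_true(ucr, 'security/packetfilter/use_packages', True):
        return []
    families = {'all': ('iptables', 'ip6tables'),
                'ipv4': ('iptables',), 'ipv6': ('ip6tables',)}
    rules = []
    for key, action in sorted(ucr.items()):
        m = PKG_RE.match(key)
        if not m or action.upper() not in ('ACCEPT', 'REJECT', 'DROP'):
            continue
        for tool in families.get(m['addr'], ()):
            rules.append(f'/sbin/{tool} -A INPUT -p {m["proto"]} '
                         f'--dport {m["port"]} -j {action.upper()}')
    return rules


def missing_ports(ucr, script_text):
    """(proto, port) pairs that ucr says are ACCEPTed but that the generated
    start script never opens. A non-empty result is the lockout warning:
    with defaultpolicy REJECT every missing pair will be blocked."""
    wanted = set()
    for key, action in ucr.items():
        m = PKG_RE.match(key)
        if m and action.upper() == 'ACCEPT':
            wanted.add((m['proto'], m['port']))
    return sorted(pp for pp in wanted
                  if f'-p {pp[0]} --dport {pp[1]} ' not in script_text)


# Constructed dump, trimmed to a few of the variables shown in the thread,
# ending with the empty-string use_packages that caused the lockout.
DUMP = """\
security/packetfilter/defaultpolicy: REJECT
security/packetfilter/disabled: <empty>
security/packetfilter/package/.*: <empty>
security/packetfilter/package/univention-base-files/tcp/22/all/en: SSH
security/packetfilter/package/univention-base-files/tcp/22/all: ACCEPT
security/packetfilter/package/univention-nfs/tcp/32765:32769/all: ACCEPT
security/packetfilter/package/univention-samba4/udp/88/all: ACCEPT
security/packetfilter/use_packages:
"""

if __name__ == '__main__':
    broken = parse_ucr_dump(DUMP)
    print('rules with use_packages="":', len(package_rules(broken)))
    fixed = dict(broken)
    fixed['security/packetfilter/use_packages'] = 'yes'
    print('\n'.join(package_rules(fixed)))
    print('ports the broken script leaves closed:',
          missing_ports(fixed, '\n'.join(package_rules(broken))))
```

Running it prints zero rules for the dump as it stood on Uwe's server, the six rules the three sample variables produce once use_packages is 'yes', and the list of (proto, port) pairs, tcp/22 among them, that the broken script would leave closed. The same parse-and-compare can be fed the real `ucr search --brief packetfilter` and `ucr filter` outputs on a live system.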
UweP
March 8, 2014, 6:00pm
5
Hello Frank,
that did it. Exactly as described, the files 10_univention-firewall_start.sh and 80_univention-firewall_policy.sh in /etc/security/packetfilter.d were rebuilt. This time correctly, with all entries.
Many thanks for the quick help!
Regards
Uwe