Univention-firewall: Regeln weg nach Updates

german

#1

Hallo zusammen,

mein Server läuft zur Zeit als DC Master in der Version 3.2-0 errata 66. Folgendes Problem tritt nun seit Ende Januar wiederholt auf: Nach manchen errata-updates bekomme ich keinen Zugriff mehr auf den Server über ssh. Einloggen ist nur noch an der Konsole des Servers selbst möglich.

Ich habe herausgefunden das die univention-firewall alle Zugänge inkl. ssh blockiert. Im Verzeichnis /etc/security/packetfilter.d liegt die Datei 10_univention-firewall_start.sh. Diese Datei wird aktuell nicht korrekt aufgebaut wenn ein update dies anstösst. Glücklicherweise fand sich noch ein Backup der Datei vom 29.1. welches ich nun händisch an der Konsole zurückspielen kann, um wieder Zugriff per ssh zu bekommen. Diese Datei enthält nach dem erfolglosen Aufbau lediglich einige wenige EInträge die IPv4 und IPv6 beinhalten. Im Backup hingegen sind viele Einträge zu den Univention-Paketen enthalten. Diese fehlen komplett nach dem Neuaufbau. Die UCR listet unter Univention-Firewall aktuell 149 Einträge zu den installierten Paketen auf, jedoch werden diese offensichtlich nicht berücksichtigt.

Wo kann hierbei der Fehler liegen?

Gruß
Uwe


#2

Hallo Uwe,

Ruf doch mal auf:

ucr filter < /etc/univention/templates/files/etc/security/packetfilter.d/10_univention-firewall_start.sh

dann bekommst Du als Ausgabe genau das, was in die 10_univention-firewall_start.sh geschrieben würde. Ich würde erwarten, daß ucr eine Fehlermeldung ausgibt, wenn beim Generieren ein Fehler passiert. Sollte die Ausgabe einfach nur unvollständig sein und keinen Fehler nennen, müßte man sie mit dem Ergebnis von

ucr search --brief packetfilter

vergleichen und herausfinden, welche Variablen fehlen bzw. welche Pakete Probleme machen.

viele Grüße
Frank Greif.


#3

Hallo Frank,

vielen Dank für die Antwort.

ucr filter < /etc/univention/templates/files/etc/security/packetfilter.d/10_univention-firewall_start.sh
ergibt ausser dem “Vorspann” nur dies:

[code]# initialise IPv4
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -F -t mangle

accept IPv4 connections from localhost

/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

accept established IPv4 connections

/sbin/iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

accept all ICMP messages

/sbin/iptables -A INPUT -p icmp -j ACCEPT

initialise IPv6

/sbin/ip6tables -F
/sbin/ip6tables -F -t mangle

accept IPv6 connections from localhost

/sbin/ip6tables -A INPUT -i lo -j ACCEPT
/sbin/ip6tables -A OUTPUT -o lo -j ACCEPT

accept established IPv6 connections

/sbin/ip6tables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

accept all ICMPv6 messages

/sbin/ip6tables -A INPUT -p icmpv6 -j ACCEPT[/code]
Dies entspricht exakt dem Inhalt von 10_univention-firewall_start.sh

ucr search --brief packetfilter liefert:

security/packetfilter/defaultpolicy: REJECT security/packetfilter/disabled: <empty> security/packetfilter/package/.*: <empty> security/packetfilter/package/sesam-srv/tcp/11001/all: ACCEPT security/packetfilter/package/sesam-srv/tcp/11401/all: ACCEPT security/packetfilter/package/univention-apache/tcp/443/all/en: HTTPS security/packetfilter/package/univention-apache/tcp/443/all: ACCEPT security/packetfilter/package/univention-apache/tcp/80/all/en: HTTP security/packetfilter/package/univention-apache/tcp/80/all: ACCEPT security/packetfilter/package/univention-bareos/tcp/9101/all/en: bareos-dir security/packetfilter/package/univention-bareos/tcp/9101/all: ACCEPT security/packetfilter/package/univention-bareos/tcp/9102/all/en: bareos-fd security/packetfilter/package/univention-bareos/tcp/9102/all: ACCEPT security/packetfilter/package/univention-bareos/tcp/9103/all/en: bareos-sd security/packetfilter/package/univention-bareos/tcp/9103/all: ACCEPT security/packetfilter/package/univention-base-files/tcp/22/all/en: SSH security/packetfilter/package/univention-base-files/tcp/22/all: ACCEPT security/packetfilter/package/univention-base-files/tcp/37/all/en: time security/packetfilter/package/univention-base-files/tcp/37/all: ACCEPT security/packetfilter/package/univention-base-files/tcp/49152/all/en: Mediatomb security/packetfilter/package/univention-base-files/tcp/49152/all: ACCEPT security/packetfilter/package/univention-base-files/tcp/873/all/en: RSYNC security/packetfilter/package/univention-base-files/tcp/873/all: ACCEPT security/packetfilter/package/univention-base-files/udp/123/all/en: ntp security/packetfilter/package/univention-base-files/udp/123/all: ACCEPT security/packetfilter/package/univention-base-files/udp/1900/all/en: Mediatomb security/packetfilter/package/univention-base-files/udp/1900/all: ACCEPT security/packetfilter/package/univention-base-files/udp/49152/all/en: Mediatomb security/packetfilter/package/univention-base-files/udp/49152/all: ACCEPT security/packetfilter/package/univention-bind/tcp/53/all/en: DNS proxy security/packetfilter/package/univention-bind/tcp/53/all: ACCEPT security/packetfilter/package/univention-bind/tcp/7777/all/en: DNS server security/packetfilter/package/univention-bind/tcp/7777/all: ACCEPT security/packetfilter/package/univention-bind/udp/53/all/en: DNS proxy security/packetfilter/package/univention-bind/udp/53/all: ACCEPT security/packetfilter/package/univention-bind/udp/7777/all/en: DNS server security/packetfilter/package/univention-bind/udp/7777/all: ACCEPT security/packetfilter/package/univention-dhcp/udp/67/all/en: DHCP security/packetfilter/package/univention-dhcp/udp/67/all: ACCEPT security/packetfilter/package/univention-dhcp/udp/68/all/en: DHCP security/packetfilter/package/univention-dhcp/udp/68/all: ACCEPT security/packetfilter/package/univention-directory-notifier/tcp/6669/all/en: Univention Directory Notifier security/packetfilter/package/univention-directory-notifier/tcp/6669/all: ACCEPT security/packetfilter/package/univention-heimdal-common/tcp/544/all/en: krsh security/packetfilter/package/univention-heimdal-common/tcp/544/all: ACCEPT security/packetfilter/package/univention-heimdal-kdc/tcp/464/all/en: kpasswd security/packetfilter/package/univention-heimdal-kdc/tcp/464/all: ACCEPT security/packetfilter/package/univention-heimdal-kdc/tcp/749/all/en: kadmin security/packetfilter/package/univention-heimdal-kdc/tcp/749/all: ACCEPT security/packetfilter/package/univention-heimdal-kdc/tcp/88/all/en: kerberos security/packetfilter/package/univention-heimdal-kdc/tcp/88/all: ACCEPT security/packetfilter/package/univention-heimdal-kdc/udp/464/all/en: kpasswd security/packetfilter/package/univention-heimdal-kdc/udp/464/all: ACCEPT security/packetfilter/package/univention-heimdal-kdc/udp/88/all/en: kerberos security/packetfilter/package/univention-heimdal-kdc/udp/88/all: ACCEPT security/packetfilter/package/univention-ldap-server/tcp/389/all/en: LDAP security/packetfilter/package/univention-ldap-server/tcp/389/all: ACCEPT security/packetfilter/package/univention-ldap-server/tcp/636/all/en: LDAPS security/packetfilter/package/univention-ldap-server/tcp/636/all: ACCEPT security/packetfilter/package/univention-ldap-server/tcp/7389/all/en: LDAP security/packetfilter/package/univention-ldap-server/tcp/7389/all: ACCEPT security/packetfilter/package/univention-ldap-server/tcp/7636/all/en: LDAPS security/packetfilter/package/univention-ldap-server/tcp/7636/all: ACCEPT security/packetfilter/package/univention-management-console-server/tcp/6670/all/en: UMC security/packetfilter/package/univention-management-console-server/tcp/6670/all: ACCEPT security/packetfilter/package/univention-nagios-client/tcp/5666/all/en: Nagios NRPE security/packetfilter/package/univention-nagios-client/tcp/5666/all: ACCEPT security/packetfilter/package/univention-nfs/tcp/111/all/en: portmap security/packetfilter/package/univention-nfs/tcp/111/all: ACCEPT security/packetfilter/package/univention-nfs/tcp/2049/all/en: NFS security/packetfilter/package/univention-nfs/tcp/2049/all: ACCEPT security/packetfilter/package/univention-nfs/tcp/32765:32769/all/en: NFS related RPC daemons security/packetfilter/package/univention-nfs/tcp/32765:32769/all: ACCEPT security/packetfilter/package/univention-nfs/tcp/4660/all/en: NFS security/packetfilter/package/univention-nfs/tcp/4660/all: ACCEPT security/packetfilter/package/univention-nfs/udp/111/all/en: portmap security/packetfilter/package/univention-nfs/udp/111/all: ACCEPT security/packetfilter/package/univention-nfs/udp/2049/all/en: NFS security/packetfilter/package/univention-nfs/udp/2049/all: ACCEPT security/packetfilter/package/univention-nfs/udp/32765:32769/all/en: NFS related RPC daemons security/packetfilter/package/univention-nfs/udp/32765:32769/all: ACCEPT security/packetfilter/package/univention-nfs/udp/4660/all/en: NFS security/packetfilter/package/univention-nfs/udp/4660/all: ACCEPT security/packetfilter/package/univention-postgresql/tcp/5432/all/en: postgresql security/packetfilter/package/univention-postgresql/tcp/5432/all: ACCEPT security/packetfilter/package/univention-printserver/tcp/631/all/en: IPP security/packetfilter/package/univention-printserver/tcp/631/all: ACCEPT security/packetfilter/package/univention-printserver/udp/631/all/en: IPP security/packetfilter/package/univention-printserver/udp/631/all: ACCEPT security/packetfilter/package/univention-samba4/tcp/1024/all/en: KDM (Samba) security/packetfilter/package/univention-samba4/tcp/1024/all: ACCEPT security/packetfilter/package/univention-samba4/tcp/135/all/en: RPC (Samba) security/packetfilter/package/univention-samba4/tcp/135/all: ACCEPT security/packetfilter/package/univention-samba4/tcp/137:139/all/en: netbios (Samba) security/packetfilter/package/univention-samba4/tcp/137:139/all: ACCEPT security/packetfilter/package/univention-samba4/tcp/3268/all/en: LDAP GC (Samba) security/packetfilter/package/univention-samba4/tcp/3268/all: ACCEPT security/packetfilter/package/univention-samba4/tcp/3269/all/en: LDAP GC SSL (Samba) security/packetfilter/package/univention-samba4/tcp/3269/all: ACCEPT security/packetfilter/package/univention-samba4/tcp/389/all/en: LDAP security/packetfilter/package/univention-samba4/tcp/389/all: ACCEPT security/packetfilter/package/univention-samba4/tcp/445/all/en: microsoft-ds (Samba) security/packetfilter/package/univention-samba4/tcp/445/all: ACCEPT security/packetfilter/package/univention-samba4/tcp/464/all/en: Kerberos change/set password security/packetfilter/package/univention-samba4/tcp/464/all: ACCEPT security/packetfilter/package/univention-samba4/tcp/53/all/en: DNS security/packetfilter/package/univention-samba4/tcp/53/all: ACCEPT security/packetfilter/package/univention-samba4/tcp/636/all/en: LDAPS security/packetfilter/package/univention-samba4/tcp/636/all: ACCEPT security/packetfilter/package/univention-samba4/tcp/749/all/en: Kerberos admin security/packetfilter/package/univention-samba4/tcp/749/all: ACCEPT security/packetfilter/package/univention-samba4/tcp/88/all/en: Kerberos security/packetfilter/package/univention-samba4/tcp/88/all: ACCEPT security/packetfilter/package/univention-samba4/udp/123/all/en: TIME security/packetfilter/package/univention-samba4/udp/123/all: ACCEPT security/packetfilter/package/univention-samba4/udp/137:139/all/en: netbios (Samba) security/packetfilter/package/univention-samba4/udp/137:139/all: ACCEPT security/packetfilter/package/univention-samba4/udp/389/all/en: LDAP security/packetfilter/package/univention-samba4/udp/389/all: ACCEPT security/packetfilter/package/univention-samba4/udp/445/all/en: microsoft-ds (Samba) security/packetfilter/package/univention-samba4/udp/445/all: ACCEPT security/packetfilter/package/univention-samba4/udp/464/all/en: Kerberos change/set password security/packetfilter/package/univention-samba4/udp/464/all: ACCEPT security/packetfilter/package/univention-samba4/udp/53/all/en: DNS security/packetfilter/package/univention-samba4/udp/53/all: ACCEPT security/packetfilter/package/univention-samba4/udp/88/all/en: Kerberos security/packetfilter/package/univention-samba4/udp/88/all: ACCEPT security/packetfilter/package/univention-squid/tcp/3128/all/en: HTTP proxy security/packetfilter/package/univention-squid/tcp/3128/all: ACCEPT security/packetfilter/package/zarafa4ucs/tcp/110/all/en: POP3 security/packetfilter/package/zarafa4ucs/tcp/110/all: ACCEPT security/packetfilter/package/zarafa4ucs/tcp/143/all/en: IMAP security/packetfilter/package/zarafa4ucs/tcp/143/all: ACCEPT security/packetfilter/package/zarafa4ucs/tcp/236/all/en: ZARAFA security/packetfilter/package/zarafa4ucs/tcp/236/all: ACCEPT security/packetfilter/package/zarafa4ucs/tcp/237/all/en: ZARAFA encrypted security/packetfilter/package/zarafa4ucs/tcp/237/all: ACCEPT security/packetfilter/package/zarafa4ucs/tcp/25/all/en: SMTP security/packetfilter/package/zarafa4ucs/tcp/25/all: ACCEPT security/packetfilter/package/zarafa4ucs/tcp/465/all/en: SSMTP security/packetfilter/package/zarafa4ucs/tcp/465/all: ACCEPT security/packetfilter/package/zarafa4ucs/tcp/8080/all/en: ICAL security/packetfilter/package/zarafa4ucs/tcp/8080/all: ACCEPT security/packetfilter/package/zarafa4ucs/tcp/8443/all/en: ICALS security/packetfilter/package/zarafa4ucs/tcp/8443/all: ACCEPT security/packetfilter/package/zarafa4ucs/tcp/993/all/en: IMAPS security/packetfilter/package/zarafa4ucs/tcp/993/all: ACCEPT security/packetfilter/package/zarafa4ucs/tcp/995/all/en: POP3S security/packetfilter/package/zarafa4ucs/tcp/995/all: ACCEPT security/packetfilter/tcp/.*: <empty> security/packetfilter/udp/.*: <empty> security/packetfilter/use_packages:
Das dürfte vom Umfang her dem korrekten Inhalt entsprechen. Damit ist der Server auch entsprechend erreichbar.
Für mich sehen die Einträge unauffällig aus. Kann man hieraus einen Fehler ableiten?

Gruß
Uwe


#4

Hallo Uwe,

laut Quelltext des Templates:

# get package settings
if configRegistry.is_true('security/packetfilter/use_packages', True):

muß die Variable security/packetfilter/use_packages entweder explizit auf true stehen oder nicht definiert sein (also entweder gar nicht erscheinen oder mit dem Pseudo-Wert . Bei Dir ist sie aber vorhanden und auf einen leeren String gesetzt. Also mal probieren:

ucr set security/packetfilter/use_packages=yes

und dann sollte es sofort neu generiert werden.

Viele Grüße
Frank Greif.


#5

Hallo Frank,

damit hat es funktioniert. Genau wie beschrieben wurden in /etc/security/packetfilter.d die Dateien 10_univention-firewall_start.sh und 80_univention-firewall_policy.sh neu aufgebaut. Diesmal korrekt mit allen Einträgen.

Vielen Dank für die schnelle Hilfe!

Gruß
Uwe