GNU bug report logs - #48753
iptables example update


Package: guix-patches;

Reported by: Eric Brown <ecbrown <at> ericcbrown.com>

Date: Sun, 30 May 2021 21:08:01 UTC

Severity: normal

Done: Arun Isaac <arunisaac <at> systemreboot.net>



Report forwarded to guix-patches <at> gnu.org:
bug#48753; Package guix-patches. (Sun, 30 May 2021 21:08:01 GMT)

Acknowledgement sent to Eric Brown <ecbrown <at> ericcbrown.com>:
New bug report received and forwarded. Copy sent to guix-patches <at> gnu.org. (Sun, 30 May 2021 21:08:01 GMT)

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Eric Brown <ecbrown <at> ericcbrown.com>
To: guix-patches <at> gnu.org
Subject: iptables example update
Date: Sun, 30 May 2021 22:07:07 +0100
Dear List,

I have often puzzled over the iptables example that is given in the Guix manual.

It seems that this rule would allow someone to ssh in, but would not
practically allow ssh *outward* because the session would not be able to
receive a response.

I've added what I think is a line that fixes the issue.

Best regards,
Eric

[0001-doc-Updated-iptables-example.patch (text/x-diff, attachment)]

Reply sent to Arun Isaac <arunisaac <at> systemreboot.net>:
You have taken responsibility. (Thu, 03 Jun 2021 18:47:02 GMT)

Notification sent to Eric Brown <ecbrown <at> ericcbrown.com>:
bug acknowledged by developer. (Thu, 03 Jun 2021 18:47:02 GMT)

Message #10 received at 48753-done <at> debbugs.gnu.org (full text, mbox):

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: Eric Brown <ecbrown <at> ericcbrown.com>, 48753-done <at> debbugs.gnu.org
Subject: Re: [bug#48753] iptables example update
Date: Fri, 04 Jun 2021 00:16:49 +0530
Hi Eric,

I wrote the iptables service and documentation. So, the mistake is
entirely due to my poor grasp of iptables! :-)

I have applied your patch, and pushed to master. Thanks!

Cheers,
Arun

Information forwarded to guix-patches <at> gnu.org:
bug#48753; Package guix-patches. (Sun, 06 Jun 2021 18:54:02 GMT)

Message #13 received at 48753-done <at> debbugs.gnu.org (full text, mbox):

From: "Eric Brown" <ecbrown <at> ericcbrown.com>
To: "Arun Isaac" <arunisaac <at> systemreboot.net>, 48753-done <at> debbugs.gnu.org
Subject: Re: [bug#48753] iptables example update
Date: Sun, 06 Jun 2021 13:52:57 -0500
On Thu, Jun 3, 2021, at 1:46 PM, Arun Isaac wrote:
> 
> Hi Eric,
> 
> I wrote the iptables service and documentation. So, the mistake is
> entirely due to my poor grasp of iptables! :-)
> 
> I have applied your patch, and pushed to master. Thanks!
> 
> Cheers,
> Arun
> 
> Attachments:
> * signature.asc

Hi Arun,

Thank you for applying the patch, I think it’s much better. Truthfully I am relieved that you are an iptables newbie and so am I!

I think there could still be some work done to this recommendation. For example, when I use this updated iptables firewall selection, I am unable to telnet into ports open on localhost. An example is that I am a heavy user of VNC/SSH tunnel connections and it doesn’t let me do that; it blocks e.g. port 5902. (A similar naive rule in nftables does let this work!!!)

But so many examples are given in iptables (esp. WireGuard stuff) and so if you have no objections, I would like to take a further look and maybe even ask around as to what the ‘ufw allow ssh’ behavior is vis-a-vis iptables best practices.

Best regards,
Eric
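The two situations raised in this thread (return traffic of connections the host opens itself, and connections to listeners bound only to localhost) in one IPv4 rule file, as an added illustration that is neither the Guix manual's example nor the patch attached above, whose body is not shown in this report. The conntrack line is assumed to be the kind of rule the patch adds; the loopback line is the usual remedy for rejected connections to 127.0.0.1 and is not confirmed by the thread as the cause of the port 5902 report.

```iptables
# Constructed example in iptables-restore format (not the manual's text and
# not the attached patch).  Shape of the original: accept inbound ssh, then
# reject every other TCP packet.  iptables evaluates rules first-match, so
# anything that must get past the final REJECT has to be listed above it.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Absent in the original shape.  Local-only listeners (a VNC endpoint on
# 127.0.0.1:5902 reached through an ssh tunnel, for instance) are contacted
# over the loopback interface; without this, that SYN is a NEW packet with
# no matching ACCEPT and falls through to the REJECT below.
-A INPUT -i lo -j ACCEPT

# Absent in the original shape (assumed to be what the patch supplies).
# Replies to connections this host opened, e.g. the SYN-ACK from a remote
# ssh server, arrive on INPUT with a random destination port; conntrack
# classes them ESTABLISHED and lets them in.  RELATED covers ICMP errors
# and helper-tracked data connections for the same flows.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# The service the example intends to expose: inbound ssh.
-A INPUT -p tcp --dport 22 -j ACCEPT

# Catch-all: reject remaining TCP with a reset rather than dropping, so
# scanners and misconfigured clients fail fast instead of timing out.
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
COMMIT
```

Load it with `iptables-restore` (or through Guix's `iptables-configuration`) and check the order with `iptables -S INPUT`: both ACCEPT lines must print before the REJECT line, or the original symptom returns.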




Information forwarded to guix-patches <at> gnu.org:
bug#48753; Package guix-patches. (Wed, 16 Jun 2021 07:19:01 GMT)

Message #16 received at 48753-done <at> debbugs.gnu.org (full text, mbox):

From: Arun Isaac <arunisaac <at> systemreboot.net>
To: Eric Brown <ecbrown <at> ericcbrown.com>, 48753-done <at> debbugs.gnu.org
Subject: Re: [bug#48753] iptables example update
Date: Wed, 16 Jun 2021 12:48:41 +0530
Hi Eric,

> Thank you for applying the patch, I think it’s much better. Truthfully
> i am relieved that you are an iptables newbie and so am I!

:-P

> I think there could still be some work done to this recommendation.
> For example, when I use this updated iptables firewall selection, I am
> unable to telnet into ports open on localhost.  An example is that I
> am a heavy user of VNC/SSH tunnel connections and it doesn’t let me do
> that, it blocks e.g. port 5902.  (A similar naive rule in nftables
> does let this work!!!)

I'm not able to reproduce this. I built and started a container with an
ssh server on port 5902. And, I was able to connect fine with
telnet. Could you describe the precise steps, configuration, etc. to
reproduce this issue?

> But so many examples are given in iptables (esp. WireGuard stuff) and
> so if you have no objections, I would like to take a further look and
> maybe even ask around as to what the ‘ufw allow ssh’ behavior
> vis-a-vis iptables best practices.

Sure, please do! You don't need my permission for that! :-)

Regards,
Arun

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 14 Jul 2021 11:24:08 GMT)
