enable uruk-save by default
-------
Fri 27 14:43 < joostvb> http://mdcc.cx/tmp/uruk/uruk_20140627-1_all.deb
Fri 27 14:43 < joostvb> casper: ^ or you?
Fri 27 14:44 < casper> Loading IPv4 uruk rulesWARNING: services_eth0_default_dccp is undefined. (Processing uruk rc file nevertheless.)
Fri 27 14:44 < casper> WARNING: services_eth0_default_sctp is undefined. (Processing uruk rc file nevertheless.)
Fri 27 14:44 < casper> (on metagross)
--------
Wed 20 16:41 < Fruit> joostvb: sctp support in uruk would be handy
Wed 20 16:46 < Fruit> joostvb: maybe dccp right away too, then
--protocol protocol
The protocol of the rule or of the packet to check. The specified protocol
can be one of tcp, udp, udplite, icmp, icmpv6, esp, ah, sctp, mh or the
special keyword "all", or it can be a numeric value, representing one of these
protocols or a different one. A protocol name from /etc/protocols is also
allowed. A "!" argument before the protocol inverts the test. The number
zero is equivalent to all. "all" will match with all protocols and is taken
as default when this option is omitted. Note that, in ip6tables, IPv6
extension headers except esp are not allowed. esp and ipv6-nonext can be
used with Kernel version 2.6.11 or later.
in script/uruk, see "for proto in tcp udp" and "--tcp-flags"
see also iptables-extensions(8)
- for proto in tcp udp
+ for proto in dccp sctp tcp udp
sctp: find out about --chunk-types (vs --tcp-flags in tcp-case)
---------------
phase out sources6 in uruk? is there still a use-case?
-----
if uruk is configured for ipv4, but not for ipv6, it should block all ipv6 traffic.
if uruk is configured for ipv6, but not for ipv4, it should block all ipv4 traffic.
if uruk is not configured for ipv4 and not for ipv6, it should do nothing (as it currently does).
fix bugs:
querybts --mbox 705687 >debian-bug-705687.mbox
doc/debian-bug-704807.mbox doc/debian-bug-705687.mbox doc/debian-bug-720306.mbox
joostvb@arrr:ding% mailx -f ./doc/debian-bug-720306.mbox
then give 'v' or 'p' or ~v or ~p
#704807 [n|+u| ] [uruk] uruk: autodetect non-routable nets
#720306 [n| | ] [uruk] uruk: incorrectly blocks and logs tcp RSET packets
#705687 [w| | ] [uruk] Provide "uruk diff" showing diff between running and config
--------------
support for the successor of iptables: not netfilter but ....
----
Mon 16 16:04 < joostvb> http://mdcc.cx/tmp/uruk/uruk_20130913-1_all.deb <- ready for testing
Mon 16 16:20 < thijs> joostvb: update-rc.d: warning: start and stop actions are no longer supported; falling back to defaults
Mon 16 16:21 < thijs> sid
Mon 16 16:22 < Fruit> yes, makes sense, it goes via dependencies now anyway
Mon 16 16:23 < joostvb> thijs: sysv-rc 2.88dsf-43 I see, well well
and see also the insserv package
Mon 16 16:24 < joostvb> thijs: but otherwise it does work, if you leave that warning for what it is?
Mon 16 16:24 < thijs> indeed, it falls back to the defaults
Mon 16 16:25 < joostvb> ok, thanks for testing
See insserv(8) for lsb header descriptions
likely removing
# Default-Start: S
# Default-Stop: 0 1 6
will fix that
------
lintian complains init.d-script-does-not-source-init-functions .
Either change /etc/init.d/uruk's
. $lsb_init_functions
into
. /lib/lsb/init-functions
, add a lintian override, or fix /usr/share/lintian/checks/systemd.pm as shipped
with lintian 2.5.17
----------
stick in documentation somewhere:
Tue 03 09:24 < joostvb> hrm, "conntrack_max = (ram/16384) / (arch/32)"
Tue 03 09:24 < joostvb> why is that?
Tue 03 09:24 < joostvb> because linus wants it that way?
Tue 03 09:39 < joostvb> it would be nice if it can still be overridden
+Sep 2 14:04:21 tsingou kernel: [3459743.665364] nf_conntrack: table full, dropping packet.
+root@tsingou:~# cat /proc/sys/net/nf_conntrack_max
+65536
+root@tsingou:~# wc -l /proc/net/ip_conntrack
+63453 /proc/net/ip_conntrack
+so pretty full, yes
+but conntrack_max = (ram/16384) / (arch/32) = 64336, so raising it makes no sense.
Tue 03 09:54 < Fruit> joostvb: you can override it
Tue 03 09:56 < casper> joostvb: afaik I used that formula on tory
Tue 03 09:56 < casper> to work out how high I could set conntrack_max
Tue 03 09:57 < casper> I don't think it is the default
--------
urukctl: document how to set up file access permissions in order to be able to
run "urukctl create active" as non-root user.
------
If the local IP is unspecified, then don't check traffic on destination
IP, but only on source, port, etc. Handy with DHCP and dynamic
IPv6. Thanks Wessel for the idea.
E.g. if ip_eth0_failover='', then don't check on that.
-------------------------------------------------------------------
look in /sys to find network interfaces. via ip(1): is non-standard
on Red Hat. possibly nice for non-Debian/non-RH; e.g. Gentoo or similar.
-------
git should do "write to tempfile; fsync(); rename" when updating HEAD ref.
due to power failure my HEAD ref file was empty. occurred with
git 1:1.7.10.4-1+wheezy1
------
metagross# chmod a+x /tmp/urukctl
metagross# /tmp/urukctl start
Flushing all current iptables rules.
Loading IPv4 uruk rules.
Saving iptables ruleset: save "active" with counters.
Flushing all current ip6tables rules.
Loading IPv6 uruk rulesip6tables: Protocol wrong type for socket.
ip6tables v1.4.14: host/network `' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.4.14: host/network `' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.4.14: host/network `' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.4.14: host/network `' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.4.14: host/network `' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.4.14: host/network `' not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
.
Saving ip6tables ruleset: save "active" with counters.
metagross#
------------
- fix copyright in .azm: use template.
- The revised uruk init script now exits successfully when the uruk program
is not installed, like any init script on Debian systems. FIXME Red Hat?
-------------
ship a systemd (or go with lsb hack firing of systemd stuff via traditional
init script) and a daemontools init thingie
-------------
FIXME: this is probably / partially fixed (as of < 2013-09) :
plan: rename this script to uruk-ctl, write a new sane init script that
really is a config file, and then this old script is no longer a Debian config file.
Wed 22 10:51 < joostvb> Fruit: log_failure_msg "Aborting uruk initd: missing executable $i"
Wed 22 10:52 < Fruit> service uruk start
Wed 22 10:52 < Fruit> exit 0
Wed 22 10:52 < joostvb> exit 5
Wed 22 10:52 < joostvb> is that wrong?
Wed 22 10:52 < Fruit> root@fry:~# facedin
Wed 22 10:52 < Fruit> service uruk force-reload exited with status 5
Wed 22 10:53 < Fruit> snmpd:test -x /usr/sbin/snmpd || exit 0
if you have an /e/d/uruk with an enable-ipv6 call, and you do dpkg --remove uruk:
Wed 22 16:40 <Fruit> /etc/init.d/uruk: 17: /etc/default/uruk: enable-ipv6: not found
and if you have an /e/d/uruk without an enable-ipv6 call:
Wed 22 16:41 <Fruit> root@bender:~# facedin
Wed 22 16:41 <Fruit> service uruk force-reload exited with status 5
-------------
init/enable-ipv6 doc/default : currently enable_ipv6=false means: do not call
ip6tables. it should mean: block all ipv6 traffic. see NEWS.
Fri 22 10:16 <@Fruit> joostvb: if IPv6 is disabled in uruk, maybe just block all IPv6 traffic?
Fri 22 10:17 <@Fruit> flush all tables and set the policy to DROP?
Fri 22 10:17 <@Fruit> I can quickly put together a nice autistic ruleset
Fri 22 10:22 < joostvb> yes, please, such an autistic ruleset for ipv6
<quote>
Date: Fri, 22 Mar 2013 11:00:13 +0100
From: Wessel Dankers
To: Joost
Subject: autistic IPv6 rulebase
Message-ID: <20130322100013.GN2849@homsar.uvt.nl>
To feed to ip6tables-restore:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
*raw
:PREROUTING DROP [0:0]
:OUTPUT DROP [0:0]
COMMIT
*mangle
:PREROUTING DROP [0:0]
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:POSTROUTING DROP [0:0]
COMMIT
Without ip6tables-restore:
ip6tables -F
ip6tables -t raw -F
ip6tables -t mangle -F
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP
ip6tables -t raw -P PREROUTING DROP
ip6tables -t raw -P OUTPUT DROP
ip6tables -t mangle -P PREROUTING DROP
ip6tables -t mangle -P INPUT DROP
ip6tables -t mangle -P FORWARD DROP
ip6tables -t mangle -P OUTPUT DROP
ip6tables -t mangle -P POSTROUTING DROP
This does assume, by the way, that you set the policies to ACCEPT in uruk,
something that should happen anyway (otherwise you can't robustly load a
ruleset).
</quote>
-----------
later: reimplement uruk-save in perl, be sure to run it only when /usr is
mounted, not in init-script during boot.
from group/uruk/etc/uruk/rc-experimental by Wessel Dankers, 2012:
-------------------
Tue 23 15:50 < Fruit> joostvb: Saving iptables ruleset: save "inactive".
Tue 23 15:50 < Fruit> joostvb: that's what I'm trying to prevent, with enable_autosave=false and enable_save_counters=false
Tue 23 15:51 < Fruit> joostvb: but it keeps doing that
- enable ip-not-yet-known. for roaming users, for fast-changing ipv6 addresses, for
interfaces for which ip is not yet known. optionally: allow specifying range as
local address. tnx Wessel for reporting issue.
- init script
*** /var issue
2 init scripts
one does deny everything
second does stuff
alternative:
ifupdown /etc/network/interfaces and especially /etc/init.d/networking
/run is cleared during reboot. we'd prefer to be able to load from saved state during
boot. therefore, first block everything. later, when /var etc. are available,
run uruk. what to do before halt?
*** rh issue
/etc/redhat-lsb/lsb_* provided by redhat-lsb-4.0-3.el6.x86_64
License GPL, by Lawrence Lim e.a., 2011, for Red Hat, Inc.
--------------
- decide: fork this package, get new name, don't bother about migration scenario,
use dedicated named chains and tables.
- major overhaul: use different chains, optimise behaviour when dealing with ipv6.
we deal with private ip ranges in a braindead way; improve that.
- test on dijkstra, rolle, bruhat, freitag
root@janacopoulos:/tmp# wget http://mdcc.cx/tmp/uruk/uruk_20110602-1_all.deb && dpkg -i uruk_20110602-1_all.deb
-------------
- add a full IPv6 example to uruk-rc manpage (we now only have the example
rc-file).
- 28 14:11 < joostvb> ip6_noroute_ranges='::1/128 ffff:0:0::/96 fc00::/7
fec0::/10 0200::/7 2001:0db8::/32'
Fri 28 14:14 < Fruit> joostvb: by the way, in IPv6 it's much better to speak of *routable* than unroutable
Fri 28 14:14 < Fruit> 2000::/3 is simply the only one that is routable, the rest is local
Fri 28 14:26 < Fruit> 2001:0DB8::/32 has been assigned as a NON-ROUTABLE range to be used for documentation purpose [RFC3849].
Fri 28 14:26 < Fruit> there goes the nice 2000::/3 rule :(
--------------- first first prio -----------------------------------
- improve flush:
Subject: Re: uruk Re: emptying iptables: ugly but robust
From: Wessel Dankers <wsl@uvt.nl>
In-Reply-To: <20110114092236.GA14988@dijkstra.uvt.nl>
> On Fri 14 Jan 2011 at 10:17:10 +0100 Wessel Dankers wrote:
> > iptables-save |
> > sed -rn 's/^:([A-Z]+) [A-Z]+ \[[0-9]+:[0-9]+\]$/:\1 ACCEPT [0:0]/p; /^(\*|COMMIT$)/p' |
> > iptables-restore
- for net_foo use strings like
privnet-10
privnet-0
privnet-172
- 29 15:16 < fvos> joostvb: maybe it's already possible, but on the eee I want it to also work when there is a different ip address per connection
Sat 29 15:18 < fvos> there is no checking of the rc-file, as you indicate yourself, but with my xml+xsl addition you can validate the configuration documents against an xsd and split the file into logical files that you merge with xinclude
Sat 29 19:29 < joostvb> fvos: validate against an xsd: patches welcome :)
Sat 29 19:29 < joostvb> fvos: but I don't think I'll make that the default, that it does that
- localhost is 0000:0000:0000:0000:0000:0000:0000:0001 aka
Fri 18 10:36 < Fruit> ::1
0000:0000:0000:0000:0000:0000:0000:0000/0 is ::/0
s/(^|:)(0+($|:))+/::/
runs of zero words can be abbreviated to ::
Thanks Wessel
http://www.faqs.org/rfcs/rfc3330.html
- Suggested by Casper Gielen: enable broadcast/multicast filtering for IPv6
Careful, this part is very different from IPv4. IPv6 does not support
broadcast (at all) while support for multicast is mandatory. Do not block
without a proper understanding of what you are blocking.
Very likely needs to get implemented in script/uruk.in near "# Don't answer
broadcast and multicast packets"
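The shortening in the "localhost is 0000:...:0001 aka ::1" item above, worked out as an added example that is not uruk's own code: ipv6_compress is a hypothetical shell helper that takes an address in the full eight-word form (as in that item, optionally with a /prefixlen) and produces the canonical short form, while ipv6_naive_sed runs the one-line sed from the note for comparison, showing why it is not enough on its own.

```shell
#!/bin/sh
# Added example (not uruk's own code). ipv6_compress: drop leading zeros in
# each 16-bit word and replace only the longest run of zero words (at least
# two; the first such run on a tie) with "::", as RFC 5952 requires.
# Assumes the input is the full eight-word form; a "/prefixlen" suffix is kept.
ipv6_compress() {
    addr=${1%%/*}
    case $1 in */*) plen="/${1#*/}" ;; *) plen="" ;; esac
    printf '%s\n' "$addr" | awk -F: -v plen="$plen" '
    {
        for (i = 1; i <= NF; i++) {          # strip leading zeros per word
            sub(/^0+/, "", $i)
            if ($i == "") $i = "0"
        }
        best = 0; start = 0; i = 1           # locate longest run of "0" words
        while (i <= NF) {
            if ($i != "0") { i++; continue }
            j = i
            while (j <= NF && $j == "0") j++
            if (j - i > best) { best = j - i; start = i }
            i = j
        }
        out = ""
        for (i = 1; i <= NF; i++) {
            if (best >= 2 && i == start) {   # emit "::" once and skip the run
                out = out "::"
                i = start + best - 1
                continue
            }
            if (out != "" && substr(out, length(out)) != ":") out = out ":"
            out = out $i
        }
        print out plen
    }'
}

# The sed from the note, applied globally, for comparison: it keeps leading
# zeros (0000:...:0001 becomes ::0001, not ::1) and, worse, collapses every
# zero run, so an address with two runs ends up with two "::" and is invalid.
ipv6_naive_sed() {
    printf '%s\n' "$1" | sed -E 's/(^|:)(0+($|:))+/::/g'
}
```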
----------------- first prio ------------------------------------
RSN: write urukconfig : generate uruk rc file based upon currently
offered network services. all services will be available for _all_ IPs
(or perhaps just local network?)
Packages could run this to generate a first rc file.
----------------- candidates for upcoming release ------------------
- use ip{,6}tables-apply by Martin Krafft: safe testing of new rules on remote host.
- get rid of duplicated code in init-script:
if test "$found_active" -a "$found_inactive"; then
eval found_$rule=1
- dpkg --remove uruk does not remove symlinks in /etc/rcS.d/; init-script fails hard
if binary gone.
- dpkg --purge uruk does not remove /var/lib/uruk/iptables/active.
- "status" is broken in case IPv6 is enabled (found on yosida):
root@yosida:~# invoke-rc.d uruk start
Saving IPv4 uruk rules as active ruleset.
Loading iptables ruleset: load "active".
Starting uruk (iptables)
Saving IPv6 uruk rules as active ruleset.
Loading ip6tables ruleset: load "active".
Starting uruk (ip6tables)
root@yosida:~# /etc/init.d/uruk status
* Checking uruk (iptables): both active and inactive rulesets present, but active ruleset not loaded
* Checking uruk (ip6tables): both active and inactive rulesets present, but active ruleset not loaded
- "start" when uruk is running flushes and reloads current active ruleset.
Should it do this? Or should it rather be a no-op? check lsb.
- add a "dump-status" option to init-script: dump details about status, keep
tmpfiles. useful for debugging.
- /etc/init.d/uruk flush does not flush nat nor mangle table. This means
force-reload breaks when these tables are in use. See comment near initd_flush.
Fix this, and accept the introduced cruft. Tnx Wessel.
- Phase out support for services_eth0_udp, but enforce ipS_eth0; warn for
obsolete syntax
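The iptables-save | sed | iptables-restore flush quoted under "improve flush" in the first-prio section, as an added example that is not uruk's own code: uruk_flush_filter is a hypothetical helper wrapping that exact sed so it can be dry-run on a saved dump, and the constructed sample (not from a real host) shows nat and mangle being reset along with filter, which is the gap the "flush does not flush nat nor mangle table" item above describes.

```shell
#!/bin/sh
# Added example (not uruk's own code). The sed keeps every "*table" header and
# COMMIT, rewrites each builtin chain line to policy ACCEPT with zero counters,
# and drops everything else. User-defined chains never match: their policy
# field is "-", not [A-Z]+, so iptables-restore deletes them with the rules.
uruk_flush_filter() {
    sed -E -n 's/^:([A-Z]+) [A-Z]+ \[[0-9]+:[0-9]+\]$/:\1 ACCEPT [0:0]/p; /^(\*|COMMIT$)/p'
}

# Constructed sample dump with a DROP policy, a user chain and rules in nat,
# mangle and filter. Real input is the output of iptables-save.
sample_dump='# Generated by iptables-save v1.4.14 (constructed sample)
*nat
:PREROUTING ACCEPT [12:816]
:POSTROUTING ACCEPT [3:204]
:OUTPUT ACCEPT [3:204]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [100:8000]
:INPUT ACCEPT [100:8000]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [90:7000]
:POSTROUTING ACCEPT [90:7000]
-A OUTPUT -p tcp --dport 22 -j TOS --set-tos 0x10
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [42:3360]
:uruk_eth0 - [0:0]
-A INPUT -i eth0 -j uruk_eth0
-A uruk_eth0 -p tcp --dport 22 -j ACCEPT
COMMIT'

# Flushed ruleset for the sample. On a live host the same filter sits between
# iptables-save and iptables-restore, which then replaces all three tables.
flushed_sample() {
    printf '%s\n' "$sample_dump" | uruk_flush_filter
}

# Number of rule lines (-A ...) and user chains (":name - ...") in a dump.
leftover_rules() {
    printf '%s\n' "$1" | grep -cE '^(-A |:[^ ]+ - )' || true
}
```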
----------------- end of candidates for upcoming release ------------------
----------------- stuff which just might happen one day -------------------
- improve documentation on usage with non-fixed IPs, refer to /etc/network/if-up.d/uruk.
- using names of interfaces in names of variables is dumb. the characters
@ : . occur in interface names, but are not allowed in variable names.
E.g. eth0.54@eth0 and vif6.0 and eth0:3
- use functions
log_daemon_msg
log_end_msg
log_action_msg
in init-script, see e.g. firehol init script
- Thu 20 23:13 < fvos> joostvb: I'd like to see the current rc split into several separate files, for example 'networks', 'sources' and so on. That way the entries in those files can also have simpler names, and quality control for missing references is perhaps easier too.
Fri 21 05:37 < joostvb> fvos: a syntax checker would indeed be handy, yes
- Phase out support for rc_e
- Debian package: S40uruk could better be S41uruk: explicitly start after
networking (which is S40networking).
- We set up firewall rules only _after_ the network interfaces are configured.
This is dumb: we are vulnerable to bugs in the kernel's IP stack. One
solution for this: create an /etc/init.d/uruk-pre script, which is run as early
as possible, and _before_ network interfaces are configured. It should disable
all network traffic (except for traffic on the loopback interface). Only later,
network interfaces are configured, /etc/init.d/uruk is run and network services
are started. (N.B.: so even with the current setup we _do_ protect our
services).
- In uruk-rc manpage, include example rc-file verbatim.
- Create "upload" target in /Makefile.am
- Improve examples in documentation:
<Fruit> joostvb: I believe ":" is a nice shorthand for "all ports"
- Fix bugs in uruk script: (force-)reload should do something sane when
uruk not running.
- Check documentation: uruk-rc manpage needs more stuff.
- Write a wrapper for OpenBSD's pf and FreeBSD's ipfilter, so that these tools
can use the same rc file format. We'd also have to make sure init-script
works on non-LSB-systems, then.
- Reimplement uruk-save: make it more robust. See
http://www.faqs.org/docs/iptables/iptables-save.html for example of file
format. Use logic from iptables-save.c.
- Think about an alternative for uruk-save: create a chain, and enable it once it's
fully built by doing just one iptables call. This would allow truly atomic
loading of new rulesets.
- Is it sane to allow all traffic in default inactive rule?
- Check save_counters support in init script. It's likely broken.
- Date: Wed, 9 Feb 2005 15:09:16 +0100
Message-ID: <20050209140916.GZ1487@trogdor.uvt.nl>
Recognise broadcasts (perhaps by destination MAC address?) and don't log them.
.
alternative implementation: near code-snippet:
# supporting this for multiple-ips would need multiple chains
# or, perhaps, some iptables extension.
This log-spamming happens only in multiple-ip-per-nic mode.
Do DROP stuff just before log, would that work? (No, we really can't do
something like "--dest !(ip1 or ip2 or ip3)".)
.
yet to implement: loglevel "high". Document multiple ip per nic logspamming bug.
# this file maintained at http://git.mdcc.cx/uruk.git