[Whonix-devel] Bug#829640: netfilter-persistent loads firewall rules too late

Patrick Schleizer adrelanos at riseup.net
Tue Jul 5 01:07:00 CEST 2016


Package: netfilter-persistent
Severity: grave
X-Debbugs-CC: whonix-devel at whonix.org
Tags: security

Dear maintainer,

There is a security issue with the netfilter-persistent systemd service. [1]

netfilter-persistent orders itself before the wrong target. It should be
'Before=network-pre.target'.

The systemd manual is quite clear on network.target and
network-pre.target. [2]

Credits for finding this bug go to rustybird. [3] [4] (I am only
seconding and reporting it.)

(Using severity grave as this could pose a security risk, i.e. the
firewall getting up too late.)

Cheers,
Patrick

[1] https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/tree/systemd/netfilter-persistent.service
[2] https://www.freedesktop.org/software/systemd/man/systemd.special.html
[3] https://github.com/rustybird
[4] https://github.com/rustybird/corridor/issues/8#issuecomment-230266161
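As an added illustration (not part of the report, and not the package's own unit file), the following shell snippet shows a drop-in that applies the ordering the report asks for and a small check that inspects a unit file plus its drop-ins for `Before=network-pre.target`; the unit text it builds is constructed to mirror the shipped service, and the drop-in path is the standard systemd override location.

```shell
#!/bin/sh
# Added example: a drop-in that moves netfilter-persistent.service before
# network-pre.target, plus a check over unit text for that ordering.
# network-pre.target is a passive target (systemd.special(7)), so the unit
# must also pull it in with Wants=; Before= alone is not enough.

# Contents of a drop-in, e.g.
# /etc/systemd/system/netfilter-persistent.service.d/override.conf
DROPIN_CONTENT='[Unit]
Wants=network-pre.target
Before=network-pre.target
DefaultDependencies=no'

# check_ordering <unit-file> [<dropin-file>...]
# Prints "ok" and returns 0 when the combined unit text orders itself
# before network-pre.target; prints "late" and returns 1 otherwise.
check_ordering() {
    # Gather every Before= value from the unit and its drop-ins, one per line.
    befores=$(cat "$@" 2>/dev/null | sed -n 's/^[[:space:]]*Before=//p' | tr ' ' '\n')
    if printf '%s\n' "$befores" | grep -qx 'network-pre.target'; then
        echo ok
        return 0
    fi
    echo late
    return 1
}

# Demo on constructed files: the unit as shipped (ordered only against
# network.target) and the same unit with the drop-in applied.
demo() {
    dir=$(mktemp -d)
    printf '[Unit]\nDescription=netfilter persistent configuration\nBefore=network.target\nDefaultDependencies=no\n\n[Service]\nType=oneshot\nExecStart=/usr/sbin/netfilter-persistent start\n' \
        > "$dir/netfilter-persistent.service"
    printf '%s\n' "$DROPIN_CONTENT" > "$dir/override.conf"
    check_ordering "$dir/netfilter-persistent.service" || true                # prints: late
    check_ordering "$dir/netfilter-persistent.service" "$dir/override.conf"   # prints: ok
    rm -rf "$dir"
}

demo
```

On a live system the equivalent check is `systemctl show -p Before netfilter-persistent.service` after `systemctl daemon-reload`, which reports the ordering systemd actually computed from the unit and its drop-ins.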
