
Upgrading from 2.2.12 to 2.3 leaves firewall open for everything, despite having filters active (whitelisting). #200


Closed
tokariu opened this issue Jun 19, 2018 · 5 comments

tokariu commented Jun 19, 2018

First, sorry, I've been busy with work lately and didn't have the chance to catch up with the issues I've posted lately, so if I need to have a look at something again, please notify me; I've lost the thread.

Back to now.
I got a v2.3 available notification, so I hit upgrade to v2.3.

But all of a sudden, all my previously blocked apps suddenly showed me "new versions available" notifications when I started them and I was wondering what happened?!
Then I saw that despite having simplewall filters active (whitelisting) and the programs still being unchecked/blocked, they all suddenly gained access to the internet and leaked information about version status, so I got the "updates available" notifications of various programs.

I disabled and re-enabled filters but it's still the same, everything can get online, even though it should have been blocked!

I uninstalled v2.3 and reverted back to v2.2.12 for the time being until this issue is fixed (it's working again with v2.2.12). This is exactly the worst case scenario - everything gets online despite having block rules set.

One more thing I saw: after installing v2.3, simplewall errors are showing up with a nice balloon tip at the systray. Unfortunately there was the DNS error issue (#127) again, showing me a notification error popup every time I start simplewall:

19.06.2018 23:14:55, DnsQuery(), 0x0000232b, 159.122.19, 2.3

I don't know where that address comes from; I didn't find it anywhere, and it's also not even a complete IP.

Looking forward to a version where all these issues finally got fixed.


LazyZhu commented Jun 19, 2018

Check your rules and make sure they are below 128 words in length; an invalid rule will stop simplewall from blocking apps, and the new 2.3 may have a CIDR rule parser bug.

related #198

Owner

henrypp commented Jun 20, 2018

Yeah, it's definitely because of user rules; let me see rules_custom.xml.

Author

tokariu commented Jun 20, 2018

Okay, you're right, it seems it was the 128 words length issue.

I looked at my custom rules and found one entry with more IPs, and its length was 300+. It was a rule created for Avira Antivir. You remember issue #136?
As simplewall does not allow any wildcards for programs in its rules, I have to globally allow all the Avira update IPs. And they're changing frequently. I don't have the time to check whether old IPs are still used or not, so I just add new IPs to the array.
With the 128 chars length limit, there is only room for about 3 IPv4+port. I had like 10 or so.

To fix it for now I created 4 Avira global rules with only 1-3 IPs per rule. And then simplewall v2.3 seems to work. I even noticed that popup notifications of unknown programs came up instantly, in contrast to the hours of delay before, so it seems like this issue has been finally fixed.

However, there is something to learn from this issue:

  • I'm still able to enter multiple IP addresses in the rules mask and it does not limit at 128 chars, so I'm still able to put like 30 IP addresses in one rule and it would end up again in this issue, leaving the firewall open to all apps. There needs to be a bulletproof way to ensure that there are not more than 128 chars.

  • To prevent leaks of this kind while updating from 2.2.12 to 2.3, it would be necessary to ensure that future simplewall versions comply with old config files so that no old configs break the new program and stuff gets leaked.

Owner

henrypp commented Jun 25, 2018

fixed

@henrypp henrypp closed this as completed Jun 25, 2018
Author

tokariu commented Jul 23, 2018

@henrypp may I ask how you fixed it?
Because I'm still able to enter a lot of IP addresses, way more than 128 chars. Looking at the rules_custom.xml, it shows it crops the IPs at 255 chars.
For example, when you copy and paste IP addresses into the input field of the custom rule creator, there is no limit, and when saved it crops at 255 chars, and also leaves incomplete IPs (192 at the end):

<item name="fsf" rule="192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192" is_block="true" is_enabled="true" />

Shouldn't this again break the application, leading to the previously mentioned problems?

@henrypp henrypp added the bug label Nov 19, 2018
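
A pre-upgrade check for the failure discussed in this thread, as an added example that is not simplewall's own code: it scans `item` elements like the one quoted above and reports rule strings that reach the 128-character limit cited in the thread, plus entries that are not a complete IPv4 address or CIDR block (optionally with `:port`). The entry syntax, the `<root>` wrapper and the function names are assumptions, and the sample data is constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

MAX_RULE_LEN = 128  # limit cited in the thread; assumption, adjust for your version


def check_entry(entry):
    """Return None for a valid IPv4 or IPv4/CIDR entry (optional :port), else a reason."""
    host, sep, port = entry.partition(":")
    if sep and not (port.isascii() and port.isdigit() and 0 < int(port) <= 65535):
        return "bad port"
    try:
        ipaddress.IPv4Network(host, strict=False)
    except ValueError:
        return "not a complete IPv4 address or CIDR block"
    return None


def lint_rules(xml_text, max_len=MAX_RULE_LEN):
    """Return (rule name, problem) pairs for every <item> in the rules XML."""
    findings = []
    for item in ET.fromstring(xml_text).iter("item"):
        name, rule = item.get("name", ""), item.get("rule", "")
        if len(rule) >= max_len:
            findings.append((name, f"rule is {len(rule)} chars, must be below {max_len}"))
        for entry in (e.strip() for e in rule.split(";")):
            reason = check_entry(entry) if entry else None
            if reason:
                findings.append((name, f"{entry!r}: {reason}"))
    return findings


# Constructed sample: 18 full addresses plus the cut-off "192", 255 chars in total,
# matching the cropped rule quoted in the thread. <root> is a hypothetical wrapper.
TRUNCATED = ";".join(["192.168.3.213"] * 18 + ["192"])
SAMPLE = (
    "<root>"
    f'<item name="fsf" rule="{TRUNCATED}" is_block="true" is_enabled="true" />'
    '<item name="ok" rule="192.168.3.213:443;10.0.0.0/8" is_block="false" is_enabled="true" />'
    "</root>"
)

if __name__ == "__main__":
    for name, problem in lint_rules(SAMPLE):
        print(f"{name}: {problem}")
```

Run against a copy of rules_custom.xml before upgrading, any finding marks a rule to split or repair so that it cannot be rejected by the new parser.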