
Bug#862485: fwsnort mustn't set iptables rules when purged



Control: tag -1 + moreinfo
Control: severity -1 important

Hi Adrian,

Adrian Bunk wrote:
> Severity: critical

I think that's overly exaggerated.

> Tags: security

I also disagree with this tag.

> The #861999 fix adds the following on purging:
>   grep -v FWSNORT /var/lib/fwsnort/fwsnort.save | iptables-restore

Yes. In postrm on purge.

> Imagine the following:
> 1. today I install fwsnort and try it
> 2. later today I uninstall it

You usually purge a package if you play with packages which make changes
to your system.

> This would in 2 years set the iptables rules to what they
> were today before I shortly played with fwsnort.

I consider this (i.e. just removing but not purging when wanting to
get rid of a package and all its effects) to be the admin's fault, not
the package's fault.

> A case could be made for "fwsnort --ipt-flush" in prerm.

This would be against the expectation of users that configurations,
settings etc. are removed on purge and not on removal.

> Or considering that activating any fwsnort rules is not done
> automatically and that the package should not interfere with
> what the admin has done.

I disagree. I expect a package to clean up its changes on purge which
result from common usage. To be more specific: seeing 11'000
iptables rules left on my system after purging fwsnort with no chance
to remove them without reinstalling the package or removing 11'000
rules by hand. Not cleaning up these rules is a bug. And cleaning up
is a task for "purge", not for "remove".

		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
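The following is an added example, not code from fwsnort or from the Debian package, illustrating the difference between the two behaviours discussed in this thread: piping an old snapshot (`/var/lib/fwsnort/fwsnort.save` at install time) through `grep -v FWSNORT | iptables-restore` on purge, versus filtering the live ruleset. Both dumps below are constructed in iptables-save format and nothing is passed to iptables; the helper names `strip_fwsnort`, `rule_count` and `lost_rules` are mine.

```shell
#!/bin/sh
# Added example (not fwsnort's or Debian's code). Shows what the purge-time
# "grep -v FWSNORT <snapshot> | iptables-restore" filter keeps, and which
# rules added after the snapshot would silently disappear if the old
# snapshot is restored instead of the current ruleset being filtered.

# Constructed snapshot, as saved when fwsnort was first set up.
SNAPSHOT='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FWSNORT_INPUT - [0:0]
-A INPUT -j FWSNORT_INPUT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT'

# Constructed live ruleset some time later: the admin has since added a
# rule for port 443 that has nothing to do with fwsnort.
LIVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:FWSNORT_INPUT - [0:0]
-A INPUT -j FWSNORT_INPUT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A FWSNORT_INPUT -p tcp -m string --string "attack" --algo bm -j DROP
COMMIT'

# The filter the postrm applies: drop every line that mentions FWSNORT
# (chain declaration, the jump from INPUT and the generated rules).
strip_fwsnort() {
    printf '%s\n' "$1" | grep -v FWSNORT
}

# Number of "-A" rule lines in a dump.
rule_count() {
    printf '%s\n' "$1" | grep -c '^-A '
}

# Non-fwsnort rules present in the live dump ($2) that the filtered
# snapshot ($1) does not contain, i.e. what restoring the snapshot loses.
lost_rules() {
    snap=$(strip_fwsnort "$1" | grep '^-A ')
    strip_fwsnort "$2" | grep '^-A ' | while IFS= read -r r; do
        printf '%s\n' "$snap" | grep -qxF -- "$r" || printf '%s\n' "$r"
    done
}

# Demonstration when run directly.
printf 'rules in snapshot after filter: %s\n' "$(rule_count "$(strip_fwsnort "$SNAPSHOT")")"
printf 'rules in live set after filter: %s\n' "$(rule_count "$(strip_fwsnort "$LIVE")")"
printf 'rules lost by restoring the old snapshot:\n'
lost_rules "$SNAPSHOT" "$LIVE"
```

Filtering the stale snapshot yields one rule (port 22) and drops the port 443 rule the admin added later, which is the scenario Adrian describes; filtering the live ruleset keeps both non-fwsnort rules and removes only the FWSNORT chain and its rules.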