
Bug#862485: fwsnort mustn't set iptables rules when purged



Control: tag -1 + confirmed - moreinfo

Hi Adrian,

Adrian Bunk wrote:
> > > Tags: security
> > 
> > I also disagree with this tag.
> 
> messing up the iptables setup at an unexpected time can have bad 
> consequences.

bad != security

> > > A case could be made for "fwsnort --ipt-flush" in prerm.
> > 
> > This would be against the expectation of users that configurations,
> > settings etc. are removed on purge and not on removal.
> 
> When you remove (not purge) a package containing a webserver, do you 
> expect that the webserver is stopped or do you expect that the webserver
> is still running after removing the package?

Granted. Thanks for that comparison.

> > > Or considering that activating any fwsnort rules is not done
> > > automatically and that the package should not interfere with
> > > what the admin has done.
> >
> > I disagree. I expect a package to clean up its changes on purge which
> > result from common usage. To be more specific, seeing 11'000
> > iptables rules left on my system after purging fwsnort with no chance
> > to remove them without reinstalling the package or removing 11'000
> > rules by hand. Not cleaning up these rules is a bug. And cleaning up
> > is a task for "purge", not for "remove".
> 
> "Remove an installed package. This removes everything except conffiles"
> This is the dpkg (and similar in apt) description of what remove does.
> 
> A package that is removed but not purged is in the Config-Files state.
> This means the old configuration is still present if the package gets
> installed again.
> 
> Purging is supposed to remove the (at that point already unused)
> configuration files of the package.

Point taken. Will move that line (or an "fwsnort --ipt-flush") into a
(to be created) prerm and do another QA upload. (Unless you're already
onto it. Feel free to do that.)
 
		Regards, Axel
-- 
 ,''`.  |  Axel Beckert <abe@debian.org>, http://people.debian.org/~abe/
: :' :  |  Debian Developer, ftp.ch.debian.org Admin
`. `'   |  4096R: 2517 B724 C5F6 CA99 5329  6E61 2FF9 CD59 6126 16B5
  `-    |  1024D: F067 EA27 26B9 C3FC 1486  202E C09E 1D89 9593 0EDE
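The prerm/postrm split agreed on above, as an added example that is not the fwsnort package's own maintainer script; the names FLUSH_CMD, prerm_action, postrm_action and prerm_main are chosen here, and the dpkg argument values are the standard ones from the maintainer-script interface:

```shell
#!/bin/sh
# Added example, not fwsnort's actual maintainer scripts. The names FLUSH_CMD,
# prerm_action, postrm_action and prerm_main are chosen for this illustration.

# Command that drops the fwsnort-generated iptables rules; overridable for testing.
FLUSH_CMD="${FLUSH_CMD:-fwsnort --ipt-flush}"

# prerm decision: dpkg calls prerm with "remove" on plain removal (and on the
# way to a purge), but with "upgrade" when a new version replaces this one.
# Flushing only on remove/deconfigure keeps an upgrade from leaving the host
# without its rules in between.
prerm_action() {
    case "$1" in
        remove|deconfigure)     echo flush ;;
        upgrade|failed-upgrade) echo keep ;;
        *)                      echo unknown ;;
    esac
}

# postrm decision: configuration under /etc is only discarded on "purge";
# "remove" leaves the package in the Config-Files state with conffiles intact.
postrm_action() {
    case "$1" in
        purge) echo delete-config ;;
        remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
               echo nothing ;;
        *)     echo unknown ;;
    esac
}

# Entry point for the prerm script: flush while the package's files are still
# installed (prerm runs before dpkg deletes files, so the fwsnort binary is
# still available; by the time postrm runs on "remove" it is already gone).
prerm_main() {
    case "$(prerm_action "$1")" in
        flush)
            if command -v "${FLUSH_CMD%% *}" >/dev/null 2>&1; then
                $FLUSH_CMD
            fi
            ;;
        keep) ;;
        *)
            echo "prerm called with unknown argument '$1'" >&2
            return 1
            ;;
    esac
}
```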

