Bug#1082383: apf-firewall: Stopping/Restarting APF does not flush old rules
Package: apf-firewall
Version: 9.7+rev1-7
Severity: normal
Dear Maintainer,
This is a known bug, and it leads to total system instability: https://github.com/rfxn/advanced-policy-firewall/issues/48
* What led up to the situation?
I deployed apf-firewall (apt install apf-firewall) to multiple servers and, after changing the configuration, I found that the firewall did not have my updates.
Update IG_TCP_CPORTS and remove a port. Restart apf (apf -r, or apf -f then apf -s, service apf-firewall restart, systemctl restart apf-firewall) and the old rules are still in iptables.
* What exactly did you do (or not do) that was effective (or ineffective)?
I can flush manually as per the GitHub issue (iptables -F), but that broke updates to apf via Ansible. I modified the /usr/sbin/apf script to include iptables -F; this broke Ansible.
* What was the outcome of this action?
iptables shows that rules were flushed, but the chains still exist. The default policy is reset.
Separate issue: Ansible's session is shut down, causing Ansible to hang waiting for a response.
* What outcome did you expect instead?
iptables should drop rules, chains, and reset the default policies.
-- System Information:
Debian Release: 12.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 6.1.0-25-amd64 (SMP w/2 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages apf-firewall depends on:
ii init-system-helpers 1.65.2
ii iproute2 6.1.0-3
ii iptables 1.8.9-2
ii sysvinit-utils [lsb-base] 3.06-4
ii wget 1.21.3-1+b2
apf-firewall recommends no packages.
apf-firewall suggests no packages.
-- Configuration Files:
/etc/apf-firewall/conf.apf [Errno 13] Permission denied: '/etc/apf-firewall/conf.apf'
/etc/apf-firewall/ds_hosts.rules [Errno 13] Permission denied: '/etc/apf-firewall/ds_hosts.rules'
/etc/apf-firewall/glob_allow.rules [Errno 13] Permission denied: '/etc/apf-firewall/glob_allow.rules'
/etc/apf-firewall/glob_deny.rules [Errno 13] Permission denied: '/etc/apf-firewall/glob_deny.rules'
/etc/apf-firewall/sdrop_hosts.rules [Errno 13] Permission denied: '/etc/apf-firewall/sdrop_hosts.rules'
/etc/default/apf-firewall changed:
RUN="yes"
-- no debconf information
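The report above describes two things a practitioner wants to handle when APF does not clean up after itself: a teardown that removes rules, user chains and policies together (not just `iptables -F`), done in an order that does not cut off the SSH session a tool like Ansible is driving, and a check that tells you whether a restart actually took effect. The script below is an added example, not code from the bug report, from the apf-firewall package or from the upstream project. The `IPT` variable, the `full_flush`, `stale_tcp_ports` and `leftover_chains` function names, and the `SAMPLE_RULES` ruleset are all assumptions; the sample is constructed to look like iptables-save output after port 8080 was removed from IG_TCP_CPORTS but the old rules survived a restart.

```shell
#!/bin/sh
# Added example (not from the bug report or from APF): tear down every
# iptables rule, user chain and policy so a restart starts from a clean slate,
# then check a ruleset for leftovers. IPT is an assumption: it defaults to the
# real iptables binary but can be pointed at `echo` for a dry run.
IPT="${IPT:-iptables}"
TABLES="filter nat mangle raw"

# Set the filter policies to ACCEPT *before* flushing. If INPUT's policy is
# DROP and the rules are flushed first, the SSH session (and whatever control
# tool is driving it) is cut off mid-run, which is the hang described above.
full_flush() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPT" -t filter -P "$chain" ACCEPT || return 1
    done
    for t in $TABLES; do
        "$IPT" -t "$t" -F || return 1   # flush the rules in every chain
        "$IPT" -t "$t" -X || return 1   # delete user-defined chains
        "$IPT" -t "$t" -Z || return 1   # zero the packet/byte counters
    done
}

# Read a ruleset in iptables-save format on stdin and print every TCP --dport
# that is not in the comma-separated port list given as $1 (the value you put
# in IG_TCP_CPORTS). Empty output means no stale port rules remain.
stale_tcp_ports() {
    awk -v wanted="$1" '
        BEGIN { n = split(wanted, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^-A/ && /-p tcp/ {
            for (i = 1; i <= NF; i++)
                if ($i == "--dport" && !($(i+1) in ok)) print $(i+1)
        }'
}

# Print the user-defined chains left in a ruleset read from stdin; built-in
# chains are skipped. Anything printed survived the restart.
leftover_chains() {
    awk '/^:/ {
        sub(/^:/, "", $1)
        if ($1 !~ /^(INPUT|FORWARD|OUTPUT|PREROUTING|POSTROUTING)$/) print $1
    }'
}

# Constructed sample (not captured from a real host): what iptables-save might
# show after removing 8080 from IG_TCP_CPORTS and restarting, with a leftover
# user chain still present.
SAMPLE_RULES='# Generated by iptables-save
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TALLOW - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -j TALLOW
COMMIT'

# Usage: on a live host replace the printf with `iptables-save`.
printf '%s\n' "$SAMPLE_RULES" | stale_tcp_ports "22,80"   # prints 8080
printf '%s\n' "$SAMPLE_RULES" | leftover_chains            # prints TALLOW
```

Run `full_flush` only as root and only when you are about to load a fresh ruleset; after it the host is wide open (all policies ACCEPT, no rules), which is exactly the state a restart should rebuild from. Running it with `IPT=echo` first shows the fifteen commands it would issue without touching the kernel.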