[pve-devel] firewall: Razor Macro broken and opens Firewall

Thomas Lamprecht t.lamprecht at proxmox.com
Sat Mar 30 17:42:39 CET 2019


On 3/30/19 5:04 PM, Tom Weber wrote:
> Hi, in the middle of a weekend migration I realized that the 'Razor'
> Macro is broken and basically disables ALL firewalling for a Container,
> at least when used in a Security Group.
> 
> Looking at Firewall.pm
> ..
>     'RNDC' => [
>         "BIND remote management protocol",
>         { action => 'PARAM', proto => 'tcp', dport => '953' },
>     ],
>     'Razor' => [
>         "Razor Antispam System",
>         { action => 'ACCEPT', proto => 'tcp', dport => '2703' },
>     ],
>     'Rdate' => [
>         "Remote time retrieval (rdate)",
>         { action => 'PARAM', proto => 'tcp', dport => '37' },
>     ],
> ..
> 
> The problem seems obvious (might have even missed that one myself when
> I was working on this some time ago).

thanks for catching, was introduced quite a bit ago:
https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff;h=857f62c833a604eb8399467a94d325c1994367eb;hp=8c32a215951ba04399f29ef651bdf8dc3fdd3011

> 
> As mentioned, I'm in the middle of a bigger migration so just a short
> notice and no patch (fix seems obvious)... 
> 
> I consider this serious because it silently disables ALL firewalling
> (at least for me). Even though Razor Macro probably isn't used often.
> 

yes, it's probably not used often, still not nice to have, pushed out a
fix for this, thanks again!

cheers,
Thomas

> Regards,
>   Tom
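
A consistency check for the kind of slip quoted above, as an added example that is not part of the original mails and not pve-firewall code. It assumes, as the neighbouring RNDC and Rdate entries suggest, that every macro rule is expected to carry the 'PARAM' placeholder as its action; the table is a constructed sample holding only the three quoted entries, and `find_hardcoded_actions` is a hypothetical helper name.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: the three entries quoted in the mail; nothing else
# from Firewall.pm is reproduced here.
my $macros = {
    'RNDC' => [
        "BIND remote management protocol",
        { action => 'PARAM', proto => 'tcp', dport => '953' },
    ],
    'Razor' => [
        "Razor Antispam System",
        { action => 'ACCEPT', proto => 'tcp', dport => '2703' },
    ],
    'Rdate' => [
        "Remote time retrieval (rdate)",
        { action => 'PARAM', proto => 'tcp', dport => '37' },
    ],
};

# Hypothetical helper: return one finding per macro rule whose action is
# not the 'PARAM' placeholder (assumption: every rule should use it).
sub find_hardcoded_actions {
    my ($table) = @_;
    my @findings;
    for my $name (sort keys %$table) {
        # First element is the description, the rest are rule hashes.
        my ($desc, @rules) = @{ $table->{$name} };
        for my $i (0 .. $#rules) {
            my $action = $rules[$i]{action};
            if (!defined $action) {
                push @findings, "$name rule $i: no action set";
            } elsif ($action ne 'PARAM') {
                push @findings, "$name rule $i: hardcoded action '$action'";
            }
        }
    }
    return @findings;
}

# Non-zero exit when anything is flagged, so the check can gate a build.
my @findings = find_hardcoded_actions($macros);
print "$_\n" for @findings;
exit(@findings ? 1 : 0);
```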


