First, sorry, I've been busy with work lately and didn't have the chance to catch up with the issues I've posted lately, so if I need to have a look at something again, please notify me; I've lost the thread.
Back to now.
I got a v2.3 available notification, so I hit upgrade to v2.3.
But all of a sudden, all my previously blocked apps suddenly showed me "new versions available" notifications when I started them and I was wondering what happened?!
Then I saw that despite having simplewall filters active (whitelisting) and the programs still being unchecked/blocked, they all suddenly gained access to the internet and leaked information about version status, so I got the "updates available" notifications of various programs.
I disabled and re-enabled filters but it's still the same, everything can get online, even though it should have been blocked!
I uninstalled v2.3 and reverted back to v2.2.12 for the time being until this issue is fixed (it's working again with v2.2.12). This is exactly the worst case scenario - everything gets online despite having block rules set.
One more thing I saw: after installing v2.3, simplewall errors are showing up with a nice balloon tip at the systray. Unfortunately there was the DNS error issue (https://github.com/henrypp/simplewall/issues/127) again, showing me a notification error popup every time I start simplewall:
19.06.2018 23:14:55, DnsQuery(), 0x0000232b, 159.122.19, 2.3
I don't know where that address comes from; I didn't find it anywhere, and it's also not even a complete IP.
Looking forward to a version where all these issues finally got fixed.
Check your rules and make sure rules are below 128 words in length; an invalid rule will stop simplewall from blocking apps, and the new 2.3 may have a CIDR rule parser bug.
Yeah, it's definitely because of user rules; let me see rules_custom.xml.
Okay, you're right, it seems it was the 128 words length issue.
I looked at my custom rules and found one entry with more IPs and its length was 300+. It was a rule created for Avira Antivir. You remember Issue: https://github.com/henrypp/simplewall/issues/136 ?
As Simplewall does not allow any wildcards for programs in its rules, I have to globally allow all the Avira update IPs. And they're changing frequently. I don't have the time to check whether old IPs are still used or not, so I just add new IPs to the Array.
With the 128 chars length limit, there is only room for about 3 IPv4+port. I had like 10 or so.
To fix it for now, I created 4 Avira global rules with only 1-3 IPs per rule. And then simplewall v2.3 seems to work. I even noticed that popup notifications of unknown programs came up instantly, in contrast to the hours of delay before, so it seems like this issue has been finally fixed.
However, there is something to learn from this issue:
fixed
@henrypp may I ask how you fixed it?
Because I'm still able to enter a lot of IP addresses, way more than 128 chars. Looking at the rules_custom.xml, it shows it crops the IPs at 255 chars.
Example: when you copy and paste IP addresses in the input field of the custom rule creator, there is no limit, and when saved it crops at 255 chars, and also leaves incomplete IPs (192 at the end):
<item name="fsf" rule="192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192.168.3.213;192" is_block="true" is_enabled="true" />
Shouldn't this again break the application, leading to the previously mentioned problems?
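An added example, not part of the thread and not simplewall's own code: a Python check that reads a rules_custom.xml-style file and reports rules that exceed the length limit discussed above or contain entries that do not parse as complete IPv4 addresses, such as the trailing 192 left by the 255-character crop. The root wrapper element, the sample rules and the accepted entry syntax (IPv4 or IPv4/prefix with an optional :port) are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

MAX_RULE_LEN = 128  # limit quoted in the thread; the saved file was seen cropped at 255

# Constructed sample. The <root> wrapper is an assumption; the thread only shows <item>.
SAMPLE_XML = """<root>
<item name="ok" rule="192.168.3.213:443;10.0.0.0/8" is_block="false" is_enabled="true" />
<item name="cropped" rule="{long}192" is_block="true" is_enabled="true" />
</root>""".format(long="192.168.3.213;" * 18)


def entry_is_valid(entry):
    """Accept IPv4 or IPv4/prefix, each with an optional :port (assumed syntax)."""
    host, sep, port = entry.partition(":")
    if sep and not (port.isascii() and port.isdigit() and 0 < int(port) <= 65535):
        return False
    try:
        ipaddress.IPv4Network(host, strict=False)
        return True
    except ValueError:  # covers incomplete addresses such as "192" or "159.122.19"
        return False


def audit_rules(xml_text, max_len=MAX_RULE_LEN):
    """Return {rule name: [problems]} for every <item> that has a problem."""
    findings = {}
    for item in ET.fromstring(xml_text).iter("item"):
        rule = item.get("rule", "")
        problems = []
        if len(rule) > max_len:
            problems.append("length %d exceeds %d" % (len(rule), max_len))
        entries = [e.strip() for e in rule.split(";") if e.strip()]
        bad = sorted({e for e in entries if not entry_is_valid(e)})
        if bad:
            problems.append("unparseable entries: %s" % bad)
        if problems:
            findings[item.get("name", "?")] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_rules(SAMPLE_XML).items():
        print(name, "->", "; ".join(problems))
```

Running it against a copy of the real file before and after an upgrade shows which rules need to be split into shorter ones.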