firestarter Bug????

rbees · 08-05-2008, 07:47 PM

First; thanks for all the excelient help.

I am setting up a server for my home network. It is running Debian Lenny and is up to date. I want to setup iptables but in the mean time I am using Firestarter, which worked fine on my old server.

A couple of days ago I installed the new server out of necessity befor I was ready to and I didn't have time to test it. When I set up my internet conection sharing with firestarter all worked fine and after about 10 minuets the graphical interface died. The conection sharing is still working fine, and new computers brought online have access too.

I think this is a bug but I want to be sure befor I post a bug report. I have googled some but didn't see any thing like what I see happen.

I did send a request for help to the maintainer but they are busy and I have not heard back from them yet.

The specs:
intel celeron 1.7
kernel 2.6.25-2-686
kde 3.5.9
firestarter 1.0.3
gnome 2.22.3

all installed from deb servers as packages and not compiled from source except the nvidia drivers on my laptop.

I have the same versions on my laptop except it is running amd64 on Turion64x2. They were both updated at the same time. I just tested Firestarter on my laptop, which worked fine befor the update, and it dies on the laptop too.

I have looked at the logs but am not seeing anything that I can identify as info related to this problem. But then I may not be looking at the right log file.

I am also having a problem with kppp and samsung cell phones. It works fine with my motorola e815 but fails to authenicate with the samsung hue's my son and mother have. My mothers worked fine with my old server which runs debian etch. The samsungs are known to not play nice with bluetooth adapters and what not, so I wonder if they don't like the updated pppd or kppp apps. I have not call my provider yet to see if they have changed something. Plan on that tomorrow.

Still a functioning firewall is more improtant and the main focus of this post.

I have not tried running Firestarter from the command line to see if it is out putting some usefull info. Well it came up just fine launched from root. Will see. 8:26pm at 8:43 I noticed that it had died and the root terminal has

Code:

# firestarter
Firewall started
Segmentation fault
#

That is more than I knew before. It does look like a bug, at least to me.

What do you think.

unSpawn · 08-06-2008, 07:29 AM

Go to http://bugs.debian.org/cgi-bin/pkgre...estarter;dist= ,read http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=449051 and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=452815 and see if that holds fixes for you.

rbees · 08-08-2008, 06:28 AM

Thanks unSpawn.

I set the variable listed in the one post

Code:

# G_SLICE=always-malloc firestarter &

and restarted firestarter and it has not died since.

Thanks.

There was also, what I think is a patch linked in that post and I downloaded it but I am not sure what to do with it. I can open it in a text editor and it looks like a program or script. It is not a binary file.

I use kpackage for package management and I don't have a package listed for a firestarter-source package, at least not that I have found.

On a side note: I notice that the count of events that is listed on the status page is not updated correctly. When I first launched it I was getting some serious hits and that count was being incremented but all of the hits for the non-serious (in my case in black not red) are not being added to the count. I don't know if this behavior is related to the "G_SLICE=always-malloc" variable or not. I have launched firestarter with the variable set on my laptop to see if I get simalar results with the amd64 version there. But I really don't expect to get any of the non-serious type at my laptop because of the firewall at the server. It did increment the serious colum when my server requested a smb packet of some kind.

Once again thanks

unSpawn · 08-08-2008, 06:46 AM

Quote:

Originally Posted by rbees

There was also, what I think is a patch linked in that post and I downloaded it but I am not sure what to do with it. I can open it in a text editor and it looks like a program or script. It is not a binary file.

A patch for source code, made with some sort of 'diff' ('man diff'), describes changes between one and another version of that source code. You need the source package to be able to apply the patch then build the application. If the bug tracker maintainer indicated the patch was sent upstream to the Firestarter development team it may be incorporated in a new version. Of course it's easier to check announcements for a fix release.

Quote:

Originally Posted by rbees

I use kpackage for package management and I don't have a package listed for a firestarter-source package, at least not that I have found.

One of the neat things of Debian is that for any package in their repo they'll always list the original source and modified Debian source for that package: given RELEASE=lenny and generic URI http://packages.debian.org/$RELEASE/$APPLICATION check http://packages.debian.org/lenny/firestarter.

Quote:

Originally Posted by rbees

On a side note: I notice that the count of events that is listed on the status page is not updated correctly. When I first launched it I was getting some serious hits and that count was being incremented but all of the hits for the non-serious (in my case in black not red) are not being added to the count. I don't know if this behavior is related to the "G_SLICE=always-malloc" variable or not.

If you think it's a bug you know where to find the bug tracker. Else maybe it's a good question for the firestarter mailing list?

Quote:

Originally Posted by rbees

I have launched firestarter with the variable set on my laptop to see if I get simalar results with the amd64 version there. But I really don't expect to get any of the non-serious type at my laptop because of the firewall at the server. It did increment the serious colum when my server requested a smb packet of some kind.

If you have another machine, and if you have set appropriate rules, you could test it from there with any packet generator. Nmap prolly being the simplest, just fire off an open X-mas scan or something like that.

rbees · 08-10-2008, 04:15 PM

Thanks again unSpawn,

The package I downloaded is a 'diff' file. I looked at the link you posted and there are three source packages listed:

firestarter_1.0.3-6.dsc
firestarter_1.0.3.orig.tar.gz
firestarter_1.0.3-6.diff.gz

Which one do I need? I have never patched a source package before. I have compiled a few kernels but that was a few years ago, one of those "I have done that" things, not that I really know that much about it.

I looked at the sid package and it has the same version number as what I have installed, so it lookes like the patch is still being tested.

Quote:

If you have another machine, and if you have set appropriate rules, you could test it from there with any packet generator. Nmap prolly being the simplest, just fire off an open X-mas scan or something like that.

Any idea how I might do that from a win box? Or would my server work? It is running Lenny. The win box has Lenny on it to but it is my wife's box and she wont leave windows behind. I tried with the server and it did not cause any 'non-serious' hits on the laptop. That is probibly because conections are allowed from that ip.

I tried a couple of commands from my wifes box like ping and netstat but they didn't trip the hits either. But there again I was connected to her machine via tightvncserve and controling her machine form my laptop so. If I get ambisious later I will reboot her machine into Lenny and install the nessessary packages and see if I can get it to trip then.

Whan do you mean by "appropriate rules"? I have the firewall set to drop everything form the external side and drop everthing from the internal side that is not specifically allowed, I think. At least that is my intent.

Once again Thanks

unSpawn · 08-11-2008, 12:52 PM

Quote:

Originally Posted by rbees

Which one do I need?

You'll want the firestarter_1.0.3.orig.tar.gz and the firestarter_1.0.3-6.diff.gz. The "orig" is the upstream source and the diff are changes made by Debian. Unpack the tarball, cd into the dir. Apply the first patch to bring it up to debian specs and the second one to fix issue #449051: 'tar -xzf firestarter_1.0.3.orig.tar.gz && cd firestarter-1.0.3 && zcat ../firestarter_1.0.3-6.diff| patch -p1 && cat ../firestarter-tree_iter-crash.diff| patch -p1'. AFAIK you could build a proper package with 'dpkg-buildpackage -rfakeroot' but let's see first if you can do a binary package: 'fakeroot debian/rules binary' (all from within the "firestarter-1.0.3" dir). Let's keep the rules and testing for when this issue is fixed, OK?

Quote:

Originally Posted by rbees

I looked at the sid package and it has the same version number as what I have installed, so it lookes like the patch is still being tested.

I don't know about Debian status but a quick look at Firestarter's CVS at Sourceforge shows no commits at all. So they either moved development elsewehere or it's simply not being developed anymore...

rbees · 08-12-2008, 05:02 AM

Thanks unSpawn

That seams to all have gone well. Now if memory serves the next step is to do:

make clean
make install

with root privlages.

Or am I forgetting something.

jomen · 08-12-2008, 05:16 AM

...don't forget to configure it:

./configure --help

for help on the options
and don't do this before "make clean" but after

an intemediate "make" step might be a better approach:
make
make install

rbees · 08-14-2008, 07:37 PM

Thanks again unSpawn, and thanks jomen

I had to pull out the text editor for this post. After you mentioned it I remembered that other step 'make'. Like I said it has been some years since I did any compiling.

When I ran 'make clean' I got a message about there not being anything defined to clean. I did not record it so I can't say for sure just how it was worded. I put it down to there not having been a failed compile attempt, or it is not nessessary for firestarter.

When I ran 'make' it ran through OK, but at the end it spit out

Code:

configure: error: Library requirements (libgnome-2.0 >= 2.0.0
                  libgnomeui-2.0 >= 2.0.0
                  gtk+-2.0 >= 2.4.0
                  gnome-vfs-2.0 >= 2.6.0
                  libglade-2.0 >= 2.3.6) not met; 
consider adjusting the PKG_CONFIG_PATH environment variable if your libraries are in a nonstandard prefix so pkg-config can find them.
:~/firestarter-1.0.3$

A brief look at the installed packages on my system show that I have these installed. At least the compiled libraries. I have not had a chance to look for source packages yet. I took a second and third look at ./configure --help and I couldn't find a 'PKG_CONFIG_PATH' environment to set, much less how to set it. Makes me wonder if it is something I have to set in the source?

I also found the install instruction file in the source package. It talks about configuring the package but doesn't explain how. They are pretty generic instructions and not much help except for the basic steps. They did tell me about a log file (config.log) that gives me some more info. It has several entries like:

Code:

configure:2760: gcc -c -g -O2  conftest.c >&5
conftest.c:2: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'me'
configure:2766: $? = 1
configure: failed program was:
| #ifndef __cplusplus
|   choke me
| #endif
configure:2900: checking for library containing strerror

and

Code:

configure:3616: gcc -c -g -O2  conftest.c >&5
conftest.c:2: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'me'
configure:3622: $? = 1
configure: failed program was:
| #ifndef __cplusplus
|   choke me
| #endif
configure:3758: checking for gcc option to accept ANSI C

configure:3943: gcc -E  conftest.c
conftest.c:11:28: error: ac_nonexistent.h: No such file or directory
configure:3949: $? = 1
configure: failed program was:
| /* confdefs.h.  */
| 
| #define PACKAGE_NAME ""
| #define PACKAGE_TARNAME ""
| #define PACKAGE_VERSION ""
| #define PACKAGE_STRING ""
| #define PACKAGE_BUGREPORT ""
| #define PACKAGE "firestarter"
| #define VERSION "1.0.3"
| /* end confdefs.h.  */
| #include <ac_nonexistent.h>
configure:3988: result: gcc -E

configure:4248: gcc -o conftest -g -O2   conftest.c  >&5
conftest.c: In function 'main':
conftest.c:28: warning: incompatible implicit declaration of built-in function 'exit'
configure:4251: $? = 0

configure:5678: g++ -c -g -O2  conftest.cc >&5
conftest.cc: In function 'int main()':
conftest.cc:26: error: 'exit' was not declared in this scope
configure:5684: $? = 1
configure: failed program was:
| /* confdefs.h.  */
| 
| #define PACKAGE_NAME ""
| #define PACKAGE_TARNAME ""
| #define PACKAGE_VERSION ""
| #define PACKAGE_STRING ""
| #define PACKAGE_BUGREPORT ""
| #define PACKAGE "firestarter"
| #define VERSION "1.0.3"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define HAVE_UNISTD_H 1
| #define HAVE_DLFCN_H 1
| /* end confdefs.h.  */
| 
| int
| main ()
| {
| exit (42);
|   ;
|   return 0;
| }
configure:5633: g++ -c -g -O2  conftest.cc >&5
conftest.cc:22: error: 'void std::exit(int)' should have been declared inside 'std'
configure:5639: $? = 1
configure: failed program was:
| /* confdefs.h.  */
| 
| #define PACKAGE_NAME ""
| #define PACKAGE_TARNAME ""
| #define PACKAGE_VERSION ""
| #define PACKAGE_STRING ""
| #define PACKAGE_BUGREPORT ""
| #define PACKAGE "firestarter"
| #define VERSION "1.0.3"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define HAVE_UNISTD_H 1
| #define HAVE_DLFCN_H 1
| /* end confdefs.h.  */
| extern "C" void std::exit (int) throw (); using std::exit;
| #include <stdlib.h>
| int
| main ()
| {
| exit (42);
|   ;
|   return 0;
| }
configure:5633: g++ -c -g -O2  conftest.cc >&5
conftest.cc:22: error: 'void std::exit(int)' should have been declared inside 'std'
In file included from conftest.cc:23:
/usr/include/stdlib.h:531: error: declaration of 'void std::exit(int) throw ()' throws different exceptions
conftest.cc:22: error: from previous declaration 'void std::exit(int)'
configure:5639: $? = 1
configure: failed program was:
| /* confdefs.h.  */
| 
| #define PACKAGE_NAME ""
| #define PACKAGE_TARNAME ""
| #define PACKAGE_VERSION ""
| #define PACKAGE_STRING ""
| #define PACKAGE_BUGREPORT ""
| #define PACKAGE "firestarter"
| #define VERSION "1.0.3"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define HAVE_UNISTD_H 1
| #define HAVE_DLFCN_H 1
| /* end confdefs.h.  */
| extern "C" void std::exit (int); using std::exit;
| #include <stdlib.h>
| int
| main ()
| {
| exit (42);
|   ;
|   return 0;
| }
configure:5633: g++ -c -g -O2  conftest.cc >&5

configure:5794: g++ -E  conftest.cc
conftest.cc:25:28: error: ac_nonexistent.h: No such file or directory
configure:5800: $? = 1
configure: failed program was:
| /* confdefs.h.  */
| 
| #define PACKAGE_NAME ""
| #define PACKAGE_TARNAME ""
| #define PACKAGE_VERSION ""
| #define PACKAGE_STRING ""
| #define PACKAGE_BUGREPORT ""
| #define PACKAGE "firestarter"
| #define VERSION "1.0.3"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define HAVE_UNISTD_H 1
| #define HAVE_DLFCN_H 1
| #ifdef __cplusplus
| extern "C" void exit (int) throw ();
| #endif
| /* end confdefs.h.  */
| #include <ac_nonexistent.h>
configure:5839: result: g++ -E
configure:5863: g++ -E  conftest.cc
configure:5869: $? = 0
configure:5901: g++ -E  conftest.cc
conftest.cc:25:28: error: ac_nonexistent.h: No such file or directory
configure:5907: $? = 1
configure: failed program was:
| /* confdefs.h.  */
| 
| #define PACKAGE_NAME ""
| #define PACKAGE_TARNAME ""
| #define PACKAGE_VERSION ""
| #define PACKAGE_STRING ""
| #define PACKAGE_BUGREPORT ""
| #define PACKAGE "firestarter"
| #define VERSION "1.0.3"
| #define STDC_HEADERS 1
| #define HAVE_SYS_TYPES_H 1
| #define HAVE_SYS_STAT_H 1
| #define HAVE_STDLIB_H 1
| #define HAVE_STRING_H 1
| #define HAVE_MEMORY_H 1
| #define HAVE_STRINGS_H 1
| #define HAVE_INTTYPES_H 1
| #define HAVE_STDINT_H 1
| #define HAVE_UNISTD_H 1
| #define HAVE_DLFCN_H 1
| #ifdef __cplusplus
| extern "C" void exit (int) throw ();
| #endif
| /* end confdefs.h.  */
| #include <ac_nonexistent.h>
configure:6002: checking for g77

configure:15594: f95 -c -g -O2 conftest.f >&5
Warning: conftest.f:1: Illegal preprocessor directive
configure:15597: $? = 0

I don't think i missed any. Sorry for the length, but I included them for completeness.

When I get a chance i will check more thoroughly if I have the correct packages installed and look at the ./configure script to see if I can determine how to point it to the correct place.

jomen · 08-14-2008, 11:52 PM

You will usually need "pkg-config" installed as well as _all_ the development versions of the libraries - the runtime versions are not enough.

"make clean" is for cleaning the source _after_ a compile - so that you can re-configure and then re-make from a known clean state.
If you did not yet configure the source - there is no point in attempting "make clean"
(look at the Makefile for what the different targets do)

rbees · 08-16-2008, 10:12 PM

Thanks jomen,

Writen earlier,

The make clean errror:

make: ++ No rule to make target 'clean'. Stop.

I ran 'apt-get build-dep firestarter' and installed 40 packages. So I guess I may have found the problem.

It seams that I have success. It has run for a few minuets now. I will leave it run untill I have to leave for work, at which time I have to shut it down. This is on my laptop.

I know it is possible to compile it on my laptop for the server. You mentioned making a 'deb' package. Any gotcha's?

Thanks.
------------------

opps

I forgot to uninstall firestarter befor running 'make install' and didn't get a working install somehow. My guess is that it didn't install over the existing version seeing as how they both have the same version number I think. I just did the uninstall and 'make install' thing corectly this time and things seam to be working alright now. Time will tell.

It seams that I didn't get a menu item for firestarer with the 'make install' option. Not that I can't make it run with the Run menu item but a normal menu item would have been nice. Did I do something wrong? Or is that something I have to do manually since I installed form source? Would 'apt-get -b source firestarter' give me the menu item? Of course I would have to make sure that apt-get was reading the patched source file.

Thanks

jomen · 08-17-2008, 01:35 AM

Quote:

It seams that I didn't get a menu item for firestarer with the 'make install' option. Not that I can't make it run with the Run menu item but a normal menu item would have been nice. Did I do something wrong? Or is that something I have to do manually since I installed form source? Would 'apt-get -b source firestarter' give me the menu item?

You did not do wrong - the menu item is a customization made by your distributor.
Since you circumvented the package manager - the customizations are not installed.
All the files are still there - you just need to do the work yourself.

Or you need to follow the way debian packages are built - so that you have at the end a installable .deb package made by you from patched source.
It is faily easy and involves a few more steps than just building - and you will need to find out how to do that yourself.

Isn't firestarter just a tool to set up iptables rules?
These rules could be saved - and re-used at boot time.
No need for the constant use of a graphical interface. Set and forget. Am I mistaken?

rbees · 08-17-2008, 05:16 AM

Thanks jomen,

Yes Firestarter is just a gui to control iptables. As I think I mentioned at the start of this post I am using it as a stop gap mesure untill I have time to learn and implement Shorewall or some other more effective way to have a firewall on my server/router.

Also I am not a big comand line person and don't use it unless I have to. I must admit that I am better with it than I was a few years ago.

There is another issue that makes firestarter very usefull for me. It is easy to stop and restart. That is important because my internet source comes and goes with my cell phone because it is teathered to the server (or laptop when on the road) either by a hard wire or bluetooth.

I would preferr to use iptables but the learning curve is some what steep and I only have so many hours I can devote to playing with new programs. Maybe when the snow comes and I am stuck inside I will have time.

Report: As of this morning firestarter has not died on my laptop. So it appers that the patch has fixed the issue of it crashing.

Once again

Thanks to all, unSpawn and jomen especially, but even those who may gain insite from my strugles.