Bug 44038

Summary: errors in ifup-post firewalling script
Product: [Retired] Red Hat Linux
Reporter: seifried <seifried>
Component: initscripts
Assignee: Bill Nottingham <notting>
Status: CLOSED RAWHIDE
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: medium
Version: 7.1
CC: pekkas, rvokal
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2001-08-09 05:12:48 UTC

Description seifried 2001-06-10 04:58:56 UTC
Description of Problem:

ifup-post inserts ipchains rules so that DNS will "work". However, these
rules are very promiscuous and for UDP only. This presents two problems:

1) By not allowing TCP DNS replies, some people will experience "broken"
DNS, i.e. large replies (sent as TCP data rather than UDP) will be blocked.

Solution: add rules for TCP.

2) By using simplistic rules (destination 0.0.0.0, any port), it is now
possible for someone to spoof the DNS server and scan the Linux box or any
machine the Linux box is supposed to be protecting if it is configured as
a firewall. This means that there are a LOT of "protected" networks behind
a Linux firewall that are not very well protected. The destination should
be at least minimized to ports 1024 and up (reducing exposure of the Linux
box and anything behind it), and ideally they should specify the IP
address(es) of the Linux box's interfaces only.

How Reproducible:

N/A

Steps to Reproduce:

N/A 

Actual Results:

N/A

Expected Results:

N/A

Additional Information:

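The two rule shapes the report contrasts, modelled as an added example (this is not code from initscripts or from the reporter). The permissive rule is reconstructed from the report's wording only (UDP, source port 53, destination 0.0.0.0 any port) and is not the literal text of ifup-post; the stricter set applies the report's two suggestions (add TCP, confine the destination to the box's own interface and ports 1024 and up). Addresses are constructed documentation-range values, and the ipchains rendering is an approximation of the syntax, not the script's own lines. The checker assumes a default DENY policy, so a packet passes only if some rule matches.

```python
"""Model the DNS-reply ipchains rules discussed in the bug and check what
each variant lets through.  Added example; rule shapes are reconstructed
from the report's wording, not copied from ifup-post.  All addresses are
constructed (RFC 5737 documentation ranges)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY_PORT = range(0, 65536)
UNPRIV_PORTS = range(1024, 65536)   # the report's "ports 1024 and up"


@dataclass(frozen=True)
class Packet:
    proto: str   # "udp" or "tcp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One ACCEPT rule: protocol, source net and port range, dest net and port range."""
    proto: str
    src: str
    sport: range
    dst: str
    dport: range

    def matches(self, pkt: Packet) -> bool:
        return (pkt.proto == self.proto
                and ip_address(pkt.src) in ip_network(self.src)
                and pkt.sport in self.sport
                and ip_address(pkt.dst) in ip_network(self.dst)
                and pkt.dport in self.dport)

    def as_ipchains(self) -> str:
        """Render in ipchains-style syntax (approximation, not the script's text)."""
        def span(r: range) -> str:
            return f"{r.start}" if len(r) == 1 else f"{r.start}:{r.stop - 1}"
        return (f"ipchains -A input -p {self.proto} -s {self.src} {span(self.sport)} "
                f"-d {self.dst} {span(self.dport)} -j ACCEPT")


def accepted(rules, pkt: Packet) -> bool:
    """Assumed default policy DENY: the packet passes only if some rule matches."""
    return any(r.matches(pkt) for r in rules)


# Constructed addresses.
DNS_SERVER = "192.0.2.53"        # nameserver from /etc/resolv.conf
HOST_IF = "198.51.100.7"         # the Linux box's own interface
PROTECTED = "198.51.100.44"      # a machine behind the box when it forwards

# Rule set as the report describes it: UDP only, any destination, any port.
PERMISSIVE = [Rule("udp", f"{DNS_SERVER}/32", range(53, 54), "0.0.0.0/0", ANY_PORT)]

# Rule set with the report's two fixes: TCP added, destination confined to
# the box's own interface and to unprivileged ports.
STRICT = [Rule(p, f"{DNS_SERVER}/32", range(53, 54), f"{HOST_IF}/32", UNPRIV_PORTS)
          for p in ("udp", "tcp")]


def compare(pkt: Packet):
    """(accepted by permissive set, accepted by strict set)."""
    return accepted(PERMISSIVE, pkt), accepted(STRICT, pkt)


# Constructed traffic matching the report's two problems.
LEGIT_UDP_REPLY = Packet("udp", DNS_SERVER, 53, HOST_IF, 33000)
LARGE_TCP_REPLY = Packet("tcp", DNS_SERVER, 53, HOST_IF, 33001)       # problem 1
SPOOFED_PROBE_HOST = Packet("udp", DNS_SERVER, 53, HOST_IF, 111)      # problem 2
SPOOFED_PROBE_INNER = Packet("udp", DNS_SERVER, 53, PROTECTED, 22)    # problem 2

if __name__ == "__main__":
    for label, rules in (("permissive", PERMISSIVE), ("strict", STRICT)):
        print(f"# {label}")
        for r in rules:
            print(r.as_ipchains())
    for name, pkt in (("legit UDP reply", LEGIT_UDP_REPLY),
                      ("large TCP reply", LARGE_TCP_REPLY),
                      ("probe to host port 111", SPOOFED_PROBE_HOST),
                      ("probe to inner host port 22", SPOOFED_PROBE_INNER)):
        perm, strict = compare(pkt)
        print(f"{name:28s} permissive={perm!s:5s} strict={strict}")
```

Running it shows the trade-off the report makes: the permissive set passes both probes and drops the large TCP reply, while the strict set passes both replies and drops both probes. The strict set still relies on the resolver using an unprivileged source port, which is the normal libc behaviour the report's "1024 and up" suggestion assumes.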
Comment 1 Pekka Savola 2001-07-22 19:22:57 UTC
Changing to initscripts component.

If your UDP scan src address is spoofed, you don't get any replies anyway (unless you do some special tricks like spoof the src to be something other in your LAN, and run tcpdump in promisc mode). Also, the rules were justified by the fact that if your DNS server is compromised, this is the least they can do.

Nonetheless, I agree that the rules should be stricter.

Comment 2 Bill Nottingham 2001-08-09 05:10:43 UTC
These rules are the same as any original rules created by the firewall tool, so I'm probably not going to change them.

Comment 3 Bill Nottingham 2001-08-09 05:12:43 UTC
Actually, the sport will be changed in 6.13-1.