Bug 847707

Summary: firewalld: needs source address validation
Product: [Fedora] Fedora
Reporter: Florian Weimer <fweimer>
Component: firewalld
Assignee: Thomas Woerner <twoerner>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: rawhide
CC: jpopelka, security-response-team, twoerner
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1045104
Environment:
Last Closed: 2014-04-03 13:07:34 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 847757
Bug Blocks: 847708, 1045104

Description Florian Weimer 2012-08-13 10:08:19 UTC
ESTABLISHED/RELATED rules match packets irrespective of the interface they arrive on. This means that without rp_filter=1, connected devices can inject traffic into existing flows and send packets to services to which they would not ordinarily have access. Only rp_filter=1 prevents that; rp_filter=2 (loose uRPF) is not sufficient.

As far as I can tell, the default configuration sets rp_filter=1 on IPv4 interfaces, so this is just additional hardening for IPv4. A sanity check in firewalld for the rp_filter setting might therefore be sufficient.

Not sure about IPv6, I couldn't find an equivalent to rp_filter there, so this might be an actual loophole there.

Comment 1 Florian Weimer 2012-08-14 13:19:19 UTC
Linux 3.3 introduced the rpfilter match type (for the raw and mangle chains). This can be used to implement filtering for IPv6. In userspace, iptables version 1.4.14 is required.

Comment 2 Jaroslav Reznik 2013-04-05 12:24:41 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 19 development cycle.
Changing version to '19'.

(As we did not run this process for some time, it could also affect pre-Fedora 19 development cycle bugs. We are very sorry. It will help us with cleanup during Fedora 19 End Of Life. Thank you.)

More information and the reason for this action are here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora19

Comment 4 Thomas Woerner 2014-01-13 14:48:42 UTC
Enable IPv6_rpfilter by default: https://git.fedorahosted.org/cgit/firewalld.git/commit/?id=a1a48ea3a2fc9f3174c814540cbf28b6a2105a7c
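A defender's check for the two conditions raised in the report, comment 1 and comment 4 (strict rp_filter on every IPv4 interface, and an rpfilter-based raw-table rule standing in for it on IPv6), as an added example that is not part of this bug or of firewalld's code. The sysctl and ip6tables -S samples are constructed, the exact rule firewalld installs when IPv6_rpfilter is enabled is an assumption, and the functions only inspect or print text and change nothing on the host.

```shell
#!/bin/sh
# Constructed sample of `sysctl -a` output; not captured from a real host.
SAMPLE_SYSCTL='net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 2
net.ipv4.conf.virbr0.rp_filter = 0
net.ipv4.ip_forward = 1'

# Constructed sample of `ip6tables -t raw -S PREROUTING` output.
SAMPLE_IP6_RAW='-P PREROUTING ACCEPT
-A PREROUTING -m rpfilter --invert -j DROP'

# Read sysctl-style lines on stdin and print "<iface> <effective value>" for
# every interface whose effective rp_filter is not 1 (strict).  The kernel
# applies the maximum of conf/all and conf/<iface>, so "all" can only tighten
# a per-interface setting; "default" only seeds new interfaces and is skipped.
rp_filter_violations() {
    awk '
        /^net\.ipv4\.conf\.[^ ]+\.rp_filter *=/ {
            name = $1
            sub(/^net\.ipv4\.conf\./, "", name)
            sub(/\.rp_filter$/, "", name)
            val[name] = $NF + 0
        }
        END {
            all = ("all" in val) ? val["all"] : 0
            for (i in val) {
                if (i == "all" || i == "default") continue
                eff = (val[i] > all) ? val[i] : all
                if (eff != 1) printf "%s %d\n", i, eff
            }
        }' | sort
}

# IPv6 has no rp_filter sysctl, so the equivalent check is whether a drop rule
# using the rpfilter match (Linux 3.3+, iptables 1.4.14+) sits in the raw
# PREROUTING chain.  Reads `ip6tables -t raw -S PREROUTING` output on stdin;
# exit status 0 means such a rule is present.
ipv6_rpfilter_present() {
    grep -q -- '^-A PREROUTING .*-m rpfilter --invert .*-j DROP'
}

# The rule to add when the check above fails (printed, never executed here).
# Assumed to match what firewalld's IPv6_rpfilter option installs; verify
# against the running firewalld version before relying on it.
ipv6_rpfilter_rule() {
    echo 'ip6tables -t raw -I PREROUTING -m rpfilter --invert -j DROP'
}

printf '%s\n' "$SAMPLE_SYSCTL" | rp_filter_violations
printf '%s\n' "$SAMPLE_IP6_RAW" | ipv6_rpfilter_present && echo 'ipv6: rpfilter rule present'
```

On a live host, feed the functions with `sysctl -a` and `ip6tables -t raw -S PREROUTING` instead of the constructed samples.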