Bug 1169829 - Be more careful when creating REJECT firewall rules.
Summary: Be more careful when creating REJECT firewall rules.
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: system-config-securitylevel
Version: 5.11
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Thomas Woerner
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-12-02 14:27 UTC by Denys Vlasenko
Modified: 2017-04-18 22:03 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 1169837
Environment:
Last Closed: 2017-04-18 22:03:41 UTC
Target Upstream Version:
Embargoed:



Description Denys Vlasenko 2014-12-02 14:27:55 UTC
See bug 1101522
"iptables rule ESTABLISHED occasionally not matching"

Short story: a REJECT rule can break networking by generating spurious connection aborts when an unexpected packet is seen. To prevent that, use a DROP rule to filter out bad packets before REJECT, or use REJECT only for NEW packets, and DROP the rest.


I believe the relevant part of the source code is in system-config-securitylevel-1.7.0/lokkit.c here:

for (i=0; ports && ports[i].start_port; i++) {
        /* ...creates "state NEW -j ACCEPT" rules... */
}

fprintf(fw, "-A %s -j REJECT --reject-with icmp-host-prohibited\n", CHAIN_NAME);
fprintf(fw, "-A FORWARD -j REJECT --reject-with icmp-host-prohibited\n");

It's trivial to add "-m state --state INVALID -j DROP" before each of these two REJECT rules.

There is an analogous bit of code for IPv6 later in the same file.

Comment 1 Denys Vlasenko 2015-01-13 12:41:23 UTC
What are you guys saying?
Do you think it's a bug?
Do you plan to fix it?
I need this information to decide what to do with bug 1101522.

Comment 2 Thomas Woerner 2015-02-19 14:00:18 UTC
Yes, it can be considered a bug in system-config-securitylevel/lokkit.

There is also a proposal for a change with REJECT at netfilter upstream: "netfilter: reject: don't send icmp error if packet has invalid checksum"

Comment 3 Thomas Woerner 2015-02-19 15:04:39 UTC
Here is the link to the latest version of the netfilter patch: http://patchwork.ozlabs.org/patch/440307/

Comment 4 Chris Williams 2017-04-18 22:03:41 UTC
Red Hat Enterprise Linux 5 shipped its last minor release, 5.11, on September 14th, 2014. On March 31st, 2017 RHEL 5 exited Production Phase 3 and entered Extended Life Phase. For RHEL releases in the Extended Life Phase, Red Hat will provide limited ongoing technical support. No bug fixes, security fixes, hardware enablement or root-cause analysis will be available during this phase, and support will be provided on existing installations only. If the customer purchases the Extended Life-cycle Support (ELS), certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release will be provided. For more details please consult the Red Hat Enterprise Linux Life Cycle Page:
https://access.redhat.com/support/policy/updates/errata

This BZ does not appear to meet ELS criteria so is being closed WONTFIX. If this BZ is critical for your environment and you have an Extended Life-cycle Support Add-on entitlement, please open a case in the Red Hat Customer Portal, https://access.redhat.com, provide a thorough business justification and ask that the BZ be re-opened for consideration of an errata. Please note, only certain critical-impact security fixes and selected urgent priority bug fixes for the last minor release can be considered.

