Bug 129348 - Firewall open during /etc/init.d/iptables restart
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: iptables
Version: 2
Hardware/OS: All Linux
Priority: medium  Severity: medium
Assigned To: Thomas Woerner
QA Contact: Ben Levenson
Keywords: Security
Reported: 2004-08-06 15:05 EDT by Aleksandar Milivojevic
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-08-09 10:46:09 EDT
Description Aleksandar Milivojevic 2004-08-06 15:05:29 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7)
Gecko/20040626 Firefox/0.9.1

Description of problem:
/etc/init.d/iptables restart works by invoking the stop() and then the start()
function.  The stop() function will (among other things) set the policies for
all chains to ACCEPT.  This opens a small window of opportunity for an
attacker to inject some packets into the network that the firewall should
ideally protect.

The solution to the problem would be to change stop() function so that
it detects that iptables was called with restart argument, and if that
is the case not to reset policies on built-in chains (if the policy is
changed in /etc/sysconfig/iptables file, it will get loaded anyhow by
start() function).

This is a minor security issue, since the time window when the
firewall is open is very small and it is hard for an attacker to
predict when it will happen.  However, I believe that this should be
addressed.

Version-Release number of selected component (if applicable):
iptables-1.2.9-2.3.1

How reproducible:
Always

Steps to Reproduce:
1. /etc/init.d/iptables restart
    

Additional info:
Comment 1 Thomas Woerner 2004-08-09 10:46:09 EDT
Please think of this situation:

- user is remotely logged in
- user has modified /etc/sysconfig/iptables with a typo
- user restarts firewall
  - removing all rules
  - setting policy to drop or leaving as drop
  - new firewall can not get applied because of the typo
    -> policy is still drop
-> user can not use this box anymore and can not fix the rules

This is not good.

I'll close this bug as "NOT A BUG"
Comment 2 Aleksandar Milivojevic 2004-08-09 12:41:10 EDT
There is something in your arguments.  However, when was the last time
you turned on firewall logging on a machine connected directly to the
Internet?  That typo (and the resulting open firewall for a minute or two
until the user corrects it) can lead to system compromise, and a bunch of
worms flying into the user's internal network.

I guess this is a tradeoff issue.  Since one of the sides in this
tradeoff is security, maybe it would be the best if the user has
configuration option allowing him to choose in which state his
firewall should be during reload (or when she/he makes a typo).

Just my 2 cents.
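Both concerns in this thread (the ACCEPT window during stop()/start() from the description, and the lock-out on a typo from Comment 1 and the trade-off in Comment 2) go away if the new ruleset is parse-checked first and then applied in one commit instead of flush-then-reload. The following is an added example, not the Fedora init script; it assumes an iptables-restore that supports --test (not the 1.2.9 release this report is against) and that IPTABLES_RESTORE may be overridden so the logic can be exercised without root.

```shell
#!/bin/sh
# Validated, atomic firewall reload (added example, not Fedora's init script).
# Assumption: `iptables-restore --test` exists (newer iptables than 1.2.9).
# IPTABLES_RESTORE is overridable so the control flow can be tested without root.
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# safe_reload RULES_FILE
# Returns 0 after applying the file; returns 1 and leaves the running ruleset
# untouched if the file is unreadable or fails to parse.  No chain is flushed
# and no policy is reset to ACCEPT in between, so there is neither an open
# window during the reload nor a DROP-everything lock-out after a typo.
safe_reload() {
    rules="$1"
    if [ ! -r "$rules" ]; then
        echo "safe_reload: cannot read $rules" >&2
        return 1
    fi
    # Step 1: parse and build the ruleset only; nothing reaches the kernel.
    if ! "$IPTABLES_RESTORE" --test < "$rules"; then
        echo "safe_reload: $rules failed validation; running ruleset unchanged" >&2
        return 1
    fi
    # Step 2: iptables-restore replaces each table it mentions at its COMMIT
    # line, and the ':INPUT DROP [0:0]' policy lines are set in that same
    # commit, so the old rules stay in force right up to the swap.
    "$IPTABLES_RESTORE" < "$rules"
}

# Usage when run directly: safe_reload /etc/sysconfig/iptables
if [ -n "${1:-}" ]; then
    safe_reload "$1"
fi
```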
