Bug 232931 - Autogenerated ip6tables ruleset is insecure, allowing incoming TCP connections to higher ports
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: system-config-securitylevel
Hardware: All, OS: Linux
Priority: medium, Severity: high
Assigned To: Thomas Woerner
Duplicates: 243741
Depends On: 243739
Reported: 2007-03-19 11:19 EDT by Peter Bieringer
Modified: 2008-05-21 12:04 EDT

See Also:
Fixed In Version: RHBA-2008-0340
Doc Type: Bug Fix
Last Closed: 2008-05-21 12:04:53 EDT

Attachments: None
Description Peter Bieringer 2007-03-19 11:19:06 EDT
Description of problem:
After a default installation of RHEL5 I found that the generated ruleset is
insecure: it allows TCP connections to higher ports (32768-61000), which was
unexpected and surely unwanted.

In addition, it uses the wrong ICMPv6 type for rejects.

Version-Release number of selected component (if applicable):

How reproducible:
After each installation

Steps to Reproduce:
1. install default RHEL5
2. IPv6 telnet from outside to e.g. port 36000

Actual results:

Chain RH-Firewall-1-INPUT (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all      lo     *       ::/0                 ::/0       
   50  4776 ACCEPT     icmpv6    *      *       ::/0                 ::/0      
    0     0 ACCEPT     esp      *      *       ::/0                 ::/0       
    0     0 ACCEPT     ah       *      *       ::/0                 ::/0       
    0     0 ACCEPT     udp      *      *       ::/0                 ff02::fb/128
      udp dpt:5353 
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0       
       udp dpt:631 
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0       
       tcp dpt:631 
    0     0 ACCEPT     udp      *      *       ::/0                 ::/0       
       udp dpts:32768:61000 
    1    80 ACCEPT     tcp      *      *       ::/0                 ::/0       
       tcp dpts:32768:61000 !!!!
    0     0 ACCEPT     tcp      *      *       ::/0                 ::/0       
       tcp dpt:22 
    0     0 REJECT     all      *      *       ::/0                 ::/0       
       reject-with icmp6-port-unreachabl

Expected results:
Matching the REJECT ruleset.

Additional info:

The following changes to the ruleset fix that problem and the wrong ICMP error:

# diff -u ip6tables.orig ip6tables
--- ip6tables.orig      2007-03-19 16:08:03.000000000 +0100
+++ ip6tables   2007-03-19 16:12:35.000000000 +0100
@@ -15,7 +15,7 @@
 -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
 -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
 -A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
--A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 -j ACCEPT
+-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT
 -A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
--A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-port-unreachable
+-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-adm-prohibited
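Review bot: The "! --syn" match on the changed line (+-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 ! --syn -j ACCEPT) is a stateless approximation of connection tracking, not an equivalent of an ESTABLISHED rule: it stops new inbound connection attempts to the ephemeral range, but any segment without the SYN flag addressed to 32768:61000 is still accepted without any check that a local socket initiated the exchange. The report should state that this is a workaround for the lack of IPv6 state matching on this release so the rule is not later mistaken for a full fix. The unchanged context line directly above it (-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT) still opens the whole UDP range and is not touched by the patch; it deserves a sentence explaining why it is left as is. The REJECT change to icmp6-adm-prohibited is a pure option replacement and needs no further comment.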

See also a comment on:
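As an added example that is not part of the bug report or of system-config-securitylevel, the following POSIX shell script audits a ruleset in ip6tables-save format for the two findings above: TCP ACCEPT rules on a destination-port range that carry neither the "! --syn" restriction nor a --state qualifier, and the ICMPv6 type the final REJECT answers with. It also emits a hardened copy with the report's "! --syn" change applied. The sample ruleset is constructed to mirror the RH-Firewall-1-INPUT chain shown in the report; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the bug report. Constructed sample ruleset in
# ip6tables-save format, modelled on the chain in the report: the TCP
# ACCEPT for 32768:61000 is the insecure line, and the REJECT uses the
# ICMPv6 type the reporter objects to.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmpv6 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 32768:61000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 32768:61000 -j ACCEPT
-A RH-Firewall-1-INPUT -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp6-port-unreachable
COMMIT'

RULES_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_RULES" > "$RULES_FILE"

# open_tcp_ranges FILE: print every TCP ACCEPT rule whose --dport is a
# range (low:high) and that has neither "! --syn" nor a --state match.
# Always exits 0 so it can be used under "set -e".
open_tcp_ranges() {
    grep -- '-p tcp' "$1" \
        | grep -E -- '--dport [0-9]+:[0-9]+' \
        | grep -- '-j ACCEPT' \
        | grep -v -e '! --syn' -e '--state' || true
}

# open_tcp_range_count FILE: number of such rules, for use in scripts.
open_tcp_range_count() {
    open_tcp_ranges "$1" | wc -l | tr -d ' '
}

# reject_type FILE: the --reject-with argument of the first REJECT rule,
# or "default" when the rule relies on the built-in default.
reject_type() {
    line=$(grep -- '-j REJECT' "$1" | head -n 1)
    case "$line" in
        *--reject-with*) printf '%s\n' "${line##*--reject-with }" | cut -d ' ' -f 1 ;;
        *) echo default ;;
    esac
}

# harden_tcp_ranges FILE: write the ruleset to stdout with the report's
# "! --syn" restriction inserted into each flagged rule. The input file
# is left untouched; review the output before loading it.
harden_tcp_ranges() {
    awk '/-p tcp/ && /--dport [0-9]+:[0-9]+/ && /-j ACCEPT/ && !/! --syn/ && !/--state/ {
             sub(/ -j ACCEPT$/, " ! --syn -j ACCEPT")
         }
         { print }' "$1"
}

echo "Open TCP port-range rules:"
open_tcp_ranges "$RULES_FILE"
echo "REJECT answers with: $(reject_type "$RULES_FILE")"
echo "Hardened ruleset:"
harden_tcp_ranges "$RULES_FILE"
```

Run it against a real file with `open_tcp_ranges /etc/sysconfig/ip6tables`. Note that the hardened output only reproduces the report's workaround: a rule with "! --syn" still admits every non-SYN segment to the range, so on a kernel with IPv6 connection tracking the range should be replaced by a state match instead.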
Comment 1 Thomas Woerner 2007-10-02 06:19:46 EDT
Assigning to system-config-securitylevel as this is generating the configuration.
Comment 2 Thomas Woerner 2007-10-24 07:44:35 EDT
*** Bug 243741 has been marked as a duplicate of this bug. ***
Comment 4 RHEL Product and Program Management 2007-10-31 14:25:40 EDT
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
Comment 9 Peter Bieringer 2008-02-22 14:34:01 EST
Dependencies 243739 (closed as WONTFIX) and 243741 (closed as DUPLICATE) do
not cover the above-mentioned issue. This bug is about the missing
! --syn for incoming TCP packets and the wrong ICMP type for admin-prohibited,
and has nothing to do with IPv6 connection tracking, which is not supported on RHEL5.

So at least the dependency should be removed.
Comment 12 errata-xmlrpc 2008-05-21 12:04:53 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.